These clarifications had really helped. I will definitely check out your presentations, Richard.
Thank you again to both of you for your patient explanations. They are much appreciated. Have a good weekend!

Bruce

On Fri, Mar 10, 2023 at 1:38 PM Richard Guy Briggs <r...@redhat.com> wrote:
>
> On 2023-03-10 11:04, Paul Moore wrote:
> > On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgr...@redhat.com> wrote:
> > > On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > > > Anyway, I think I need to spend some time playing until that "aha!"
> > > > moment comes. It feels a lot closer thanks to both of your responses
> > > > and I really appreciate the time you've taken to read my emails and
> > > > respond to them.
> > >
> > > There are simple events which are one line and compound events which are
> > > multiple lines - called records. The simple events tend to be hardwired and
> > > not optional. For example, logins are hardwired; kernel config changes are
> > > hardwired; authentication is hardwired.
> >
> > Reading Steve's response I'm not sure we use the same terminology, or
> > perhaps we explain it a bit differently. Regardless, here is a quick
> > definition that I stick to when discussing audit:
> >
> > "audit record": An audit record is a single line in the audit log that
> > consists of a timestamp, record type (type=XXX), and a series of
> > fields which are dependent on the record type. Here is an example of
> > a SYSCALL record:
> >
> > type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
> > arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
> > a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
> > auid=root uid=root gid=root euid=root suid=root fsuid=root
> > egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
> > exe=/usr/lib/systemd/systemd
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >
> > "audit event": An audit event consists of multiple audit records
> > grouped together by a single timestamp. Single record audit events
> > are allowed and do exist. There is no upper bound on the number of
> > records allowed in an audit event. Here is an example of an audit
> > event consisting of PROCTITLE, SYSCALL, and BPF audit records:
> >
> > type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
> > proctitle=(systemd)
> > type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
> > arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
> > a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
> > auid=root uid=root gid=root euid=root suid=root fsuid=root
> > egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
> > exe=/usr/lib/systemd/systemd
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
> > prog-id=172 op=LOAD
>
> An "audit event" which is a collection of audit records with the same
> timestamp and serial number corresponds to *one* event of interest to the
> audit subsystem either due to internal rules or added audit rules that
> when triggered record audit information into a set of records that are
> all related to give a larger picture of the circumstances of that event.
> Configuration changes, being audit rules added, or firewall rules
> changes, are hardwired.
>
> > I hope that helps.
> >
> > --
> > paul-moore.com
>
> - RGB
>
> --
> Richard Guy Briggs <r...@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
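Paul's definitions in the thread (a record is one `type=... msg=audit(timestamp:serial) :` line; an event is the set of records sharing that timestamp and serial), as an added Python example that is not part of the mailing-list thread: it parses the PROCTITLE/SYSCALL/BPF records quoted above, regroups records into events by (timestamp, serial) even when records of different events interleave in the log, and summarizes each event. The CONFIG_CHANGE record, its placement between the other records, and the `summarize` field choice are constructed for the example.

```python
import re

# Constructed sample in ausearch -i (interpreted) form: the three-record bpf() event quoted
# in the thread plus a constructed CONFIG_CHANGE event whose record lands between them, since
# records of different events can interleave in the log and must be regrouped by serial.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CONFIG_CHANGE msg=audit(03/10/2023 11:02:17.101:564) : auid=root ses=10 op=add_rule key=(null) list=exit res=yes
type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD
"""

# One record per line: type, then msg=audit(<timestamp>:<serial>), a ':' and the type-specific
# fields. The non-greedy timestamp copes with the colons inside an interpreted time
# ("10:59:00.797") and also matches the raw epoch form ("1678463940.797").
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)

def parse_record(line):
    """Return a dict for one audit record, or None for non-record lines (e.g. '----' separators)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m["body"].split():  # simple split; quoted values containing spaces are not handled
        key, _, value = token.partition("=")
        fields[key] = value
    return {"type": m["type"], "stamp": m["stamp"], "serial": int(m["serial"]), "fields": fields}

def group_events(lines):
    """Group records into events keyed by (timestamp, serial); events keep first-seen order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["stamp"], rec["serial"]), []).append(rec)
    return list(events.values())

def summarize(event):
    """Pull what a reviewer looks at first: serial, record types, and what the SYSCALL record says."""
    syscall = next((r["fields"] for r in event if r["type"] == "SYSCALL"), {})
    return {
        "serial": event[0]["serial"],
        "types": [r["type"] for r in event],
        "syscall": syscall.get("syscall"),
        "exe": syscall.get("exe"),
    }

for ev in group_events(SAMPLE_LOG.splitlines()):
    print(summarize(ev))
```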