.
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── artwork
│   └── linux_audit.png
├── presentations
│   ├── 2006-selinux_symposium
│   │   ├── audit-bofs-selinux-2006.odp
│   │   └── audit-bofs-selinux-2006.pdf
│   ├── 2007-rh_summit
│   │   └── summit07_audit_ids.pdf
│   ├── 2007-selinux_symposium
│   │   ├── audit-bofs-selinux-2007.odp
│   │   └── audit-bofs-selinux-2007.pdf
│   ├── 2008-rh_summit
│   │   └── audit-ids.pdf
│   └── 2011-rh_summit
│       └── audit_ids_2011.pdf
├── specs
│   ├── fields
│   │   └── field-dictionary.csv
│   └── messages
│       ├── message-dictionary-ranges.txt
│       └── message-dictionary.csv
└── wiki_assets
    └── spec-audit_state_diagram
        └── audit-state-diagram.png

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
How to Contribute to the Linux Audit Documentation Project
===============================================================================
https://github.com/linux-audit/audit-documentation

This document is intended to act as a guide to help you contribute to the
Linux Audit Documentation project. It is not perfect, and there will always be
exceptions to the rules described here, but by following the instructions below
you should have a much easier time getting your work merged with the upstream
project.

## Explain Your Work

At the top of every patch you should include a one line summary of the change
that follows the "\<subsystem\>: \<summary\>" format. After that you should
include a slightly longer description of the changes you are making in this
patch and why you are making these changes. When in doubt you can always look
at the `git log` for examples.

## Sign Your Work

The sign-off is a simple line at the end of the patch description, which
certifies that you wrote it or otherwise have the right to pass it on as an
open-source patch. The "Developer's Certificate of Origin" pledge is taken
from the Linux Kernel and the rules are pretty simple:

    Developer's Certificate of Origin 1.1

    By making a contribution to this project, I certify that:

    (a) The contribution was created in whole or in part by me and I
        have the right to submit it under the open source license
        indicated in the file; or

    (b) The contribution is based upon previous work that, to the best
        of my knowledge, is covered under an appropriate open source
        license and I have the right under that license to submit that
        work with modifications, whether created in whole or in part
        by me, under the same open source license (unless I am
        permitted to submit under a different license), as indicated
        in the file; or

    (c) The contribution was provided directly to me by some other
        person who certified (a), (b) or (c) and I have not modified
        it.

    (d) I understand and agree that this project and the contribution
        are public and that a record of the contribution (including all
        personal information I submit with it, including my sign-off) is
        maintained indefinitely and may be redistributed consistent with
        this project or the open source license(s) involved.

... then you just add a line to the bottom of your patch description, with
your real name, saying:

    Signed-off-by: Random J Developer

You can add this to your commit description in `git` with `git commit -s`.

## Post Your Patches Upstream using GitHub Pull Requests

See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Attribution 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More_considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the "Licensor." The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Welcome to the Linux Audit Documentation Project

The Linux Audit Documentation project is intended to hold documentation and
specifications related to the Linux Audit project.

# Wiki

The wiki holds a variety of information relating to Linux Audit.

* https://github.com/linux-audit/audit-documentation/wiki

# Contributing to the Linux Audit Documentation

The [CONTRIBUTING.md](CONTRIBUTING.md) file in this repository provides a brief
introduction to how to best contribute to the Linux Audit Documentation
Project.

--------------------------------------------------------------------------------
/artwork/linux_audit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/artwork/linux_audit.png

--------------------------------------------------------------------------------
/presentations/2006-selinux_symposium/audit-bofs-selinux-2006.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2006-selinux_symposium/audit-bofs-selinux-2006.odp

--------------------------------------------------------------------------------
/presentations/2006-selinux_symposium/audit-bofs-selinux-2006.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2006-selinux_symposium/audit-bofs-selinux-2006.pdf

--------------------------------------------------------------------------------
/presentations/2007-rh_summit/summit07_audit_ids.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2007-rh_summit/summit07_audit_ids.pdf

--------------------------------------------------------------------------------
/presentations/2007-selinux_symposium/audit-bofs-selinux-2007.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2007-selinux_symposium/audit-bofs-selinux-2007.odp

--------------------------------------------------------------------------------
/presentations/2007-selinux_symposium/audit-bofs-selinux-2007.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2007-selinux_symposium/audit-bofs-selinux-2007.pdf

--------------------------------------------------------------------------------
/presentations/2008-rh_summit/audit-ids.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2008-rh_summit/audit-ids.pdf

--------------------------------------------------------------------------------
/presentations/2011-rh_summit/audit_ids_2011.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/presentations/2011-rh_summit/audit_ids_2011.pdf

--------------------------------------------------------------------------------
/specs/fields/field-dictionary.csv:
--------------------------------------------------------------------------------
NAME,FORMAT,MEANING,EXCEPTION
a[0-3],numeric hexadecimal,the arguments to a syscall,syscall
a[[:digit:]+]\[.*\],encoded,the arguments to the execve syscall,execve
acct,encoded,a user's account name,
acl,alphabet,access mode of resource assigned to vm,
action,numeric,netfilter packet disposition,
added,numeric,number of new files detected,
addr,encoded,the remote address that the user is connecting from,
apparmor,encoded,apparmor event information,
arch,numeric hexadecimal,the elf architecture flags,
argc,numeric decimal,the number of arguments to an execve syscall,
audit_backlog_limit,numeric decimal,audit system's backlog queue size,
audit_backlog_wait_time,numeric decimal,audit system's backlog wait time,
audit_enabled,numeric decimal,audit system's enable/disable status,
audit_failure,numeric decimal,audit system's failure mode,
auid,numeric decimal,login user ID,
banners,alphanumeric,banners used on printed page,
bool,alphanumeric,name of SELinux boolean,
bus,alphanumeric,name of subsystem bus a vm resource belongs to,
capability,numeric decimal,posix capabilities,
cap_fe,numeric decimal,file assigned effective capability map,
cap_fi,numeric hexadecimal,file inherited capability map,
cap_fp,numeric hexadecimal,file permitted capability map,
cap_fver,numeric hexadecimal,file system capabilities version number,
cap_pa,numeric hexadecimal,process ambient capability map,
cap_pe,numeric hexadecimal,process effective capability map,
cap_pi,numeric hexadecimal,process inherited capability map,
cap_pp,numeric hexadecimal,process permitted capability map,
category,alphabet,resource category assigned to vm,
cgroup,encoded,path to cgroup in sysfs,
changed,numeric decimal,number of changed files,
cipher,alphanumeric,name of crypto cipher selected,
class,alphabet,resource class assigned to vm,
cmd,encoded,command being executed,
code,numeric hexadecimal,seccomp action code,
comm,encoded,command line program name,
compat,numeric decimal,is_compat_task result,
cwd,encoded,the current working directory,
daddr,alphanumeric,remote IP address,
data,encoded,TTY text,
default-context,alphanumeric,default MAC context,
dev,numeric hexadecimal-tuple,in path records,major and minor for device
dev,alphanumeric,device name as found in /dev,avc
device,encoded,device name,
dir,encoded,directory name,
direction,alphanumeric,direction of crypto operation,
dmac,numeric,remote MAC address,
dport,numeric decimal,remote port number,
egid,numeric decimal,effective group ID,
enforcing,numeric decimal,new MAC enforcement status,
entries,numeric decimal,number of entries in the netfilter table,
errno,numeric decimal,error code of the audited operation,
euid,numeric decimal,effective user ID,
exe,encoded,executable name,
exit,numeric decimal,syscall exit code,
fam,alphanumeric,socket address family,
family,numeric decimal,netfilter protocol,
fd,numeric decimal,file descriptor number,
file,encoded,file name,
flags,numeric hexadecimal,mmap syscall flags,
fe,numeric decimal,file assigned effective capability map,
feature,alphanumeric,kernel feature being changed,
fi,numeric hexadecimal,file assigned inherited capability map,
fp,numeric hexadecimal,file assigned permitted capability map,
fp,alphanumeric,crypto key finger print,crypto_key
format,alphanumeric,audit log's format,
fsgid,numeric decimal,file system group ID,
fsuid,numeric decimal,file system user ID,
fver,numeric hexadecimal,file system capabilities version number,
gid,numeric decimal,group ID,
grantors,alphanumeric,pam modules approving the action,
grp,encoded,group name,
hook,numeric,netfilter hook that packet came from,
hostname,alphanumeric,the hostname that the user is connecting from,
icmp_type,numeric,type of icmp message,
id,numeric,during account changes,the user ID of the account
igid,numeric decimal,ipc object's group ID,
img-ctx,alphanumeric,the vm's disk image context string,
inif,numeric,in interface number,
ip,alphanumeric,network address of a printer,
ipid,numeric decimal,IP datagram fragment identifier,
ino,numeric decimal,inode number,
inode,numeric decimal,inode number,
inode_gid,numeric decimal,group ID of the inode's owner,
inode_uid,numeric decimal,user ID of the inode's owner,
invalid_context,encoded,SELinux context,
ioctlcmd,numeric hexadecimal,The request argument to the ioctl syscall,
ipx-net,numeric,IPX network number,
item,numeric decimal,which item is being recorded,
items,numeric decimal,the number of path records in the event,
iuid,numeric decimal,ipc object's user ID,
kernel,alphanumeric,kernel's version number,
key,encoded,key assigned from triggered audit rule,
kind,alphabet,server or client in crypto operation,
ksize,numeric,key size for crypto operation,
laddr,alphanumeric,local network address,
len,numeric decimal,length,
lport,numeric decimal,local network port,
list,numeric decimal,the audit system's filter list number,
mac,alphanumeric,crypto MAC algorithm selected,
macproto,numeric,ethernet packet type ID field,
maj,numeric,device major number,
major,numeric decimal,device major number,
minor,numeric decimal,device minor number,
mode,numeric octal,mode flags on a file,
model,alphanumeric,security model being used for virt,
msg,alphanumeric,the payload of the audit record,
nargs,numeric decimal,the number of arguments to a socket call,
name,encoded,file name in avcs,
nametype,alphabet,kind of file operation being referenced,
net,alphanumeric,network MAC address,
new,numeric,value being set in feature,
new-chardev,encoded,new character device being assigned to vm,
new-disk,encoded,disk being added to vm,
new-enabled,numeric decimal,new TTY audit enabled setting,
new-fs,encoded,file system being added to vm,
new_gid,numeric decimal,new group ID being assigned,
new-level,alphanumeric,new run level,
new_lock,numeric decimal,new value of feature lock,
new-log_passwd,numeric decimal,new value for TTY password logging,
new-mem,numeric,new amount of memory in KB,
new-net,encoded,MAC address being assigned to vm,
new_pe,numeric,new process effective capability map(deprec),
new_pi,numeric,new process inherited capability map(deprec),
new_pp,numeric,new process permitted capability map(deprec),
new-range,alphanumeric,new SELinux range,
new-rng,encoded,device name of rng being added from a vm,
new-role,alphanumeric,new SELinux role,
new-seuser,alphanumeric,new SELinux user,
new-vcpu,numeric,new number of CPU cores,
nlnk-fam,numeric,netlink protocol number,
nlnk-grp,numeric,netlink group number,
nlnk-pid,numeric decimal,pid of netlink packet sender,
oauid,numeric decimal,object's login user ID,
obj,alphanumeric,lspp object context string,
obj_gid,numeric decimal,group ID of object,
obj_uid,numeric decimal,user ID of object,
oflag,numeric,open syscall flags,
ogid,numeric decimal,file owner group ID,
ocomm,encoded,object's command line name,
old,numeric,present value of kernel feature,
old,numeric,old value,audit_enabled audit_backlog audit_failure value
old-auid,numeric decimal,previous auid value,
old-chardev,encoded,present character device assigned to vm,
old-disk,encoded,disk being removed from vm,
old-enabled,numeric decimal,present TTY audit enabled setting,
old_enforcing,numeric decimal,old MAC enforcement status,
old-fs,encoded,file system being removed from vm,
old-level,alphanumeric,old run level,
old_lock,numeric decimal,present value of feature lock,
old-log_passwd,numeric decimal,present value for TTY password logging,
old-mem,numeric,present amount of memory in KB,
old-net,encoded,present MAC address assigned to vm,
old_pa,numeric hexadecimal,old process ambient capability map,
old_pe,numeric hexadecimal,old process effective capability map,
old_pi,numeric hexadecimal,old process inherited capability map,
old_pp,numeric hexadecimal,old process permitted capability map,
old_prom,numeric decimal,network promiscuity flag,
old-range,alphanumeric,present SELinux range,
old-rng,encoded,device name of rng being removed from a vm,
old-role,alphanumeric,present SELinux role,
old-ses,numeric decimal,previous ses value,
old-seuser,alphanumeric,present SELinux user,
old_val,numeric decimal,current value of SELinux boolean,
old-vcpu,numeric,present number of CPU cores,
op,alphanumeric,the operation being performed that is audited,
opid,numeric decimal,object's process ID,
oses,numeric decimal,object's session ID,
ouid,numeric decimal,file owner user ID,
outif,numeric,out interface number,
pa,numeric hexadecimal,process ambient capability map,
pe,numeric hexadecimal,process effective capability map,
pi,numeric hexadecimal,process inherited capability map,
pp,numeric hexadecimal,process permitted capability map,
parent,numeric,the inode number of the parent file,
path,encoded,file system path name,
per,numeric hexadecimal,linux personality,
perm,numeric,the file permission being used,
perm_mask,numeric,file permission mask that triggered a watch event,
permissive,numeric decimal,SELinux is in permissive mode,
181 | pfs,alphanumeric,perfect forward secrecy method, 182 | pid,numeric decimal,process ID, 183 | ppid,numeric decimal,parent process ID, 184 | printer,alphanumeric,printer name, 185 | prom,numeric decimal,network promiscuity flag, 186 | proctitle,encoded,process title and command line parameters, 187 | proto,numeric decimal,network protocol, 188 | qbytes,numeric hexadecimal,ipc objects quantity of bytes, 189 | range,alphanumeric,user's SE Linux range, 190 | rdev,numeric hexadecimal-tuple,the device identifier (special files only), 191 | reason,alphanumeric,text string denoting a reason for the action, 192 | removed,numeric,number of deleted files, 193 | res,numeric decimal,result of the audited operation(success/fail), 194 | resrc,alphanumeric,resource being assigned, 195 | result,alphanumeric,result of the audited operation(success/fail), 196 | role,alphanumeric,user's SELinux role, 197 | rport,numeric decimal,remote port number, 198 | saddr,encoded,struct socket address structure, 199 | sauid,numeric decimal,sent login user ID, 200 | scontext,alphanumeric,the subject's context string, 201 | selected-context,alphanumeric,new MAC context assigned to session, 202 | seperm,alphanumeric,SELinux permission being decided on, 203 | seqno,numeric decimal,sequence number, 204 | seperms,alphabet,SELinux permissions being used, 205 | seresult,alphabet,SELinux AVC decision granted/denied, 206 | ses,numeric decimal,login session ID, 207 | seuser,alphanumeric,user's SE Linux user acct, 208 | sgid,numeric decimal,set group ID, 209 | sig,numeric decimal,signal number, 210 | sigev_signo,numeric decimal,signal number, 211 | smac,numeric,local MAC address, 212 | spid,numeric decimal,sent process ID, 213 | sport,numeric decimal,local port number, 214 | state,alphanumeric,audit daemon configuration resulting state, 215 | subj,alphanumeric,lspp subject's context string, 216 | success,alphanumeric,whether the syscall was successful or not, 217 | suid,numeric decimal,sent user ID, 218 
| syscall,numeric decimal,syscall number in effect when the event occurred, 219 | table,alphanumeric,netfilter table name, 220 | tclass,alphanumeric,target's object classification, 221 | tcontext,alphanumeric,the target's or object's context string, 222 | terminal,alphanumeric,terminal name the user is running programs on, 223 | tty,alphanumeric,tty udevice the user is running programs on, 224 | type,alphanumeric,the audit record's type, 225 | uid,numeric decimal,user ID, 226 | unit,alphanumeric,systemd unit, 227 | uri,alphanumeric,URI pointing to a printer, 228 | user,alphanumeric,account submitted for authentication, 229 | uuid,alphanumeric,a UUID, 230 | val,alphanumeric,generic value associated with the operation, 231 | val,numeric decimal,new value of SELinux boolean, 232 | ver,numeric,audit daemon's version number, 233 | virt,alphanumeric,kind of virtualization being referenced, 234 | vm,encoded,virtual machine name, 235 | vm-ctx,alphanumeric,the vm's context string, 236 | vm-pid,numeric decimal,vm's process ID, 237 | watch,encoded,file name in a watch record, 238 | -------------------------------------------------------------------------------- /specs/messages/message-dictionary-ranges.txt: -------------------------------------------------------------------------------- 1 | * 1000 - 1099 are for commanding the audit system 2 | * 1100 - 1199 user space trusted application messages 3 | * 1200 - 1299 messages internal to the audit daemon 4 | * 1300 - 1399 audit event messages 5 | * 1400 - 1499 kernel SELinux use 6 | * 1500 - 1599 AppArmor events 7 | * 1500 - 1599 kernel LSPP events 8 | * 1600 - 1699 kernel crypto events 9 | * 1700 - 1799 kernel anomaly records 10 | * 1800 - 1899 kernel integrity labels and related events 11 | * 1900 - 1999 future kernel use 12 | * 2000 is for otherwise unclassified kernel audit messages (legacy) 13 | * 2001 - 2099 unused (kernel) 14 | * 2100 - 2199 user space anomaly records 15 | * 2200 - 2299 user space actions taken in 
response to anomalies 16 | * 2300 - 2399 user space generated LSPP events 17 | * 2400 - 2499 user space crypto events 18 | * 2500 - 2599 user space virtualization management events 19 | * 2600 - 2999 future user space (maybe integrity labels and related events) 20 | -------------------------------------------------------------------------------- /specs/messages/message-dictionary.csv: -------------------------------------------------------------------------------- 1 | MACRO NAME,VALUE,ORIGIN,CLASS,DESCRIPTION 2 | AUDIT_GET,1000,USER,CTL,Get status 3 | AUDIT_SET,1001,USER,CTL,Set status (enable/disable/auditd) 4 | AUDIT_LIST,1002,USER,DEP,List syscall rules -- deprecated 5 | AUDIT_ADD,1003,USER,DEP,Add syscall rule -- deprecated 6 | AUDIT_DEL,1004,USER,DEP,Delete syscall rule -- deprecated 7 | AUDIT_USER,1005,USER,DEP,Message from userspace -- deprecated 8 | AUDIT_LOGIN,1006,KERN,IND,Define the login ID and information 9 | AUDIT_WATCH_INS,1007,USER,DEP,Insert file/dir watch entry 10 | AUDIT_WATCH_REM,1008,USER,DEP,Remove file/dir watch entry 11 | AUDIT_WATCH_LIST,1009,USER,DEP,List all file/dir watches 12 | AUDIT_SIGNAL_INFO,1010,USER,CTL,Get info about sender of signal to auditd 13 | AUDIT_ADD_RULE,1011,USER,CTL,Add syscall filtering rule 14 | AUDIT_DEL_RULE,1012,USER,CTL,Delete syscall filtering rule 15 | AUDIT_LIST_RULES,1013,USER,CTL,List syscall filtering rules 16 | AUDIT_TRIM,1014,USER,CTL,Trim junk from watched tree 17 | AUDIT_MAKE_EQUIV,1015,USER,CTL,Append to watched tree 18 | AUDIT_TTY_GET,1016,USER,CTL,Get TTY auditing status 19 | AUDIT_TTY_SET,1017,USER,CTL,Set TTY auditing status 20 | AUDIT_SET_FEATURE,1018,USER,CTL,Turn an audit feature on or off 21 | AUDIT_GET_FEATURE,1019,USER,CTL,Get which features are enabled 22 | AUDIT_USER_AUTH,1100,USER,IND,User system access authentication 23 | AUDIT_USER_ACCT,1101,USER,IND,User system access authorization 24 | AUDIT_USER_MGMT,1102,USER,IND,User account attribute change 25 | AUDIT_CRED_ACQ,1103,USER,IND,User 
credential acquired 26 | AUDIT_CRED_DISP,1104,USER,IND,User credential disposed 27 | AUDIT_USER_START,1105,USER,IND,User session start 28 | AUDIT_USER_END,1106,USER,IND,User session end 29 | AUDIT_USER_AVC,1107,USER,IND,User space AVC (Access Vector Cache) message 30 | AUDIT_USER_CHAUTHTOK,1108,USER,IND,User account password or PIN changed 31 | AUDIT_USER_ERR,1109,USER,IND,User account state error 32 | AUDIT_CRED_REFR,1110,USER,IND,User credential refreshed 33 | AUDIT_USYS_CONFIG,1111,USER,IND,User space system config change 34 | AUDIT_USER_LOGIN,1112,USER,IND,User has logged in 35 | AUDIT_USER_LOGOUT,1113,USER,IND,User has logged out 36 | AUDIT_ADD_USER,1114,USER,IND,User account added 37 | AUDIT_DEL_USER,1115,USER,IND,User account deleted 38 | AUDIT_ADD_GROUP,1116,USER,IND,Group account added 39 | AUDIT_DEL_GROUP,1117,USER,IND,Group account deleted 40 | AUDIT_DAC_CHECK,1118,USER,IND,User space DAC check results 41 | AUDIT_CHGRP_ID,1119,USER,IND,User space group ID changed 42 | AUDIT_TEST,1120,USER,IND,Used for test success messages 43 | AUDIT_TRUSTED_APP,1121,USER,IND,Trusted app msg - freestyle text 44 | AUDIT_USER_SELINUX_ERR,1122,USER,IND,SELinux user space error 45 | AUDIT_USER_CMD,1123,USER,IND,User shell command and args 46 | AUDIT_USER_TTY,1124,USER,IND,Non-ICANON TTY input meaning 47 | AUDIT_CHUSER_ID,1125,USER,IND,Changed user ID supplemental data 48 | AUDIT_GRP_AUTH,1126,USER,IND,Authentication for group password 49 | AUDIT_SYSTEM_BOOT,1127,USER,IND,System boot 50 | AUDIT_SYSTEM_SHUTDOWN,1128,USER,IND,System shutdown 51 | AUDIT_SYSTEM_RUNLEVEL,1129,USER,IND,System runlevel change 52 | AUDIT_SERVICE_START,1130,USER,IND,Service (daemon) start 53 | AUDIT_SERVICE_STOP,1131,USER,IND,Service (daemon) stop 54 | AUDIT_GRP_MGMT,1132,USER,IND,Group account attribute was modified 55 | AUDIT_GRP_CHAUTHTOK,1133,USER,IND,Group account password or PIN changed 56 | AUDIT_MAC_CHECK,1134,USER,IND,User space MAC (Mandatory Access Control) decision results 57 | 
AUDIT_ACCT_LOCK,1135,USER,IND,User's account locked by admin 58 | AUDIT_ACCT_UNLOCK,1136,USER,IND,User's account unlocked by admin 59 | AUDIT_USER_DEVICE,1137,USER,IND,User space hotplug device changes 60 | AUDIT_SOFTWARE_UPDATE,1138,USER,IND,Software update event 61 | AUDIT_DAEMON_START,1200,USER,IND,Daemon startup record 62 | AUDIT_DAEMON_END,1201,USER,IND,Daemon normal stop record 63 | AUDIT_DAEMON_ABORT,1202,USER,IND,Daemon error stop record 64 | AUDIT_DAEMON_CONFIG,1203,USER,IND,Daemon config change 65 | AUDIT_DAEMON_RECONFIG,1204,USER,IND,Auditd should reconfigure 66 | AUDIT_DAEMON_ROTATE,1205,USER,IND,Auditd should rotate logs 67 | AUDIT_DAEMON_RESUME,1206,USER,IND,Auditd should resume logging 68 | AUDIT_DAEMON_ACCEPT,1207,USER,IND,Auditd accepted remote connection 69 | AUDIT_DAEMON_CLOSE,1208,USER,IND,Auditd closed remote connection 70 | AUDIT_DAEMON_ERR,1209,USER,IND,Auditd internal error 71 | AUDIT_SYSCALL,1300,KERN,SC,System call event information 72 | AUDIT_FS_WATCH,1301,KERN,DEP,Deprecated 73 | AUDIT_PATH,1302,KERN,SC,Filename path information 74 | AUDIT_IPC,1303,KERN,SC,System call IPC (Inter-Process Communication) object 75 | AUDIT_SOCKETCALL,1304,KERN,SC,System call socketcall arguments 76 | AUDIT_CONFIG_CHANGE,1305,KERN,IND,Audit system configuration change 77 | AUDIT_SOCKADDR,1306,KERN,SC,System call socket address argument information 78 | AUDIT_CWD,1307,KERN,SC,Current working directory 79 | AUDIT_EXECVE,1309,KERN,SC,Arguments supplied to the execve system call 80 | AUDIT_IPC_SET_PERM,1311,KERN,SC,IPC new permissions record type 81 | AUDIT_MQ_OPEN,1312,KERN,SC,POSIX MQ open record type 82 | AUDIT_MQ_SENDRECV,1313,KERN,SC,POSIX MQ send/receive record type 83 | AUDIT_MQ_NOTIFY,1314,KERN,SC,POSIX MQ notify record type 84 | AUDIT_MQ_GETSETATTR,1315,KERN,SC,POSIX MQ get/set attribute record type 85 | AUDIT_KERNEL_OTHER,1316,KERN,IND,For use by 3rd party modules 86 | AUDIT_FD_PAIR,1317,KERN,SC,Information for pipe and socketpair system calls 87 | 
AUDIT_OBJ_PID,1318,KERN,SC,ptrace target 88 | AUDIT_TTY,1319,KERN,IND,Input on an administrative TTY 89 | AUDIT_EOE,1320,KERN,CTL,End of multi-record event 90 | AUDIT_BPRM_FCAPS,1321,KERN,SC,Information about file system capabilities increasing permissions 91 | AUDIT_CAPSET,1322,KERN,SC,Record showing argument to sys_capset setting process-based capabilities 92 | AUDIT_MMAP,1323,KERN,SC,Mmap system call file descriptor and flags 93 | AUDIT_NETFILTER_PKT,1324,KERN,IND,Packets traversing netfilter chains 94 | AUDIT_NETFILTER_CFG,1325,KERN,IND/SC,Netfilter chain modifications 95 | AUDIT_SECCOMP,1326,KERN,IND,Secure Computing event 96 | AUDIT_PROCTITLE,1327,KERN,SC,Process Title info 97 | AUDIT_FEATURE_CHANGE,1328,KERN,IND,Audit feature changed value 98 | AUDIT_REPLACE,1329,KERN,CTL,Replace auditd if this probe unanswered 99 | AUDIT_KERN_MODULE,1330,KERN,SC,Kernel Module events 100 | AUDIT_FANOTIFY,1331,KERN,SC,Fanotify access decision 101 | AUDIT_TIME_INJOFFSET,1332,KERN,SC,Timekeeping offset injected 102 | AUDIT_TIME_ADJNTPVAL,1333,KERN,SC,NTP value adjustment 103 | AUDIT_BPF,1334,KERN,SC,BPF load/unload 104 | AUDIT_EVENT_LISTENER,1335,KERN,SC,audit mcast sock join/part 105 | AUDIT_URINGOP,1336,KERN,SC,io_uring operation 106 | AUDIT_OPENAT2,1337,KERN,SC,Record showing openat2 how args 107 | AUDIT_DM_CTRL,1338,KERN,SC,Device Mapper target control 108 | AUDIT_DM_EVENT,1339,KERN,SC,Device Mapper events 109 | AUDIT_AVC,1400,KERN,SC,SELinux AVC (Access Vector Cache) denial or grant 110 | AUDIT_SELINUX_ERR,1401,KERN,SC,Internal SELinux errors 111 | AUDIT_AVC_PATH,1402,KERN,SC,"dentry, vfsmount pair from AVC" 112 | AUDIT_MAC_POLICY_LOAD,1403,KERN,SC,SELinux Policy file load 113 | AUDIT_MAC_STATUS,1404,KERN,SC,"SELinux mode (enforcing, permissive, off) changed" 114 | AUDIT_MAC_CONFIG_CHANGE,1405,KERN,SC,SELinux Boolean value modification 115 | AUDIT_MAC_UNLBL_ALLOW,1406,KERN,SC,NetLabel: allow unlabeled traffic 116 | AUDIT_MAC_CIPSOV4_ADD,1407,KERN,SC,NetLabel: add CIPSOv4 
(Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry 117 | AUDIT_MAC_CIPSOV4_DEL,1408,KERN,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry 118 | AUDIT_MAC_MAP_ADD,1409,KERN,SC,NetLabel: add LSM (Linux Security Module) domain mapping 119 | AUDIT_MAC_MAP_DEL,1410,KERN,SC,NetLabel: del LSM (Linux Security Module) domain mapping 120 | AUDIT_MAC_IPSEC_ADDSA,1411,KERN,DEP,Not used 121 | AUDIT_MAC_IPSEC_DELSA,1412,KERN,DEP,Not used 122 | AUDIT_MAC_IPSEC_ADDSPD,1413,KERN,DEP,Not used 123 | AUDIT_MAC_IPSEC_DELSPD,1414,KERN,DEP,Not used 124 | AUDIT_MAC_IPSEC_EVENT,1415,KERN,SC,Audit an IPsec event 125 | AUDIT_MAC_UNLBL_STCADD,1416,KERN,SC,NetLabel: add a static label 126 | AUDIT_MAC_UNLBL_STCDEL,1417,KERN,SC,NetLabel: del a static label 127 | AUDIT_MAC_CALIPSO_ADD,1418,KERN,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry 128 | AUDIT_MAC_CALIPSO_DEL,1419,KERN,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry 129 | AUDIT_AA,1500,KERN,?, 130 | AUDIT_APPARMOR_AUDIT,1501,KERN,SC, 131 | AUDIT_APPARMOR_ALLOWED,1502,KERN,SC, 132 | AUDIT_APPARMOR_DENIED,1503,KERN,SC, 133 | AUDIT_APPARMOR_HINT,1504,KERN,SC, 134 | AUDIT_APPARMOR_STATUS,1505,KERN,SC, 135 | AUDIT_APPARMOR_ERROR,1506,KERN,SC, 136 | AUDIT_APPARMOR_KILL,1507,KERN,SC, 137 | AUDIT_ANOM_PROMISCUOUS,1700,KERN,SC/IND,Device changed promiscuous mode 138 | AUDIT_ANOM_ABEND,1701,KERN,IND,Process ended abnormally 139 | AUDIT_ANOM_LINK,1702,KERN,SC?,Suspicious use of file links 140 | AUDIT_ANOM_CREAT,1703,KERN,SC?,Suspicious file creation 141 | AUDIT_INTEGRITY_DATA,1800,KERN,SC,Data integrity verification 142 | AUDIT_INTEGRITY_METADATA,1801,KERN,SC,Metadata integrity verification 143 | AUDIT_INTEGRITY_STATUS,1802,KERN,SC,Integrity enable status 144 | AUDIT_INTEGRITY_HASH,1803,KERN,SC,Integrity HASH type 145 | AUDIT_INTEGRITY_PCR,1804,KERN,SC,PCR (Platform Configuration Register) invalidation messages 146 | 
AUDIT_INTEGRITY_RULE,1805,KERN,SC/IND,Integrity Policy action 147 | AUDIT_INTEGRITY_EVM_XATTR,1806,KERN,SC,EVM XATTRS modifications 148 | AUDIT_INTEGRITY_POLICY_RULE,1807,KERN,SC,Integrity Policy rule 149 | AUDIT_KERNEL,2000,KERN,IND,Kernel audit status 150 | AUDIT_ANOM_LOGIN_FAILURES,2100,USER,IND,Failed login limit reached 151 | AUDIT_ANOM_LOGIN_TIME,2101,USER,IND,Login attempted at bad time 152 | AUDIT_ANOM_LOGIN_SESSIONS,2102,USER,IND,Maximum concurrent sessions reached 153 | AUDIT_ANOM_LOGIN_ACCT,2103,USER,IND,Login attempted to watched account 154 | AUDIT_ANOM_LOGIN_LOCATION,2104,USER,IND,Login from forbidden location 155 | AUDIT_ANOM_MAX_DAC,2105,USER,IND,Max DAC (Discretionary Access Control) failures reached 156 | AUDIT_ANOM_MAX_MAC,2106,USER,IND,Max MAC (Mandatory Access Control) failures reached 157 | AUDIT_ANOM_AMTU_FAIL,2107,USER,IND,AMTU (Abstract Machine Test Utility) failure 158 | AUDIT_ANOM_RBAC_FAIL,2108,USER,IND,RBAC (Role-Based Access Control) self test failure 159 | AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USER,IND,RBAC (Role-Based Access Control) file integrity test failure 160 | AUDIT_ANOM_CRYPTO_FAIL,2110,USER,IND,Crypto system test failure 161 | AUDIT_ANOM_ACCESS_FS,2111,USER,IND,Access of file or directory ended abnormally 162 | AUDIT_ANOM_EXEC,2112,USER,IND,Execution of file ended abnormally 163 | AUDIT_ANOM_MK_EXEC,2113,USER,IND,Make an executable 164 | AUDIT_ANOM_ADD_ACCT,2114,USER,IND,Adding a user account ended abnormally 165 | AUDIT_ANOM_DEL_ACCT,2115,USER,IND,Deleting a user account ended abnormally 166 | AUDIT_ANOM_MOD_ACCT,2116,USER,IND,Changing an account ended abnormally 167 | AUDIT_ANOM_ROOT_TRANS,2117,USER,IND,User became root 168 | AUDIT_ANOM_LOGIN_SERVICE,2118,USER,IND,Service acct attempted login 169 | AUDIT_RESP_ANOMALY,2200,USER,IND,Anomaly not reacted to 170 | AUDIT_RESP_ALERT,2201,USER,IND,Alert email was sent 171 | AUDIT_RESP_KILL_PROC,2202,USER,IND,Kill program 172 | AUDIT_RESP_TERM_ACCESS,2203,USER,IND,Terminate session 
173 | AUDIT_RESP_ACCT_REMOTE,2204,USER,IND,User account locked from remote access 174 | AUDIT_RESP_ACCT_LOCK_TIMED,2205,USER,IND,User account locked for time 175 | AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USER,IND,User account unlocked from time 176 | AUDIT_RESP_ACCT_LOCK,2207,USER,IND,User account was locked 177 | AUDIT_RESP_TERM_LOCK,2208,USER,IND,Terminal was locked 178 | AUDIT_RESP_SEBOOL,2209,USER,IND,Set an SELinux boolean 179 | AUDIT_RESP_EXEC,2210,USER,IND,Execute a script 180 | AUDIT_RESP_SINGLE,2211,USER,IND,Go to single user mode 181 | AUDIT_RESP_HALT,2212,USER,IND,Take the system down 182 | AUDIT_RESP_ORIGIN_BLOCK,2213,USER,IND,Address blocked by iptables 183 | AUDIT_RESP_ORIGIN_BLOCK_TIMED,2214,USER,IND,Address blocked for time 184 | AUDIT_USER_ROLE_CHANGE,2300,USER,IND,User changed to a new SELinux role 185 | AUDIT_ROLE_ASSIGN,2301,USER,IND,Administrator assigned user to SELinux role 186 | AUDIT_ROLE_REMOVE,2302,USER,IND,Administrator removed user from SELinux role 187 | AUDIT_LABEL_OVERRIDE,2303,USER,IND,Administrator is overriding a SELinux label 188 | AUDIT_LABEL_LEVEL_CHANGE,2304,USER,IND,Object level SELinux label modified 189 | AUDIT_USER_LABELED_EXPORT,2305,USER,IND,Object exported with SELinux label 190 | AUDIT_USER_UNLABELED_EXPORT,2306,USER,IND,Object exported without SELinux label 191 | AUDIT_DEV_ALLOC,2307,USER,IND,Device was allocated 192 | AUDIT_DEV_DEALLOC,2308,USER,IND,Device was deallocated 193 | AUDIT_FS_RELABEL,2309,USER,IND,Filesystem relabeled 194 | AUDIT_USER_MAC_POLICY_LOAD,2310,USER,IND,Userspace daemon loaded SELinux policy 195 | AUDIT_ROLE_MODIFY,2311,USER,IND,Administrator modified an SELinux role 196 | AUDIT_USER_MAC_CONFIG_CHANGE,2312,USER,IND,Change made to MAC (Mandatory Access Control) policy 197 | AUDIT_USER_MAC_STATUS,2313,USER,IND,Userspace daemon enforcing change 198 | AUDIT_CRYPTO_TEST_USER,2400,USER,IND,Cryptographic test results 199 | AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USER,IND,Cryptographic attribute change 200 | 
AUDIT_CRYPTO_LOGIN,2402,USER,IND,Cryptographic officer login 201 | AUDIT_CRYPTO_LOGOUT,2403,USER,IND,Cryptographic officer logout 202 | AUDIT_CRYPTO_KEY_USER,2404,USER,IND,"Create, delete, negotiate cryptographic key identifier" 203 | AUDIT_CRYPTO_FAILURE_USER,2405,USER,IND,"Fail decrypt, encrypt or randomize operation" 204 | AUDIT_CRYPTO_REPLAY_USER,2406,USER,IND,Cryptographic replay attack detected 205 | AUDIT_CRYPTO_SESSION,2407,USER,IND,Parameters set during TLS session establishment 206 | AUDIT_CRYPTO_IKE_SA,2408,USER,IND,Parameters related to IKE SA 207 | AUDIT_CRYPTO_IPSEC_SA,2409,USER,IND,Parameters related to IPSEC SA 208 | AUDIT_VIRT_CONTROL,2500,USER,IND,"Start, Pause, Stop VM" 209 | AUDIT_VIRT_RESOURCE,2501,USER,IND,Resource assignment 210 | AUDIT_VIRT_MACHINE_ID,2502,USER,IND,Binding of label to VM 211 | AUDIT_VIRT_INTEGRITY_CHECK,2503,USER,IND,Guest integrity results 212 | AUDIT_VIRT_CREATE,2504,USER,IND,Creation of guest image 213 | AUDIT_VIRT_DESTROY,2505,USER,IND,Destruction of guest image 214 | AUDIT_VIRT_MIGRATE_IN,2506,USER,IND,Inbound guest migration info 215 | AUDIT_VIRT_MIGRATE_OUT,2507,USER,IND,Outbound guest migration info 216 | -------------------------------------------------------------------------------- /wiki_assets/spec-audit_state_diagram/audit-state-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linux-audit/audit-documentation/73ff7e6893c681a5b827a897615c7c1f5e8bb557/wiki_assets/spec-audit_state_diagram/audit-state-diagram.png --------------------------------------------------------------------------------