message type dictionary clarifications
Steve Grubb
sgrubb at redhat.com
Thu Jul 13 21:02:22 UTC 2017
On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
>
> The descriptions in the userspace header file don't obviously line up
> with another source. Can I get a clarification on these two messages:
>
> AUDIT_USER_ACCT 1101 User system access authorization
> Alt: User account modification
This is access authorization. Authorization is different than authentication.
Pam sends this event during login.
> AUDIT_USER_MGMT 1102 User account attribute change
> Alt: Userspace management data
This is strictly user account attribute changes. This is usually sent by
something like usermod of shadow-utils.
> Similarly, these weren't clear to me as to whether they were active or
> passive reports. Do these records say that the RESPonse happenned, or
> that the RESPonse should happen?
They should record what actually happened including success or not.
> AUDIT_RESP_ALERT 2201 Alert email was sent
> AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
> AUDIT_RESP_EXEC 2210 Execute a script
> AUDIT_RESP_HALT 2212 take the system down
> AUDIT_RESP_KILL_PROC 2202 Kill program
> AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
> AUDIT_RESP_SINGLE 2211 Go to single user mode
> AUDIT_RESP_TERM_ACCESS 2203 Terminate session
> AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?
It means a script was executed in response.
-Steve
> I suspect they are all active and this EXEC one means a script
> was executed in response.
>
> Thanks!
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list