message type dictionary clarifications

Steve Grubb sgrubb at redhat.com
Thu Jul 13 21:02:22 UTC 2017 

On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote:
> In the process of updating the audit message type dictionary, I came
> across a couple of differences I wanted to clear up.
> 
> The descriptions in the userspace header file don't obviously line up
> with another source.  Can I get a clarification on these two messages:
> 
> AUDIT_USER_ACCT	1101	User system access authorization
> 		Alt:	User account modification

This is access authorization. Authorization is different than authentication. 
Pam sends this event during login.


> AUDIT_USER_MGMT	1102	User account attribute change
> 		Alt:	Userspace management data

This is strictly user account attribute changes. This is usually sent by 
something like usermod of shadow-utils.


> Similarly, these weren't clear to me as to whether they were active or
> passive reports.  Do these records say that the RESPonse happenned, or
> that the RESPonse should happen?

They should record what actually happened including success or not.


> AUDIT_RESP_ALERT	2201	Alert email was sent
> AUDIT_RESP_ANOMALY	2200	Anomaly not reacted to
> AUDIT_RESP_EXEC		2210	Execute a script
> AUDIT_RESP_HALT		2212	take the system down
> AUDIT_RESP_KILL_PROC	2202	Kill program
> AUDIT_RESP_SEBOOL	2209	Set an SELinux boolean
> AUDIT_RESP_SINGLE	2211	Go to single user mode
> AUDIT_RESP_TERM_ACCESS	2203	Terminate session
> AUDIT_RESP_TERM_LOCK	2208	Terminal was locked
>
> In particular, does AUDIT_RESP_EXEC mean something as simple as a script
> was executed in response to some detected event, or intrusion detection
> program responds to a threat originating from the execution of a
> program?

It means a script was executed in response.

-Steve

> I suspect they are all active and this EXEC one means a script
> was executed in response.
> 
> Thanks!
> 
> - RGB
> 
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list