ANOM_ROOT_TRANS

Steve Grubb sgrubb at redhat.com
Tue Oct 2 16:56:17 UTC 2018


On Tuesday, October 2, 2018 7:43:04 AM EDT Maupertuis Philippe wrote:
> According to the Redhat 7 security guide ANOM_ROOT_TRANS is triggered when
> a user becomes root. It seems that using sudo doesn't trigger this event.
> I would like to know how this event is triggered.

Looking at the blame view of libaudit.h on github, this was imported as far 
back as 1.7.4 over 10 years ago. Back then, work was being done around 
prelude IDS and feeding it with events for correlation and escalation. That 
work was mothballed when prelude upstream became inactive. Prelude support 
has also been removed from audit-3.0, which will be visible when it gets released.


> There are also several ANOM_ types that I can't see generated.
> Is there a document describing where these events would come from?

The event types in libaudit.h are not 100% supported. Some were supported and 
are now not in use. (Can't remove them since you really might run across the 
event in a heterogeneous network.) Many in the ANOM and RESP categories are 
placeholders for future use. The description is accurate wrt the intended 
use. At the moment nothing I know of is sending that event. But the roadmap 
for audit 3.1 has a mention of a basic IDS capability. That might be when 
the ANOM and RESP categories get better supported. I wouldn't expect sudo or su 
to send these.

-Steve
