Linux-audit Digest, Vol 40, Issue 8

kunal chandarana chandarana.kunal at gmail.com
Mon Jan 14 11:06:33 UTC 2008


In audit logs one field which is always present is "TYPE".

What does this type indicate?

If this type indicates the symbolic constants which are defined in
linux/audit.h then types like USER_AUTH, USER_ACCT, CRED_ACQ etc are not
defined in that particular file.

So how do we map these symbolic constants to their numeric values?

For example:

If type=CONFIG_CHANGE then we get the numeric value "1305" for the type, which is
defined in the file linux/audit.h.

But no such values are there for type=USER_AUTH, CRED_ACQ etc.

For such types we get the numeric value 1819222064. How should such values be interpreted?

We are adding DB support for Auditing System in which we are thinking of
creating tables on the basis of blocks of the netlink msgs which are shown
as below.

    /* The netlink messages for the audit system is divided into blocks:
     * 1000 - 1099 are for commanding the audit system (Table1)
     * 1100 - 1199 user space trusted application messages (Table2)
     * 1200 - 1299 messages internal to the audit daemon (Table3)
     * 1300 - 1399 audit event messages (Table4)
     * 1400 - 1499 SE Linux use
     * 1500 - 1599 kernel LSPP events
     * 1600 - 1699 kernel crypto events
     * 1700 - 1799 kernel anomaly records
     * 1800 - 1999 future kernel use (maybe integrity labels and related events)
     * 2000 is for otherwise unclassified kernel audit messages (legacy)
     * 2001 - 2099 unused (kernel)
     * 2100 - 2199 user space anomaly records
     * 2200 - 2299 user space actions taken in response to anomalies
     * 2300 - 2399 user space generated LSPP events
     * 2400 - 2499 user space crypto events
     * 2500 - 2999 future user space (maybe integrity labels and related events)
     *
     * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
     * exclusively user space. 1300-2099 is kernel --> user space
     * communication.
     */

(quoted from <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L31>)


How to do it on the basis of type fields?
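An added example, not part of this message or of the audit project's own code, that turns the block table quoted above into a small classifier for audit.log records: it maps the type= token of each line to its number and reports the block and message direction that number falls in. CONFIG_CHANGE=1305 is taken from the message; the USER_AUTH, USER_ACCT and CRED_ACQ numbers are assumed from the audit userspace libaudit.h and should be checked against the installed header, and the log lines are constructed.

```python
import re
# Type-number blocks, copied from the linux/audit.h comment quoted above.
BLOCKS = [
    (1000, 1099, "commanding the audit system (Table1)"),
    (1100, 1199, "user space trusted application messages (Table2)"),
    (1200, 1299, "messages internal to the audit daemon (Table3)"),
    (1300, 1399, "audit event messages (Table4)"),
    (1400, 1499, "SE Linux use"),
    (1500, 1599, "kernel LSPP events"),
    (1600, 1699, "kernel crypto events"),
    (1700, 1799, "kernel anomaly records"),
    (1800, 1999, "future kernel use"),
    (2000, 2000, "unclassified kernel audit messages (legacy)"),
    (2001, 2099, "unused (kernel)"),
    (2100, 2199, "user space anomaly records"),
    (2200, 2299, "user space actions taken in response to anomalies"),
    (2300, 2399, "user space generated LSPP events"),
    (2400, 2499, "user space crypto events"),
    (2500, 2999, "future user space"),
]
# Direction rules from the comment's last paragraph: (lo, hi, direction).
DIRECTIONS = [(1000, 1199, "bi-directional"), (1200, 1299, "user space only"),
              (1300, 2099, "kernel -> user space"), (2100, 2999, "user space only")]
# Name -> number. CONFIG_CHANGE=1305 is from the message; the user-space names
# are assumed from the audit userspace libaudit.h (verify against your header).
TYPE_NAMES = {"CONFIG_CHANGE": 1305, "USER_AUTH": 1100,
              "USER_ACCT": 1101, "CRED_ACQ": 1103}
TYPE_FIELD = re.compile(r"^type=(\S+)")

def _lookup(table, n):
    # First (lo, hi, label) row whose range contains n, else None.
    return next((d for lo, hi, d in table if lo <= n <= hi), None)

def resolve_type(token):
    """Map a type= token (symbolic name or bare decimal) to its number."""
    return int(token) if token.isdigit() else TYPE_NAMES.get(token)

def classify_line(line):
    """(number, block, direction) for one audit.log record, else None."""
    m = TYPE_FIELD.match(line)
    n = resolve_type(m.group(1)) if m else None
    return None if n is None else (n, _lookup(BLOCKS, n), _lookup(DIRECTIONS, n))

# Constructed sample records, not taken from a real system.
SAMPLE = [
    "type=CONFIG_CHANGE msg=audit(1200308793.100:42): audit_enabled=1 old=1",
    "type=USER_AUTH msg=audit(1200308795.200:43): pid=2001 uid=0 msg='acct'",
    "type=2150 msg=audit(1200308796.300:44): user space anomaly",
]
```

A name the table cannot map (or a line without a type= field) yields None, which is the case to flag rather than silently bucket.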