How to learn the Message type?
Steve Grubb
sgrubb at redhat.com
Sat Jan 2 13:47:35 UTC 2010
On Wednesday 30 December 2009 09:59:49 pm 陈洁丹 wrote:
> Every record contains a type field. It's about the message type, such as
> AUDIT_AVC, AUDIT_SYSCALL and so on.
> Does AVC mean Mandatory Access Control?
Specifically, it's an SE Linux access control decision. You have to look at the
syscall record to see if it was actually successful.
> Are all the message types listed in msg_typetab.h?
Yes. There are a few more, but you will never see them since they are command
types rather than events.
> What do they mean exactly?
> Where can I get the information about them?
The header file usually has a brief 1 sentence comment about what it's used for.
You would look in 1 of 2 places:
/usr/include/linux/audit.h
/usr/include/libaudit.h
> I looked into _LIBAUDIT_H_, and found this sentence:
> * 1300 - 1399 audit event messages
> But in this file, I find nothing about audit event messages.
> Can anyone give me a URL or a book about the audit event
> messages?
The audit events are divided into broad categories so that similar events are
in the same range of numbers. This is what it's referring to. But look at the 2
header files and you should know more about it.
-Steve
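An added example, not code from this thread or from the audit project, that applies Steve's two points: it groups audit.log records by their event serial and reads each AVC's outcome from the SYSCALL record of the same event, and it maps a numeric message type to the range that the comments in linux/audit.h describe. The sample log lines are constructed; the range descriptions are taken from that header's comments.

```python
import re
from collections import defaultdict
# Ranges as commented in /usr/include/linux/audit.h (the thread quotes 1300-1399).
TYPE_RANGES = [
    (1000, 1099, "commands to the audit system (never logged as events)"),
    (1100, 1199, "user space trusted application messages"),
    (1200, 1299, "messages internal to the audit daemon"),
    (1300, 1399, "audit event messages"),
    (1400, 1499, "SE Linux use"),
]

def type_category(msg_type):
    """Describe the range a numeric message type (e.g. AUDIT_AVC = 1400) falls in."""
    for lo, hi, desc in TYPE_RANGES:
        if lo <= msg_type <= hi:
            return desc
    return "outside the ranges listed here"

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}
def avc_outcomes(lines):
    """Pair each AVC with the SYSCALL record sharing its serial; success comes from SYSCALL."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    out = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        success = syscall["fields"].get("success") if syscall else None
        for r in recs:
            if r["type"] == "AVC":
                out.append((serial, r["fields"].get("comm"), success))
    return out
# Constructed sample: event 42 was denied (enforcing); event 43 logged an AVC but
# the syscall still succeeded (what you would see in permissive mode).
SAMPLE = [
    'type=AVC msg=audit(1262440000.100:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262440000.100:42): arch=c000003e syscall=2 success=no exit=-13 pid=1234 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
    'type=AVC msg=audit(1262440001.200:43): avc:  denied  { write } for  pid=1234 comm="httpd" name="log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1262440001.200:43): arch=c000003e syscall=2 success=yes exit=5 pid=1234 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
]
```

Running `avc_outcomes(SAMPLE)` yields one tuple per AVC with the success flag of its SYSCALL record, which is the field to check before treating an AVC as an actual denial.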
More information about the Linux-audit mailing list