Appendix B. Audit System Reference
B.1. Audit Event Fields
Table B.1, “Event Fields” lists all currently-supported Audit event fields. An event field is the value preceding the equal sign in the Audit log files.
| Event Field | Explanation |
|---|---|
a0, a1, a2, a3 | Records the first four arguments of the system call, encoded in hexadecimal notation. |
acct | Records a user's account name. |
addr | Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to. |
arch | Records information about the CPU architecture of the system, encoded in hexadecimal notation. |
auid | Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john). |
capability | Records the number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page. |
cap_fi | Records data related to the setting of an inherited file system-based capability. |
cap_fp | Records data related to the setting of a permitted file system-based capability. |
cap_pe | Records data related to the setting of an effective process-based capability. |
cap_pi | Records data related to the setting of an inherited process-based capability. |
cap_pp | Records data related to the setting of a permitted process-based capability. |
cgroup | Records the path to the cgroup that contains the process at the time the Audit event was generated. |
cmd | Records the entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help. |
comm | Records the command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh. |
cwd | Records the path to the directory in which a system call was invoked. |
data | Records data associated with TTY records. |
dev | Records the minor and major ID of the device that contains the file or directory recorded in an event. |
devmajor | Records the major device ID. |
devminor | Records the minor device ID. |
egid | Records the effective group ID of the user who started the analyzed process. |
euid | Records the effective user ID of the user who started the analyzed process. |
exe | Records the path to the executable that was used to invoke the analyzed process. |
exit | Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code |
family | Records the type of address protocol that was used, either IPv4 or IPv6. |
filetype | Records the type of the file. |
flags | Records the file system name flags. |
fsgid | Records the file system group ID of the user who started the analyzed process. |
fsuid | Records the file system user ID of the user who started the analyzed process. |
gid | Records the group ID. |
hostname | Records the host name. |
icmptype | Records the type of an Internet Control Message Protocol (ICMP) packet that is received. Audit messages containing this field are usually generated by iptables. |
id | Records the user ID of an account that was changed. |
inode | Records the inode number associated with the file or directory recorded in an Audit event. |
inode_gid | Records the group ID of the inode's owner. |
inode_uid | Records the user ID of the inode's owner. |
items | Records the number of path records that are attached to this record. |
key | Records the user defined string associated with a rule that generated a particular event in the Audit log. |
list | Records the Audit rule list ID. The following is a list of known IDs: |
mode | Records the file or directory permissions, encoded in numerical notation. |
msg | Records a time stamp and a unique ID of a record, or various event-specific <name>=<value> pairs provided by the kernel or user space applications. |
msgtype | Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus. |
name | Records the full path of the file or directory that was passed to the system call as an argument. |
new-disk | Records the name of a new disk resource that is assigned to a virtual machine. |
new-mem | Records the amount of a new memory resource that is assigned to a virtual machine. |
new-vcpu | Records the number of a new virtual CPU resource that is assigned to a virtual machine. |
new-net | Records the MAC address of a new network interface resource that is assigned to a virtual machine. |
new_gid | Records a group ID that is assigned to a user. |
oauid | Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID. |
ocomm | Records the command that was used to start the target process. This field is exclusive to the record of type OBJ_PID. |
opid | Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID. |
oses | Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID. |
ouid | Records the real user ID of the target process. |
obj | Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject. |
obj_gid | Records the group ID of an object. |
obj_lev_high | Records the high SELinux level of an object. |
obj_lev_low | Records the low SELinux level of an object. |
obj_role | Records the SELinux role of an object. |
obj_uid | Records the UID of an object. |
obj_user | Records the user that is associated with an object. |
ogid | Records the object owner's group ID. |
old-disk | Records the name of an old disk resource when a new disk resource is assigned to a virtual machine. |
old-mem | Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine. |
old-vcpu | Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine. |
old-net | Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine. |
old_prom | Records the previous value of the network promiscuity flag. |
ouid | Records the real user ID of the user who started the target process. |
path | Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events. |
perm | Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change). |
pid | The pid field semantics depend on the origin of the value in this field. In fields generated from user space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to the process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user space. For more information, see the gettid(2) man page. |
ppid | Records the Parent Process ID (PID). |
prom | Records the network promiscuity flag. |
proto | Records the networking protocol that was used. This field is specific to Audit events generated by iptables. |
res | Records the result of the operation that triggered the Audit event. |
result | Records the result of the operation that triggered the Audit event. |
saddr | Records the socket address. |
sauid | Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid. |
ses | Records the session ID of the session from which the analyzed process was invoked. |
sgid | Records the set group ID of the user who started the analyzed process. |
sig | Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion. |
subj | Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object. |
subj_clr | Records the SELinux clearance of a subject. |
subj_role | Records the SELinux role of a subject. |
subj_sen | Records the SELinux sensitivity of a subject. |
subj_user | Records the user that is associated with a subject. |
success | Records whether a system call was successful or failed. |
suid | Records the set user ID of the user who started the analyzed process. |
syscall | Records the type of the system call that was sent to the kernel. |
terminal | Records the terminal name (without /dev/). |
tty | Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal. |
uid | Records the real user ID of the user who started the analyzed process. |
vm | Records the name of a virtual machine from which the Audit event originated. |
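As an added example (not part of this reference), the following Python script parses Audit records of the key=value form described above, groups them by the event serial number carried in the msg field, and uses the items field to check that every PATH record of a SYSCALL event is present before building a triage summary from the auid, uid, exe, comm, success, exit, key and name fields. The log lines are constructed for the example, not captured from a real system.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real system): one SYSCALL record
# with items=2 followed by CWD and the two PATH records of the same event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3a1c4f20 a2=0 a3=0 items=2 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-read"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/" inode=262145 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1700000000.123:4242): item=1 name="/etc/shadow" inode=262148 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
"""

# key=value, where value is a double-quoted string (may contain spaces) or a run of non-space characters.
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one Audit log line into {field: value}; quotes are stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def group_events(log_text):
    """Group records by the event serial number carried in the msg field."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        m = MSG_RE.match(rec.get("msg", ""))
        if m:
            events[m.group(2)].append(rec)
    return events

def summarize(records):
    """Triage view of one event; 'complete' is False when the SYSCALL items
    count does not match the number of PATH records actually present."""
    syscall = next(r for r in records if r.get("type") == "SYSCALL")
    paths = sorted((r for r in records if r.get("type") == "PATH"),
                   key=lambda r: int(r["item"]))
    return {
        "auid": syscall["auid"], "uid": syscall["uid"],
        "exe": syscall["exe"], "comm": syscall["comm"],
        "syscall": syscall["syscall"], "success": syscall["success"], "exit": int(syscall["exit"]),
        "key": syscall.get("key", ""),
        "paths": [p["name"] for p in paths],
        "complete": int(syscall["items"]) == len(paths),
    }
```

Run group_events on a file's contents and pass each event's record list to summarize; a denied read of a sensitive file shows up as success=no with a negative exit value and the watch key that matched.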