Ce contenu n'est pas disponible dans la langue sélectionnée.
Appendix B. Audit System Reference
B.1. Audit Event Fields
Table B.1, “Event Fields” lists all currently-supported Audit event fields. An event field is the value preceding the equal sign in the Audit log files.
Event Field | Explanation |
---|---|
a0 , a1 , a2 , a3 | Records the first four arguments of the system call, encoded in hexadecimal notation. |
acct | Records a user's account name. |
addr | Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to. |
arch | Records information about the CPU architecture of the system, encoded in hexadecimal notation. |
auid | Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john ). |
capability | Records the number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page. |
cap_fi | Records data related to the setting of an inherited file system-based capability. |
cap_fp | Records data related to the setting of a permitted file system-based capability. |
cap_pe | Records data related to the setting of an effective process-based capability. |
cap_pi | Records data related to the setting of an inherited process-based capability. |
cap_pp | Records data related to the setting of a permitted process-based capability. |
cgroup | Records the path to the cgroup that contains the process at the time the Audit event was generated. |
cmd | Records the entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help . |
comm | Records the command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh . |
cwd | Records the path to the directory in which a system call was invoked. |
data | Records data associated with TTY records. |
dev | Records the minor and major ID of the device that contains the file or directory recorded in an event. |
devmajor | Records the major device ID. |
devminor | Records the minor device ID. |
egid | Records the effective group ID of the user who started the analyzed process. |
euid | Records the effective user ID of the user who started the analyzed process. |
exe | Records the path to the executable that was used to invoke the analyzed process. |
exit | Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code |
family | Records the type of address protocol that was used, either IPv4 or IPv6. |
filetype | Records the type of the file. |
flags | Records the file system name flags. |
fsgid | Records the file system group ID of the user who started the analyzed process. |
fsuid | Records the file system user ID of the user who started the analyzed process. |
gid | Records the group ID. |
hostname | Records the host name. |
icmptype | Records the type of a Internet Control Message Protocol (ICMP) package that is received. Audit messages containing this field are usually generated by iptables. |
id | Records the user ID of an account that was changed. |
inode | Records the inode number associated with the file or directory recorded in an Audit event. |
inode_gid | Records the group ID of the inode's owner. |
inode_uid | Records the user ID of the inode's owner. |
items | Records the number of path records that are attached to this record. |
key | Records the user defined string associated with a rule that generated a particular event in the Audit log. |
list | Records the Audit rule list ID. The following is a list of known IDs:
|
mode | Records the file or directory permissions, encoded in numerical notation. |
msg | Records a time stamp and a unique ID of a record, or various event-specific <name>=<value> pairs provided by the kernel or user space applications. |
msgtype | Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus. |
name | Records the full path of the file or directory that was passed to the system call as an argument. |
new-disk | Records the name of a new disk resource that is assigned to a virtual machine. |
new-mem | Records the amount of a new memory resource that is assigned to a virtual machine. |
new-vcpu | Records the number of a new virtual CPU resource that is assigned to a virtual machine. |
new-net | Records the MAC address of a new network interface resource that is assigned to a virtual machine. |
new_gid | Records a group ID that is assigned to a user. |
oauid | Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su ) and has started the target process. This field is exclusive to the record of type OBJ_PID . |
ocomm | Records the command that was used to start the target process.This field is exclusive to the record of type OBJ_PID . |
opid | Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID . |
oses | Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID . |
ouid | Records the real user ID of the target process |
obj | Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject. |
obj_gid | Records the group ID of an object. |
obj_lev_high | Records the high SELinux level of an object. |
obj_lev_low | Records the low SELinux level of an object. |
obj_role | Records the SELinux role of an object. |
obj_uid | Records the UID of an object |
obj_user | Records the user that is associated with an object. |
ogid | Records the object owner's group ID. |
old-disk | Records the name of an old disk resource when a new disk resource is assigned to a virtual machine. |
old-mem | Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine. |
old-vcpu | Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine. |
old-net | Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine. |
old_prom | Records the previous value of the network promiscuity flag. |
ouid | Records the real user ID of the user who started the target process. |
path | Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events |
perm | Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change) |
pid |
The
pid field semantics depend on the origin of the value in this field.
In fields generated from user-space, this field holds a process ID.
In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user-space. For more information, see the gettid(2) man page.
|
ppid | Records the Parent Process ID (PID). |
prom | Records the network promiscuity flag. |
proto | Records the networking protocol that was used. This field is specific to Audit events generated by iptables. |
res | Records the result of the operation that triggered the Audit event. |
result | Records the result of the operation that triggered the Audit event. |
saddr | Records the socket address. |
sauid | Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid . |
ses | Records the session ID of the session from which the analyzed process was invoked. |
sgid | Records the set group ID of the user who started the analyzed process. |
sig | Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion. |
subj | Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object. |
subj_clr | Records the SELinux clearance of a subject. |
subj_role | Records the SELinux role of a subject. |
subj_sen | Records the SELinux sensitivity of a subject. |
subj_user | Records the user that is associated with a subject. |
success | Records whether a system call was successful or failed. |
suid | Records the set user ID of the user who started the analyzed process. |
syscall | Records the type of the system call that was sent to the kernel. |
terminal | Records the terminal name (without /dev/ ). |
tty | Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal. |
uid | Records the real user ID of the user who started the analyzed process. |
vm | Records the name of a virtual machine from which the Audit event originated. |