搜索

此内容没有您所选择的语言版本。

B.2. Audit Record Types

download PDF
Table B.2, “Record Types” lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.
Table B.2. Record Types
Event Type Explanation
ADD_GROUPTriggered when a user-space group is added.
ADD_USERTriggered when a user-space user account is added.
ANOM_ABEND[a]Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS[a]Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT[a]Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL[a]Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL[a]Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT[a]Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC[a]Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT[a]Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES[a]Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION[a]Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS[a]Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME[a]Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC[a]Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC[a]Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC[a]Triggered when a file is made executable.
ANOM_MOD_ACCT[a]Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS[a]Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL[a]Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL[a]Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS[a]Triggered when a user becomes root.
AVCTriggered to record an SELinux permission check.
AVC_PATHTriggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPSTriggered when a user executes a program with a file system capability.
CAPSETTriggered to record any changes in process-based capabilities.
CHGRP_IDTriggered when a user-space group ID is changed.
CHUSER_IDTriggered when a user-space user ID is changed.
CONFIG_CHANGETriggered when the Audit system configuration is modified.
CRED_ACQTriggered when a user acquires user-space credentials.
CRED_DISPTriggered when a user disposes of user-space credentials.
CRED_REFRTriggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USERTriggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USERTriggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGINTriggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUTTriggered when a crypto officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USERTriggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USERTriggered when a replay attack is detected.
CRYPTO_SESSIONTriggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USERTriggered to record cryptographic test results as required by the FIPS-140 standard.
CWDTriggered to record the current working directory.
DAC_CHECKTriggered to record DAC check results.
DAEMON_ABORTTriggered when a daemon is stopped due to an error.
DAEMON_ACCEPTTriggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSETriggered when the auditd daemon closes a remote connection.
DAEMON_CONFIGTriggered when a daemon configuration change is detected.
DAEMON_ENDTriggered when a daemon is successfully stopped.
DAEMON_RESUMETriggered when the auditd daemon resumes logging.
DAEMON_ROTATETriggered when the auditd daemon rotates the Audit log files.
DAEMON_STARTTriggered when the auditd daemon is started.
DEL_GROUPTriggered when a user-space group is deleted
DEL_USERTriggered when a user-space user is deleted
DEV_ALLOCTriggered when a device is allocated.
DEV_DEALLOCTriggered when a device is deallocated.
EOETriggered to record the end of a multi-record event.
EXECVETriggered to record arguments of the execve(2) system call.
FD_PAIRTriggered to record the use of the pipe and socketpair system calls.
FS_RELABELTriggered when a file system relabel operation is detected.
GRP_AUTHTriggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA[b]Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH[b]Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA[b]Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR[b]Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE[b]Triggered to record a policy rule.
INTEGRITY_STATUS[b]Triggered to record the status of integrity verification.
IPCTriggered to record information about a Inter-Process Communication object referenced by a system call.
IPC_SET_PERMTriggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNELTriggered to record the initialization of the Audit system.
KERNEL_OTHERTriggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGETriggered when an object's level label is modified.
LABEL_OVERRIDETriggered when an administrator overrides an object's level label.
LOGINTriggered to record relevant login information when a user log in to access the system.
MAC_CIPSOV4_ADDTriggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DELTriggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGETriggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENTTriggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADDTriggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DELTriggered when an existing LSM domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOADTriggered when a SELinux policy file is loaded.
MAC_STATUSTriggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOWTriggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADDTriggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDELTriggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAPTriggered to record a file descriptor and flags of the mmap(2) system call.
MQ_GETSETATTRTriggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFYTriggered to record arguments of the mq_notify(3) system call.
MQ_OPENTriggered to record arguments of the mq_open(3) system call.
MQ_SENDRECVTriggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFGTriggered when Netfilter chain modifications are detected.
NETFILTER_PKTTriggered to record packets traversing Netfilter chains.
OBJ_PIDTriggered to record information about a process to which a signal is sent.
PATHTriggered to record file name path information.
RESP_ACCT_LOCK[c]Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED[c]Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE[c]Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED[c]Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT[c]Triggered when an alert email is sent.
RESP_ANOMALY[c]Triggered when an anomaly was not acted upon.
RESP_EXEC[c]Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT[c]Triggered when the system is shut down.
RESP_KILL_PROC[c]Triggered when a process is terminated.
RESP_SEBOOL[c]Triggered when an SELinux Boolean value is set.
RESP_SINGLE[c]Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS[c]Triggered when a session is terminated.
RESP_TERM_LOCK[c]Triggered when a terminal is locked.
ROLE_ASSIGNTriggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFYTriggered when an administrator modifies an SELinux role.
ROLE_REMOVETriggered when an administrator removes a user from an SELinux role.
SELINUX_ERRTriggered when an internal SELinux error is detected.
SERVICE_STARTTriggered when a service is started.
SERVICE_STOPTriggered when a service is stopped.
SOCKADDRTriggered to record a socket address.
SOCKETCALLTriggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALLTriggered to record a system call to the kernel.
SYSTEM_BOOTTriggered when the system is booted up.
SYSTEM_RUNLEVELTriggered when the system's run level is changed.
SYSTEM_SHUTDOWNTriggered when the system is shut down.
TESTTriggered to record the success value of a test message.
TRUSTED_APPThe record of this type can be used by third party application that require auditing.
TTYTriggered when TTY input was sent to an administrative process.
USER_ACCTTriggered when a user-space user account is modified.
USER_AUTHTriggered when a user-space authentication attempt is detected.
USER_AVCTriggered when a user-space AVC message is generated.
USER_CHAUTHTOKTriggered when a user account attribute is modified.
USER_CMDTriggered when a user-space shell command is executed.
USER_ENDTriggered when a user-space session is terminated.
USER_ERRTriggered when a user account state error is detected.
USER_LABELED_EXPORTTriggered when an object is exported with an SELinux label.
USER_LOGINTriggered when a user logs in.
USER_LOGOUTTriggered when a user logs out.
USER_MAC_POLICY_LOADTriggered when a user-space daemon loads an SELinux policy.
USER_MGMTTriggered to record user-space management data.
USER_ROLE_CHANGETriggered when a user's SELinux role is changed.
USER_SELINUX_ERRTriggered when a user-space SELinux error is detected.
USER_STARTTriggered when a user-space session is started.
USER_TTYTriggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORTTriggered when an object is exported without SELinux label.
USYS_CONFIGTriggered when a user-space system configuration change is detected.
VIRT_CONTROLTriggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_IDTriggered to record the binding of a label to a virtual machine.
VIRT_RESOURCETriggered to record resource assignment of a virtual machine.
[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.
[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.