AUDIT SYSTEM REFERENCE

APPENDIX B. AUDIT SYSTEM REFERENCE
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/app-Audit_Reference#sec-Audit_Events_Fields

https://elixir.bootlin.com/linux/latest/source/kernel/audit.c
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/audit.h

/* The netlink messages for the audit system is divided into blocks:

  • 1000 - 1099 are for commanding the audit system
  • 1100 - 1199 user space trusted application messages
  • 1200 - 1299 messages internal to the audit daemon
  • 1300 - 1399 audit event messages
  • 1400 - 1499 SE Linux use
  • 1500 - 1599 kernel LSPP events
  • 1600 - 1699 kernel crypto events
  • 1700 - 1799 kernel anomaly records
  • 1800 - 1899 kernel integrity events
  • 1900 - 1999 future kernel use
  • 2000 is for otherwise unclassified kernel audit messages (legacy)
  • 2001 - 2099 unused (kernel)
  • 2100 - 2199 user space anomaly records
  • 2200 - 2299 user space actions taken in response to anomalies
  • 2300 - 2399 user space generated LSPP events
  • 2400 - 2499 user space crypto events
  • 2500 - 2999 future user space (maybe integrity labels and related events)
  • Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
  • exclusively user space. 1300-2099 is kernel --> user space
  • communication.
    */
posted @ 2020-05-05 19:46  kkun  阅读(203)  评论(0编辑  收藏  举报