
Linux Audit Reference

linux-audit/audit-documentation

Field-dictionary

| NAME | FORMAT | MEANING | EXCEPTION |
|---|---|---|---|
| a[0-3] | numeric hexadecimal | the arguments to a syscall | syscall |
| a[[:digit:]+][.*] | encoded | the arguments to the execve syscall | execve |
| acct | encoded | a user's account name | |
| acl | alphabet | access mode of resource assigned to vm | |
| action | numeric | netfilter packet disposition | |
| added | numeric | number of new files detected | |
| addr | encoded | the remote address that the user is connecting from | |
| apparmor | encoded | apparmor event information | |
| arch | numeric hexadecimal | the elf architecture flags | |
| argc | numeric decimal | the number of arguments to an execve syscall | |
| audit_backlog_limit | numeric decimal | audit system's backlog queue size | |
| audit_backlog_wait_time | numeric decimal | audit system's backlog wait time | |
| audit_enabled | numeric decimal | audit system's enable/disable status | |
| audit_failure | numeric decimal | audit system's failure mode | |
| auid | numeric decimal | login user ID | |
| banners | alphanumeric | banners used on printed page | |
| bool | alphanumeric | name of SELinux boolean | |
| bus | alphanumeric | name of subsystem bus a vm resource belongs to | |
| capability | numeric decimal | posix capabilities | |
| cap_fe | numeric decimal | file assigned effective capability map | |
| cap_fi | numeric hexadecimal | file inherited capability map | |
| cap_fp | numeric hexadecimal | file permitted capability map | |
| cap_fver | numeric hexadecimal | file system capabilities version number | |
| cap_pa | numeric hexadecimal | process ambient capability map | |
| cap_pe | numeric hexadecimal | process effective capability map | |
| cap_pi | numeric hexadecimal | process inherited capability map | |
| cap_pp | numeric hexadecimal | process permitted capability map | |
| category | alphabet | resource category assigned to vm | |
| cgroup | encoded | path to cgroup in sysfs | |
| changed | numeric decimal | number of changed files | |
| cipher | alphanumeric | name of crypto cipher selected | |
| class | alphabet | resource class assigned to vm | |
| cmd | encoded | command being executed | |
| code | numeric hexadecimal | seccomp action code | |
| comm | encoded | command line program name | |
| compat | numeric decimal | is_compat_task result | |
| cwd | encoded | the current working directory | |
| daddr | alphanumeric | remote IP address | |
| data | encoded | TTY text | |
| default-context | alphanumeric | default MAC context | |
| dev | numeric hexadecimal-tuple | in path records, major and minor for device | |
| dev | alphanumeric | device name as found in /dev | avc |
| device | encoded | device name | |
| dir | encoded | directory name | |
| direction | alphanumeric | direction of crypto operation | |
| dmac | numeric | remote MAC address | |
| dport | numeric decimal | remote port number | |
| egid | numeric decimal | effective group ID | |
| enforcing | numeric decimal | new MAC enforcement status | |
| entries | numeric decimal | number of entries in the netfilter table | |
| errno | numeric decimal | error code of the audited operation | |
| euid | numeric decimal | effective user ID | |
| exe | encoded | executable name | |
| exit | numeric decimal | syscall exit code | |
| fam | alphanumeric | socket address family | |
| family | numeric decimal | netfilter protocol | |
| fd | numeric decimal | file descriptor number | |
| file | encoded | file name | |
| flags | numeric hexadecimal | mmap syscall flags | |
| fe | numeric decimal | file assigned effective capability map | |
| feature | alphanumeric | kernel feature being changed | |
| fi | numeric hexadecimal | file assigned inherited capability map | |
| fp | numeric hexadecimal | file assigned permitted capability map | |
| fp | alphanumeric | crypto key fingerprint | crypto_key |
| format | alphanumeric | audit log's format | |
| fsgid | numeric decimal | file system group ID | |
| fsuid | numeric decimal | file system user ID | |
| fver | numeric hexadecimal | file system capabilities version number | |
| gid | numeric decimal | group ID | |
| grantors | alphanumeric | pam modules approving the action | |
| grp | encoded | group name | |
| hook | numeric | netfilter hook that packet came from | |
| hostname | alphanumeric | the hostname that the user is connecting from | |
| icmp_type | numeric | type of icmp message | |
| id | numeric | during account changes, the user ID of the account | |
| igid | numeric decimal | ipc object's group ID | |
| img-ctx | alphanumeric | the vm's disk image context string | |
| inif | numeric | in interface number | |
| ip | alphanumeric | network address of a printer | |
| ipid | numeric decimal | IP datagram fragment identifier | |
| ino | numeric decimal | inode number | |
| inode | numeric decimal | inode number | |
| inode_gid | numeric decimal | group ID of the inode's owner | |
| inode_uid | numeric decimal | user ID of the inode's owner | |
| invalid_context | encoded | SELinux context | |
| ioctlcmd | numeric hexadecimal | the request argument to the ioctl syscall | |
| ipx-net | numeric | IPX network number | |
| item | numeric decimal | which item is being recorded | |
| items | numeric decimal | the number of path records in the event | |
| iuid | numeric decimal | ipc object's user ID | |
| kernel | alphanumeric | kernel's version number | |
| key | encoded | key assigned from triggered audit rule | |
| kind | alphabet | server or client in crypto operation | |
| ksize | numeric | key size for crypto operation | |
| laddr | alphanumeric | local network address | |
| len | numeric decimal | length | |
| lport | numeric decimal | local network port | |
| list | numeric decimal | the audit system's filter list number | |
| mac | alphanumeric | crypto MAC algorithm selected | |
| macproto | numeric | ethernet packet type ID field | |
| maj | numeric | device major number | |
| major | numeric decimal | device major number | |
| minor | numeric decimal | device minor number | |
| mode | numeric octal | mode flags on a file | |
| model | alphanumeric | security model being used for virt | |
| msg | alphanumeric | the payload of the audit record | |
| nargs | numeric decimal | the number of arguments to a socket call | |
| name | encoded | file name in avcs | |
| nametype | alphabet | kind of file operation being referenced | |
| net | alphanumeric | network MAC address | |
| new | numeric | value being set in feature | |
| new-chardev | encoded | new character device being assigned to vm | |
| new-disk | encoded | disk being added to vm | |
| new-enabled | numeric decimal | new TTY audit enabled setting | |
| new-fs | encoded | file system being added to vm | |
| new_gid | numeric decimal | new group ID being assigned | |
| new-level | alphanumeric | new run level | |
| new_lock | numeric decimal | new value of feature lock | |
| new-log_passwd | numeric decimal | new value for TTY password logging | |
| new-mem | numeric | new amount of memory in KB | |
| new-net | encoded | MAC address being assigned to vm | |
| new_pe | numeric | new process effective capability map (deprecated) | |
| new_pi | numeric | new process inherited capability map (deprecated) | |
| new_pp | numeric | new process permitted capability map (deprecated) | |
| new-range | alphanumeric | new SELinux range | |
| new-rng | encoded | device name of rng being added to a vm | |
| new-role | alphanumeric | new SELinux role | |
| new-seuser | alphanumeric | new SELinux user | |
| new-vcpu | numeric | new number of CPU cores | |
| nlnk-fam | numeric | netlink protocol number | |
| nlnk-grp | numeric | netlink group number | |
| nlnk-pid | numeric decimal | pid of netlink packet sender | |
| oauid | numeric decimal | object's login user ID | |
| obj | alphanumeric | lspp object context string | |
| obj_gid | numeric decimal | group ID of object | |
| obj_uid | numeric decimal | user ID of object | |
| oflag | numeric | open syscall flags | |
| ogid | numeric decimal | file owner group ID | |
| ocomm | encoded | object's command line name | |
| old | numeric | present value of kernel feature | |
| old | numeric | old value | audit_enabled audit_backlog audit_failure value |
| old-auid | numeric decimal | previous auid value | |
| old-chardev | encoded | present character device assigned to vm | |
| old-disk | encoded | disk being removed from vm | |
| old-enabled | numeric decimal | present TTY audit enabled setting | |
| old_enforcing | numeric decimal | old MAC enforcement status | |
| old-fs | encoded | file system being removed from vm | |
| old-level | alphanumeric | old run level | |
| old_lock | numeric decimal | present value of feature lock | |
| old-log_passwd | numeric decimal | present value for TTY password logging | |
| old-mem | numeric | present amount of memory in KB | |
| old-net | encoded | present MAC address assigned to vm | |
| old_pa | numeric hexadecimal | old process ambient capability map | |
| old_pe | numeric hexadecimal | old process effective capability map | |
| old_pi | numeric hexadecimal | old process inherited capability map | |
| old_pp | numeric hexadecimal | old process permitted capability map | |
| old_prom | numeric decimal | network promiscuity flag | |
| old-range | alphanumeric | present SELinux range | |
| old-rng | encoded | device name of rng being removed from a vm | |
| old-role | alphanumeric | present SELinux role | |
| old-ses | numeric decimal | previous ses value | |
| old-seuser | alphanumeric | present SELinux user | |
| old_val | numeric decimal | current value of SELinux boolean | |
| old-vcpu | numeric | present number of CPU cores | |
| op | alphanumeric | the operation being performed that is audited | |
| opid | numeric decimal | object's process ID | |
| oses | numeric decimal | object's session ID | |
| ouid | numeric decimal | file owner user ID | |
| outif | numeric | out interface number | |
| pa | numeric hexadecimal | process ambient capability map | |
| pe | numeric hexadecimal | process effective capability map | |
| pi | numeric hexadecimal | process inherited capability map | |
| pp | numeric hexadecimal | process permitted capability map | |
| parent | numeric | the inode number of the parent file | |
| path | encoded | file system path name | |
| per | numeric hexadecimal | linux personality | |
| perm | numeric | the file permission being used | |
| perm_mask | numeric | file permission mask that triggered a watch event | |
| permissive | numeric decimal | SELinux is in permissive mode | |
| pfs | alphanumeric | perfect forward secrecy method | |
| pid | numeric decimal | process ID | |
| ppid | numeric decimal | parent process ID | |
| printer | alphanumeric | printer name | |
| prom | numeric decimal | network promiscuity flag | |
| proctitle | encoded | process title and command line parameters | |
| proto | numeric decimal | network protocol | |
| qbytes | numeric hexadecimal | ipc object's quantity of bytes | |
| range | alphanumeric | user's SELinux range | |
| rdev | numeric hexadecimal-tuple | the device identifier (special files only) | |
| reason | alphanumeric | text string denoting a reason for the action | |
| removed | numeric | number of deleted files | |
| res | numeric decimal | result of the audited operation (success/fail) | |
| resrc | alphanumeric | resource being assigned | |
| result | alphanumeric | result of the audited operation (success/fail) | |
| role | alphanumeric | user's SELinux role | |
| rport | numeric decimal | remote port number | |
| saddr | encoded | struct socket address structure | |
| sauid | numeric decimal | sent login user ID | |
| scontext | alphanumeric | the subject's context string | |
| selected-context | alphanumeric | new MAC context assigned to session | |
| seperm | alphanumeric | SELinux permission being decided on | |
| seqno | numeric decimal | sequence number | |
| seperms | alphabet | SELinux permissions being used | |
| seresult | alphabet | SELinux AVC decision granted/denied | |
| ses | numeric decimal | login session ID | |
| seuser | alphanumeric | user's SELinux user account | |
| sgid | numeric decimal | set group ID | |
| sig | numeric decimal | signal number | |
| sigev_signo | numeric decimal | signal number | |
| smac | numeric | local MAC address | |
| spid | numeric decimal | sent process ID | |
| sport | numeric decimal | local port number | |
| state | alphanumeric | audit daemon configuration resulting state | |
| subj | alphanumeric | lspp subject's context string | |
| success | alphanumeric | whether the syscall was successful or not | |
| suid | numeric decimal | sent user ID | |
| syscall | numeric decimal | syscall number in effect when the event occurred | |
| table | alphanumeric | netfilter table name | |
| tclass | alphanumeric | target's object classification | |
| tcontext | alphanumeric | the target's or object's context string | |
| terminal | alphanumeric | terminal name the user is running programs on | |
| tty | alphanumeric | tty device the user is running programs on | |
| type | alphanumeric | the audit record's type | |
| uid | numeric decimal | user ID | |
| unit | alphanumeric | systemd unit | |
| uri | alphanumeric | URI pointing to a printer | |
| user | alphanumeric | account submitted for authentication | |
| uuid | alphanumeric | a UUID | |
| val | alphanumeric | generic value associated with the operation | |
| val | numeric decimal | new value of SELinux boolean | |
| ver | numeric | audit daemon's version number | |
| virt | alphanumeric | kind of virtualization being referenced | |
| vm | encoded | virtual machine name | |
| vm-ctx | alphanumeric | the vm's context string | |
| vm-pid | numeric decimal | vm's process ID | |
| watch | encoded | file name in a watch record | |

Message-dictionary

| MACRO NAME | VALUE | ORIGIN | CLASS | DESCRIPTION |
|---|---|---|---|---|
| AUDIT_GET | 1000 | USER | CTL | Get status |
| AUDIT_SET | 1001 | USER | CTL | Set status (enable/disable/auditd) |
| AUDIT_LIST | 1002 | USER | DEP | List syscall rules -- deprecated |
| AUDIT_ADD | 1003 | USER | DEP | Add syscall rule -- deprecated |
| AUDIT_DEL | 1004 | USER | DEP | Delete syscall rule -- deprecated |
| AUDIT_USER | 1005 | USER | DEP | Message from userspace -- deprecated |
| AUDIT_LOGIN | 1006 | KERN | IND | Define the login ID and information |
| AUDIT_WATCH_INS | 1007 | USER | DEP | Insert file/dir watch entry |
| AUDIT_WATCH_REM | 1008 | USER | DEP | Remove file/dir watch entry |
| AUDIT_WATCH_LIST | 1009 | USER | DEP | List all file/dir watches |
| AUDIT_SIGNAL_INFO | 1010 | USER | CTL | Get info about sender of signal to auditd |
| AUDIT_ADD_RULE | 1011 | USER | CTL | Add syscall filtering rule |
| AUDIT_DEL_RULE | 1012 | USER | CTL | Delete syscall filtering rule |
| AUDIT_LIST_RULES | 1013 | USER | CTL | List syscall filtering rules |
| AUDIT_TRIM | 1014 | USER | CTL | Trim junk from watched tree |
| AUDIT_MAKE_EQUIV | 1015 | USER | CTL | Append to watched tree |
| AUDIT_TTY_GET | 1016 | USER | CTL | Get TTY auditing status |
| AUDIT_TTY_SET | 1017 | USER | CTL | Set TTY auditing status |
| AUDIT_SET_FEATURE | 1018 | USER | CTL | Turn an audit feature on or off |
| AUDIT_GET_FEATURE | 1019 | USER | CTL | Get which features are enabled |
| AUDIT_USER_AUTH | 1100 | USER | IND | User system access authentication |
| AUDIT_USER_ACCT | 1101 | USER | IND | User system access authorization |
| AUDIT_USER_MGMT | 1102 | USER | IND | User account attribute change |
| AUDIT_CRED_ACQ | 1103 | USER | IND | User credential acquired |
| AUDIT_CRED_DISP | 1104 | USER | IND | User credential disposed |
| AUDIT_USER_START | 1105 | USER | IND | User session start |
| AUDIT_USER_END | 1106 | USER | IND | User session end |
| AUDIT_USER_AVC | 1107 | USER | IND | User space AVC (Access Vector Cache) message |
| AUDIT_USER_CHAUTHTOK | 1108 | USER | IND | User account password or PIN changed |
| AUDIT_USER_ERR | 1109 | USER | IND | User account state error |
| AUDIT_CRED_REFR | 1110 | USER | IND | User credential refreshed |
| AUDIT_USYS_CONFIG | 1111 | USER | IND | User space system config change |
| AUDIT_USER_LOGIN | 1112 | USER | IND | User has logged in |
| AUDIT_USER_LOGOUT | 1113 | USER | IND | User has logged out |
| AUDIT_ADD_USER | 1114 | USER | IND | User account added |
| AUDIT_DEL_USER | 1115 | USER | IND | User account deleted |
| AUDIT_ADD_GROUP | 1116 | USER | IND | Group account added |
| AUDIT_DEL_GROUP | 1117 | USER | IND | Group account deleted |
| AUDIT_DAC_CHECK | 1118 | USER | IND | User space DAC check results |
| AUDIT_CHGRP_ID | 1119 | USER | IND | User space group ID changed |
| AUDIT_TEST | 1120 | USER | IND | Used for test success messages |
| AUDIT_TRUSTED_APP | 1121 | USER | IND | Trusted app msg - freestyle text |
| AUDIT_USER_SELINUX_ERR | 1122 | USER | IND | SELinux user space error |
| AUDIT_USER_CMD | 1123 | USER | IND | User shell command and args |
| AUDIT_USER_TTY | 1124 | USER | IND | Non-ICANON TTY input meaning |
| AUDIT_CHUSER_ID | 1125 | USER | IND | Changed user ID supplemental data |
| AUDIT_GRP_AUTH | 1126 | USER | IND | Authentication for group password |
| AUDIT_SYSTEM_BOOT | 1127 | USER | IND | System boot |
| AUDIT_SYSTEM_SHUTDOWN | 1128 | USER | IND | System shutdown |
| AUDIT_SYSTEM_RUNLEVEL | 1129 | USER | IND | System runlevel change |
| AUDIT_SERVICE_START | 1130 | USER | IND | Service (daemon) start |
| AUDIT_SERVICE_STOP | 1131 | USER | IND | Service (daemon) stop |
| AUDIT_GRP_MGMT | 1132 | USER | IND | Group account attribute was modified |
| AUDIT_GRP_CHAUTHTOK | 1133 | USER | IND | Group account password or PIN changed |
| AUDIT_MAC_CHECK | 1134 | USER | IND | User space MAC (Mandatory Access Control) decision results |
| AUDIT_ACCT_LOCK | 1135 | USER | IND | User's account locked by admin |
| AUDIT_ACCT_UNLOCK | 1136 | USER | IND | User's account unlocked by admin |
| AUDIT_USER_DEVICE | 1137 | USER | IND | User space hotplug device changes |
| AUDIT_SOFTWARE_UPDATE | 1138 | USER | IND | Software update event |
| AUDIT_DAEMON_START | 1200 | USER | IND | Daemon startup record |
| AUDIT_DAEMON_END | 1201 | USER | IND | Daemon normal stop record |
| AUDIT_DAEMON_ABORT | 1202 | USER | IND | Daemon error stop record |
| AUDIT_DAEMON_CONFIG | 1203 | USER | IND | Daemon config change |
| AUDIT_DAEMON_RECONFIG | 1204 | USER | IND | Auditd should reconfigure |
| AUDIT_DAEMON_ROTATE | 1205 | USER | IND | Auditd should rotate logs |
| AUDIT_DAEMON_RESUME | 1206 | USER | IND | Auditd should resume logging |
| AUDIT_DAEMON_ACCEPT | 1207 | USER | IND | Auditd accepted remote connection |
| AUDIT_DAEMON_CLOSE | 1208 | USER | IND | Auditd closed remote connection |
| AUDIT_DAEMON_ERR | 1209 | USER | IND | Auditd internal error |
| AUDIT_SYSCALL | 1300 | KERN | SC | System call event information |
| AUDIT_FS_WATCH | 1301 | KERN | DEP | Deprecated |
| AUDIT_PATH | 1302 | KERN | SC | Filename path information |
| AUDIT_IPC | 1303 | KERN | SC | System call IPC (Inter-Process Communication) object |
| AUDIT_SOCKETCALL | 1304 | KERN | SC | System call socketcall arguments |
| AUDIT_CONFIG_CHANGE | 1305 | KERN | IND | Audit system configuration change |
| AUDIT_SOCKADDR | 1306 | KERN | SC | System call socket address argument information |
| AUDIT_CWD | 1307 | KERN | SC | Current working directory |
| AUDIT_EXECVE | 1309 | KERN | SC | Arguments supplied to the execve system call |
| AUDIT_IPC_SET_PERM | 1311 | KERN | SC | IPC new permissions record type |
| AUDIT_MQ_OPEN | 1312 | KERN | SC | POSIX MQ open record type |
| AUDIT_MQ_SENDRECV | 1313 | KERN | SC | POSIX MQ send/receive record type |
| AUDIT_MQ_NOTIFY | 1314 | KERN | SC | POSIX MQ notify record type |
| AUDIT_MQ_GETSETATTR | 1315 | KERN | SC | POSIX MQ get/set attribute record type |
| AUDIT_KERNEL_OTHER | 1316 | KERN | IND | For use by 3rd party modules |
| AUDIT_FD_PAIR | 1317 | KERN | SC | Information for pipe and socketpair system calls |
| AUDIT_OBJ_PID | 1318 | KERN | SC | ptrace target |
| AUDIT_TTY | 1319 | KERN | IND | Input on an administrative TTY |
| AUDIT_EOE | 1320 | KERN | CTL | End of multi-record event |
| AUDIT_BPRM_FCAPS | 1321 | KERN | SC | Information about file system capabilities increasing permissions |
| AUDIT_CAPSET | 1322 | KERN | SC | Record showing argument to sys_capset setting process-based capabilities |
| AUDIT_MMAP | 1323 | KERN | SC | Mmap system call file descriptor and flags |
| AUDIT_NETFILTER_PKT | 1324 | KERN | IND | Packets traversing netfilter chains |
| AUDIT_NETFILTER_CFG | 1325 | KERN | IND/SC | Netfilter chain modifications |
| AUDIT_SECCOMP | 1326 | KERN | IND | Secure Computing event |
| AUDIT_PROCTITLE | 1327 | KERN | SC | Process Title info |
| AUDIT_FEATURE_CHANGE | 1328 | KERN | IND | Audit feature changed value |
| AUDIT_REPLACE | 1329 | KERN | CTL | Replace auditd if this probe is unanswered |
| AUDIT_KERN_MODULE | 1330 | KERN | SC | Kernel Module events |
| AUDIT_FANOTIFY | 1331 | KERN | SC | Fanotify access decision |
| AUDIT_TIME_INJOFFSET | 1332 | KERN | SC | Timekeeping offset injected |
| AUDIT_TIME_ADJNTPVAL | 1333 | KERN | SC | NTP value adjustment |
| AUDIT_BPF | 1334 | KERN | SC | BPF load/unload |
| AUDIT_EVENT_LISTENER | 1335 | KERN | SC | audit mcast sock join/part |
| AUDIT_URINGOP | 1336 | KERN | SC | io_uring operation |
| AUDIT_OPENAT2 | 1337 | KERN | SC | Record showing openat2 how args |
| AUDIT_DM_CTRL | 1338 | KERN | SC | Device Mapper target control |
| AUDIT_DM_EVENT | 1339 | KERN | SC | Device Mapper events |
| AUDIT_AVC | 1400 | KERN | SC | SELinux AVC (Access Vector Cache) denial or grant |
| AUDIT_SELINUX_ERR | 1401 | KERN | SC | Internal SELinux errors |
| AUDIT_AVC_PATH | 1402 | KERN | SC | dentry, vfsmount pair from AVC |
| AUDIT_MAC_POLICY_LOAD | 1403 | KERN | SC | SELinux Policy file load |
| AUDIT_MAC_STATUS | 1404 | KERN | SC | SELinux mode (enforcing, permissive, off) changed |
| AUDIT_MAC_CONFIG_CHANGE | 1405 | KERN | SC | SELinux Boolean value modification |
| AUDIT_MAC_UNLBL_ALLOW | 1406 | KERN | SC | NetLabel: allow unlabeled traffic |
| AUDIT_MAC_CIPSOV4_ADD | 1407 | KERN | SC | NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry |
| AUDIT_MAC_CIPSOV4_DEL | 1408 | KERN | SC | NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry |
| AUDIT_MAC_MAP_ADD | 1409 | KERN | SC | NetLabel: add LSM (Linux Security Module) domain mapping |
| AUDIT_MAC_MAP_DEL | 1410 | KERN | SC | NetLabel: del LSM (Linux Security Module) domain mapping |
| AUDIT_MAC_IPSEC_ADDSA | 1411 | KERN | DEP | Not used |
| AUDIT_MAC_IPSEC_DELSA | 1412 | KERN | DEP | Not used |
| AUDIT_MAC_IPSEC_ADDSPD | 1413 | KERN | DEP | Not used |
| AUDIT_MAC_IPSEC_DELSPD | 1414 | KERN | DEP | Not used |
| AUDIT_MAC_IPSEC_EVENT | 1415 | KERN | SC | Audit an IPsec event |
| AUDIT_MAC_UNLBL_STCADD | 1416 | KERN | SC | NetLabel: add a static label |
| AUDIT_MAC_UNLBL_STCDEL | 1417 | KERN | SC | NetLabel: del a static label |
| AUDIT_MAC_CALIPSO_ADD | 1418 | KERN | SC | NetLabel: add CALIPSO DOI (Domain of Interpretation) entry |
| AUDIT_MAC_CALIPSO_DEL | 1419 | KERN | SC | NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry |
| AUDIT_AA | 1500 | KERN | ? | |
| AUDIT_APPARMOR_AUDIT | 1501 | KERN | SC | |
| AUDIT_APPARMOR_ALLOWED | 1502 | KERN | SC | |
| AUDIT_APPARMOR_DENIED | 1503 | KERN | SC | |
| AUDIT_APPARMOR_HINT | 1504 | KERN | SC | |
| AUDIT_APPARMOR_STATUS | 1505 | KERN | SC | |
| AUDIT_APPARMOR_ERROR | 1506 | KERN | SC | |
| AUDIT_APPARMOR_KILL | 1507 | KERN | SC | |
| AUDIT_ANOM_PROMISCUOUS | 1700 | KERN | SC/IND | Device changed promiscuous mode |
| AUDIT_ANOM_ABEND | 1701 | KERN | IND | Process ended abnormally |
| AUDIT_ANOM_LINK | 1702 | KERN | SC? | Suspicious use of file links |
| AUDIT_ANOM_CREAT | 1703 | KERN | SC? | Suspicious file creation |
| AUDIT_INTEGRITY_DATA | 1800 | KERN | SC | Data integrity verification |
| AUDIT_INTEGRITY_METADATA | 1801 | KERN | SC | Metadata integrity verification |
| AUDIT_INTEGRITY_STATUS | 1802 | KERN | SC | Integrity enable status |
| AUDIT_INTEGRITY_HASH | 1803 | KERN | SC | Integrity HASH type |
| AUDIT_INTEGRITY_PCR | 1804 | KERN | SC | PCR (Platform Configuration Register) invalidation messages |
| AUDIT_INTEGRITY_RULE | 1805 | KERN | SC/IND | Integrity Policy action |
| AUDIT_INTEGRITY_EVM_XATTR | 1806 | KERN | SC | EVM XATTRS modifications |
| AUDIT_INTEGRITY_POLICY_RULE | 1807 | KERN | SC | Integrity Policy rule |
| AUDIT_KERNEL | 2000 | KERN | IND | Kernel audit status |
| AUDIT_ANOM_LOGIN_FAILURES | 2100 | USER | IND | Failed login limit reached |
| AUDIT_ANOM_LOGIN_TIME | 2101 | USER | IND | Login attempted at bad time |
| AUDIT_ANOM_LOGIN_SESSIONS | 2102 | USER | IND | Maximum concurrent sessions reached |
| AUDIT_ANOM_LOGIN_ACCT | 2103 | USER | IND | Login attempted to watched account |
| AUDIT_ANOM_LOGIN_LOCATION | 2104 | USER | IND | Login from forbidden location |
| AUDIT_ANOM_MAX_DAC | 2105 | USER | IND | Max DAC (Discretionary Access Control) failures reached |
| AUDIT_ANOM_MAX_MAC | 2106 | USER | IND | Max MAC (Mandatory Access Control) failures reached |
| AUDIT_ANOM_AMTU_FAIL | 2107 | USER | IND | AMTU (Abstract Machine Test Utility) failure |
| AUDIT_ANOM_RBAC_FAIL | 2108 | USER | IND | RBAC (Role-Based Access Control) self test failure |
| AUDIT_ANOM_RBAC_INTEGRITY_FAIL | 2109 | USER | IND | RBAC (Role-Based Access Control) file integrity test failure |
| AUDIT_ANOM_CRYPTO_FAIL | 2110 | USER | IND | Crypto system test failure |
| AUDIT_ANOM_ACCESS_FS | 2111 | USER | IND | Access of file or directory ended abnormally |
| AUDIT_ANOM_EXEC | 2112 | USER | IND | Execution of file ended abnormally |
| AUDIT_ANOM_MK_EXEC | 2113 | USER | IND | Make an executable |
| AUDIT_ANOM_ADD_ACCT | 2114 | USER | IND | Adding a user account ended abnormally |
| AUDIT_ANOM_DEL_ACCT | 2115 | USER | IND | Deleting a user account ended abnormally |
| AUDIT_ANOM_MOD_ACCT | 2116 | USER | IND | Changing an account ended abnormally |
| AUDIT_ANOM_ROOT_TRANS | 2117 | USER | IND | User became root |
| AUDIT_ANOM_LOGIN_SERVICE | 2118 | USER | IND | Service acct attempted login |
| AUDIT_RESP_ANOMALY | 2200 | USER | IND | Anomaly not reacted to |
| AUDIT_RESP_ALERT | 2201 | USER | IND | Alert email was sent |
| AUDIT_RESP_KILL_PROC | 2202 | USER | IND | Kill program |
| AUDIT_RESP_TERM_ACCESS | 2203 | USER | IND | Terminate session |
| AUDIT_RESP_ACCT_REMOTE | 2204 | USER | IND | User account locked from remote access |
| AUDIT_RESP_ACCT_LOCK_TIMED | 2205 | USER | IND | User account locked for time |
| AUDIT_RESP_ACCT_UNLOCK_TIMED | 2206 | USER | IND | User account unlocked from time |
| AUDIT_RESP_ACCT_LOCK | 2207 | USER | IND | User account was locked |
| AUDIT_RESP_TERM_LOCK | 2208 | USER | IND | Terminal was locked |
| AUDIT_RESP_SEBOOL | 2209 | USER | IND | Set an SELinux boolean |
| AUDIT_RESP_EXEC | 2210 | USER | IND | Execute a script |
| AUDIT_RESP_SINGLE | 2211 | USER | IND | Go to single user mode |
| AUDIT_RESP_HALT | 2212 | USER | IND | Take the system down |
| AUDIT_RESP_ORIGIN_BLOCK | 2213 | USER | IND | Address blocked by iptables |
| AUDIT_RESP_ORIGIN_BLOCK_TIMED | 2214 | USER | IND | Address blocked for time |
| AUDIT_USER_ROLE_CHANGE | 2300 | USER | IND | User changed to a new SELinux role |
| AUDIT_ROLE_ASSIGN | 2301 | USER | IND | Administrator assigned user to SELinux role |
| AUDIT_ROLE_REMOVE | 2302 | USER | IND | Administrator removed user from SELinux role |
| AUDIT_LABEL_OVERRIDE | 2303 | USER | IND | Administrator is overriding a SELinux label |
| AUDIT_LABEL_LEVEL_CHANGE | 2304 | USER | IND | Object level SELinux label modified |
| AUDIT_USER_LABELED_EXPORT | 2305 | USER | IND | Object exported with SELinux label |
| AUDIT_USER_UNLABELED_EXPORT | 2306 | USER | IND | Object exported without SELinux label |
| AUDIT_DEV_ALLOC | 2307 | USER | IND | Device was allocated |
| AUDIT_DEV_DEALLOC | 2308 | USER | IND | Device was deallocated |
| AUDIT_FS_RELABEL | 2309 | USER | IND | Filesystem relabeled |
| AUDIT_USER_MAC_POLICY_LOAD | 2310 | USER | IND | Userspace daemon loaded SELinux policy |
| AUDIT_ROLE_MODIFY | 2311 | USER | IND | Administrator modified an SELinux role |
| AUDIT_USER_MAC_CONFIG_CHANGE | 2312 | USER | IND | Change made to MAC (Mandatory Access Control) policy |
| AUDIT_USER_MAC_STATUS | 2313 | USER | IND | Userspace daemon enforcing change |
| AUDIT_CRYPTO_TEST_USER | 2400 | USER | IND | Cryptographic test results |
| AUDIT_CRYPTO_PARAM_CHANGE_USER | 2401 | USER | IND | Cryptographic attribute change |
| AUDIT_CRYPTO_LOGIN | 2402 | USER | IND | Cryptographic officer login |
| AUDIT_CRYPTO_LOGOUT | 2403 | USER | IND | Cryptographic officer logout |
| AUDIT_CRYPTO_KEY_USER | 2404 | USER | IND | Create, delete, negotiate cryptographic key identifier |
| AUDIT_CRYPTO_FAILURE_USER | 2405 | USER | IND | Fail decrypt, encrypt or randomize operation |
| AUDIT_CRYPTO_REPLAY_USER | 2406 | USER | IND | Cryptographic replay attack detected |
| AUDIT_CRYPTO_SESSION | 2407 | USER | IND | Parameters set during TLS session establishment |
| AUDIT_CRYPTO_IKE_SA | 2408 | USER | IND | Parameters related to IKE SA |
| AUDIT_CRYPTO_IPSEC_SA | 2409 | USER | IND | Parameters related to IPSEC SA |
| AUDIT_VIRT_CONTROL | 2500 | USER | IND | Start, Pause, Stop VM |
| AUDIT_VIRT_RESOURCE | 2501 | USER | IND | Resource assignment |
| AUDIT_VIRT_MACHINE_ID | 2502 | USER | IND | Binding of label to VM |
| AUDIT_VIRT_INTEGRITY_CHECK | 2503 | USER | IND | Guest integrity results |
| AUDIT_VIRT_CREATE | 2504 | USER | IND | Creation of guest image |
| AUDIT_VIRT_DESTROY | 2505 | USER | IND | Destruction of guest image |
| AUDIT_VIRT_MIGRATE_IN | 2506 | USER | IND | Inbound guest migration info |
| AUDIT_VIRT_MIGRATE_OUT | 2507 | USER | IND | Outbound guest migration info |

Message-dictionary Ranges

  • 1000 - 1099 are for commanding the audit system
  • 1100 - 1199 user space trusted application messages
  • 1200 - 1299 messages internal to the audit daemon
  • 1300 - 1399 audit event messages
  • 1400 - 1499 kernel SELinux use
  • 1500 - 1599 AppArmor events
  • 1500 - 1599 kernel LSPP events
  • 1600 - 1699 kernel crypto events
  • 1700 - 1799 kernel anomaly records
  • 1800 - 1899 kernel integrity labels and related events
  • 1900 - 1999 future kernel use
  • 2000 is for otherwise unclassified kernel audit messages (legacy)
  • 2001 - 2099 unused (kernel)
  • 2100 - 2199 user space anomaly records
  • 2200 - 2299 user space actions taken in response to anomalies
  • 2300 - 2399 user space generated LSPP events
  • 2400 - 2499 user space crypto events
  • 2500 - 2599 user space virtualization management events
  • 2600 - 2999 future user space (maybe integrity labels and related events)

Log parsing example