
Cover more message types #1

Open
19 of 71 tasks
foxcpp opened this issue Apr 3, 2018 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@foxcpp
Owner

foxcpp commented Apr 3, 2018

Ref.: https://github.com/linux-audit/audit-documentation

  • SELinux
    Ref.: https://selinuxproject.org/page/NB_AL

    SELinux uses a format different from all other audit events.
    I'm not going to support it now. If you are interested in SELinux
    log pretty printing using audit_pretty, any help is appreciated.

    • AVC
    • USER_AVC
    • MAC_POLICY_LOAD
    • USER_MAC_POLICY_LOAD
    • MAC_CONFIG_CHANGE
    • MAC_STATUS
    • MAC_UNLBL_STCADD
    • MAC_IPSEC_EVENT
    • SELINUX_ERR
    • USER_ROLE_CHANGE
  • AppArmor

    • AVC (Policy violations)
    • AVC (Status messages)
  • System lifecycle events

    • SYSTEM_BOOT
    • SYSTEM_RUNLEVEL
    • DAEMON_START
    • DAEMON_ABORT
    • SERVICE_START (systemd)
    • SERVICE_STOP (systemd)
    • SERVICE_START (openrc)
    • SERVICE_STOP (openrc)
    • SYSTEM_SHUTDOWN
    • DAEMON_END
  • User account lifecycle events

    • ADD_USER
    • USER_MGMT
    • USER_CHAUTHTOK
    • ROLE_ASSIGN
    • ROLE_REMOVE
    • DEL_USER
    • ADD_GROUP
    • GRP_MGMT
    • GRP_CHAUTHTOK
    • DEL_GROUP
  • User login lifecycle events

    • CRYPTO_KEY_USER
    • CRYPTO_SESSION
    • USER_AUTH
    • LOGIN
    • USER_ACCT
    • USER_CHAUTHTOK
    • USER_ERR
    • CRED_ACQ
    • USER_ROLE_CHANGE
    • USER_START
    • USER_LOGIN
    • CRED_REFR
    • GRP_AUTH
    • CHUSER_ID
    • CHGRP_ID
    • USER_LOGOUT
    • USER_END
    • CRED_DISP
    • ANOM_LOGIN_FAILURES
    • ANOM_LOGIN_TIME
    • ANOM_LOGIN_SESSIONS
    • ANOM_LOGIN_ACCT
    • ANOM_LOGIN_LOCATION
  • Virt. manager guest lifecycle events

    • VIRT_MACHINE_ID
    • VIRT_INTEGRITY_CHECK
    • VIRT_RESOURCE
    • VIRT_CONTROL
  • Seccomp violation notifications

  • Generic record types

    • PROCTITLE
    • SYSCALL
    • PATH
    • CWD

This list is incomplete. More types listed here.

@foxcpp foxcpp added enhancement New feature or request help wanted Extra attention is needed labels Apr 3, 2018
@foxcpp
Owner Author

foxcpp commented Apr 3, 2018

Doesn't seem to be documented, so here are my research results:

type=AVC (1400)

Used by AppArmor and SELinux for various messages.

`apparmor="DENIED"` or `apparmor="ALLOWED"`

  • operation
    Type of operation performed (usually system call, e.g. open, mknod)
  • profile
    Name of profile applied
  • name (FS operations only)
    Name of target file
  • peer (only if operation=ptrace)
    Profile name of target process (?)
  • pid
    Process ID
  • comm
    Usually thread name (or program's name if thread doesn't have a custom name).
  • requested_mask
    Requested access type (one of rwxmkl for FS operations, trace for ptrace, ...)
  • denied_mask
    Which kind of access is denied (?)
  • fsuid
    Process's FS UID.
  • ouid
    TODO

apparmor="STATUS"

  • operation

    • profile_load
    • profile_replace
    • profile_remove
  • profile
    Profile of executor's process, if any, otherwise "unconfined".

  • name
    Name of relevant profile

  • pid
    Process ID

  • comm
    Usually thread name (or program's name if thread doesn't have a custom name).

Examples

type=AVC msg=audit(1522442734.236:76430): apparmor="DENIED" operation="ptrace" profile="/usr/{lib/firefox/firefox,lib/firefox-esr/firefox-esr}" pid=11270 comm=46532042726F6B6572203237373233 requested_mask="trace" denied_mask="trace" peer="/usr/{lib/firefox/firefox,lib/firefox-esr/firefox-esr}"
type=AVC msg=audit(1522959040.390:897): apparmor="DENIED" operation="open" profile="/usr/lib/thunderbird/thunderbird{,-bin}" name="/home/user/.cache/thunderbird/i8qh2tsj.default/startupCache/startupCache.8.little" pid=25104 comm="StartupCache" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

@foxcpp
Owner Author

foxcpp commented Apr 3, 2018

Doesn't seem to be documented, so here are my research results:

type=SECCOMP (1326)

Used by Secure Computing subsystem for notifications about violations.

Fields

  • auid
    Audit UID, original process owner
  • uid
    Process owner's UID (?)
  • gid
    Process owner's GID (?)
  • ses
    Session id
  • pid
    Process ID
  • comm
    Thread name
  • exe
    Full path to process image
  • sig
    Signal sent to process
  • arch
    Process's architecture.
    • c000003e is x86_64
  • syscall
    System call ID
  • compat
    TODO
  • ip
    Current instruction pointer of thread
  • code (!)
    Seccomp action code

Examples

auid=1000 uid=1000 gid=1000 ses=1 pid=3166 comm="VideoCapture" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7fb6e3b56667 code=0x0

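A parser for the two record shapes documented in the comments above (the AppArmor AVC record and the seccomp record), added here as an illustration; this is not audit_pretty's own code. It handles the one detail visible in the examples that a naive key=value split gets wrong: `comm=46532042726F6B6572203237373233` is the kernel's hex encoding of a string containing spaces. The seccomp line's `msg=audit(...)` header is constructed, its fields are the ones shown above.

```python
import re

# Constructed sample records in the shapes documented in this issue; the
# seccomp line's msg= header is made up, its fields are the ones shown above.
AVC_LINE = ('type=AVC msg=audit(1522442734.236:76430): apparmor="DENIED" operation="ptrace" '
            'profile="/usr/{lib/firefox/firefox,lib/firefox-esr/firefox-esr}" pid=11270 '
            'comm=46532042726F6B6572203237373233 requested_mask="trace" denied_mask="trace" '
            'peer="/usr/{lib/firefox/firefox,lib/firefox-esr/firefox-esr}"')
SECCOMP_LINE = ('type=SECCOMP msg=audit(1522442800.000:900): auid=1000 uid=1000 gid=1000 ses=1 '
                'pid=3166 comm="VideoCapture" exe="/usr/lib/firefox/firefox" sig=31 '
                'arch=c000003e syscall=144 compat=0 ip=0x7fb6e3b56667 code=0x0')

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String-valued fields that the kernel emits as bare hex when the value contains
# spaces, quotes or control characters (comm=4653... above is such a case).
HEX_FIELDS = {'comm', 'exe', 'name', 'proctitle', 'cwd', 'profile', 'peer'}
ARCH_NAMES = {'c000003e': 'x86_64'}  # only the value documented in this issue

def decode_value(key, raw):
    # Quoted values are taken verbatim; bare hex in a string field is decoded.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        try:
            return bytes.fromhex(raw).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            return raw  # not valid hex/UTF-8 after all; keep the raw text
    return raw

def parse_record(line):
    """Split one audit record into its header (type, timestamp, serial) and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not an audit record: %r' % line)
    rec = {'type': m.group(1), 'timestamp': float(m.group(2)), 'serial': int(m.group(3))}
    for key, raw in FIELD_RE.findall(m.group(4)):
        rec[key] = decode_value(key, raw)
    return rec

def summarize(rec):
    # One-line summary for the two record types documented in this issue.
    if rec['type'] == 'AVC' and rec.get('apparmor') in ('DENIED', 'ALLOWED'):
        target = rec.get('name') or rec.get('peer') or '?'
        mask = rec.get('denied_mask') or rec.get('requested_mask') or '?'
        return 'AppArmor %s: %s[%s] %s %s (mask %s, profile %s)' % (
            rec['apparmor'], rec['comm'], rec['pid'], rec['operation'], target, mask, rec['profile'])
    if rec['type'] == 'SECCOMP':
        arch = ARCH_NAMES.get(rec['arch'], rec['arch'])
        return 'seccomp: %s[%s] %s syscall %s on %s, signal %s, action code %s' % (
            rec['comm'], rec['pid'], rec['exe'], rec['syscall'], arch, rec['sig'], rec['code'])
    return '%s: no pretty-printer for this record type' % rec['type']
```

Running `summarize(parse_record(AVC_LINE))` shows the ptrace denial with the decoded thread name "FS Broker 27723" instead of the hex blob.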
@foxcpp foxcpp pinned this issue Feb 18, 2019
@QGB

QGB commented Oct 29, 2022

@foxcpp

any update for now?

@foxcpp
Owner Author

foxcpp commented Oct 30, 2022

No. The project is unmaintained since I lost interest in messing with libaudit.
