    25 Must know AUDIT RECORD TYPES in Linux

    These record types are used by audispd. audispd is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in real time. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.

    For Example:

    Sep 16 18:14:45 server audispd: node=server type=ANOM_ABEND msg=audit(1568675685.304:2067): auid=4294967295 uid=202 gid=202 ses=4294967295 pid=118623 comm="rm" reason="memory violation" sig=11

    So let's check out some of these record types. This will be handy when we check security events:
    ADD_GROUP :- Triggered when a user-space group is added.
    ADD_USER :- Triggered when a user-space user account is added.
    ANOM_ABEND :- Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled).
    ANOM_CRYPTO_FAIL :- Triggered when a failure in the cryptographic system is detected.
    ANOM_EXEC :- Triggered when an execution of a file ends abnormally.
    ANOM_LOGIN_ACCT :- Triggered when an account login attempt ends abnormally.
    ANOM_LOGIN_FAILURES :- Triggered when the limit of failed login attempts is reached.
    ANOM_LOGIN_SESSIONS :- Triggered when a login attempt reaches the maximum number of concurrent sessions.
    ANOM_LOGIN_TIME :- Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
    ANOM_MK_EXEC :- Triggered when a file is made executable.
    ANOM_ROOT_TRANS :- Triggered when a user becomes root.
    AVC :- Triggered to record an SELinux permission check.
    AVC_PATH :- Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
    CHGRP_ID :- Triggered when a user-space group ID is changed.
    CHUSER_ID :- Triggered when a user-space user ID is changed.
    CRYPTO_FAILURE_USER :- Triggered when a decrypt, encrypt, or randomize cryptographic operation fails.
    CRYPTO_LOGIN :- Triggered when a cryptographic officer login attempt is detected.
    CRYPTO_LOGOUT :- Triggered when a crypto officer logout attempt is detected.
    CRYPTO_SESSION :- Triggered to record parameters set during a TLS session establishment.
    CWD :- Triggered to record the current working directory.
    DAEMON_ABORT :- Triggered when a daemon is stopped due to an error.
    DAEMON_END :- Triggered when a daemon is successfully stopped.
    KERNEL :- Triggered to record the initialization of the Audit system.
    KERNEL_OTHER :- Triggered to record information from third-party kernel modules.
    LABEL_LEVEL_CHANGE :- Triggered when an object's level label is modified.
    LABEL_OVERRIDE :- Triggered when an administrator overrides an object's level label.
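    As an added example (not part of the original post), here is a small Python parser for the audispd line format shown above: it pulls the audit(timestamp:serial) event id out of msg=, flattens the nested msg='...' that user-space records carry, and then picks the ANOM_* and account-change records from the list above out for review. The first sample line is the page's own ANOM_ABEND record; the other two lines, their field values and the set of "review" types are constructed assumptions.

```python
import re

# Constructed sample input in audispd syslog format. Line 1 is the page's own
# example; lines 2 and 3 are made-up ANOM_LOGIN_FAILURES and ADD_USER records.
SAMPLE_LINES = [
    'Sep 16 18:14:45 server audispd: node=server type=ANOM_ABEND msg=audit(1568675685.304:2067): '
    'auid=4294967295 uid=202 gid=202 ses=4294967295 pid=118623 comm="rm" reason="memory violation" sig=11',
    'Sep 16 18:15:02 server audispd: node=server type=ANOM_LOGIN_FAILURES msg=audit(1568675702.118:2071): '
    'pid=2210 uid=0 auid=4294967295 ses=4294967295 msg=\'op=max failed logins acct="bob" '
    'exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed\'',
    'Sep 16 18:15:30 server audispd: node=server type=ADD_USER msg=audit(1568675730.552:2075): '
    'pid=2304 uid=0 auid=1000 ses=4 msg=\'op=adding user id=1001 exe="/usr/sbin/useradd" '
    'hostname=? addr=? terminal=pts/0 res=success\'',
]

# Outer fields: key=value where value is double-quoted, single-quoted or bare.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
# Inner fields of a user-space msg='...': values may contain spaces (op=max failed logins),
# so a value runs until the next " key=" or end of string.
INNER_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Record types from the list above that an analyst would always want to see (assumption).
ACCOUNT_CHANGE_TYPES = {'ADD_USER', 'ADD_GROUP', 'CHUSER_ID', 'CHGRP_ID'}


def parse_record(line):
    """Return a flat dict of fields for one audispd line (timestamp/serial from msg=audit(...))."""
    payload = line.split('audispd: ', 1)[-1]
    fields = {}
    for key, raw in TOKEN_RE.findall(payload):
        value = raw.strip('"\'')
        if key == 'msg' and value.startswith('audit('):
            m = EVENT_RE.search(value)
            fields['timestamp'], fields['serial'] = float(m.group(1)), int(m.group(2))
        elif key == 'msg':  # nested key=value list of a user-space record
            fields.update((k, v.strip('"')) for k, v in INNER_RE.findall(value))
        else:
            fields[key] = value
    return fields


def records_to_review(records):
    """Select anomaly (ANOM_*) records and account changes, in original order."""
    return [r for r in records
            if r['type'].startswith('ANOM_') or r['type'] in ACCOUNT_CHANGE_TYPES]


if __name__ == '__main__':
    for r in records_to_review([parse_record(l) for l in SAMPLE_LINES]):
        print(f"{r['serial']} {r['type']:<20} uid={r.get('uid')} "
              f"{r.get('comm') or r.get('exe')} {r.get('reason') or r.get('op')}")
```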