// This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. package libaudit // audit_constants.go contains constants used within libaudit, sourced from linux/audit.h // (from the Linux kernel) and from libaudit.h in the audit userspace source code. // Code generated using various audit headers, DO NOT EDIT. const ( AUDIT_STATUS_SIZE = 40 // Size of auditStatus ) const ( MAX_AUDIT_MESSAGE_LENGTH = 8970 AUDIT_MAX_FIELDS = 64 AUDIT_BITMASK_SIZE = 64 //Rule Flags AUDIT_FILTER_USER = 0x00 /* Apply rule to user-generated messages */ AUDIT_FILTER_TASK = 0x01 /* Apply rule at task creation (not syscall) */ AUDIT_FILTER_ENTRY = 0x02 /* Apply rule at syscall entry */ AUDIT_FILTER_WATCH = 0x03 /* Apply rule to file system watches */ AUDIT_FILTER_EXIT = 0x04 /* Apply rule at syscall exit */ AUDIT_FILTER_TYPE = 0x05 /* Apply rule at audit_log_start */ /* These are used in filter control */ AUDIT_FILTER_MASK = 0x07 /* Mask to get actual filter */ AUDIT_FILTER_UNSET = 0x80 /* This value means filter is unset */ /* Rule actions */ AUDIT_NEVER = 0 /* Do not build context if rule matches */ AUDIT_POSSIBLE = 1 /* Build context if rule matches */ AUDIT_ALWAYS = 2 /* Generate audit record if rule matches */ /* Rule fields */ /* These are useful when checking the * task structure at task creation time * (AUDIT_PER_TASK). */ AUDIT_PID = 0 AUDIT_UID = 1 AUDIT_EUID = 2 AUDIT_SUID = 3 AUDIT_FSUID = 4 AUDIT_GID = 5 AUDIT_EGID = 6 AUDIT_SGID = 7 AUDIT_FSGID = 8 AUDIT_LOGINUID = 9 AUDIT_OBJ_GID = 110 AUDIT_OBJ_UID = 109 AUDIT_EXIT = 103 AUDIT_PERS = 10 AUDIT_FILTER_EXCLUDE = 0x05 AUDIT_ARCH = 11 PATH_MAX = 4096 AUDIT_MSGTYPE = 12 AUDIT_MAX_KEY_LEN = 256 AUDIT_PERM = 106 AUDIT_FILTERKEY = 210 AUDIT_SUBJ_USER = 13 /* security label user */ AUDIT_SUBJ_ROLE = 14 /* security label role */ AUDIT_SUBJ_TYPE = 15 /* security label type */ AUDIT_SUBJ_SEN = 16 /* security label sensitivity label */ AUDIT_SUBJ_CLR = 17 /* security label clearance label */ AUDIT_PPID = 18 AUDIT_OBJ_USER = 19 AUDIT_OBJ_ROLE = 20 AUDIT_OBJ_TYPE = 21 AUDIT_WATCH = 105 AUDIT_DIR = 107 AUDIT_OBJ_LEV_LOW = 22 AUDIT_OBJ_LEV_HIGH = 23 AUDIT_LOGINUID_SET = 24 AUDIT_DEVMAJOR = 100 AUDIT_DEVMINOR = 101 AUDIT_INODE = 102 AUDIT_SUCCESS = 104 AUDIT_FIELD_COMPARE = 111 AUDIT_EXE = 112 AUDIT_PERM_EXEC = 1 AUDIT_PERM_WRITE = 2 AUDIT_PERM_READ = 4 AUDIT_PERM_ATTR = 8 AUDIT_FILETYPE = 108 AUDIT_ARG0 = 200 AUDIT_ARG1 = (AUDIT_ARG0 + 1) AUDIT_ARG2 = (AUDIT_ARG0 + 2) AUDIT_ARG3 = (AUDIT_ARG0 + 3) AUDIT_BIT_MASK = 0x08000000 AUDIT_LESS_THAN = 0x10000000 AUDIT_GREATER_THAN = 0x20000000 AUDIT_NOT_EQUAL = 0x30000000 AUDIT_EQUAL = 0x40000000 AUDIT_BIT_TEST = (AUDIT_BIT_MASK | AUDIT_EQUAL) AUDIT_LESS_THAN_OR_EQUAL = (AUDIT_LESS_THAN | AUDIT_EQUAL) AUDIT_GREATER_THAN_OR_EQUAL = (AUDIT_GREATER_THAN | AUDIT_EQUAL) AUDIT_OPERATORS = (AUDIT_EQUAL | AUDIT_NOT_EQUAL | AUDIT_BIT_MASK) /* Status symbols */ /* Mask values */ AUDIT_STATUS_ENABLED = 0x0001 AUDIT_STATUS_FAILURE = 0x0002 AUDIT_STATUS_PID = 0x0004 AUDIT_STATUS_RATE_LIMIT = 0x0008 AUDIT_STATUS_BACKLOG_LIMIT = 0x0010 /* Failure-to-log actions */ AUDIT_FAIL_SILENT = 0 AUDIT_FAIL_PRINTK = 1 AUDIT_FAIL_PANIC = 2 /* distinguish syscall tables */ __AUDIT_ARCH_64BIT = 0x80000000 __AUDIT_ARCH_LE = 0x40000000 AUDIT_ARCH_ALPHA = (EM_ALPHA | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) AUDIT_ARCH_ARM = (EM_ARM | __AUDIT_ARCH_LE) AUDIT_ARCH_ARMEB = (EM_ARM) AUDIT_ARCH_CRIS = (EM_CRIS | __AUDIT_ARCH_LE) AUDIT_ARCH_FRV = (EM_FRV) AUDIT_ARCH_I386 = (EM_386 | __AUDIT_ARCH_LE) AUDIT_ARCH_IA64 = (EM_IA_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) AUDIT_ARCH_M32R = (EM_M32R) AUDIT_ARCH_M68K = (EM_68K) AUDIT_ARCH_MIPS = (EM_MIPS) AUDIT_ARCH_MIPSEL = (EM_MIPS | __AUDIT_ARCH_LE) AUDIT_ARCH_MIPS64 = (EM_MIPS | __AUDIT_ARCH_64BIT) AUDIT_ARCH_MIPSEL64 = (EM_MIPS | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) // AUDIT_ARCH_OPENRISC = (EM_OPENRISC) // AUDIT_ARCH_PARISC = (EM_PARISC) // AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT) AUDIT_ARCH_PPC = (EM_PPC) AUDIT_ARCH_PPC64 = (EM_PPC64 | __AUDIT_ARCH_64BIT) AUDIT_ARCH_S390 = (EM_S390) AUDIT_ARCH_S390X = (EM_S390 | __AUDIT_ARCH_64BIT) AUDIT_ARCH_SH = (EM_SH) AUDIT_ARCH_SHEL = (EM_SH | __AUDIT_ARCH_LE) AUDIT_ARCH_SH64 = (EM_SH | __AUDIT_ARCH_64BIT) AUDIT_ARCH_SHEL64 = (EM_SH | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) AUDIT_ARCH_SPARC = (EM_SPARC) AUDIT_ARCH_SPARC64 = (EM_SPARCV9 | __AUDIT_ARCH_64BIT) AUDIT_ARCH_X86_64 = (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) ///Temporary Solution need to add linux/elf-em.h EM_NONE = 0 EM_M32 = 1 EM_SPARC = 2 EM_386 = 3 EM_68K = 4 EM_88K = 5 EM_486 = 6 /* Perhaps disused */ EM_860 = 7 EM_MIPS = 8 /* MIPS R3000 (officially, big-endian only) */ /* Next two are historical and binaries and modules of these types will be rejected by Linux. */ EM_MIPS_RS3_LE = 10 /* MIPS R3000 little-endian */ EM_MIPS_RS4_BE = 10 /* MIPS R4000 big-endian */ EM_PARISC = 15 /* HPPA */ EM_SPARC32PLUS = 18 /* Sun's "v8plus" */ EM_PPC = 20 /* PowerPC */ EM_PPC64 = 21 /* PowerPC64 */ EM_SPU = 23 /* Cell BE SPU */ EM_ARM = 40 /* ARM 32 bit */ EM_SH = 42 /* SuperH */ EM_SPARCV9 = 43 /* SPARC v9 64-bit */ EM_IA_64 = 50 /* HP/Intel IA-64 */ EM_X86_64 = 62 /* AMD x86-64 */ EM_S390 = 22 /* IBM S/390 */ EM_CRIS = 76 /* Axis Communications 32-bit embedded processor */ EM_V850 = 87 /* NEC v850 */ EM_M32R = 88 /* Renesas M32R */ EM_MN10300 = 89 /* Panasonic/MEI MN10300, AM33 */ EM_BLACKFIN = 106 /* ADI Blackfin Processor */ EM_TI_C6000 = 140 /* TI C6X DSPs */ EM_AARCH64 = 183 /* ARM 64 bit */ EM_FRV = 0x5441 /* Fujitsu FR-V */ EM_AVR32 = 0x18ad /* Atmel AVR32 */ /* * This is an interim value that we will use until the committee comes * up with a final number. */ EM_ALPHA = 0x9026 /* Bogus old v850 magic number, used by old tools. */ EM_CYGNUS_V850 = 0x9080 /* Bogus old m32r magic number, used by old tools. */ EM_CYGNUS_M32R = 0x9041 /* This is the old interim value for S/390 architecture */ EM_S390_OLD = 0xA390 /* Also Panasonic/MEI MN10300, AM33 */ EM_CYGNUS_MN10300 = 0xbeef //AUDIT_ARCH determination purpose _UTSNAME_LENGTH = 65 _UTSNAME_DOMAIN_LENGTH = _UTSNAME_LENGTH _UTSNAME_NODENAME_LENGTH = _UTSNAME_DOMAIN_LENGTH ) /* Audit message types as of 2.6.29 kernel: * 1000 - 1099 are for commanding the audit system * 1100 - 1199 user space trusted application messages * 1200 - 1299 messages internal to the audit daemon * 1300 - 1399 audit event messages * 1400 - 1499 kernel SE Linux use * 1500 - 1599 AppArmor events * 1600 - 1699 kernel crypto events * 1700 - 1799 kernel anomaly records * 1800 - 1899 kernel integrity labels and related events * 1800 - 1999 future kernel use * 2001 - 2099 unused (kernel) * 2100 - 2199 user space anomaly records * 2200 - 2299 user space actions taken in response to anomalies * 2300 - 2399 user space generated LSPP events * 2400 - 2499 user space crypto events * 2500 - 2599 user space virtualization management events * 2600 - 2999 future user space (maybe integrity labels and related events) */ //go:generate stringer -type=auditConstant audit_constant.go type auditConstant uint16 const ( AUDIT_GET auditConstant = 1000 /* Get status */ AUDIT_SET auditConstant = 1001 /* Set status (enable/disable/auditd) */ AUDIT_LIST auditConstant = 1002 /* List syscall rules -- deprecated */ AUDIT_ADD auditConstant = 1003 /* Add syscall rule -- deprecated */ AUDIT_DEL auditConstant = 1004 /* Delete syscall rule -- deprecated */ AUDIT_USER auditConstant = 1005 /* Message from userspace -- deprecated */ AUDIT_LOGIN auditConstant = 1006 /* Define the login id and information */ AUDIT_WATCH_INS auditConstant = 1007 /* Insert file/dir watch entry */ AUDIT_WATCH_REM auditConstant = 1008 /* Remove file/dir watch entry */ AUDIT_WATCH_LIST auditConstant = 1009 /* List all file/dir watches */ AUDIT_SIGNAL_INFO auditConstant = 1010 /* Get info about sender of signal to auditd */ AUDIT_ADD_RULE auditConstant = 1011 /* Add syscall filtering rule */ AUDIT_DEL_RULE auditConstant = 1012 /* Delete syscall filtering rule */ AUDIT_LIST_RULES auditConstant = 1013 /* List syscall filtering rules */ AUDIT_TRIM auditConstant = 1014 /* Trim junk from watched tree */ AUDIT_MAKE_EQUIV auditConstant = 1015 /* Append to watched tree */ AUDIT_TTY_GET auditConstant = 1016 /* Get TTY auditing status */ AUDIT_TTY_SET auditConstant = 1017 /* Set TTY auditing status */ AUDIT_SET_FEATURE auditConstant = 1018 /* Turn an audit feature on or off */ AUDIT_GET_FEATURE auditConstant = 1019 /* Get which features are enabled */ AUDIT_FIRST_USER_MSG auditConstant = 1100 /* First user space message */ AUDIT_LAST_USER_MSG auditConstant = 1199 /* Last user space message */ AUDIT_USER_AUTH auditConstant = 1100 /* User space authentication */ AUDIT_USER_ACCT auditConstant = 1101 /* User space acct change */ AUDIT_USER_MGMT auditConstant = 1102 /* User space acct management */ AUDIT_CRED_ACQ auditConstant = 1103 /* User space credential acquired */ AUDIT_CRED_DISP auditConstant = 1104 /* User space credential disposed */ AUDIT_USER_START auditConstant = 1105 /* User space session start */ AUDIT_USER_END auditConstant = 1106 /* User space session end */ AUDIT_USER_AVC auditConstant = 1107 /* User space avc message */ AUDIT_USER_CHAUTHTOK auditConstant = 1108 /* User space acct attr changed */ AUDIT_USER_ERR auditConstant = 1109 /* User space acct state err */ AUDIT_CRED_REFR auditConstant = 1110 /* User space credential refreshed */ AUDIT_USYS_CONFIG auditConstant = 1111 /* User space system config change */ AUDIT_USER_LOGIN auditConstant = 1112 /* User space user has logged in */ AUDIT_USER_LOGOUT auditConstant = 1113 /* User space user has logged out */ AUDIT_ADD_USER auditConstant = 1114 /* User space user account added */ AUDIT_DEL_USER auditConstant = 1115 /* User space user account deleted */ AUDIT_ADD_GROUP auditConstant = 1116 /* User space group added */ AUDIT_DEL_GROUP auditConstant = 1117 /* User space group deleted */ AUDIT_DAC_CHECK auditConstant = 1118 /* User space DAC check results */ AUDIT_CHGRP_ID auditConstant = 1119 /* User space group ID changed */ AUDIT_TEST auditConstant = 1120 /* Used for test success messages */ AUDIT_TRUSTED_APP auditConstant = 1121 /* Trusted app msg - freestyle text */ AUDIT_USER_SELINUX_ERR auditConstant = 1122 /* SE Linux user space error */ AUDIT_USER_CMD auditConstant = 1123 /* User shell command and args */ AUDIT_USER_TTY auditConstant = 1124 /* Non-ICANON TTY input meaning */ AUDIT_CHUSER_ID auditConstant = 1125 /* Changed user ID supplemental data */ AUDIT_GRP_AUTH auditConstant = 1126 /* Authentication for group password */ AUDIT_SYSTEM_BOOT auditConstant = 1127 /* System boot */ AUDIT_SYSTEM_SHUTDOWN auditConstant = 1128 /* System shutdown */ AUDIT_SYSTEM_RUNLEVEL auditConstant = 1129 /* System runlevel change */ AUDIT_SERVICE_START auditConstant = 1130 /* Service (daemon) start */ AUDIT_SERVICE_STOP auditConstant = 1131 /* Service (daemon) stop */ AUDIT_GRP_MGMT auditConstant = 1132 /* Group account attr was modified */ AUDIT_GRP_CHAUTHTOK auditConstant = 1133 /* Group acct password or pin changed */ AUDIT_MAC_CHECK auditConstant = 1134 /* User space MAC decision results */ AUDIT_ACCT_LOCK auditConstant = 1135 /* User's account locked by admin */ AUDIT_ACCT_UNLOCK auditConstant = 1136 /* User's account unlocked by admin */ AUDIT_FIRST_DAEMON auditConstant = 1200 AUDIT_LAST_DAEMON auditConstant = 1299 AUDIT_DAEMON_CONFIG auditConstant = 1203 /* Daemon config change */ AUDIT_DAEMON_RECONFIG auditConstant = 1204 /* Auditd should reconfigure */ AUDIT_DAEMON_ROTATE auditConstant = 1205 /* Auditd should rotate logs */ AUDIT_DAEMON_RESUME auditConstant = 1206 /* Auditd should resume logging */ AUDIT_DAEMON_ACCEPT auditConstant = 1207 /* Auditd accepted remote connection */ AUDIT_DAEMON_CLOSE auditConstant = 1208 /* Auditd closed remote connection */ AUDIT_SYSCALL auditConstant = 1300 /* Syscall event */ /* AUDIT_FS_WATCH auditConstant = 1301 * Deprecated */ AUDIT_PATH auditConstant = 1302 /* Filename path information */ AUDIT_IPC auditConstant = 1303 /* IPC record */ AUDIT_SOCKETCALL auditConstant = 1304 /* sys_socketcall arguments */ AUDIT_CONFIG_CHANGE auditConstant = 1305 /* Audit system configuration change */ AUDIT_SOCKADDR auditConstant = 1306 /* sockaddr copied as syscall arg */ AUDIT_CWD auditConstant = 1307 /* Current working directory */ AUDIT_EXECVE auditConstant = 1309 /* execve arguments */ AUDIT_IPC_SET_PERM auditConstant = 1311 /* IPC new permissions record type */ AUDIT_MQ_OPEN auditConstant = 1312 /* POSIX MQ open record type */ AUDIT_MQ_SENDRECV auditConstant = 1313 /* POSIX MQ send/receive record type */ AUDIT_MQ_NOTIFY auditConstant = 1314 /* POSIX MQ notify record type */ AUDIT_MQ_GETSETATTR auditConstant = 1315 /* POSIX MQ get/set attribute record type */ AUDIT_KERNEL_OTHER auditConstant = 1316 /* For use by 3rd party modules */ AUDIT_FD_PAIR auditConstant = 1317 /* audit record for pipe/socketpair */ AUDIT_OBJ_PID auditConstant = 1318 /* ptrace target */ AUDIT_TTY auditConstant = 1319 /* Input on an administrative TTY */ AUDIT_EOE auditConstant = 1320 /* End of multi-record event */ AUDIT_BPRM_FCAPS auditConstant = 1321 /* Information about fcaps increasing perms */ AUDIT_CAPSET auditConstant = 1322 /* Record showing argument to sys_capset */ AUDIT_MMAP auditConstant = 1323 /* Record showing descriptor and flags in mmap */ AUDIT_NETFILTER_PKT auditConstant = 1324 /* Packets traversing netfilter chains */ AUDIT_NETFILTER_CFG auditConstant = 1325 /* Netfilter chain modifications */ AUDIT_SECCOMP auditConstant = 1326 /* Secure Computing event */ AUDIT_PROCTITLE auditConstant = 1327 /* Proctitle emit event */ AUDIT_FEATURE_CHANGE auditConstant = 1328 /* audit log listing feature changes */ /* AUDIT_FIRST_EVENT 1300 */ //TODO: libaudit define this as AUDIT_FIRST_EVENT but audit.h differently. AUDIT_LAST_EVENT auditConstant = 1399 /* AUDIT_FIRST_SELINUX 1400 */ // TODO: libaudit define this as AUDIT_FIRST_SELINUX but audit.h as AUDIT_AVC AUDIT_AVC auditConstant = 1400 /* SE Linux avc denial or grant */ AUDIT_SELINUX_ERR auditConstant = 1401 /* internal SE Linux Errors */ AUDIT_AVC_PATH auditConstant = 1402 /* dentry, vfsmount pair from avc */ AUDIT_MAC_POLICY_LOAD auditConstant = 1403 /* Policy file load */ AUDIT_MAC_STATUS auditConstant = 1404 /* Changed enforcing,permissive,off */ AUDIT_MAC_CONFIG_CHANGE auditConstant = 1405 /* Changes to booleans */ AUDIT_MAC_UNLBL_ALLOW auditConstant = 1406 /* NetLabel: allow unlabeled traffic */ AUDIT_MAC_CIPSOV4_ADD auditConstant = 1407 /* NetLabel: add CIPSOv4 DOI entry */ AUDIT_MAC_CIPSOV4_DEL auditConstant = 1408 /* NetLabel: del CIPSOv4 DOI entry */ AUDIT_MAC_MAP_ADD auditConstant = 1409 /* NetLabel: add LSM domain mapping */ AUDIT_MAC_MAP_DEL auditConstant = 1410 /* NetLabel: del LSM domain mapping */ AUDIT_MAC_IPSEC_ADDSA auditConstant = 1411 /* Not used */ AUDIT_MAC_IPSEC_DELSA auditConstant = 1412 /* Not used */ AUDIT_MAC_IPSEC_ADDSPD auditConstant = 1413 /* Not used */ AUDIT_MAC_IPSEC_DELSPD auditConstant = 1414 /* Not used */ AUDIT_MAC_IPSEC_EVENT auditConstant = 1415 /* Audit an IPSec event */ AUDIT_MAC_UNLBL_STCADD auditConstant = 1416 /* NetLabel: add a static label */ AUDIT_MAC_UNLBL_STCDEL auditConstant = 1417 /* NetLabel: del a static label */ AUDIT_LAST_SELINUX auditConstant = 1499 AUDIT_FIRST_APPARMOR auditConstant = 1500 AUDIT_LAST_APPARMOR auditConstant = 1599 AUDIT_AA auditConstant = 1500 /* Not upstream yet*/ AUDIT_APPARMOR_AUDIT auditConstant = 1501 AUDIT_APPARMOR_ALLOWED auditConstant = 1502 AUDIT_APPARMOR_DENIED auditConstant = 1503 AUDIT_APPARMOR_HT auditConstant = 1504 AUDIT_APPARMOR_STATUS auditConstant = 1505 AUDIT_APPARMOR_ERROR auditConstant = 1506 AUDIT_FIRST_KERN_CRYPTO_MSG auditConstant = 1600 AUDIT_LAST_KERN_CRYPTO_MSG auditConstant = 1699 // AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700 AUDIT_LAST_KERN_ANOM_MSG auditConstant = 1799 AUDIT_ANOM_PROMISCUOUS auditConstant = 1700 /* Device changed promiscuous mode */ AUDIT_ANOM_ABEND auditConstant = 1701 /* Process ended abnormally */ AUDIT_ANOM_LINK auditConstant = 1702 /* Suspicious use of file links */ AUDIT_INTEGRITY_FIRST_MSG auditConstant = 1800 AUDIT_TINTEGRITY_LAST_MSG auditConstant = 1899 AUDIT_INTEGRITY_DATA auditConstant = 1800 /* Data integrity verification */ AUDIT_INTEGRITY_METADATA auditConstant = 1801 // Metadata integrity verification AUDIT_INTEGRITY_STATUS auditConstant = 1802 /* integrity enable status */ AUDIT_INTEGRITY_HASH auditConstant = 1803 /* integrity HASH type */ AUDIT_INTEGRITY_PCR auditConstant = 1804 /* PCR invalidation msgs */ AUDIT_INTEGRITY_RULE auditConstant = 1805 /* Policy rule */ AUDIT_KERNEL auditConstant = 2000 /* Asynchronous audit record. NOT A REQUEST. */ AUDIT_FIRST_ANOM_MSG auditConstant = 2100 AUDIT_LAST_ANOM_MSG auditConstant = 2199 AUDIT_ANOM_LOGIN_FAILURES auditConstant = 2100 // Failed login limit reached AUDIT_ANOM_LOGIN_TIME auditConstant = 2101 // Login attempted at bad time AUDIT_ANOM_LOGIN_SESSIONS auditConstant = 2102 // Max concurrent sessions reached AUDIT_ANOM_LOGIN_ACCT auditConstant = 2103 // Login attempted to watched acct AUDIT_ANOM_LOGIN_LOCATION auditConstant = 2104 // Login from forbidden location AUDIT_ANOM_MAX_DAC auditConstant = 2105 // Max DAC failures reached AUDIT_ANOM_MAX_MAC auditConstant = 2106 // Max MAC failures reached AUDIT_ANOM_AMTU_FAIL auditConstant = 2107 // AMTU failure AUDIT_ANOM_RBAC_FAIL auditConstant = 2108 // RBAC self test failure AUDIT_ANOM_RBAC_INTEGRITY_FAIL auditConstant = 2109 // RBAC file Tegrity failure AUDIT_ANOM_CRYPTO_FAIL auditConstant = 2110 // Crypto system test failure AUDIT_ANOM_ACCESS_FS auditConstant = 2111 // Access of file or dir AUDIT_ANOM_EXEC auditConstant = 2112 // Execution of file AUDIT_ANOM_MK_EXEC auditConstant = 2113 // Make an executable AUDIT_ANOM_ADD_ACCT auditConstant = 2114 // Adding an acct AUDIT_ANOM_DEL_ACCT auditConstant = 2115 // Deleting an acct AUDIT_ANOM_MOD_ACCT auditConstant = 2116 // Changing an acct AUDIT_ANOM_ROOT_TRANS auditConstant = 2117 // User became root AUDIT_FIRST_ANOM_RESP auditConstant = 2200 AUDIT_LAST_ANOM_RESP auditConstant = 2299 AUDIT_RESP_ANOMALY auditConstant = 2200 /* Anomaly not reacted to */ AUDIT_RESP_ALERT auditConstant = 2201 /* Alert email was sent */ AUDIT_RESP_KILL_PROC auditConstant = 2202 /* Kill program */ AUDIT_RESP_TERM_ACCESS auditConstant = 2203 /* Terminate session */ AUDIT_RESP_ACCT_REMOTE auditConstant = 2204 /* Acct locked from remote access*/ AUDIT_RESP_ACCT_LOCK_TIMED auditConstant = 2205 /* User acct locked for time */ AUDIT_RESP_ACCT_UNLOCK_TIMED auditConstant = 2206 /* User acct unlocked from time */ AUDIT_RESP_ACCT_LOCK auditConstant = 2207 /* User acct was locked */ AUDIT_RESP_TERM_LOCK auditConstant = 2208 /* Terminal was locked */ AUDIT_RESP_SEBOOL auditConstant = 2209 /* Set an SE Linux boolean */ AUDIT_RESP_EXEC auditConstant = 2210 /* Execute a script */ AUDIT_RESP_SINGLE auditConstant = 2211 /* Go to single user mode */ AUDIT_RESP_HALT auditConstant = 2212 /* take the system down */ AUDIT_FIRST_USER_LSPP_MSG auditConstant = 2300 AUDIT_LAST_USER_LSPP_MSG auditConstant = 2399 AUDIT_USER_ROLE_CHANGE auditConstant = 2300 /* User changed to a new role */ AUDIT_ROLE_ASSIGN auditConstant = 2301 /* Admin assigned user to role */ AUDIT_ROLE_REMOVE auditConstant = 2302 /* Admin removed user from role */ AUDIT_LABEL_OVERRIDE auditConstant = 2303 /* Admin is overriding a label */ AUDIT_LABEL_LEVEL_CHANGE auditConstant = 2304 /* Object's level was changed */ AUDIT_USER_LABELED_EXPORT auditConstant = 2305 /* Object exported with label */ AUDIT_USER_UNLABELED_EXPORT auditConstant = 2306 /* Object exported without label */ AUDIT_DEV_ALLOC auditConstant = 2307 /* Device was allocated */ AUDIT_DEV_DEALLOC auditConstant = 2308 /* Device was deallocated */ AUDIT_FS_RELABEL auditConstant = 2309 /* Filesystem relabeled */ AUDIT_USER_MAC_POLICY_LOAD auditConstant = 2310 /* Userspc daemon loaded policy */ AUDIT_ROLE_MODIFY auditConstant = 2311 /* Admin modified a role */ AUDIT_USER_MAC_CONFIG_CHANGE auditConstant = 2312 /* Change made to MAC policy */ AUDIT_FIRST_CRYPTO_MSG auditConstant = 2400 AUDIT_CRYPTO_TEST_USER auditConstant = 2400 /* Crypto test results */ AUDIT_CRYPTO_PARAM_CHANGE_USER auditConstant = 2401 /* Crypto attribute change */ AUDIT_CRYPTO_LOGIN auditConstant = 2402 /* Logged in as crypto officer */ AUDIT_CRYPTO_LOGOUT auditConstant = 2403 /* Logged out from crypto */ AUDIT_CRYPTO_KEY_USER auditConstant = 2404 /* Create,delete,negotiate */ AUDIT_CRYPTO_FAILURE_USER auditConstant = 2405 /* Fail decrypt,encrypt,randomiz */ AUDIT_CRYPTO_REPLAY_USER auditConstant = 2406 /* Crypto replay detected */ AUDIT_CRYPTO_SESSION auditConstant = 2407 /* Record parameters set during TLS session establishment */ AUDIT_CRYPTO_IKE_SA auditConstant = 2408 /* Record parameters related to IKE SA */ AUDIT_CRYPTO_IPSEC_SA auditConstant = 2409 /* Record parameters related to IPSEC SA */ AUDIT_LAST_CRYPTO_MSG auditConstant = 2499 AUDIT_FIRST_VIRT_MSG auditConstant = 2500 AUDIT_VIRT_CONTROL auditConstant = 2500 /* Start, Pause, Stop VM */ AUDIT_VIRT_RESOURCE auditConstant = 2501 /* Resource assignment */ AUDIT_VIRT_MACHINE_ID auditConstant = 2502 /* Binding of label to VM */ AUDIT_LAST_VIRT_MSG auditConstant = 2599 AUDIT_LAST_USER_MSG2 auditConstant = 2999 // Field Comparing Constants AUDIT_COMPARE_UID_TO_OBJ_UID auditConstant = 1 AUDIT_COMPARE_GID_TO_OBJ_GID auditConstant = 2 AUDIT_COMPARE_EUID_TO_OBJ_UID auditConstant = 3 AUDIT_COMPARE_EGID_TO_OBJ_GID auditConstant = 4 AUDIT_COMPARE_AUID_TO_OBJ_UID auditConstant = 5 AUDIT_COMPARE_SUID_TO_OBJ_UID auditConstant = 6 AUDIT_COMPARE_SGID_TO_OBJ_GID auditConstant = 7 AUDIT_COMPARE_FSUID_TO_OBJ_UID auditConstant = 8 AUDIT_COMPARE_FSGID_TO_OBJ_GID auditConstant = 9 AUDIT_COMPARE_UID_TO_AUID auditConstant = 10 AUDIT_COMPARE_UID_TO_EUID auditConstant = 11 AUDIT_COMPARE_UID_TO_FSUID auditConstant = 12 AUDIT_COMPARE_UID_TO_SUID auditConstant = 13 AUDIT_COMPARE_AUID_TO_FSUID auditConstant = 14 AUDIT_COMPARE_AUID_TO_SUID auditConstant = 15 AUDIT_COMPARE_AUID_TO_EUID auditConstant = 16 AUDIT_COMPARE_EUID_TO_SUID auditConstant = 17 AUDIT_COMPARE_EUID_TO_FSUID auditConstant = 18 AUDIT_COMPARE_SUID_TO_FSUID auditConstant = 19 AUDIT_COMPARE_GID_TO_EGID auditConstant = 20 AUDIT_COMPARE_GID_TO_FSGID auditConstant = 21 AUDIT_COMPARE_GID_TO_SGID auditConstant = 22 AUDIT_COMPARE_EGID_TO_FSGID auditConstant = 23 AUDIT_COMPARE_EGID_TO_SGID auditConstant = 24 AUDIT_COMPARE_SGID_TO_FSGID auditConstant = 25 )