зеркало из https://github.com/mozilla/libaudit-go.git
475 строки
25 KiB
Go
475 строки
25 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package libaudit
|
|
|
|
// audit_constants.go contains constants used within libaudit, sourced from linux/audit.h
|
|
// (from the Linux kernel) and from libaudit.h in the audit userspace source code.
|
|
|
|
// Code generated using various audit headers, DO NOT EDIT.
|
|
|
|
const (
|
|
AUDIT_STATUS_SIZE = 40 // Size of auditStatus
|
|
)
|
|
|
|
const (
|
|
MAX_AUDIT_MESSAGE_LENGTH = 8970
|
|
AUDIT_MAX_FIELDS = 64
|
|
AUDIT_BITMASK_SIZE = 64
|
|
//Rule Flags
|
|
AUDIT_FILTER_USER = 0x00 /* Apply rule to user-generated messages */
|
|
AUDIT_FILTER_TASK = 0x01 /* Apply rule at task creation (not syscall) */
|
|
AUDIT_FILTER_ENTRY = 0x02 /* Apply rule at syscall entry */
|
|
AUDIT_FILTER_WATCH = 0x03 /* Apply rule to file system watches */
|
|
AUDIT_FILTER_EXIT = 0x04 /* Apply rule at syscall exit */
|
|
AUDIT_FILTER_TYPE = 0x05 /* Apply rule at audit_log_start */
|
|
/* These are used in filter control */
|
|
AUDIT_FILTER_MASK = 0x07 /* Mask to get actual filter */
|
|
AUDIT_FILTER_UNSET = 0x80 /* This value means filter is unset */
|
|
|
|
/* Rule actions */
|
|
AUDIT_NEVER = 0 /* Do not build context if rule matches */
|
|
AUDIT_POSSIBLE = 1 /* Build context if rule matches */
|
|
AUDIT_ALWAYS = 2 /* Generate audit record if rule matches */
|
|
|
|
/* Rule fields */
|
|
/* These are useful when checking the
|
|
* task structure at task creation time
|
|
* (AUDIT_PER_TASK). */
|
|
AUDIT_PID = 0
|
|
AUDIT_UID = 1
|
|
AUDIT_EUID = 2
|
|
AUDIT_SUID = 3
|
|
AUDIT_FSUID = 4
|
|
AUDIT_GID = 5
|
|
AUDIT_EGID = 6
|
|
AUDIT_SGID = 7
|
|
AUDIT_FSGID = 8
|
|
AUDIT_LOGINUID = 9
|
|
AUDIT_OBJ_GID = 110
|
|
AUDIT_OBJ_UID = 109
|
|
AUDIT_EXIT = 103
|
|
AUDIT_PERS = 10
|
|
AUDIT_FILTER_EXCLUDE = 0x05
|
|
AUDIT_ARCH = 11
|
|
PATH_MAX = 4096
|
|
AUDIT_MSGTYPE = 12
|
|
AUDIT_MAX_KEY_LEN = 256
|
|
AUDIT_PERM = 106
|
|
AUDIT_FILTERKEY = 210
|
|
AUDIT_SUBJ_USER = 13 /* security label user */
|
|
AUDIT_SUBJ_ROLE = 14 /* security label role */
|
|
AUDIT_SUBJ_TYPE = 15 /* security label type */
|
|
AUDIT_SUBJ_SEN = 16 /* security label sensitivity label */
|
|
AUDIT_SUBJ_CLR = 17 /* security label clearance label */
|
|
AUDIT_PPID = 18
|
|
AUDIT_OBJ_USER = 19
|
|
AUDIT_OBJ_ROLE = 20
|
|
AUDIT_OBJ_TYPE = 21
|
|
AUDIT_WATCH = 105
|
|
AUDIT_DIR = 107
|
|
AUDIT_OBJ_LEV_LOW = 22
|
|
AUDIT_OBJ_LEV_HIGH = 23
|
|
AUDIT_LOGINUID_SET = 24
|
|
AUDIT_DEVMAJOR = 100
|
|
AUDIT_DEVMINOR = 101
|
|
AUDIT_INODE = 102
|
|
AUDIT_SUCCESS = 104
|
|
AUDIT_FIELD_COMPARE = 111
|
|
AUDIT_EXE = 112
|
|
AUDIT_PERM_EXEC = 1
|
|
AUDIT_PERM_WRITE = 2
|
|
AUDIT_PERM_READ = 4
|
|
AUDIT_PERM_ATTR = 8
|
|
AUDIT_FILETYPE = 108
|
|
AUDIT_ARG0 = 200
|
|
AUDIT_ARG1 = (AUDIT_ARG0 + 1)
|
|
AUDIT_ARG2 = (AUDIT_ARG0 + 2)
|
|
AUDIT_ARG3 = (AUDIT_ARG0 + 3)
|
|
AUDIT_BIT_MASK = 0x08000000
|
|
AUDIT_LESS_THAN = 0x10000000
|
|
AUDIT_GREATER_THAN = 0x20000000
|
|
AUDIT_NOT_EQUAL = 0x30000000
|
|
AUDIT_EQUAL = 0x40000000
|
|
AUDIT_BIT_TEST = (AUDIT_BIT_MASK | AUDIT_EQUAL)
|
|
AUDIT_LESS_THAN_OR_EQUAL = (AUDIT_LESS_THAN | AUDIT_EQUAL)
|
|
AUDIT_GREATER_THAN_OR_EQUAL = (AUDIT_GREATER_THAN | AUDIT_EQUAL)
|
|
AUDIT_OPERATORS = (AUDIT_EQUAL | AUDIT_NOT_EQUAL | AUDIT_BIT_MASK)
|
|
/* Status symbols */
|
|
/* Mask values */
|
|
AUDIT_STATUS_ENABLED = 0x0001
|
|
AUDIT_STATUS_FAILURE = 0x0002
|
|
AUDIT_STATUS_PID = 0x0004
|
|
AUDIT_STATUS_RATE_LIMIT = 0x0008
|
|
AUDIT_STATUS_BACKLOG_LIMIT = 0x0010
|
|
/* Failure-to-log actions */
|
|
AUDIT_FAIL_SILENT = 0
|
|
AUDIT_FAIL_PRINTK = 1
|
|
AUDIT_FAIL_PANIC = 2
|
|
|
|
/* distinguish syscall tables */
|
|
__AUDIT_ARCH_64BIT = 0x80000000
|
|
__AUDIT_ARCH_LE = 0x40000000
|
|
AUDIT_ARCH_ALPHA = (EM_ALPHA | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_ARM = (EM_ARM | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_ARMEB = (EM_ARM)
|
|
AUDIT_ARCH_CRIS = (EM_CRIS | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_FRV = (EM_FRV)
|
|
AUDIT_ARCH_I386 = (EM_386 | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_IA64 = (EM_IA_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_M32R = (EM_M32R)
|
|
AUDIT_ARCH_M68K = (EM_68K)
|
|
AUDIT_ARCH_MIPS = (EM_MIPS)
|
|
AUDIT_ARCH_MIPSEL = (EM_MIPS | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_MIPS64 = (EM_MIPS | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_MIPSEL64 = (EM_MIPS | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
|
// AUDIT_ARCH_OPENRISC = (EM_OPENRISC)
|
|
// AUDIT_ARCH_PARISC = (EM_PARISC)
|
|
// AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_PPC = (EM_PPC)
|
|
AUDIT_ARCH_PPC64 = (EM_PPC64 | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_S390 = (EM_S390)
|
|
AUDIT_ARCH_S390X = (EM_S390 | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_SH = (EM_SH)
|
|
AUDIT_ARCH_SHEL = (EM_SH | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_SH64 = (EM_SH | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_SHEL64 = (EM_SH | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
|
AUDIT_ARCH_SPARC = (EM_SPARC)
|
|
AUDIT_ARCH_SPARC64 = (EM_SPARCV9 | __AUDIT_ARCH_64BIT)
|
|
AUDIT_ARCH_X86_64 = (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
|
|
///Temporary Solution need to add linux/elf-em.h
|
|
EM_NONE = 0
|
|
EM_M32 = 1
|
|
EM_SPARC = 2
|
|
EM_386 = 3
|
|
EM_68K = 4
|
|
EM_88K = 5
|
|
EM_486 = 6 /* Perhaps disused */
|
|
EM_860 = 7
|
|
EM_MIPS = 8 /* MIPS R3000 (officially, big-endian only) */
|
|
/* Next two are historical and binaries and
|
|
modules of these types will be rejected by
|
|
Linux. */
|
|
EM_MIPS_RS3_LE = 10 /* MIPS R3000 little-endian */
|
|
EM_MIPS_RS4_BE = 10 /* MIPS R4000 big-endian */
|
|
|
|
EM_PARISC = 15 /* HPPA */
|
|
EM_SPARC32PLUS = 18 /* Sun's "v8plus" */
|
|
EM_PPC = 20 /* PowerPC */
|
|
EM_PPC64 = 21 /* PowerPC64 */
|
|
EM_SPU = 23 /* Cell BE SPU */
|
|
EM_ARM = 40 /* ARM 32 bit */
|
|
EM_SH = 42 /* SuperH */
|
|
EM_SPARCV9 = 43 /* SPARC v9 64-bit */
|
|
EM_IA_64 = 50 /* HP/Intel IA-64 */
|
|
EM_X86_64 = 62 /* AMD x86-64 */
|
|
EM_S390 = 22 /* IBM S/390 */
|
|
EM_CRIS = 76 /* Axis Communications 32-bit embedded processor */
|
|
EM_V850 = 87 /* NEC v850 */
|
|
EM_M32R = 88 /* Renesas M32R */
|
|
EM_MN10300 = 89 /* Panasonic/MEI MN10300, AM33 */
|
|
EM_BLACKFIN = 106 /* ADI Blackfin Processor */
|
|
EM_TI_C6000 = 140 /* TI C6X DSPs */
|
|
EM_AARCH64 = 183 /* ARM 64 bit */
|
|
EM_FRV = 0x5441 /* Fujitsu FR-V */
|
|
EM_AVR32 = 0x18ad /* Atmel AVR32 */
|
|
|
|
/*
|
|
* This is an interim value that we will use until the committee comes
|
|
* up with a final number.
|
|
*/
|
|
EM_ALPHA = 0x9026
|
|
|
|
/* Bogus old v850 magic number, used by old tools. */
|
|
EM_CYGNUS_V850 = 0x9080
|
|
/* Bogus old m32r magic number, used by old tools. */
|
|
EM_CYGNUS_M32R = 0x9041
|
|
/* This is the old interim value for S/390 architecture */
|
|
EM_S390_OLD = 0xA390
|
|
/* Also Panasonic/MEI MN10300, AM33 */
|
|
EM_CYGNUS_MN10300 = 0xbeef
|
|
//AUDIT_ARCH determination purpose
|
|
_UTSNAME_LENGTH = 65
|
|
_UTSNAME_DOMAIN_LENGTH = _UTSNAME_LENGTH
|
|
_UTSNAME_NODENAME_LENGTH = _UTSNAME_DOMAIN_LENGTH
|
|
)
|
|
|
|
/* Audit message types as of 2.6.29 kernel:
|
|
* 1000 - 1099 are for commanding the audit system
|
|
* 1100 - 1199 user space trusted application messages
|
|
* 1200 - 1299 messages internal to the audit daemon
|
|
* 1300 - 1399 audit event messages
|
|
* 1400 - 1499 kernel SE Linux use
|
|
* 1500 - 1599 AppArmor events
|
|
* 1600 - 1699 kernel crypto events
|
|
* 1700 - 1799 kernel anomaly records
|
|
* 1800 - 1899 kernel integrity labels and related events
|
|
* 1800 - 1999 future kernel use
|
|
* 2001 - 2099 unused (kernel)
|
|
* 2100 - 2199 user space anomaly records
|
|
* 2200 - 2299 user space actions taken in response to anomalies
|
|
* 2300 - 2399 user space generated LSPP events
|
|
* 2400 - 2499 user space crypto events
|
|
* 2500 - 2599 user space virtualization management events
|
|
* 2600 - 2999 future user space (maybe integrity labels and related events)
|
|
*/
|
|
|
|
//go:generate stringer -type=auditConstant audit_constant.go
|
|
type auditConstant uint16
|
|
|
|
const (
|
|
AUDIT_GET auditConstant = 1000 /* Get status */
|
|
AUDIT_SET auditConstant = 1001 /* Set status (enable/disable/auditd) */
|
|
AUDIT_LIST auditConstant = 1002 /* List syscall rules -- deprecated */
|
|
AUDIT_ADD auditConstant = 1003 /* Add syscall rule -- deprecated */
|
|
AUDIT_DEL auditConstant = 1004 /* Delete syscall rule -- deprecated */
|
|
AUDIT_USER auditConstant = 1005 /* Message from userspace -- deprecated */
|
|
AUDIT_LOGIN auditConstant = 1006 /* Define the login id and information */
|
|
AUDIT_WATCH_INS auditConstant = 1007 /* Insert file/dir watch entry */
|
|
AUDIT_WATCH_REM auditConstant = 1008 /* Remove file/dir watch entry */
|
|
AUDIT_WATCH_LIST auditConstant = 1009 /* List all file/dir watches */
|
|
AUDIT_SIGNAL_INFO auditConstant = 1010 /* Get info about sender of signal to auditd */
|
|
AUDIT_ADD_RULE auditConstant = 1011 /* Add syscall filtering rule */
|
|
AUDIT_DEL_RULE auditConstant = 1012 /* Delete syscall filtering rule */
|
|
AUDIT_LIST_RULES auditConstant = 1013 /* List syscall filtering rules */
|
|
AUDIT_TRIM auditConstant = 1014 /* Trim junk from watched tree */
|
|
AUDIT_MAKE_EQUIV auditConstant = 1015 /* Append to watched tree */
|
|
AUDIT_TTY_GET auditConstant = 1016 /* Get TTY auditing status */
|
|
AUDIT_TTY_SET auditConstant = 1017 /* Set TTY auditing status */
|
|
AUDIT_SET_FEATURE auditConstant = 1018 /* Turn an audit feature on or off */
|
|
AUDIT_GET_FEATURE auditConstant = 1019 /* Get which features are enabled */
|
|
|
|
AUDIT_FIRST_USER_MSG auditConstant = 1100 /* First user space message */
|
|
AUDIT_LAST_USER_MSG auditConstant = 1199 /* Last user space message */
|
|
AUDIT_USER_AUTH auditConstant = 1100 /* User space authentication */
|
|
AUDIT_USER_ACCT auditConstant = 1101 /* User space acct change */
|
|
AUDIT_USER_MGMT auditConstant = 1102 /* User space acct management */
|
|
AUDIT_CRED_ACQ auditConstant = 1103 /* User space credential acquired */
|
|
AUDIT_CRED_DISP auditConstant = 1104 /* User space credential disposed */
|
|
AUDIT_USER_START auditConstant = 1105 /* User space session start */
|
|
AUDIT_USER_END auditConstant = 1106 /* User space session end */
|
|
AUDIT_USER_AVC auditConstant = 1107 /* User space avc message */
|
|
AUDIT_USER_CHAUTHTOK auditConstant = 1108 /* User space acct attr changed */
|
|
AUDIT_USER_ERR auditConstant = 1109 /* User space acct state err */
|
|
AUDIT_CRED_REFR auditConstant = 1110 /* User space credential refreshed */
|
|
AUDIT_USYS_CONFIG auditConstant = 1111 /* User space system config change */
|
|
AUDIT_USER_LOGIN auditConstant = 1112 /* User space user has logged in */
|
|
AUDIT_USER_LOGOUT auditConstant = 1113 /* User space user has logged out */
|
|
AUDIT_ADD_USER auditConstant = 1114 /* User space user account added */
|
|
AUDIT_DEL_USER auditConstant = 1115 /* User space user account deleted */
|
|
AUDIT_ADD_GROUP auditConstant = 1116 /* User space group added */
|
|
AUDIT_DEL_GROUP auditConstant = 1117 /* User space group deleted */
|
|
AUDIT_DAC_CHECK auditConstant = 1118 /* User space DAC check results */
|
|
AUDIT_CHGRP_ID auditConstant = 1119 /* User space group ID changed */
|
|
AUDIT_TEST auditConstant = 1120 /* Used for test success messages */
|
|
AUDIT_TRUSTED_APP auditConstant = 1121 /* Trusted app msg - freestyle text */
|
|
AUDIT_USER_SELINUX_ERR auditConstant = 1122 /* SE Linux user space error */
|
|
AUDIT_USER_CMD auditConstant = 1123 /* User shell command and args */
|
|
AUDIT_USER_TTY auditConstant = 1124 /* Non-ICANON TTY input meaning */
|
|
AUDIT_CHUSER_ID auditConstant = 1125 /* Changed user ID supplemental data */
|
|
AUDIT_GRP_AUTH auditConstant = 1126 /* Authentication for group password */
|
|
AUDIT_SYSTEM_BOOT auditConstant = 1127 /* System boot */
|
|
AUDIT_SYSTEM_SHUTDOWN auditConstant = 1128 /* System shutdown */
|
|
AUDIT_SYSTEM_RUNLEVEL auditConstant = 1129 /* System runlevel change */
|
|
AUDIT_SERVICE_START auditConstant = 1130 /* Service (daemon) start */
|
|
AUDIT_SERVICE_STOP auditConstant = 1131 /* Service (daemon) stop */
|
|
AUDIT_GRP_MGMT auditConstant = 1132 /* Group account attr was modified */
|
|
AUDIT_GRP_CHAUTHTOK auditConstant = 1133 /* Group acct password or pin changed */
|
|
AUDIT_MAC_CHECK auditConstant = 1134 /* User space MAC decision results */
|
|
AUDIT_ACCT_LOCK auditConstant = 1135 /* User's account locked by admin */
|
|
AUDIT_ACCT_UNLOCK auditConstant = 1136 /* User's account unlocked by admin */
|
|
|
|
AUDIT_FIRST_DAEMON auditConstant = 1200
|
|
AUDIT_LAST_DAEMON auditConstant = 1299
|
|
AUDIT_DAEMON_CONFIG auditConstant = 1203 /* Daemon config change */
|
|
AUDIT_DAEMON_RECONFIG auditConstant = 1204 /* Auditd should reconfigure */
|
|
AUDIT_DAEMON_ROTATE auditConstant = 1205 /* Auditd should rotate logs */
|
|
AUDIT_DAEMON_RESUME auditConstant = 1206 /* Auditd should resume logging */
|
|
AUDIT_DAEMON_ACCEPT auditConstant = 1207 /* Auditd accepted remote connection */
|
|
AUDIT_DAEMON_CLOSE auditConstant = 1208 /* Auditd closed remote connection */
|
|
|
|
AUDIT_SYSCALL auditConstant = 1300 /* Syscall event */
|
|
/* AUDIT_FS_WATCH auditConstant = 1301 * Deprecated */
|
|
AUDIT_PATH auditConstant = 1302 /* Filename path information */
|
|
AUDIT_IPC auditConstant = 1303 /* IPC record */
|
|
AUDIT_SOCKETCALL auditConstant = 1304 /* sys_socketcall arguments */
|
|
AUDIT_CONFIG_CHANGE auditConstant = 1305 /* Audit system configuration change */
|
|
AUDIT_SOCKADDR auditConstant = 1306 /* sockaddr copied as syscall arg */
|
|
AUDIT_CWD auditConstant = 1307 /* Current working directory */
|
|
AUDIT_EXECVE auditConstant = 1309 /* execve arguments */
|
|
AUDIT_IPC_SET_PERM auditConstant = 1311 /* IPC new permissions record type */
|
|
AUDIT_MQ_OPEN auditConstant = 1312 /* POSIX MQ open record type */
|
|
AUDIT_MQ_SENDRECV auditConstant = 1313 /* POSIX MQ send/receive record type */
|
|
AUDIT_MQ_NOTIFY auditConstant = 1314 /* POSIX MQ notify record type */
|
|
AUDIT_MQ_GETSETATTR auditConstant = 1315 /* POSIX MQ get/set attribute record type */
|
|
AUDIT_KERNEL_OTHER auditConstant = 1316 /* For use by 3rd party modules */
|
|
AUDIT_FD_PAIR auditConstant = 1317 /* audit record for pipe/socketpair */
|
|
AUDIT_OBJ_PID auditConstant = 1318 /* ptrace target */
|
|
AUDIT_TTY auditConstant = 1319 /* Input on an administrative TTY */
|
|
AUDIT_EOE auditConstant = 1320 /* End of multi-record event */
|
|
AUDIT_BPRM_FCAPS auditConstant = 1321 /* Information about fcaps increasing perms */
|
|
AUDIT_CAPSET auditConstant = 1322 /* Record showing argument to sys_capset */
|
|
AUDIT_MMAP auditConstant = 1323 /* Record showing descriptor and flags in mmap */
|
|
AUDIT_NETFILTER_PKT auditConstant = 1324 /* Packets traversing netfilter chains */
|
|
AUDIT_NETFILTER_CFG auditConstant = 1325 /* Netfilter chain modifications */
|
|
AUDIT_SECCOMP auditConstant = 1326 /* Secure Computing event */
|
|
AUDIT_PROCTITLE auditConstant = 1327 /* Proctitle emit event */
|
|
AUDIT_FEATURE_CHANGE auditConstant = 1328 /* audit log listing feature changes */
|
|
|
|
/* AUDIT_FIRST_EVENT 1300 */ //TODO: libaudit define this as AUDIT_FIRST_EVENT but audit.h differently.
|
|
AUDIT_LAST_EVENT auditConstant = 1399
|
|
|
|
/* AUDIT_FIRST_SELINUX 1400 */ // TODO: libaudit define this as AUDIT_FIRST_SELINUX but audit.h as AUDIT_AVC
|
|
AUDIT_AVC auditConstant = 1400 /* SE Linux avc denial or grant */
|
|
AUDIT_SELINUX_ERR auditConstant = 1401 /* internal SE Linux Errors */
|
|
AUDIT_AVC_PATH auditConstant = 1402 /* dentry, vfsmount pair from avc */
|
|
AUDIT_MAC_POLICY_LOAD auditConstant = 1403 /* Policy file load */
|
|
AUDIT_MAC_STATUS auditConstant = 1404 /* Changed enforcing,permissive,off */
|
|
AUDIT_MAC_CONFIG_CHANGE auditConstant = 1405 /* Changes to booleans */
|
|
AUDIT_MAC_UNLBL_ALLOW auditConstant = 1406 /* NetLabel: allow unlabeled traffic */
|
|
AUDIT_MAC_CIPSOV4_ADD auditConstant = 1407 /* NetLabel: add CIPSOv4 DOI entry */
|
|
AUDIT_MAC_CIPSOV4_DEL auditConstant = 1408 /* NetLabel: del CIPSOv4 DOI entry */
|
|
AUDIT_MAC_MAP_ADD auditConstant = 1409 /* NetLabel: add LSM domain mapping */
|
|
AUDIT_MAC_MAP_DEL auditConstant = 1410 /* NetLabel: del LSM domain mapping */
|
|
AUDIT_MAC_IPSEC_ADDSA auditConstant = 1411 /* Not used */
|
|
AUDIT_MAC_IPSEC_DELSA auditConstant = 1412 /* Not used */
|
|
AUDIT_MAC_IPSEC_ADDSPD auditConstant = 1413 /* Not used */
|
|
AUDIT_MAC_IPSEC_DELSPD auditConstant = 1414 /* Not used */
|
|
AUDIT_MAC_IPSEC_EVENT auditConstant = 1415 /* Audit an IPSec event */
|
|
AUDIT_MAC_UNLBL_STCADD auditConstant = 1416 /* NetLabel: add a static label */
|
|
AUDIT_MAC_UNLBL_STCDEL auditConstant = 1417 /* NetLabel: del a static label */
|
|
AUDIT_LAST_SELINUX auditConstant = 1499
|
|
|
|
AUDIT_FIRST_APPARMOR auditConstant = 1500
|
|
AUDIT_LAST_APPARMOR auditConstant = 1599
|
|
|
|
AUDIT_AA auditConstant = 1500 /* Not upstream yet*/
|
|
AUDIT_APPARMOR_AUDIT auditConstant = 1501
|
|
AUDIT_APPARMOR_ALLOWED auditConstant = 1502
|
|
AUDIT_APPARMOR_DENIED auditConstant = 1503
|
|
AUDIT_APPARMOR_HT auditConstant = 1504
|
|
AUDIT_APPARMOR_STATUS auditConstant = 1505
|
|
AUDIT_APPARMOR_ERROR auditConstant = 1506
|
|
|
|
AUDIT_FIRST_KERN_CRYPTO_MSG auditConstant = 1600
|
|
AUDIT_LAST_KERN_CRYPTO_MSG auditConstant = 1699
|
|
|
|
// AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700
|
|
AUDIT_LAST_KERN_ANOM_MSG auditConstant = 1799
|
|
AUDIT_ANOM_PROMISCUOUS auditConstant = 1700 /* Device changed promiscuous mode */
|
|
AUDIT_ANOM_ABEND auditConstant = 1701 /* Process ended abnormally */
|
|
AUDIT_ANOM_LINK auditConstant = 1702 /* Suspicious use of file links */
|
|
|
|
AUDIT_INTEGRITY_FIRST_MSG auditConstant = 1800
|
|
AUDIT_TINTEGRITY_LAST_MSG auditConstant = 1899
|
|
|
|
AUDIT_INTEGRITY_DATA auditConstant = 1800 /* Data integrity verification */
|
|
AUDIT_INTEGRITY_METADATA auditConstant = 1801 // Metadata integrity verification
|
|
AUDIT_INTEGRITY_STATUS auditConstant = 1802 /* integrity enable status */
|
|
AUDIT_INTEGRITY_HASH auditConstant = 1803 /* integrity HASH type */
|
|
AUDIT_INTEGRITY_PCR auditConstant = 1804 /* PCR invalidation msgs */
|
|
AUDIT_INTEGRITY_RULE auditConstant = 1805 /* Policy rule */
|
|
AUDIT_KERNEL auditConstant = 2000 /* Asynchronous audit record. NOT A REQUEST. */
|
|
|
|
AUDIT_FIRST_ANOM_MSG auditConstant = 2100
|
|
AUDIT_LAST_ANOM_MSG auditConstant = 2199
|
|
AUDIT_ANOM_LOGIN_FAILURES auditConstant = 2100 // Failed login limit reached
|
|
AUDIT_ANOM_LOGIN_TIME auditConstant = 2101 // Login attempted at bad time
|
|
AUDIT_ANOM_LOGIN_SESSIONS auditConstant = 2102 // Max concurrent sessions reached
|
|
AUDIT_ANOM_LOGIN_ACCT auditConstant = 2103 // Login attempted to watched acct
|
|
AUDIT_ANOM_LOGIN_LOCATION auditConstant = 2104 // Login from forbidden location
|
|
AUDIT_ANOM_MAX_DAC auditConstant = 2105 // Max DAC failures reached
|
|
AUDIT_ANOM_MAX_MAC auditConstant = 2106 // Max MAC failures reached
|
|
AUDIT_ANOM_AMTU_FAIL auditConstant = 2107 // AMTU failure
|
|
AUDIT_ANOM_RBAC_FAIL auditConstant = 2108 // RBAC self test failure
|
|
AUDIT_ANOM_RBAC_INTEGRITY_FAIL auditConstant = 2109 // RBAC file Tegrity failure
|
|
AUDIT_ANOM_CRYPTO_FAIL auditConstant = 2110 // Crypto system test failure
|
|
AUDIT_ANOM_ACCESS_FS auditConstant = 2111 // Access of file or dir
|
|
AUDIT_ANOM_EXEC auditConstant = 2112 // Execution of file
|
|
AUDIT_ANOM_MK_EXEC auditConstant = 2113 // Make an executable
|
|
AUDIT_ANOM_ADD_ACCT auditConstant = 2114 // Adding an acct
|
|
AUDIT_ANOM_DEL_ACCT auditConstant = 2115 // Deleting an acct
|
|
AUDIT_ANOM_MOD_ACCT auditConstant = 2116 // Changing an acct
|
|
AUDIT_ANOM_ROOT_TRANS auditConstant = 2117 // User became root
|
|
|
|
AUDIT_FIRST_ANOM_RESP auditConstant = 2200
|
|
AUDIT_LAST_ANOM_RESP auditConstant = 2299
|
|
AUDIT_RESP_ANOMALY auditConstant = 2200 /* Anomaly not reacted to */
|
|
AUDIT_RESP_ALERT auditConstant = 2201 /* Alert email was sent */
|
|
AUDIT_RESP_KILL_PROC auditConstant = 2202 /* Kill program */
|
|
AUDIT_RESP_TERM_ACCESS auditConstant = 2203 /* Terminate session */
|
|
AUDIT_RESP_ACCT_REMOTE auditConstant = 2204 /* Acct locked from remote access*/
|
|
AUDIT_RESP_ACCT_LOCK_TIMED auditConstant = 2205 /* User acct locked for time */
|
|
AUDIT_RESP_ACCT_UNLOCK_TIMED auditConstant = 2206 /* User acct unlocked from time */
|
|
AUDIT_RESP_ACCT_LOCK auditConstant = 2207 /* User acct was locked */
|
|
AUDIT_RESP_TERM_LOCK auditConstant = 2208 /* Terminal was locked */
|
|
AUDIT_RESP_SEBOOL auditConstant = 2209 /* Set an SE Linux boolean */
|
|
AUDIT_RESP_EXEC auditConstant = 2210 /* Execute a script */
|
|
AUDIT_RESP_SINGLE auditConstant = 2211 /* Go to single user mode */
|
|
AUDIT_RESP_HALT auditConstant = 2212 /* take the system down */
|
|
|
|
AUDIT_FIRST_USER_LSPP_MSG auditConstant = 2300
|
|
AUDIT_LAST_USER_LSPP_MSG auditConstant = 2399
|
|
AUDIT_USER_ROLE_CHANGE auditConstant = 2300 /* User changed to a new role */
|
|
AUDIT_ROLE_ASSIGN auditConstant = 2301 /* Admin assigned user to role */
|
|
AUDIT_ROLE_REMOVE auditConstant = 2302 /* Admin removed user from role */
|
|
AUDIT_LABEL_OVERRIDE auditConstant = 2303 /* Admin is overriding a label */
|
|
AUDIT_LABEL_LEVEL_CHANGE auditConstant = 2304 /* Object's level was changed */
|
|
AUDIT_USER_LABELED_EXPORT auditConstant = 2305 /* Object exported with label */
|
|
AUDIT_USER_UNLABELED_EXPORT auditConstant = 2306 /* Object exported without label */
|
|
AUDIT_DEV_ALLOC auditConstant = 2307 /* Device was allocated */
|
|
AUDIT_DEV_DEALLOC auditConstant = 2308 /* Device was deallocated */
|
|
AUDIT_FS_RELABEL auditConstant = 2309 /* Filesystem relabeled */
|
|
AUDIT_USER_MAC_POLICY_LOAD auditConstant = 2310 /* Userspc daemon loaded policy */
|
|
AUDIT_ROLE_MODIFY auditConstant = 2311 /* Admin modified a role */
|
|
AUDIT_USER_MAC_CONFIG_CHANGE auditConstant = 2312 /* Change made to MAC policy */
|
|
|
|
AUDIT_FIRST_CRYPTO_MSG auditConstant = 2400
|
|
AUDIT_CRYPTO_TEST_USER auditConstant = 2400 /* Crypto test results */
|
|
AUDIT_CRYPTO_PARAM_CHANGE_USER auditConstant = 2401 /* Crypto attribute change */
|
|
AUDIT_CRYPTO_LOGIN auditConstant = 2402 /* Logged in as crypto officer */
|
|
AUDIT_CRYPTO_LOGOUT auditConstant = 2403 /* Logged out from crypto */
|
|
AUDIT_CRYPTO_KEY_USER auditConstant = 2404 /* Create,delete,negotiate */
|
|
AUDIT_CRYPTO_FAILURE_USER auditConstant = 2405 /* Fail decrypt,encrypt,randomiz */
|
|
AUDIT_CRYPTO_REPLAY_USER auditConstant = 2406 /* Crypto replay detected */
|
|
AUDIT_CRYPTO_SESSION auditConstant = 2407 /* Record parameters set during TLS session establishment */
|
|
AUDIT_CRYPTO_IKE_SA auditConstant = 2408 /* Record parameters related to IKE SA */
|
|
AUDIT_CRYPTO_IPSEC_SA auditConstant = 2409 /* Record parameters related to IPSEC SA */
|
|
|
|
AUDIT_LAST_CRYPTO_MSG auditConstant = 2499
|
|
|
|
AUDIT_FIRST_VIRT_MSG auditConstant = 2500
|
|
AUDIT_VIRT_CONTROL auditConstant = 2500 /* Start, Pause, Stop VM */
|
|
AUDIT_VIRT_RESOURCE auditConstant = 2501 /* Resource assignment */
|
|
AUDIT_VIRT_MACHINE_ID auditConstant = 2502 /* Binding of label to VM */
|
|
AUDIT_LAST_VIRT_MSG auditConstant = 2599
|
|
AUDIT_LAST_USER_MSG2 auditConstant = 2999
|
|
// Field Comparing Constants
|
|
AUDIT_COMPARE_UID_TO_OBJ_UID auditConstant = 1
|
|
AUDIT_COMPARE_GID_TO_OBJ_GID auditConstant = 2
|
|
AUDIT_COMPARE_EUID_TO_OBJ_UID auditConstant = 3
|
|
AUDIT_COMPARE_EGID_TO_OBJ_GID auditConstant = 4
|
|
AUDIT_COMPARE_AUID_TO_OBJ_UID auditConstant = 5
|
|
AUDIT_COMPARE_SUID_TO_OBJ_UID auditConstant = 6
|
|
AUDIT_COMPARE_SGID_TO_OBJ_GID auditConstant = 7
|
|
AUDIT_COMPARE_FSUID_TO_OBJ_UID auditConstant = 8
|
|
AUDIT_COMPARE_FSGID_TO_OBJ_GID auditConstant = 9
|
|
AUDIT_COMPARE_UID_TO_AUID auditConstant = 10
|
|
AUDIT_COMPARE_UID_TO_EUID auditConstant = 11
|
|
AUDIT_COMPARE_UID_TO_FSUID auditConstant = 12
|
|
AUDIT_COMPARE_UID_TO_SUID auditConstant = 13
|
|
AUDIT_COMPARE_AUID_TO_FSUID auditConstant = 14
|
|
AUDIT_COMPARE_AUID_TO_SUID auditConstant = 15
|
|
AUDIT_COMPARE_AUID_TO_EUID auditConstant = 16
|
|
AUDIT_COMPARE_EUID_TO_SUID auditConstant = 17
|
|
AUDIT_COMPARE_EUID_TO_FSUID auditConstant = 18
|
|
AUDIT_COMPARE_SUID_TO_FSUID auditConstant = 19
|
|
AUDIT_COMPARE_GID_TO_EGID auditConstant = 20
|
|
AUDIT_COMPARE_GID_TO_FSGID auditConstant = 21
|
|
AUDIT_COMPARE_GID_TO_SGID auditConstant = 22
|
|
AUDIT_COMPARE_EGID_TO_FSGID auditConstant = 23
|
|
AUDIT_COMPARE_EGID_TO_SGID auditConstant = 24
|
|
AUDIT_COMPARE_SGID_TO_FSGID auditConstant = 25
|
|
)
|