Constants

Add syscall rule – deprecated

Add syscall filtering rule

Generate audit record if rule matches

Process ended abnormally

Suspicious use of file links

Device changed promiscuous mode

SE Linux avc denial or grant

dentry, vfsmount pair from avc

Information about fcaps increasing perms

Record showing argument to sys_capset

Audit system configuration change

Current working directory

Daemon error stop record

Daemon config change

Daemon normal stop record

Daemon startup record

Delete syscall rule – deprecated

Delete syscall filtering rule

End of multi-record event

execve arguments

Fanotify access decision

audit record for pipe/socketpair

audit log listing feature changes

Apply rule at syscall entry

Apply rule at syscall exit

Apply rule at task creation (not syscall)

Apply rule at audit_log_start

Filter is unset

Apply rule to user-generated messages

Apply rule to file system watches

Userspace messages mostly uninteresting to kernel

More user space messages

Get status

Get which features are enabled

Data integrity verification

Integrity HASH type

Metadata integrity verification

PCR invalidation msgs

Integrity enable status

IPC record

IPC new permissions record type

For use by 3rd party modules

Kernel Module events

List syscall rules – deprecated

List syscall filtering rules

Define the login id and information

NetLabel: add CALIPSO DOI entry

NetLabel: del CALIPSO DOI entry

NetLabel: add CIPSOv4 DOI entry

NetLabel: del CIPSOv4 DOI entry

Changes to booleans

Audit an IPSec event

NetLabel: add LSM domain mapping

NetLabel: del LSM domain mapping

Policy file load

Changed enforcing, permissive, off

NetLabel: allow unlabeled traffic

NetLabel: add a static label

NetLabel: del a static label

Append to watched tree

Record showing descriptor and flags in mmap

POSIX MQ get/set attribute record type

POSIX MQ notify record type

POSIX MQ open record type

POSIX MQ send/receive record type

Netfilter chain modifications

Packets traversing netfilter chains

Do not build context if rule matches

Unused multicast group for audit

Multicast group to listen for audit events

Mask to get actual filter

ptrace target

Filename path information

Build context if rule matches

Proctitle emit event

Replace auditd if this packet unanswered

Secure Computing event

Internal SE Linux Errors

Set status (enable/disable/auditd)

Turn an audit feature on or off

Get info about sender of signal to auditd

sockaddr copied as syscall arg

sys_socketcall arguments

Syscall event

Trim junk from watched tree

Input on an administrative TTY

Get TTY auditing status

Set TTY auditing status

Message from userspace – deprecated

We filter this differently

Non-ICANON TTY input meaning

Insert file/dir watch entry

List all file/dir watches

Remove file/dir watch entry

Request for an acknowledgment on success. Typical direction of request is from user space (CPC) to kernel space (FEC).

extended ACK TLVs were included

Add to the end of the object list.

Return an atomic snapshot of the table. Requires CAP_NET_ADMIN capability or an effective UID of 0.

request was capped

Create object if it doesn’t already exist.

Dump was filtered as requested

Dump was inconsistent due to sequence change

Echo this request. Typical direction of request is from user space (CPC) to kernel space (FEC).

Don’t replace if the object already exists.

Return all entries matching criteria passed in message content.

Indicates the message is part of a multipart message terminated by NLMSG_DONE

Do not delete recursively

Replace existing matching object.

Must be set on all request messages (typically from user space to kernel space)

Return the complete table instead of a single entry.