Module netlink_packet_audit::constants

Constants

• AUDIT_ADD
  Add syscall rule – deprecated
• AUDIT_ADD_RULE
  Add syscall filtering rule
• AUDIT_ALWAYS
  Generate audit record if rule matches
• AUDIT_ANOM_ABEND
  Process ended abnormally
• AUDIT_ANOM_LINK
  Suspicious use of file links
• AUDIT_ANOM_PROMISCUOUS
  Device changed promiscuous mode
• AUDIT_ARCH
• AUDIT_ARCH_AARCH64
• AUDIT_ARCH_ALPHA
• AUDIT_ARCH_ARM
• AUDIT_ARCH_ARMEB
• AUDIT_ARCH_CRIS
• AUDIT_ARCH_FRV
• AUDIT_ARCH_I386
• AUDIT_ARCH_IA64
• AUDIT_ARCH_M32R
• AUDIT_ARCH_M68K
• AUDIT_ARCH_MICROBLAZE
• AUDIT_ARCH_MIPS
• AUDIT_ARCH_MIPS64
• AUDIT_ARCH_MIPS64N32
• AUDIT_ARCH_MIPSEL
• AUDIT_ARCH_MIPSEL64
• AUDIT_ARCH_MIPSEL64N32
• AUDIT_ARCH_OPENRISC
• AUDIT_ARCH_PARISC
• AUDIT_ARCH_PARISC64
• AUDIT_ARCH_PPC
• AUDIT_ARCH_PPC64
• AUDIT_ARCH_PPC64LE
• AUDIT_ARCH_S390
• AUDIT_ARCH_S390X
• AUDIT_ARCH_SH
• AUDIT_ARCH_SH64
• AUDIT_ARCH_SHEL
• AUDIT_ARCH_SHEL64
• AUDIT_ARCH_SPARC
• AUDIT_ARCH_SPARC64
• AUDIT_ARCH_TILEGX
• AUDIT_ARCH_TILEGX32
• AUDIT_ARCH_TILEPRO
• AUDIT_ARCH_X86_64
• AUDIT_ARG0
• AUDIT_ARG1
• AUDIT_ARG2
• AUDIT_ARG3
• AUDIT_AVC
  SE Linux avc denial or grant
• AUDIT_AVC_PATH
  dentry, vfsmount pair from avc
• AUDIT_BITMASK_SIZE
• AUDIT_BIT_MASK
• AUDIT_BIT_TEST
• AUDIT_BPRM_FCAPS
  Information about fcaps increasing perms
• AUDIT_CAPSET
  Record showing argument to sys_capset
• AUDIT_CLASS_CHATTR
• AUDIT_CLASS_CHATTR_32
• AUDIT_CLASS_DIR_WRITE
• AUDIT_CLASS_DIR_WRITE_32
• AUDIT_CLASS_READ
• AUDIT_CLASS_READ_32
• AUDIT_CLASS_SIGNAL
• AUDIT_CLASS_SIGNAL_32
• AUDIT_CLASS_WRITE
• AUDIT_CLASS_WRITE_32
• AUDIT_COMPARE_AUID_TO_EUID
• AUDIT_COMPARE_AUID_TO_FSUID
• AUDIT_COMPARE_AUID_TO_OBJ_UID
• AUDIT_COMPARE_AUID_TO_SUID
• AUDIT_COMPARE_EGID_TO_FSGID
• AUDIT_COMPARE_EGID_TO_OBJ_GID
• AUDIT_COMPARE_EGID_TO_SGID
• AUDIT_COMPARE_EUID_TO_FSUID
• AUDIT_COMPARE_EUID_TO_OBJ_UID
• AUDIT_COMPARE_EUID_TO_SUID
• AUDIT_COMPARE_FSGID_TO_OBJ_GID
• AUDIT_COMPARE_FSUID_TO_OBJ_UID
• AUDIT_COMPARE_GID_TO_EGID
• AUDIT_COMPARE_GID_TO_FSGID
• AUDIT_COMPARE_GID_TO_OBJ_GID
• AUDIT_COMPARE_GID_TO_SGID
• AUDIT_COMPARE_SGID_TO_FSGID
• AUDIT_COMPARE_SGID_TO_OBJ_GID
• AUDIT_COMPARE_SUID_TO_FSUID
• AUDIT_COMPARE_SUID_TO_OBJ_UID
• AUDIT_COMPARE_UID_TO_AUID
• AUDIT_COMPARE_UID_TO_EUID
• AUDIT_COMPARE_UID_TO_FSUID
• AUDIT_COMPARE_UID_TO_OBJ_UID
• AUDIT_COMPARE_UID_TO_SUID
• AUDIT_CONFIG_CHANGE
  Audit system configuration change
• AUDIT_CWD
  Current working directory
• AUDIT_DAEMON_ABORT
  Daemon error stop record
• AUDIT_DAEMON_CONFIG
  Daemon config change
• AUDIT_DAEMON_END
  Daemon normal stop record
• AUDIT_DAEMON_START
  Daemon startup record
• AUDIT_DEL
  Delete syscall rule – deprecated
• AUDIT_DEL_RULE
  Delete syscall filtering rule
• AUDIT_DEVMAJOR
• AUDIT_DEVMINOR
• AUDIT_DIR
• AUDIT_EGID
• AUDIT_EOE
  End of multi-record event
• AUDIT_EQUAL
• AUDIT_EUID
• AUDIT_EVENT_MESSAGE_MAX
• AUDIT_EVENT_MESSAGE_MIN
• AUDIT_EXE
• AUDIT_EXECVE
  execve arguments
• AUDIT_EXIT
• AUDIT_FAIL_PANIC
• AUDIT_FAIL_PRINTK
• AUDIT_FAIL_SILENT
• AUDIT_FANOTIFY
  Fanotify access decision
• AUDIT_FD_PAIR
  audit record for pipe/socketpair
• AUDIT_FEATURE_CHANGE
  audit log listing feature changes
• AUDIT_FEATURE_LOGINUID_IMMUTABLE
• AUDIT_FEATURE_ONLY_UNSET_LOGINUID
• AUDIT_FEATURE_VERSION
• AUDIT_FIELD_COMPARE
• AUDIT_FILETYPE
• AUDIT_FILTERKEY
• AUDIT_FILTER_ENTRY
  Apply rule at syscall entry
• AUDIT_FILTER_EXIT
  Apply rule at syscall exit
• AUDIT_FILTER_FS
• AUDIT_FILTER_PREPEND
• AUDIT_FILTER_TASK
  Apply rule at task creation (not syscall)
• AUDIT_FILTER_TYPE
  Apply rule at audit_log_start
• AUDIT_FILTER_UNSET
  Filter is unset
• AUDIT_FILTER_USER
  Apply rule to user-generated messages
• AUDIT_FILTER_WATCH
  Apply rule to file system watches
• AUDIT_FIRST_KERN_ANOM_MSG
• AUDIT_FIRST_USER_MSG
  Userspace messages mostly uninteresting to kernel
• AUDIT_FIRST_USER_MSG2
  More user space messages;
• AUDIT_FSGID
• AUDIT_FSTYPE
• AUDIT_FSUID
• AUDIT_GET
  Get status
• AUDIT_GET_FEATURE
  Get which features are enabled
• AUDIT_GID
• AUDIT_GREATER_THAN
• AUDIT_GREATER_THAN_OR_EQUAL
• AUDIT_INODE
• AUDIT_INTEGRITY_DATA
  Data integrity verification
• AUDIT_INTEGRITY_HASH
  Integrity HASH type
• AUDIT_INTEGRITY_METADATA
  Metadata integrity verification
• AUDIT_INTEGRITY_PCR
  PCR invalidation msgs
• AUDIT_INTEGRITY_RULE
  policy rule
• AUDIT_INTEGRITY_STATUS
  Integrity enable status
• AUDIT_IPC
  IPC record
• AUDIT_IPC_SET_PERM
  IPC new permissions record type
• AUDIT_KERNEL
• AUDIT_KERNEL_OTHER
  For use by 3rd party modules
• AUDIT_KERN_MODULE
  Kernel Module events
• AUDIT_LAST_FEATURE
• AUDIT_LAST_KERN_ANOM_MSG
• AUDIT_LAST_USER_MSG
• AUDIT_LAST_USER_MSG2
• AUDIT_LESS_THAN
• AUDIT_LESS_THAN_OR_EQUAL
• AUDIT_LIST
  List syscall rules – deprecated
• AUDIT_LIST_RULES
  List syscall filtering rules
• AUDIT_LOGIN
  Define the login id and information
• AUDIT_LOGINUID
• AUDIT_LOGINUID_SET
• AUDIT_MAC_CALIPSO_ADD
  NetLabel: add CALIPSO DOI entry
• AUDIT_MAC_CALIPSO_DEL
  NetLabel: del CALIPSO DOI entry
• AUDIT_MAC_CIPSOV4_ADD
  NetLabel: add CIPSOv4 DOI entry
• AUDIT_MAC_CIPSOV4_DEL
  NetLabel: del CIPSOv4 DOI entry
• AUDIT_MAC_CONFIG_CHANGE
  Changes to booleans
• AUDIT_MAC_IPSEC_ADDSA
  Not used
• AUDIT_MAC_IPSEC_ADDSPD
  Not used
• AUDIT_MAC_IPSEC_DELSA
  Not used
• AUDIT_MAC_IPSEC_DELSPD
  Not used
• AUDIT_MAC_IPSEC_EVENT
  Audit an IPSec event
• AUDIT_MAC_MAP_ADD
  NetLabel: add LSM domain mapping
• AUDIT_MAC_MAP_DEL
  NetLabel: del LSM domain mapping
• AUDIT_MAC_POLICY_LOAD
  Policy file load
• AUDIT_MAC_STATUS
  Changed enforcing,permissive,off
• AUDIT_MAC_UNLBL_ALLOW
  NetLabel: allow unlabeled traffic
• AUDIT_MAC_UNLBL_STCADD
  NetLabel: add a static label
• AUDIT_MAC_UNLBL_STCDEL
  NetLabel: del a static label
• AUDIT_MAKE_EQUIV
  Append to watched tree
• AUDIT_MAX_FIELDS
• AUDIT_MAX_FIELD_COMPARE
• AUDIT_MAX_KEY_LEN
• AUDIT_MESSAGE_TEXT_MAX
• AUDIT_MMAP
  Record showing descriptor and flags in mmap
• AUDIT_MQ_GETSETATTR
  POSIX MQ get/set attribute record type
• AUDIT_MQ_NOTIFY
  POSIX MQ notify record type
• AUDIT_MQ_OPEN
  POSIX MQ open record type
• AUDIT_MQ_SENDRECV
  POSIX MQ send/receive record type
• AUDIT_MSGTYPE
• AUDIT_NETFILTER_CFG
  Netfilter chain modifications
• AUDIT_NETFILTER_PKT
  Packets traversing netfilter chains
• AUDIT_NEVER
  Do not build context if rule matches
• AUDIT_NLGRP_NONE
  Unused multicast group for audit
• AUDIT_NLGRP_READLOG
  Multicast group to listen for audit events
• AUDIT_NOT_EQUAL
• AUDIT_NR_FILTERS
  Mask to get actual filter
• AUDIT_OBJ_GID
• AUDIT_OBJ_LEV_HIGH
• AUDIT_OBJ_LEV_LOW
• AUDIT_OBJ_PID
  ptrace target
• AUDIT_OBJ_ROLE
• AUDIT_OBJ_TYPE
• AUDIT_OBJ_UID
• AUDIT_OBJ_USER
• AUDIT_OPERATORS
• AUDIT_PATH
  Filename path information
• AUDIT_PERM
• AUDIT_PERM_ATTR
• AUDIT_PERM_EXEC
• AUDIT_PERM_READ
• AUDIT_PERM_WRITE
• AUDIT_PERS
• AUDIT_PID
• AUDIT_POSSIBLE
  Build context if rule matches
• AUDIT_PPID
• AUDIT_PROCTITLE
  Proctitle emit event
• AUDIT_REPLACE
  Replace auditd if this packet unanswerd
• AUDIT_SECCOMP
  Secure Computing event
• AUDIT_SELINUX_ERR
  Internal SE Linux Errors
• AUDIT_SESSIONID
• AUDIT_SET
  Set status (enable/disable/auditd)
• AUDIT_SET_FEATURE
  Turn an audit feature on or off
• AUDIT_SGID
• AUDIT_SIGNAL_INFO
  Get info about sender of signal to auditd
• AUDIT_SOCKADDR
  sockaddr copied as syscall arg
• AUDIT_SOCKETCALL
  sys_socketcall arguments
• AUDIT_SUBJ_CLR
• AUDIT_SUBJ_ROLE
• AUDIT_SUBJ_SEN
• AUDIT_SUBJ_TYPE
• AUDIT_SUBJ_USER
• AUDIT_SUCCESS
• AUDIT_SUID
• AUDIT_SYSCALL
  Syscall event
• AUDIT_SYSCALL_CLASSES
• AUDIT_TRIM
  Trim junk from watched tree
• AUDIT_TTY
  Input on an administrative TTY
• AUDIT_TTY_GET
  Get TTY auditing status
• AUDIT_TTY_SET
  Set TTY auditing status
• AUDIT_UID
• AUDIT_UNUSED_BITS
• AUDIT_USER
  Message from userspace – deprecated
• AUDIT_USER_AVC
  We filter this differently
• AUDIT_USER_TTY
  Non-ICANON TTY input meaning
• AUDIT_WATCH
• AUDIT_WATCH_INS
  Insert file/dir watch entry
• AUDIT_WATCH_LIST
  List all file/dir watches
• AUDIT_WATCH_REM
  Remove file/dir watch entry
• __AUDIT_ARCH_64BIT
• __AUDIT_ARCH_CONVENTION_MASK
• __AUDIT_ARCH_CONVENTION_MIPS64_N32
• __AUDIT_ARCH_LE