Constants
- AUDIT_ADD - Add syscall rule – deprecated
- AUDIT_ADD_RULE - Add syscall filtering rule
- AUDIT_ALWAYS - Generate audit record if rule matches
- AUDIT_ANOM_ABEND - Process ended abnormally
- AUDIT_ANOM_LINK - Suspicious use of file links
- AUDIT_ANOM_PROMISCUOUS - Device changed promiscuous mode
- AUDIT_ARCH
- AUDIT_ARCH_AARCH64
- AUDIT_ARCH_ALPHA
- AUDIT_ARCH_ARM
- AUDIT_ARCH_ARMEB
- AUDIT_ARCH_CRIS
- AUDIT_ARCH_FRV
- AUDIT_ARCH_I386
- AUDIT_ARCH_IA64
- AUDIT_ARCH_M32R
- AUDIT_ARCH_M68K
- AUDIT_ARCH_MICROBLAZE
- AUDIT_ARCH_MIPS
- AUDIT_ARCH_MIPS64
- AUDIT_ARCH_MIPS64N32
- AUDIT_ARCH_MIPSEL
- AUDIT_ARCH_MIPSEL64
- AUDIT_ARCH_MIPSEL64N32
- AUDIT_ARCH_OPENRISC
- AUDIT_ARCH_PARISC
- AUDIT_ARCH_PARISC64
- AUDIT_ARCH_PPC
- AUDIT_ARCH_PPC64
- AUDIT_ARCH_PPC64LE
- AUDIT_ARCH_S390
- AUDIT_ARCH_S390X
- AUDIT_ARCH_SH
- AUDIT_ARCH_SH64
- AUDIT_ARCH_SHEL
- AUDIT_ARCH_SHEL64
- AUDIT_ARCH_SPARC
- AUDIT_ARCH_SPARC64
- AUDIT_ARCH_TILEGX
- AUDIT_ARCH_TILEGX32
- AUDIT_ARCH_TILEPRO
- AUDIT_ARCH_X86_64
- AUDIT_ARG0
- AUDIT_ARG1
- AUDIT_ARG2
- AUDIT_ARG3
- AUDIT_AVC - SE Linux avc denial or grant
- AUDIT_AVC_PATH - dentry, vfsmount pair from avc
- AUDIT_BITMASK_SIZE
- AUDIT_BIT_MASK
- AUDIT_BIT_TEST
- AUDIT_BPRM_FCAPS - Information about fcaps increasing perms
- AUDIT_CAPSET - Record showing argument to sys_capset
- AUDIT_CLASS_CHATTR
- AUDIT_CLASS_CHATTR_32
- AUDIT_CLASS_DIR_WRITE
- AUDIT_CLASS_DIR_WRITE_32
- AUDIT_CLASS_READ
- AUDIT_CLASS_READ_32
- AUDIT_CLASS_SIGNAL
- AUDIT_CLASS_SIGNAL_32
- AUDIT_CLASS_WRITE
- AUDIT_CLASS_WRITE_32
- AUDIT_COMPARE_AUID_TO_EUID
- AUDIT_COMPARE_AUID_TO_FSUID
- AUDIT_COMPARE_AUID_TO_OBJ_UID
- AUDIT_COMPARE_AUID_TO_SUID
- AUDIT_COMPARE_EGID_TO_FSGID
- AUDIT_COMPARE_EGID_TO_OBJ_GID
- AUDIT_COMPARE_EGID_TO_SGID
- AUDIT_COMPARE_EUID_TO_FSUID
- AUDIT_COMPARE_EUID_TO_OBJ_UID
- AUDIT_COMPARE_EUID_TO_SUID
- AUDIT_COMPARE_FSGID_TO_OBJ_GID
- AUDIT_COMPARE_FSUID_TO_OBJ_UID
- AUDIT_COMPARE_GID_TO_EGID
- AUDIT_COMPARE_GID_TO_FSGID
- AUDIT_COMPARE_GID_TO_OBJ_GID
- AUDIT_COMPARE_GID_TO_SGID
- AUDIT_COMPARE_SGID_TO_FSGID
- AUDIT_COMPARE_SGID_TO_OBJ_GID
- AUDIT_COMPARE_SUID_TO_FSUID
- AUDIT_COMPARE_SUID_TO_OBJ_UID
- AUDIT_COMPARE_UID_TO_AUID
- AUDIT_COMPARE_UID_TO_EUID
- AUDIT_COMPARE_UID_TO_FSUID
- AUDIT_COMPARE_UID_TO_OBJ_UID
- AUDIT_COMPARE_UID_TO_SUID
- AUDIT_CONFIG_CHANGE - Audit system configuration change
- AUDIT_CWD - Current working directory
- AUDIT_DAEMON_ABORT - Daemon error stop record
- AUDIT_DAEMON_CONFIG - Daemon config change
- AUDIT_DAEMON_END - Daemon normal stop record
- AUDIT_DAEMON_START - Daemon startup record
- AUDIT_DEL - Delete syscall rule – deprecated
- AUDIT_DEL_RULE - Delete syscall filtering rule
- AUDIT_DEVMAJOR
- AUDIT_DEVMINOR
- AUDIT_DIR
- AUDIT_EGID
- AUDIT_EOE - End of multi-record event
- AUDIT_EQUAL
- AUDIT_EUID
- AUDIT_EVENT_MESSAGE_MAX
- AUDIT_EVENT_MESSAGE_MIN
- AUDIT_EXE
- AUDIT_EXECVE - execve arguments
- AUDIT_EXIT
- AUDIT_FAIL_PANIC
- AUDIT_FAIL_PRINTK
- AUDIT_FAIL_SILENT
- AUDIT_FANOTIFY - Fanotify access decision
- AUDIT_FD_PAIR - audit record for pipe/socketpair
- AUDIT_FEATURE_CHANGE - audit log listing feature changes
- AUDIT_FEATURE_LOGINUID_IMMUTABLE
- AUDIT_FEATURE_ONLY_UNSET_LOGINUID
- AUDIT_FEATURE_VERSION
- AUDIT_FIELD_COMPARE
- AUDIT_FILETYPE
- AUDIT_FILTERKEY
- AUDIT_FILTER_ENTRY - Apply rule at syscall entry
- AUDIT_FILTER_EXIT - Apply rule at syscall exit
- AUDIT_FILTER_FS
- AUDIT_FILTER_PREPEND
- AUDIT_FILTER_TASK - Apply rule at task creation (not syscall)
- AUDIT_FILTER_TYPE - Apply rule at audit_log_start
- AUDIT_FILTER_UNSET - Filter is unset
- AUDIT_FILTER_USER - Apply rule to user-generated messages
- AUDIT_FILTER_WATCH - Apply rule to file system watches
- AUDIT_FIRST_KERN_ANOM_MSG
- AUDIT_FIRST_USER_MSG - Userspace messages mostly uninteresting to kernel
- AUDIT_FIRST_USER_MSG2 - More user space messages
- AUDIT_FSGID
- AUDIT_FSTYPE
- AUDIT_FSUID
- AUDIT_GET - Get status
- AUDIT_GET_FEATURE - Get which features are enabled
- AUDIT_GID
- AUDIT_GREATER_THAN
- AUDIT_GREATER_THAN_OR_EQUAL
- AUDIT_INODE
- AUDIT_INTEGRITY_DATA - Data integrity verification
- AUDIT_INTEGRITY_HASH - Integrity HASH type
- AUDIT_INTEGRITY_METADATA - Metadata integrity verification
- AUDIT_INTEGRITY_PCR - PCR invalidation msgs
- AUDIT_INTEGRITY_RULE - policy rule
- AUDIT_INTEGRITY_STATUS - Integrity enable status
- AUDIT_IPC - IPC record
- AUDIT_IPC_SET_PERM - IPC new permissions record type
- AUDIT_KERNEL
- AUDIT_KERNEL_OTHER - For use by 3rd party modules
- AUDIT_KERN_MODULE - Kernel Module events
- AUDIT_LAST_FEATURE
- AUDIT_LAST_KERN_ANOM_MSG
- AUDIT_LAST_USER_MSG
- AUDIT_LAST_USER_MSG2
- AUDIT_LESS_THAN
- AUDIT_LESS_THAN_OR_EQUAL
- AUDIT_LIST - List syscall rules – deprecated
- AUDIT_LIST_RULES - List syscall filtering rules
- AUDIT_LOGIN - Define the login id and information
- AUDIT_LOGINUID
- AUDIT_LOGINUID_SET
- AUDIT_MAC_CALIPSO_ADD - NetLabel: add CALIPSO DOI entry
- AUDIT_MAC_CALIPSO_DEL - NetLabel: del CALIPSO DOI entry
- AUDIT_MAC_CIPSOV4_ADD - NetLabel: add CIPSOv4 DOI entry
- AUDIT_MAC_CIPSOV4_DEL - NetLabel: del CIPSOv4 DOI entry
- AUDIT_MAC_CONFIG_CHANGE - Changes to booleans
- AUDIT_MAC_IPSEC_ADDSA - Not used
- AUDIT_MAC_IPSEC_ADDSPD - Not used
- AUDIT_MAC_IPSEC_DELSA - Not used
- AUDIT_MAC_IPSEC_DELSPD - Not used
- AUDIT_MAC_IPSEC_EVENT - Audit an IPSec event
- AUDIT_MAC_MAP_ADD - NetLabel: add LSM domain mapping
- AUDIT_MAC_MAP_DEL - NetLabel: del LSM domain mapping
- AUDIT_MAC_POLICY_LOAD - Policy file load
- AUDIT_MAC_STATUS - Changed enforcing, permissive, off
- AUDIT_MAC_UNLBL_ALLOW - NetLabel: allow unlabeled traffic
- AUDIT_MAC_UNLBL_STCADD - NetLabel: add a static label
- AUDIT_MAC_UNLBL_STCDEL - NetLabel: del a static label
- AUDIT_MAKE_EQUIV - Append to watched tree
- AUDIT_MAX_FIELDS
- AUDIT_MAX_FIELD_COMPARE
- AUDIT_MAX_KEY_LEN
- AUDIT_MESSAGE_TEXT_MAX
- AUDIT_MMAP - Record showing descriptor and flags in mmap
- AUDIT_MQ_GETSETATTR - POSIX MQ get/set attribute record type
- AUDIT_MQ_NOTIFY - POSIX MQ notify record type
- AUDIT_MQ_OPEN - POSIX MQ open record type
- AUDIT_MQ_SENDRECV - POSIX MQ send/receive record type
- AUDIT_MSGTYPE
- AUDIT_NETFILTER_CFG - Netfilter chain modifications
- AUDIT_NETFILTER_PKT - Packets traversing netfilter chains
- AUDIT_NEVER - Do not build context if rule matches
- AUDIT_NLGRP_NONE - Unused multicast group for audit
- AUDIT_NLGRP_READLOG - Multicast group to listen for audit events
- AUDIT_NOT_EQUAL
- AUDIT_NR_FILTERS - Mask to get actual filter
- AUDIT_OBJ_GID
- AUDIT_OBJ_LEV_HIGH
- AUDIT_OBJ_LEV_LOW
- AUDIT_OBJ_PID - ptrace target
- AUDIT_OBJ_ROLE
- AUDIT_OBJ_TYPE
- AUDIT_OBJ_UID
- AUDIT_OBJ_USER
- AUDIT_OPERATORS
- AUDIT_PATH - Filename path information
- AUDIT_PERM
- AUDIT_PERM_ATTR
- AUDIT_PERM_EXEC
- AUDIT_PERM_READ
- AUDIT_PERM_WRITE
- AUDIT_PERS
- AUDIT_PID
- AUDIT_POSSIBLE - Build context if rule matches
- AUDIT_PPID
- AUDIT_PROCTITLE - Proctitle emit event
- AUDIT_REPLACE - Replace auditd if this packet unanswered
- AUDIT_SECCOMP - Secure Computing event
- AUDIT_SELINUX_ERR - Internal SE Linux Errors
- AUDIT_SESSIONID
- AUDIT_SET - Set status (enable/disable/auditd)
- AUDIT_SET_FEATURE - Turn an audit feature on or off
- AUDIT_SGID
- AUDIT_SIGNAL_INFO - Get info about sender of signal to auditd
- AUDIT_SOCKADDR - sockaddr copied as syscall arg
- AUDIT_SOCKETCALL - sys_socketcall arguments
- AUDIT_SUBJ_CLR
- AUDIT_SUBJ_ROLE
- AUDIT_SUBJ_SEN
- AUDIT_SUBJ_TYPE
- AUDIT_SUBJ_USER
- AUDIT_SUCCESS
- AUDIT_SUID
- AUDIT_SYSCALL - Syscall event
- AUDIT_SYSCALL_CLASSES
- AUDIT_TRIM - Trim junk from watched tree
- AUDIT_TTY - Input on an administrative TTY
- AUDIT_TTY_GET - Get TTY auditing status
- AUDIT_TTY_SET - Set TTY auditing status
- AUDIT_UID
- AUDIT_UNUSED_BITS
- AUDIT_USER - Message from userspace – deprecated
- AUDIT_USER_AVC - We filter this differently
- AUDIT_USER_TTY - Non-ICANON TTY input meaning
- AUDIT_WATCH
- AUDIT_WATCH_INS - Insert file/dir watch entry
- AUDIT_WATCH_LIST - List all file/dir watches
- AUDIT_WATCH_REM - Remove file/dir watch entry
- __AUDIT_ARCH_64BIT
- __AUDIT_ARCH_CONVENTION_MASK
- __AUDIT_ARCH_CONVENTION_MIPS64_N32
- __AUDIT_ARCH_LE