B.2. Audit Record Types

Table B.2, “Record Types” lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.

Table B.2. Record Types

Event Type Explanation
ADD_GROUPTriggered when a user-space group is added.
ADD_USERTriggered when a user-space user account is added.
ANOM_ABEND[a]Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS[a]Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT[a]Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL[a]Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL[a]Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT[a]Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC[a]Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT[a]Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES[a]Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION[a]Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS[a]Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME[a]Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC[a]Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC[a]Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC[a]Triggered when a file is made executable.
ANOM_MOD_ACCT[a]Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS[a]Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL[a]Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL[a]Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS[a]Triggered when a user becomes root.
AVCTriggered to record an SELinux permission check.
AVC_PATHTriggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPSTriggered when a user executes a program with a file system capability.
CAPSETTriggered to record the capabilities being set for process-based capabilities, for example, running as root to drop capabilities.
CHGRP_IDTriggered when a user-space group ID is changed.
CHUSER_IDTriggered when a user-space user ID is changed.
CONFIG_CHANGETriggered when the Audit system configuration is modified.
CRED_ACQTriggered when a user acquires user-space credentials.
CRED_DISPTriggered when a user disposes of user-space credentials.
CRED_REFRTriggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USERTriggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USERTriggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGINTriggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUTTriggered when a cryptographic officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USERTriggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USERTriggered when a replay attack is detected.
CRYPTO_SESSIONTriggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USERTriggered to record cryptographic test results as required by the FIPS-140 standard.
CWDTriggered to record the current working directory.
DAC_CHECKTriggered to record DAC check results.
DAEMON_ABORTTriggered when a daemon is stopped due to an error.
DAEMON_ACCEPTTriggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSETriggered when the auditd daemon closes a remote connection.
DAEMON_CONFIGTriggered when a daemon configuration change is detected.
DAEMON_ENDTriggered when a daemon is successfully stopped.
DAEMON_RESUMETriggered when the auditd daemon resumes logging.
DAEMON_ROTATETriggered when the auditd daemon rotates the Audit log files.
DAEMON_STARTTriggered when the auditd daemon is started.
DEL_GROUPTriggered when a user-space group is deleted
DEL_USERTriggered when a user-space user is deleted
DEV_ALLOCTriggered when a device is allocated.
DEV_DEALLOCTriggered when a device is deallocated.
EOETriggered to record the end of a multi-record event.
EXECVETriggered to record arguments of the execve(2) system call.
FD_PAIRTriggered to record the use of the pipe and socketpair system calls.
FS_RELABELTriggered when a file system relabel operation is detected.
GRP_AUTHTriggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA[b]Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH[b]Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA[b]Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR[b]Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE[b]Triggered to record a policy rule.
INTEGRITY_STATUS[b]Triggered to record the status of integrity verification.
IPCTriggered to record information about a Inter-Process Communication object referenced by a system call.
IPC_SET_PERMTriggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNELTriggered to record the initialization of the Audit system.
KERNEL_OTHERTriggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGETriggered when an object's level label is modified.
LABEL_OVERRIDETriggered when an administrator overrides an object's level label.
LOGINTriggered to record relevant login information when a user log in to access the system.
MAC_CIPSOV4_ADDTriggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DELTriggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGETriggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENTTriggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADDTriggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DELTriggered when an existing LSM domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOADTriggered when a SELinux policy file is loaded.
MAC_STATUSTriggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOWTriggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADDTriggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDELTriggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAPTriggered to record a file descriptor and flags of the mmap(2) system call.
MQ_GETSETATTRTriggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFYTriggered to record arguments of the mq_notify(3) system call.
MQ_OPENTriggered to record arguments of the mq_open(3) system call.
MQ_SENDRECVTriggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFGTriggered when Netfilter chain modifications are detected.
NETFILTER_PKTTriggered to record packets traversing Netfilter chains.
OBJ_PIDTriggered to record information about a process to which a signal is sent.
PATHTriggered to record file name path information.
RESP_ACCT_LOCK[c]Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED[c]Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE[c]Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED[c]Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT[c]Triggered when an alert email is sent.
RESP_ANOMALY[c]Triggered when an anomaly was not acted upon.
RESP_EXEC[c]Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT[c]Triggered when the system is shut down.
RESP_KILL_PROC[c]Triggered when a process is terminated.
RESP_SEBOOL[c]Triggered when an SELinux Boolean value is set.
RESP_SINGLE[c]Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS[c]Triggered when a session is terminated.
RESP_TERM_LOCK[c]Triggered when a terminal is locked.
ROLE_ASSIGNTriggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFYTriggered when an administrator modifies an SELinux role.
ROLE_REMOVETriggered when an administrator removes a user from an SELinux role.
SELINUX_ERRTriggered when an internal SELinux error is detected.
SERVICE_STARTTriggered when a service is started.
SERVICE_STOPTriggered when a service is stopped.
SOCKADDRTriggered to record a socket address.
SOCKETCALLTriggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALLTriggered to record a system call to the kernel.
SYSTEM_BOOTTriggered when the system is booted up.
SYSTEM_RUNLEVELTriggered when the system's run level is changed.
SYSTEM_SHUTDOWNTriggered when the system is shut down.
TESTTriggered to record the success value of a test message.
TRUSTED_APPThe record of this type can be used by third party application that require auditing.
TTYTriggered when TTY input was sent to an administrative process.
USER_ACCTTriggered when a user-space user account is modified.
USER_AUTHTriggered when a user-space authentication attempt is detected.
USER_AVCTriggered when a user-space AVC message is generated.
USER_CHAUTHTOKTriggered when a user account attribute is modified.
USER_CMDTriggered when a user-space shell command is executed.
USER_ENDTriggered when a user-space session is terminated.
USER_ERRTriggered when a user account state error is detected.
USER_LABELED_EXPORTTriggered when an object is exported with an SELinux label.
USER_LOGINTriggered when a user logs in.
USER_LOGOUTTriggered when a user logs out.
USER_MAC_POLICY_LOADTriggered when a user-space daemon loads an SELinux policy.
USER_MGMTTriggered to record user-space management data.
USER_ROLE_CHANGETriggered when a user's SELinux role is changed.
USER_SELINUX_ERRTriggered when a user-space SELinux error is detected.
USER_STARTTriggered when a user-space session is started.
USER_TTYTriggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORTTriggered when an object is exported without SELinux label.
USYS_CONFIGTriggered when a user-space system configuration change is detected.
VIRT_CONTROLTriggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_IDTriggered to record the binding of a label to a virtual machine.
VIRT_RESOURCETriggered to record resource assignment of a virtual machine.
[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.
[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.