LOGIN
|
None
|
LOGON
|
SYSTEM
|
USER_AUTH
|
None
|
AUTHENTICATE
|
USER
|
USER_ACCT
|
None
|
AUTHORIZE
|
USER
|
CRED_ACQ
|
None
|
ACQUIRE
|
USER
|
CRED_DISP
|
None
|
RESET
|
USER
|
DAEMON_START
|
None
|
AUDIT
|
AUDITSERVICE
|
DAEMON_END
|
None
|
NOAUDIT
|
AUDITSERVICE
|
DAEMON_ABORT
|
None
|
TERMINATE
|
AUDITSERVICE
|
DAEMON_CONFIG
|
None
|
CONFIGURE
|
AUDITSERVICE
|
DAEMON_ROTATE
|
None
|
UPDATE
|
AUDITSERVICE
|
DAEMON_RESUME
|
None
|
RESUME
|
AUDITSERVICE
|
CONFIG_CHANGE
|
audit_enabled record field contains 1 or 2
|
AUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
audit_enabled record field contains 0
|
NOAUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
op record field contains add rule
|
AUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
op record field contains remove rule
|
NOAUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
audit_failure record field contains value 0
|
NOAUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
audit_failure record field contains value 1
|
NOAUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
audit_failure record field contains value 2
|
NOAUDIT
|
AUDITSERVICE
|
CONFIG_CHANGE
|
any other CONFIG_CHANGE cases not specified above
|
UPDATE
|
AUDITSERVICE
|
CRYPTO_SESSION
|
None
|
START
|
SESSION
|
AVC
|
None
|
ACCESS
|
PRIVILEGE
|
MAC_POLICY_LOAD
|
None
|
ENABLE
|
POLICY
|
MAC_STATUS
|
None
|
UPDATE
|
SYSTEM
|
MAC_CONFIG_CHANGE
|
None
|
MODIFY
|
RULE
|
MAC_UNLBL_ALLOW
|
None
|
UPDATE
|
MODULE
|
MAC_CIPSOV4_ADD
|
None
|
CREATE
|
MODULE
|
MAC_CIPSOV4_DEL
|
None
|
DELETE
|
USER
|
MAC_MAP_ADD
|
None
|
CREATE
|
MODULE
|
MAC_MAP_DEL
|
None
|
DELETE
|
MODULE
|
MAC_IPSEC_ADDSA
|
None
|
CREATE
|
MODULE
|
MAC_IPSEC_DELSA
|
None
|
DELETE
|
MODULE
|
MAC_IPSEC_ADDSPD
|
None
|
MODIFY
|
MODULE
|
MAC_IPSEC_DELSPD
|
None
|
DELETE
|
MODULE
|
ANOM_PROMISCUOUS
|
None
|
UPDATE
|
DEVICE
|
ANOM_ABEND
|
None
|
EXECUTE
|
MODULE
|
ANOM_LOGIN_FAILURES
|
None
|
LOGIN
|
USER
|
ANOM_LOGIN_TIME
|
None
|
LOGIN
|
USER
|
ANOM_LOGIN_SESSIONS
|
None
|
LOGIN
|
USER
|
ANOM_LOGIN_LOCATION
|
None
|
LOGON
|
USER
|
RESP_ACCT_UNLOCK_TIMED
|
None
|
ENABLE
|
USER
|
RESP_ACCT_LOCK
|
None
|
LOCK
|
USER
|
TTY
|
None
|
EXECUTE
|
KEYSTROKE
|
USER_AVC
|
None
|
ACCESS
|
PRIVILEGE
|
USER_ROLE_CHANGE
|
op record field is not present
|
MODIFY
|
USER
|
USER_ROLE_CHANGE
|
op record field contains add SELinux user record
|
ADD
|
USER
|
USER_ROLE_CHANGE
|
op record field contains delete SELinux user record
|
DELETE
|
USER
|
USER_ROLE_CHANGE
|
any other USER_ROLE_CHANGE cases not specified above
|
MODIFY
|
USER
|
LABEL_OVERRIDE
|
None
|
UPDATE
|
OBJECT
|
LABEL_LEVEL_CHANGE
|
None
|
UPDATE
|
OBJECT
|
USER_LABELED_EXPORT
|
None
|
EXPORT
|
OBJECT
|
USER_UNLABELED_EXPORT
|
None
|
EXPORT
|
OBJECT
|
USER_START
|
None
|
START
|
USER
|
USER_END
|
None
|
END
|
USER
|
CRED_REFR
|
None
|
REFRESH
|
USER
|
USER_LOGIN
|
None
|
LOGIN
|
ACCOUNT
|
USER_LOGOUT
|
None
|
LOGOUT
|
ACCOUNT
|
USER_ERR
|
None
|
RAISE
|
USER
|
USYS_CONFIG
|
None
|
UPDATE
|
USER
|
USER_CMD
|
None
|
EXECUTE
|
PROGRAM
|
FS_RELABEL
|
None
|
MODIFY
|
SYSTEM
|
USER_CHAUTHTOK
|
op record field contains value change password
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing password
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change expired password
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change age
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change max age
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change min age
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change passwd warning
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change inactive days
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change passwd expiration
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change last change date
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value change all aging information
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value password attribute change
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value password aging data updated
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value display aging info
|
READ
|
USER
|
USER_CHAUTHTOK
|
op record field contains value password status display
|
READ
|
USER
|
USER_CHAUTHTOK
|
op record field contains value password status displayed for user
|
READ
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding to group
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding group member
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding user to group
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding user to shadow group
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing primary group
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing group member
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing admin name in shadow group
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing member in shadow group
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting group password
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting member
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user from group
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user from shadow group
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value removing group member
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value removing user from shadow group
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value user lookup
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding group
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting group
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding user
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value adding home directory
|
CREATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user entries
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user not found
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting user logged in
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting mail file
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value deleting home directory
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value lock password
|
LOCK
|
USER
|
USER_CHAUTHTOK
|
op record field contains value delete password
|
DELETE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value updating password
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value unlock password
|
UNLOCK
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing name
|
RENAME
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing uid
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing home directory
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value moving home directory
|
MOVE
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing mail file name
|
RENAME
|
USER
|
USER_CHAUTHTOK
|
op record field contains value changing mail file owner
|
UPDATE
|
USER
|
USER_CHAUTHTOK
|
None
|
UPDATE
|
USER
|
USER_TTY
|
None
|
EXECUTE
|
KEYSTROKE
|
ADD_GROUP
|
None
|
ADD
|
GROUP
|
ADD_USER
|
None
|
CREATE
|
USER
|
DEL_USER
|
None
|
DELETE
|
USER
|
SYSCALL
|
None
|
EXECUTE
|
SYSCALL
|
SYSCALL
|
SYSCALL record field contains value 0
|
READ
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 1
|
WRITE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 2
|
OPEN
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 3
|
CLOSE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 4
|
GET
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 5
|
GET
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 6
|
GET
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 7
|
GET
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 8
|
GET
|
FILE OFFSET
|
SYSCALL
|
SYSCALL record field contains value 9
|
SET
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 10
|
EXECUTE
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 11
|
RESET
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 12
|
UPDATE
|
SPACE
|
SYSCALL
|
SYSCALL record field contains value 13
|
UPDATE
|
ACTION
|
SYSCALL
|
SYSCALL record field contains value 14
|
ACCESS
|
SIGNAL MASK
|
SYSCALL
|
SYSCALL record field contains value 15
|
UNDO
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 16
|
CONTROL
|
DEVICE
|
SYSCALL
|
SYSCALL record field contains value 17
|
READ
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 18
|
INSERT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 19
|
READ
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 20
|
INSERT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 21
|
VALIDATE
|
PERMISSION
|
SYSCALL
|
SYSCALL record field contains value 22
|
CREATE
|
CHANNEL
|
SYSCALL
|
SYSCALL record field contains value 23
|
EXECUTE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 24
|
ACQUIRE
|
CPU
|
SYSCALL
|
SYSCALL record field contains value 25
|
RESET
|
MEMORY ADDRESS
|
SYSCALL
|
SYSCALL record field contains value 26
|
SYNCHRONIZE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 27
|
GET
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 28
|
EXECUTE
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 29
|
ASSIGN
|
SEGMENT
|
SYSCALL
|
SYSCALL record field contains value 30
|
EXECUTE
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 31
|
CONTROL
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 32
|
COPY
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 33
|
COPY
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 34
|
WAIT
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 35
|
SUSPEND
|
THREAD
|
SYSCALL
|
SYSCALL record field contains value 36
|
GET
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 37
|
SET
|
ALARM
|
SYSCALL
|
SYSCALL record field contains value 38
|
SET
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 39
|
GET
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 40
|
SEND
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 41
|
CREATE
|
COMMUNICATION ENDPOINT
|
SYSCALL
|
SYSCALL record field contains value 42
|
CONNECT
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 43
|
ACQUIRE
|
SOCKET CONNECTION
|
SYSCALL
|
SYSCALL record field contains value 44
|
SEND
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 45
|
RECEIVE
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 46
|
SEND
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 47
|
RECEIVE
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 48
|
STOP
|
CONNECTION
|
SYSCALL
|
SYSCALL record field contains value 49
|
BIND
|
NAME
|
SYSCALL
|
SYSCALL record field contains value 50
|
EXECUTE
|
CONNECTION
|
SYSCALL
|
SYSCALL record field contains value 51
|
GET
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 52
|
GET
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 53
|
CREATE
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 54
|
SET
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 55
|
GET
|
SOCKET
|
SYSCALL
|
SYSCALL record field contains value 56
|
COPY
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 57
|
EXECUTE
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 58
|
EXECUTE
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 59
|
EXECUTE
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 60
|
STOP
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 61
|
WAIT
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 62
|
SEND
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 63
|
GET
|
NAME
|
SYSCALL
|
SYSCALL record field contains value 64
|
GET
|
SEMAPHORE
|
SYSCALL
|
SYSCALL record field contains value 65
|
EXECUTE
|
SEMAPHORE
|
SYSCALL
|
SYSCALL record field contains value 66
|
CONTROL
|
SEMAPHORE
|
SYSCALL
|
SYSCALL record field contains value 67
|
EXECUTE
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 68
|
GET
|
QUEUE ID
|
SYSCALL
|
SYSCALL record field contains value 69
|
SEND
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 70
|
RECEIVE
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 71
|
CONTROL
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 72
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 73
|
LOCK
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 74
|
SYNCHRONIZE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 75
|
SYNCHRONIZE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 76
|
TRUNCATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 77
|
TRUNCATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 78
|
GET
|
ENTRIES
|
SYSCALL
|
SYSCALL record field contains value 79
|
GET
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 80
|
UPDATE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 81
|
UPDATE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 82
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 83
|
CREATE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 84
|
DELETE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 85
|
CREATE
|
FILE OR DEVICE
|
SYSCALL
|
SYSCALL record field contains value 86
|
CONNECT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 87
|
DISCONNECT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 88
|
CONNECT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 89
|
READ
|
VALUE
|
SYSCALL
|
SYSCALL record field contains value 90
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 91
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 92
|
UPDATE
|
OWNERSHIP
|
SYSCALL
|
SYSCALL record field contains value 93
|
UPDATE
|
OWNERSHIP
|
SYSCALL
|
SYSCALL record field contains value 94
|
UPDATE
|
OWNERSHIP
|
SYSCALL
|
SYSCALL record field contains value 95
|
SET
|
MASK
|
SYSCALL
|
SYSCALL record field contains value 96
|
GET
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 97
|
GET
|
LIMIT
|
SYSCALL
|
SYSCALL record field contains value 98
|
GET
|
USAGE
|
SYSCALL
|
SYSCALL record field contains value 99
|
GET
|
INFORMATION
|
SYSCALL
|
SYSCALL record field contains value 100
|
GET
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 101
|
SEARCH
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 102
|
GET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 103
|
READ
|
LOG
|
SYSCALL
|
SYSCALL record field contains value 104
|
GET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 105
|
SET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 106
|
GET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 107
|
GET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 108
|
GET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 109
|
SET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 110
|
GET
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 111
|
GET
|
PROCESS GROUP
|
SYSCALL
|
SYSCALL record field contains value 112
|
SET
|
PROCESS GROUP
|
SYSCALL
|
SYSCALL record field contains value 113
|
SET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 114
|
SET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 115
|
GET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 116
|
SET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 117
|
SET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 118
|
GET
|
USER
|
SYSCALL
|
SYSCALL record field contains value 119
|
SET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 120
|
GET
|
GROUP
|
SYSCALL
|
SYSCALL record field contains value 121
|
GET
|
PROCESS GROUP
|
SYSCALL
|
SYSCALL record field contains value 122
|
SET
|
USER IDENTITY
|
SYSCALL
|
SYSCALL record field contains value 123
|
SET
|
GROUP IDENTITY
|
SYSCALL
|
SYSCALL record field contains value 124
|
GET
|
SESSION
|
SYSCALL
|
SYSCALL record field contains value 125
|
GET
|
CAPABILITIES
|
SYSCALL
|
SYSCALL record field contains value 126
|
SET
|
CAPABILITIES
|
SYSCALL
|
SYSCALL record field contains value 127
|
SEARCH
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 128
|
WAIT
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 129
|
QUEUE
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 130
|
WAIT
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 131
|
SET
|
CONTEXT
|
SYSCALL
|
SYSCALL record field contains value 132
|
UPDATE
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 133
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 134
|
EXECUTE
|
SYSTEM CALLS
|
SYSCALL
|
SYSCALL record field contains value 135
|
SET
|
DOMAIN
|
SYSCALL
|
SYSCALL record field contains value 136
|
GET
|
STATISTICS
|
SYSCALL
|
SYSCALL record field contains value 137
|
GET
|
STATISTICS
|
SYSCALL
|
SYSCALL record field contains value 138
|
GET
|
STATISTICS
|
SYSCALL
|
SYSCALL record field contains value 139
|
GET
|
INFORMATION
|
SYSCALL
|
SYSCALL record field contains value 140
|
GET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 141
|
SET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 142
|
SET
|
PARAMETERS
|
SYSCALL
|
SYSCALL record field contains value 143
|
GET
|
PARAMETERS
|
SYSCALL
|
SYSCALL record field contains value 144
|
SET
|
POLICY OR PARAMETERS
|
SYSCALL
|
SYSCALL record field contains value 145
|
GET
|
POLICY OR PARAMETERS
|
SYSCALL
|
SYSCALL record field contains value 146
|
GET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 147
|
GET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 148
|
GET
|
INTERVAL
|
SYSCALL
|
SYSCALL record field contains value 149
|
LOCK
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 150
|
UNLOCK
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 151
|
LOCK
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 152
|
UNLOCK
|
MEMORY
|
SYSCALL
|
SYSCALL record field contains value 153
|
WAIT
|
TERMINAL
|
SYSCALL
|
SYSCALL record field contains value 154
|
UPDATE
|
TABLE
|
SYSCALL
|
SYSCALL record field contains value 155
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 156
|
UPDATE
|
PARAMETERS
|
SYSCALL
|
SYSCALL record field contains value 157
|
EXECUTE
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 158
|
SET
|
STATE
|
SYSCALL
|
SYSCALL record field contains value 159
|
SET
|
STATE
|
SYSCALL
|
SYSCALL record field contains value 160
|
SET
|
RESOURCE LIMIT
|
SYSCALL
|
SYSCALL record field contains value 161
|
UPDATE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 162
|
COMMIT
|
CACHE
|
SYSCALL
|
SYSCALL record field contains value 163
|
UPDATE
|
ACCOUNTING
|
SYSCALL
|
SYSCALL record field contains value 164
|
SET
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 165
|
MOUNT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 166
|
UNMOUNT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 167
|
START
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 168
|
STOP
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 169
|
START
|
SYSTEM
|
SYSCALL
|
SYSCALL record field contains value 170
|
SET
|
HOSTNAME
|
SYSCALL
|
SYSCALL record field contains value 171
|
SET
|
DOMAINNAME
|
SYSCALL
|
SYSCALL record field contains value 172
|
UPDATE
|
IOPL
|
SYSCALL
|
SYSCALL record field contains value 173
|
UPDATE
|
PERMISSION
|
SYSCALL
|
SYSCALL record field contains value 174
|
CREATE
|
MODULE
|
SYSCALL
|
SYSCALL record field contains value 175
|
INITIALIZE
|
MODULE
|
SYSCALL
|
SYSCALL record field contains value 176
|
DELETE
|
MODULE
|
SYSCALL
|
SYSCALL record field contains value 177
|
GET
|
KERNEL
|
SYSCALL
|
SYSCALL record field contains value 178
|
QUERY
|
KERNEL
|
SYSCALL
|
SYSCALL record field contains value 179
|
EXECUTE
|
QUOTAS
|
SYSCALL
|
SYSCALL record field contains value 180
|
EXECUTE
|
KERNEL
|
SYSCALL
|
SYSCALL record field contains value 186
|
GET
|
THREAD
|
SYSCALL
|
SYSCALL record field contains value 187
|
LOAD
|
CACHE
|
SYSCALL
|
SYSCALL record field contains value 188
|
SET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 189
|
SET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 190
|
SET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 191
|
GET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 192
|
GET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 193
|
GET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 194
|
READ
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 195
|
READ
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 196
|
READ
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 197
|
DELETE
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 198
|
DELETE
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 199
|
DELETE
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 200
|
SEND
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 201
|
GET
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 202
|
WAIT
|
ADDRESS
|
SYSCALL
|
SYSCALL record field contains value 203
|
SET
|
MASK
|
SYSCALL
|
SYSCALL record field contains value 204
|
GET
|
MASK
|
SYSCALL
|
SYSCALL record field contains value 205
|
SET
|
STORAGE
|
SYSCALL
|
SYSCALL record field contains value 206
|
CREATE
|
CONTEXT
|
SYSCALL
|
SYSCALL record field contains value 207
|
DELETE
|
CONTEXT
|
SYSCALL
|
SYSCALL record field contains value 208
|
READ
|
EVENTS
|
SYSCALL
|
SYSCALL record field contains value 209
|
SUBMIT
|
BLOCK
|
SYSCALL
|
SYSCALL record field contains value 210
|
CANCEL
|
OPERATION
|
SYSCALL
|
SYSCALL record field contains value 211
|
GET
|
STORAGE
|
SYSCALL
|
SYSCALL record field contains value 212
|
RESUME
|
PATH
|
SYSCALL
|
SYSCALL record field contains value 213
|
OPEN
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 215
|
WAIT
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 216
|
CREATE
|
MAPPING
|
SYSCALL
|
SYSCALL record field contains value 217
|
GET
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 218
|
SET
|
POINTER
|
SYSCALL
|
SYSCALL record field contains value 219
|
START
|
SYSCALL
|
SYSCALL
|
SYSCALL record field contains value 220
|
EXECUTE
|
SEMAPHORE
|
SYSCALL
|
SYSCALL record field contains value 221
|
SUBSCRIBE
|
PATTERN
|
SYSCALL
|
SYSCALL record field contains value 222
|
CREATE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 223
|
EXECUTE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 224
|
EXECUTE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 225
|
GET
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 226
|
DELETE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 227
|
SET
|
CLOCK
|
SYSCALL
|
SYSCALL record field contains value 228
|
GET
|
CLOCK
|
SYSCALL
|
SYSCALL record field contains value 229
|
FIND
|
CLOCK
|
SYSCALL
|
SYSCALL record field contains value 230
|
WAIT
|
CLOCK
|
SYSCALL
|
SYSCALL record field contains value 231
|
EXIT
|
THREAD
|
SYSCALL
|
SYSCALL record field contains value 232
|
WAIT
|
EVENT
|
SYSCALL
|
SYSCALL record field contains value 234
|
SEND
|
SIGNAL
|
SYSCALL
|
SYSCALL record field contains value 235
|
UPDATE
|
TIME
|
SYSCALL
|
SYSCALL record field contains value 237
|
EXECUTE
|
SET
|
SYSCALL
|
SYSCALL record field contains value 238
|
EXECUTE
|
SET
|
SYSCALL
|
SYSCALL record field contains value 239
|
SET
|
SET
|
SYSCALL
|
SYSCALL record field contains value 240
|
OPEN
|
QUEUE
|
SYSCALL
|
SYSCALL record field contains value 241
|
DISCONNECT
|
QUEUE
|
SYSCALL
|
SYSCALL record field contains value 242
|
SEND
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 243
|
RECEIVE
|
MESSAGE
|
SYSCALL
|
SYSCALL record field contains value 244
|
REGISTER
|
NOTIFICATION
|
SYSCALL
|
SYSCALL record field contains value 245
|
GET
|
ATTRIBUTE
|
SYSCALL
|
SYSCALL record field contains value 246
|
LOAD
|
KERNEL
|
SYSCALL
|
SYSCALL record field contains value 247
|
WAIT
|
PROCESS
|
SYSCALL
|
SYSCALL record field contains value 248
|
CREATE
|
KEY
|
SYSCALL
|
SYSCALL record field contains value 249
|
REQUEST
|
KEY
|
SYSCALL
|
SYSCALL record field contains value 250
|
EXECUTE
|
KERNEL
|
SYSCALL
|
SYSCALL record field contains value 251
|
SET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 252
|
GET
|
PRIORITY
|
SYSCALL
|
SYSCALL record field contains value 253
|
INITIALIZE
|
INSTANCE
|
SYSCALL
|
SYSCALL record field contains value 254
|
CREATE
|
INSTANCE
|
SYSCALL
|
SYSCALL record field contains value 255
|
DELETE
|
INSTANCE
|
SYSCALL
|
SYSCALL record field contains value 256
|
MOVE
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 257
|
OPEN
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 258
|
CREATE
|
DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 259
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 260
|
UPDATE
|
FILE OR DIRECTORY
|
SYSCALL
|
SYSCALL record field contains value 261
|
UPDATE
|
TIMESTAMP
|
SYSCALL
|
SYSCALL record field contains value 262
|
GET
|
STATUS
|
SYSCALL
|
SYSCALL record field contains value 263
|
REMOVE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 264
|
RENAME
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 265
|
CREATE
|
LINK
|
SYSCALL
|
SYSCALL record field contains value 266
|
CREATE
|
LINK
|
SYSCALL
|
SYSCALL record field contains value 267
|
READ
|
LINK
|
SYSCALL
|
SYSCALL record field contains value 268
|
UPDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 269
|
VALIDATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 270
|
EXECUTE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 271
|
WAIT
|
EVENT
|
SYSCALL
|
SYSCALL record field contains value 272
|
DISASSOCIATE
|
CONTEXT
|
SYSCALL
|
SYSCALL record field contains value 273
|
SET
|
LIST
|
SYSCALL
|
SYSCALL record field contains value 274
|
GET
|
LIST
|
SYSCALL
|
SYSCALL record field contains value 275
|
EXECUTE
|
DATA
|
SYSCALL
|
SYSCALL record field contains value 276
|
COPY
|
CONTENT
|
SYSCALL
|
SYSCALL record field contains value 277
|
SYNCHRONIZE
|
SEGMENT
|
SYSCALL
|
SYSCALL record field contains value 278
|
EXECUTE
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 279
|
MOVE
|
PAGE
|
SYSCALL
|
SYSCALL record field contains value 280
|
UPDATE
|
TIMESTAMP
|
SYSCALL
|
SYSCALL record field contains value 281
|
WAIT
|
EVENT
|
SYSCALL
|
SYSCALL record field contains value 282
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 283
|
EXECUTE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 284
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 285
|
EXECUTE
|
SPACE
|
SYSCALL
|
SYSCALL record field contains value 286
|
CREATE
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 287
|
GET
|
TIMER
|
SYSCALL
|
SYSCALL record field contains value 288
|
ACQUIRE
|
CONNECTION
|
SYSCALL
|
SYSCALL record field contains value 289
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 290
|
CREATE
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 291
|
OPEN
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 292
|
COPY
|
FILE
|
SYSCALL
|
SYSCALL record field contains value 293
|
CREATE
|
PIPE
|
SYSCALL
|
SYSCALL record field contains value 294
|
INITIALIZE
|
INSTANCE
|
SYSCALL
|
SYSCALL record field contains value 295
|
READ
|
DATA
|
SYSCALL
|
SYSCALL record field contains value 296
|
WRITE
|
DATA
|
SYSCALL
|
SYSCALL record field contains value 297
|
SUBSCRIBE
|
DATA
|
SYSCALL
|
SYSCALL record field contains value 298
|
CREATE
|
FILE
|
SELINUX_ERR
|
None
|
RAISE
|
SYSTEM
|
SYSTEM_SHUTDOWN
|
None
|
SHUTDOWN
|
OS
|
ROLE_REMOVE
|
None
|
DELETE
|
ROLE
|
ROLE_ASSIGN
|
None
|
ASSIGN
|
ROLE
|
SYSTEM_RUNLEVEL
|
None
|
STOP
|
SYSTEM
|
NETFILTER_CFG
|
None
|
CONFIGURE
|
SOCKET
|
DEL_GROUP
|
None
|
DELETE
|
GROUP
|
CRYPTO_KEY_USER
|
None
|
DISCONNECT
|
USER SESSION
|
USER_MGMT
|
User account attribute change
|
UPDATE
|
USER
|
DAC_CHECK
|
User space DAC check results
|
VALIDATE
|
PRIVILEGE
|
DAEMON_RECONFIG
|
Auditd should be reconfigured
|
CONFIGURE
|
AUDITSERVICE
|
ANOM_MOD_ACCT
|
Changing an account
|
UPDATE
|
ACCOUNT
|
RESP_EXEC
|
Execute a script
|
EXECUTE
|
SCRIPT
|
USER_MAC_POLICY_LOAD
|
User’s PC daemon loaded policy
|
LOAD
|
POLICY
|
USER_MAC_CONFIG_CHANGE
|
Change made to MAC policy
|
UPDATE
|
POLICY
|
ANOM_LINK
|
Suspicious use of file links
|
ACCESS
|
FILE
|
GRP_MGMT
|
Group account attribute was modified
|
UPDATE
|
GROUP
|
GRP_MGMT
|
Group is created
|
CREATE
|
GROUP
|
GRP_CHAUTHTOK
|
Group account password or pin changed
|
UPDATE
|
GROUP
|
ACCT_LOCK
|
User account locked by administrator
|
LOCK
|
USER
|
ACCT_UNLOCK
|
User account unlocked by administrator
|
UNLOCK
|
USER
|
DAEMON_ERR
|
Auditd daemon internal error is detected
|
ERROR
|
AUDITSERVICE
|
OBJ_PID
|
Records information about a process to which a signal is sent
|
SEND
|
PROCESS
|
PATH
|
Records information about file name path
|
EXECUTE
|
FILE
|
PROCTITLE
|
Provides the full command line that triggered this audit event. Triggered by system call to the kernel
|
EXECUTE
|
SYSCALL
|
AVC_PATH
|
Records the dentry and vfsmount pair when an SELinux permission check occurs
|
ACCESS
|
PRIVILEGE
|
MAC_CHECK
|
User space MAC decision is made
|
ACCESS
|
USER
|
SECCOMP
|
Triggered when a secure computing event is detected
|
FIND
|
EVENT
|
CRYPTO_IKE_SA
|
Internet Key Exchange Security Association establishment
|
START
|
SESSION
|
CRYPTO_IPSEC_SA
|
Internet Protocol Security Association establishment
|
START
|
SESSION
|
CAPSET
|
Records any changes in process-based capabilities
|
UPDATE
|
PROCESS
|
CWD
|
Records the current working directory
|
GET
|
DIRECTORY
|
EOE
|
Records the end of a multi-record event
|
EXECUTE
|
EVENT
|
EXECVE
|
Records arguments of the execve(2) system call
|
EXECUTE
|
SYSCALL
|
FD_PAIR
|
Records the use of the pipe and socket pair system calls
|
EXECUTE
|
SYSCALL
|
FEATURE_CHANGE
|
Audit feature value has been changed
|
UPDATE
|
AUDITSERVICE
|
IPC
|
Records information about an inter-process communication object referenced by a system call
|
EXECUTE
|
SYSCALL
|
MMAP
|
Records a file descriptor and flags of the mmap(2) system call
|
EXECUTE
|
SYSCALL
|
MQ_GETSETATTR
|
Records the mq_getattr(3) and mq_setattr(3) message queue attributes
|
EXECUTE
|
SYSCALL
|
MQ_NOTIFY
|
Records arguments of the mq_notify(3) system call
|
EXECUTE
|
SYSCALL
|
MQ_OPEN
|
Records arguments of the mq_open(3) system call
|
EXECUTE
|
SYSCALL
|
MQ_SENDRECV
|
Records arguments of the mq_send(3) and mq_receive(3) system calls
|
EXECUTE
|
SYSCALL
|
KERN_MODULE
|
Records a kernel module name on load or unload
|
EXECUTE
|
MODULE
|
SOCKADDR
|
Records socket address
|
EXECUTE
|
SOCKET
|
SOCKETCALL
|
Records arguments of the sys_socketcall system call
|
EXECUTE
|
SYSCALL
|
TEST
|
Records the success value of a test message
|
VALIDATE
|
MESSAGE
|
TRUSTED_APP
|
Records of this type can be used by third-party applications that require auditing
|
EXECUTE
|
AUDITSERVICE
|