N Linux Operating System Audit Events
Linux operation system events include events such as LOGIN
, USER_AUTH
, and USER_ACCT
.
This appendix maps audit event names used in the Linux Operating System to their equivalent values in the Additional Description, command_class and target_type fields in the Oracle Audit Vault and Database Firewall audit record. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools.
See Also:
Oracle Audit Vault and Database Firewall Database Schemas for Oracle Audit Vault and Database Firewall data warehouse details that may be useful in designing your own reports.
Table N-1 lists the Linux audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table N-1 Linux Audit Events
Source Event | Additional Description | Command Class | Target Type |
---|---|---|---|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
any other |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
any other |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
op record field contains value change password |
|
|
|
op record field contains value changing password |
|
|
|
op record field contains value change expired password |
|
|
|
op record field contains value change age |
|
|
|
op record field contains value change max age |
|
|
|
op record field contains value change min age |
|
|
|
op record field contains value change passwd warning |
|
|
|
op record field contains value change inactive days |
|
|
|
op record field contains value change passwd expiration |
|
|
|
op record field contains value change last change date |
|
|
|
op record field contains value change all aging information |
|
|
|
op record field contains value password attribute change |
|
|
|
op record field contains value password aging data updated |
|
|
|
op record field contains value display aging info |
|
|
|
op record field contains value password status display |
|
|
|
op record field contains value password status displayed for user |
|
|
|
op record field contains value adding to group |
|
|
|
op record field contains value adding group member |
|
|
|
op record field contains value adding user to group |
|
|
|
op record field contains value adding user to shadow group |
|
|
|
op record field contains value changing primary group |
|
|
|
op record field contains value changing group member |
|
|
|
op record field contains value changing admin name in shadow group |
|
|
|
op record field contains value changing member in shadow group |
|
|
|
op record field contains value deleting group password |
|
|
|
op record field contains value deleting member |
|
|
|
op record field contains value deleting user from group |
|
|
|
op record field contains value deleting user from shadow group |
|
|
|
op record field contains value removing group member |
|
|
|
op record field contains value removing user from shadow group |
|
|
|
op record field contains value user lookup |
|
|
|
op record field contains value adding group |
|
|
|
op record field contains value deleting group |
|
|
|
op record field contains value adding user |
|
|
|
op record field contains value adding home directory |
|
|
|
op record field contains value deleting user entries |
|
|
|
op record field contains value deleting user not found |
|
|
|
op record field contains value deleting user |
|
|
|
op record field contains value deleting user logged in |
|
|
|
op record field contains value deleting mail file |
|
|
|
op record field contains value deleting home directory |
|
|
|
op record field contains value lock password |
|
|
|
op record field contains value delete password |
|
|
|
op record field contains value updating password |
|
|
|
op record field contains value unlock password |
|
|
|
op record field contains value changing name |
|
|
USER_CHAUTHTOK |
op record field contains value changing uid |
|
|
|
op record field contains value changing home directory |
|
|
|
op record field contains value moving home directory |
|
|
|
op record field contains value changing mail file name |
|
|
|
op record field contains value changing mail file owner |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
SYSCALL |
None |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|