RHEL Audit System Reference
Updated
Audit Event Fields
The following table lists all currently-supported Audit event fields. An event field is the value preceding the equal sign in the Audit log files.
| Event Field | Explanation | RHEL 7 | RHEL 8 |
|---|---|---|---|
| a0, a1, a2, a3 | Records the first four arguments of the system call, encoded in hexadecimal notation. | yes | yes |
| acct | Record the user account name under which the process was executed. | yes | yes |
| action | Records the action taking place in an integrity policy rule. | yes | yes |
| appraise_type | Records the appraisal type used in an integrity policy rule. | yes | yes |
| addr | Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to. | yes | yes |
| arch | Records information about the CPU architecture of the system, encoded in hexadecimal notation. | yes | yes |
| auid | Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su -john). | yes | yes |
| calipso_doi | Records the DOI of an RFC5570 Calipso entry. | no | yes |
| calipso_type | Records the type of an RFC5570 Calipso entry. | no | yes |
| capability | Records the number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page. | yes | yes |
| cap_fe | Records data related to the setting of the effective file system-based capability bit. | yes | yes |
| cap_fi | Records data related to the setting of an inherited file system-based capability. | yes | yes |
| cap_fp | Records data related to the setting of a permitted file system-based capability. | yes | yes |
| cap_fver | Records the version of a file system-based capability. | yes | yes |
| cap_pe | Records data related to the setting of an effective process-based capability. | yes | yes |
| cap_pi | Records data related to the setting of an inherited process-based capability. | yes | yes |
| cap_pp | Records data related to the setting of a permitted process-based capability. | yes | yes |
| cause | Records the cause in an integrity policy rule. | yes | yes |
| cgroup | Records the path to the cgroup that contains the process at the time the Audit event was generated. | yes | yes |
| cmd | Records the entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help. | yes | yes |
| code | Records the seccomp action. | yes | yes |
| comm | Records the command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh. | yes | yes |
| compat | Records the syscall compatibility mode in a seccomp action. | yes | yes |
| cwd | Records the path to the directory in which a system call was invoked. | yes | yes |
| data | Records data associated with TTY records. | yes | yes |
| dev | Records the minor and major ID of the device that contains the file or directory recorded in an event. | yes | yes |
| devmajor | Records the major device ID. | yes | yes |
| devminor | Records the minor device ID. | yes | yes |
| egid | Records the effective group ID of the user who started the analyzed process. | yes | yes |
| euid | Records the effective user ID of the user who started the analyzed process. | yes | yes |
| exe | Records the path to the executable that was used to invoke the analyzed process. | yes | yes |
| exit | Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code | yes | yes |
| family | Records the type of address protocol that was used, either IPv4 or IPv6. | yes | yes |
| feature | Records the audit feature being set or cleared. | yes | yes |
| file | Records the file involved in an integrity measurement. | yes | yes |
| filetype | Records the type of the file. | yes | yes |
| flags | Records the file system name flags. | yes | yes |
| fowner | Records the file owner used in an integrity policy rule. | yes | yes |
| fsgid | Records the file system group ID of the user who started the analyzed process. | yes | yes |
| fsmagic | Records the filesystem magic used in an integrity policy rule. | yes | yes |
| fsuuid | Records the fsuuid used in an integrity policy rule. | yes | yes |
| fsuid | Records the file system user ID of the user who started the analyzed process. | yes | yes |
| func | Records the function involved in an integrity policy rule. | yes | yes |
| gid | Records the group ID. | yes | yes |
| hash | Records the hash of a file involved in an integrity measurement. | yes | yes |
| hostname | Records the host name. | yes | yes |
| icmptype | Records the type of a Internet Control Message Protocol (ICMP) package that is received. Audit messages containing this field are usually generated by iptables. | yes | yes |
| id | Records the user ID of an account that was changed. | yes | yes |
| inode | Records the inode number associated with the file or directory recorded in an Audit event. | yes | yes |
| inode_gid | Records the group ID of the inode's owner. | yes | yes |
| inode_uid | Records the user ID of the inode's owner. | yes | yes |
| ip | Records the instruction pointer in a seccomp action. | yes | yes |
| items | Records the number of path records that are attached to this record. | yes | yes |
| key | Records the user defined string associated with a rule that generated a particular event in the Audit log. | yes | yes |
| list | Records the Audit rule list ID. The following is a list of known IDs: 0 — user, 1 — task, 4 — exit, 5 — exclude | yes | yes |
| mode | Records the file or directory permissions, encoded in numerical notation. | yes | yes |
| msg | Records a time stamp and a unique ID of a record, or various event-specific | yes | yes |
| msgtype | Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus. | yes | yes |
| name | Records the full path of the file or directory that was passed to the system call as an argument. | yes | yes |
| new-disk | Records the name of a new disk resource that is assigned to a virtual machine. | yes | yes |
| new-mem | Records the amount of a new memory resource that is assigned to a virtual machine. | yes | yes |
| new-vcpu | Records the number of a new virtual CPU resource that is assigned to a virtual machine. | yes | yes |
| new-net | Records the MAC address of a new network interface resource that is assigned to a virtual machine. | yes | yes |
| new_gid | Records a group ID that is assigned to a user. | yes | yes |
| new_lock | Records the new value of a lock being set on an audit feature. | yes | yes |
| nsec | Records the number of nanoseconds by which the system clock was shifted. | no | yes |
| oauid | Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID. | yes | yes |
| ocomm | Records the command that was used to start the target process.This field is exclusive to the record of type OBJ_PID. | yes | yes |
| old_lock | Records the old value of a lock being set on an audit feature. | yes | yes |
| opid | Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID. | yes | yes |
| oses | Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID. | yes | yes |
| ouid | Records the real user ID of the target process | yes | yes |
| obj | Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject. | yes | yes |
| objtype | Records the intent of the PATH record object in the context of a syscall. | yes | yes |
| obj_gid | Records the group ID of an object. | yes | yes |
| obj_lev_high | Records the high SELinux level of an object. | yes | yes |
| obj_lev_low | Records the low SELinux level of an object. | yes | yes |
| obj_role | Records the SELinux role of an object. | yes | yes |
| obj_type | Records the type of an object. | yes | yes |
| obj_uid | Records the UID of an object | yes | yes |
| obj_user | Records the user that is associated with an object. | yes | yes |
| ogid | Records the object owner's group ID. | yes | yes |
| old-disk | Records the name of an old disk resource when a new disk resource is assigned to a virtual machine. | yes | yes |
| old-mem | Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine. | yes | yes |
| old-vcpu | Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine. | yes | yes |
| old-net | Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine. | yes | yes |
| old_prom | Records the previous value of the network promiscuity flag. | yes | yes |
| ouid | Records the real user ID of the user who started the target process. | yes | yes |
| path | Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events | yes | yes |
| perm | Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change) | yes | yes |
| pid | The pid field semantics depend on the origin of the value in this field. In fields generated from user-space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user-space. For more information, see the gettid(2) man page. | yes | yes |
| ppid | Records the Parent Process ID (PID). | yes | yes |
| proctitle | Records the full command-line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation to not allow the user to influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents. | yes | yes |
| prom | Records the network promiscuity flag. | yes | yes |
| proto | Records the networking protocol that was used. This field is specific to Audit events generated by iptables. | yes | yes |
| res | Records the result of the operation that triggered the Audit event. | yes | yes |
| resp | Records the response from an fanotify access control decision. | yes | yes |
| result | Records the result of the operation that triggered the Audit event. | yes | yes |
| saddr | Records the socket address. | yes | yes |
| sauid | Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid. | yes | yes |
| sec | Records the number of seconds by which the system clock was shifted. | no | yes |
| ses | Records the session ID of the session from which the analyzed process was invoked. | yes | yes |
| sgid | Records the set group ID of the user who started the analyzed process. | yes | yes |
| sig | Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion. | yes | yes |
| subj | Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object. | yes | yes |
| subj_clr | Records the SELinux clearance of a subject. | yes | yes |
| subj_role | Records the SELinux role of a subject. | yes | yes |
| subj_sen | Records the SELinux sensitivity of a subject. | yes | yes |
| subj_type | Records the type of a subject. | yes | yes |
| subj_user | Records the user that is associated with a subject. | yes | yes |
| success | Records whether a system call was successful or failed. | yes | yes |
| suid | Records the set user ID of the user who started the analyzed process. | yes | yes |
| syscall | Records the type of the system call that was sent to the kernel. | yes | yes |
| terminal | Records the terminal name (without /dev/). | yes | yes |
| tty | Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal. | yes | yes |
| uid | Records the real user ID of the user who started the analyzed process. | yes | yes |
| vm | Records the name of a virtual machine from which the Audit event originated. | yes | yes |
| xattr | Records the set of extended attributes modified and protected by EVM. | no | yes |
Audit Record Types
The following table lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.
| Event Type | Explanation | RHEL 7 | RHEL 8 |
|---|---|---|---|
| ACCT_LOCK | Triggered when a user-space user account is locked by the administrator. | yes | yes |
| ACCT_UNLOCK | Triggered when a user-space user account is unlocked by the administrator. | yes | yes |
| ADD_GROUP | Triggered when a user-space group is added. | yes | yes |
| ADD_USER | Triggered when a user-space user account is added. | yes | yes |
| ANOM_ABEND1 | Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled). | yes | yes |
| ANOM_ACCESS_FS1 | Triggered when a file or a directory access ends abnormally. | yes | yes |
| ANOM_ADD_ACCT1 | Triggered when a user-space account addition ends abnormally. | yes | yes |
| ANOM_AMTU_FAIL1 | Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected. | yes | yes |
| ANOM_CRYPTO_FAIL1 | Triggered when a failure in the cryptographic system is detected. | yes | yes |
| ANOM_DEL_ACCT1 | Triggered when a user-space account deletion ends abnormally. | yes | yes |
| ANOM_EXEC1 | Triggered when an execution of a file ends abnormally. | yes | yes |
| ANOM_LINK1 | Triggered when suspicious use of file links is detected. | yes | yes |
| ANOM_LOGIN_ACCT1 | Triggered when an account login attempt ends abnormally. | yes | yes |
| ANOM_LOGIN_FAILURES1 | Triggered when the limit of failed login attempts is reached. | yes | yes |
| ANOM_LOGIN_LOCATION1 | Triggered when a login attempt is made from a forbidden location. | yes | yes |
| ANOM_LOGIN_SESSIONS1 | Triggered when a login attempt reaches the maximum amount of concurrent sessions. | yes | yes |
| ANOM_LOGIN_TIME1 | Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time. | yes | yes |
| ANOM_MAX_DAC1 | Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached. | yes | yes |
| ANOM_MAX_MAC1 | Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached. | yes | yes |
| ANOM_MK_EXEC1 | Triggered when a file is made executable. | yes | yes |
| ANOM_MOD_ACCT1 | Triggered when a user-space account modification ends abnormally. | yes | yes |
| ANOM_PROMISCUOUS1 | Triggered when a device enables or disables promiscuous mode. | yes | yes |
| ANOM_RBAC_FAIL1 | Triggered when a Role-Based Access Control (RBAC) self-test failure is detected. | yes | yes |
| ANOM_RBAC_INTEGRITY_FAIL1 | Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected. | yes | yes |
| ANOM_ROOT_TRANS1 | Triggered when a user becomes root. | yes | yes |
| AVC | Triggered to record an SELinux permission check. | yes | yes |
| AVC_PATH | Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs. | yes | yes |
| BPRM_FCAPS | Triggered when a user executes a program with a file system capability. | yes | yes |
| CAPSET | Triggered to record the capabilities being set for process-based capabilities, for example, running as root to drop capabilities. | yes | yes |
| CHGRP_ID | Triggered when a user-space group ID is changed. | yes | yes |
| CHUSER_ID | Triggered when a user-space user ID is changed. | yes | yes |
| CONFIG_CHANGE | Triggered when the Audit system configuration is modified. | yes | yes |
| CRED_ACQ | Triggered when a user acquires user-space credentials. | yes | yes |
| CRED_DISP | Triggered when a user disposes of user-space credentials. | yes | yes |
| CRED_REFR | Triggered when a user refreshes their user-space credentials. | yes | yes |
| CRYPTO_FAILURE_USER | Triggered when a decrypt, encrypt, or randomize cryptographic operation fails. | yes | yes |
| CRYPTO_IKE_SA | Triggered when an Internet Key Exchange Security Association is established. | yes | yes |
| CRYPTO_IPSEC_SA | Triggered when an Internet Protocol Security Association is established. | yes | yes |
| CRYPTO_KEY_USER | Triggered to record the cryptographic key identifier used for cryptographic purposes. | yes | yes |
| CRYPTO_LOGIN | Triggered when a cryptographic officer login attempt is detected. | yes | yes |
| CRYPTO_LOGOUT | Triggered when a cryptographic officer logout attempt is detected. | yes | yes |
| CRYPTO_PARAM_CHANGE_USER | Triggered when a change in a cryptographic parameter is detected. | yes | yes |
| CRYPTO_REPLAY_USER | Triggered when a replay attack is detected. | yes | yes |
| CRYPTO_SESSION | Triggered to record parameters set during a TLS session establishment. | yes | yes |
| CRYPTO_TEST_USER | Triggered to record cryptographic test results as required by the FIPS-140 standard. | yes | yes |
| CWD | Triggered to record the current working directory. | yes | yes |
| DAC_CHECK | Triggered to record DAC check results. | yes | yes |
| DAEMON_ABORT | Triggered when a daemon is stopped due to an error. | yes | yes |
| DAEMON_ACCEPT | Triggered when the auditd daemon accepts a remote connection. | yes | yes |
| DAEMON_CLOSE | Triggered when the auditd daemon closes a remote connection. | yes | yes |
| DAEMON_CONFIG | Triggered when a daemon configuration change is detected. | yes | yes |
| DAEMON_END | Triggered when a daemon is successfully stopped. | yes | yes |
| DAEMON_ERR | Triggered when an auditd daemon internal error is detected. | yes | yes |
| DAEMON_RESUME | Triggered when the auditd daemon resumes logging. | yes | yes |
| DAEMON_ROTATE | Triggered when the auditd daemon rotates the Audit log files. | yes | yes |
| DAEMON_START | Triggered when the auditd daemon is started. | yes | yes |
| DEL_GROUP | Triggered when a user-space group is deleted | yes | yes |
| DEL_USER | Triggered when a user-space user is deleted | yes | yes |
| DEV_ALLOC | Triggered when a device is allocated. | yes | yes |
| DEV_DEALLOC | Triggered when a device is deallocated. | yes | yes |
| EOE | Triggered to record the end of a multi-record event. | yes | yes |
| EXECVE | Triggered to record arguments of the execve(2) system call. | yes | yes |
| FANOTIFY | Triggered when an fanotify access decision is made. | yes | yes |
| FD_PAIR | Triggered to record the use of the pipe and socketpair system calls. | yes | yes |
| FEATURE_CHANGE | Triggered when an Audit feature changed value. | yes | yes |
| FS_RELABEL | Triggered when a file system relabel operation is detected. | yes | yes |
| GRP_AUTH | Triggered when a group password is used to authenticate against a user-space group. | yes | yes |
| GRP_CHAUTHTOK | Triggered when a group account password or PIN is modified. | yes | yes |
| GRP_MGMT | Triggered to record user-space group account attribute modification. | yes | yes |
| INTEGRITY_DATA2 | Triggered to record a data integrity verification event run by the kernel. | yes | yes |
| INTEGRITY_EVM_XATTR2 | Triggered when an EVM-covered extended attribute is modified. | no | yes |
| INTEGRITY_HASH2 | Triggered to record a hash type integrity verification event run by the kernel. | yes | yes |
| INTEGRITY_METADATA2 | Triggered to record a metadata integrity verification event run by the kernel. | yes | yes |
| INTEGRITY_PCR2 | Triggered to record Platform Configuration Register (PCR) invalidation messages. | yes | yes |
| INTEGRITY_RULE2 | Triggered to record a policy rule. | yes | yes |
| INTEGRITY_STATUS2 | Triggered to record the status of integrity verification. | yes | yes |
| IPC | Triggered to record information about a Inter-Process Communication object referenced by a system call. | yes | yes |
| IPC_SET_PERM | Triggered to record information about new values set by an IPC_SET control operation on an IPC object. | yes | yes |
| KERN_MODULE | Triggered to record a kernel module name on load or unload. | yes | yes |
| KERNEL | Triggered to record the initialization of the Audit system. | yes | yes |
| KERNEL_OTHER | Triggered to record information from third-party kernel modules. | yes | yes |
| LABEL_LEVEL_CHANGE | Triggered when an object's level label is modified. | yes | yes |
| LABEL_OVERRIDE | Triggered when an administrator overrides an object's level label. | yes | yes |
| LOGIN | Triggered to record relevant login information when a user log in to access the system. | yes | yes |
| MAC_CALIPSO_ADD | Triggered when a NetLabel CALIPSO DOI entry is added. | no | yes |
| MAC_CALIPSO_DEL | Triggered when a NetLabel CALIPSO DOI entry is deleted. | no | yes |
| MAC_CHECK | Triggered when a user space MAC (Mandatory Access Control) decision is made. | yes | yes |
| MAC_CIPSOV4_ADD | Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_CIPSOV4_DEL | Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_CONFIG_CHANGE | Triggered when an SELinux Boolean value is changed. | yes | yes |
| MAC_IPSEC_EVENT | Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes. | yes | yes |
| MAC_MAP_ADD | Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_MAP_DEL | Triggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_POLICY_LOAD | Triggered when a SELinux policy file is loaded. | yes | yes |
| MAC_STATUS | Triggered when the SELinux mode (enforcing, permissive, off) is changed. | yes | yes |
| MAC_UNLBL_ALLOW | Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_UNLBL_STCADD | Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MAC_UNLBL_STCDEL | Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel. | yes | yes |
| MMAP | Triggered to record a file descriptor and flags of the mmap(2) system call. | yes | yes |
| MQ_GETSETATTR | Triggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes. | yes | yes |
| MQ_NOTIFY | Triggered to record arguments of the mq_notify(3) system call. | yes | yes |
| MQ_OPEN | Triggered to record arguments of the mq_open(3) system call. | yes | yes |
| MQ_SENDRECV | Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls. | yes | yes |
| NETFILTER_CFG | Triggered when Netfilter chain modifications are detected. | yes | yes |
| NETFILTER_PKT | Triggered to record packets traversing Netfilter chains. | yes | yes |
| OBJ_PID | Triggered to record information about a process to which a signal is sent. | yes | yes |
| PATH | Triggered to record file name path information. | yes | yes |
| PROCTITLE | Gives the full command-line that triggered this Audit event, triggered by a system call to the kernel. | yes | yes |
| RESP_ACCT_LOCK3 | Triggered when a user account is locked. | yes | yes |
| RESP_ACCT_LOCK_TIMED3 | Triggered when a user account is locked for a specified period of time. | yes | yes |
| RESP_ACCT_REMOTE3 | Triggered when a user account is locked from a remote session. | yes | yes |
| RESP_ACCT_UNLOCK_TIMED3 | Triggered when a user account is unlocked after a configured period of time. | yes | yes |
| RESP_ALERT3 | Triggered when an alert email is sent. | yes | yes |
| RESP_ANOMALY3 | Triggered when an anomaly was not acted upon. | yes | yes |
| RESP_EXEC3 | Triggered when an intrusion detection program responds to a threat originating from the execution of a program. | yes | yes |
| RESP_HALT3 | Triggered when the system is shut down. | yes | yes |
| RESP_KILL_PROC3 | Triggered when a process is terminated. | yes | yes |
| RESP_SEBOOL3 | Triggered when an SELinux Boolean value is set. | yes | yes |
| RESP_SINGLE3 | Triggered when the system is put into single-user mode. | yes | yes |
| RESP_TERM_ACCESS3 | Triggered when a session is terminated. | yes | yes |
| RESP_TERM_LOCK3 | Triggered when a terminal is locked. | yes | yes |
| ROLE_ASSIGN | Triggered when an administrator assigns a user to an SELinux role. | yes | yes |
| ROLE_MODIFY | Triggered when an administrator modifies an SELinux role. | yes | yes |
| ROLE_REMOVE | Triggered when an administrator removes a user from an SELinux role. | yes | yes |
| SECCOMP | Triggered when a SECure COMPuting event is detected. | yes | yes |
| SELINUX_ERR | Triggered when an internal SELinux error is detected. | yes | yes |
| SERVICE_START | Triggered when a service is started. | yes | yes |
| SERVICE_STOP | Triggered when a service is stopped. | yes | yes |
| SOCKADDR | Triggered to record a socket address. | yes | yes |
| SOCKETCALL | Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls). | yes | yes |
| SOFTWARE_UPDATE | Triggered to record software update events. | yes | yes |
| SYSCALL | Triggered to record a system call to the kernel. | yes | yes |
| SYSTEM_BOOT | Triggered when the system is booted up. | yes | yes |
| SYSTEM_RUNLEVEL | Triggered when the system's run level is changed. | yes | yes |
| SYSTEM_SHUTDOWN | Triggered when the system is shut down. | yes | yes |
| TEST | Triggered to record the success value of a test message. | yes | yes |
| TIME_ADJNTPVAL | Triggered when the system clock is modified. | no | yes |
| TIME_INJOFFSET | Triggered when a Timekeeping offset is injected to the sytem clock. | no | yes |
| TRUSTED_APP | The record of this type can be used by third party application that require auditing. | yes | yes |
| TTY | Triggered when TTY input was sent to an administrative process. | yes | yes |
| USER_ACCT | Triggered when a user-space user authorization attempt is detected. | yes | yes |
| USER_AUTH | Triggered when a user-space user authentication attempt is detected. | yes | yes |
| USER_AVC | Triggered when a user-space AVC message is generated. | yes | yes |
| USER_CHAUTHTOK | Triggered when a user account password or PIN is modified. | yes | yes |
| USER_CMD | Triggered when a user-space shell command is executed. | yes | yes |
| USER_DEVICE | Triggered when a user-space hotplug device is changed. | yes | yes |
| USER_END | Triggered when a user-space session is terminated. | yes | yes |
| USER_ERR | Triggered when a user account state error is detected. | yes | yes |
| USER_LABELED_EXPORT | Triggered when an object is exported with an SELinux label. | yes | yes |
| USER_LOGIN | Triggered when a user logs in. | yes | yes |
| USER_LOGOUT | Triggered when a user logs out. | yes | yes |
| USER_MAC_POLICY_LOAD | Triggered when a user-space daemon loads an SELinux policy. | yes | yes |
| USER_MGMT | Triggered to record user-space user account attribute modification. | yes | yes |
| USER_ROLE_CHANGE | Triggered when a user's SELinux role is changed. | yes | yes |
| USER_SELINUX_ERR | Triggered when a user-space SELinux error is detected. | yes | yes |
| USER_START | Triggered when a user-space session is started. | yes | yes |
| USER_TTY | Triggered when an explanatory message about TTY input to an administrative process is sent from user-space. | yes | yes |
| USER_UNLABELED_EXPORT | Triggered when an object is exported without SELinux label. | yes | yes |
| USYS_CONFIG | Triggered when a user-space system configuration change is detected. | yes | yes |
| VIRT_CONTROL | Triggered when a virtual machine is started, paused, or stopped. | yes | yes |
| VIRT_MACHINE_ID | Triggered to record the binding of a label to a virtual machine. | yes | yes |
| VIRT_RESOURCE | Triggered to record resource assignment of a virtual machine. | yes | yes |
1
All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.
2: This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
3: All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.
Additional Resources
auditd(8)man pageausearch(8)man pageauditd.conf(5)man page
Product(s)
Category
Components
Article Type