// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package libaudit
// audit_constant.go contains constants used within libaudit, sourced from linux/audit.h
// (from the Linux kernel) and from libaudit.h in the audit userspace source code.
// Code generated using various audit headers, DO NOT EDIT.
// AUDIT_STATUS_SIZE is the size of auditStatus.
const AUDIT_STATUS_SIZE = 40
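// Size limits, rule encoding values (filter lists, actions, fields and
// comparison operators), kernel status masks, and the machine identifiers
// (AUDIT_ARCH_*, EM_*) that distinguish syscall tables.
//
// All values are untyped constants. The AUDIT_ARCH_* values that carry
// __AUDIT_ARCH_64BIT do not fit in a signed 32-bit integer, so store them in
// an unsigned 32-bit (or wider) variable.
const (
	MAX_AUDIT_MESSAGE_LENGTH = 8970
	AUDIT_MAX_FIELDS         = 64
	AUDIT_BITMASK_SIZE       = 64

	// Rule flags.
	AUDIT_FILTER_USER  = 0x00 // Apply rule to user-generated messages
	AUDIT_FILTER_TASK  = 0x01 // Apply rule at task creation (not syscall)
	AUDIT_FILTER_ENTRY = 0x02 // Apply rule at syscall entry
	AUDIT_FILTER_WATCH = 0x03 // Apply rule to file system watches
	AUDIT_FILTER_EXIT  = 0x04 // Apply rule at syscall exit
	AUDIT_FILTER_TYPE  = 0x05 // Apply rule at audit_log_start

	// These are used in filter control.
	AUDIT_FILTER_MASK  = 0x07 // Mask to get actual filter
	AUDIT_FILTER_UNSET = 0x80 // This value means filter is unset

	// Rule actions.
	AUDIT_NEVER    = 0 // Do not build context if rule matches
	AUDIT_POSSIBLE = 1 // Build context if rule matches
	AUDIT_ALWAYS   = 2 // Generate audit record if rule matches

	// Rule fields. These are useful when checking the task structure at
	// task creation time (AUDIT_PER_TASK).
	AUDIT_PID      = 0
	AUDIT_UID      = 1
	AUDIT_EUID     = 2
	AUDIT_SUID     = 3
	AUDIT_FSUID    = 4
	AUDIT_GID      = 5
	AUDIT_EGID     = 6
	AUDIT_SGID     = 7
	AUDIT_FSGID    = 8
	AUDIT_LOGINUID = 9

	AUDIT_OBJ_GID = 110
	AUDIT_OBJ_UID = 109
	AUDIT_EXIT    = 103
	AUDIT_PERS    = 10

	AUDIT_FILTER_EXCLUDE = 0x05 // Same value as AUDIT_FILTER_TYPE

	AUDIT_ARCH        = 11
	PATH_MAX          = 4096
	AUDIT_MSGTYPE     = 12
	AUDIT_MAX_KEY_LEN = 256
	AUDIT_PERM        = 106
	AUDIT_FILTERKEY   = 210

	AUDIT_SUBJ_USER = 13 // security label user
	AUDIT_SUBJ_ROLE = 14 // security label role
	AUDIT_SUBJ_TYPE = 15 // security label type
	AUDIT_SUBJ_SEN  = 16 // security label sensitivity label
	AUDIT_SUBJ_CLR  = 17 // security label clearance label

	AUDIT_PPID          = 18
	AUDIT_OBJ_USER      = 19
	AUDIT_OBJ_ROLE      = 20
	AUDIT_OBJ_TYPE      = 21
	AUDIT_WATCH         = 105
	AUDIT_DIR           = 107
	AUDIT_OBJ_LEV_LOW   = 22
	AUDIT_OBJ_LEV_HIGH  = 23
	AUDIT_LOGINUID_SET  = 24
	AUDIT_DEVMAJOR      = 100
	AUDIT_DEVMINOR      = 101
	AUDIT_INODE         = 102
	AUDIT_SUCCESS       = 104
	AUDIT_FIELD_COMPARE = 111
	AUDIT_EXE           = 112

	// Permission bits, combined with bitwise OR.
	AUDIT_PERM_EXEC  = 1
	AUDIT_PERM_WRITE = 2
	AUDIT_PERM_READ  = 4
	AUDIT_PERM_ATTR  = 8

	AUDIT_FILETYPE = 108

	AUDIT_ARG0 = 200
	AUDIT_ARG1 = AUDIT_ARG0 + 1
	AUDIT_ARG2 = AUDIT_ARG0 + 2
	AUDIT_ARG3 = AUDIT_ARG0 + 3

	// Comparison operators. The composite operators are built by OR-ing
	// the basic ones.
	AUDIT_BIT_MASK     = 0x08000000
	AUDIT_LESS_THAN    = 0x10000000
	AUDIT_GREATER_THAN = 0x20000000
	AUDIT_NOT_EQUAL    = 0x30000000
	AUDIT_EQUAL        = 0x40000000

	AUDIT_BIT_TEST              = AUDIT_BIT_MASK | AUDIT_EQUAL
	AUDIT_LESS_THAN_OR_EQUAL    = AUDIT_LESS_THAN | AUDIT_EQUAL
	AUDIT_GREATER_THAN_OR_EQUAL = AUDIT_GREATER_THAN | AUDIT_EQUAL
	AUDIT_OPERATORS             = AUDIT_EQUAL | AUDIT_NOT_EQUAL | AUDIT_BIT_MASK

	// Status symbols: mask values.
	AUDIT_STATUS_ENABLED       = 0x0001
	AUDIT_STATUS_FAILURE       = 0x0002
	AUDIT_STATUS_PID           = 0x0004
	AUDIT_STATUS_RATE_LIMIT    = 0x0008
	AUDIT_STATUS_BACKLOG_LIMIT = 0x0010

	// Failure-to-log actions.
	AUDIT_FAIL_SILENT = 0
	AUDIT_FAIL_PRINTK = 1
	AUDIT_FAIL_PANIC  = 2

	// Flag bits OR-ed into an ELF machine number to distinguish syscall
	// tables.
	__AUDIT_ARCH_64BIT = 0x80000000
	__AUDIT_ARCH_LE    = 0x40000000

	// Each AUDIT_ARCH_* value names one syscall table. On a host that can
	// run more than one ABI (for example 32-bit binaries on x86_64), a
	// syscall rule written for a single AUDIT_ARCH_* value does not cover
	// calls made through the other table.
	//
	// AUDIT_ARCH_AARCH64 follows the definition in linux/audit.h; it was
	// missing here although EM_AARCH64 is defined below.
	AUDIT_ARCH_AARCH64  = EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
	AUDIT_ARCH_ALPHA    = EM_ALPHA | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
	AUDIT_ARCH_ARM      = EM_ARM | __AUDIT_ARCH_LE
	AUDIT_ARCH_ARMEB    = EM_ARM
	AUDIT_ARCH_CRIS     = EM_CRIS | __AUDIT_ARCH_LE
	AUDIT_ARCH_FRV      = EM_FRV
	AUDIT_ARCH_I386     = EM_386 | __AUDIT_ARCH_LE
	AUDIT_ARCH_IA64     = EM_IA_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
	AUDIT_ARCH_M32R     = EM_M32R
	AUDIT_ARCH_M68K     = EM_68K
	AUDIT_ARCH_MIPS     = EM_MIPS
	AUDIT_ARCH_MIPSEL   = EM_MIPS | __AUDIT_ARCH_LE
	AUDIT_ARCH_MIPS64   = EM_MIPS | __AUDIT_ARCH_64BIT
	AUDIT_ARCH_MIPSEL64 = EM_MIPS | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE

	// AUDIT_ARCH_OPENRISC = (EM_OPENRISC)
	// AUDIT_ARCH_PARISC = (EM_PARISC)
	// AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT)

	AUDIT_ARCH_PPC     = EM_PPC
	AUDIT_ARCH_PPC64   = EM_PPC64 | __AUDIT_ARCH_64BIT
	AUDIT_ARCH_S390    = EM_S390
	AUDIT_ARCH_S390X   = EM_S390 | __AUDIT_ARCH_64BIT
	AUDIT_ARCH_SH      = EM_SH
	AUDIT_ARCH_SHEL    = EM_SH | __AUDIT_ARCH_LE
	AUDIT_ARCH_SH64    = EM_SH | __AUDIT_ARCH_64BIT
	AUDIT_ARCH_SHEL64  = EM_SH | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
	AUDIT_ARCH_SPARC   = EM_SPARC
	AUDIT_ARCH_SPARC64 = EM_SPARCV9 | __AUDIT_ARCH_64BIT
	AUDIT_ARCH_X86_64  = EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE

	// ELF machine numbers, inlined here as a temporary solution until
	// linux/elf-em.h is added.
	EM_NONE  = 0
	EM_M32   = 1
	EM_SPARC = 2
	EM_386   = 3
	EM_68K   = 4
	EM_88K   = 5
	EM_486   = 6 // Perhaps disused
	EM_860   = 7
	EM_MIPS  = 8 // MIPS R3000 (officially, big-endian only)

	// Next two are historical and binaries and modules of these types
	// will be rejected by Linux. Both are defined as 10.
	EM_MIPS_RS3_LE = 10     // MIPS R3000 little-endian
	EM_MIPS_RS4_BE = 10     // MIPS R4000 big-endian
	EM_PARISC      = 15     // HPPA
	EM_SPARC32PLUS = 18     // Sun's "v8plus"
	EM_PPC         = 20     // PowerPC
	EM_PPC64       = 21     // PowerPC64
	EM_SPU         = 23     // Cell BE SPU
	EM_ARM         = 40     // ARM 32 bit
	EM_SH          = 42     // SuperH
	EM_SPARCV9     = 43     // SPARC v9 64-bit
	EM_IA_64       = 50     // HP/Intel IA-64
	EM_X86_64      = 62     // AMD x86-64
	EM_S390        = 22     // IBM S/390
	EM_CRIS        = 76     // Axis Communications 32-bit embedded processor
	EM_V850        = 87     // NEC v850
	EM_M32R        = 88     // Renesas M32R
	EM_MN10300     = 89     // Panasonic/MEI MN10300, AM33
	EM_BLACKFIN    = 106    // ADI Blackfin Processor
	EM_TI_C6000    = 140    // TI C6X DSPs
	EM_AARCH64     = 183    // ARM 64 bit
	EM_FRV         = 0x5441 // Fujitsu FR-V
	EM_AVR32       = 0x18ad // Atmel AVR32

	// This is an interim value that we will use until the committee comes
	// up with a final number.
	EM_ALPHA = 0x9026

	// Bogus old v850 magic number, used by old tools.
	EM_CYGNUS_V850 = 0x9080

	// Bogus old m32r magic number, used by old tools.
	EM_CYGNUS_M32R = 0x9041

	// This is the old interim value for S/390 architecture.
	EM_S390_OLD = 0xA390

	// Also Panasonic/MEI MN10300, AM33.
	EM_CYGNUS_MN10300 = 0xbeef

	// Used when determining AUDIT_ARCH.
	_UTSNAME_LENGTH          = 65
	_UTSNAME_DOMAIN_LENGTH   = _UTSNAME_LENGTH
	_UTSNAME_NODENAME_LENGTH = _UTSNAME_DOMAIN_LENGTH
)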
/* Audit message types as of 2.6.29 kernel:
* 1000 - 1099 are for commanding the audit system
* 1100 - 1199 user space trusted application messages
* 1200 - 1299 messages internal to the audit daemon
* 1300 - 1399 audit event messages
* 1400 - 1499 kernel SE Linux use
* 1500 - 1599 AppArmor events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
* 1800 - 1899 kernel integrity labels and related events
* 1800 - 1999 future kernel use
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
* 2200 - 2299 user space actions taken in response to anomalies
* 2300 - 2399 user space generated LSPP events
* 2400 - 2499 user space crypto events
* 2500 - 2599 user space virtualization management events
* 2600 - 2999 future user space (maybe integrity labels and related events)
*/
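//go:generate stringer -type=auditConstant audit_constant.go

// auditConstant is the numeric type of the audit message types declared
// below; the AUDIT_COMPARE_* field-comparison values at the end of the block
// share the same type.
//
// NOTE(review): some range markers share a value with the first message type
// of their range (for example AUDIT_FIRST_USER_MSG and AUDIT_USER_AUTH are
// both 1100). stringer emits a single name per value, so confirm which name
// the generated String method returns before matching on it in log
// processing or detection rules.
type auditConstant uint16

const (
	// 1000 - 1099: commands to the audit system.
	AUDIT_GET         auditConstant = 1000 // Get status
	AUDIT_SET         auditConstant = 1001 // Set status (enable/disable/auditd)
	AUDIT_LIST        auditConstant = 1002 // List syscall rules -- deprecated
	AUDIT_ADD         auditConstant = 1003 // Add syscall rule -- deprecated
	AUDIT_DEL         auditConstant = 1004 // Delete syscall rule -- deprecated
	AUDIT_USER        auditConstant = 1005 // Message from userspace -- deprecated
	AUDIT_LOGIN       auditConstant = 1006 // Define the login id and information
	AUDIT_WATCH_INS   auditConstant = 1007 // Insert file/dir watch entry
	AUDIT_WATCH_REM   auditConstant = 1008 // Remove file/dir watch entry
	AUDIT_WATCH_LIST  auditConstant = 1009 // List all file/dir watches
	AUDIT_SIGNAL_INFO auditConstant = 1010 // Get info about sender of signal to auditd
	AUDIT_ADD_RULE    auditConstant = 1011 // Add syscall filtering rule
	AUDIT_DEL_RULE    auditConstant = 1012 // Delete syscall filtering rule
	AUDIT_LIST_RULES  auditConstant = 1013 // List syscall filtering rules
	AUDIT_TRIM        auditConstant = 1014 // Trim junk from watched tree
	AUDIT_MAKE_EQUIV  auditConstant = 1015 // Append to watched tree
	AUDIT_TTY_GET     auditConstant = 1016 // Get TTY auditing status
	AUDIT_TTY_SET     auditConstant = 1017 // Set TTY auditing status
	AUDIT_SET_FEATURE auditConstant = 1018 // Turn an audit feature on or off
	AUDIT_GET_FEATURE auditConstant = 1019 // Get which features are enabled

	// 1100 - 1199: user space trusted application messages.
	AUDIT_FIRST_USER_MSG auditConstant = 1100 // First user space message
	AUDIT_LAST_USER_MSG  auditConstant = 1199 // Last user space message

	AUDIT_USER_AUTH        auditConstant = 1100 // User space authentication
	AUDIT_USER_ACCT        auditConstant = 1101 // User space acct change
	AUDIT_USER_MGMT        auditConstant = 1102 // User space acct management
	AUDIT_CRED_ACQ         auditConstant = 1103 // User space credential acquired
	AUDIT_CRED_DISP        auditConstant = 1104 // User space credential disposed
	AUDIT_USER_START       auditConstant = 1105 // User space session start
	AUDIT_USER_END         auditConstant = 1106 // User space session end
	AUDIT_USER_AVC         auditConstant = 1107 // User space avc message
	AUDIT_USER_CHAUTHTOK   auditConstant = 1108 // User space acct attr changed
	AUDIT_USER_ERR         auditConstant = 1109 // User space acct state err
	AUDIT_CRED_REFR        auditConstant = 1110 // User space credential refreshed
	AUDIT_USYS_CONFIG      auditConstant = 1111 // User space system config change
	AUDIT_USER_LOGIN       auditConstant = 1112 // User space user has logged in
	AUDIT_USER_LOGOUT      auditConstant = 1113 // User space user has logged out
	AUDIT_ADD_USER         auditConstant = 1114 // User space user account added
	AUDIT_DEL_USER         auditConstant = 1115 // User space user account deleted
	AUDIT_ADD_GROUP        auditConstant = 1116 // User space group added
	AUDIT_DEL_GROUP        auditConstant = 1117 // User space group deleted
	AUDIT_DAC_CHECK        auditConstant = 1118 // User space DAC check results
	AUDIT_CHGRP_ID         auditConstant = 1119 // User space group ID changed
	AUDIT_TEST             auditConstant = 1120 // Used for test success messages
	AUDIT_TRUSTED_APP      auditConstant = 1121 // Trusted app msg - freestyle text
	AUDIT_USER_SELINUX_ERR auditConstant = 1122 // SE Linux user space error
	AUDIT_USER_CMD         auditConstant = 1123 // User shell command and args
	AUDIT_USER_TTY         auditConstant = 1124 // Non-ICANON TTY input meaning
	AUDIT_CHUSER_ID        auditConstant = 1125 // Changed user ID supplemental data
	AUDIT_GRP_AUTH         auditConstant = 1126 // Authentication for group password
	AUDIT_SYSTEM_BOOT      auditConstant = 1127 // System boot
	AUDIT_SYSTEM_SHUTDOWN  auditConstant = 1128 // System shutdown
	AUDIT_SYSTEM_RUNLEVEL  auditConstant = 1129 // System runlevel change
	AUDIT_SERVICE_START    auditConstant = 1130 // Service (daemon) start
	AUDIT_SERVICE_STOP     auditConstant = 1131 // Service (daemon) stop
	AUDIT_GRP_MGMT         auditConstant = 1132 // Group account attr was modified
	AUDIT_GRP_CHAUTHTOK    auditConstant = 1133 // Group acct password or pin changed
	AUDIT_MAC_CHECK        auditConstant = 1134 // User space MAC decision results
	AUDIT_ACCT_LOCK        auditConstant = 1135 // User's account locked by admin
	AUDIT_ACCT_UNLOCK      auditConstant = 1136 // User's account unlocked by admin

	// 1200 - 1299: messages internal to the audit daemon.
	AUDIT_FIRST_DAEMON auditConstant = 1200
	AUDIT_LAST_DAEMON  auditConstant = 1299

	AUDIT_DAEMON_CONFIG   auditConstant = 1203 // Daemon config change
	AUDIT_DAEMON_RECONFIG auditConstant = 1204 // Auditd should reconfigure
	AUDIT_DAEMON_ROTATE   auditConstant = 1205 // Auditd should rotate logs
	AUDIT_DAEMON_RESUME   auditConstant = 1206 // Auditd should resume logging
	AUDIT_DAEMON_ACCEPT   auditConstant = 1207 // Auditd accepted remote connection
	AUDIT_DAEMON_CLOSE    auditConstant = 1208 // Auditd closed remote connection

	// 1300 - 1399: audit event messages.
	AUDIT_SYSCALL auditConstant = 1300 // Syscall event

	// AUDIT_FS_WATCH auditConstant = 1301 // Deprecated

	AUDIT_PATH           auditConstant = 1302 // Filename path information
	AUDIT_IPC            auditConstant = 1303 // IPC record
	AUDIT_SOCKETCALL     auditConstant = 1304 // sys_socketcall arguments
	AUDIT_CONFIG_CHANGE  auditConstant = 1305 // Audit system configuration change
	AUDIT_SOCKADDR       auditConstant = 1306 // sockaddr copied as syscall arg
	AUDIT_CWD            auditConstant = 1307 // Current working directory
	AUDIT_EXECVE         auditConstant = 1309 // execve arguments
	AUDIT_IPC_SET_PERM   auditConstant = 1311 // IPC new permissions record type
	AUDIT_MQ_OPEN        auditConstant = 1312 // POSIX MQ open record type
	AUDIT_MQ_SENDRECV    auditConstant = 1313 // POSIX MQ send/receive record type
	AUDIT_MQ_NOTIFY      auditConstant = 1314 // POSIX MQ notify record type
	AUDIT_MQ_GETSETATTR  auditConstant = 1315 // POSIX MQ get/set attribute record type
	AUDIT_KERNEL_OTHER   auditConstant = 1316 // For use by 3rd party modules
	AUDIT_FD_PAIR        auditConstant = 1317 // audit record for pipe/socketpair
	AUDIT_OBJ_PID        auditConstant = 1318 // ptrace target
	AUDIT_TTY            auditConstant = 1319 // Input on an administrative TTY
	AUDIT_EOE            auditConstant = 1320 // End of multi-record event
	AUDIT_BPRM_FCAPS     auditConstant = 1321 // Information about fcaps increasing perms
	AUDIT_CAPSET         auditConstant = 1322 // Record showing argument to sys_capset
	AUDIT_MMAP           auditConstant = 1323 // Record showing descriptor and flags in mmap
	AUDIT_NETFILTER_PKT  auditConstant = 1324 // Packets traversing netfilter chains
	AUDIT_NETFILTER_CFG  auditConstant = 1325 // Netfilter chain modifications
	AUDIT_SECCOMP        auditConstant = 1326 // Secure Computing event
	AUDIT_PROCTITLE      auditConstant = 1327 // Proctitle emit event
	AUDIT_FEATURE_CHANGE auditConstant = 1328 // audit log listing feature changes

	// AUDIT_FIRST_EVENT 1300
	// TODO: libaudit define this as AUDIT_FIRST_EVENT but audit.h differently.
	AUDIT_LAST_EVENT auditConstant = 1399

	// 1400 - 1499: kernel SE Linux use.
	// AUDIT_FIRST_SELINUX 1400
	// TODO: libaudit define this as AUDIT_FIRST_SELINUX but audit.h as AUDIT_AVC
	AUDIT_AVC               auditConstant = 1400 // SE Linux avc denial or grant
	AUDIT_SELINUX_ERR       auditConstant = 1401 // internal SE Linux Errors
	AUDIT_AVC_PATH          auditConstant = 1402 // dentry, vfsmount pair from avc
	AUDIT_MAC_POLICY_LOAD   auditConstant = 1403 // Policy file load
	AUDIT_MAC_STATUS        auditConstant = 1404 // Changed enforcing,permissive,off
	AUDIT_MAC_CONFIG_CHANGE auditConstant = 1405 // Changes to booleans
	AUDIT_MAC_UNLBL_ALLOW   auditConstant = 1406 // NetLabel: allow unlabeled traffic
	AUDIT_MAC_CIPSOV4_ADD   auditConstant = 1407 // NetLabel: add CIPSOv4 DOI entry
	AUDIT_MAC_CIPSOV4_DEL   auditConstant = 1408 // NetLabel: del CIPSOv4 DOI entry
	AUDIT_MAC_MAP_ADD       auditConstant = 1409 // NetLabel: add LSM domain mapping
	AUDIT_MAC_MAP_DEL       auditConstant = 1410 // NetLabel: del LSM domain mapping
	AUDIT_MAC_IPSEC_ADDSA   auditConstant = 1411 // Not used
	AUDIT_MAC_IPSEC_DELSA   auditConstant = 1412 // Not used
	AUDIT_MAC_IPSEC_ADDSPD  auditConstant = 1413 // Not used
	AUDIT_MAC_IPSEC_DELSPD  auditConstant = 1414 // Not used
	AUDIT_MAC_IPSEC_EVENT   auditConstant = 1415 // Audit an IPSec event
	AUDIT_MAC_UNLBL_STCADD  auditConstant = 1416 // NetLabel: add a static label
	AUDIT_MAC_UNLBL_STCDEL  auditConstant = 1417 // NetLabel: del a static label
	AUDIT_LAST_SELINUX      auditConstant = 1499

	// 1500 - 1599: AppArmor events.
	AUDIT_FIRST_APPARMOR   auditConstant = 1500
	AUDIT_LAST_APPARMOR    auditConstant = 1599
	AUDIT_AA               auditConstant = 1500 // Not upstream yet
	AUDIT_APPARMOR_AUDIT   auditConstant = 1501
	AUDIT_APPARMOR_ALLOWED auditConstant = 1502
	AUDIT_APPARMOR_DENIED  auditConstant = 1503
	AUDIT_APPARMOR_HT      auditConstant = 1504
	AUDIT_APPARMOR_STATUS  auditConstant = 1505
	AUDIT_APPARMOR_ERROR   auditConstant = 1506

	// 1600 - 1699: kernel crypto events.
	AUDIT_FIRST_KERN_CRYPTO_MSG auditConstant = 1600
	AUDIT_LAST_KERN_CRYPTO_MSG  auditConstant = 1699

	// 1700 - 1799: kernel anomaly records.
	// AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700
	AUDIT_LAST_KERN_ANOM_MSG auditConstant = 1799
	AUDIT_ANOM_PROMISCUOUS   auditConstant = 1700 // Device changed promiscuous mode
	AUDIT_ANOM_ABEND         auditConstant = 1701 // Process ended abnormally
	AUDIT_ANOM_LINK          auditConstant = 1702 // Suspicious use of file links

	// 1800 - 1899: kernel integrity labels and related events.
	AUDIT_INTEGRITY_FIRST_MSG auditConstant = 1800

	// Deprecated: misspelled name kept for existing callers; use
	// AUDIT_INTEGRITY_LAST_MSG.
	AUDIT_TINTEGRITY_LAST_MSG auditConstant = 1899

	// AUDIT_INTEGRITY_LAST_MSG is the correctly spelled end-of-range
	// marker. It is declared after the misspelled name so that the name
	// stringer picks for 1899 does not change when the code is regenerated.
	AUDIT_INTEGRITY_LAST_MSG auditConstant = 1899

	AUDIT_INTEGRITY_DATA     auditConstant = 1800 // Data integrity verification
	AUDIT_INTEGRITY_METADATA auditConstant = 1801 // Metadata integrity verification
	AUDIT_INTEGRITY_STATUS   auditConstant = 1802 // integrity enable status
	AUDIT_INTEGRITY_HASH     auditConstant = 1803 // integrity HASH type
	AUDIT_INTEGRITY_PCR      auditConstant = 1804 // PCR invalidation msgs
	AUDIT_INTEGRITY_RULE     auditConstant = 1805 // Policy rule

	AUDIT_KERNEL auditConstant = 2000 // Asynchronous audit record. NOT A REQUEST.

	// 2100 - 2199: user space anomaly records.
	AUDIT_FIRST_ANOM_MSG auditConstant = 2100
	AUDIT_LAST_ANOM_MSG  auditConstant = 2199

	AUDIT_ANOM_LOGIN_FAILURES      auditConstant = 2100 // Failed login limit reached
	AUDIT_ANOM_LOGIN_TIME          auditConstant = 2101 // Login attempted at bad time
	AUDIT_ANOM_LOGIN_SESSIONS      auditConstant = 2102 // Max concurrent sessions reached
	AUDIT_ANOM_LOGIN_ACCT          auditConstant = 2103 // Login attempted to watched acct
	AUDIT_ANOM_LOGIN_LOCATION      auditConstant = 2104 // Login from forbidden location
	AUDIT_ANOM_MAX_DAC             auditConstant = 2105 // Max DAC failures reached
	AUDIT_ANOM_MAX_MAC             auditConstant = 2106 // Max MAC failures reached
	AUDIT_ANOM_AMTU_FAIL           auditConstant = 2107 // AMTU failure
	AUDIT_ANOM_RBAC_FAIL           auditConstant = 2108 // RBAC self test failure
	AUDIT_ANOM_RBAC_INTEGRITY_FAIL auditConstant = 2109 // RBAC file integrity failure
	AUDIT_ANOM_CRYPTO_FAIL         auditConstant = 2110 // Crypto system test failure
	AUDIT_ANOM_ACCESS_FS           auditConstant = 2111 // Access of file or dir
	AUDIT_ANOM_EXEC                auditConstant = 2112 // Execution of file
	AUDIT_ANOM_MK_EXEC             auditConstant = 2113 // Make an executable
	AUDIT_ANOM_ADD_ACCT            auditConstant = 2114 // Adding an acct
	AUDIT_ANOM_DEL_ACCT            auditConstant = 2115 // Deleting an acct
	AUDIT_ANOM_MOD_ACCT            auditConstant = 2116 // Changing an acct
	AUDIT_ANOM_ROOT_TRANS          auditConstant = 2117 // User became root

	// 2200 - 2299: user space actions taken in response to anomalies.
	AUDIT_FIRST_ANOM_RESP auditConstant = 2200
	AUDIT_LAST_ANOM_RESP  auditConstant = 2299

	AUDIT_RESP_ANOMALY           auditConstant = 2200 // Anomaly not reacted to
	AUDIT_RESP_ALERT             auditConstant = 2201 // Alert email was sent
	AUDIT_RESP_KILL_PROC         auditConstant = 2202 // Kill program
	AUDIT_RESP_TERM_ACCESS       auditConstant = 2203 // Terminate session
	AUDIT_RESP_ACCT_REMOTE       auditConstant = 2204 // Acct locked from remote access
	AUDIT_RESP_ACCT_LOCK_TIMED   auditConstant = 2205 // User acct locked for time
	AUDIT_RESP_ACCT_UNLOCK_TIMED auditConstant = 2206 // User acct unlocked from time
	AUDIT_RESP_ACCT_LOCK         auditConstant = 2207 // User acct was locked
	AUDIT_RESP_TERM_LOCK         auditConstant = 2208 // Terminal was locked
	AUDIT_RESP_SEBOOL            auditConstant = 2209 // Set an SE Linux boolean
	AUDIT_RESP_EXEC              auditConstant = 2210 // Execute a script
	AUDIT_RESP_SINGLE            auditConstant = 2211 // Go to single user mode
	AUDIT_RESP_HALT              auditConstant = 2212 // take the system down

	// 2300 - 2399: user space generated LSPP events.
	AUDIT_FIRST_USER_LSPP_MSG auditConstant = 2300
	AUDIT_LAST_USER_LSPP_MSG  auditConstant = 2399

	AUDIT_USER_ROLE_CHANGE       auditConstant = 2300 // User changed to a new role
	AUDIT_ROLE_ASSIGN            auditConstant = 2301 // Admin assigned user to role
	AUDIT_ROLE_REMOVE            auditConstant = 2302 // Admin removed user from role
	AUDIT_LABEL_OVERRIDE         auditConstant = 2303 // Admin is overriding a label
	AUDIT_LABEL_LEVEL_CHANGE     auditConstant = 2304 // Object's level was changed
	AUDIT_USER_LABELED_EXPORT    auditConstant = 2305 // Object exported with label
	AUDIT_USER_UNLABELED_EXPORT  auditConstant = 2306 // Object exported without label
	AUDIT_DEV_ALLOC              auditConstant = 2307 // Device was allocated
	AUDIT_DEV_DEALLOC            auditConstant = 2308 // Device was deallocated
	AUDIT_FS_RELABEL             auditConstant = 2309 // Filesystem relabeled
	AUDIT_USER_MAC_POLICY_LOAD   auditConstant = 2310 // Userspc daemon loaded policy
	AUDIT_ROLE_MODIFY            auditConstant = 2311 // Admin modified a role
	AUDIT_USER_MAC_CONFIG_CHANGE auditConstant = 2312 // Change made to MAC policy

	// 2400 - 2499: user space crypto events.
	AUDIT_FIRST_CRYPTO_MSG         auditConstant = 2400
	AUDIT_CRYPTO_TEST_USER         auditConstant = 2400 // Crypto test results
	AUDIT_CRYPTO_PARAM_CHANGE_USER auditConstant = 2401 // Crypto attribute change
	AUDIT_CRYPTO_LOGIN             auditConstant = 2402 // Logged in as crypto officer
	AUDIT_CRYPTO_LOGOUT            auditConstant = 2403 // Logged out from crypto
	AUDIT_CRYPTO_KEY_USER          auditConstant = 2404 // Create,delete,negotiate
	AUDIT_CRYPTO_FAILURE_USER      auditConstant = 2405 // Fail decrypt,encrypt,randomiz
	AUDIT_CRYPTO_REPLAY_USER       auditConstant = 2406 // Crypto replay detected
	AUDIT_CRYPTO_SESSION           auditConstant = 2407 // Record parameters set during TLS session establishment
	AUDIT_CRYPTO_IKE_SA            auditConstant = 2408 // Record parameters related to IKE SA
	AUDIT_CRYPTO_IPSEC_SA          auditConstant = 2409 // Record parameters related to IPSEC SA
	AUDIT_LAST_CRYPTO_MSG          auditConstant = 2499

	// 2500 - 2599: user space virtualization management events.
	AUDIT_FIRST_VIRT_MSG  auditConstant = 2500
	AUDIT_VIRT_CONTROL    auditConstant = 2500 // Start, Pause, Stop VM
	AUDIT_VIRT_RESOURCE   auditConstant = 2501 // Resource assignment
	AUDIT_VIRT_MACHINE_ID auditConstant = 2502 // Binding of label to VM
	AUDIT_LAST_VIRT_MSG   auditConstant = 2599

	AUDIT_LAST_USER_MSG2 auditConstant = 2999

	// Field comparing constants.
	AUDIT_COMPARE_UID_TO_OBJ_UID   auditConstant = 1
	AUDIT_COMPARE_GID_TO_OBJ_GID   auditConstant = 2
	AUDIT_COMPARE_EUID_TO_OBJ_UID  auditConstant = 3
	AUDIT_COMPARE_EGID_TO_OBJ_GID  auditConstant = 4
	AUDIT_COMPARE_AUID_TO_OBJ_UID  auditConstant = 5
	AUDIT_COMPARE_SUID_TO_OBJ_UID  auditConstant = 6
	AUDIT_COMPARE_SGID_TO_OBJ_GID  auditConstant = 7
	AUDIT_COMPARE_FSUID_TO_OBJ_UID auditConstant = 8
	AUDIT_COMPARE_FSGID_TO_OBJ_GID auditConstant = 9
	AUDIT_COMPARE_UID_TO_AUID      auditConstant = 10
	AUDIT_COMPARE_UID_TO_EUID      auditConstant = 11
	AUDIT_COMPARE_UID_TO_FSUID     auditConstant = 12
	AUDIT_COMPARE_UID_TO_SUID      auditConstant = 13
	AUDIT_COMPARE_AUID_TO_FSUID    auditConstant = 14
	AUDIT_COMPARE_AUID_TO_SUID     auditConstant = 15
	AUDIT_COMPARE_AUID_TO_EUID     auditConstant = 16
	AUDIT_COMPARE_EUID_TO_SUID     auditConstant = 17
	AUDIT_COMPARE_EUID_TO_FSUID    auditConstant = 18
	AUDIT_COMPARE_SUID_TO_FSUID    auditConstant = 19
	AUDIT_COMPARE_GID_TO_EGID      auditConstant = 20
	AUDIT_COMPARE_GID_TO_FSGID     auditConstant = 21
	AUDIT_COMPARE_GID_TO_SGID      auditConstant = 22
	AUDIT_COMPARE_EGID_TO_FSGID    auditConstant = 23
	AUDIT_COMPARE_EGID_TO_SGID     auditConstant = 24
	AUDIT_COMPARE_SGID_TO_FSGID    auditConstant = 25
)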