Linux auditd

205 events across 1 channel

msgtype	Title	Description	Sample
1005	USER	Message from userspace -- deprecated	Y
1006	LOGIN	Define the login ID and information	Y
1100	USER_AUTH	User system access authentication	Y
1101	USER_ACCT	User system access authorization	Y
1102	USER_MGMT	User account attribute change	Y
1103	CRED_ACQ	User credential acquired	Y
1104	CRED_DISP	User credential disposed	Y
1105	USER_START	User session start	Y
1106	USER_END	User session end	Y
1107	USER_AVC	User space AVC (Access Vector Cache) message	Y
1108	USER_CHAUTHTOK	User account authentication token or attribute changed	Y
1109	USER_ERR	User account state error	Y
1110	CRED_REFR	User credential refreshed	Y
1111	USYS_CONFIG	User space system config change	Y
1112	USER_LOGIN	User login attempt (success or failure)	Y
1113	USER_LOGOUT	User has logged out	Y
1114	ADD_USER	User account added	Y
1115	DEL_USER	User account deleted	Y
1116	ADD_GROUP	Group account added	Y
1117	DEL_GROUP	Group account deleted	Y
1118	DAC_CHECK	User space DAC check results	N
1119	CHGRP_ID	User space group ID changed	Y
1120	TEST	Used for test success messages	N
1121	TRUSTED_APP	Trusted app msg - freestyle text	Y
1122	USER_SELINUX_ERR	SELinux user space error	N
1123	USER_CMD	User shell command and args	Y
1124	USER_TTY	Non-ICANON TTY input meaning	N
1125	CHUSER_ID	Changed user ID supplemental data	N
1126	GRP_AUTH	Authentication for group password	Y
1127	SYSTEM_BOOT	System boot	Y
1128	SYSTEM_SHUTDOWN	System shutdown	Y
1129	SYSTEM_RUNLEVEL	System runlevel change	Y
1130	SERVICE_START	Service (daemon) start	Y
1131	SERVICE_STOP	Service (daemon) stop	Y
1132	GRP_MGMT	Group account attribute was modified	Y
1133	GRP_CHAUTHTOK	Group account password or PIN changed	Y
1134	MAC_CHECK	User space MAC (Mandatory Access Control) decision results	N
1135	ACCT_LOCK	User's account locked by admin	Y
1136	ACCT_UNLOCK	User's account unlocked by admin	Y
1137	USER_DEVICE	User space hotplug device changes	N
1138	SOFTWARE_UPDATE	Software update event	N
1200	DAEMON_START	Daemon startup record	Y
1201	DAEMON_END	Daemon normal stop record	Y
1202	DAEMON_ABORT	Daemon error stop record	Y
1203	DAEMON_CONFIG	Daemon config change	Y
1205	DAEMON_ROTATE	Auditd should rotate logs	Y
1206	DAEMON_RESUME	Auditd should resume logging	Y
1207	DAEMON_ACCEPT	Auditd accepted remote connection	Y
1208	DAEMON_CLOSE	Auditd closed remote connection	Y
1209	DAEMON_ERR	Auditd internal error	N
1300	SYSCALL	System call event information	Y
1302	PATH	Filename path information	Y
1303	IPC	System call IPC (Inter-Process Communication) object	Y
1304	SOCKETCALL	System call socketcall arguments	Y
1305	CONFIG_CHANGE	Audit system configuration change	Y
1306	SOCKADDR	System call socket address argument information	Y
1307	CWD	Current working directory	Y
1309	EXECVE	Arguments supplied to the execve system call	Y
1311	IPC_SET_PERM	IPC new permissions record type	Y
1312	MQ_OPEN	POSIX MQ open record type	Y
1313	MQ_SENDRECV	POSIX MQ send/receive record type	Y
1314	MQ_NOTIFY	POSIX MQ notify record type	Y
1315	MQ_GETSETATTR	POSIX MQ get/set attribute record type	Y
1316	KERNEL_OTHER	For use by 3rd party modules	N
1317	FD_PAIR	Information for pipe and socketpair system calls	Y
1318	OBJ_PID	Target process information for ptrace, kill, tkill, and tgkill syscalls	Y
1319	TTY	Input on an administrative TTY	Y
1320	EOE	End of multi-record event	Y
1321	BPRM_FCAPS	Information about file system capabilities increasing permissions	Y
1322	CAPSET	Record showing argument to sys_capset setting process-based capabilities	Y
1323	MMAP	Mmap system call file descriptor and flags	Y
1324	NETFILTER_PKT	Packets traversing netfilter chains	Y
1325	NETFILTER_CFG	Netfilter chain modifications	Y
1326	SECCOMP	Secure Computing event	Y
1327	PROCTITLE	Process Title info	Y
1328	FEATURE_CHANGE	Audit feature changed value	Y
1330	KERN_MODULE	Kernel Module events	Y
1331	FANOTIFY	Fanotify access decision	Y
1332	TIME_INJOFFSET	Timekeeping offset injected	Y
1333	TIME_ADJNTPVAL	NTP value adjustment	Y
1334	BPF	BPF load/unload	Y
1335	EVENT_LISTENER	audit mcast sock join/part	Y
1336	URINGOP	io_uring operation	Y
1337	OPENAT2	Record showing openat2 how args	Y
1338	DM_CTRL	Device Mapper target control	Y
1339	DM_EVENT	Device Mapper events	Y
1400	AVC	SELinux AVC (Access Vector Cache) denial or grant	Y
1401	SELINUX_ERR	Internal SELinux errors	Y
1402	AVC_PATH	dentry, vfsmount pair from AVC	N
1403	MAC_POLICY_LOAD	SELinux Policy file load	Y
1404	MAC_STATUS	SELinux mode (enforcing, permissive, off) changed	Y
1405	MAC_CONFIG_CHANGE	SELinux Boolean value modification	Y
1406	MAC_UNLBL_ALLOW	NetLabel: allow unlabeled traffic	Y
1407	MAC_CIPSOV4_ADD	NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry	Y
1408	MAC_CIPSOV4_DEL	NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry	Y
1409	MAC_MAP_ADD	NetLabel: add LSM (Linux Security Module) domain mapping	Y
1410	MAC_MAP_DEL	NetLabel: del LSM (Linux Security Module) domain mapping	Y
1411	MAC_IPSEC_ADDSA	Not used	N
1412	MAC_IPSEC_DELSA	Not used	N
1413	MAC_IPSEC_ADDSPD	Not used	N
1414	MAC_IPSEC_DELSPD	Not used	N
1415	MAC_IPSEC_EVENT	Audit an IPsec event	Y
1416	MAC_UNLBL_STCADD	NetLabel: add a static label	Y
1417	MAC_UNLBL_STCDEL	NetLabel: del a static label	Y
1418	MAC_CALIPSO_ADD	NetLabel: add CALIPSO DOI (Domain of Interpretation) entry	Y
1419	MAC_CALIPSO_DEL	NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry	Y
1420	IPE_ACCESS	Integrity Policy Enforcement (IPE) access decision (denial or grant)	Y
1421	IPE_CONFIG_CHANGE	IPE active policy change	Y
1422	IPE_POLICY_LOAD	IPE policy load	Y
1423	LANDLOCK_ACCESS	Landlock access denial	Y
1424	LANDLOCK_DOMAIN	Landlock domain allocation or deallocation status	Y
1425	MAC_TASK_CONTEXTS	Subject security contexts when multiple LSMs are active	N
1426	MAC_OBJ_CONTEXTS	Object security contexts when multiple LSMs are active	N
1500	APPARMOR	AppArmor LSM audit event	N
1501	APPARMOR_AUDIT	AppArmor access decision logged in audit mode	N
1502	APPARMOR_ALLOWED	AppArmor access allowed (complain or learning mode)	N
1503	APPARMOR_DENIED	AppArmor access denied in enforce mode	N
1504	APPARMOR_HINT	AppArmor reserved audit type (unused in the current kernel)	N
1505	APPARMOR_STATUS	AppArmor policy load or status change	N
1506	APPARMOR_ERROR	AppArmor internal error	N
1507	APPARMOR_KILL	AppArmor access denied with task kill	N
1700	ANOM_PROMISCUOUS	Device changed promiscuous mode	Y
1701	ANOM_ABEND	Process ended abnormally	Y
1702	ANOM_LINK	Suspicious use of file links	Y
1703	ANOM_CREAT	Suspicious file creation	Y
1800	INTEGRITY_DATA	Data integrity verification	Y
1801	INTEGRITY_METADATA	Metadata integrity verification	Y
1802	INTEGRITY_STATUS	Integrity enable status	Y
1803	INTEGRITY_HASH	Integrity HASH type	N
1804	INTEGRITY_PCR	PCR (Platform Configuration Register) invalidation messages	Y
1805	INTEGRITY_RULE	Integrity Policy action	Y
1806	INTEGRITY_EVM_XATTR	EVM XATTRS modifications	Y
1807	INTEGRITY_POLICY_RULE	Integrity Policy rule	Y
1808	INTEGRITY_USERSPACE	IMA appraisal of userspace-supplied data	Y
2000	KERNEL	Kernel audit status	N
2100	ANOM_LOGIN_FAILURES	Failed login limit reached	Y
2101	ANOM_LOGIN_TIME	Login attempted at bad time	Y
2102	ANOM_LOGIN_SESSIONS	Maximum concurrent sessions reached	Y
2103	ANOM_LOGIN_ACCT	Login attempted to watched account	Y
2104	ANOM_LOGIN_LOCATION	Login from forbidden location	Y
2105	ANOM_MAX_DAC	Max DAC (Discretionary Access Control) failures reached	Y
2106	ANOM_MAX_MAC	Max MAC (Mandatory Access Control) failures reached	Y
2107	ANOM_AMTU_FAIL	AMTU (Abstract Machine Test Utility) failure	Y
2108	ANOM_RBAC_FAIL	RBAC (Role-Based Access Control) self test failure	Y
2109	ANOM_RBAC_INTEGRITY_FAIL	RBAC (Role-Based Access Control) file integrity test failure	Y
2110	ANOM_CRYPTO_FAIL	Crypto system test failure	Y
2111	ANOM_ACCESS_FS	Access of file or directory ended abnormally	Y
2112	ANOM_EXEC	Execution of file ended abnormally	Y
2113	ANOM_MK_EXEC	Make an executable	Y
2114	ANOM_ADD_ACCT	Adding a user account ended abnormally	Y
2115	ANOM_DEL_ACCT	Deleting a user account ended abnormally	Y
2116	ANOM_MOD_ACCT	Changing an account ended abnormally	Y
2117	ANOM_ROOT_TRANS	User became root	Y
2118	ANOM_LOGIN_SERVICE	Service acct attempted login	Y
2119	ANOM_LOGIN_ROOT	Root login attempted	Y
2120	ANOM_ORIGIN_FAILURES	Origin has too many failed login attempts	Y
2121	ANOM_SESSION	The user session is bad	Y
2200	RESP_ANOMALY	Anomaly not reacted to	Y
2201	RESP_ALERT	Alert notification action (email or log): the email/log reactions are unimplemented FIXME stubs in upstream audisp-ids 3.x (reactions.c:370-372); emittable by custom plugins	Y
2202	RESP_KILL_PROC	Kill program	Y
2203	RESP_TERM_ACCESS	Terminate session	Y
2204	RESP_ACCT_REMOTE	User account locked from remote access	Y
2205	RESP_ACCT_LOCK_TIMED	User account locked for time	Y
2206	RESP_ACCT_UNLOCK_TIMED	User account unlocked from time	Y
2207	RESP_ACCT_LOCK	User account was locked	Y
2208	RESP_TERM_LOCK	Terminal was locked	Y
2209	RESP_SEBOOL	Set an SELinux boolean	Y
2210	RESP_EXEC	Execute a script	Y
2211	RESP_SINGLE	Go to single user mode	Y
2212	RESP_HALT	Take the system down	Y
2213	RESP_ORIGIN_BLOCK	Remote address blocked by firewall rule (iptables or nftables depending on system configuration)	Y
2214	RESP_ORIGIN_BLOCK_TIMED	Address blocked for time	Y
2215	RESP_ORIGIN_UNBLOCK_TIMED	Address unblocked from timed	Y
2300	USER_ROLE_CHANGE	User changed to a new SELinux role	Y
2301	ROLE_ASSIGN	Administrator assigned user to SELinux role	Y
2302	ROLE_REMOVE	Administrator removed user from SELinux role	Y
2303	LABEL_OVERRIDE	Administrator is overriding a SELinux label	N
2304	LABEL_LEVEL_CHANGE	Object level SELinux label modified	N
2305	USER_LABELED_EXPORT	Object exported with SELinux label	N
2306	USER_UNLABELED_EXPORT	Object exported without SELinux label	N
2307	DEV_ALLOC	Device was allocated	N
2308	DEV_DEALLOC	Device was deallocated	N
2309	FS_RELABEL	Filesystem relabeled	Y
2310	USER_MAC_POLICY_LOAD	Userspace daemon loaded SELinux policy	Y
2311	ROLE_MODIFY	Administrator modified an SELinux role	N
2312	USER_MAC_CONFIG_CHANGE	Change made to MAC (Mandatory Access Control) policy	Y
2313	USER_MAC_STATUS	Userspace daemon enforcing change	N
2400	CRYPTO_TEST_USER	Cryptographic test results	Y
2401	CRYPTO_PARAM_CHANGE_USER	Cryptographic attribute change	Y
2402	CRYPTO_LOGIN	Cryptographic officer login	Y
2403	CRYPTO_LOGOUT	Cryptographic officer logout	Y
2404	CRYPTO_KEY_USER	Create, delete, negotiate cryptographic key identifier	Y
2405	CRYPTO_FAILURE_USER	Fail decrypt, encrypt or randomize operation	Y
2406	CRYPTO_REPLAY_USER	Cryptographic replay attack detected	N
2407	CRYPTO_SESSION	Parameters set during TLS session establishment	Y
2408	CRYPTO_IKE_SA	Parameters related to IKE SA	Y
2409	CRYPTO_IPSEC_SA	Parameters related to IPSEC SA	Y
2500	VIRT_CONTROL	Start, Pause, Stop VM	Y
2501	VIRT_RESOURCE	Resource assignment	Y
2502	VIRT_MACHINE_ID	Binding of label to VM	Y
2503	VIRT_INTEGRITY_CHECK	Guest integrity results	N
2504	VIRT_CREATE	Creation of guest image	N
2505	VIRT_DESTROY	Destruction of guest image	N
2506	VIRT_MIGRATE_IN	Inbound guest migration info	N
2507	VIRT_MIGRATE_OUT	Outbound guest migration info	N

USER msgtype 1005

Source: Linux auditd
Message type: 1005
Fires: Emitted by default (no audit rule required)

Description

Message from userspace -- deprecated

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/auditctl",
    "hostname": "?",
    "pid": "2909",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023",
    "terminal": "?",
    "text": "CATALOG_RESP_DEMO",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER msg=audit(1781634271.615:539452): pid=2909 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 msg='text=CATALOG_RESP_DEMO exe=\"/usr/sbin/auditctl\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USER"
}

Community Notes #

Example injected with auditctl -m for catalog coverage (text=CATALOG_RESP_DEMO, exe=/usr/sbin/auditctl), not produced by organic activity. The record format is authentic but the field content is synthetic.

LOGIN msgtype 1006

Source: Linux auditd
Message type: 1006
Fires: Emitted by default (no audit rule required)

Description

Define the login ID and information

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`subj`	lspp subject's context string
`old-auid`	audit login UID before this login record set it
`auid`	login user ID
`tty`	tty udevice the user is running programs on
`old-ses`	session ID before this login record set it
`ses`	login session ID
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "old-auid": "4294967295",
    "old-ses": "4294967295",
    "pid": "51408",
    "res": "1",
    "ses": "13",
    "subj": "unconfined",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=LOGIN msg=audit(1781632418.711:1874094): pid=51408 uid=0 subj=unconfined old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=13 res=1",
    "UID=\"root\" OLD-AUID=\"unset\" AUID=\"debian\""
  ],
  "record_type": "LOGIN"
}

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

USER_AUTH msgtype 1100

Source: Linux auditd
Message type: 1100
Fires: Emitted by default (no audit rule required)

Description

User system access authentication

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "debian",
    "addr": "10.2.20.61",
    "auid": "4294967295",
    "exe": "/usr/sbin/sshd",
    "grantors": "pam_permit",
    "hostname": "10.2.20.61",
    "op": "PAM:authentication",
    "pid": "996",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:sshd_t:s0",
    "terminal": "ssh",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_AUTH msg=audit(1781634177.456:177708): pid=996 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication grantors=pam_permit acct=\"debian\" exe=\"/usr/sbin/sshd\" hostname=10.2.20.61 addr=10.2.20.61 terminal=ssh res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_AUTH"
}

USER_ACCT msgtype 1101

Source: Linux auditd
Message type: 1101
Fires: Emitted by default (no audit rule required)

Description

User system access authorization

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "root",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/sudo",
    "grantors": "pam_permit",
    "hostname": "?",
    "op": "PAM:accounting",
    "pid": "2759",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_ACCT msg=audit(1781634264.630:525236): pid=2759 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:accounting grantors=pam_permit acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_ACCT"
}

USER_MGMT msgtype 1102

Source: Linux auditd
Message type: 1102
Fires: Emitted by default (no audit rule required)

Description

User account attribute change

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "28128",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_MGMT msg=audit(1781630147.568:1244746): pid=28128 uid=0 auid=1000 ses=1 subj=unconfined msg='test-user-mgmt exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USER_MGMT"
}

Community Notes #

Example emitted through the libaudit userspace API (exe=/usr/bin/python3.11) with a scripted test payload, not by organic activity. The record format is authentic; the field values (the test string and exe=/usr/bin/python3.11) are synthetic catalog-coverage content.

CRED_ACQ msgtype 1103

Source: Linux auditd
Message type: 1103
Fires: Emitted by default (no audit rule required)

Description

User credential acquired

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "debian",
    "addr": "10.2.20.61",
    "auid": "4294967295",
    "exe": "/usr/sbin/sshd",
    "grantors": "pam_permit",
    "hostname": "10.2.20.61",
    "op": "PAM:setcred",
    "pid": "996",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:sshd_t:s0",
    "terminal": "ssh",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRED_ACQ msg=audit(1781634177.503:178599): pid=996 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:setcred grantors=pam_permit acct=\"debian\" exe=\"/usr/sbin/sshd\" hostname=10.2.20.61 addr=10.2.20.61 terminal=ssh res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "CRED_ACQ"
}

CRED_DISP msgtype 1104

Source: Linux auditd
Message type: 1104
Fires: Emitted by default (no audit rule required)

Description

User credential disposed

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "nobody",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/sudo",
    "grantors": "pam_permit",
    "hostname": "?",
    "op": "PAM:setcred",
    "pid": "2922",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRED_DISP msg=audit(1781634272.680:540634): pid=2922 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_permit acct=\"nobody\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRED_DISP"
}

USER_START msgtype 1105

Source: Linux auditd
Message type: 1105
Fires: Emitted by default (no audit rule required)

Description

User session start

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "jovyan",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/sudo",
    "grantors": "pam_limits,pam_env,pam_env,pam_permit,pam_umask,pam_unix",
    "hostname": "?",
    "op": "PAM:session_open",
    "pid": "2759",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_START msg=audit(1781634264.634:525262): pid=2759 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open grantors=pam_limits,pam_env,pam_env,pam_permit,pam_umask,pam_unix acct=\"jovyan\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_START"
}

USER_END msgtype 1106

Source: Linux auditd
Message type: 1106
Fires: Emitted by default (no audit rule required)

Description

User session end

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "nobody",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/sudo",
    "grantors": "pam_limits,pam_permit,pam_unix",
    "hostname": "?",
    "op": "PAM:session_close",
    "pid": "2922",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_END msg=audit(1781634272.680:540627): pid=2922 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_limits,pam_permit,pam_unix acct=\"nobody\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USER_END"
}

USER_AVC msgtype 1107

Source: Linux auditd
Message type: 1107
Fires: Emitted by default (no audit rule required)

Description

User space AVC (Access Vector Cache) message

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`msgtype`	userspace AVC message type
`interface`	D-Bus interface of the userspace AVC
`member`	D-Bus member (method or signal) of the userspace AVC
`dest`	D-Bus destination of the userspace AVC
`spid`	sent process ID
`tpid`	target process ID of the userspace AVC
`scontext`	the subject's context string
`tcontext`	the target's or object's context string
`tclass`	target's object classification
`permissive`	SELinux is in permissive mode
`exe`	executable name
`sauid`	sent login user ID
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "dest": "org.freedesktop.login1",
    "exe": "/usr/bin/dbus-daemon",
    "hostname": "?",
    "interface": "org.freedesktop.login1.Manager",
    "member": "Inhibit",
    "msgtype": "method_call",
    "permissive": "1",
    "pid": "504",
    "sauid": "100",
    "scontext": "system_u:system_r:virtd_t:s0",
    "ses": "4294967295",
    "spid": "538",
    "subj": "system_u:system_r:system_dbusd_t:s0",
    "tclass": "dbus",
    "tcontext": "system_u:system_r:systemd_logind_t:s0",
    "terminal": "?",
    "tpid": "514",
    "uid": "100"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_AVC msg=audit(1781634167.493:12046): pid=504 uid=100 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=538 tpid=514 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1  exe=\"/usr/bin/dbus-daemon\" sauid=100 hostname=? addr=? terminal=?'",
    "UID=\"messagebus\" AUID=\"unset\" SAUID=\"messagebus\""
  ],
  "record_type": "USER_AVC"
}

USER_CHAUTHTOK msgtype 1108

Source: Linux auditd
Message type: 1108
Fires: Emitted by default (no audit rule required)

Description

User account authentication token or attribute changed

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`id`	during account changes
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/usermod",
    "hostname": "?",
    "id": "1003",
    "op": "changing",
    "pid": "51470",
    "res": "success",
    "ses": "15",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_CHAUTHTOK msg=audit(1781632419.651:1878678): pid=51470 uid=0 auid=1000 ses=15 subj=unconfined msg='op=changing comment id=1003 exe=\"/usr/sbin/usermod\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\" ID=\"r2usr\""
  ],
  "record_type": "USER_CHAUTHTOK"
}

USER_ERR msgtype 1109

Source: Linux auditd
Message type: 1109
Fires: Emitted by default (no audit rule required)

Description

User account state error

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "?",
    "addr": "127.0.0.1",
    "auid": "4294967295",
    "exe": "/usr/sbin/sshd",
    "grantors": "?",
    "hostname": "127.0.0.1",
    "op": "PAM:bad_ident",
    "pid": "29393",
    "res": "failed",
    "ses": "4294967295",
    "subj": "unconfined",
    "terminal": "ssh",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_ERR msg=audit(1781630253.984:1281274): pid=29393 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:bad_ident grantors=? acct=\"?\" exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=failed'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_ERR"
}

CRED_REFR msgtype 1110

Source: Linux auditd
Message type: 1110
Fires: Emitted by default (no audit rule required)

Description

User credential refreshed

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`grantors`	PAM modules that granted (or would deny) the operation
`acct`	a user's account name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "jovyan",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/sudo",
    "grantors": "pam_permit",
    "hostname": "?",
    "op": "PAM:setcred",
    "pid": "2759",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRED_REFR msg=audit(1781634264.630:525252): pid=2759 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred grantors=pam_permit acct=\"jovyan\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "CRED_REFR"
}

USYS_CONFIG msgtype 1111

Source: Linux auditd
Message type: 1111
Fires: Emitted by default (no audit rule required)

Description

User space system config change

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "catalog-sample",
    "pid": "51615",
    "res": "success",
    "ses": "15",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USYS_CONFIG msg=audit(1781632421.163:1883911): pid=51615 uid=0 auid=1000 ses=15 subj=unconfined msg='op=catalog-sample config-change exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USYS_CONFIG"
}

Community Notes #

USER_LOGIN msgtype 1112

Source: Linux auditd
Message type: 1112
Fires: Emitted by default (no audit rule required)

Description

User login attempt (success or failure)

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`id`	during account changes
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "debian",
    "addr": "10.2.20.61",
    "auid": "4294967295",
    "exe": "/usr/sbin/sshd",
    "hostname": "?",
    "op": "login",
    "pid": "996",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:sshd_t:s0",
    "terminal": "sshd",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_LOGIN msg=audit(1781634177.416:176875): pid=996 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=login acct=\"debian\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.2.20.61 terminal=sshd res=failed'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_LOGIN"
}

USER_LOGOUT msgtype 1113

Source: Linux auditd
Message type: 1113
Fires: Emitted by default (no audit rule required)

Description

User has logged out

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "30544",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_LOGOUT msg=audit(1781630361.843:1317281): pid=30544 uid=0 auid=1000 ses=1 subj=unconfined msg='user-logout-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USER_LOGOUT"
}

Community Notes #

ADD_USER msgtype 1114

Source: Linux auditd
Message type: 1114
Fires: Emitted by default (no audit rule required)

Description

User account added

Fields #

Name	Description	Rules
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`id`	during account changes
`exe`	executable name	1 detection rule
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/useradd",
    "hostname": "?",
    "id": "1004",
    "op": "adding",
    "pid": "2811",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ADD_USER msg=audit(1781634268.083:529550): pid=2811 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1004 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\" ID=\"r3usr\""
  ],
  "record_type": "ADD_USER"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`type`	eq	`ADD_USER`	1 rule	sigma, splunk
`type`	eq	`SYSCALL`	1 rule	sigma, splunk

DEL_USER msgtype 1115

Source: Linux auditd
Message type: 1115
Fires: Emitted by default (no audit rule required)

Description

User account deleted

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`id`	during account changes
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/userdel",
    "hostname": "?",
    "id": "1004",
    "op": "deleting",
    "pid": "2901",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DEL_USER msg=audit(1781634271.403:539248): pid=2901 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting user entries id=1004 exe=\"/usr/sbin/userdel\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\" ID=\"r3usr\""
  ],
  "record_type": "DEL_USER"
}

ADD_GROUP msgtype 1116

Source: Linux auditd
Message type: 1116
Fires: Emitted by default (no audit rule required)

Description

Group account added

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`id`	during account changes
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "r3usr",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/useradd",
    "hostname": "?",
    "op": "adding",
    "pid": "2811",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ADD_GROUP msg=audit(1781634268.083:529538): pid=2811 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group acct=\"r3usr\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "ADD_GROUP"
}

DEL_GROUP msgtype 1117

Source: Linux auditd
Message type: 1117
Fires: Emitted by default (no audit rule required)

Description

Group account deleted

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`id`	during account changes
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "r3usr",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/userdel",
    "hostname": "?",
    "op": "deleting",
    "pid": "2901",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DEL_GROUP msg=audit(1781634271.403:539258): pid=2901 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=deleting group acct=\"r3usr\" exe=\"/usr/sbin/userdel\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "DEL_GROUP"
}

DAC_CHECK msgtype 1118

Source: Linux auditd
Message type: 1118
Fires: Emitted by default (no audit rule required)

Description

User space DAC check results

Community Notes #

No shipped Debian program emits this record. DAC_CHECK is a userspace (1100-1199) record type whose constant is defined by libaudit, but no service on a stock Debian system produces it during normal operation. Documented for catalog completeness.

CHGRP_ID msgtype 1119

Source: Linux auditd
Message type: 1119
Fires: Emitted by default (no audit rule required)

Description

User space group ID changed

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "28407",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CHGRP_ID msg=audit(1781630168.165:1252640): pid=28407 uid=0 auid=1000 ses=1 subj=unconfined msg='test-chgrp-id exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CHGRP_ID"
}

Community Notes #

TEST msgtype 1120

Source: Linux auditd
Message type: 1120
Fires: Emitted by default (no audit rule required)

Description

Used for test success messages

Community Notes #

A test/diagnostic record type used to verify audit message delivery. No shipped Debian service emits it during normal operation; only audit test tooling produces it through libaudit. Documented for catalog completeness.

TRUSTED_APP msgtype 1121

Source: Linux auditd
Message type: 1121
Fires: Emitted by default (no audit rule required)

Description

Trusted app msg - freestyle text

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "catalog-sample",
    "pid": "51615",
    "res": "success",
    "ses": "15",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=TRUSTED_APP msg=audit(1781632421.163:1883922): pid=51615 uid=0 auid=1000 ses=15 subj=unconfined msg='op=catalog-sample trusted-app exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'"
  ],
  "record_type": "TRUSTED_APP"
}

Community Notes #

USER_SELINUX_ERR msgtype 1122

Source: Linux auditd
Message type: 1122
Fires: Emitted by default (no audit rule required)

Description

SELinux user space error

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Community Notes #

Userspace SELinux error reported via libaudit; the standard user-message envelope is shown. Not captured on the reference host.

USER_CMD msgtype 1123

Source: Linux auditd
Message type: 1123
Fires: Emitted by default (no audit rule required)

Description

User shell command and args

Fields #

Name	Description
`pid`	Process ID
`uid`	User ID
`auid`	Audit user ID (login UID)
`ses`	Session ID
`cmd`	Command that was executed
`exe`	Executable that ran the command (sudo)
`cwd`	Current working directory when the command ran
`subj`	SELinux security context of the subject
`terminal`	Terminal
`res`	Result (success or failed)

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "cmd": "6A757079746572206C6162202D2D5365727665724170702E616C6C6F775F72656D6F74655F6163636573733D74727565202D2D5365727665724170702E6F70656E5F62726F777365723D66616C7365202D2D4964656E7469747950726F76696465722E746F6B656E3D6D7974686963202D2D5365727665724170702E626173655F75726C3D2F6A757079746572202D2D5365727665724170702E64656661756C745F75726C3D2F6A757079746572202D2D706F72743D38383838202D2D69703D302E302E302E30",
    "cwd": "/projects",
    "exe": "/usr/bin/sudo",
    "pid": "2759",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_CMD msg=audit(1781634264.630:525243): pid=2759 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='cwd=\"/projects\" cmd=6A757079746572206C6162202D2D5365727665724170702E616C6C6F775F72656D6F74655F6163636573733D74727565202D2D5365727665724170702E6F70656E5F62726F777365723D66616C7365202D2D4964656E7469747950726F76696465722E746F6B656E3D6D7974686963202D2D5365727665724170702E626173655F75726C3D2F6A757079746572202D2D5365727665724170702E64656661756C745F75726C3D2F6A757079746572202D2D706F72743D38383838202D2D69703D302E302E302E30 exe=\"/usr/bin/sudo\" terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_CMD"
}

USER_TTY msgtype 1124

Source: Linux auditd
Message type: 1124
Fires: Emitted by default (no audit rule required)

Description

Non-ICANON TTY input meaning

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`data`	TTY text

Community Notes #

Not emitted by the Debian TTY-input auditing path. When pam_tty_audit / auditctl --tty_audit capture keystrokes, the kernel emits TTY (1319), not USER_TTY (1124); no shipped Debian program emits USER_TTY during normal operation. Sources: pam_tty_audit(8), kernel drivers/tty/tty_audit.c (emits AUDIT_TTY). The field list below documents the record format.

CHUSER_ID msgtype 1125

Source: Linux auditd
Message type: 1125
Fires: Emitted by default (no audit rule required)

Description

Changed user ID supplemental data

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Community Notes #

Userspace libaudit record (changed user ID supplemental data); the standard user-message envelope is shown. Inner payload depends on the emitting tool and was not captured on the reference host.

GRP_AUTH msgtype 1126

Source: Linux auditd
Message type: 1126
Fires: Emitted by default (no audit rule required)

Description

Authentication for group password

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "28917",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=GRP_AUTH msg=audit(1781630215.758:1267010): pid=28917 uid=0 auid=1000 ses=1 subj=unconfined msg='grp-auth-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "GRP_AUTH"
}

Community Notes #

SYSTEM_BOOT msgtype 1127

Source: Linux auditd
Message type: 1127
Fires: Emitted by default (no audit rule required)

Description

System boot

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`comm`	command line program name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "comm": "systemd-update-utmp",
    "exe": "/usr/lib/systemd/systemd-update-utmp",
    "hostname": "?",
    "pid": "500",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSTEM_BOOT msg=audit(1781634166.940:1739): pid=500 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "SYSTEM_BOOT"
}

SYSTEM_SHUTDOWN msgtype 1128

Source: Linux auditd
Message type: 1128
Fires: Emitted by default (no audit rule required)

Description

System shutdown

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`comm`	command line program name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "comm": "systemd-update-utmp",
    "exe": "/usr/lib/systemd/systemd-update-utmp",
    "hostname": "?",
    "pid": "1261",
    "res": "success",
    "ses": "4294967295",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSTEM_SHUTDOWN msg=audit(1781627515.990:129066): pid=1261 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=' comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "SYSTEM_SHUTDOWN"
}

SYSTEM_RUNLEVEL msgtype 1129

Source: Linux auditd
Message type: 1129
Fires: Emitted by default (no audit rule required)

Description

System runlevel change

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`old-level`	previous system runlevel
`new-level`	new system runlevel
`comm`	command line program name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "comm": "systemd-update-utmp",
    "exe": "/usr/lib/systemd/systemd-update-utmp",
    "hostname": "?",
    "new-level": "5",
    "old-level": "N",
    "pid": "3722",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSTEM_RUNLEVEL msg=audit(1781634283.021:560212): pid=3722 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='old-level=N new-level=5 comm=\"systemd-update-utmp\" exe=\"/usr/lib/systemd/systemd-update-utmp\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "SYSTEM_RUNLEVEL"
}

SERVICE_START msgtype 1130

Source: Linux auditd
Message type: 1130
Fires: Emitted by default (no audit rule required)

Description

Service (daemon) start

Fields #

Name	Description
`pid`	Process ID of the service manager
`uid`	User ID
`auid`	Audit user ID (login UID)
`ses`	Session ID
`unit`	Name of the service unit started
`comm`	Command name of the service manager
`exe`	Executable of the service manager
`hostname`	Hostname
`addr`	Network address
`terminal`	Terminal
`res`	Result (success or failed)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "comm": "systemd",
    "exe": "/usr/lib/systemd/systemd",
    "hostname": "?",
    "pid": "1",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:init_t:s0",
    "terminal": "?",
    "uid": "0",
    "unit": "auditd"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SERVICE_START msg=audit(1781634257.778:513027): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "SERVICE_START"
}

SERVICE_STOP msgtype 1131

Source: Linux auditd
Message type: 1131
Fires: Emitted by default (no audit rule required)

Description

Service (daemon) stop

Fields #

Name	Description	Rules
`pid`	Process ID of the service manager
`uid`	User ID
`auid`	Audit user ID (login UID)
`ses`	Session ID
`unit`	Name of the service unit stopped	3 detection rules
`comm`	Command name of the service manager
`exe`	Executable of the service manager
`hostname`	Hostname
`addr`	Network address
`terminal`	Terminal
`res`	Result (success or failed)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "comm": "systemd",
    "exe": "/usr/lib/systemd/systemd",
    "hostname": "?",
    "pid": "1",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:init_t:s0",
    "terminal": "?",
    "uid": "0",
    "unit": "systemd-update-utmp-runlevel"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SERVICE_STOP msg=audit(1781634283.045:560313): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp-runlevel comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "SERVICE_STOP"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`type`	eq	`SERVICE_STOP`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Disable System Firewall source high: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

GRP_MGMT msgtype 1132

Source: Linux auditd
Message type: 1132
Fires: Emitted by default (no audit rule required)

Description

Group account attribute was modified

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "28917",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=GRP_MGMT msg=audit(1781630215.758:1266996): pid=28917 uid=0 auid=1000 ses=1 subj=unconfined msg='grp-mgmt-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "GRP_MGMT"
}

Community Notes #

GRP_CHAUTHTOK msgtype 1133

Source: Linux auditd
Message type: 1133
Fires: Emitted by default (no audit rule required)

Description

Group account password or PIN changed

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "28917",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=GRP_CHAUTHTOK msg=audit(1781630215.758:1267003): pid=28917 uid=0 auid=1000 ses=1 subj=unconfined msg='grp-chauthtok-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "GRP_CHAUTHTOK"
}

Community Notes #

MAC_CHECK msgtype 1134

Source: Linux auditd
Message type: 1134
Fires: Emitted by default (no audit rule required)

Description

User space MAC (Mandatory Access Control) decision results

Community Notes #

No shipped Debian userspace object manager emits this record. Userspace MAC decisions on Debian (D-Bus / systemd / loginctl SELinux checks) produce USER_AVC (1107), not MAC_CHECK (1134). Verified empirically (2026-06): dbus/systemd/loginctl operations emit USER_AVC. Documented for catalog completeness.

ACCT_LOCK msgtype 1135

Source: Linux auditd
Message type: 1135
Fires: Emitted by default (no audit rule required)

Description

User's account locked by admin

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "29132",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ACCT_LOCK msg=audit(1781630235.907:1273935): pid=29132 uid=0 auid=1000 ses=1 subj=unconfined msg='acct-lock-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "ACCT_LOCK"
}

Community Notes #

ACCT_UNLOCK msgtype 1136

Source: Linux auditd
Message type: 1136
Fires: Emitted by default (no audit rule required)

Description

User's account unlocked by admin

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "pid": "29132",
    "res": "success",
    "ses": "1",
    "subj": "unconfined",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ACCT_UNLOCK msg=audit(1781630235.907:1273942): pid=29132 uid=0 auid=1000 ses=1 subj=unconfined msg='acct-unlock-test exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "ACCT_UNLOCK"
}

Community Notes #

USER_DEVICE msgtype 1137

Source: Linux auditd
Message type: 1137
Fires: Emitted by default (no audit rule required)

Description

User space hotplug device changes

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`device`	device that was configured
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Community Notes #

Userspace hotplug device-change record via libaudit; the standard user-message envelope plus a device= field is shown. Not captured on the reference host.

SOFTWARE_UPDATE msgtype 1138

Source: Linux auditd
Message type: 1138
Fires: Emitted by default (no audit rule required)

Description

Software update event

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`sw`	name of the software package
`sw_type`	type of software update
`root_dir`	root directory the update applied to
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Community Notes #

Software-update record via libaudit; sw/sw_type/root_dir are the auparse-normalized fields (auparse/normalize.c). Inner payload depends on the update tool and was not captured on the reference host.

DAEMON_START msgtype 1200

Source: Linux auditd
Message type: 1200
Fires: Emitted by default (no audit rule required)

Description

Daemon startup record

Fields #

Name	Description
`op`	the operation being performed that is audited
`ver`	audit daemon's version number
`format`	audit log's format
`kernel`	kernel's version number
`auid`	login user ID
`pid`	process ID
`uid`	user ID
`ses`	login session ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "format": "enriched",
    "kernel": "6.1.0-44-amd64",
    "op": "start",
    "pid": "2322",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "uid": "0",
    "ver": "3.0.9"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_START msg=audit(1781634257.573:708): op=start ver=3.0.9 format=enriched kernel=6.1.0-44-amd64 auid=4294967295 pid=2322 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success",
    "AUID=\"unset\" UID=\"root\""
  ],
  "record_type": "DAEMON_START"
}

DAEMON_END msgtype 1201

Source: Linux auditd
Message type: 1201
Fires: Emitted by default (no audit rule required)

Description

Daemon normal stop record

Fields #

Name	Description
`op`	the operation being performed that is audited
`auid`	login user ID
`uid`	user ID
`ses`	login session ID
`pid`	process ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "-1",
    "op": "terminate",
    "pid": "-1",
    "res": "success",
    "ses": "-1",
    "subj": "?",
    "uid": "-1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_END msg=audit(1781634206.873:8602): op=terminate auid=-1 uid=-1 ses=-1 pid=-1 subj=? res=success",
    "AUID=\"unset\" UID=\"unset\""
  ],
  "record_type": "DAEMON_END"
}

DAEMON_ABORT msgtype 1202

Source: Linux auditd
Message type: 1202
Fires: Emitted by default (no audit rule required)

Description

Daemon error stop record

Fields #

Name	Description
`op`	the operation being performed that is audited
`auid`	login user ID
`uid`	user ID
`ses`	login session ID
`pid`	process ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "0",
    "op": "set-pid",
    "pid": "791",
    "res": "failed",
    "ses": "12",
    "subj": "unconfined",
    "uid": "0"
  },
  "raw": [
    "node=dw-disposable-vm type=DAEMON_ABORT msg=audit(1781731230.798:3442): op=set-pid auid=0 pid=791 uid=0 ses=12 subj=unconfined  res=failed",
    "AUID=\"root\" UID=\"root\""
  ],
  "record_type": "DAEMON_ABORT"
}

DAEMON_CONFIG msgtype 1203

Source: Linux auditd
Message type: 1203
Fires: Emitted by default (no audit rule required)

Description

Daemon config change

Fields #

Name	Description
`op`	the operation being performed that is audited
`state`	audit daemon configuration resulting state
`auid`	login user ID
`uid`	user ID
`ses`	login session ID
`pid`	process ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "op": "reconfigure",
    "pid": "51449",
    "res": "success",
    "state": "changed",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_CONFIG msg=audit(1781632421.227:3346): op=reconfigure state=changed auid=1000 pid=51449 subj=unconfined res=success",
    "AUID=\"debian\""
  ],
  "record_type": "DAEMON_CONFIG"
}

DAEMON_ROTATE msgtype 1205

Source: Linux auditd
Message type: 1205
Fires: Emitted by default (no audit rule required)

Description

Auditd should rotate logs

Fields #

Name	Description
`op`	the operation being performed that is audited
`auid`	login user ID
`uid`	user ID
`ses`	login session ID
`pid`	process ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "op": "rotate-logs",
    "pid": "51449",
    "res": "success",
    "ses": "15",
    "subj": "unconfined",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_ROTATE msg=audit(1781632422.224:77): op=rotate-logs auid=1000 uid=0 ses=15 pid=51449 subj=unconfined res=success",
    "AUID=\"debian\" UID=\"root\""
  ],
  "record_type": "DAEMON_ROTATE"
}

DAEMON_RESUME msgtype 1206

Source: Linux auditd
Message type: 1206
Fires: Emitted by default (no audit rule required)

Description

Auditd should resume logging

Fields #

Name	Description
`op`	the operation being performed that is audited
`auid`	login user ID
`uid`	user ID
`ses`	login session ID
`pid`	process ID
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "op": "resume-logging",
    "pid": "109949",
    "res": "success",
    "ses": "90",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_RESUME msg=audit(1781719930.237:7502): op=resume-logging auid=1000 uid=0 ses=90 pid=109949 res=success",
    "AUID=\"debian\" UID=\"root\""
  ],
  "record_type": "DAEMON_RESUME"
}

DAEMON_ACCEPT msgtype 1207

Source: Linux auditd
Message type: 1207
Fires: Emitted by default (no audit rule required)

Description

Auditd accepted remote connection

Fields #

Name	Description
`op`	the operation being performed that is audited
`addr`	the remote address that the user is connecting from
`port`	remote port of the audit connection
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "::ffff:127.0.0.1",
    "port": "37074",
    "res": "success"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_ACCEPT msg=audit(1781635296.535:3244): addr=::ffff:127.0.0.1 port=37074 res=success"
  ],
  "record_type": "DAEMON_ACCEPT"
}

DAEMON_CLOSE msgtype 1208

Source: Linux auditd
Message type: 1208
Fires: Emitted by default (no audit rule required)

Description

Auditd closed remote connection

Fields #

Name	Description
`addr`	the remote address that the user is connecting from
`port`	remote port of the audit connection
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "::ffff:127.0.0.1",
    "port": "57858",
    "res": "success"
  },
  "raw": [
    "node=JD-debian-12-workstation type=DAEMON_CLOSE msg=audit(1781641212.864:8400): addr=::ffff:127.0.0.1 port=57858 res=success"
  ],
  "record_type": "DAEMON_CLOSE"
}

DAEMON_ERR msgtype 1209

Source: Linux auditd
Message type: 1209
Fires: Emitted by default (no audit rule required)

Description

Auditd internal error

Fields #

Name	Description
`op`	the operation being performed that is audited
`res`	result of the audited operation(success/fail)

Community Notes #

auditd internal-error record, emitted only on a defensive failure path inside the daemon (e.g. a failed reconfiguration where the internal reply is NULL) that does not arise during normal operation. No organic sample is reachable without inducing an auditd fault. Source: audit-userspace auditd. The field list below documents the record format.

SYSCALL msgtype 1300

Source: Linux auditd
Message type: 1300
Fires: Requires a loaded audit rule

Description

System call event information

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S execve -k exec  # core record for every matched syscall

Fields #

Name	Description	Rules
`arch`	CPU architecture (e.g. c000003e for x86_64)
`syscall`	System call number
`success`	Whether the syscall succeeded (yes or no)
`exit`	Exit value or errno of the syscall
`a0`	First argument to the syscall (hex)	3 detection rules
`a1`	Second argument to the syscall (hex)
`a2`	Third argument to the syscall (hex)
`a3`	Fourth argument to the syscall (hex)
`items`	Number of PATH records attached to this event
`ppid`	Parent process ID
`pid`	Process ID
`auid`	Audit user ID (login UID)
`uid`	User ID
`gid`	Group ID
`euid`	Effective user ID	1 detection rule
`suid`	Saved set-user-ID
`fsuid`	File system user ID
`egid`	Effective group ID
`sgid`	Saved set-group-ID
`fsgid`	File system group ID
`tty`	Terminal associated with the process
`ses`	Session ID
`comm`	Command name of the process	2 detection rules
`exe`	Executable path of the process	24 detection rules
`key`	Audit rule key that triggered this record	1 detection rule
`subj`	lspp subject's context string

Example Event #

{
  "fields": {
    "a0": "2442de3bf7e8",
    "a1": "2442dd0f4cb0",
    "a2": "2442dd889e60",
    "a3": "0",
    "arch": "c000003e",
    "auid": "4294967295",
    "comm": "iptables",
    "egid": "0",
    "euid": "0",
    "exe": "/usr/sbin/xtables-nft-multi",
    "exit": "0",
    "fsgid": "0",
    "fsuid": "0",
    "gid": "0",
    "items": "2",
    "key": "T1059_exec",
    "pid": "2407",
    "ppid": "671",
    "ses": "4294967295",
    "sgid": "0",
    "subj": "system_u:system_r:iptables_t:s0",
    "success": "yes",
    "suid": "0",
    "syscall": "59",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512605): arch=c000003e syscall=59 success=yes exit=0 a0=2442de3bf7e8 a1=2442dd0f4cb0 a2=2442dd889e60 a3=0 items=2 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.762:512605): argc=13 a0=\"/usr/sbin/iptables\" a1=\"--wait\" a2=\"-t\" a3=\"raw\" a4=\"-C\" a5=\"PREROUTING\" a6=\"-d\" a7=\"172.18.0.6\" a8=\"!\" a9=\"-i\" a10=\"br-440f323861ca\" a11=\"-j\" a12=\"DROP\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.762:512605): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=0 name=\"/usr/sbin/iptables\" inode=5537074 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512605): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "SYSCALL"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`type`	eq	`SYSCALL`	11 rules	sigma, splunk
`type`	eq	`EXECVE`	2 rules	sigma
`type`	eq	`ADD_USER`	1 rule	sigma, splunk
`comm`	eq	`insmod`	1 rule	sigma, splunk
`comm`	eq	`split`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall source medium: Detects the use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running dmesg -c, which triggers this syscall internally.
Loading of Kernel Module via Insmod source high: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Linux Network Service Scanning - Auditd source low: Detects enumeration of local or remote network services.

Show 5 more (8 total)

Split A File Into Pieces - Linux source low: Detection use of the command "split" to split files into parts and possible transfer.
System Info Discovery via Sysinfo Syscall source low: Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Program Executions in Suspicious Folders source medium: Detects program executions in suspicious non-program folders related to malware or hacking activity
Special File Creation via Mknod Syscall source low: Detects usage of the mknod syscall to create special files (e.g., character or block devices). Attackers or malware might use mknod to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Webshell Remote Command Execution source critical: Detects possible command execution by web application/web shell

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

PATH msgtype 1302

Source: Linux auditd
Message type: 1302
Fires: Requires a loaded audit rule

Description

Filename path information

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-w /etc/passwd -p wa -k identity  # file watches and path-bearing syscalls emit PATH

Fields #

Name	Description	Rules
`item`	Item number in the PATH record sequence
`name`	File or directory path	73 detection rules
`inode`	Inode number of the file
`dev`	Device identifier
`mode`	File permission mode (octal)
`ouid`	Owner user ID of the file
`ogid`	Owner group ID of the file
`rdev`	Device identifier for special files
`nametype`	Type of path operation (NORMAL, CREATE, DELETE, etc.)	1 detection rule
`obj`	lspp object context string
`cap_fp`	file permitted capability map
`cap_fi`	file inherited capability map
`cap_fe`	file assigned effective capability map
`cap_fver`	file system capabilities version number
`cap_frootid`	root user ID namespace owner of the file capability set

Example Event #

{
  "fields": {
    "cap_fe": "0",
    "cap_fi": "0",
    "cap_fp": "0",
    "cap_frootid": "0",
    "cap_fver": "0",
    "dev": "fe:01",
    "inode": "5537074",
    "item": "0",
    "mode": "0100755",
    "name": "/usr/sbin/iptables",
    "nametype": "NORMAL",
    "obj": "system_u:object_r:iptables_exec_t:s0",
    "ogid": "0",
    "ouid": "0",
    "rdev": "00:00"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512605): arch=c000003e syscall=59 success=yes exit=0 a0=2442de3bf7e8 a1=2442dd0f4cb0 a2=2442dd889e60 a3=0 items=2 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.762:512605): argc=13 a0=\"/usr/sbin/iptables\" a1=\"--wait\" a2=\"-t\" a3=\"raw\" a4=\"-C\" a5=\"PREROUTING\" a6=\"-d\" a7=\"172.18.0.6\" a8=\"!\" a9=\"-i\" a10=\"br-440f323861ca\" a11=\"-j\" a12=\"DROP\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.762:512605): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=0 name=\"/usr/sbin/iptables\" inode=5537074 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512605): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "PATH"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`type`	eq	`PATH`	12 rules	sigma, splunk
`type`	eq	`EXECVE`	2 rules	sigma
`name`	eq	`/etc/issue`	2 rules	sigma
`name`	eq	`/etc/pam.d/system-auth`	2 rules	sigma
`a0`	eq	`hostname`	1 rule	sigma
`a0`	eq	`uname`	1 rule	sigma
`nametype`	eq	`CREATE`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Linux Keylogging with Pam.d source high: Detect attempt to enable auditing of TTY input
Auditing Configuration Changes on Linux Host source high: Detect changes in auditd configuration files
BPFDoor Abnormal Process ID or Lock File Accessed source high: detects BPFDoor .lock and .pid files access in temporary file storage facility

Show 7 more (10 total)

Use Of Hidden Paths Or Files source low: Detects calls to hidden files or files located in hidden directories in NIX systems.
Modification of ld.so.preload source high: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host source high: Detect changes of syslog daemons configuration files
Potential Abuse of Linux Magic System Request Key source medium: Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
System and Hardware Information Discovery source informational: Detects system information discovery commands
Systemd Service Creation source medium: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
Unix Shell Configuration Modification source medium: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

IPC msgtype 1303

Source: Linux auditd
Message type: 1303
Fires: Requires a loaded audit rule

Description

System call IPC (Inter-Process Communication) object

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S shmget,semget,msgget -k ipc

Fields #

Name	Description
`ouid`	Owner user ID of the IPC object
`ogid`	Owner group ID of the IPC object
`mode`	Permission mode of the IPC object
`obj`	SELinux context of the IPC object

Example Event #

{
  "fields": {
    "mode": "0600",
    "ogid": "0",
    "ouid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.732:2113093): arch=c000003e syscall=66 success=yes exit=0 a0=0 a1=0 a2=10 a3=7fff00000001 items=0 ppid=56702 pid=56740 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"cryptsetup\" exe=\"/usr/sbin/cryptsetup\" subj=unconfined key=\"cat_ipc\"",
    "ARCH=x86_64 SYSCALL=semctl AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=IPC msg=audit(1781632713.732:2113093): ouid=0 ogid=0 mode=0600",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.732:2113093): proctitle=63727970747365747570006C756B734F70656E002F746D702F7232622F6C756B736261636B00636174616C6F676C756B73002D"
  ],
  "record_type": "IPC"
}

SOCKETCALL msgtype 1304

Source: Linux auditd
Message type: 1304
Fires: Requires a loaded audit rule

Description

System call socketcall arguments

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S socketcall -k net

Fields #

Name	Description
`nargs`	Number of arguments to the socket call
`a0`	First argument (hex)
`a1`	Second argument (hex)
`a2`	Third argument (hex)
`a3`	argument to the syscall (hex)
`a4`	argument to the syscall (hex)
`a5`	argument to the syscall (hex)

Example Event #

{
  "fields": {
    "a0": "3",
    "a1": "ffde5b9c",
    "a2": "10",
    "nargs": "3"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781731984.980:1214350): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=ffde5b60 a2=0 a3=eafe1ff4 items=0 ppid=37557 pid=37579 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=48 comm=\"sock32\" exe=\"/tmp/recap/sock32\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"sockcap\"",
    "ARCH=i386 SYSCALL=socketcall(connect) AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKETCALL msg=audit(1781731984.980:1214350): nargs=3 a0=3 a1=ffde5b9c a2=10",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781731984.980:1214350): saddr=020000097F0000010000000000000000",
    "SADDR={ saddr_fam=inet laddr=127.0.0.1 lport=9 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781731984.980:1214350): proctitle=\"/tmp/recap/sock32\""
  ],
  "record_type": "SOCKETCALL"
}

Community Notes #

Companion record: emitted only inside a SYSCALL event (the 32-bit socketcall multiplexer), never standalone, alongside SYSCALL + PROCTITLE under one audit serial. No complete-event sample was captured (32-bit compat path), so the example shows the isolated record.

CONFIG_CHANGE msgtype 1305

Source: Linux auditd
Message type: 1305
Fires: Emitted by default (no audit rule required)

Description

Audit system configuration change

Fields #

Name	Description
`auid`	Audit user ID (login UID) that made the change
`ses`	Session ID
`op`	Operation performed (e.g. add_rule, remove_rule)
`key`	Audit rule key associated with the change
`list`	Audit rule list affected
`res`	Result of the operation (1 for success, 0 for failure)
`subj`	lspp subject's context string

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "key": "T1562_audit_log_tamper",
    "list": "4",
    "op": "remove_rule",
    "res": "1",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditctl_t:s0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CONFIG_CHANGE msg=audit(1781634257.694:511157): auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 op=remove_rule key=\"T1562_audit_log_tamper\" list=4 res=1",
    "AUID=\"unset\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.694:511157): arch=c000003e syscall=44 success=yes exit=1092 a0=3 a1=7fff5edbde00 a2=444 a3=0 items=0 ppid=2328 pid=2390 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditctl\" exe=\"/usr/sbin/auditctl\" subj=system_u:system_r:auditctl_t:s0 key=\"T1071_data_transfer\"",
    "ARCH=x86_64 SYSCALL=sendto AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781634257.694:511157): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.694:511157): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573"
  ],
  "record_type": "CONFIG_CHANGE"
}

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

SOCKADDR msgtype 1306

Source: Linux auditd
Message type: 1306
Fires: Requires a loaded audit rule

Description

System call socket address argument information

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S connect,accept,bind -k net

Fields #

Name	Description
`saddr`	Socket address structure (hex-encoded)

Example Event #

{
  "fields": {
    "saddr": "100000000000000000000000"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.690:510675): arch=c000003e syscall=45 success=yes exit=1092 a0=3 a1=7fff5edc2590 a2=231c a3=40 items=0 ppid=2328 pid=2390 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditctl\" exe=\"/usr/sbin/auditctl\" subj=system_u:system_r:auditctl_t:s0 key=\"T1071_data_transfer\"",
    "ARCH=x86_64 SYSCALL=recvfrom AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781634257.690:510675): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.690:510675): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573"
  ],
  "record_type": "SOCKADDR"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

CWD msgtype 1307

Source: Linux auditd
Message type: 1307
Fires: Requires a loaded audit rule

Description

Current working directory

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S execve -k exec  # companion to every syscall record

Fields #

Name	Description
`cwd`	Current working directory

Example Event #

{
  "fields": {
    "cwd": "/"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512605): arch=c000003e syscall=59 success=yes exit=0 a0=2442de3bf7e8 a1=2442dd0f4cb0 a2=2442dd889e60 a3=0 items=2 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.762:512605): argc=13 a0=\"/usr/sbin/iptables\" a1=\"--wait\" a2=\"-t\" a3=\"raw\" a4=\"-C\" a5=\"PREROUTING\" a6=\"-d\" a7=\"172.18.0.6\" a8=\"!\" a9=\"-i\" a10=\"br-440f323861ca\" a11=\"-j\" a12=\"DROP\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.762:512605): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=0 name=\"/usr/sbin/iptables\" inode=5537074 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512605): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "CWD"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

EXECVE msgtype 1309

Source: Linux auditd
Message type: 1309
Fires: Requires a loaded audit rule

Description

Arguments supplied to the execve system call

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S execve -k exec

Fields #

Name	Description	Rules
`argc`	Number of command-line arguments
`a0`	First command-line argument (the program path)	50 detection rules
`a1`	Second command-line argument	45 detection rules
`a2`	Third command-line argument	15 detection rules
`a3`	Fourth command-line argument	8 detection rules

Example Event #

{
  "fields": {
    "a0": "/usr/sbin/iptables",
    "a1": "--wait",
    "a10": "br-440f323861ca",
    "a11": "-j",
    "a12": "DROP",
    "a2": "-t",
    "a3": "raw",
    "a4": "-C",
    "a5": "PREROUTING",
    "a6": "-d",
    "a7": "172.18.0.6",
    "a8": "!",
    "a9": "-i",
    "argc": "13"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512605): arch=c000003e syscall=59 success=yes exit=0 a0=2442de3bf7e8 a1=2442dd0f4cb0 a2=2442dd889e60 a3=0 items=2 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.762:512605): argc=13 a0=\"/usr/sbin/iptables\" a1=\"--wait\" a2=\"-t\" a3=\"raw\" a4=\"-C\" a5=\"PREROUTING\" a6=\"-d\" a7=\"172.18.0.6\" a8=\"!\" a9=\"-i\" a10=\"br-440f323861ca\" a11=\"-j\" a12=\"DROP\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.762:512605): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=0 name=\"/usr/sbin/iptables\" inode=5537074 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512605): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "EXECVE"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`type`	eq	`EXECVE`	28 rules	sigma
`type`	eq	`PATH`	2 rules	sigma, splunk
`type`	eq	`SYSCALL`	2 rules	sigma, splunk
`a1`	ends_with	`.jpg`	3 rules	sigma
`a1`	ends_with	`.png`	3 rules	sigma
`a1`	eq	`-sel`	2 rules	sigma
`a1`	eq	`-selection`	2 rules	sigma
`a0`	eq	`hostname`	2 rules	sigma
`a0`	eq	`steghide`	2 rules	sigma
`a0`	eq	`uname`	2 rules	sigma
`a0`	eq	`xclip`	2 rules	sigma
`a2`	eq	`clip`	2 rules	sigma
`a2`	eq	`clipboard`	2 rules	sigma
`a3`	ends_with	`.jpg`	2 rules	sigma
`a3`	ends_with	`.png`	2 rules	sigma

Community Notes #

argc gives the argument count; the arguments continue a0, a1, ... a{argc-1} (samples show up to a12). a0-a3 are declared as representative; higher indices are dynamic.

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Binary Padding - Linux source high: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Bpfdoor TCP Ports Redirect source medium: All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
Linux Capabilities Discovery source low: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Show 17 more (24 total)

File Time Attribute Change - Linux source medium: Detect file time attribute change to hide new or changes to existing files.
Remove Immutable File Attribute - Auditd source medium: Detects removing immutable file attribute.
Clipboard Collection with Xclip Tool - Auditd source low: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Clipboard Collection of Image Data with Xclip Tool source low: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Data Exfiltration with Wget source medium: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
Overwriting the File with Dev Zero or Null source low: Detects overwriting (effectively wiping/deleting) of a file.
File or Folder Permissions Change source low: Detects file and folder permission changes.
Credentials In Files - Linux source high: Detecting attempts to extract passwords with grep
Hidden Files and Directories source low: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Steganography Hide Zip Information in Picture File source low: Detects appending of zip file to image
Modify System Firewall source medium: Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Screen Capture with Import Tool source low: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd source low: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
Steganography Hide Files with Steghide source low: Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide source low: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Suspicious Commands Linux source medium: Detects relevant commands often related to malware or hacking activity
Suspicious History File Operations - Linux source medium: Detects commandline operations on shell history files

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

IPC_SET_PERM msgtype 1311

Source: Linux auditd
Message type: 1311
Fires: Requires a loaded audit rule

Description

IPC new permissions record type

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S shmctl,semctl,msgctl -k ipc

Fields #

Name	Description
`qbytes`	ipc objects quantity of bytes
`ouid`	file owner user ID
`ogid`	file owner group ID
`mode`	Landlock domain enforcement mode (enforcing)

Example Event #

{
  "fields": {
    "mode": "0600",
    "ogid": "0",
    "ouid": "0",
    "qbytes": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.555:1883815): arch=c000003e syscall=31 success=yes exit=0 a0=2 a1=1 a2=7f3361005c30 a3=10 items=0 ppid=51449 pid=51615 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"cat_ipc\"",
    "ARCH=x86_64 SYSCALL=shmctl AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=IPC msg=audit(1781632420.555:1883815): ouid=0 ogid=0 mode=0600",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=IPC_SET_PERM msg=audit(1781632420.555:1883815): qbytes=0 ouid=0 ogid=0 mode=0600",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.555:1883815): proctitle=707974686F6E33002F746D702F726F756E64322E7079"
  ],
  "record_type": "IPC_SET_PERM"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

MQ_OPEN msgtype 1312

Source: Linux auditd
Message type: 1312
Fires: Requires a loaded audit rule

Description

POSIX MQ open record type

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S mq_open -k posixmq

Fields #

Name	Description
`oflag`	open syscall flags
`mode`	Landlock domain enforcement mode (enforcing)
`mq_flags`	POSIX message queue flags
`mq_maxmsg`	maximum number of messages on the POSIX message queue
`mq_msgsize`	maximum message size on the POSIX message queue
`mq_curmsgs`	current number of messages on the POSIX message queue

Example Event #

{
  "fields": {
    "mode": "0600",
    "mq_curmsgs": "0",
    "mq_flags": "0x0",
    "mq_maxmsg": "10",
    "mq_msgsize": "64",
    "oflag": "0x42"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.559:1883818): arch=c000003e syscall=240 success=yes exit=3 a0=7f3360b29a61 a1=42 a2=180 a3=7f3360b2cb30 items=2 ppid=51449 pid=51615 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"cat_mq\"",
    "ARCH=x86_64 SYSCALL=mq_open AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=MQ_OPEN msg=audit(1781632420.559:1883818): oflag=0x42 mode=0600 mq_flags=0x0 mq_maxmsg=10 mq_msgsize=64 mq_curmsgs=0",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781632420.559:1883818): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781632420.559:1883818): item=0 name=\"catalog_q2\" inode=264781 dev=00:13 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.559:1883818): proctitle=707974686F6E33002F746D702F726F756E64322E7079"
  ],
  "record_type": "MQ_OPEN"
}

MQ_SENDRECV msgtype 1313

Source: Linux auditd
Message type: 1313
Fires: Requires a loaded audit rule

Description

POSIX MQ send/receive record type

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S mq_timedsend,mq_timedreceive -k posixmq

Fields #

Name	Description
`mqdes`	POSIX message queue descriptor
`msg_len`	message length for the message-queue send or receive
`msg_prio`	message priority for the message-queue send or receive
`abs_timeout_sec`	absolute timeout seconds for the message queue operation
`abs_timeout_nsec`	absolute timeout nanoseconds for the message queue operation

Example Event #

{
  "fields": {
    "abs_timeout_nsec": "0",
    "abs_timeout_sec": "1781632422",
    "mqdes": "3",
    "msg_len": "18",
    "msg_prio": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.559:1883819): arch=c000003e syscall=242 success=yes exit=0 a0=3 a1=7f3360b1b190 a2=12 a3=0 items=1 ppid=51449 pid=51615 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"cat_mq\"",
    "ARCH=x86_64 SYSCALL=mq_timedsend AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=MQ_SENDRECV msg=audit(1781632420.559:1883819): mqdes=3 msg_len=18 msg_prio=0 abs_timeout_sec=1781632422 abs_timeout_nsec=0",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781632420.559:1883819): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781632420.559:1883819): item=0 name=(null) inode=264781 dev=00:13 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.559:1883819): proctitle=707974686F6E33002F746D702F726F756E64322E7079"
  ],
  "record_type": "MQ_SENDRECV"
}

MQ_NOTIFY msgtype 1314

Source: Linux auditd
Message type: 1314
Fires: Requires a loaded audit rule

Description

POSIX MQ notify record type

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S mq_notify -k posixmq

Fields #

Name	Description
`mqdes`	POSIX message queue descriptor
`sigev_signo`	signal number

Example Event #

{
  "fields": {
    "mqdes": "3",
    "sigev_signo": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.559:1883821): arch=c000003e syscall=244 success=yes exit=0 a0=3 a1=0 a2=7f3360b1b3f0 a3=0 items=0 ppid=51449 pid=51615 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"cat_mq\"",
    "ARCH=x86_64 SYSCALL=mq_notify AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=MQ_NOTIFY msg=audit(1781632420.559:1883821): mqdes=3 sigev_signo=0",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.559:1883821): proctitle=707974686F6E33002F746D702F726F756E64322E7079"
  ],
  "record_type": "MQ_NOTIFY"
}

MQ_GETSETATTR msgtype 1315

Source: Linux auditd
Message type: 1315
Fires: Requires a loaded audit rule

Description

POSIX MQ get/set attribute record type

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S mq_getsetattr -k posixmq

Fields #

Name	Description
`mqdes`	POSIX message queue descriptor
`mq_flags`	POSIX message queue flags
`mq_maxmsg`	maximum number of messages on the POSIX message queue
`mq_msgsize`	maximum message size on the POSIX message queue
`mq_curmsgs`	current number of messages on the POSIX message queue

Example Event #

{
  "fields": {
    "mq_curmsgs": "0",
    "mq_flags": "0x0",
    "mq_maxmsg": "10",
    "mq_msgsize": "64",
    "mqdes": "3"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.559:1883823): arch=c000003e syscall=245 success=yes exit=0 a0=3 a1=7f3360b56cb0 a2=0 a3=0 items=0 ppid=51449 pid=51615 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"cat_mq\"",
    "ARCH=x86_64 SYSCALL=mq_getsetattr AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=MQ_GETSETATTR msg=audit(1781632420.559:1883823): mqdes=3 mq_flags=0x0 mq_maxmsg=10 mq_msgsize=64 mq_curmsgs=0 ",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.559:1883823): proctitle=707974686F6E33002F746D702F726F756E64322E7079"
  ],
  "record_type": "MQ_GETSETATTR"
}

KERNEL_OTHER msgtype 1316

Source: Linux auditd
Message type: 1316
Fires: Emitted by default (no audit rule required)

Description

For use by 3rd party modules

Community Notes #

Reserved for third-party kernel modules to emit their own audit records (kernel UAPI include/uapi/linux/audit.h: AUDIT_KERNEL_OTHER 1316, 'For use by 3rd party modules'). No module shipped with Debian emits it, so it never appears in the log. Documented for catalog completeness.

FD_PAIR msgtype 1317

Source: Linux auditd
Message type: 1317
Fires: Requires a loaded audit rule

Description

Information for pipe and socketpair system calls

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S pipe,pipe2,socketpair -k fdpair

Fields #

Name	Description
`fd0`	first file descriptor of the created pair
`fd1`	second file descriptor of the created pair

Example Event #

{
  "fields": {
    "fd0": "7",
    "fd1": "9"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634258.158:513530): arch=c000003e syscall=53 success=yes exit=0 a0=1 a1=80001 a2=0 a3=c00012f078 items=0 ppid=1121 pid=2466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"runc\" exe=\"/usr/bin/runc\" subj=system_u:system_r:initrc_t:s0 key=\"cat_fdpair\"",
    "ARCH=x86_64 SYSCALL=socketpair AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=FD_PAIR msg=audit(1781634258.158:513530): fd0=7 fd1=9",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634258.158:513530): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F36616133383239633966356566636632623230353437336565"
  ],
  "record_type": "FD_PAIR"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

OBJ_PID msgtype 1318

Source: Linux auditd
Message type: 1318
Fires: Requires a loaded audit rule

Description

Target process information for ptrace, kill, tkill, and tgkill syscalls

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S ptrace -k ptrace

Fields #

Name	Description
`opid`	object's process ID
`oauid`	object's login user ID
`ouid`	file owner user ID
`oses`	object's session ID
`obj`	lspp object context string
`ocomm`	object's command line name

Example Event #

{
  "fields": {
    "oauid": "-1",
    "obj": "system_u:system_r:initrc_t:s0",
    "ocomm": "dockerd",
    "opid": "671",
    "oses": "-1",
    "ouid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.750:512329): arch=c000003e syscall=234 success=yes exit=0 a0=29f a1=8b9 a2=17 a3=7ffed2507080 items=0 ppid=1 pid=671 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"dockerd\" exe=\"/usr/bin/dockerd\" subj=system_u:system_r:initrc_t:s0 key=\"T1489_process_kill\"",
    "ARCH=x86_64 SYSCALL=tgkill AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=OBJ_PID msg=audit(1781634257.750:512329): opid=671 oauid=-1 ouid=0 oses=-1 obj=system_u:system_r:initrc_t:s0 ocomm=\"dockerd\"",
    "OAUID=\"unset\" OUID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.750:512329): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B"
  ],
  "record_type": "OBJ_PID"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

TTY msgtype 1319

Source: Linux auditd
Message type: 1319
Fires: Emitted by default (no audit rule required)

Description

Input on an administrative TTY

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`major`	device major number
`minor`	device minor number
`comm`	command line program name
`data`	TTY text

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "bash",
    "data": "69640A657869740A",
    "major": "136",
    "minor": "0",
    "pid": "32503",
    "ses": "1",
    "uid": "1003"
  },
  "raw": [
    "node=JD-debian-12-workstation type=TTY msg=audit(1781630540.940:1378859): tty pid=32503 uid=1003 auid=1000 ses=1 major=136 minor=0 comm=\"bash\" data=69640A657869740A",
    "UID=\"testlogout123\" AUID=\"debian\""
  ],
  "record_type": "TTY"
}

EOE msgtype 1320

Source: Linux auditd
Message type: 1320
Fires: Emitted by default (no audit rule required)

Description

End of multi-record event

Example Event #

{
  "fields": {},
  "raw": [
    "node=JD-debian-12-workstation type=EOE msg=audit(1781641908.324:2323996): "
  ],
  "record_type": "EOE"
}

Community Notes #

Control marker ending a multi-record event. Emitted on auditd's real-time interface (audisp plugins see it) but filtered from the on-disk log, so it does not appear in /var/log/audit/audit.log. Class CTL in the audit message dictionary.

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

BPRM_FCAPS msgtype 1321

Source: Linux auditd
Message type: 1321
Fires: Requires a loaded audit rule

Description

Information about file system capabilities increasing permissions

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S execve -k filecaps

Fields #

Name	Description
`fver`	file system capabilities version number
`fp`	file assigned permitted capability map
`fi`	file assigned inherited capability map
`fe`	file assigned effective capability map
`old_pp`	old process permitted capability map
`old_pi`	old process inherited capability map
`old_pe`	old process effective capability map
`old_pa`	old process ambient capability map
`pp`	process permitted capability map
`pi`	process inherited capability map
`pe`	process effective capability map
`pa`	process ambient capability map
`frootid`	root user ID namespace owner of the file capability set

Example Event #

{
  "fields": {
    "fe": "0",
    "fi": "0",
    "fp": "0",
    "frootid": "0",
    "fver": "0",
    "old_pa": "0",
    "old_pe": "000001f7fdffffff",
    "old_pi": "0",
    "old_pp": "000001f7fdffffff",
    "pa": "0",
    "pe": "000001f7fdffffff",
    "pi": "0",
    "pp": "000001f7fdffffff"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.766:512777): arch=c000003e syscall=59 success=yes exit=0 a0=5611885bc330 a1=56118918c5a0 a2=5611891898d0 a3=0 items=3 ppid=2408 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"ifupdown-hotplu\" exe=\"/usr/bin/dash\" subj=system_u:system_r:udev_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=BPRM_FCAPS msg=audit(1781634257.766:512777): fver=0 fp=0 fi=0 fe=0 old_pp=000001f7fdffffff old_pi=0 old_pe=000001f7fdffffff old_pa=0 pp=000001f7fdffffff pi=0 pe=000001f7fdffffff pa=0 frootid=0",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.766:512777): argc=3 a0=\"/bin/sh\" a1=\"-e\" a2=\"/lib/udev/ifupdown-hotplug\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.766:512777): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.766:512777): item=0 name=\"/lib/udev/ifupdown-hotplug\" inode=5512454 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.766:512777): item=1 name=\"/bin/sh\" inode=5506763 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.766:512777): item=2 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.766:512777): proctitle=\"(spawn)\""
  ],
  "record_type": "BPRM_FCAPS"
}

CAPSET msgtype 1322

Source: Linux auditd
Message type: 1322
Fires: Requires a loaded audit rule

Description

Record showing argument to sys_capset setting process-based capabilities

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S capset -k caps

Fields #

Name	Description
`pid`	process ID
`cap_pi`	process inherited capability map
`cap_pp`	process permitted capability map
`cap_pe`	process effective capability map
`cap_pa`	process ambient capability map

Example Event #

{
  "fields": {
    "cap_pa": "0",
    "cap_pe": "00000000a80425fb",
    "cap_pi": "00000000a80425fb",
    "cap_pp": "00000000a80425fb",
    "pid": "2474"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634258.214:513610): arch=c000003e syscall=126 success=yes exit=0 a0=c000098570 a1=c000098578 a2=0 a3=0 items=0 ppid=2466 pid=2474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"runc:[2:INIT]\" exe=\"/runc\" subj=system_u:system_r:initrc_t:s0 key=\"T1548_capabilities\"",
    "ARCH=x86_64 SYSCALL=capset AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=CAPSET msg=audit(1781634258.214:513610): pid=2474 cap_pi=00000000a80425fb cap_pp=00000000a80425fb cap_pe=00000000a80425fb cap_pa=0",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634258.214:513610): proctitle=72756E6300696E6974"
  ],
  "record_type": "CAPSET"
}

MMAP msgtype 1323

Source: Linux auditd
Message type: 1323
Fires: Requires a loaded audit rule

Description

Mmap system call file descriptor and flags

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S mmap -k mmap

Fields #

Name	Description
`fd`	file descriptor number
`flags`	mmap syscall flags

Example Event #

{
  "fields": {
    "fd": "3",
    "flags": "0x812"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512610): arch=c000003e syscall=9 success=yes exit=140067170054144 a0=7f63edea7000 a1=8000 a2=5 a3=812 items=0 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1055_mmap_exec\"",
    "ARCH=x86_64 SYSCALL=mmap AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=MMAP msg=audit(1781634257.762:512610): fd=3 flags=0x812",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512610): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "MMAP"
}

NETFILTER_PKT msgtype 1324

Source: Linux auditd
Message type: 1324
Fires: Emitted by default (no audit rule required)

Description

Packets traversing netfilter chains

Fields #

Name	Description
`mark`	netfilter packet mark
`saddr`	struct socket address structure
`daddr`	remote IP address
`proto`	network protocol
`sport`	local port number
`dport`	remote port number

Example Event #

{
  "fields": {
    "daddr": "127.0.0.1",
    "mark": "0x0",
    "proto": "1",
    "saddr": "127.0.0.1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=NETFILTER_PKT msg=audit(1781632714.004:2114926): mark=0x0 saddr=127.0.0.1 daddr=127.0.0.1 proto=1"
  ],
  "record_type": "NETFILTER_PKT"
}

NETFILTER_CFG msgtype 1325

Source: Linux auditd
Message type: 1325
Fires: Emitted by default (no audit rule required)

Description

Netfilter chain modifications

Fields #

Name	Description
`table`	Netfilter table name
`family`	Address family (e.g. 2 for IPv4, 10 for IPv6)
`entries`	Number of entries in the table
`op`	the operation being performed that is audited
`pid`	process ID
`subj`	lspp subject's context string
`comm`	command line program name

Example Event #

{
  "fields": {
    "comm": "iptables",
    "entries": "1",
    "family": "2",
    "op": "nft_register_rule",
    "pid": "2409",
    "subj": "system_u:system_r:iptables_t:s0",
    "table": "raw:106"
  },
  "raw": [
    "node=JD-debian-12-workstation type=NETFILTER_CFG msg=audit(1781634257.766:512779): table=raw:106 family=2 entries=1 op=nft_register_rule pid=2409 subj=system_u:system_r:iptables_t:s0 comm=\"iptables\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.766:512779): arch=c000003e syscall=46 success=yes exit=396 a0=3 a1=7fff72384f90 a2=0 a3=7fff72384f7c items=0 ppid=671 pid=2409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781634257.766:512779): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.766:512779): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4100505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "NETFILTER_CFG"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

SECCOMP msgtype 1326

Source: Linux auditd
Message type: 1326
Fires: Emitted by default (no audit rule required)

Description

Secure Computing event

Fields #

Name	Description
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`ses`	login session ID
`subj`	lspp subject's context string
`pid`	process ID
`comm`	command line program name
`exe`	executable name
`sig`	signal number
`arch`	the elf architecture flags
`syscall`	syscall number in effect when the event occurred
`compat`	is_compat_task result
`ip`	network address of a printer
`code`	seccomp action code

Example Event #

{
  "fields": {
    "arch": "c000003e",
    "auid": "4294967295",
    "code": "0x7ffc0000",
    "comm": "true",
    "compat": "0",
    "exe": "/usr/bin/true",
    "gid": "0",
    "ip": "0x7f13da9bb917",
    "pid": "5052",
    "ses": "4294967295",
    "sig": "0",
    "subj": "unconfined",
    "syscall": "3",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SECCOMP msg=audit(1781627806.180:583840): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5052 comm=\"true\" exe=\"/usr/bin/true\" sig=0 arch=c000003e syscall=3 compat=0 ip=0x7f13da9bb917 code=0x7ffc0000",
    "AUID=\"unset\" UID=\"root\" GID=\"root\" ARCH=x86_64 SYSCALL=close"
  ],
  "record_type": "SECCOMP"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

PROCTITLE msgtype 1327

Source: Linux auditd
Message type: 1327
Fires: Requires a loaded audit rule

Description

Process Title info

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S execve -k exec  # companion to every syscall record

Fields #

Name	Description
`proctitle`	Process title (hex-encoded command line)

Example Event #

{
  "fields": {
    "proctitle": "2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512605): arch=c000003e syscall=59 success=yes exit=0 a0=2442de3bf7e8 a1=2442dd0f4cb0 a2=2442dd889e60 a3=0 items=2 ppid=671 pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/usr/sbin/xtables-nft-multi\" subj=system_u:system_r:iptables_t:s0 key=\"T1059_exec\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781634257.762:512605): argc=13 a0=\"/usr/sbin/iptables\" a1=\"--wait\" a2=\"-t\" a3=\"raw\" a4=\"-C\" a5=\"PREROUTING\" a6=\"-d\" a7=\"172.18.0.6\" a8=\"!\" a9=\"-i\" a10=\"br-440f323861ca\" a11=\"-j\" a12=\"DROP\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.762:512605): cwd=\"/\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=0 name=\"/usr/sbin/iptables\" inode=5537074 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.762:512605): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=5505708 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512605): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D7400726177002D4300505245524F5554494E47002D64003137322E31382E302E360021002D690062722D343430663332333836316361002D6A0044524F50"
  ],
  "record_type": "PROCTITLE"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

FEATURE_CHANGE msgtype 1328

Source: Linux auditd
Message type: 1328
Fires: Emitted by default (no audit rule required)

Description

Audit feature changed value

Fields #

Name	Description
`ppid`	parent process ID
`pid`	process ID
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`comm`	command line program name
`exe`	executable name
`subj`	lspp subject's context string
`feature`	kernel feature being changed
`old`	previous value
`new`	new value
`old_lock`	feature lock state before the change
`new_lock`	feature lock state after the change
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "auditctl",
    "egid": "0",
    "euid": "0",
    "exe": "/usr/sbin/auditctl",
    "feature": "loginuid_immutable",
    "fsgid": "0",
    "fsuid": "0",
    "gid": "0",
    "new": "1",
    "new_lock": "1",
    "old": "0",
    "old_lock": "0",
    "pid": "33977",
    "ppid": "33976",
    "res": "1",
    "ses": "1",
    "sgid": "0",
    "subj": "unconfined",
    "suid": "0",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=FEATURE_CHANGE msg=audit(1781630669.800:1417007):  ppid=33976 pid=33977 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=\"auditctl\" exe=\"/usr/sbin/auditctl\" subj=unconfined feature=loginuid_immutable old=0 new=1 old_lock=0 new_lock=1 res=1",
    "AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\""
  ],
  "record_type": "FEATURE_CHANGE"
}

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

KERN_MODULE msgtype 1330

Source: Linux auditd
Message type: 1330
Fires: Requires a loaded audit rule

Description

Kernel Module events

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

Fields #

Name	Description
`name`	file name in avcs

Example Event #

{
  "fields": {
    "name": "nft_compat"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634171.392:79211): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=5566b4fed4a0 a2=0 a3=0 items=0 ppid=35 pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:kmod_t:s0 key=\"T1547_kernel_modules\"",
    "ARCH=x86_64 SYSCALL=finit_module AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=KERN_MODULE msg=audit(1781634171.392:79211): name=\"nft_compat\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634171.392:79211): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E666E65746C696E6B2D7375627379732D3131"
  ],
  "record_type": "KERN_MODULE"
}

FANOTIFY msgtype 1331

Source: Linux auditd
Message type: 1331
Fires: Emitted by default (no audit rule required)

Description

Fanotify access decision

Fields #

Name	Description
`resp`	fanotify permission response (allow or deny)
`fan_type`	fanotify response info type
`fan_info`	fanotify audit rule number
`subj_trust`	fanotify subject trust value (0 no, 1 yes, 2 unknown)
`obj_trust`	fanotify object trust value (0 no, 1 yes, 2 unknown)

Example Event #

{
  "fields": {
    "fan_info": "2A",
    "fan_type": "1",
    "obj_trust": "0",
    "resp": "1",
    "subj_trust": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=FANOTIFY msg=audit(1781717953.135:245162): resp=1 fan_type=1 fan_info=2A subj_trust=0 obj_trust=0",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781717953.135:245162): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=710119527dd0 a2=80000 a3=0 items=1 ppid=90046 pid=90047 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=59 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"fanotify\"",
    "ARCH=x86_64 SYSCALL=openat AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781717953.135:245162): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781717953.135:245162): item=0 name=\"/tmp/fant\" inode=1835017 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781717953.135:245162): proctitle=707974686F6E33002D"
  ],
  "record_type": "FANOTIFY"
}

TIME_INJOFFSET msgtype 1332

Source: Linux auditd
Message type: 1332
Fires: Requires a loaded audit rule

Description

Timekeeping offset injected

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S clock_settime,settimeofday -k time-change

Fields #

Name	Description
`sec`	seconds component of the time change
`nsec`	nanoseconds component of the time change

Example Event #

{
  "fields": {
    "nsec": "398226411",
    "sec": "-1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781627806.598:582950): arch=c000003e syscall=164 success=yes exit=0 a0=7f5df5e12380 a1=0 a2=3befff30 a3=7f5df5db4bc0 items=0 ppid=4981 pid=4982 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined key=\"T1070_time_change\"",
    "ARCH=x86_64 SYSCALL=settimeofday AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=TIME_INJOFFSET msg=audit(1781627806.598:582950): sec=-1 nsec=398226411",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781627806.598:582950): proctitle=7375646F002F7573722F62696E2F707974686F6E33002D"
  ],
  "record_type": "TIME_INJOFFSET"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

TIME_ADJNTPVAL msgtype 1333

Source: Linux auditd
Message type: 1333
Fires: Requires a loaded audit rule

Description

NTP value adjustment

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S adjtimex,clock_adjtime -k time-change

Fields #

Name	Description
`op`	the operation being performed that is audited
`old`	previous value
`new`	new value

Example Event #

{
  "fields": {
    "new": "138842102107734",
    "old": "-721856555751",
    "op": "offset"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634263.290:518491): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7ffc08480930 a2=0 a3=7ffc0858d080 items=0 ppid=1 pid=453 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm=\"systemd-timesyn\" exe=\"/usr/lib/systemd/systemd-timesyncd\" subj=system_u:system_r:ntpd_t:s0 key=\"cat_time\"",
    "ARCH=x86_64 SYSCALL=clock_adjtime AUID=\"unset\" UID=\"systemd-timesync\" GID=\"systemd-timesync\" EUID=\"systemd-timesync\" SUID=\"systemd-timesync\" FSUID=\"systemd-timesync\" EGID=\"systemd-timesync\" SGID=\"systemd-timesync\" FSGID=\"systemd-timesync\"",
    "node=JD-debian-12-workstation type=TIME_ADJNTPVAL msg=audit(1781634263.290:518491): op=offset old=-721856555751 new=138842102107734",
    "node=JD-debian-12-workstation type=TIME_ADJNTPVAL msg=audit(1781634263.290:518491): op=freq old=-87703970381824 new=47884019957760",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634263.290:518491): proctitle=\"/lib/systemd/systemd-timesyncd\""
  ],
  "record_type": "TIME_ADJNTPVAL"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

BPF msgtype 1334

Source: Linux auditd
Message type: 1334
Fires: Emitted by default (no audit rule required)

Description

BPF load/unload

Fields #

Name	Description
`prog-id`	BPF program ID
`op`	the operation being performed that is audited

Example Event #

{
  "fields": {
    "op": "LOAD",
    "prog-id": "81"
  },
  "raw": [
    "node=JD-debian-12-workstation type=BPF msg=audit(1781634257.694:511163): prog-id=81 op=LOAD",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.694:511163): arch=c000003e syscall=321 success=yes exit=85 a0=5 a1=7ffc318bf920 a2=90 a3=4 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" subj=system_u:system_r:init_t:s0 key=\"cat_bpf\"",
    "ARCH=x86_64 SYSCALL=bpf AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.694:511163): proctitle=\"/sbin/init\""
  ],
  "record_type": "BPF"
}

EVENT_LISTENER msgtype 1335

Source: Linux auditd
Message type: 1335
Fires: Emitted by default (no audit rule required)

Description

audit mcast sock join/part

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`subj`	lspp subject's context string
`comm`	command line program name
`exe`	executable name
`nl-mcgrp`	audit netlink multicast group joined or left
`op`	the operation being performed that is audited
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "comm": "systemd",
    "exe": "/usr/lib/systemd/systemd",
    "nl-mcgrp": "1",
    "op": "connect",
    "pid": "1",
    "res": "1",
    "ses": "4294967295",
    "subj": "system_u:system_r:init_t:s0",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=EVENT_LISTENER msg=audit(1781634165.636:9): pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=system_u:system_r:init_t:s0 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" nl-mcgrp=1 op=connect res=1",
    "UID=\"root\" AUID=\"unset\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634165.636:9): arch=c000003e syscall=49 success=yes exit=0 a0=20 a1=55b6f362dc40 a2=c a3=7ffc318bfd84 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" subj=system_u:system_r:init_t:s0 key=(null)",
    "ARCH=x86_64 SYSCALL=bind AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634165.636:9): proctitle=\"/sbin/init\""
  ],
  "record_type": "EVENT_LISTENER"
}

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

URINGOP msgtype 1336

Source: Linux auditd
Message type: 1336
Fires: Requires a loaded audit rule

Description

io_uring operation

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S io_uring_enter -k uring

Fields #

Name	Description
`uring_op`	io_uring operation code
`success`	whether the syscall was successful or not
`exit`	syscall exit code
`items`	the number of path records in the event
`ppid`	parent process ID
`pid`	process ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`subj`	lspp subject's context string
`key`	key assigned from triggered audit rule

Example Event #

{
  "fields": {
    "egid": "0",
    "euid": "0",
    "exit": "0",
    "fsgid": "0",
    "fsuid": "0",
    "gid": "0",
    "items": "1",
    "key": "uringcap",
    "pid": "38669",
    "ppid": "38651",
    "sgid": "0",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "success": "yes",
    "suid": "0",
    "uid": "0",
    "uring_op": "18"
  },
  "raw": [
    "node=JD-debian-12-workstation type=URINGOP msg=audit(1781732081.383:1214470): uring_op=18 success=yes exit=0 items=1 ppid=38651 pid=38669 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"uringcap\"",
    "UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781732081.383:1214470): arch=c000003e syscall=426 success=yes exit=1 a0=3 a1=1 a2=1 a3=1 items=1 ppid=38651 pid=38669 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=54 comm=\"uring\" exe=\"/tmp/recap/uring\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"uringcap\"",
    "ARCH=x86_64 SYSCALL=io_uring_enter AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781732081.383:1214470): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781732081.383:1214470): item=0 name=\"/etc/hostname\" inode=11010243 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781732081.383:1214470): proctitle=\"/tmp/recap/uring\""
  ],
  "record_type": "URINGOP"
}

Community Notes #

Companion record: emitted only inside an io_uring event (kernel audit_log_exit), never standalone, alongside SYSCALL and CWD/PATH for path-bearing operations under one audit serial. No complete-event sample was captured, so the example shows the isolated record.

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

OPENAT2 msgtype 1337

Source: Linux auditd
Message type: 1337
Fires: Requires a loaded audit rule

Description

Record showing openat2 how args

How it fires #

This record only appears when a matching auditctl / audit.rules syscall rule is loaded. Example rule:

-a always,exit -F arch=b64 -S openat2 -k open

Fields #

Name	Description
`oflag`	open syscall flags
`mode`	Landlock domain enforcement mode (enforcing)
`resolve`	openat2 RESOLVE_* flags

Example Event #

{
  "fields": {
    "mode": "00",
    "oflag": "012000000",
    "resolve": "0x14"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.690:510676): arch=c000003e syscall=437 success=yes exit=12 a0=ffffffffffffff9c a1=c00015de3a a2=c000140d88 a3=18 items=1 ppid=2351 pid=2392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"runc:[2:INIT]\" exe=\"/runc\" subj=system_u:system_r:initrc_t:s0 key=\"cat_openat2\"",
    "ARCH=x86_64 SYSCALL=openat2 AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=OPENAT2 msg=audit(1781634257.690:510676): oflag=012000000 mode=00 resolve=0x14",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634257.690:510676): cwd=\"/var/lib/docker/rootfs/overlayfs/5532208236a5c5797a9da401566d1b5a1b0fc8324846bcf558a1b2d96fff977e\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634257.690:510676): item=0 name=\".\" inode=4755763 dev=00:35 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.690:510676): proctitle=72756E6300696E6974"
  ],
  "record_type": "OPENAT2"
}

DM_CTRL msgtype 1338

Source: Linux auditd
Message type: 1338
Fires: Emitted by default (no audit rule required)

Description

Device Mapper target control

Fields #

Name	Description
`module`	device-mapper target or kernel module name
`op`	the operation being performed that is audited
`ppid`	parent process ID
`pid`	process ID
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`comm`	command line program name
`exe`	executable name
`subj`	lspp subject's context string
`dev`	device identifier
`error_msg`	device-mapper error message
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "cryptsetup",
    "dev": "253:0",
    "egid": "0",
    "error_msg": "success",
    "euid": "0",
    "exe": "/usr/sbin/cryptsetup",
    "fsgid": "0",
    "fsuid": "0",
    "gid": "0",
    "module": "crypt",
    "op": "ctr",
    "pid": "56740",
    "ppid": "56702",
    "res": "1",
    "ses": "15",
    "sgid": "0",
    "subj": "unconfined",
    "suid": "0",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1338] msg=audit(1781632713.732:2113127): module=crypt op=ctr ppid=56702 pid=56740 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"cryptsetup\" exe=\"/usr/sbin/cryptsetup\" subj=unconfined dev=253:0 error_msg='success' res=1",
    "AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\""
  ],
  "record_type": "DM_CTRL"
}

Community Notes #

On auditd 3.0.9 (Debian 12) this record logs as type=UNKNOWN[1338] because that auditd predates record type 1338; current auditd names it DM_CTRL. Fires whenever auditing is enabled (audit_enabled), not via a loaded auditctl rule (drivers/md/dm-audit.c:25).

DM_EVENT msgtype 1339

Source: Linux auditd
Message type: 1339
Fires: Emitted by default (no audit rule required)

Description

Device Mapper events

Fields #

Name	Description
`module`	device-mapper target or kernel module name
`op`	the operation being performed that is audited
`dev`	device identifier
`sector`	device-mapper device sector
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "dev": "7:0",
    "module": "verity",
    "op": "verify-data",
    "res": "0",
    "sector": "100"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1339] msg=audit(1781674379.650:245044): module=verity op=verify-data dev=7:0 sector=100 res=0"
  ],
  "record_type": "DM_EVENT"
}

AVC msgtype 1400

Source: Linux auditd
Message type: 1400
Fires: Emitted by default (no audit rule required)

Description

SELinux AVC (Access Vector Cache) denial or grant

Fields #

Name	Description
`pid`	Process ID of the subject
`comm`	Command name of the subject
`path`	Target path, when the full path is resolved
`name`	Target object name, when the full path is not resolved
`dev`	Device of the target object
`ino`	Inode number of the target object
`scontext`	SELinux security context of the subject
`tcontext`	SELinux security context of the target object
`tclass`	Object class of the target (file, dir, sock_file, ...)
`permissive`	SELinux mode at decision time (1 permissive, 0 enforcing)
`ioctlcmd`	The request argument to the ioctl syscall

Example Event #

{
  "fields": {
    "comm": "avcprobe",
    "dev": "vda1",
    "ino": "2",
    "name": "/",
    "permissive": "1",
    "pid": "107789",
    "scontext": "unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023",
    "tclass": "dir",
    "tcontext": "system_u:object_r:root_t:s0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=AVC msg=audit(1781738979.016:2269224): avc:  denied  { search } for  pid=107789 comm=\"avcprobe\" name=\"/\" dev=\"vda1\" ino=2 scontext=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1",
    "node=JD-debian-12-workstation type=AVC msg=audit(1781738979.016:2269224): avc:  denied  { search } for  pid=107789 comm=\"avcprobe\" name=\"etc\" dev=\"vda1\" ino=11010049 scontext=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1",
    "node=JD-debian-12-workstation type=AVC msg=audit(1781738979.016:2269224): avc:  denied  { read } for  pid=107789 comm=\"avcprobe\" name=\"passwd\" dev=\"vda1\" ino=11011862 scontext=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1",
    "node=JD-debian-12-workstation type=AVC msg=audit(1781738979.016:2269224): avc:  denied  { open } for  pid=107789 comm=\"avcprobe\" path=\"/etc/passwd\" dev=\"vda1\" ino=11011862 scontext=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781738979.016:2269224): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=479004 a2=0 a3=22347680 items=1 ppid=107769 pid=107789 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=91 comm=\"avcprobe\" exe=\"/tmp/dwcap/avcprobe\" subj=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 key=\"dwavc\"",
    "ARCH=x86_64 SYSCALL=openat AUID=\"debian\" UID=\"debian\" GID=\"debian\" EUID=\"debian\" SUID=\"debian\" FSUID=\"debian\" EGID=\"debian\" SGID=\"debian\" FSGID=\"debian\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781738979.016:2269224): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781738979.016:2269224): item=0 name=\"/etc/passwd\" inode=11011862 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781738979.016:2269224): proctitle=\"/tmp/dwcap/avcprobe\""
  ],
  "record_type": "AVC"
}

Community Notes #

The stored samples are SELinux-variant AVC records (the collection host ran SELinux in permissive mode), so the fields below are the SELinux access-vector fields. AppArmor reuses type=AVC (1400) but emits a different field set (apparmor=, operation=, profile=, requested_mask=, denied_mask=, target=). The leading 'avc: denied|granted { perm } for' text is the decision preamble, not a key=value field. Sources: security/selinux/avc.c, security/lsm_audit.c.

References #

kernel emit site: security/lsm_audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/lsm_audit.c

SELINUX_ERR msgtype 1401

Source: Linux auditd
Message type: 1401
Fires: Emitted by default (no audit rule required)

Description

Internal SELinux errors

Fields #

Name	Description
`op`	the operation being performed that is audited
`reason`	reason for the operation
`scontext`	the subject's context string
`tcontext`	the target's or object's context string
`tclass`	target's object classification
`perms`	SELinux permissions involved in the error
`seresult`	SELinux access decision result
`oldcontext`	SELinux context before the error
`newcontext`	SELinux context after the error
`taskcontext`	SELinux context of the acting task
`invalid_context`	the SELinux context that failed validation

Example Event #

{
  "fields": {
    "invalid_context": "unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023",
    "op": "security_compute_sid",
    "scontext": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "tclass": "process",
    "tcontext": "unconfined_u:object_r:dwexec_t:s0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=SELINUX_ERR msg=audit(1781732167.209:1214562): op=security_compute_sid invalid_context=\"unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023\" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dwexec_t:s0 tclass=process",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781732167.209:1214562): arch=c000003e syscall=59 success=yes exit=0 a0=5bec7c15fa40 a1=5bec7c163d40 a2=5bec7c161240 a3=45fdd64043621a67 items=1 ppid=39588 pid=39651 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=58 comm=\"dwtrig\" exe=\"/tmp/dwtrig\" subj=unconfined_u:unconfined_r:dwbad_t:s0-s0:c0.c1023 key=\"selerr2\"",
    "ARCH=x86_64 SYSCALL=execve AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=EXECVE msg=audit(1781732167.209:1214562): argc=1 a0=\"/tmp/dwtrig\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781732167.209:1214562): cwd=\"/tmp/recap\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781732167.209:1214562): item=0 name=\"/tmp/dwtrig\" inode=1835021 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:dwexec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781732167.209:1214562): proctitle=\"/tmp/dwtrig\""
  ],
  "record_type": "SELINUX_ERR"
}

References #

kernel emit site: security/selinux/hooks.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/selinux/hooks.c

AVC_PATH msgtype 1402

Source: Linux auditd
Message type: 1402
Fires: Emitted by default (no audit rule required)

Description

dentry, vfsmount pair from AVC

Community Notes #

Not emitted as a distinct record on modern kernels. SELinux inlines the file path into the AVC (1400) record (path= field) via common_lsm_audit; the separate AVC_PATH record is legacy. Verified: security/selinux/avc.c v6.1 has no AUDIT_AVC_PATH emission. A confined-domain file-open denial appears as type=AVC with path=.

MAC_POLICY_LOAD msgtype 1403

Source: Linux auditd
Message type: 1403
Fires: Emitted by default (no audit rule required)

Description

SELinux Policy file load

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`lsm`	security module that produced the record (selinux, apparmor, ...)
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "lsm": "selinux",
    "res": "1",
    "ses": "1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_POLICY_LOAD msg=audit(1781634267.690:528054): auid=1000 ses=1 lsm=selinux res=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_POLICY_LOAD"
}

MAC_STATUS msgtype 1404

Source: Linux auditd
Message type: 1404
Fires: Emitted by default (no audit rule required)

Description

SELinux mode (enforcing, permissive, off) changed

Fields #

Name	Description
`enforcing`	whether enforcing mode is active (1) or permissive (0)
`old_enforcing`	MAC enforcing state before this change
`auid`	login user ID
`ses`	login session ID
`enabled`	MAC enabled state (1 enabled, 0 disabled)
`old-enabled`	MAC enabled state before this change
`lsm`	security module that produced the record (selinux, apparmor, ...)
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "enabled": "1",
    "enforcing": "1",
    "lsm": "selinux",
    "old-enabled": "1",
    "old_enforcing": "0",
    "res": "1",
    "ses": "1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_STATUS msg=audit(1781635211.576:942323): enforcing=1 old_enforcing=0 auid=1000 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_STATUS"
}

MAC_CONFIG_CHANGE msgtype 1405

Source: Linux auditd
Message type: 1405
Fires: Emitted by default (no audit rule required)

Description

SELinux Boolean value modification

Fields #

Name	Description
`bool`	name of SELinux boolean
`val`	value associated with the operation
`old_val`	configuration value before the change
`auid`	login user ID
`ses`	login session ID

Example Event #

{
  "fields": {
    "auid": "1000",
    "bool": "aide_mmap_files",
    "old_val": "0",
    "ses": "1",
    "val": "1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_CONFIG_CHANGE msg=audit(1781634267.903:529179): bool=aide_mmap_files val=1 old_val=0 auid=1000 ses=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_CONFIG_CHANGE"
}

MAC_UNLBL_ALLOW msgtype 1406

Source: Linux auditd
Message type: 1406
Fires: Emitted by default (no audit rule required)

Description

NetLabel: allow unlabeled traffic

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`unlbl_accept`	NetLabel unlabeled-traffic accept flag
`old`	previous value

Example Event #

{
  "fields": {
    "auid": "0",
    "old": "0",
    "ses": "0",
    "subj": "kernel",
    "unlbl_accept": "1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_UNLBL_ALLOW msg=audit(1781634163.940:3): netlabel: auid=0 ses=0 subj=kernel unlbl_accept=1 old=0",
    "AUID=\"root\""
  ],
  "record_type": "MAC_UNLBL_ALLOW"
}

MAC_CIPSOV4_ADD msgtype 1407

Source: Linux auditd
Message type: 1407
Fires: Emitted by default (no audit rule required)

Description

NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`cipso_doi`	CIPSO domain of interpretation
`cipso_type`	CIPSO mapping type
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "cipso_doi": "100",
    "cipso_type": "pass",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_CIPSOV4_ADD msg=audit(1781632713.492:2112345): netlabel: auid=1000 ses=15 subj=unconfined cipso_doi=100 cipso_type=pass res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.492:2112345): arch=c000003e syscall=46 success=yes exit=48 a0=3 a1=7ffe48408fb0 a2=0 a3=7f749dc3a050 items=0 ppid=56702 pid=56718 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"netlabelctl\" exe=\"/usr/sbin/netlabelctl\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632713.492:2112345): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.492:2112345): proctitle=6E65746C6162656C63746C00636970736F763400616464007061737300646F693A31303000746167733A31006C6576656C733A303D30"
  ],
  "record_type": "MAC_CIPSOV4_ADD"
}

MAC_CIPSOV4_DEL msgtype 1408

Source: Linux auditd
Message type: 1408
Fires: Emitted by default (no audit rule required)

Description

NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`cipso_doi`	CIPSO domain of interpretation
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "cipso_doi": "100",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_CIPSOV4_DEL msg=audit(1781632713.512:2112730): netlabel: auid=1000 ses=15 subj=unconfined cipso_doi=100 res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.512:2112730): arch=c000003e syscall=46 success=yes exit=28 a0=3 a1=7ffdb3875560 a2=0 a3=7f164ef2f050 items=0 ppid=56702 pid=56730 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"netlabelctl\" exe=\"/usr/sbin/netlabelctl\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632713.512:2112730): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.512:2112730): proctitle=6E65746C6162656C63746C00636970736F76340064656C00646F693A313030"
  ],
  "record_type": "MAC_CIPSOV4_DEL"
}

MAC_MAP_ADD msgtype 1409

Source: Linux auditd
Message type: 1409
Fires: Emitted by default (no audit rule required)

Description

NetLabel: add LSM (Linux Security Module) domain mapping

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`nlbl_domain`	NetLabel domain mapping name
`nlbl_protocol`	NetLabel protocol for the domain mapping
`cipso_doi`	CIPSO domain of interpretation
`calipso_doi`	CALIPSO domain of interpretation
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "cipso_doi": "100",
    "nlbl_domain": "catalog.test",
    "nlbl_protocol": "cipsov4",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_MAP_ADD msg=audit(1781632713.492:2112401): netlabel: auid=1000 ses=15 subj=unconfined nlbl_domain=catalog.test nlbl_protocol=cipsov4 cipso_doi=100 res=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_MAP_ADD"
}

MAC_MAP_DEL msgtype 1410

Source: Linux auditd
Message type: 1410
Fires: Emitted by default (no audit rule required)

Description

NetLabel: del LSM (Linux Security Module) domain mapping

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`nlbl_domain`	NetLabel domain mapping name
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "nlbl_domain": "catalog.test",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_MAP_DEL msg=audit(1781632713.508:2112660): netlabel: auid=1000 ses=15 subj=unconfined nlbl_domain=catalog.test res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.508:2112660): arch=c000003e syscall=46 success=yes exit=40 a0=3 a1=7ffe062e4fc0 a2=0 a3=7fde3f195050 items=0 ppid=56702 pid=56728 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"netlabelctl\" exe=\"/usr/sbin/netlabelctl\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632713.508:2112660): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.508:2112660): proctitle=6E65746C6162656C63746C006D61700064656C00646F6D61696E3A636174616C6F672E74657374"
  ],
  "record_type": "MAC_MAP_DEL"
}

MAC_IPSEC_ADDSA msgtype 1411

Source: Linux auditd
Message type: 1411
Fires: Emitted by default (no audit rule required)

Description

Not used

Community Notes #

Deprecated: the kernel UAPI header marks this constant 'Not used'. Current kernels emit MAC_IPSEC_EVENT (1415) for xfrm IPsec state and policy changes. Source: include/uapi/linux/audit.h.

MAC_IPSEC_DELSA msgtype 1412

Source: Linux auditd
Message type: 1412
Fires: Emitted by default (no audit rule required)

Description

Not used

Community Notes #

Deprecated: the kernel UAPI header marks this constant 'Not used'. Current kernels emit MAC_IPSEC_EVENT (1415) for xfrm IPsec state and policy changes. Source: include/uapi/linux/audit.h.

MAC_IPSEC_ADDSPD msgtype 1413

Source: Linux auditd
Message type: 1413
Fires: Emitted by default (no audit rule required)

Description

Not used

Community Notes #

Deprecated: the kernel UAPI header marks this constant 'Not used'. Current kernels emit MAC_IPSEC_EVENT (1415) for xfrm IPsec state and policy changes. Source: include/uapi/linux/audit.h.

MAC_IPSEC_DELSPD msgtype 1414

Source: Linux auditd
Message type: 1414
Fires: Emitted by default (no audit rule required)

Description

Not used

Community Notes #

Deprecated: the kernel UAPI header marks this constant 'Not used'. Current kernels emit MAC_IPSEC_EVENT (1415) for xfrm IPsec state and policy changes. Source: include/uapi/linux/audit.h.

MAC_IPSEC_EVENT msgtype 1415

Source: Linux auditd
Message type: 1415
Fires: Emitted by default (no audit rule required)

Description

Audit an IPsec event

Fields #

Name	Description
`op`	the operation being performed that is audited
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`src`	source address of the IPsec security association
`dst`	destination address of the IPsec security association
`spi`	IPsec Security Parameter Index
`src_prefixlen`	source address prefix length
`dst_prefixlen`	destination address prefix length
`sec_obj`	security context label of the IPsec object
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "dst": "192.0.2.2",
    "op": "SAD-add",
    "res": "1",
    "ses": "15",
    "spi": "1(0x1)",
    "src": "192.0.2.1",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_IPSEC_EVENT msg=audit(1781632420.375:1883324): op=SAD-add auid=1000 ses=15 subj=unconfined src=192.0.2.1 dst=192.0.2.2 spi=1(0x1) res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632420.375:1883324): arch=c000003e syscall=46 success=yes exit=432 a0=4 a1=7ffdf4dabb80 a2=0 a3=7ffdf4dabc04 items=0 ppid=51449 pid=51553 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"ip\" exe=\"/usr/bin/ip\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632420.375:1883324): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632420.375:1883324): proctitle=6970007866726D0073746174650061646400737263003139322E302E322E3100647374003139322E302E322E320070726F746F006573700073706900307831006D6F6465007472616E73706F72740061757468007368613235360030783031303230333034303530363037303830393061306230633064306530663130313131"
  ],
  "record_type": "MAC_IPSEC_EVENT"
}

MAC_UNLBL_STCADD msgtype 1416

Source: Linux auditd
Message type: 1416
Fires: Emitted by default (no audit rule required)

Description

NetLabel: add a static label

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`netif`	network interface name
`src`	source address of the IPsec security association
`src_prefixlen`	source address prefix length
`sec_obj`	security context label of the IPsec object
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "netif": "lo",
    "res": "1",
    "sec_obj": "system_u:object_r:unlabeled_t:s0",
    "ses": "1",
    "src": "127.0.0.2",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_UNLBL_STCADD msg=audit(1781635211.636:942601): netlabel: auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 netif=lo src=127.0.0.2 sec_obj=system_u:object_r:unlabeled_t:s0 res=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_UNLBL_STCADD"
}

MAC_UNLBL_STCDEL msgtype 1417

Source: Linux auditd
Message type: 1417
Fires: Emitted by default (no audit rule required)

Description

NetLabel: del a static label

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`netif`	network interface name
`src`	source address of the IPsec security association
`src_prefixlen`	source address prefix length
`sec_obj`	security context label of the IPsec object
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "netif": "lo",
    "res": "1",
    "sec_obj": "system_u:object_r:unlabeled_t:s0",
    "ses": "1",
    "src": "127.0.0.2",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_UNLBL_STCDEL msg=audit(1781635211.640:942667): netlabel: auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 netif=lo src=127.0.0.2 sec_obj=system_u:object_r:unlabeled_t:s0 res=1",
    "AUID=\"debian\""
  ],
  "record_type": "MAC_UNLBL_STCDEL"
}

MAC_CALIPSO_ADD msgtype 1418

Source: Linux auditd
Message type: 1418
Fires: Emitted by default (no audit rule required)

Description

NetLabel: add CALIPSO DOI (Domain of Interpretation) entry

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`calipso_doi`	CALIPSO domain of interpretation
`calipso_type`	CALIPSO mapping type
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "calipso_doi": "200",
    "calipso_type": "pass",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_CALIPSO_ADD msg=audit(1781632713.500:2112517): netlabel: auid=1000 ses=15 subj=unconfined calipso_doi=200 calipso_type=pass res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.500:2112517): arch=c000003e syscall=46 success=yes exit=36 a0=3 a1=7ffd0bc59260 a2=0 a3=7f524c214050 items=0 ppid=56702 pid=56724 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"netlabelctl\" exe=\"/usr/sbin/netlabelctl\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632713.500:2112517): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.500:2112517): proctitle=6E65746C6162656C63746C0063616C6970736F00616464007061737300646F693A323030"
  ],
  "record_type": "MAC_CALIPSO_ADD"
}

MAC_CALIPSO_DEL msgtype 1419

Source: Linux auditd
Message type: 1419
Fires: Emitted by default (no audit rule required)

Description

NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry

Fields #

Name	Description
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`calipso_doi`	CALIPSO domain of interpretation
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "calipso_doi": "200",
    "res": "1",
    "ses": "15",
    "subj": "unconfined"
  },
  "raw": [
    "node=JD-debian-12-workstation type=MAC_CALIPSO_DEL msg=audit(1781632713.516:2112798): netlabel: auid=1000 ses=15 subj=unconfined calipso_doi=200 res=1",
    "AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781632713.516:2112798): arch=c000003e syscall=46 success=yes exit=28 a0=3 a1=7ffddedd1830 a2=0 a3=7f1209fc6050 items=0 ppid=56702 pid=56732 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=\"netlabelctl\" exe=\"/usr/sbin/netlabelctl\" subj=unconfined key=\"T1071_msg_transfer\"",
    "ARCH=x86_64 SYSCALL=sendmsg AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781632713.516:2112798): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781632713.516:2112798): proctitle=6E65746C6162656C63746C0063616C6970736F0064656C00646F693A323030"
  ],
  "record_type": "MAC_CALIPSO_DEL"
}

IPE_ACCESS msgtype 1420

Source: Linux auditd
Message type: 1420
Fires: Emitted by default (no audit rule required)

Description

Integrity Policy Enforcement (IPE) access decision (denial or grant)

Fields #

Name	Description
`ipe_op`	IPE operation being evaluated
`ipe_hook`	IPE enforcement hook point
`enforcing`	whether enforcing mode is active (1) or permissive (0)
`pid`	process ID
`comm`	command line program name
`path`	file system path name
`dev`	device identifier
`ino`	inode number
`rule`	the policy rule that matched
`action`	policy action taken (for example ALLOW or DENY)
`auid`	login user ID
`ses`	login session ID
`lsm`	security module that produced the record (selinux, apparmor, ...)
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation

Example Event #

{
  "fields": {
    "comm": "kexec",
    "dev": "vda1",
    "enforcing": "1",
    "ino": "2490727",
    "ipe_hook": "KERNEL_READ",
    "ipe_op": "KEXEC_IMAGE",
    "path": "/boot/vmlinuz-6.19.14-ipe2",
    "pid": "5215",
    "rule": "op=KEXEC_IMAGE action=DENY"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1420] msg=audit(1781728753.988:612193): ipe_op=KEXEC_IMAGE ipe_hook=KERNEL_READ enforcing=1 pid=5215 comm=\"kexec\" path=\"/boot/vmlinuz-6.19.14-ipe2\" dev=\"vda1\" ino=2490727 rule=\"op=KEXEC_IMAGE action=DENY\""
  ],
  "record_type": "IPE_ACCESS"
}

Community Notes #

Logs as type=UNKNOWN[1420] on current auditd (libaudit's msg_typetab.h does not yet name AUDIT_IPE_ACCESS). Emitted by the IPE LSM (mainline since kernel 6.12) when IPE is enabled; fields documented from the kernel emit site security/ipe/audit.c.

References #

kernel emit site: security/ipe/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/ipe/audit.c

IPE_CONFIG_CHANGE msgtype 1421

Source: Linux auditd
Message type: 1421
Fires: Emitted by default (no audit rule required)

Description

IPE active policy change

Fields #

Name	Description
`old_active_pol_name`	previously active IPE policy name
`old_active_pol_version`	previously active IPE policy version
`new_active_pol_name`	newly active IPE policy name
`new_active_pol_version`	newly active IPE policy version
`auid`	login user ID
`ses`	login session ID
`lsm`	security module that produced the record (selinux, apparmor, ...)
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation

Example Event #

{
  "fields": {
    "auid": "1000",
    "lsm": "ipe",
    "new_active_pol_name": "dwipe2",
    "new_active_pol_version": "1.0.0",
    "new_policy_digest": "sha256:51304269195B26473ACFAF49F0392662A180346AFEA5BFA6D09DD95D748A6B9F",
    "old_active_pol_name": "dwipe",
    "old_active_pol_version": "1.0.0",
    "old_policy_digest": "sha256:1CEE14128A111BD8D0A157CFE6025AB6119DF0589039DA709A949286ABBC6CA5",
    "res": "1",
    "ses": "27"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1421] msg=audit(1781728753.955:612192): old_active_pol_name=\"dwipe\" old_active_pol_version=1.0.0 old_policy_digest=sha256:1CEE14128A111BD8D0A157CFE6025AB6119DF0589039DA709A949286ABBC6CA5 new_active_pol_name=\"dwipe2\" new_active_pol_version=1.0.0 new_policy_digest=sha256:51304269195B26473ACFAF49F0392662A180346AFEA5BFA6D09DD95D748A6B9F auid=1000 ses=27 lsm=ipe res=1",
    "AUID=\"debian\""
  ],
  "record_type": "IPE_CONFIG_CHANGE"
}

Community Notes #

Logs as type=UNKNOWN[1421] on current auditd (libaudit's msg_typetab.h does not yet name AUDIT_IPE_CONFIG_CHANGE). Emitted by the IPE LSM on active-policy change; fields documented from security/ipe/audit.c.

References #

kernel emit site: security/ipe/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/ipe/audit.c

IPE_POLICY_LOAD msgtype 1422

Source: Linux auditd
Message type: 1422
Fires: Emitted by default (no audit rule required)

Description

IPE policy load

Fields #

Name	Description
`policy_name`	IPE policy name
`policy_version`	IPE policy version
`policy_digest`	IPE policy content digest
`auid`	login user ID
`ses`	login session ID
`lsm`	security module that produced the record (selinux, apparmor, ...)
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation

Example Event #

{
  "fields": {
    "auid": "1000",
    "errno": "0",
    "lsm": "ipe",
    "policy_digest": "sha256:51304269195B26473ACFAF49F0392662A180346AFEA5BFA6D09DD95D748A6B9F",
    "policy_name": "dwipe2",
    "policy_version": "1.0.0",
    "res": "1",
    "ses": "27"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1422] msg=audit(1781728753.951:612191): policy_name=\"dwipe2\" policy_version=1.0.0 policy_digest=sha256:51304269195B26473ACFAF49F0392662A180346AFEA5BFA6D09DD95D748A6B9F auid=1000 ses=27 lsm=ipe res=1 errno=0",
    "AUID=\"debian\""
  ],
  "record_type": "IPE_POLICY_LOAD"
}

Community Notes #

Captured on Linux 6.19.14 (lab). Logs as type=UNKNOWN[1422] on auditd 3.0.9 because libaudit's msg_typetab.h does not yet name AUDIT_IPE_POLICY_LOAD. Emitted by the IPE LSM on policy load (security/ipe/audit.c). The captured sample is a rejected unsigned-policy load (res=0 errno=-74 EBADMSG), so the policy_* values are '?'.

References #

kernel emit site: security/ipe/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/ipe/audit.c

LANDLOCK_ACCESS msgtype 1423

Source: Linux auditd
Message type: 1423
Fires: Emitted by default (no audit rule required)

Description

Landlock access denial

Fields #

Name	Description
`domain`	Landlock domain identifier
`blockers`	Landlock access rights that blocked the operation
`path`	file system path name
`dev`	device identifier
`ino`	inode number

Example Event #

{
  "fields": {
    "blockers": "fs.read_file",
    "dev": "vda1",
    "domain": "1dd9c92db",
    "ino": "11011796",
    "path": "/etc/ld.so.cache"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1423] msg=audit(1781666556.057:244234): domain=1dd9c92db blockers=fs.read_file path=\"/etc/ld.so.cache\" dev=\"vda1\" ino=11011796",
    "node=JD-debian-12-workstation type=UNKNOWN[1424] msg=audit(1781666556.057:244234): domain=1dd9c92db status=allocated mode=enforcing pid=6720 uid=1000 exe=\"/tmp/sb2\" comm=\"sb2\"",
    "UID=\"debian\""
  ],
  "record_type": "LANDLOCK_ACCESS"
}

Community Notes #

Captured on Linux 6.19.14 (lab). Logs as type=UNKNOWN[1423] on auditd 3.0.9 (libaudit's msg_typetab.h does not yet name AUDIT_LANDLOCK_ACCESS). Emitted by the Landlock LSM (audit support mainline since kernel 6.15) on a denied access (security/landlock/audit.c). Denial logging is default-on for the restricting exec but commits on the next execve (LANDLOCK_LOG_PENDING).

References #

kernel emit site: security/landlock/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/landlock/audit.c

LANDLOCK_DOMAIN msgtype 1424

Source: Linux auditd
Message type: 1424
Fires: Emitted by default (no audit rule required)

Description

Landlock domain allocation or deallocation status

Fields #

Name	Description
`domain`	Landlock domain identifier
`status`	Landlock domain status (allocated or deallocated)
`mode`	Landlock domain enforcement mode (enforcing)
`pid`	process ID
`uid`	user ID
`exe`	executable name
`comm`	command line program name
`denials`	count of Landlock denials attributed to the domain

Example Event #

{
  "fields": {
    "comm": "sb2",
    "domain": "1dd9c92db",
    "exe": "/tmp/sb2",
    "mode": "enforcing",
    "pid": "6720",
    "status": "allocated",
    "uid": "1000"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1423] msg=audit(1781666556.057:244234): domain=1dd9c92db blockers=fs.read_file path=\"/etc/ld.so.cache\" dev=\"vda1\" ino=11011796",
    "node=JD-debian-12-workstation type=UNKNOWN[1424] msg=audit(1781666556.057:244234): domain=1dd9c92db status=allocated mode=enforcing pid=6720 uid=1000 exe=\"/tmp/sb2\" comm=\"sb2\"",
    "UID=\"debian\""
  ],
  "record_type": "LANDLOCK_DOMAIN"
}

Community Notes #

Captured on Linux 6.19.14 (lab). Logs as type=UNKNOWN[1424] on auditd 3.0.9 (libaudit's msg_typetab.h does not yet name AUDIT_LANDLOCK_DOMAIN). Emitted by the Landlock LSM on domain allocation (status=allocated, with mode/pid/uid/exe/comm) and deallocation (status=deallocated denials=N).

References #

kernel emit site: security/landlock/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/landlock/audit.c

MAC_TASK_CONTEXTS msgtype 1425

Source: Linux auditd
Message type: 1425
Fires: Emitted by default (no audit rule required)

Description

Subject security contexts when multiple LSMs are active

Community Notes #

Logs as type=UNKNOWN[1425] on current auditd (libaudit's msg_typetab.h does not yet name AUDIT_MAC_TASK_CONTEXTS). Companion record the kernel (kernel/audit.c) emits only when more than one LSM is active (stacked LSMs); it carries one subj_<lsm>= field per active module.

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

MAC_OBJ_CONTEXTS msgtype 1426

Source: Linux auditd
Message type: 1426
Fires: Emitted by default (no audit rule required)

Description

Object security contexts when multiple LSMs are active

Community Notes #

Logs as type=UNKNOWN[1426] on current auditd (libaudit's msg_typetab.h does not yet name AUDIT_MAC_OBJ_CONTEXTS). Companion record the kernel (kernel/audit.c) emits only when more than one LSM is active (stacked LSMs); it carries one obj_<lsm>= field per active module.

References #

kernel emit site: kernel/audit.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/audit.c

APPARMOR msgtype 1500

Source: Linux auditd
Message type: 1500
Fires: Emitted by default (no audit rule required)

Description

AppArmor LSM audit event

Community Notes #

Never reaches the log as a distinct type. AppArmor sets this constant internally to select the apparmor= field value, but the record is emitted as type=AVC (1400): common_lsm_audit() hardcodes AUDIT_AVC and ignores the caller type. AppArmor events appear as AVC records carrying an apparmor= field. Sources: security/apparmor/audit.c, security/lsm_audit.c.

APPARMOR_AUDIT msgtype 1501

Source: Linux auditd
Message type: 1501
Fires: Emitted by default (no audit rule required)

Description

AppArmor access decision logged in audit mode

Community Notes #

APPARMOR_ALLOWED msgtype 1502

Source: Linux auditd
Message type: 1502
Fires: Emitted by default (no audit rule required)

Description

AppArmor access allowed (complain or learning mode)

Community Notes #

APPARMOR_DENIED msgtype 1503

Source: Linux auditd
Message type: 1503
Fires: Emitted by default (no audit rule required)

Description

AppArmor access denied in enforce mode

Community Notes #

APPARMOR_HINT msgtype 1504

Source: Linux auditd
Message type: 1504
Fires: Emitted by default (no audit rule required)

Description

AppArmor reserved audit type (unused in the current kernel)

Community Notes #

APPARMOR_STATUS msgtype 1505

Source: Linux auditd
Message type: 1505
Fires: Emitted by default (no audit rule required)

Description

AppArmor policy load or status change

Community Notes #

APPARMOR_ERROR msgtype 1506

Source: Linux auditd
Message type: 1506
Fires: Emitted by default (no audit rule required)

Description

AppArmor internal error

Community Notes #

APPARMOR_KILL msgtype 1507

Source: Linux auditd
Message type: 1507
Fires: Emitted by default (no audit rule required)

Description

AppArmor access denied with task kill

Community Notes #

ANOM_PROMISCUOUS msgtype 1700

Source: Linux auditd
Message type: 1700
Fires: Emitted by default (no audit rule required)

Description

Device changed promiscuous mode

Fields #

Name	Description
`dev`	Network device name
`prom`	Promiscuous mode state (256 for on, 0 for off)
`old_prom`	Previous promiscuous mode state
`auid`	Audit user ID (login UID)
`uid`	User ID
`gid`	Group ID
`ses`	Session ID

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "dev": "vethe2919bc",
    "gid": "0",
    "old_prom": "0",
    "prom": "256",
    "ses": "4294967295",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_PROMISCUOUS msg=audit(1781634257.762:512597): dev=vethe2919bc prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295",
    "AUID=\"unset\" UID=\"root\" GID=\"root\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634257.762:512597): arch=c000003e syscall=44 success=yes exit=40 a0=f a1=2442de196c00 a2=28 a3=0 items=0 ppid=1 pid=671 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"dockerd\" exe=\"/usr/bin/dockerd\" subj=system_u:system_r:initrc_t:s0 key=\"T1071_data_transfer\"",
    "ARCH=x86_64 SYSCALL=sendto AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=SOCKADDR msg=audit(1781634257.762:512597): saddr=100000000000000000000000",
    "SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634257.762:512597): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B"
  ],
  "record_type": "ANOM_PROMISCUOUS"
}

ANOM_ABEND msgtype 1701

Source: Linux auditd
Message type: 1701
Fires: Emitted by default (no audit rule required)

Description

Process ended abnormally

Fields #

Name	Description
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`ses`	login session ID
`subj`	lspp subject's context string
`pid`	process ID
`comm`	command line program name
`exe`	executable name
`sig`	signal number
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "python3",
    "exe": "/usr/bin/python3.11",
    "gid": "0",
    "pid": "2916",
    "res": "1",
    "ses": "1",
    "sig": "6",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_ABEND msg=audit(1781634272.640:540321): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2916 comm=\"python3\" exe=\"/usr/bin/python3.11\" sig=6 res=1",
    "AUID=\"debian\" UID=\"root\" GID=\"root\""
  ],
  "record_type": "ANOM_ABEND"
}

References #

kernel emit site: kernel/auditsc.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/kernel/auditsc.c

ANOM_LINK msgtype 1702

Source: Linux auditd
Message type: 1702
Fires: Emitted by default (no audit rule required)

Description

Suspicious use of file links

Fields #

Name	Description
`op`	the operation being performed that is audited
`ppid`	parent process ID
`pid`	process ID
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`comm`	command line program name
`exe`	executable name
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "python3",
    "egid": "65534",
    "euid": "65534",
    "exe": "/usr/bin/python3.11",
    "fsgid": "65534",
    "fsuid": "65534",
    "gid": "65534",
    "op": "linkat",
    "pid": "2923",
    "ppid": "2922",
    "res": "0",
    "ses": "1",
    "sgid": "65534",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "suid": "65534",
    "tty": "(none)",
    "uid": "65534"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LINK msg=audit(1781634272.680:540622): op=linkat ppid=2922 pid=2923 auid=1000 uid=65534 gid=65534 euid=65534 suid=65534 fsuid=65534 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=1 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=0",
    "AUID=\"debian\" UID=\"nobody\" GID=\"nogroup\" EUID=\"nobody\" SUID=\"nobody\" FSUID=\"nobody\" EGID=\"nogroup\" SGID=\"nogroup\" FSGID=\"nogroup\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781634272.680:540622): arch=c000003e syscall=86 success=no exit=-1 a0=7fd459e6e570 a1=7fd459e6e540 a2=0 a3=7fd459e9ba18 items=2 ppid=2922 pid=2923 auid=1000 uid=65534 gid=65534 euid=65534 suid=65534 fsuid=65534 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=1 comm=\"python3\" exe=\"/usr/bin/python3.11\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"T1136_identity_file\"",
    "ARCH=x86_64 SYSCALL=link AUID=\"debian\" UID=\"nobody\" GID=\"nogroup\" EUID=\"nobody\" SUID=\"nobody\" FSUID=\"nobody\" EGID=\"nogroup\" SGID=\"nogroup\" FSGID=\"nogroup\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781634272.680:540622): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634272.680:540622): item=0 name=\"/tmp/\" inode=1835009 dev=fe:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781634272.680:540622): item=1 name=\"/etc/passwd\" inode=11011764 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"root\" OGID=\"root\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781634272.680:540622): proctitle=7375646F002D75006E6F626F647900707974686F6E33002D6300696D706F7274206F730A7472793A206F732E6C696E6B28272F6574632F706173737764272C272F746D702F72336C696E6B27290A657863657074204F534572726F723A2070617373"
  ],
  "record_type": "ANOM_LINK"
}

ANOM_CREAT msgtype 1703

Source: Linux auditd
Message type: 1703
Fires: Emitted by default (no audit rule required)

Description

Suspicious file creation

Fields #

Name	Description
`op`	the operation being performed that is audited
`ppid`	parent process ID
`pid`	process ID
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`comm`	command line program name
`exe`	executable name
`subj`	lspp subject's context string
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "auid": "1000",
    "comm": "bash",
    "egid": "65534",
    "euid": "65534",
    "exe": "/usr/bin/bash",
    "fsgid": "65534",
    "fsuid": "65534",
    "gid": "65534",
    "op": "sticky_create",
    "pid": "84413",
    "ppid": "84412",
    "res": "0",
    "ses": "49",
    "sgid": "65534",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "suid": "65534",
    "tty": "(none)",
    "uid": "65534"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_CREAT msg=audit(1781674283.166:244935): op=sticky_create ppid=84412 pid=84413 auid=1000 uid=65534 gid=65534 euid=65534 suid=65534 fsuid=65534 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=49 comm=\"bash\" exe=\"/usr/bin/bash\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=0",
    "AUID=\"debian\" UID=\"nobody\" GID=\"nogroup\" EUID=\"nobody\" SUID=\"nobody\" FSUID=\"nobody\" EGID=\"nogroup\" SGID=\"nogroup\" FSGID=\"nogroup\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781674283.166:244935): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=634277626d20 a2=241 a3=1b6 items=1 ppid=84412 pid=84413 auid=1000 uid=65534 gid=65534 euid=65534 suid=65534 fsuid=65534 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=49 comm=\"bash\" exe=\"/usr/bin/bash\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"anomcreat\"",
    "ARCH=x86_64 SYSCALL=openat AUID=\"debian\" UID=\"nobody\" GID=\"nogroup\" EUID=\"nobody\" SUID=\"nobody\" FSUID=\"nobody\" EGID=\"nogroup\" SGID=\"nogroup\" FSGID=\"nogroup\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781674283.166:244935): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781674283.166:244935): item=0 name=\"/tmp/stickytest/victim\" inode=4757372 dev=fd:01 mode=0100666 ouid=1 ogid=1 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"daemon\" OGID=\"daemon\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781674283.166:244935): proctitle=62617368002D63006563686F20686178203E202F746D702F737469636B79746573742F76696374696D"
  ],
  "record_type": "ANOM_CREAT"
}

INTEGRITY_DATA msgtype 1800

Source: Linux auditd
Message type: 1800
Fires: Emitted by default (no audit rule required)

Description

Data integrity verification

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`cause`	reason the integrity operation produced this result
`comm`	command line program name
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation
`name`	file name in avcs
`dev`	device identifier
`ino`	inode number

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "cause": "missing-hash",
    "comm": "erts_dios_2",
    "dev": "overlay",
    "errno": "0",
    "ino": "3816061",
    "name": "/opt/erlang/lib/erlang/lib/kernel-9.2.4.10/ebin/erl_boot_server.beam",
    "op": "appraise_data",
    "pid": "1464",
    "res": "0",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_DATA msg=audit(1781635478.609:548189): pid=1464 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 op=appraise_data cause=missing-hash comm=\"erts_dios_2\" name=\"/opt/erlang/lib/erlang/lib/kernel-9.2.4.10/ebin/erl_boot_server.beam\" dev=\"overlay\" ino=3816061 res=0 errno=0",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "INTEGRITY_DATA"
}

INTEGRITY_METADATA msgtype 1801

Source: Linux auditd
Message type: 1801
Fires: Emitted by default (no audit rule required)

Description

Metadata integrity verification

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`cause`	reason the integrity operation produced this result
`comm`	command line program name
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation
`name`	file name in avcs
`dev`	device identifier
`ino`	inode number

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "cause": "no_label",
    "comm": "dockerd",
    "dev": "vda1",
    "errno": "0",
    "ino": "4756199",
    "name": "hostname",
    "op": "appraise_metadata",
    "pid": "737",
    "res": "0",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_METADATA msg=audit(1781644799.132:3070202): pid=737 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 op=appraise_metadata cause=no_label comm=\"dockerd\" name=\"hostname\" dev=\"vda1\" ino=4756199 res=0 errno=0",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "INTEGRITY_METADATA"
}

INTEGRITY_STATUS msgtype 1802

Source: Linux auditd
Message type: 1802
Fires: Emitted by default (no audit rule required)

Description

Integrity enable status

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`cause`	reason the integrity operation produced this result
`comm`	command line program name
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation

Example Event #

{
  "fields": {
    "auid": "1000",
    "cause": "completed",
    "comm": "tee",
    "errno": "0",
    "op": "policy_update",
    "pid": "76552",
    "res": "1",
    "ses": "15",
    "subj": "unconfined",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_STATUS msg=audit(1781633139.102:2169048): pid=76552 uid=0 auid=1000 ses=15 subj=unconfined op=policy_update cause=completed comm=\"tee\" res=1 errno=0",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "INTEGRITY_STATUS"
}

INTEGRITY_HASH msgtype 1803

Source: Linux auditd
Message type: 1803
Fires: Emitted by default (no audit rule required)

Description

Integrity HASH type

Community Notes #

Not reachable on the stock Debian kernel. This record fires from an IMA hash-action policy rule, but adding such a rule at runtime requires CONFIG_IMA_WRITE_POLICY=y, which is off on the Debian 6.1 kernel (its IMA policy is fixed at boot via the ima_appraise= cmdline). Capturing it would need a custom-kernel build. Source: security/integrity/ima/ima_policy.c, verified against the Debian kernel config.

INTEGRITY_PCR msgtype 1804

Source: Linux auditd
Message type: 1804
Fires: Emitted by default (no audit rule required)

Description

PCR (Platform Configuration Register) invalidation messages

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`cause`	reason the integrity operation produced this result
`comm`	command line program name
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation
`name`	file name in avcs
`dev`	device identifier
`ino`	inode number

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "cause": "open_writers",
    "comm": "journalctl",
    "dev": "vda1",
    "errno": "0",
    "ino": "2887054",
    "name": "/var/log/journal/370e939bc3344c2e8efe8cb82c4bc43a/system.journal",
    "op": "invalid_pcr",
    "pid": "744",
    "res": "1",
    "ses": "4294967295",
    "subj": "system_u:system_r:initrc_t:s0",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_PCR msg=audit(1781635954.969:374954): pid=744 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 op=invalid_pcr cause=open_writers comm=\"journalctl\" name=\"/var/log/journal/370e939bc3344c2e8efe8cb82c4bc43a/system.journal\" dev=\"vda1\" ino=2887054 res=1 errno=0",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "INTEGRITY_PCR"
}

INTEGRITY_RULE msgtype 1805

Source: Linux auditd
Message type: 1805
Fires: Emitted by default (no audit rule required)

Description

Integrity Policy action

Fields #

Name	Description
`file`	file name
`hash`	hash of the IMA policy or measured file
`ppid`	parent process ID
`pid`	process ID
`auid`	login user ID
`uid`	user ID
`gid`	group ID
`euid`	effective user ID
`suid`	sent user ID
`fsuid`	file system user ID
`egid`	effective group ID
`sgid`	set group ID
`fsgid`	file system group ID
`tty`	tty udevice the user is running programs on
`ses`	login session ID
`comm`	command line program name
`exe`	executable name
`subj`	lspp subject's context string

Example Event #

{
  "fields": {
    "auid": "4294967295",
    "comm": "sh",
    "egid": "0",
    "euid": "0",
    "exe": "/bin/busybox",
    "file": "/health_check.sh",
    "fsgid": "0",
    "fsuid": "0",
    "gid": "0",
    "hash": "sha256:38744345348ee83905d0f018826d9baa84704d55c3ed1babe13c62e32064be3a",
    "pid": "76553",
    "ppid": "76539",
    "ses": "4294967295",
    "sgid": "0",
    "subj": "unconfined",
    "suid": "0",
    "tty": "(none)",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_RULE msg=audit(1781633139.126:2169049): file=\"/health_check.sh\" hash=\"sha256:38744345348ee83905d0f018826d9baa84704d55c3ed1babe13c62e32064be3a\" ppid=76539 pid=76553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sh\" exe=\"/bin/busybox\" subj=unconfined",
    "AUID=\"unset\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\""
  ],
  "record_type": "INTEGRITY_RULE"
}

References #

kernel emit site: security/integrity/ima/ima_api.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/integrity/ima/ima_api.c

INTEGRITY_EVM_XATTR msgtype 1806

Source: Linux auditd
Message type: 1806
Fires: Emitted by default (no audit rule required)

Description

EVM XATTRS modifications

Fields #

Name	Description
`xattr`	extended attribute name involved in the EVM operation
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "res": "0",
    "xattr": "security.detectionwiki"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_EVM_XATTR msg=audit(1781674118.342:244839): xattr=\"security.detectionwiki\" res=0"
  ],
  "record_type": "INTEGRITY_EVM_XATTR"
}

References #

kernel emit site: security/integrity/evm/evm_secfs.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/integrity/evm/evm_secfs.c

INTEGRITY_POLICY_RULE msgtype 1807

Source: Linux auditd
Message type: 1807
Fires: Emitted by default (no audit rule required)

Description

Integrity Policy rule

Fields #

Name	Description
`action`	policy action taken (for example ALLOW or DENY)
`res`	result of the audited operation(success/fail)
`func`	IMA policy hook the rule applies to
`mask`	IMA policy permission mask the rule matches

Example Event #

{
  "fields": {
    "action": "measure",
    "func": "BPRM_CHECK",
    "res": "1"
  },
  "raw": [
    "node=JD-debian-12-workstation type=INTEGRITY_POLICY_RULE msg=audit(1781633139.102:2169045): action=measure func=BPRM_CHECK res=1"
  ],
  "record_type": "INTEGRITY_POLICY_RULE"
}

References #

kernel emit site: security/integrity/ima/ima_policy.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/integrity/ima/ima_policy.c

INTEGRITY_USERSPACE msgtype 1808

Source: Linux auditd
Message type: 1808
Fires: Emitted by default (no audit rule required)

Description

IMA appraisal of userspace-supplied data

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`cause`	reason the integrity operation produced this result
`comm`	command line program name
`res`	result of the audited operation(success/fail)
`errno`	error code of the audited operation
`name`	file name in avcs
`dev`	device identifier
`ino`	inode number

Example Event #

{
  "fields": {
    "auid": "1000",
    "cause": "missing-hash",
    "comm": "dwtrigger",
    "dev": "vda1",
    "errno": "0",
    "ino": "2887116",
    "name": "/var/tmp/dwexec",
    "op": "appraise_data",
    "pid": "100540",
    "res": "0",
    "ses": "72",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=UNKNOWN[1808] msg=audit(1781719000.505:245392): pid=100540 uid=0 auid=1000 ses=72 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data cause=missing-hash comm=\"dwtrigger\" name=\"/var/tmp/dwexec\" dev=\"vda1\" ino=2887116 res=0 errno=0",
    "UID=\"root\" AUID=\"debian\"",
    "node=JD-debian-12-workstation type=SYSCALL msg=audit(1781719000.505:245392): arch=c000003e syscall=322 success=no exit=-13 a0=3 a1=612293e7800d a2=7ffee3d07a58 a3=7ffee3d07a50 items=1 ppid=100522 pid=100540 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=72 comm=\"dwtrigger\" exe=\"/var/tmp/dwtrigger\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"integuser\"",
    "ARCH=x86_64 SYSCALL=execveat AUID=\"debian\" UID=\"root\" GID=\"root\" EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" FSGID=\"root\"",
    "node=JD-debian-12-workstation type=CWD msg=audit(1781719000.505:245392): cwd=\"/home/debian\"",
    "node=JD-debian-12-workstation type=PATH msg=audit(1781719000.505:245392): item=0 name=\"\" inode=2887116 dev=fd:01 mode=0100755 ouid=9999 ogid=9999 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0",
    "OUID=\"unknown(9999)\" OGID=\"unknown(9999)\"",
    "node=JD-debian-12-workstation type=PROCTITLE msg=audit(1781719000.505:245392): proctitle=2F7661722F746D702F647774726967676572002F7661722F746D702F647765786563"
  ],
  "record_type": "INTEGRITY_USERSPACE"
}

Community Notes #

Logs as type=UNKNOWN[1808] on current auditd (libaudit's msg_typetab.h does not yet name AUDIT_INTEGRITY_USERSPACE). Emitted by IMA (security/integrity/ima/ima_appraise.c) when appraising userspace-supplied data.

References #

kernel emit site: security/integrity/ima/ima_appraise.c https://github.com/torvalds/linux/blob/f3e334fb7f82cd63734faeb395419ab713b4bb5c/security/integrity/ima/ima_appraise.c

KERNEL msgtype 2000

Source: Linux auditd
Message type: 2000
Fires: Emitted by default (no audit rule required)

Description

Kernel audit status

Fields #

Name	Description
`state`	audit daemon configuration resulting state
`audit_enabled`	audit subsystem enabled state
`res`	result of the audited operation(success/fail)

Community Notes #

Asynchronous kernel audit-status record emitted at audit subsystem initialization. Queued before auditd connects and not observed in the on-disk log on Debian 12 / kernel 6.1.

ANOM_LOGIN_FAILURES msgtype 2100

Source: Linux auditd
Message type: 2100
Fires: Emitted by default (no audit rule required)

Description

Failed login limit reached

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "failures": "3",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_FAILURES msg=audit(1781634271.619:539463): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_FAILURES op=login acct=\"catalog\" failures=3 res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_FAILURES"
}

Community Notes #

ANOM_LOGIN_TIME msgtype 2101

Source: Linux auditd
Message type: 2101
Fires: Emitted by default (no audit rule required)

Description

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_TIME msg=audit(1781634271.619:539470): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_TIME op=login acct=\"catalog\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_TIME"
}

Community Notes #

ANOM_LOGIN_SESSIONS msgtype 2102

Source: Linux auditd
Message type: 2102
Fires: Emitted by default (no audit rule required)

Description

Maximum concurrent sessions reached

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "maxsessions": "1",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_SESSIONS msg=audit(1781634271.619:539477): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_SESSIONS op=login acct=\"catalog\" maxsessions=1 res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_SESSIONS"
}

Community Notes #

ANOM_LOGIN_ACCT msgtype 2103

Source: Linux auditd
Message type: 2103
Fires: Emitted by default (no audit rule required)

Description

Fields #

Name	Description
`acct`	a user's account name
`daddr`	remote IP address

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_ACCT msg=audit(1781634271.619:539484): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_ACCT op=login acct=\"catalog\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_ACCT"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Field-name caveat: the real upstream emitter (audisp-ids origin.c:212) uses acct= and daddr=; this synthetic sample omits daddr= and adds a non-standard op=.

ANOM_LOGIN_LOCATION msgtype 2104

Source: Linux auditd
Message type: 2104
Fires: Emitted by default (no audit rule required)

Description

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "198.51.100.9",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_LOCATION msg=audit(1781634271.619:539491): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_LOCATION op=login acct=\"catalog\" addr=198.51.100.9 res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_LOCATION"
}

Community Notes #

ANOM_MAX_DAC msgtype 2105

Source: Linux auditd
Message type: 2105
Fires: Emitted by default (no audit rule required)

Description

Max DAC (Discretionary Access Control) failures reached

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "dac-check",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_MAX_DAC msg=audit(1781634271.619:539498): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_MAX_DAC op=dac-check acct=\"catalog\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_MAX_DAC"
}

Community Notes #

ANOM_MAX_MAC msgtype 2106

Source: Linux auditd
Message type: 2106
Fires: Emitted by default (no audit rule required)

Description

Max MAC (Mandatory Access Control) failures reached

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "mac-check",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_MAX_MAC msg=audit(1781634271.619:539505): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_MAX_MAC op=mac-check acct=\"catalog\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_MAX_MAC"
}

Community Notes #

ANOM_AMTU_FAIL msgtype 2107

Source: Linux auditd
Message type: 2107
Fires: Emitted by default (no audit rule required)

Description

AMTU (Abstract Machine Test Utility) failure

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "amtu",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_AMTU_FAIL msg=audit(1781634271.619:539512): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_AMTU_FAIL op=amtu res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_AMTU_FAIL"
}

Community Notes #

ANOM_RBAC_FAIL msgtype 2108

Source: Linux auditd
Message type: 2108
Fires: Emitted by default (no audit rule required)

Description

RBAC (Role-Based Access Control) self test failure

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "rbac-check",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_RBAC_FAIL msg=audit(1781634271.619:539519): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_RBAC_FAIL op=rbac-check res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_RBAC_FAIL"
}

Community Notes #

ANOM_RBAC_INTEGRITY_FAIL msgtype 2109

Source: Linux auditd
Message type: 2109
Fires: Emitted by default (no audit rule required)

Description

RBAC (Role-Based Access Control) file integrity test failure

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "rbac-integrity",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_RBAC_INTEGRITY_FAIL msg=audit(1781634271.619:539526): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_RBAC_INTEGRITY_FAIL op=rbac-integrity res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_RBAC_INTEGRITY_FAIL"
}

Community Notes #

ANOM_CRYPTO_FAIL msgtype 2110

Source: Linux auditd
Message type: 2110
Fires: Emitted by default (no audit rule required)

Description

Crypto system test failure

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "crypto",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_CRYPTO_FAIL msg=audit(1781634271.619:539533): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_CRYPTO_FAIL op=crypto res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_CRYPTO_FAIL"
}

Community Notes #

ANOM_ACCESS_FS msgtype 2111

Source: Linux auditd
Message type: 2111
Fires: Emitted by default (no audit rule required)

Description

Access of file or directory ended abnormally

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "fs-access",
    "path": "/etc/shadow",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_ACCESS_FS msg=audit(1781634271.619:539540): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_ACCESS_FS op=fs-access path=\"/etc/shadow\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_ACCESS_FS"
}

Community Notes #

ANOM_EXEC msgtype 2112

Source: Linux auditd
Message type: 2112
Fires: Emitted by default (no audit rule required)

Description

Execution of file ended abnormally

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "cmd": "/tmp/suspicious",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "exec",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_EXEC msg=audit(1781634271.619:539547): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_EXEC op=exec cmd=\"/tmp/suspicious\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_EXEC"
}

Community Notes #

ANOM_MK_EXEC msgtype 2113

Source: Linux auditd
Message type: 2113
Fires: Emitted by default (no audit rule required)

Description

Make an executable

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "mk-exec",
    "path": "/tmp/x",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_MK_EXEC msg=audit(1781634271.619:539554): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_MK_EXEC op=mk-exec path=\"/tmp/x\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_MK_EXEC"
}

Community Notes #

ANOM_ADD_ACCT msgtype 2114

Source: Linux auditd
Message type: 2114
Fires: Emitted by default (no audit rule required)

Description

Adding a user account ended abnormally

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "add-acct",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_ADD_ACCT msg=audit(1781634271.619:539561): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_ADD_ACCT op=add-acct acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_ADD_ACCT"
}

Community Notes #

ANOM_DEL_ACCT msgtype 2115

Source: Linux auditd
Message type: 2115
Fires: Emitted by default (no audit rule required)

Description

Deleting a user account ended abnormally

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "del-acct",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_DEL_ACCT msg=audit(1781634271.619:539568): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_DEL_ACCT op=del-acct acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_DEL_ACCT"
}

Community Notes #

ANOM_MOD_ACCT msgtype 2116

Source: Linux auditd
Message type: 2116
Fires: Emitted by default (no audit rule required)

Description

Changing an account ended abnormally

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "mod-acct",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_MOD_ACCT msg=audit(1781634271.619:539575): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_MOD_ACCT op=mod-acct acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_MOD_ACCT"
}

Community Notes #

ANOM_ROOT_TRANS msgtype 2117

Source: Linux auditd
Message type: 2117
Fires: Emitted by default (no audit rule required)

Description

User became root

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "root-trans",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_ROOT_TRANS msg=audit(1781634271.619:539582): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_ROOT_TRANS op=root-trans acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_ROOT_TRANS"
}

Community Notes #

ANOM_LOGIN_SERVICE msgtype 2118

Source: Linux auditd
Message type: 2118
Fires: Emitted by default (no audit rule required)

Description

Service acct attempted login

Fields #

Name	Description
`acct`	a user's account name
`daddr`	remote IP address

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "svc": "sshd",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_SERVICE msg=audit(1781634271.619:539589): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_SERVICE op=login svc=sshd res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_SERVICE"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Field-name caveat: the real upstream emitter (audisp-ids origin.c:200) uses acct= and daddr=; this synthetic sample's op=/svc= field names do not match production logs.

ANOM_LOGIN_ROOT msgtype 2119

Source: Linux auditd
Message type: 2119
Fires: Emitted by default (no audit rule required)

Description

Root login attempted

Example Event #

{
  "fields": {
    "acct": "root",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "login",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_LOGIN_ROOT msg=audit(1781634271.619:539596): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_LOGIN_ROOT op=login acct=\"root\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_LOGIN_ROOT"
}

Community Notes #

ANOM_ORIGIN_FAILURES msgtype 2120

Source: Linux auditd
Message type: 2120
Fires: Emitted by default (no audit rule required)

Description

Origin has too many failed login attempts

Example Event #

{
  "fields": {
    "addr": "198.51.100.9",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "failures": "5",
    "hostname": "?",
    "op": "origin",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_ORIGIN_FAILURES msg=audit(1781634271.619:539603): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_ORIGIN_FAILURES op=origin addr=198.51.100.9 failures=5 res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_ORIGIN_FAILURES"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Emission caveat: upstream audisp-ids never writes this record; its log_audit_event call is a commented-out TODO (model_bad_event.c:162, model_behavior.c:129). Only custom plugins emit it.

ANOM_SESSION msgtype 2121

Source: Linux auditd
Message type: 2121
Fires: Emitted by default (no audit rule required)

Description

The user session is bad

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "session",
    "pid": "2324",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ANOM_SESSION msg=audit(1781634271.619:539610): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='ANOM_SESSION op=session acct=\"catalog\" res=failed exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "ANOM_SESSION"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Emission caveat: upstream audisp-ids never writes this record; its log_audit_event call is a commented-out TODO (model_behavior.c:117). Only custom plugins emit it.

RESP_ANOMALY msgtype 2200

Source: Linux auditd
Message type: 2200
Fires: Emitted by default (no audit rule required)

Description

Anomaly not reacted to

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "anomaly-detected",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ANOMALY msg=audit(1781634271.619:539617): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ANOMALY op=anomaly-detected res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ANOMALY"
}

Community Notes #

RESP_ALERT msgtype 2201

Source: Linux auditd
Message type: 2201
Fires: Emitted by default (no audit rule required)

Description

Alert notification action (email or log): the email/log reactions are unimplemented FIXME stubs in upstream audisp-ids 3.x (reactions.c:370-372); emittable by custom plugins

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "alert",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ALERT msg=audit(1781634258.314:513673): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ALERT op=alert res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ALERT"
}

Community Notes #

RESP_KILL_PROC msgtype 2202

Source: Linux auditd
Message type: 2202
Fires: Emitted by default (no audit rule required)

Description

Kill program

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "kill-process",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_KILL_PROC msg=audit(1781634271.619:539631): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_KILL_PROC op=kill-process pid=12345 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_KILL_PROC"
}

Community Notes #

RESP_TERM_ACCESS msgtype 2203

Source: Linux auditd
Message type: 2203
Fires: Emitted by default (no audit rule required)

Description

Terminate session

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "terminate-session",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_TERM_ACCESS msg=audit(1781634271.619:539638): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_TERM_ACCESS op=terminate-session res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_TERM_ACCESS"
}

Community Notes #

RESP_ACCT_REMOTE msgtype 2204

Source: Linux auditd
Message type: 2204
Fires: Emitted by default (no audit rule required)

Description

User account locked from remote access

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "lock-acct-remote",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ACCT_REMOTE msg=audit(1781634271.623:539645): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ACCT_REMOTE op=lock-acct-remote acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ACCT_REMOTE"
}

Community Notes #

RESP_ACCT_LOCK_TIMED msgtype 2205

Source: Linux auditd
Message type: 2205
Fires: Emitted by default (no audit rule required)

Description

User account locked for time

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "lock-acct-timed",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "timeout": "600",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ACCT_LOCK_TIMED msg=audit(1781634271.623:539652): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ACCT_LOCK_TIMED op=lock-acct-timed acct=\"catalog\" timeout=600 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ACCT_LOCK_TIMED"
}

Community Notes #

RESP_ACCT_UNLOCK_TIMED msgtype 2206

Source: Linux auditd
Message type: 2206
Fires: Emitted by default (no audit rule required)

Description

User account unlocked from time

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "unlock-acct-timed",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ACCT_UNLOCK_TIMED msg=audit(1781634271.623:539659): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ACCT_UNLOCK_TIMED op=unlock-acct-timed acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ACCT_UNLOCK_TIMED"
}

Community Notes #

RESP_ACCT_LOCK msgtype 2207

Source: Linux auditd
Message type: 2207
Fires: Emitted by default (no audit rule required)

Description

User account was locked

Example Event #

{
  "fields": {
    "acct": "catalog",
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "lock-acct",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ACCT_LOCK msg=audit(1781634271.623:539667): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ACCT_LOCK op=lock-acct acct=\"catalog\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ACCT_LOCK"
}

Community Notes #

RESP_TERM_LOCK msgtype 2208

Source: Linux auditd
Message type: 2208
Fires: Emitted by default (no audit rule required)

Description

Terminal was locked

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "lock-session",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_TERM_LOCK msg=audit(1781634271.623:539674): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_TERM_LOCK op=lock-session res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_TERM_LOCK"
}

Community Notes #

RESP_SEBOOL msgtype 2209

Source: Linux auditd
Message type: 2209
Fires: Emitted by default (no audit rule required)

Description

Set an SELinux boolean

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "bool": "httpd_enable_homedirs",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "set-sebool",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0",
    "val": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_SEBOOL msg=audit(1781634271.623:539681): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_SEBOOL op=set-sebool bool=httpd_enable_homedirs val=0 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_SEBOOL"
}

Community Notes #

RESP_EXEC msgtype 2210

Source: Linux auditd
Message type: 2210
Fires: Emitted by default (no audit rule required)

Description

Execute a script

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "cmd": "/usr/local/sbin/respond",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "exec-response",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_EXEC msg=audit(1781634271.623:539688): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_EXEC op=exec-response cmd=\"/usr/local/sbin/respond\" res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_EXEC"
}

Community Notes #

RESP_SINGLE msgtype 2211

Source: Linux auditd
Message type: 2211
Fires: Emitted by default (no audit rule required)

Description

Go to single user mode

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "single-user-mode",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_SINGLE msg=audit(1781634271.623:539695): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_SINGLE op=single-user-mode res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_SINGLE"
}

Community Notes #

RESP_HALT msgtype 2212

Source: Linux auditd
Message type: 2212
Fires: Emitted by default (no audit rule required)

Description

Take the system down

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "halt",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_HALT msg=audit(1781634271.623:539702): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_HALT op=halt res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_HALT"
}

Community Notes #

RESP_ORIGIN_BLOCK msgtype 2213

Source: Linux auditd
Message type: 2213
Fires: Emitted by default (no audit rule required)

Description

Remote address blocked by firewall rule (iptables or nftables depending on system configuration)

Fields #

Name	Description
`daddr`	remote IP address
`reason`	reason for the operation
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "198.51.100.9",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "block-origin",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ORIGIN_BLOCK msg=audit(1781634258.314:513680): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ORIGIN_BLOCK op=block-origin addr=198.51.100.9 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ORIGIN_BLOCK"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Field-name caveat: the real upstream emitter (audisp-ids reactions.c:297) uses daddr= and reason=; this synthetic sample's addr=/op= field names do not match production logs.

RESP_ORIGIN_BLOCK_TIMED msgtype 2214

Source: Linux auditd
Message type: 2214
Fires: Emitted by default (no audit rule required)

Description

Address blocked for time

Fields #

Name	Description
`daddr`	remote IP address
`reason`	reason for the operation
`time_out`	block timeout in seconds for the timed response
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "198.51.100.9",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "block-origin-timed",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "timeout": "600",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ORIGIN_BLOCK_TIMED msg=audit(1781634271.627:539743): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ORIGIN_BLOCK_TIMED op=block-origin-timed addr=198.51.100.9 timeout=600 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ORIGIN_BLOCK_TIMED"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Field-name caveat: the real upstream emitter (audisp-ids reactions.c:302) uses daddr=, reason=, time_out=; this synthetic sample diverges.

RESP_ORIGIN_UNBLOCK_TIMED msgtype 2215

Source: Linux auditd
Message type: 2215
Fires: Emitted by default (no audit rule required)

Description

Address unblocked from timed

Fields #

Name	Description
`daddr`	remote IP address
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "198.51.100.9",
    "auid": "4294967295",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "op": "unblock-origin-timed",
    "pid": "2324",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:auditd_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=RESP_ORIGIN_UNBLOCK_TIMED msg=audit(1781634271.627:539750): pid=2324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 msg='RESP_ORIGIN_UNBLOCK_TIMED op=unblock-origin-timed addr=198.51.100.9 res=success exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "RESP_ORIGIN_UNBLOCK_TIMED"
}

Community Notes #

Example emitted by the catalog-resp audisp active-response plugin (exe=/usr/bin/python3.11, subj=...:auditd_t), not by an organic anomaly or response action. The 2100-2999 range is userspace-emittable by design; this sample documents the record format with plugin-authored field content, not organic field values. Field-name caveat: the real upstream emitter (audisp-ids timer-services.c:73) uses daddr=; this synthetic sample diverges.

USER_ROLE_CHANGE msgtype 2300

Source: Linux auditd
Message type: 2300
Fires: Emitted by default (no audit rule required)

Description

User changed to a new SELinux role

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`default-context`	SELinux context offered as the default at login
`selected-context`	SELinux context the user selected at login
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "default-context": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "exe": "/usr/lib/systemd/systemd",
    "hostname": "?",
    "pid": "1044",
    "res": "success",
    "selected-context": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "ses": "4294967295",
    "subj": "system_u:system_r:init_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_ROLE_CHANGE msg=audit(1781634177.591:179572): pid=1044 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "USER_ROLE_CHANGE"
}

ROLE_ASSIGN msgtype 2301

Source: Linux auditd
Message type: 2301
Fires: Emitted by default (no audit rule required)

Description

Administrator assigned user to SELinux role

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`old-seuser`	SELinux user before the role change
`old-role`	SELinux role before the role change
`old-range`	SELinux MLS range before the role change
`new-seuser`	SELinux user after the role change
`new-role`	SELinux role after the role change
`new-range`	SELinux MLS range after the role change
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "r3usr",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "new-range": "s0",
    "new-role": "user_r",
    "new-seuser": "user_u",
    "old-range": "?",
    "old-role": "?",
    "old-seuser": "?",
    "op": "login-sename,role,range",
    "pid": "2819",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ROLE_ASSIGN msg=audit(1781634269.359:532608): pid=2819 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 msg='op=login-sename,role,range acct=\"r3usr\" old-seuser=? old-role=? old-range=? new-seuser=user_u new-role=user_r new-range=s0 exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "ROLE_ASSIGN"
}

ROLE_REMOVE msgtype 2302

Source: Linux auditd
Message type: 2302
Fires: Emitted by default (no audit rule required)

Description

Administrator removed user from SELinux role

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`acct`	a user's account name
`old-seuser`	SELinux user before the role change
`old-role`	SELinux role before the role change
`old-range`	SELinux MLS range before the role change
`new-seuser`	SELinux user after the role change
`new-role`	SELinux role after the role change
`new-range`	SELinux MLS range after the role change
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "acct": "r3usr",
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/python3.11",
    "hostname": "?",
    "new-range": "?",
    "new-role": "?",
    "new-seuser": "?",
    "old-range": "s0",
    "old-role": "user_r",
    "old-seuser": "user_u",
    "op": "login",
    "pid": "2884",
    "res": "success",
    "ses": "1",
    "subj": "unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=ROLE_REMOVE msg=audit(1781634270.619:537790): pid=2884 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 msg='op=login acct=\"r3usr\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=? new-role=? new-range=? exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "ROLE_REMOVE"
}

LABEL_OVERRIDE msgtype 2303

Source: Linux auditd
Message type: 2303
Fires: Emitted by default (no audit rule required)

Description

Administrator is overriding a SELinux label

Community Notes #

LSPP/MLS labeling record (manual label override); emitted only on a labeled/MLS-configured system, not captured on the reference host.

LABEL_LEVEL_CHANGE msgtype 2304

Source: Linux auditd
Message type: 2304
Fires: Emitted by default (no audit rule required)

Description

Object level SELinux label modified

Community Notes #

LSPP/MLS labeling record (sensitivity-level change); emitted only on a labeled/MLS-configured system, not captured on the reference host.

USER_LABELED_EXPORT msgtype 2305

Source: Linux auditd
Message type: 2305
Fires: Emitted by default (no audit rule required)

Description

Object exported with SELinux label

Community Notes #

MLS labeled-data export record (an MLS print spooler / lp subsystem labeling exported output). No tool shipped with Debian emits it even under an MLS policy: verified 2026-06 against the installed SELinux userland, only the libaudit bindings define the constant, and the MLS print spooler / device allocator that would emit it is not packaged. Documented for catalog completeness.

USER_UNLABELED_EXPORT msgtype 2306

Source: Linux auditd
Message type: 2306
Fires: Emitted by default (no audit rule required)

Description

Object exported without SELinux label

Community Notes #

MLS unlabeled-data export record, the unlabeled counterpart to USER_LABELED_EXPORT. Same status: no tool shipped with Debian emits it even under an MLS policy (verified 2026-06 against the installed SELinux userland). Documented for catalog completeness.

DEV_ALLOC msgtype 2307

Source: Linux auditd
Message type: 2307
Fires: Emitted by default (no audit rule required)

Description

Device was allocated

Community Notes #

LSPP device-allocation record; emitted only on an LSPP/MLS-configured system, not captured on the reference host.

DEV_DEALLOC msgtype 2308

Source: Linux auditd
Message type: 2308
Fires: Emitted by default (no audit rule required)

Description

Device was deallocated

Community Notes #

LSPP device-deallocation record; emitted only on an LSPP/MLS-configured system, not captured on the reference host.

FS_RELABEL msgtype 2309

Source: Linux auditd
Message type: 2309
Fires: Emitted by default (no audit rule required)

Description

Filesystem relabeled

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/sbin/setfiles",
    "hostname": "?",
    "op": "mass relabel",
    "pid": "54891",
    "res": "success",
    "ses": "4",
    "subj": "unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=FS_RELABEL msg=audit(1781641141.755:2056951): pid=54891 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel exe=\"/usr/sbin/setfiles\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "FS_RELABEL"
}

USER_MAC_POLICY_LOAD msgtype 2310

Source: Linux auditd
Message type: 2310
Fires: Emitted by default (no audit rule required)

Description

Userspace daemon loaded SELinux policy

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`lsm`	security module that produced the record (selinux, apparmor, ...)
`seqno`	sequence number
`res`	result of the audited operation(success/fail)
`exe`	executable name
`sauid`	sent login user ID
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/bin/dbus-daemon",
    "hostname": "?",
    "lsm": "selinux",
    "op": "load_policy",
    "pid": "504",
    "res": "1",
    "sauid": "100",
    "seqno": "2",
    "ses": "4294967295",
    "subj": "system_u:system_r:system_dbusd_t:s0",
    "terminal": "?",
    "uid": "100"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_MAC_POLICY_LOAD msg=audit(1781634267.778:528010): pid=504 uid=100 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  op=load_policy lsm=selinux seqno=2 res=1 exe=\"/usr/bin/dbus-daemon\" sauid=100 hostname=? addr=? terminal=?'",
    "UID=\"messagebus\" AUID=\"unset\" SAUID=\"messagebus\""
  ],
  "record_type": "USER_MAC_POLICY_LOAD"
}

ROLE_MODIFY msgtype 2311

Source: Linux auditd
Message type: 2311
Fires: Emitted by default (no audit rule required)

Description

Administrator modified an SELinux role

Community Notes #

SELinux role modification (semanage); not captured on the reference host.

USER_MAC_CONFIG_CHANGE msgtype 2312

Source: Linux auditd
Message type: 2312
Fires: Emitted by default (no audit rule required)

Description

Change made to MAC (Mandatory Access Control) policy

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`resrc`	resource the record applies to (disk, mem, net for VIRT; object type for MAC config changes)
`op`	the operation being performed that is audited
`tglob`	file-context glob pattern
`ftype`	file type the context rule applies to
`tcontext`	the target's or object's context string
`comm`	command line program name
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "comm": "semanage",
    "exe": "/usr/bin/python3.11",
    "ftype": "any",
    "hostname": "?",
    "op": "add",
    "pid": "57638",
    "res": "success",
    "resrc": "fcontext",
    "ses": "4",
    "subj": "unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023",
    "tcontext": "system_u:object_r:etc_t:",
    "terminal": "?",
    "tglob": "/catalogtest(/.*)?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=USER_MAC_CONFIG_CHANGE msg=audit(1781641146.679:2062570): pid=57638 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob=\"/catalogtest(/.*)?\" ftype=any tcontext=system_u:object_r:etc_t: comm=\"semanage\" exe=\"/usr/bin/python3.11\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "USER_MAC_CONFIG_CHANGE"
}

USER_MAC_STATUS msgtype 2313

Source: Linux auditd
Message type: 2313
Fires: Emitted by default (no audit rule required)

Description

Userspace daemon enforcing change

Community Notes #

Userspace MAC enable/disable status change (for example setenforce via libselinux); not captured on the reference host.

CRYPTO_TEST_USER msgtype 2400

Source: Linux auditd
Message type: 2400
Fires: Emitted by default (no audit rule required)

Description

Cryptographic test results

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "exe": "/usr/bin/certutil",
    "hostname": "?",
    "pid": "147033",
    "res": "failed",
    "ses": "156",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_TEST_USER msg=audit(1781742805.668:3014500): pid=147033 uid=0 auid=1000 ses=156 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='NSS libsoftokn3.so: C_Initialize()=0x00000030 power-up self-tests failed exe=\"/usr/bin/certutil\" hostname=? addr=? terminal=? res=failed'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_TEST_USER"
}

Community Notes #

Userspace FIPS-mode crypto audit record emitted by FIPS crypto libraries (openssl-fips, libica, gnutls) or the kernel crypto API on power-on self-test, not by sshd; field set varies by emitter and was not captured on the reference host.

CRYPTO_PARAM_CHANGE_USER msgtype 2401

Source: Linux auditd
Message type: 2401
Fires: Emitted by default (no audit rule required)

Description

Cryptographic attribute change

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "ession": "0x80000004)=0x00000000",
    "exe": "/tmp/nss_fail",
    "hostname": "?",
    "pid": "146120",
    "res": "success",
    "ses": "150",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_PARAM_CHANGE_USER msg=audit(1781742719.774:2986384): pid=146120 uid=0 auid=1000 ses=150 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='NSS libsoftokn3.so: C_SetPIN(hSession=0x80000004)=0x00000000 exe=\"/tmp/nss_fail\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_PARAM_CHANGE_USER"
}

Community Notes #

Userspace FIPS-mode crypto audit record (crypto parameter change) emitted by FIPS crypto libraries, not by sshd; field set varies by emitter and was not captured on the reference host.

CRYPTO_LOGIN msgtype 2402

Source: Linux auditd
Message type: 2402
Fires: Emitted by default (no audit rule required)

Description

Cryptographic officer login

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "ession": "0x80000004,",
    "exe": "/tmp/nss_fips",
    "hostname": "?",
    "pid": "143186",
    "res": "success",
    "ses": "141",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0",
    "ype": "0)=0x00000000"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_LOGIN msg=audit(1781742444.164:2919469): pid=143186 uid=0 auid=1000 ses=141 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='NSS libsoftokn3.so: C_Login(hSession=0x80000004, userType=0)=0x00000000 exe=\"/tmp/nss_fips\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_LOGIN"
}

Community Notes #

Userspace crypto-hardware login audit record (PKCS#11 / HSM token), not emitted by sshd; field set varies by token middleware and was not captured on the reference host.

CRYPTO_LOGOUT msgtype 2403

Source: Linux auditd
Message type: 2403
Fires: Emitted by default (no audit rule required)

Description

Cryptographic officer logout

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "ession": "0x80000001)=0x00000101",
    "exe": "/tmp/nss_fail",
    "hostname": "?",
    "pid": "146120",
    "res": "failed",
    "ses": "150",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_LOGOUT msg=audit(1781742719.774:2986394): pid=146120 uid=0 auid=1000 ses=150 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='NSS libsoftokn3.so: C_Logout(hSession=0x80000001)=0x00000101 exe=\"/tmp/nss_fail\" hostname=? addr=? terminal=? res=failed'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_LOGOUT"
}

Community Notes #

Userspace crypto-hardware logout audit record (PKCS#11 / HSM token), not emitted by sshd; field set varies by token middleware and was not captured on the reference host.

CRYPTO_KEY_USER msgtype 2404

Source: Linux auditd
Message type: 2404
Fires: Emitted by default (no audit rule required)

Description

Create, delete, negotiate cryptographic key identifier

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`kind`	server or client in crypto operation
`fp`	crypto key fingerprint
`direction`	IPsec SA direction
`spid`	sent process ID
`suid`	user ID that initiated the crypto operation
`rport`	remote port number
`laddr`	local network address
`lport`	local network port
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "127.0.0.1",
    "auid": "1000",
    "exe": "/usr/local/libexec/sshd-session",
    "fp": "SHA256:c8:69:ef:ea:6f:6a:01:6d:1d:00:35:e9:97:0d:14:a8:74:9e:c0:a9:36:45:01:e0:3f:8a:b5:16:72:57:1f:f3",
    "hostname": "?",
    "kind": "auth-key",
    "op": "negotiate",
    "pid": "138898",
    "res": "success",
    "ses": "120",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_KEY_USER msg=audit(1781721196.288:246632): pid=138898 uid=0 auid=1000 ses=120 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=negotiate kind=auth-key fp=SHA256:c8:69:ef:ea:6f:6a:01:6d:1d:00:35:e9:97:0d:14:a8:74:9e:c0:a9:36:45:01:e0:3f:8a:b5:16:72:57:1f:f3 exe=\"/usr/local/libexec/sshd-session\" hostname=? addr=127.0.0.1 terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_KEY_USER"
}

Community Notes #

Not captured on the reference host. Field set documented from the OpenSSH (sshd) emit site, the Fedora/RHEL openssh audit patch (audit_session_key_free_body): op kind fp direction spid suid rport laddr lport, wrapped in the libaudit user-message envelope. Emitted on host-key use and session-key teardown.

CRYPTO_FAILURE_USER msgtype 2405

Source: Linux auditd
Message type: 2405
Fires: Emitted by default (no audit rule required)

Description

Fail decrypt, encrypt or randomize operation

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "1000",
    "echanism": "7ffcd29cca50",
    "ession": "0x80000005,",
    "exe": "/tmp/nss_fail2",
    "ey": "0x00000002)=0x00000063",
    "hostname": "?",
    "mechanism": "0x00000111,",
    "pid": "146639",
    "res": "failed",
    "ses": "153",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_FAILURE_USER msg=audit(1781742765.075:3001374): pid=146639 uid=0 auid=1000 ses=153 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='NSS libsoftokn3.so: C_EncryptInit(hSession=0x80000005, pMechanism=7ffcd29cca50 {mechanism=0x00000111, ...}, hKey=0x00000002)=0x00000063 exe=\"/tmp/nss_fail2\" hostname=? addr=? terminal=? res=failed'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_FAILURE_USER"
}

Community Notes #

Userspace FIPS-mode crypto audit record (crypto operation failure) emitted by FIPS crypto libraries, not by sshd; field set varies by emitter and was not captured on the reference host.

CRYPTO_REPLAY_USER msgtype 2406

Source: Linux auditd
Message type: 2406
Fires: Emitted by default (no audit rule required)

Description

Cryptographic replay attack detected

Community Notes #

Userspace FIPS-mode crypto audit record (replay detected) emitted by FIPS crypto libraries, not by sshd; field set varies by emitter and was not captured on the reference host.

CRYPTO_SESSION msgtype 2407

Source: Linux auditd
Message type: 2407
Fires: Emitted by default (no audit rule required)

Description

Parameters set during TLS session establishment

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`direction`	IPsec SA direction
`cipher`	name of crypto cipher selected
`ksize`	key size for crypto operation
`mac`	crypto MAC algorithm selected
`pfs`	key-exchange group negotiated for perfect forward secrecy
`spid`	sent process ID
`suid`	user ID that initiated the crypto operation
`rport`	remote port number
`laddr`	local network address
`lport`	local network port
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "127.0.0.1",
    "auid": "1000",
    "cipher": "chacha20-poly1305@openssh.com",
    "direction": "from-server",
    "exe": "/usr/local/libexec/sshd-session",
    "hostname": "?",
    "ksize": "512",
    "laddr": "127.0.0.1",
    "lport": "2222",
    "mac": "<implicit>",
    "op": "start",
    "pfs": "sntrup761x25519-sha512",
    "pid": "138898",
    "res": "success",
    "rport": "58318",
    "ses": "120",
    "spid": "138899",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "suid": "101",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_SESSION msg=audit(1781721196.086:246626): pid=138898 uid=0 auid=1000 ses=120 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac=<implicit> pfs=sntrup761x25519-sha512 spid=138899 suid=101 rport=58318 laddr=127.0.0.1 lport=2222  exe=\"/usr/local/libexec/sshd-session\" hostname=? addr=127.0.0.1 terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\" SUID=\"sshd\""
  ],
  "record_type": "CRYPTO_SESSION"
}

Community Notes #

Not captured on the reference host. Field set documented from the OpenSSH (sshd) emit site, the Fedora/RHEL openssh audit patch (audit_kex_body): op=start direction cipher ksize mac pfs spid suid rport laddr lport, wrapped in the libaudit user-message envelope (addr is the remote IP). Emitted on SSH key exchange.

CRYPTO_IKE_SA msgtype 2408

Source: Linux auditd
Message type: 2408
Fires: Emitted by default (no audit rule required)

Description

Parameters related to IKE SA

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`direction`	IPsec SA direction
`conn-name`	IPsec connection name
`connstate`	IPsec connection state
`ike-version`	IKE protocol version
`auth`	authentication method negotiated for the IPsec SA
`cipher`	name of crypto cipher selected
`ksize`	key size for crypto operation
`integ`	integrity algorithm negotiated for the IPsec SA
`prf`	pseudo-random function negotiated for the IKE SA
`pfs`	key-exchange group negotiated for perfect forward secrecy
`raddr`	remote address of the connection
`addr`	the remote address that the user is connecting from
`hostname`	the hostname that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)
`exe`	executable name

Example Event #

{
  "fields": {
    "addr": "192.0.2.1",
    "auid": "4294967295",
    "auth": "PRESHARED_KEY",
    "cipher": "none",
    "conn-name": "r5",
    "connstate": "1",
    "direction": "initiator",
    "exe": "/usr/libexec/ipsec/pluto",
    "hostname": "?",
    "ike-version": "2.0",
    "integ": "none",
    "ksize": "0",
    "op": "start",
    "pfs": "MODP2048",
    "pid": "61499",
    "prf": "none",
    "raddr": "192.0.2.250",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:ipsec_t:s0",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_IKE_SA msg=audit(1781641429.666:2206992): pid=61499 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=initiator conn-name=\"r5\" connstate=1 ike-version=2.0 auth=PRESHARED_KEY cipher=none ksize=0 integ=none prf=none pfs=MODP2048  raddr=192.0.2.250 exe=\"/usr/libexec/ipsec/pluto\" hostname=? addr=192.0.2.1 terminal=? res=failed'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "CRYPTO_IKE_SA"
}

CRYPTO_IPSEC_SA msgtype 2409

Source: Linux auditd
Message type: 2409
Fires: Emitted by default (no audit rule required)

Description

Parameters related to IPSEC SA

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`op`	the operation being performed that is audited
`conn-name`	IPsec connection name
`connstate`	IPsec connection state
`satype`	IPsec SA type (esp, ah, ipcomp)
`samode`	IPsec SA mode (transport or tunnel)
`cipher`	name of crypto cipher selected
`ksize`	key size for crypto operation
`integ`	integrity algorithm negotiated for the IPsec SA
`in-spi`	inbound IPsec Security Parameter Index
`out-spi`	outbound IPsec Security Parameter Index
`in-ipcomp`	inbound IP compression CPI
`out-ipcomp`	outbound IP compression CPI
`raddr`	remote address of the connection
`addr`	the remote address that the user is connecting from
`hostname`	the hostname that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)
`exe`	executable name

Example Event #

{
  "fields": {
    "addr": "192.0.2.2",
    "auid": "1000",
    "cipher": "AES_GCM_C",
    "conn-name": "r5",
    "connstate": "2,",
    "exe": "/usr/libexec/ipsec/pluto",
    "hostname": "?",
    "in-ipcomp": "0(0x00000000)",
    "in-spi": "1618771218(0x1618771218)",
    "integ": "NONE",
    "ksize": "256",
    "op": "start",
    "out-ipcomp": "0(0x00000000)",
    "out-spi": "3601776787(0x3601776787)",
    "pid": "85989",
    "raddr": "192.0.2.1",
    "res": "success",
    "samode": "tunnel",
    "satype": "ipsec-esp",
    "ses": "7",
    "subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
    "terminal": "?",
    "uid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=CRYPTO_IPSEC_SA msg=audit(1781643679.012:2779107): pid=85989 uid=0 auid=1000 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=start conn-name=\"r5\" connstate=2, satype=ipsec-esp samode=tunnel cipher=AES_GCM_C ksize=256 integ=NONE in-spi=1618771218(0x1618771218) out-spi=3601776787(0x3601776787) in-ipcomp=0(0x00000000) out-ipcomp=0(0x00000000) raddr=192.0.2.1 exe=\"/usr/libexec/ipsec/pluto\" hostname=? addr=192.0.2.2 terminal=? res=success'",
    "UID=\"root\" AUID=\"debian\""
  ],
  "record_type": "CRYPTO_IPSEC_SA"
}

VIRT_CONTROL msgtype 2500

Source: Linux auditd
Message type: 2500
Fires: Emitted by default (no audit rule required)

Description

Start, Pause, Stop VM

Fields #

Name	Description
`virt`	virtualization driver (qemu, lxc, ...)
`op`	the operation being performed that is audited
`reason`	reason for the operation
`vm`	name of the virtual machine
`uuid`	UUID of the virtual machine
`vm-pid`	process ID of the virtual machine (0 if not yet started)
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/sbin/libvirtd",
    "hostname": "?",
    "op": "start",
    "pid": "58538",
    "reason": "booted",
    "res": "failed",
    "ses": "4294967295",
    "subj": "system_u:system_r:virtd_t:s0",
    "terminal": "?",
    "uid": "0",
    "uuid": "fb5e54c6-0345-4b27-b694-688d88eb48d0",
    "virt": "qemu",
    "vm": "r5vm",
    "vm-pid": "0"
  },
  "raw": [
    "node=JD-debian-12-workstation type=VIRT_CONTROL msg=audit(1781641224.555:2099420): pid=58538 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu op=start reason=booted vm=\"r5vm\" uuid=fb5e54c6-0345-4b27-b694-688d88eb48d0 vm-pid=0 exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=failed'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "VIRT_CONTROL"
}

VIRT_RESOURCE msgtype 2501

Source: Linux auditd
Message type: 2501
Fires: Emitted by default (no audit rule required)

Description

Resource assignment

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`virt`	virtualization driver (qemu, lxc, ...)
`resrc`	resource the record applies to (disk, mem, net for VIRT; object type for MAC config changes)
`reason`	reason for the operation
`vm`	name of the virtual machine
`uuid`	UUID of the virtual machine
`old-disk`	previous resource value; the field is named old-<resrc> (old-disk, old-mem, ...)
`new-disk`	new resource value; the field is named new-<resrc> (new-disk, new-mem, ...)
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/sbin/libvirtd",
    "hostname": "?",
    "new-disk": "/tmp/r5disk.qcow2",
    "old-disk": "?",
    "pid": "58538",
    "reason": "start",
    "res": "success",
    "resrc": "disk",
    "ses": "4294967295",
    "subj": "system_u:system_r:virtd_t:s0",
    "terminal": "?",
    "uid": "0",
    "uuid": "fb5e54c6-0345-4b27-b694-688d88eb48d0",
    "virt": "qemu",
    "vm": "r5vm"
  },
  "raw": [
    "node=JD-debian-12-workstation type=VIRT_RESOURCE msg=audit(1781641224.551:2099397): pid=58538 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu resrc=disk reason=start vm=\"r5vm\" uuid=fb5e54c6-0345-4b27-b694-688d88eb48d0 old-disk=\"?\" new-disk=\"/tmp/r5disk.qcow2\" exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "VIRT_RESOURCE"
}

VIRT_MACHINE_ID msgtype 2502

Source: Linux auditd
Message type: 2502
Fires: Emitted by default (no audit rule required)

Description

Binding of label to VM

Fields #

Name	Description
`pid`	process ID
`uid`	user ID
`auid`	login user ID
`ses`	login session ID
`subj`	lspp subject's context string
`virt`	virtualization driver (qemu, lxc, ...)
`vm`	name of the virtual machine
`uuid`	UUID of the virtual machine
`vm-ctx`	SELinux process context assigned to the VM
`img-ctx`	SELinux file context assigned to the VM image
`model`	security model used for VM labeling (selinux, apparmor, dac)
`exe`	executable name
`hostname`	the hostname that the user is connecting from
`addr`	the remote address that the user is connecting from
`terminal`	terminal name the user is running programs on
`res`	result of the audited operation(success/fail)

Example Event #

{
  "fields": {
    "addr": "?",
    "auid": "4294967295",
    "exe": "/usr/sbin/libvirtd",
    "hostname": "?",
    "img-ctx": "system_u:object_r:svirt_image_t:s0:c62,c990",
    "model": "selinux",
    "pid": "58538",
    "res": "success",
    "ses": "4294967295",
    "subj": "system_u:system_r:virtd_t:s0",
    "terminal": "?",
    "uid": "0",
    "uuid": "fb5e54c6-0345-4b27-b694-688d88eb48d0",
    "virt": "qemu",
    "vm": "r5vm",
    "vm-ctx": "system_u:system_r:svirt_t:s0:c62,c990"
  },
  "raw": [
    "node=JD-debian-12-workstation type=VIRT_MACHINE_ID msg=audit(1781641224.479:2099037): pid=58538 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu vm=\"r5vm\" uuid=fb5e54c6-0345-4b27-b694-688d88eb48d0 vm-ctx=system_u:system_r:svirt_t:s0:c62,c990 img-ctx=system_u:object_r:svirt_image_t:s0:c62,c990 model=selinux exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'",
    "UID=\"root\" AUID=\"unset\""
  ],
  "record_type": "VIRT_MACHINE_ID"
}

VIRT_INTEGRITY_CHECK msgtype 2503

Source: Linux auditd
Message type: 2503
Fires: Emitted by default (no audit rule required)

Description

Guest integrity results

Community Notes #

Defined in the audit headers but produced by no shipping software. libvirt emits only VIRT_CONTROL (2500), VIRT_RESOURCE (2501), and VIRT_MACHINE_ID (2502); create/destroy/integrity-check/migrate are unimplemented. Source: libvirt src/conf/domain_audit.c.

VIRT_CREATE msgtype 2504

Source: Linux auditd
Message type: 2504
Fires: Emitted by default (no audit rule required)

Description

Creation of guest image

Community Notes #

VIRT_DESTROY msgtype 2505

Source: Linux auditd
Message type: 2505
Fires: Emitted by default (no audit rule required)

Description

Destruction of guest image

Community Notes #

VIRT_MIGRATE_IN msgtype 2506

Source: Linux auditd
Message type: 2506
Fires: Emitted by default (no audit rule required)

Description

Inbound guest migration info

Community Notes #

VIRT_MIGRATE_OUT msgtype 2507

Source: Linux auditd
Message type: 2507
Fires: Emitted by default (no audit rule required)

Description

Outbound guest migration info

Community Notes #

Provenance

Every record type in this catalog is derived from these pinned upstream sources (snapshots under data_sources/linux/SOURCES.yaml). Individual record pages cite only their kernel emit site, when one exists.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Linux auditd

USER msgtype 1005

Description

Example Event #

Community Notes #

LOGIN msgtype 1006

Description

Fields #

Example Event #

References #

USER_AUTH msgtype 1100

Description

Fields #

Example Event #

USER_ACCT msgtype 1101

Description

Fields #

Example Event #

USER_MGMT msgtype 1102

Description

Fields #

Example Event #

Community Notes #

CRED_ACQ msgtype 1103

Description

Fields #

Example Event #

CRED_DISP msgtype 1104

Description

Fields #

Example Event #

USER_START msgtype 1105

Description

Fields #

Example Event #

USER_END msgtype 1106

Description

Fields #

Example Event #

USER_AVC msgtype 1107

Description

Fields #

Example Event #

USER_CHAUTHTOK msgtype 1108

Description

Fields #

Example Event #

USER_ERR msgtype 1109

Description

Fields #

Example Event #

CRED_REFR msgtype 1110

Description

Fields #

Example Event #

USYS_CONFIG msgtype 1111

Description

Fields #

Example Event #

Community Notes #

USER_LOGIN msgtype 1112

Description

Fields #

Example Event #

USER_LOGOUT msgtype 1113

Description

Fields #

Example Event #

Community Notes #

ADD_USER msgtype 1114

Description

Fields #

Example Event #

Common Indicators #

Related Events #

DEL_USER msgtype 1115

Description

Fields #

Example Event #

ADD_GROUP msgtype 1116