| Event Description | LAF audit events |
|---|---|
| Startup and shutdown of audit functions | DAEMON_START, DAEMON_END are generated by auditd |
| Modification of audit configuration files | DAEMON_CONFIG, DAEMON_RECONFIG are generated by auditd. Syscalls open, link, unlink, rename, truncate, write on configuration files |
| Successful and unsuccessful file read/write | Syscall open |
| Audit storage space exceeds a threshold | space_left_action, admin_space_left_action configuration parameters for auditd. |
| Audit storage space failure | disk_full_action, disk_error_action configuration parameters for auditd. |
| Operation on file system objects | Syscalls chmod, chown, setxattr, removexattr, link, symlink, mknod, open, rename, truncate, unlink, rmdir, mount, umount, semtimedop |
| Operations on message queue | Syscalls msgctl, msgget |
| Operations on semaphores | Syscalls semget, semctl, semop, semtimedop. |
| Operations on shared memory segments | Syscalls shmget, shmctl |
| Rejection or acceptance by the TSF of any tested secret. | Audit record type: USER_AUTH from PAM framework and audit record type: USER_CHAUTHTOK from shadow utilities. |
| Use of identification and authentication mechanism | Audit record type: USER_AUTH, USER_CHAUTHTOK from PAM framework. |
| Success and failure of binding user security attributes to a subject (e.g. success and failure to create a subject) | Audit record type: LOGIN from pam_login.so module. Syscalls: fork and clone. |
| All modification of subject security values | Syscalls chmod, chown, setxattr, msgctl, semctl, shmctl, removexattr, truncate |
| Modifications of the default setting of permissive or restrictive rules | Syscalls umask, open |
| Modification of TSF data | Syscalls open, rename, link, unlink, truncate, chmod, chown, setxattr, removexattr (of audit log files and audit configuration files), messages from shadow suites, audit record type: USER_CHAUTHTOK. |
| Modifications to the group of users that are part of a role | Audit messages from trusted programs in the shadow suite, audit record type: USER_CHAUTHTOK. |
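
The following added example (not part of the evaluated document or of the audit package) checks a rule file against the syscall rows of the table and reports which listed syscalls have no audit rule. The row labels are abbreviated, the function names and sample rules are constructed for illustration, and the check assumes that only the syscall names matter: it ignores -F filters and rule ordering.

```python
# Syscall sets copied from the table rows above; row labels are abbreviated here.
REQUIRED = {
    "file system objects": {"chmod", "chown", "setxattr", "removexattr", "link",
                            "symlink", "mknod", "open", "rename", "truncate",
                            "unlink", "rmdir", "mount", "umount", "semtimedop"},
    "message queues": {"msgctl", "msgget"},
    "semaphores": {"semget", "semctl", "semop", "semtimedop"},
    "shared memory": {"shmget", "shmctl"},
    "subject creation": {"fork", "clone"},
    "subject security values": {"chmod", "chown", "setxattr", "msgctl", "semctl",
                                "shmctl", "removexattr", "truncate"},
    "default permission settings": {"umask", "open"},
}

# Constructed sample in auditctl rule syntax (not taken from the document).
SAMPLE_RULES = """\
# constructed sample rules
-a always,exit -S chmod -S chown -S setxattr -S removexattr
-a always,exit -S msgctl -S msgget -S shmget -S shmctl
-a exit,always -S semget,semctl,semop,semtimedop
-a never,exit -S umask
-a always,exit -S fork -S clone -S open -S truncate
"""

def audited_syscalls(rules_text):
    """Return syscall names given with -S in rules whose action is 'always'."""
    found = set()
    for line in rules_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
            continue
        if "always" not in tokens[1].split(","):
            continue  # 'never' rules suppress records, so they give no coverage
        for opt, value in zip(tokens, tokens[1:]):
            if opt == "-S":
                found.update(value.split(","))
    return found

def missing_by_row(rules_text):
    """Map each table row to the syscalls its rules do not yet audit."""
    have = audited_syscalls(rules_text)
    if "all" in have:  # '-S all' matches every syscall
        return {}
    return {row: sorted(need - have)
            for row, need in REQUIRED.items() if need - have}

if __name__ == "__main__":
    for row, gaps in missing_by_row(SAMPLE_RULES).items():
        print(f"{row}: missing {', '.join(gaps)}")
```

Rows that map to audit record types or auditd configuration parameters rather than syscalls are outside what this check covers.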