On Tuesday, October 2, 2018 7:43:04 AM EDT Maupertuis Philippe wrote:
> According to the Redhat 7 security guide ANOM_ROOT_TRANS is triggered when
> a user becomes root. It seems that using sudo doesn't trigger this event.
> I would like to know how this event is triggered.

Looking at the blame view of libaudit.h on github, this was imported as far back as 1.7.4 over 10 years ago. Back then, work was being done around prelude IDS and feeding it with events for correlation and escalation. That work was mothballed when prelude upstream became inactive. Prelude support has also been removed from audit-3.0 when it gets released.

> There are also several ANOM_ types that I can't see generated.
> Is there a document describing from where these events would come.

The event types in libaudit.h are not 100% supported. Some were supported and are now not in use. (Can't remove them since you really might run across the event in a heterogeneous network.) Many in the ANOM and RESP categories are placeholders for future use. The description is accurate wrt the intended use. At the moment nothing I know of is sending that event. But the roadmap for audit 3.1 has a mention for a basic IDS capability. That might be when ANOM and RESP categories get better supported.

I wouldn't expect sudo or su to send these.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
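Since nothing emits ANOM_ROOT_TRANS, a defender who wants to see "user became root" in the audit trail has to derive it from the records that are emitted: the PAM USER_START record that su/sudo/login write when a session opens for acct="root", and SYSCALL records whose login uid (auid) is an ordinary user while the effective uid is 0. The script below is an added example, not code from this thread or from the audit project; the log lines are constructed to match auditd's field layout, and the two detection rules (acct="root" on USER_START, uid=0 with a non-root auid on SYSCALL) are this example's own assumptions about what counts as a root transition.

```python
import re
from typing import Dict, List

# Constructed sample records (not from the thread): a sudo session opening
# for root, the SYSCALL record of a command run inside it, and for contrast
# an ordinary ssh login plus a command run as that user.
SAMPLE_LOG = """\
type=USER_START msg=audit(1538466000.101:201): pid=4101 uid=1000 auid=1000 ses=5 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1538466000.250:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0ffee00 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="id" exe="/usr/bin/id" key="root-cmd"
type=USER_START msg=audit(1538466100.300:203): pid=4200 uid=0 auid=1001 ses=6 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1538466100.400:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0ffee00 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=6 comm="ls" exe="/usr/bin/ls" key=(null)
"""

UNSET_AUID = 4294967295  # auid of -1 (unsigned): no login uid was ever set

# key=value pairs; values may be "double quoted", 'single quoted' or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit line into a key/value dict.

    User-space (PAM) events carry their own fields inside msg='...'; those
    are parsed too, so acct=, op=, exe= land in the same dict. The first
    msg=audit(...) token is kept under "msg" for the serial number."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_record(raw[1:-1]))  # nested envelope
        else:
            fields[key] = raw.strip('"')
    return fields


def serial(rec: Dict[str, str]) -> str:
    """Event serial from msg=audit(<time>:<serial>):, or "?" if absent."""
    m = re.search(r":(\d+)\)", rec.get("msg", ""))
    return m.group(1) if m else "?"


def is_real_user(auid: str) -> bool:
    """True for a login uid that belongs to an ordinary (non-root) user."""
    return auid.isdigit() and int(auid) not in (0, UNSET_AUID)


def find_root_transitions(log_text: str) -> List[Dict[str, str]]:
    """One hit per record where a non-root login identity acted as root.

    Rule 1 (assumed): USER_START with acct="root" -> su/sudo/login opened a
    root session for the auid user.
    Rule 2 (assumed): SYSCALL with uid=0 while auid is an ordinary user ->
    a command ran as root on behalf of that login."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not is_real_user(rec.get("auid", "")):
            continue  # root-owned daemons and unset auid are not transitions
        kind = None
        if rec.get("type") == "USER_START" and rec.get("acct") == "root":
            kind = "session"
        elif rec.get("type") == "SYSCALL" and rec.get("uid") == "0":
            kind = "syscall"
        if kind:
            hits.append({"kind": kind, "auid": rec["auid"],
                         "exe": rec.get("exe", "?"), "serial": serial(rec)})
    return hits


if __name__ == "__main__":
    for hit in find_root_transitions(SAMPLE_LOG):
        print(f"serial={hit['serial']} {hit['kind']}: auid={hit['auid']} "
              f"became root via {hit['exe']}")
```

The ssh login in the sample has uid=0 (sshd itself runs as root) but acct="alice", so it is correctly not reported; keying on auid rather than uid is what separates "a service running as root" from "a person who became root". On a real host the equivalent query is `ausearch -m USER_START` or `ausearch -ua <uid>`, and Rule 2 only fires if a SYSCALL rule (for example on execve) is loaded in auditctl.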
