Auditd
Browse the Auditd mappings on this page, download the mappings (in CSV/STIX format), or visualize the sensor coverage in ATT&CK Navigator.
Download CSV Download STIX Open in ATT&CK Navigator
Enterprise
EVENT ID |
EVENT DESCRIPTION |
ATT&CK DATA SOURCE |
ATT&CK DATA COMPONENT |
---|---|---|---|
ADD_GROUP |
Triggered when a user-space group is added |
Group |
Group Creation |
ADD_USER |
Triggered when a user-space user account is created |
User Account |
User Account Creation |
ANOM_ABEND |
Triggered when a processes ends abnormally (with core dump, if enabled) |
Process |
Process Termination |
ANOM_ADD_ACCOUNT |
Triggered when a user-space account addition ends abnormally |
User Account |
User Account Creation |
ANOM_DEL_ACCOUNT |
Triggered when a user-space account deletion ends abnormally |
User Account |
User Account Deletion |
ANOM_LINK |
Triggered when suspicious use of file links is detected |
File |
File Access |
ANOM_LOGIN_FAILURES |
Triggered when the limit of failed login attempts is reached |
User Account |
User Account Authentication |
ANOM_LOGIN_LOCATION |
Triggered when a login atempt is made from forbidden location |
User Account |
User Account Authentication |
ANOM_LOGIN_SESSIONS |
Triggered when a login attempt reaches max amount of sessions |
User Account |
User Account Authentication |
ANOM_LOGIN_TIME |
Triggered when a login attempt is made at a time when prevented |
User Account |
User Account Authentication |
ANOM_PROMISCUOUS |
Triggered when a device enables or disables promiscuous mode |
Service |
Service Modification |
AVC |
Triggered to record an SELinux permission check |
Service |
Service Access |
CONFIG_CHANGE |
audit_enabled record field contains 1 or 2 |
Service |
Service Modification |
CONFIG_CHANGE |
audit_enabled record field contains 0 |
Service |
Service Modification |
CONFIG_CHANGE |
op record field contains add rule |
Service |
Service Modification |
CONFIG_CHANGE |
op record field contains remove rule |
Service |
Service Modification |
CONFIG_CHANGE |
audit_failure record field contains value 0 |
Service |
Service Modification |
CONFIG_CHANGE |
audit_failure record field contains value 1 |
Service |
Service Modification |
CONFIG_CHANGE |
audit_failure record field contains value 2 |
Service |
Service Modification |
CONFIG_CHANGE |
any other CONFIG_CHANGE cases not specified above |
Service |
Service Modification |
CRED_ACQ |
Triggered when a user acquires user-space credentials |
User Account |
User Account Metadata |
CRED_DISP |
Triggered when a user disposes of user-space credentials |
User Account |
User Account Metadata |
CRED_REFR |
Triggered when a user refreshes their user-space credentials |
User Account |
User Account Access |
CRYPTO_KEY_USER |
Triggered to record crypto key identifier used for crypto purposes |
Logon Session |
Logon Session Metadata |
CRYPTO_SESSION |
Triggered to record parameters set during a TLS session establishment |
Logon Session |
Logon Session Creation |
DAEMON_ABORT |
Triggered when a daemon is stopped due to an error |
Service |
Service Metadata |
DAEMON_CONFIG |
Triggered when a daemon configuration change is detected |
Service |
Service Modification |
DAEMON_END |
Triggered when a daemon is successfully stopped |
Service |
Service Metadata |
DAEMON_RESUME |
Triggered when the auditd daemon resumes logging |
Service |
Service Metadata |
DAEMON_ROTATE |
Triggered when the auditd daemon rotates the Audit log files |
Service |
Service Metadata |
DAEMON_START |
Triggered when the auditd daemon is started |
Service |
Service Creation |
DEL_GROUP |
Triggered when a user-space group is deleted |
Group |
Group Deletion |
DEL_USER |
Triggered when a user-space user is deleted |
User Account |
User Account Deletion |
FS_RELABEL |
Triggered when a file system relabel operation is detected |
Drive |
Drive Modification |
LABEL_LEVEL_CHANGE |
Triggered when an object’s level label is modified |
File |
File Modification |
LABEL_OVERRIDE |
Triggered when administrator overrides object’s level label |
File |
File Modification |
LOGIN |
Triggered to record relevant login information when user logs into system |
Logon Session |
Logon Session Metadata |
MAC_CIPSOV4_ADD |
Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel |
Service |
Service Modification |
MAC_CIPSOV4_DEL |
Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
Service |
Service Modification |
MAC_CONFIG_CHANGE |
Triggered when an SELinux Boolean value is changed |
Service |
Service Modification |
MAC_MAP_ADD |
Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel. |
Service |
Service Modification |
MAC_MAP_DEL |
Triggered when existing LSM domain mapping is deleted |
Service |
Service Modification |
MAC_POLICY_LOAD |
Triggered when a SELinux Policy file is loaded |
Service |
Service Creation |
MAC_STATUS |
Triggered when the SELinux mode is changed (enforcing, permissive, etc) |
Service |
Service Modification |
MAC_UNLBL_ALLOW |
Triggered when unlabeled traffic is allowed when using packet labeling |
Network Traffic |
Network Traffic Content |
NETFILTER_CFG |
Triggered when Netfilter chain modifications are detected |
Firewall |
Firewall Rule Modification |
RESP_ACCT_LOCK |
Triggered when a user account is locked |
User Account |
User Account Authentication |
RESP_ACCT_UNLOCK_TIMED |
Triggered when user account is unlocked after configured time |
User Account |
User Account Authentication |
ROLE_ASSIGN |
Triggered when an administrator user assigns user to SELinux role |
Service |
Service Modification |
ROLE_REMOVE |
Triggered when an administrator removes a user from an SELinux role |
Service |
Service Modification |
SELINUX_ERR |
Triggered when an internal SELinux error is detected |
Service |
Service Metadata |
SYSTEM_RUNLEVEL |
Triggered when the system run level is changed |
Sensor Health |
Host Status |
SYSTEM_SHUTDOWN |
Triggered when the system is shut down |
Sensor Health |
Host Status |
TTY |
Triggered when TTY input was sent to an administrative process |
Process |
Process Access |
USER_ACCT |
Triggered when a user-space user authorization attempt is detected |
User Account |
User Account Authentication |
USER_AUTH |
Triggered when a user-space user authentication attempt is detected |
User Account |
User Account Authentication |
USER_AVC |
Triggered when a user-space AVC message is generated |
File |
File Access |
USER_CHAUTHTOK |
op record field contains value deleting mail file |
File |
File Deletion |
USER_CHAUTHTOK |
op record field contains value moving home directory |
User Account |
User Account Access |
USER_CHAUTHTOK |
op record field contains value user lookup |
User Account |
User Account Access |
USER_CHAUTHTOK |
op record field contains value deleting user entries |
User Account |
User Account Deletion |
USER_CHAUTHTOK |
op record field contains value deleting user not found |
User Account |
User Account Deletion |
USER_CHAUTHTOK |
op record field contains value deleting user |
User Account |
User Account Deletion |
USER_CHAUTHTOK |
op record field contains value deleting user logged in |
User Account |
User Account Deletion |
USER_CHAUTHTOK |
op record field contains value deleting home directory |
User Account |
User Account Deletion |
USER_CHAUTHTOK |
op record field contains value unlock password |
User Account |
User Account Metadata |
USER_CHAUTHTOK |
op record field contains value change password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change expired password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change age |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change max age |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change min age |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change passwd warning |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change inactive days |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change passwd expiration |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change last change date |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value change all aging information |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value password attribute change |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value password aging data updated |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value display aging info |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value password status display |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value password status displayed for user |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding to group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding group member |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding user to group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding user to shadow group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing primary group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing group member |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing admin name in shadow group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing member in shadow group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value deleting group password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value deleting member |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value deleting user from group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value deleting user from shadow group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value removing group member |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value removing user from shadow group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value deleting group |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding user |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value adding home directory |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value lock password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value delete password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value updating password |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing name |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing uid |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing home directory |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing mail file name |
User Account |
User Account Modification |
USER_CHAUTHTOK |
op record field contains value changing mail file owner |
User Account |
User Account Modification |
USER_CHAUTHTOK |
Triggered when a user account password or PIN is modified |
User Account |
User Account Modification |
USER_CMD |
Triggered when a user-space shell command is executed |
Process |
Process Creation |
USER_END |
Triggered when a user-space session is terminated |
Logon Session |
Logon Session Metadata |
USER_ERR |
Triggered when a user account state error is detected |
User Account |
User Account Metadata |
USER_LABELED_EXPORT |
Triggered when an object is exported with an SELinux label |
File |
File Metadata |
USER_LOGIN |
Triggered when a user logs in |
Logon Session |
Logon Session Creation |
USER_LOGOUT |
Triggered when a user logs out |
Logon Session |
Logon Session Metadata |
USER_ROLE_CHANGE |
op record field contains add SELinux user record |
User Account |
User Account Creation |
USER_ROLE_CHANGE |
op record field contains delete SELinux user record |
User Account |
User Account Deletion |
USER_ROLE_CHANGE |
any other USER_ROLE_CHANGE cases not specified above |
User Account |
User Account Modification |
USER_START |
Triggered when a user-space session is started |
Logon Session |
Logon Session Creation |
USER_TTY |
Triggered when an explanatory msg about TTY input to admin proc is sent |
Service |
Service Metadata |
USER_UNLABELED_EXPORT |
Triggered when an object is exported without an SELinux label |
File |
File Metadata |
USYS_CONFIG |
Triggered when a user-space system configuration change is detected |
Command |
Command Execution |