• Manufacturer: Red Hat
• Version: 2.8
• Website: https://people.redhat.com/sgrubb/audit/

Description

auditd is the userspace component of the Linux Auditing System. It is responsible for receiving audit records from the kernel and writing them to disk.

Data Model Coverage

flow

  Fields: application_protocol, content, dest_fqdn, dest_hostname, dest_ip, dest_port, end_time, exe, fqdn, hostname, image_path, in_bytes, network_direction, out_bytes, packet_count, pid, ppid, proto_info, src_fqdn, src_hostname, src_ip, src_port, start_time, tcp_flags, transport_protocol, uid, user
  Actions: end, message, start

driver

  Fields: base_address, fqdn, hostname, image_path, md5_hash, module_name, pid, sha1_hash, sha256_hash, signature_valid, signer
  Actions: load, unload

process

  Fields: access_level, call_trace, command_line, current_working_directory, env_vars, exe, fqdn, guid, hostname, image_path, integrity_level, md5_hash, parent_command_line, parent_exe, parent_guid, parent_image_path, pid, ppid, sha1_hash, sha256_hash, sid, signature_valid, signer, target_address, target_guid, target_name, target_pid, uid, user
  Actions: access, create, terminate

file

  Fields: company, content, creation_time, extension, file_name, file_path, fqdn, gid, group, hostname, image_path, link_target, md5_hash, mime_type, mode, owner, owner_uid, pid, ppid, previous_creation_time, sha1_hash, sha256_hash, signature_valid, signer, uid, user
  Actions: acl_modify, create, delete, modify, read, timestomp, write

Analytic Coverage