Vendor Documentation
|
N/A |
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
Kernel Audit |
Base Rule |
General Kernel Information |
Information |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
type |
<vmid> |
Number |
N/A |
|
N/A |
<serialnumber> |
Number |
Records a time stamp and a unique ID of the record in the form audit(time_stamp:ID). |
|
apparmor |
<status> |
Text/String |
The status of the operation. |
|
operation |
<action> |
Text/String |
The system action being attempted. |
|
profile |
N/A |
N/A |
The name of the specific AppArmor profile confining the process. |
|
name |
<parentprocesspath> |
Text/String |
The target file, path, or resource being accessed. |
|
pid |
<parentprocessid> |
Text/String |
The Process ID of the application performing the attempt. |
|
comm |
<parentprocessname> |
Text/String |
The name of the command or executable trying to run the action. |
|
requested_mask |
N/A |
N/A |
The permission the process asked for. |
|
denied_mask |
N/A |
N/A |
The permission AppArmor blocked. |
|
fsuid |
N/A |
N/A |
The Filesystem User ID running the process. |
|
ouid |
N/A |
N/A |
The User ID of the owner of the target file. |