Additional log information

The descriptions for the details diaplayed in logs helps identify the type and reason for raising the log entry.

These are values for understanding the values that are displayed in the log records.

Log levels

Most events on the system generate logs. The level of the log helps you understand whether the log is just an information message or denotes some issue with the system. The log message and the log level allows you to understand more about the working of the system and also helps you identify and troubleshoot any system issues.

Protection logs: These logs are generated for Unprotect, Reprotect, and Protect (URP) operations.

  • SUCCESS: This log is generated for a successful URP operation.
  • WARNING: This log is generated if a user does not have access and the operation is unprotect.
  • EXCEPTION: This log is generated if a user does not have access, the operation is unprotect, and the return exception property is set.
  • ERROR: This log is generated for all other issues.

Application logs: These logs are generated by the application. The log level denotes the severity level of the log, however, levels 1 and 6 are used for the log configuration.

  • 1: OFF. This level is used to turn logging off.
  • 2: SEVERE. This level indicates a serious failure that prevents normal program execution.
  • 3: WARNING. This level indicates a potential problem or an issue with the system.
  • 4: INFO. This level is used to display information messages about the application.
  • 5: CONFIG. This level is used to display static configuration information that is useful during debugging.
  • 6: ALL. This level is used to log all messages.

Policy logs: These logs are used for the policy logs.

  • LOWEST
  • LOW
  • NORMAL
  • HIGH
  • CRITICAL
  • N/A

Protector information

The information displayed in the Protector-related fields of the audit log are listed in the table.

protector.familyprotector.vendorprotector.version
DATA SECURITY GATEWAY
gwpDSG3.3.0.0.x
APPLICATION PROTECTORS
sdkC9.1.0.0.x
sdkJava10.0.0+x, 9.1.0.0.x
sdkPython9.1.0.0.x
sdkGo9.1.0.0.x
sdkNodeJS9.1.0.0.x
sdkDotNet9.1.0.0.x
TRUSTED APPLICATION LOGS IN APPLICATION PROTECTORS
<process.name>C9.1.0.0.x
<process.name>Java9.1.0.0.x
<process.name>Python9.1.0.0.x
<process.name>Go9.1.0.0.x
<process.name>NodeJS9.1.0.0.x
<process.name>DotNet9.1.0.0.x
DATABASE PROTECTOR
dbpSqlServer9.1.0.0.x
dbpOracle9.1.0.0.x
dbpDb29.1.0.0.x
dwpTeradata10.0.0+x, 9.1.0.0.x
dwpExadata9.1.0.0.x
BIG DATA PROTECTOR
bdpImpala9.2.0.0.x, 9.1.0.0.x
bdpMapreduce9.2.0.0.x, 9.1.0.0.x
bdpPig9.2.0.0.x, 9.1.0.0.x
bdpHBase9.2.0.0.x, 9.1.0.0.x
bdpHive9.2.0.0.x, 9.1.0.0.x
bdpSpark9.2.0.0.x, 9.1.0.0.x
bdpSparkSQL9.2.0.0.x, 9.1.0.0.x

Protectors having CORE version 1.2.2+42.g01eb3.1.2 and higher are compatible with ESA v10.0.0. For more version-related information, refer to the Product Compatibility on My.Protegrity. The protector family might display the process.name for some protectors. This will be fixed in a later release.

Modules and components and the log type

Some of the components and modules and the logtype that they generate are provided in the following table.

Module / ComponentProtectionPolicyApplicationAuditKernelSystemVerification
as_image_management.pyc
as_memory_management.pyc
asmanagement.pyc
buffer_watch.pyc
devops
DSGPAP
ESAPAP
fluentbit
hubcontroller
imps
insight.pyc
insight_cron_executor.pyc
insight_cron_job_method_executor.pyc
kmgw_external
kmgw_internal
logfacade
membersource
meteringfacade
PIM_Cluster
Protegrity PEP Server
TRIGGERING_AGENT_policy_deploy.pyc

For more information and description about the components that can generate kernel logs, refer here.

Kernel logs

This section lists the various kernel logs that are generated.

Note: This list is compiled using information from https://pmhahn.github.io/audit/.

User and group account management:

  • ADD_USER: A user-space user account is added.
  • USER_MGMT: The user-space management data.
  • USER_CHAUTHTOK: A user account attribute is modified.
  • DEL_USER: A user-space user is deleted.
  • ADD_GROUP: A user-space group is added.
  • GRP_MGMT: The user-space group management data.
  • GRP_CHAUTHTOK: A group account attribute is modified.
  • DEL_GROUP: A user-space group is deleted.

User login live cycle events:

  • CRYPTO_KEY_USER: The cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_SESSION: The parameters set during a TLS session establishment.
  • USER_AUTH: A user-space authentication attempt is detected.
  • LOGIN: The user log in to access the system.
  • USER_CMD: A user-space shell command is executed.
  • GRP_AUTH: The group password is used to authenticate against a user-space group.
  • CHUSER_ID: A user-space user ID is changed.
  • CHGRP_ID: A user-space group ID is changed.
  • Pluggable Authentication Modules (PAM) Authentication:
    • USER_LOGIN: A user logs in.
    • USER_LOGOUT: A user logs out.
  • PAM account:
    • USER_ERR: A user account state error is detected.
    • USER_ACCT: A user-space user account is modified.
    • ACCT_LOCK: A user-space user account is locked by the administrator.
    • ACCT_UNLOCK: A user-space user account is unlocked by the administrator.
  • PAM session:
    • USER_START: A user-space session is started.
    • USER_END: A user-space session is terminated.
  • Credentials:
    • CRED_ACQ: A user acquires user-space credentials.
    • CRED_REFR: A user refreshes their user-space credentials.
    • CRED_DISP: A user disposes of user-space credentials.

Linux Security Model events:

  • DAC_CHECK: The record discretionary access control (DAC) check results.
  • MAC_CHECK: The user space Mandatory Access Control (MAC) decision is made.
  • USER_AVC: A user-space AVC message is generated.
  • USER_MAC_CONFIG_CHANGE:
  • SELinux Mandatory Access Control:
    • AVC_PATH: dentry and vfsmount pair when an SELinux permission check.
    • AVC: SELinux permission check.
    • FS_RELABEL: file system relabel operation is detected.
    • LABEL_LEVEL_CHANGE: object’s level label is modified.
    • LABEL_OVERRIDE: administrator overrides an object’s level label.
    • MAC_CONFIG_CHANGE: SELinux Boolean value is changed.
    • MAC_STATUS: SELinux mode (enforcing, permissive, off) is changed.
    • MAC_POLICY_LOAD: SELinux policy file is loaded.
    • ROLE_ASSIGN: administrator assigns a user to an SELinux role.
    • ROLE_MODIFY: administrator modifies an SELinux role.
    • ROLE_REMOVE: administrator removes a user from an SELinux role.
    • SELINUX_ERR: internal SELinux error is detected.
    • USER_LABELED_EXPORT: object is exported with an SELinux label.
    • USER_MAC_POLICY_LOAD: user-space daemon loads an SELinux policy.
    • USER_ROLE_CHANGE: user’s SELinux role is changed.
    • USER_SELINUX_ERR: user-space SELinux error is detected.
    • USER_UNLABELED_EXPORT: object is exported without SELinux label.
    • AppArmor Mandatory Access Control:
      • APPARMOR_ALLOWED
      • APPARMOR_AUDIT
      • APPARMOR_DENIED
      • APPARMOR_ERROR
      • APPARMOR_HINT
      • APPARMOR_STATUS APPARMOR

Audit framework events:

  • KERNEL: Record the initialization of the Audit system.
  • CONFIG_CHANGE: The Audit system configuration is modified.
  • DAEMON_ABORT: An Audit daemon is stopped due to an error.
  • DAEMON_ACCEPT: The auditd daemon accepts a remote connection.
  • DAEMON_CLOSE: The auditd daemon closes a remote connection.
  • DAEMON_CONFIG: An Audit daemon configuration change is detected.
  • DAEMON_END: The Audit daemon is successfully stopped.
  • DAEMON_ERR: An auditd daemon internal error is detected.
  • DAEMON_RESUME: The auditd daemon resumes logging.
  • DAEMON_ROTATE: The auditd daemon rotates the Audit log files.
  • DAEMON_START: The auditd daemon is started.
  • FEATURE_CHANGE: An Audit feature changed value.

Networking related:

  • IPSec:
    • MAC_IPSEC_ADDSA
    • MAC_IPSEC_ADDSPD
    • MAC_IPSEC_DELSA
    • MAC_IPSEC_DELSPD
    • MAC_IPSEC_EVENT: The IPSec event, when one is detected, or when the IPSec configuration changes.
  • NetLabel:
    • MAC_CALIPSO_ADD: The NetLabel CALIPSO DoI entry is added.
    • MAC_CALIPSO_DEL: The NetLabel CALIPSO DoI entry is deleted.
    • MAC_MAP_ADD: A new Linux Security Module (LSM) domain mapping is added.
    • MAC_MAP_DEL: An existing LSM domain mapping is added.
    • MAC_UNLBL_ALLOW: An unlabeled traffic is allowed.
    • MAC_UNLBL_STCADD: A static label is added.
    • MAC_UNLBL_STCDEL: A static label is deleted.
  • Message Queue:
    • MQ_GETSETATTR: The mq_getattr and mq_setattr message queue attributes.
    • MQ_NOTIFY: The arguments of the mq_notify system call.
    • MQ_OPEN: The arguments of the mq_open system call.
    • MQ_SENDRECV: The arguments of the mq_send and mq_receive system calls.
  • Netfilter firewall:
    • NETFILTER_CFG: The Netfilter chain modifications are detected.
    • NETFILTER_PKT: The packets traversing Netfilter chains.
  • Commercial Internet Protocol Security Option:
    • MAC_CIPSOV4_ADD: A user adds a new Domain of Interpretation (DoI).
    • MAC_CIPSOV4_DEL: A user deletes an existing DoI.

Linux Cryptography:

  • CRYPTO_FAILURE_USER: A decrypt, encrypt, or randomize cryptographic operation fails.
  • CRYPTO_IKE_SA: The Internet Key Exchange Security Association is established.
  • CRYPTO_IPSEC_SA: The Internet Protocol Security Association is established.
  • CRYPTO_LOGIN: A cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT: A cryptographic officer logout attempt is detected.
  • CRYPTO_PARAM_CHANGE_USER: A change in a cryptographic parameter is detected.
  • CRYPTO_REPLAY_USER: A replay attack is detected.
  • CRYPTO_TEST_USER: The cryptographic test results as required by the FIPS-140 standard.

Process:

  • BPRM_FCAPS: A user executes a program with a file system capability.
  • CAPSET: Any changes in process-based capabilities.
  • CWD: The current working directory.
  • EXECVE; The arguments of the execve system call.
  • OBJ_PID: The information about a process to which a signal is sent.
  • PATH: The file name path information.
  • PROCTITLE: The full command-line of the command that was used to invoke the analyzed process.
  • SECCOMP: A Secure Computing event is detected.
  • SYSCALL: A system call to the kernel.

Special system calls:

  • FD_PAIR: The use of the pipe and socketpair system calls.
  • IPC_SET_PERM: The information about new values set by an IPC_SET control operation on an Inter-Process Communication (IPC) object.
  • IPC: The information about a IPC object referenced by a system call.
  • MMAP: The file descriptor and flags of the mmap system call.
  • SOCKADDR: Record a socket address.
  • SOCKETCALL: Record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).

Systemd:

  • SERVICE_START: A service is started.
  • SERVICE_STOP: A service is stopped.
  • SYSTEM_BOOT: The system is booted up.
  • SYSTEM_RUNLEVEL: The system’s run level is changed.
  • SYSTEM_SHUTDOWN: The system is shut down.

Virtual Machines and Container:

  • VIRT_CONTROL: The virtual machine is started, paused, or stopped.
  • VIRT_MACHINE_ID: The binding of a label to a virtual machine.
  • VIRT_RESOURCE: The resource assignment of a virtual machine.

Device management:

  • DEV_ALLOC: A device is allocated.
  • DEV_DEALLOC: A device is deallocated.

Trusted Computing Integrity Measurement Architecture:

  • INTEGRITY_DATA: The data integrity verification event run by the kernel.
  • INTEGRITY_EVM_XATTR: The EVM-covered extended attribute is modified.
  • INTEGRITY_HASH: The hash type integrity verification event run by the kernel.
  • INTEGRITY_METADATA: The metadata integrity verification event run by the kernel.
  • INTEGRITY_PCR: The Platform Configuration Register (PCR) invalidation messages.
  • INTEGRITY_RULE: A policy rule.
  • INTEGRITY_STATUS: The status of integrity verification.

Intrusion Prevention System:

  • Anomaly detected:
    • ANOM_ABEND
    • ANOM_ACCESS_FS
    • ANOM_ADD_ACCT
    • ANOM_AMTU_FAIL
    • ANOM_CRYPTO_FAIL
    • ANOM_DEL_ACCT
    • ANOM_EXEC
    • ANOM_LINK
    • ANOM_LOGIN_ACCT
    • ANOM_LOGIN_FAILURES
    • ANOM_LOGIN_LOCATION
    • ANOM_LOGIN_SESSIONS
    • ANOM_LOGIN_TIME
    • ANOM_MAX_DAC
    • ANOM_MAX_MAC
    • ANOM_MK_EXEC
    • ANOM_MOD_ACCT
    • ANOM_PROMISCUOUS
    • ANOM_RBAC_FAIL
    • ANOM_RBAC_INTEGRITY_FAIL
    • ANOM_ROOT_TRANS
  • Responses:
    • RESP_ACCT_LOCK_TIMED
    • RESP_ACCT_LOCK
    • RESP_ACCT_REMOTE
    • RESP_ACCT_UNLOCK_TIMED
    • RESP_ALERT
    • RESP_ANOMALY
    • RESP_EXEC
    • RESP_HALT
    • RESP_KILL_PROC
    • RESP_SEBOOL
    • RESP_SINGLE
    • RESP_TERM_ACCESS
    • RESP_TERM_LOCK

Miscellaneous:

  • ALL: Matches all types.
  • KERNEL_OTHER: The record information from third-party kernel modules.
  • EOE: An end of a multi-record event.
  • TEST: The success value of a test message.
  • TRUSTED_APP: The record of this type can be used by third-party application that require auditing.
  • TTY: The TTY input that was sent to an administrative process.
  • USER_TTY: An explanatory message about TTY input to an administrative process that is sent from the user-space.
  • USER: The user details.
  • USYS_CONFIG: A user-space system configuration change is detected.
  • TIME_ADJNTPVAL: The system clock is modified.
  • TIME_INJOFFSET: A Timekeeping offset is injected to the system clock.