{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "An aushape-parsed audit log",
"definitions": {
"field": {
"description": "A record field",
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"maxItems": 2
},
"field_list": {
"description": "A list of fields",
"type": "array",
"items": { "$ref": "#/definitions/field" }
},
"generic_fields": {
"description": "Generic fields",
"type": "object",
"properties": {
"a0": { "$ref": "#/definitions/field" },
"a1": { "$ref": "#/definitions/field" },
"a2": { "$ref": "#/definitions/field" },
"a3": { "$ref": "#/definitions/field" },
"acct": { "$ref": "#/definitions/field" },
"acl": { "$ref": "#/definitions/field" },
"action": { "$ref": "#/definitions/field" },
"added": { "$ref": "#/definitions/field" },
"addr": { "$ref": "#/definitions/field" },
"algo": { "$ref": "#/definitions/field" },
"apparmor": { "$ref": "#/definitions/field" },
"arch": { "$ref": "#/definitions/field" },
"argc": { "$ref": "#/definitions/field" },
"audit_backlog_limit": { "$ref": "#/definitions/field" },
"audit_backlog_wait_time": { "$ref": "#/definitions/field" },
"audit_enabled": { "$ref": "#/definitions/field" },
"audit_failure": { "$ref": "#/definitions/field" },
"auid": { "$ref": "#/definitions/field" },
"banners": { "$ref": "#/definitions/field" },
"bool": { "$ref": "#/definitions/field" },
"bus": { "$ref": "#/definitions/field" },
"capability": { "$ref": "#/definitions/field" },
"cap_fe": { "$ref": "#/definitions/field" },
"cap_fi": { "$ref": "#/definitions/field" },
"cap_fp": { "$ref": "#/definitions/field" },
"cap_fver": { "$ref": "#/definitions/field" },
"cap_pe": { "$ref": "#/definitions/field" },
"cap_pi": { "$ref": "#/definitions/field" },
"cap_pp": { "$ref": "#/definitions/field" },
"category": { "$ref": "#/definitions/field" },
"cgroup": { "$ref": "#/definitions/field" },
"changed": { "$ref": "#/definitions/field" },
"cipher": { "$ref": "#/definitions/field" },
"class": { "$ref": "#/definitions/field" },
"cmd": { "$ref": "#/definitions/field" },
"code": { "$ref": "#/definitions/field" },
"comm": { "$ref": "#/definitions/field" },
"compat": { "$ref": "#/definitions/field" },
"cwd": { "$ref": "#/definitions/field" },
"daddr": { "$ref": "#/definitions/field" },
"data": { "$ref": "#/definitions/field" },
"default-context": { "$ref": "#/definitions/field" },
"dest": { "$ref": "#/definitions/field" },
"dev": { "$ref": "#/definitions/field" },
"device": { "$ref": "#/definitions/field" },
"dir": { "$ref": "#/definitions/field" },
"direction": { "$ref": "#/definitions/field" },
"dmac": { "$ref": "#/definitions/field" },
"dport": { "$ref": "#/definitions/field" },
"egid": { "$ref": "#/definitions/field" },
"enforcing": { "$ref": "#/definitions/field" },
"entries": { "$ref": "#/definitions/field" },
"euid": { "$ref": "#/definitions/field" },
"exe": { "$ref": "#/definitions/field" },
"exit": { "$ref": "#/definitions/field" },
"fam": { "$ref": "#/definitions/field" },
"family": { "$ref": "#/definitions/field" },
"fd": { "$ref": "#/definitions/field" },
"fe": { "$ref": "#/definitions/field" },
"feature": { "$ref": "#/definitions/field" },
"fi": { "$ref": "#/definitions/field" },
"file": { "$ref": "#/definitions/field" },
"flags": { "$ref": "#/definitions/field" },
"format": { "$ref": "#/definitions/field" },
"fp": { "$ref": "#/definitions/field" },
"fsgid": { "$ref": "#/definitions/field" },
"fsuid": { "$ref": "#/definitions/field" },
"fver": { "$ref": "#/definitions/field" },
"gid": { "$ref": "#/definitions/field" },
"grantors": { "$ref": "#/definitions/field" },
"grp": { "$ref": "#/definitions/field" },
"hook": { "$ref": "#/definitions/field" },
"hostname": { "$ref": "#/definitions/field" },
"icmp_type": { "$ref": "#/definitions/field" },
"id": { "$ref": "#/definitions/field" },
"igid": { "$ref": "#/definitions/field" },
"img-ctx": { "$ref": "#/definitions/field" },
"inif": { "$ref": "#/definitions/field" },
"ino": { "$ref": "#/definitions/field" },
"inode": { "$ref": "#/definitions/field" },
"inode_gid": { "$ref": "#/definitions/field" },
"inode_uid": { "$ref": "#/definitions/field" },
"invalid_context": { "$ref": "#/definitions/field" },
"ioctlcmd": { "$ref": "#/definitions/field" },
"ip": { "$ref": "#/definitions/field" },
"ipid": { "$ref": "#/definitions/field" },
"ipx-net": { "$ref": "#/definitions/field" },
"items": { "$ref": "#/definitions/field" },
"iuid": { "$ref": "#/definitions/field" },
"kernel": { "$ref": "#/definitions/field" },
"key": { "$ref": "#/definitions/field" },
"kind": { "$ref": "#/definitions/field" },
"ksize": { "$ref": "#/definitions/field" },
"laddr": { "$ref": "#/definitions/field" },
"len": { "$ref": "#/definitions/field" },
"list": { "$ref": "#/definitions/field" },
"lport": { "$ref": "#/definitions/field" },
"mac": { "$ref": "#/definitions/field" },
"macproto": { "$ref": "#/definitions/field" },
"maj": { "$ref": "#/definitions/field" },
"major": { "$ref": "#/definitions/field" },
"minor": { "$ref": "#/definitions/field" },
"mode": { "$ref": "#/definitions/field" },
"model": { "$ref": "#/definitions/field" },
"msg": { "$ref": "#/definitions/field" },
"name": { "$ref": "#/definitions/field" },
"nametype": { "$ref": "#/definitions/field" },
"nargs": { "$ref": "#/definitions/field" },
"net": { "$ref": "#/definitions/field" },
"new": { "$ref": "#/definitions/field" },
"new-chardev": { "$ref": "#/definitions/field" },
"new-disk": { "$ref": "#/definitions/field" },
"new-enabled": { "$ref": "#/definitions/field" },
"new-fs": { "$ref": "#/definitions/field" },
"new_gid": { "$ref": "#/definitions/field" },
"new-level": { "$ref": "#/definitions/field" },
"new_lock": { "$ref": "#/definitions/field" },
"new-log_passwd": { "$ref": "#/definitions/field" },
"new-mem": { "$ref": "#/definitions/field" },
"new-net": { "$ref": "#/definitions/field" },
"new_pe": { "$ref": "#/definitions/field" },
"new_pi": { "$ref": "#/definitions/field" },
"new_pp": { "$ref": "#/definitions/field" },
"new-range": { "$ref": "#/definitions/field" },
"new-rng": { "$ref": "#/definitions/field" },
"new-role": { "$ref": "#/definitions/field" },
"new-seuser": { "$ref": "#/definitions/field" },
"new-vcpu": { "$ref": "#/definitions/field" },
"nlnk-fam": { "$ref": "#/definitions/field" },
"nlnk-grp": { "$ref": "#/definitions/field" },
"nlnk-pid": { "$ref": "#/definitions/field" },
"oauid": { "$ref": "#/definitions/field" },
"obj": { "$ref": "#/definitions/field" },
"obj_gid": { "$ref": "#/definitions/field" },
"obj_uid": { "$ref": "#/definitions/field" },
"objtype": { "$ref": "#/definitions/field" },
"ocomm": { "$ref": "#/definitions/field" },
"oflag": { "$ref": "#/definitions/field" },
"ogid": { "$ref": "#/definitions/field" },
"old": { "$ref": "#/definitions/field" },
"old-auid": { "$ref": "#/definitions/field" },
"old-chardev": { "$ref": "#/definitions/field" },
"old-disk": { "$ref": "#/definitions/field" },
"old-enabled": { "$ref": "#/definitions/field" },
"old_enforcing": { "$ref": "#/definitions/field" },
"old-fs": { "$ref": "#/definitions/field" },
"old-level": { "$ref": "#/definitions/field" },
"old_lock": { "$ref": "#/definitions/field" },
"old-log_passwd": { "$ref": "#/definitions/field" },
"old-mem": { "$ref": "#/definitions/field" },
"old-net": { "$ref": "#/definitions/field" },
"old_pe": { "$ref": "#/definitions/field" },
"old_pi": { "$ref": "#/definitions/field" },
"old_pp": { "$ref": "#/definitions/field" },
"old_prom": { "$ref": "#/definitions/field" },
"old-range": { "$ref": "#/definitions/field" },
"old-rng": { "$ref": "#/definitions/field" },
"old-role": { "$ref": "#/definitions/field" },
"old-ses": { "$ref": "#/definitions/field" },
"old-seuser": { "$ref": "#/definitions/field" },
"old_val": { "$ref": "#/definitions/field" },
"old-vcpu": { "$ref": "#/definitions/field" },
"op": { "$ref": "#/definitions/field" },
"opid": { "$ref": "#/definitions/field" },
"oses": { "$ref": "#/definitions/field" },
"ouid": { "$ref": "#/definitions/field" },
"outif": { "$ref": "#/definitions/field" },
"parent": { "$ref": "#/definitions/field" },
"path": { "$ref": "#/definitions/field" },
"per": { "$ref": "#/definitions/field" },
"perm": { "$ref": "#/definitions/field" },
"permissive": { "$ref": "#/definitions/field" },
"perm_mask": { "$ref": "#/definitions/field" },
"pfs": { "$ref": "#/definitions/field" },
"pid": { "$ref": "#/definitions/field" },
"ppid": { "$ref": "#/definitions/field" },
"printer": { "$ref": "#/definitions/field" },
"proctitle": { "$ref": "#/definitions/field" },
"prom": { "$ref": "#/definitions/field" },
"proto": { "$ref": "#/definitions/field" },
"qbytes": { "$ref": "#/definitions/field" },
"range": { "$ref": "#/definitions/field" },
"rdev": { "$ref": "#/definitions/field" },
"reason": { "$ref": "#/definitions/field" },
"removed": { "$ref": "#/definitions/field" },
"res": { "$ref": "#/definitions/field" },
"resrc": { "$ref": "#/definitions/field" },
"result": { "$ref": "#/definitions/field" },
"role": { "$ref": "#/definitions/field" },
"rport": { "$ref": "#/definitions/field" },
"saddr": { "$ref": "#/definitions/field" },
"sauid": { "$ref": "#/definitions/field" },
"scontext": { "$ref": "#/definitions/field" },
"selected-context": { "$ref": "#/definitions/field" },
"seperm": { "$ref": "#/definitions/field" },
"seperms": { "$ref": "#/definitions/field" },
"seqno": { "$ref": "#/definitions/field" },
"seresult": { "$ref": "#/definitions/field" },
"ses": { "$ref": "#/definitions/field" },
"seuser": { "$ref": "#/definitions/field" },
"sgid": { "$ref": "#/definitions/field" },
"sig": { "$ref": "#/definitions/field" },
"sigev_signo": { "$ref": "#/definitions/field" },
"size": { "$ref": "#/definitions/field" },
"smac": { "$ref": "#/definitions/field" },
"spid": { "$ref": "#/definitions/field" },
"sport": { "$ref": "#/definitions/field" },
"state": { "$ref": "#/definitions/field" },
"subj": { "$ref": "#/definitions/field" },
"success": { "$ref": "#/definitions/field" },
"suid": { "$ref": "#/definitions/field" },
"syscall": { "$ref": "#/definitions/field" },
"table": { "$ref": "#/definitions/field" },
"tclass": { "$ref": "#/definitions/field" },
"tcontext": { "$ref": "#/definitions/field" },
"terminal": { "$ref": "#/definitions/field" },
"tty": { "$ref": "#/definitions/field" },
"type": { "$ref": "#/definitions/field" },
"uid": { "$ref": "#/definitions/field" },
"unit": { "$ref": "#/definitions/field" },
"uri": { "$ref": "#/definitions/field" },
"user": { "$ref": "#/definitions/field" },
"uuid": { "$ref": "#/definitions/field" },
"val": { "$ref": "#/definitions/field" },
"ver": { "$ref": "#/definitions/field" },
"virt": { "$ref": "#/definitions/field" },
"vm": { "$ref": "#/definitions/field" },
"vm-ctx": { "$ref": "#/definitions/field" },
"vm-pid": { "$ref": "#/definitions/field" },
"watch": { "$ref": "#/definitions/field" }
},
"additionalProperties": false
},
"single_record": { "$ref": "#/definitions/generic_fields" },
"repeated_record": {
"description": "A list aggregating the repeated records of one type",
"type": "array",
"items": { "$ref": "#/definitions/generic_fields" }
},
"execve_record": {
"description": "An execve record",
"type": "array",
"items": {
"type": "string"
}
}
},
"type": "array",
"items": {
"description": "An audit event",
"type": "object",
"properties": {
"serial": {
"description": "Event serial number",
"type": "integer",
"minimum": 1
},
"time": {
"description": "Event timestamp",
"type": "string",
"format": "date-time"
},
"node": {
"description": "Event hostname",
"type": "string"
},
"error": {
"description": "Conversion error message",
"type": "string"
},
"trimmed": {
"type": "array",
"description": "An array of JSONPath expressions, relative to the event object, identifying the objects/arrays whose contents were (at least partly) removed by event size limiting. An empty string denotes the event object itself; an empty array means trimming occurred at unspecified objects/arrays.",
"items": {
"type": "string"
}
},
"text": {
"type": "array",
"description": "An array of strings, each being an original audit log record",
"items": {
"type": "string"
}
},
"data": {
"type": "object",
"properties": {
"acct_lock": { "$ref": "#/definitions/single_record" },
"acct_unlock": { "$ref": "#/definitions/single_record" },
"add_group": { "$ref": "#/definitions/single_record" },
"add_user": { "$ref": "#/definitions/single_record" },
"anom_abend": { "$ref": "#/definitions/single_record" },
"anom_access_fs": { "$ref": "#/definitions/single_record" },
"anom_add_acct": { "$ref": "#/definitions/single_record" },
"anom_amtu_fail": { "$ref": "#/definitions/single_record" },
"anom_crypto_fail": { "$ref": "#/definitions/single_record" },
"anom_del_acct": { "$ref": "#/definitions/single_record" },
"anom_exec": { "$ref": "#/definitions/single_record" },
"anom_link": { "$ref": "#/definitions/single_record" },
"anom_login_acct": { "$ref": "#/definitions/single_record" },
"anom_login_failures": { "$ref": "#/definitions/single_record" },
"anom_login_location": { "$ref": "#/definitions/single_record" },
"anom_login_sessions": { "$ref": "#/definitions/single_record" },
"anom_login_time": { "$ref": "#/definitions/single_record" },
"anom_max_dac": { "$ref": "#/definitions/single_record" },
"anom_max_mac": { "$ref": "#/definitions/single_record" },
"anom_mk_exec": { "$ref": "#/definitions/single_record" },
"anom_mod_acct": { "$ref": "#/definitions/single_record" },
"anom_promiscuous": { "$ref": "#/definitions/single_record" },
"anom_rbac_fail": { "$ref": "#/definitions/single_record" },
"anom_rbac_integrity_fail": { "$ref": "#/definitions/single_record" },
"anom_root_trans": { "$ref": "#/definitions/single_record" },
"apparmor": { "$ref": "#/definitions/single_record" },
"apparmor_allowed": { "$ref": "#/definitions/single_record" },
"apparmor_audit": { "$ref": "#/definitions/single_record" },
"apparmor_denied": { "$ref": "#/definitions/single_record" },
"apparmor_error": { "$ref": "#/definitions/single_record" },
"apparmor_hint": { "$ref": "#/definitions/single_record" },
"apparmor_status": { "$ref": "#/definitions/single_record" },
"avc": { "$ref": "#/definitions/repeated_record" },
"avc_path": { "$ref": "#/definitions/single_record" },
"bprm_fcaps": { "$ref": "#/definitions/single_record" },
"capset": { "$ref": "#/definitions/single_record" },
"chgrp_id": { "$ref": "#/definitions/single_record" },
"chuser_id": { "$ref": "#/definitions/single_record" },
"config_change": { "$ref": "#/definitions/single_record" },
"cred_acq": { "$ref": "#/definitions/single_record" },
"cred_disp": { "$ref": "#/definitions/single_record" },
"cred_refr": { "$ref": "#/definitions/single_record" },
"crypto_failure_user": { "$ref": "#/definitions/single_record" },
"crypto_ike_sa": { "$ref": "#/definitions/single_record" },
"crypto_ipsec_sa": { "$ref": "#/definitions/single_record" },
"crypto_key_user": { "$ref": "#/definitions/single_record" },
"crypto_login": { "$ref": "#/definitions/single_record" },
"crypto_logout": { "$ref": "#/definitions/single_record" },
"crypto_param_change_user": { "$ref": "#/definitions/single_record" },
"crypto_replay_user": { "$ref": "#/definitions/single_record" },
"crypto_session": { "$ref": "#/definitions/single_record" },
"crypto_test_user": { "$ref": "#/definitions/single_record" },
"cwd": { "$ref": "#/definitions/single_record" },
"dac_check": { "$ref": "#/definitions/single_record" },
"daemon_abort": { "$ref": "#/definitions/single_record" },
"daemon_accept": { "$ref": "#/definitions/single_record" },
"daemon_close": { "$ref": "#/definitions/single_record" },
"daemon_config": { "$ref": "#/definitions/single_record" },
"daemon_end": { "$ref": "#/definitions/single_record" },
"daemon_err": { "$ref": "#/definitions/single_record" },
"daemon_resume": { "$ref": "#/definitions/single_record" },
"daemon_rotate": { "$ref": "#/definitions/single_record" },
"daemon_start": { "$ref": "#/definitions/single_record" },
"del_group": { "$ref": "#/definitions/single_record" },
"del_user": { "$ref": "#/definitions/single_record" },
"dev_alloc": { "$ref": "#/definitions/single_record" },
"dev_dealloc": { "$ref": "#/definitions/single_record" },
"execve": { "$ref": "#/definitions/execve_record" },
"fd_pair": { "$ref": "#/definitions/single_record" },
"feature_change": { "$ref": "#/definitions/single_record" },
"fs_relabel": { "$ref": "#/definitions/single_record" },
"grp_auth": { "$ref": "#/definitions/single_record" },
"grp_chauthtok": { "$ref": "#/definitions/single_record" },
"grp_mgmt": { "$ref": "#/definitions/single_record" },
"integrity_data": { "$ref": "#/definitions/single_record" },
"integrity_hash": { "$ref": "#/definitions/single_record" },
"integrity_metadata": { "$ref": "#/definitions/single_record" },
"integrity_pcr": { "$ref": "#/definitions/single_record" },
"integrity_rule": { "$ref": "#/definitions/single_record" },
"integrity_status": { "$ref": "#/definitions/single_record" },
"ipc": { "$ref": "#/definitions/single_record" },
"ipc_set_perm": { "$ref": "#/definitions/single_record" },
"kernel": { "$ref": "#/definitions/single_record" },
"kernel_other": { "$ref": "#/definitions/single_record" },
"label_level_change": { "$ref": "#/definitions/single_record" },
"label_override": { "$ref": "#/definitions/single_record" },
"login": { "$ref": "#/definitions/single_record" },
"mac_check": { "$ref": "#/definitions/single_record" },
"mac_cipsov4_add": { "$ref": "#/definitions/single_record" },
"mac_cipsov4_del": { "$ref": "#/definitions/single_record" },
"mac_config_change": { "$ref": "#/definitions/single_record" },
"mac_ipsec_addsa": { "$ref": "#/definitions/single_record" },
"mac_ipsec_addspd": { "$ref": "#/definitions/single_record" },
"mac_ipsec_delsa": { "$ref": "#/definitions/single_record" },
"mac_ipsec_delspd": { "$ref": "#/definitions/single_record" },
"mac_ipsec_event": { "$ref": "#/definitions/single_record" },
"mac_map_add": { "$ref": "#/definitions/single_record" },
"mac_map_del": { "$ref": "#/definitions/single_record" },
"mac_policy_load": { "$ref": "#/definitions/single_record" },
"mac_status": { "$ref": "#/definitions/single_record" },
"mac_unlbl_allow": { "$ref": "#/definitions/single_record" },
"mac_unlbl_stcadd": { "$ref": "#/definitions/single_record" },
"mac_unlbl_stcdel": { "$ref": "#/definitions/single_record" },
"mmap": { "$ref": "#/definitions/single_record" },
"mq_getsetattr": { "$ref": "#/definitions/single_record" },
"mq_notify": { "$ref": "#/definitions/single_record" },
"mq_open": { "$ref": "#/definitions/single_record" },
"mq_sendrecv": { "$ref": "#/definitions/single_record" },
"netfilter_cfg": { "$ref": "#/definitions/repeated_record" },
"netfilter_pkt": { "$ref": "#/definitions/single_record" },
"obj_pid": { "$ref": "#/definitions/repeated_record" },
"path": { "$ref": "#/definitions/repeated_record" },
"proctitle": { "$ref": "#/definitions/single_record" },
"resp_acct_lock": { "$ref": "#/definitions/single_record" },
"resp_acct_lock_timed": { "$ref": "#/definitions/single_record" },
"resp_acct_remote": { "$ref": "#/definitions/single_record" },
"resp_acct_unlock_timed": { "$ref": "#/definitions/single_record" },
"resp_alert": { "$ref": "#/definitions/single_record" },
"resp_anomaly": { "$ref": "#/definitions/single_record" },
"resp_exec": { "$ref": "#/definitions/single_record" },
"resp_halt": { "$ref": "#/definitions/single_record" },
"resp_kill_proc": { "$ref": "#/definitions/single_record" },
"resp_sebool": { "$ref": "#/definitions/single_record" },
"resp_single": { "$ref": "#/definitions/single_record" },
"resp_term_access": { "$ref": "#/definitions/single_record" },
"resp_term_lock": { "$ref": "#/definitions/single_record" },
"role_assign": { "$ref": "#/definitions/single_record" },
"role_modify": { "$ref": "#/definitions/single_record" },
"role_remove": { "$ref": "#/definitions/single_record" },
"seccomp": { "$ref": "#/definitions/single_record" },
"selinux_err": { "$ref": "#/definitions/single_record" },
"service_start": { "$ref": "#/definitions/single_record" },
"service_stop": { "$ref": "#/definitions/single_record" },
"sockaddr": { "$ref": "#/definitions/single_record" },
"socketcall": { "$ref": "#/definitions/single_record" },
"syscall": { "$ref": "#/definitions/single_record" },
"system_boot": { "$ref": "#/definitions/single_record" },
"system_runlevel": { "$ref": "#/definitions/single_record" },
"system_shutdown": { "$ref": "#/definitions/single_record" },
"test": { "$ref": "#/definitions/single_record" },
"trusted_app": { "$ref": "#/definitions/single_record" },
"tty": { "$ref": "#/definitions/single_record" },
"user": { "$ref": "#/definitions/single_record" },
"user_acct": { "$ref": "#/definitions/single_record" },
"user_auth": { "$ref": "#/definitions/single_record" },
"user_avc": { "$ref": "#/definitions/single_record" },
"user_chauthtok": { "$ref": "#/definitions/single_record" },
"user_cmd": { "$ref": "#/definitions/single_record" },
"user_end": { "$ref": "#/definitions/single_record" },
"user_err": { "$ref": "#/definitions/single_record" },
"user_labeled_export": { "$ref": "#/definitions/single_record" },
"user_login": { "$ref": "#/definitions/single_record" },
"user_logout": { "$ref": "#/definitions/single_record" },
"user_mac_config_change": { "$ref": "#/definitions/single_record" },
"user_mac_policy_load": { "$ref": "#/definitions/single_record" },
"user_mgmt": { "$ref": "#/definitions/single_record" },
"user_role_change": { "$ref": "#/definitions/single_record" },
"user_selinux_err": { "$ref": "#/definitions/single_record" },
"user_start": { "$ref": "#/definitions/single_record" },
"user_tty": { "$ref": "#/definitions/single_record" },
"user_unlabeled_export": { "$ref": "#/definitions/single_record" },
"usys_config": { "$ref": "#/definitions/single_record" },
"virt_control": { "$ref": "#/definitions/single_record" },
"virt_machine_id": { "$ref": "#/definitions/single_record" },
"virt_resource": { "$ref": "#/definitions/single_record" }
}
},
"norm": {
"type": "object",
"properties": {
"event_kind": { "$ref": "#/definitions/field" },
"session": { "$ref": "#/definitions/field" },
"subject_kind": { "$ref": "#/definitions/field" },
"subject_primary": { "$ref": "#/definitions/field" },
"subject_secondary": { "$ref": "#/definitions/field" },
"subject_attrs": { "$ref": "#/definitions/field_list" },
"action": { "$ref": "#/definitions/field" },
"object_kind": { "$ref": "#/definitions/field" },
"object_primary": { "$ref": "#/definitions/field" },
"object_secondary": { "$ref": "#/definitions/field" },
"object_primary2": { "$ref": "#/definitions/field" },
"object_attrs": { "$ref": "#/definitions/field_list" },
"result": { "$ref": "#/definitions/field" },
"how": { "$ref": "#/definitions/field" },
"key": { "$ref": "#/definitions/field" }
}
}
},
"required": [
"serial",
"time"
],
"additionalProperties": false
}
}