      1 # audit_record_attr.txt
      2 # Lines that start with two "#" are comments that are copied to
      3 # audit_record_attr; all other comments are removed.
      4 ##
      5 ## Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
      6 ## Use is subject to license terms.
      7 ##
      8 ## CDDL HEADER START
      9 ##
     10 ## The contents of this file are subject to the terms of the
     11 ## Common Development and Distribution License (the "License").
     12 ## You may not use this file except in compliance with the License.
     13 ##
     14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
     15 ## or http://www.opensolaris.org/os/licensing.
     16 ## See the License for the specific language governing permissions
     17 ## and limitations under the License.
     18 ##
     19 ## When distributing Covered Code, include this CDDL HEADER in each
     20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     21 ## If applicable, add the following below this CDDL HEADER, with the
     22 ## fields enclosed by brackets "[]" replaced with your own identifying
     23 ## information: Portions Copyright [yyyy] [name of copyright owner]
     24 ##
     25 ## CDDL HEADER END
     26 ##
     27 ##
     28 
     29 # source file for describing audit records.
     30 
     31 # This file is in two sections.  The first is a list of attribute /
     32 # value pairs used to provide short cuts in annotating the audit
     33 # records.  The second is for annotation for each audit record.
     34 
     35 # first section: general attributes
     36 
     37 # skipClass=<class name of items to skip if only in that class>
     38 # skipClass=no    # uncomment to filter unused events
     39 
     40 # token name abbreviations
     41 # token=alias:fullname  -- short names for key tokens
     42 
     43 token=arg:argument
     44 token=attr:attribute
     45 token=acl:acl_entry
     46 token=cmd:command
     47 token=data:data
     48 token=exec_args:exec_arguments
     49 token=exec_env:exec_environment
     50 token=group:group
     51 token=inaddr:ip_addr
     52 token=inet:socket
     53 token=ipc:ipc
     54 token=ipc_perm:ipc_perm
     55 token=newgroup:newgroups
     56 token=path:path
     57 token=path_attr:attribute_path
     58 token=privset:privilege
     59 token=proc:process
     60 token=text:text
     61 token=tid:terminal_adr
     62 token=uauth:use_of_authorization
     63 token=upriv:use_of_privilege
     64 token=zone:zonename
     65 token=fmri:service_instance
     66 token=label:mandatory_label
     67 
     68 token=head:header
     69 token=subj:subject
     70 token=ret:return
     71 token=exit:exit
     72 
     73 # note names -- certain notes show up repeatedly; collected here
     74 #
     75 # To keep every line shorter than 80 characters, the
     76 # note names (message=) can span multiple lines; each line except the
     77 # last one must end with a backslash character.
     78 
     79 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
     80   the message ID is not valid.
     81 
     82 
     83 # basic record pattern ("insert" is where event-specific tokens
     84 # are listed.)
     85 
     86 kernel=head:insert:subj:[upriv]:ret
     87 user=head:subj:insert:ret
     88 
     89 # Second Section
     90 # Annotation Section
     91 #
     92 # Most audit records need annotation beyond what is provided by
     93 # the files audit_event and audit_class.  At a minimum, a record
     94 # is represented by a label and a format.
     95 #
     96 # label=record_id             like AUE_ACCEPT
     97 # format=token_alias
     98 #
     99 # there is no end line; a new label= ends the preceding definition
    100 # and starts the next.
    101 #
    102 # format values are a list of token names, separated by colons.  The
    103 # name is either one of the values described above (token=) or is
    104 # a value to be taken literally.  If a token name ends with a digit,
    105 # the digit is an index into an array of comments.  In the few cases
    106 # where there are no tokens (other than header, subject, return/exit),
    107 # use "format=kernel" or "format=user".
    108 #
    109 # comment is an array of strings separated by colons.  If comments
    110 # are listed on separate lines (recommended, because it keeps the
    111 # file readable and maintainable), the preceding comment
    112 # must end with a colon.  The array starts at 1.  (If the comment
    113 # itself contains a colon, use "&colon;" without the quotes.)
    114 #
    115 # case is used to generate alternate descriptions for a given
    116 # record.
    117 #
    118 # Constraints on string length: any annotation of the primitives below
    119 # that is longer than the stated maximum is silently truncated to that
    120 # many characters by auditrecord(1M) at run time:
    121 #
    122 #     primitive <= max (non-truncated) string length
    123 #	case	<= unlimited; if necessary, text continues on a new line
    124 #	comment	<= unlimited; if necessary, text continues on a new line
    125 #	label	<= 43
    126 #	note	<= unlimited; if necessary, text continues on a new line
    127 #	program	<= 20
    128 #	see	<= 39
    129 #	syscall	<= 20
    130 #	title	<= 46
    131 #	token	<= 28 (full name)
    132 #
    133 # To keep every line shorter than 80 characters, the unlimited
    134 # primitives can span multiple lines; each line except the last one
    135 # must end with a backslash character.  The "format=" record
    136 # attribute follows the same rule.
    137 #
    138 #
    139 # AUE_ACCEPT illustrates the use of all the above.  Note that
    140 # case is not nested; ellipsis (...) is used to give the effect
    141 # of nesting.
    142 
    143 label=AUE_ACCEPT
    144 #accept(2) failure
    145   case=Invalid socket file descriptor
    146     format=arg1
    147       comment=1, file descriptor, "so"
    148 #accept(2) non SOCK_STREAM socket
    149   case=If the socket address is not part of the AF_INET family
    150     format=arg1:arg2:arg3
    151       comment=1, "so", file descriptor:
    152       comment="family", so_family:
    153       comment="type", so_type
    154   case=If the socket address is part of the AF_INET family
    155     case=...If there is no vnode for this file descriptor
    156       format=[arg]1
    157         comment=1, file descriptor, "Bad so"
    158 #accept(2) SOCK_STREAM socket-not bound
    159     case=...or if the socket is not bound
    160       format=[arg]1:[inet]2
    161         comment=1, file descriptor, "so":
    162         comment=local/foreign address (0.0.0.0)
    163     case=...or if the socket address length = 0
    164       format=[arg]1:[inet]2
    165         comment=1, file descriptor, "so":
    166         comment=local/foreign address (0.0.0.0)
    167     case=...or for all other conditions
    168       format=inet1:[inet]1
    169         comment=socket address
    170 #accept(2) failure
    171 #	header
    172 #	au_to_arg32	"so",file descriptor
    173 #	subject
    174 #	return	<errno != 0>
    175 #
    176 #accept(2) non SOCK_STREAM socket
    177 #	header
    178 #	au_to_arg32	"so", file descriptor
    179 #	au_to_arg32	"family", so_family
    180 #	au_to_arg32	"type", so_type
    181 #	subject
    182 #	return success
    183 #
    184 #accept(2) SOCK_STREAM socket-not bound
    185 #	header
    186 #	au_to_arg32	"so", file descriptor
    187 #	au_to_socket_ex	local/foreign address (0.0.0.0)
    188 #	subject
    189 #	return success
    190 #
    191 #accept(2) SOCK_STREAM socket-bound
    192 #	header
    193 #	au_to_arg32	"so", file descriptor
    194 #	au_to_socket_ex
    195 #	subject
    196 #	return success
    197 
    198 
    199 
    200 label=AUE_ACCESS
    201   format=path1:[attr]
    202     comment=may be truncated in failure case
    203 #	header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
    204 #	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
    205 #	attribute,100777,41416,staff,8388608,402255,0
    206 #	subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
    207 #	return,success,0
    208 #	trailer,163
    209 #
    210 #	header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
    211 #	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
    212 #	attribute,100000,root,other,8388608,402257,0
    213 #	subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
    214 #	return,failure: Permission denied,-1
    215 #	trailer,163
    216 #
    217 #	header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
    218 #	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
    219 #	subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
    220 #	return,failure: No such file or directory,-1
    221 #	trailer,135
    222 
    223 label=AUE_ACCT
    224   case=Zero path
    225     format=arg1
    226       comment=1, 0, "accounting off"
    227   case=Non-zero path
    228     format=path1:[attr]2
    229       comment=may be truncated in failure case:
    230       comment=omitted if failure
    231 
    232 label=AUE_ACLSET
    233   syscall=acl
    234   format=arg1:arg2:(0..n)[acl]3
    235     comment=2, SETACL, "cmd":
    236     comment=3, number of ACL entries, "nentries":
    237     comment=Access Control List entries
    238 
    239 label=AUE_ADJTIME
    240   format=kernel
    241 
    242 label=AUE_ASYNC_DAEMON
    243   skip=Not used
    244 
    245 label=AUE_ASYNC_DAEMON_EXIT
    246   skip=Not used
    247 
    248 label=AUE_AUDIT
    249   skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)
    250 
    251 label=AUE_AUDITON
    252   skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)
    253 
    254 label=AUE_AUDITON_GESTATE
    255   skip=Not used
    256 
    257 label=AUE_AUDITON_GETCAR
    258   format=kernel
    259   syscall=auditon: GETCAR
    260 #	header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
    261 #	subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
    262 #	return,success,0
    263 #	trailer,68
    264 
    265 label=AUE_AUDITON_GETCLASS
    266   format=kernel
    267   syscall=auditon: GETCLASS
    268 #	header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
    269 #	subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
    270 #	return,success,0
    271 #	trailer,68
    272 
    273 label=AUE_AUDITON_GETCOND
    274   format=kernel
    275   syscall=auditon: GETCOND
    276 #	header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
    277 #	subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
    278 #	return,success,0
    279 #	trailer,68
    280 
    281 label=AUE_AUDITON_GETCWD
    282   format=kernel
    283   syscall=auditon: GETCWD
    284 #	header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
    285 #	subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
    286 #	return,success,0
    287 #	trailer,68
    288 
    289 label=AUE_AUDITON_GETKMASK
    290   format=kernel
    291   syscall=auditon: GETKMASK
    292 #	header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
    293 #	subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
    294 #	return,success,0
    295 #	trailer,68
    296 
    297 label=AUE_AUDITON_GETSTAT
    298   format=kernel
    299   syscall=auditon: A_GETSTAT
    300 #	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
    301 #	subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
    302 #	return,success,0
    303 #	trailer,68
    304 
    305 label=AUE_AUDITON_GPOLICY
    306   format=kernel
    307   syscall=auditon: GPOLICY
    308 #	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
    309 #	subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
    310 #	return,success,0
    311 #	trailer,68
    312 
    313 label=AUE_AUDITON_GQCTRL
    314   format=kernel
    315   syscall=auditon: GQCTRL
    316 #	header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
    317 #	subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
    318 #	return,success,0
    319 #	trailer,68
    320 
    321 
    322 label=AUE_AUDITON_GTERMID
    323   skip=Not used.
    324 
    325 label=AUE_AUDITON_SESTATE
    326   skip=Not used.
    327 
    328 label=AUE_AUDITON_SETCLASS
    329   format=[arg]1:[arg]2
    330     comment=2, "setclass&colon;ec_event", event number:
    331     comment=3, "setclass&colon;ec_class", class mask
    332   syscall=auditon: SETCLASS
    333 #	header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
    334 #	argument,2,0x0,setclass:ec_event
    335 #	argument,3,0x0,setclass:ec_class
    336 #	subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
    337 #	return,success,0
    338 #	trailer,120
    339 
    340 label=AUE_AUDITON_SETCOND
    341   format=[arg]1
    342     comment=3, "setcond", audit state
    343   syscall=auditon: SETCOND
    344 
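    345 label=AUE_AUDITON_SETKMASK
        # Two optional argument tokens, both with argument number 2; the text
        # field names the success or the failure half of the kernel mask.
        # The text is written with "&colon;" because the sample records below
        # show "setkmask:as_success" / "setkmask:as_failure", and a bare colon
        # would be read as the comment-array separator.  This also matches the
        # SETSMASK and SETUMASK annotations.
    346   format=[arg]1:[arg]2
    347     comment=2, "setkmask&colon;as_success", kernel mask:
    348     comment=2, "setkmask&colon;as_failure", kernel mask
    349   syscall=auditon: SETKMASK
        # Sample records: one successful call, then one that fails with
        # "Not owner".  The second subject field is root in the first record
        # and tuser10 in the second.
    350 #	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
    351 #	argument,2,0x0,setkmask:as_success
    352 #	argument,2,0x0,setkmask:as_failure
    353 #	subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
    354 #	return,success,0
    355 #	trailer,124
    356 #	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
    357 #	argument,2,0x0,setkmask:as_success
    358 #	argument,2,0x0,setkmask:as_failure
    359 #	subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
    360 #	return,failure: Not owner,-1
    361 #	trailer,124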
    362 
    363 label=AUE_AUDITON_SETSMASK
    364   format=[arg]1:[arg]2
    365     comment=3, "setsmask&colon;as_success", session ID mask:
    366     comment=3, "setsmask&colon;as_failure", session ID mask
    367   syscall=auditon: SETSMASK
    368 #	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
    369 #	argument,3,0x400,setsmask:as_success
    370 #	argument,3,0x400,setsmask:as_failure
    371 #	subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
    372 #	return,success,0
    373 #	trailer,124
    374 #	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
    375 #	argument,3,0x400,setsmask:as_success
    376 #	argument,3,0x400,setsmask:as_failure
    377 #	subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
    378 #	return,failure: Not owner,-1
    379 #	trailer,124
    380 
    381 label=AUE_AUDITON_SETSTAT
    382   format=kernel
    383   syscall=auditon: SETSTAT
    384 #	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
    385 #	subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
    386 #	return,success,0
    387 #	trailer,68
    388 #	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
    389 #	subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
    390 #	return,failure: Not owner,-1
    391 #	trailer,68
    392 
    393 label=AUE_AUDITON_SETUMASK
    394   format=[arg]1:[arg]2
    395     comment=3, "setumask&colon;as_success", audit ID mask:
    396     comment=3, "setumask&colon;as_failure", audit ID mask
    397   syscall=auditon: SETUMASK
    398 #	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
    399 #	argument,3,0x400,setumask:as_success
    400 #	argument,3,0x400,setumask:as_failure
    401 #	subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
    402 #	return,success,0
    403 #	trailer,124
    404 #	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
    405 #	argument,3,0x400,setumask:as_success
    406 #	argument,3,0x400,setumask:as_failure
    407 #	subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
    408 #	return,failure: Not owner,-1
    409 #	trailer,124
    410 
    411 label=AUE_AUDITON_SPOLICY
        # One optional argument token carrying the audit policy flags, with
        # the text "setpolicy".
        # NOTE(review): the comment below gives argument number 1, but both
        # sample records show "argument,3,0x200,setpolicy" -- confirm which
        # number is emitted and align the annotation with it.
    412   format=[arg]1
    413     comment=1, audit policy flags, "setpolicy"
    414   syscall=auditon: SPOLICY
        # Sample records: one successful call, then one that fails with
        # "Not owner".
    415 #	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
    416 #	argument,3,0x200,setpolicy
    417 #	subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
    418 #	return,success,0
    419 #	trailer,86
    420 #	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
    421 #	argument,3,0x200,setpolicy
    422 #	subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
    423 #	return,failure: Not owner,-1
    424 #	trailer,86
    425 
    426 label=AUE_AUDITON_SQCTRL
    427   format=[arg]1:[arg]2:[arg]3:[arg]4
    428     comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
    429     comment=3, "setqctrl&colon;aq_lowater", queue control param.:
    430     comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
    431     comment=3, "setqctrl&colon;aq_delay", queue control param.
    432   syscall=auditon: SQCTRL
    433 #	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
    434 #	argument,3,0x64,setqctrl:aq_hiwater
    435 #	argument,3,0xa,setqctrl:aq_lowater
    436 #	argument,3,0x400,setqctrl:aq_bufsz
    437 #	argument,3,0x14,setqctrl:aq_delay
    438 #	subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
    439 #	return,success,0
    440 #	trailer,176
    441 #	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
    442 #	argument,3,0x64,setqctrl:aq_hiwater
    443 #	argument,3,0xa,setqctrl:aq_lowater
    444 #	argument,3,0x400,setqctrl:aq_bufsz
    445 #	argument,3,0x14,setqctrl:aq_delay
    446 #	subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
    447 #	return,failure: Not owner,-1
    448 #	trailer,176
    449 
    450 label=AUE_AUDITON_STERMID
    451   skip=Not used.
    452 
    453 label=AUE_AUDITSTAT
    454   skip=Not used.
    455 
    456 label=AUE_AUDITSVC
    457   skip=Not used.
    458 
    459 label=AUE_AUDITSYS
    460   skip=Not used. (Place holder for various auditing events.)
    461 
    461 label=AUE_BIND
    462 # differs from documented version.
    463 # The "no vnode" cases are not fully confirmed.
    464 # The family and type arguments still need their real argument numbers;
        # the comment= entries below use 1 for both, apparently as a
        # placeholder, so do not rely on that number when matching records.
        # NOTE(review): the "no vnode" case= line has no format= of its own and
        # appears to share the format of the case= line that follows -- confirm.
    465   case=Invalid socket handle
    466     format=arg1
    467       comment=1, file descriptor, "so"
    468   case=If there is no vnode for this file descriptor
    469   case=or if the socket is not of the AF_INET family
    470     format=arg1:arg2:arg3
    471       comment=1, file descriptor, "so":
    472       comment=1, socket family, "family":
    473       comment=1, socket type, "type"
    474   case=or for all other conditions
    475     format=arg1:inet2
    476       comment=1, file descriptor, "so":
    477       comment=socket address
    479 
    480 label=AUE_BRANDSYS
    481 # generic mechanism to allow user-space and kernel components of a brand
    482 # to communicate.  The interpretation of the arguments to the call is
    483 # left entirely up to the brand.
    484   format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
    485     comment=1, command, "cmd":
    486     comment=2, command args, "arg":
    487     comment=3, command args, "arg":
    488     comment=4, command args, "arg":
    489     comment=5, command args, "arg":
    490     comment=6, command args, "arg":
    491     comment=7, command args, "arg"
    492 
    493 label=AUE_BSMSYS
    494   skip=Not used.
    495 
    496 label=AUE_CHDIR
    497   format=path:[attr]
    498 #	header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
    499 #	path,/export/home/CC_final/icenine/arv/chdir/obj_succ
    500 #	attribute,40777,root,other,8388608,231558,0
    501 #	subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
    502 #	return,success,0
    503 #	trailer,151
    504 #	header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
    505 #	path,/export/home/CC_final/icenine/arv/chdir/obj_fail
    506 #	attribute,40000,root,other,8388608,237646,0
    507 #	subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
    508 #	return,failure: Permission denied,-1
    509 #	trailer,151
    510 
    511 label=AUE_CHMOD
    512   format=arg1:path:[attr]
    513     comment=2, mode, "new file mode"
    514 #	header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
    515 #	argument,2,0x1f8,new file mode
    516 #	path,/export/home/CC_final/icenine/arv/chmod/obj_succ
    517 #	attribute,100770,tuser10,other,8388608,243608,0
    518 #	subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
    519 #	return,success,0
    520 #	trailer,173
    521 #	header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
    522 #	argument,2,0x1f8,new file mode
    523 #	path,/export/home/CC_final/icenine/arv/chmod/obj_fail
    524 #	attribute,100600,root,other,8388608,243609,0
    525 #	subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
    526 #	return,failure: Not owner,-1
    527 #	trailer,173
    528 
    529 label=AUE_CHOWN
        # Two argument tokens: the new uid (argument 2) and the new gid
        # (argument 3).
        # NOTE(review): format= lists only the two argument tokens, but both
        # sample records below also carry a path and an attribute token --
        # confirm whether path and [attr] belong in the format.
    530   format=arg1:arg2
    531     comment=2, uid, "new file uid":
    532     comment=3, gid, "new file gid"
        # Sample records: one successful call, then one that fails with
        # "Not owner".
    533 #	header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
    534 #	argument,2,0x271a,new file uid
    535 #	argument,3,0xffffffff,new file gid
    536 #	path,/export/home/CC_final/icenine/arv/chown/obj_succ
    537 #	attribute,100644,tuser10,other,8388608,268406,0
    538 #	subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
    539 #	return,success,0
    540 #	trailer,193
    541 #	header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
    542 #	argument,2,0x271a,new file uid
    543 #	argument,3,0xffffffff,new file gid
    544 #	path,/export/home/CC_final/icenine/arv/chown/obj_fail
    545 #	attribute,100644,root,other,8388608,268407,0
    546 #	subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
    547 #	return,failure: Not owner,-1
    548 #	trailer,193
    549 
    550 label=AUE_CHROOT
    551   format=path:[attr]
    552 #	header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
    553 #	path,/
    554 #	attribute,40755,root,root,8388608,2,0
    555 #	subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
    556 #	return,success,0
    557 #	trailer,104
    558 #	header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
    559 #	path,/export/home/CC_final/icenine/arv/chroot/obj_fail
    560 #	attribute,40777,tuser10,other,8388608,335110,0
    561 #	subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
    562 #	return,failure: Not owner,-1
    563 #	trailer,152
    564 
    565 label=AUE_CLOCK_SETTIME
    566   format=kernel
    567 
    568 label=AUE_CLOSE
    569   format=arg1:[path]:[attr]
    570     comment=1, file descriptor, "fd"
    571 
    572 label=AUE_CONFIGKSSL
    573   case=Adding KSSL entry.
    574     format=text1:inaddr2:text3:text4
    575       comment=opcode, KSSL_ADD_ENTRY:
    576       comment=local IP address:
    577       comment=SSL port number:
    578       comment=proxy port number
    579   case=Deleting KSSL entry.
    580     format=text1:inaddr2:text3
    581       comment=opcode, KSSL_DELETE_ENTRY:
    582       comment=local IP address:
    583       comment=SSL port number
    584 
    585 label=AUE_CONNECT
    586 # The "no vnode" cases are not fully confirmed.
        # NOTE(review): the family and type comment= entries below carry
        # argument number 1, the same number as the file descriptor -- this
        # looks like a placeholder; confirm the real argument numbers.
        # NOTE(review): the "no vnode" case= line has no format= of its own and
        # appears to share the format of the case= line that follows -- confirm.
    587   case=If there is no vnode for this file descriptor
    588   case=If the socket address is not part of the AF_INET family
    589     format=arg1:arg2:arg3
    590       comment=1, file descriptor, "so":
    591       comment=1, socket family, "family":
    592       comment=1, socket type, "type"
    593   case=If the socket address is part of the AF_INET family
    594     format=arg1:inet2
    595       comment=1, file descriptor, "so":
    596       comment=socket address
    597 
    598 label=AUE_CORE
    599   syscall=none
    600   title=process dumped core
    601   see=none
    602   format=path:[attr]:arg1
    603     comment=1, signal, "signal"
    604 # see uts/common/c2/audit.c
    605 
    606 label=AUE_CREAT
    607   format=path:[attr]
    608 # does not match old BSM manual
    609 #	header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
    610 #	path,/export/home/CC_final/icenine/arv/creat/obj_succ
    611 #	attribute,100644,tuser10,other,8388608,49679,0
    612 #	subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
    613 #	return,success,8
    614 #	trailer,151
    615 #	header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
    616 #	path,/devices/pseudo/mm@0:null
    617 #	subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
    618 #	return,success,8
    619 #	trailer,107
    620 #	header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
    621 #	path,/obj_fail
    622 #	subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
    623 #	return,failure: Permission denied,-1
    624 #	trailer,83
    625 
    626 label=AUE_CRYPTOADM
    627   title=kernel cryptographic framework
    628   format=text1:(0..n)[text]2
    629   comment=cryptoadm command/operation:
    630   comment=mechanism list
    631 
    632 label=AUE_DOORFS
    633   skip=Not used.  (Place holder for set of door audit events.)
    634 
    635 label=AUE_DOORFS_DOOR_BIND
    636   skip=Not used.
    637   syscall=doorfs:  DOOR_BIND
    638 
    639 label=AUE_DOORFS_DOOR_CALL
    640   format=arg1:proc2
    641     comment=1, door ID, "door ID":
    642     comment=for process that owns the door
    643   syscall=doorfs:  DOOR_CALL
    644 
    645 label=AUE_DOORFS_DOOR_CREATE
    646   format=arg1
    647     comment=1, door attributes, "door attr"
    648   syscall=doorfs:  DOOR_CREATE
    649 
    650 label=AUE_DOORFS_DOOR_CRED
    651   skip=Not used.
    652   syscall=doorfs:  DOOR_CRED
    653 
    654 label=AUE_DOORFS_DOOR_INFO
    655   skip=Not used.
    656   syscall=doorfs:  DOOR_INFO
    657 
    658 label=AUE_DOORFS_DOOR_RETURN
    659   format=kernel
    660   syscall=doorfs:  DOOR_RETURN
    661 
    662 label=AUE_DOORFS_DOOR_REVOKE
    663   format=arg1
    664     comment=1, door ID, "door ID"
    665   syscall=doorfs:  DOOR_REVOKE
    666 
    667 label=AUE_DOORFS_DOOR_UNBIND
    668   skip=Not used.
    669   syscall=doorfs:  DOOR_UNBIND
    670 
    671 label=AUE_DUP2
    672 skip=Not used.
    673 
    674 label=AUE_ENTERPROM
        # "enter prom" record; it is not tied to a system call (syscall=none).
        # format= spells out head:text1:ret itself instead of using the
        # kernel/user record pattern, so no subject token is listed; the
        # sample record below likewise has no subject line.  Expect no
        # user attribution in this record.
    675   title=enter prom
    676   syscall=none
    677   format=head:text1:ret
    678     comment="kmdb"
    679 #	header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
    680 #	text,kmdb
    681 #	return,success,0
    682 
    683 label=AUE_EXEC
        # A path token followed by three optional tokens.  Per the comments
        # below, the attribute token is omitted on error, and exec_args and
        # exec_env are written only when the argv and arge audit policies are
        # set.  A record without them therefore does not show that the program
        # was started without arguments or environment.
    684   format=path:[attr]1:[exec_args]2:[exec_env]3
    685     comment=omitted on error:
    686     comment=output if argv policy is set:
    687     comment=output if arge policy is set
    688 
    689 label=AUE_EXECVE
        # A path token followed by three optional tokens.  Per the comments
        # below, the attribute token is omitted on error, and exec_args and
        # exec_env are written only when the argv and arge audit policies are
        # set.  A record without them therefore does not show that the program
        # was started without arguments or environment.
    690   format=path:[attr]1:[exec_args]2:[exec_env]3
    691     comment=omitted on error:
    692     comment=output if argv policy is set:
    693     comment=output if arge policy is set
        # Sample records.  NOTE(review): the first one is a creat(2) record,
        # not an execve(2) record -- confirm whether it belongs here.  The
        # second is a failed execve(2); it has a path token but no attribute
        # token, consistent with "omitted on error".
    694 #	header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
    695 #	path,/devices/pseudo/mm@0:null
    696 #	subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
    697 #	return,success,8
    698 #	trailer,107
    699 #	header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
    700 #	path,/usr/bin/pig
    701 #	subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
    702 #	return,failure: No such file or directory,-1
    703 #	trailer,86
    704 
    705 label=AUE_EXIT
    706   format=[text]1
    707     comment=event aborted
    708 
    709 label=AUE_EXITPROM
        # "exit prom" record; it is not tied to a system call (syscall=none).
        # format= spells out head:text1:ret itself instead of using the
        # kernel/user record pattern, so no subject token is listed; the
        # sample record below likewise has no subject line.  Expect no
        # user attribution in this record.
    710   title=exit prom
    711   syscall=none
    712   format=head:text1:ret
    713     comment="kmdb"
    714 #	header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
    715 #	text,kmdb
    716 #	return,success,0
    717 
    718 label=AUE_EXPORTFS
    719   skip=Not used.
    720 
    721 label=AUE_FACCESSAT
    722   see=access(2)
    723   format=path:[path_attr]:[attr]
    724 
    725 label=AUE_FACLSET
    726   syscall=facl
    727   case=Invalid file descriptor
    728     format=arg1:arg2
    729       comment=2, SETACL, "cmd":
    730       comment=3, number of ACL entries, "nentries"
    731   case=Zero path
    732     format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
    733       comment=2, SETACL, "cmd":
    734       comment=3, number of ACL entries, "nentries":
    735       comment=1, file descriptor, "no path&colon; fd":
    736       comment=ACLs
    737   case=Non-zero path
    738     format=arg1:arg2:path:[attr]:(0..n)[acl]3
    739       comment=2, SETACL, "cmd":
    740       comment=3, number of ACL entries, "nentries":
    741       comment=ACLs
    742 
    743 label=AUE_FCHDIR
    744   format=[path]:[attr]
    745 #	header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
    746 #	path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
    747 #	attribute,40777,tuser10,other,8388608,207662,0
    748 #	subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
    749 #	return,success,0
    750 #	trailer,150
    751 #	header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
    752 #	subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
    753 #	return,failure: Permission denied,-1
    754 #	trailer,68
    755 
    756 label=AUE_FCHMOD
    757   case=With a valid file descriptor and path
    758     format=arg1:path:[attr]
    759       comment=2, mode, "new file mode"
    760   case=With a valid file descriptor and invalid path
    761     format=arg1:[arg]2:[attr]
    762       comment=2, mode, "new file mode":
    763       comment=1, file descriptor, "no path&colon; fd"
    764   case=With an invalid file descriptor
    765     format=arg1
    766       comment=2, mode, "new file mode"
    767 #	header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
    768 #	argument,2,0x1a4,new file mode
    769 #	path,/export/home/CC/icenine/arv/fchmod/obj_succ
    770 #	attribute,100644,tuser10,other,7602240,26092,0
    771 #	subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
    772 #	return,success,0
    773 #	trailer,168
    774 #	header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
    775 #	argument,2,0x1a4,new file mode
    776 #	subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
    777 #	return,failure: Bad file number,-1
    778 #	trailer,90
    779 #	header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
    780 #	argument,2,0x1a4,new file mode
    781 #	path,/export/home/CC/icenine/arv/fchmod/obj_fail
    782 #	attribute,100644,root,other,7602240,26093,0
    783 #	subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
    784 #	return,failure: Not owner,-1
    785 #	trailer,168
    786 
    787 label=AUE_FCHOWN
    788   case=With a valid file descriptor
    789     format=arg1:arg2:[path]:[attr]
    790       comment=2, uid, "new file uid":
    791       comment=3, gid, "new file gid"
    792   case=With an invalid file descriptor
    793     format=arg1:arg2:[arg]3:[attr]
    794        comment=2, uid, "new file uid":
    795        comment=3, gid, "new file gid":
    796        comment=1, file descriptor, "no path fd"
    797 
    798 label=AUE_FCHOWNAT
    799   see=openat(2)
    800   case=With a valid absolute/relative file path 
    801     format=path:[path_attr]:[attr]
    802   case=With a file path eq. NULL and valid file descriptor
    803     format=kernel
    804 
    805 label=AUE_FCHROOT
    806   format=[path]:[attr]
    807 # fchroot -> chdirec -> audit_chdirec
    808 
    809 label=AUE_FCNTL
    810   case=With a valid file descriptor
    811     format=arg1:path:attr
    812       comment=2, command, "cmd"
    813   case=With an invalid file descriptor
    814     format=arg1:arg2
    815       comment=2, command, "cmd":
    816       comment=1, file descriptor, "no path fd"
    817 
    818 label=AUE_FLOCK
    819   skip=Not used.
    820 
    821 label=AUE_FORKALL
    822   format=[arg]1
    823     comment=0, pid, "child PID"
    824   note=The forkall(2) return values are undefined because the audit record 
    825   note=is produced at the point that the child process is spawned.
    826 # see audit.c
    827 
    828 label=AUE_FORK1
    829   format=[arg]1
    830     comment=0, pid, "child PID"
    831   note=The fork1(2) return values are undefined because the audit record 
    832   note=is produced at the point that the child process is spawned.
    833 # see audit.c
    834 
    835 label=AUE_FSAT
    836   skip=Not used.  (Placeholder for AUE_*AT records)
    837 #openat		AUE_OPENAT_{W,RW,R}  appended with CT as needed
    838 #openat64	AUE_OPENAT_{W,RW,R}  appended with CT as needed
    839 #fstatat64	AUE_FSTATAT
    840 #fstat		AUE_FSTATAT
    841 #chownat	AUE_FCHOWNAT
    842 #unlinkat	AUE_UNLINKAT
    843 #futimesat	AUE_FUTIMESAT
    844 #renameat	AUE_RENAMEAT
    845 #faccessat	AUE_FACCESSAT
    846 
    847 label=AUE_FSTAT
    848   skip=Not used.
    849 
    850 label=AUE_FSTATAT
    851   format=path:[path_attr]:[attr]
    852 
    853 label=AUE_FSTATFS
    854   case=With a valid file descriptor
    855     format=[path]:[attr]
    856   case=With an invalid file descriptor
    857     format=arg1
    858       comment=1, file descriptor, "no path fd"
    859 
    860 label=AUE_FTRUNCATE
    861   skip=Not used.
    862 
    863 label=AUE_FUSERS
    864   syscall=utssys: UTS_FUSERS
    865   format=path:attr
    866 
    867 
    868 label=AUE_FUTIMESAT
    869   syscall=utimes(2)
    870   format=[path]:[path_attr]:[attr]
    871 
    872 label=AUE_GETAUDIT
    873   format=kernel
    874 #	header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
    875 #	subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
    876 #	return,success,0
    877 #	trailer,68
    878 #	header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
    879 #	subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
    880 #	return,success,0
    881 #	trailer,68
    882 
    883 label=AUE_GETAUDIT_ADDR
    884   format=kernel
    885 #	header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
    886 #	subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
    887 #	return,success,0
    888 
    889 label=AUE_GETAUID
    890   format=kernel
    891 #	header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
    892 #	subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
    893 #	return,success,0
    894 #	trailer,68
    895 #	header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
    896 #	subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
    897 #	return,failure: Not owner,-1
    898 #	trailer,68
    899 
    900 label=AUE_GETDENTS
    901   skip=Not used.
    902 #Not security relevant
    903 
    904 label=AUE_GETKERNSTATE
    905   skip=Not used.
    906 
    907 label=AUE_GETMSG
    908   case=With a valid file descriptor
    909   format=arg1:[path]:attr:arg2
    910     comment=1, file descriptor, "fd":
    911     comment=4, priority, "pri"
    912   case=With an invalid file descriptor
    913   format=arg1:arg2
    914     comment=1, file descriptor, "fd":
    915     comment=4, priority, "pri"
    916 
    917 label=AUE_GETPMSG
    918   case=With a valid file descriptor
    919   format=arg1:[path]:attr
    920     comment=1, file descriptor, "fd"
    921   case=With an invalid file descriptor
    922   format=arg1
    923     comment=1, file descriptor, "fd"
    924 
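    925 label=AUE_GETPORTAUDIT
    926   skip=Not used.
        # Unused event. It is marked with skip= (not format=) like every other
        # unused event in this file; "Not used." is not a token list.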
    927 
    928 label=AUE_GETUSERAUDIT
    929   skip=Not used.
    930 
    931 label=AUE_INST_SYNC
    932   format=arg1
    933     comment=2, flags value, "flags"
    934 
    935 label=AUE_IOCTL
    936   case=With an invalid file descriptor
    937     format=arg1:arg2:arg3
    938       comment=1, file descriptor, "fd":
    939       comment=2, command, "cmd":
    940       comment=3, arg, "arg"
    941   case=With a valid file descriptor
    942     format=path:[attr]:arg1:arg2
    943       comment=2, ioctl cmd, "cmd":
    944       comment=3, ioctl arg, "arg"
    945   case=Non-file file descriptor
    946     format=arg1:arg2:arg3
    947       comment=1, file descriptor, "fd":
    948       comment=2, ioctl cmd, "cmd":
    949       comment=3, ioctl arg, "arg"
    950   case=Bad file name
    951     format=arg1:arg2:arg3
    952       comment=1, file descriptor, "no path&colon; fd":
    953       comment=2, ioctl cmd, "cmd":
    954       comment=3, ioctl arg, "arg"
    955 # old BSM manual misses a case
    956 
    957 label=AUE_JUNK
    958   skip=Not used.
    959 
    960 label=AUE_KILL
    961   case=Valid process
    962     format=arg1:[proc]
    963       comment=2, signo, "signal"
    964   case=Zero or negative process
    965     format=arg1:arg2
    966       comment=2, signo, "signal":
    967       comment=1, pid, "process"
    968 
    969 label=AUE_KILLPG
    970   skip=Not used.
    971 
    972 label=AUE_LCHOWN
    973   format=arg1:arg2:path:[attr]
    974     comment=2, uid, "new file uid":
    975     comment=3, gid, "new file gid"
    976 
    977 label=AUE_LINK
    978   format=path1:[attr]:path2
    979      comment=from path:
    980      comment=to path
    981 
    982 label=AUE_LSEEK
    983   skip=Not used.
    984 
    985 label=AUE_LSTAT
    986   format=path:[attr]
    987 
    988 label=AUE_LXSTAT
    989   skip=Not used.
    990 # AUE_LXSTAT now maps to AUE_LSTAT 
    991 
    992 label=AUE_MCTL
    993   skip=Not used.
    994 
    995 label=AUE_MEMCNTL
    996   format=arg1:arg2:arg3:arg4:arg5:arg6
    997     comment=1, base address, "base":
    998     comment=2, length, "len":
    999     comment=3, command, "cmd":
   1000     comment=4, command args, "arg":
   1001     comment=5, command attributes, "attr":
   1002     comment=6, 0, "mask"
   1003 
   1004 label=AUE_MKDIR
   1005   format=arg1:path:[attr]
   1006     comment=2, mode, "mode"
   1007 
   1008 label=AUE_MKNOD
   1009   format=arg1:arg2:path:[attr]
   1010     comment=2, mode, "mode":
   1011     comment=3, dev, "dev"
   1012 
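   1013 label=AUE_MMAP
   1014   case=With a valid file descriptor
   1015     format=arg1:arg2:[path]3:[attr]
   1016       comment=1, segment address, "addr":
   1017       comment=2, segment length, "len":
   1018       comment=if no path, then argument&colon; \
   1019         1, "nopath&colon; fd", file descriptor
   1020   case=With an invalid file descriptor
   1021     format=arg1:arg2:arg3
   1022       comment=1, segment address, "addr":
   1023       comment=2, segment length, "len":
   1024       comment=1, file descriptor, "no path&colon; fd"
        # Argument 2 carries the text "len", so it is described as the segment
        # length rather than a second "segment address".
        # When the descriptor has no path, the record holds the descriptor as an
        # argument token in place of the path token; consumers that match on
        # path tokens need to handle that form as well.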
   1025 
   1026 label=AUE_MODADDMAJ
   1027   title=modctl: bind module
   1028   syscall=modctl
   1029   format=[text]1:[text]2:text3:arg4:(0..n)[text]5
   1030     comment=driver major number:
   1031     comment=driver name:
   1032     comment=driver major number or "no drvname":
   1033     comment=5, number of aliases, "":
   1034     comment=aliases
   1035 
   1036 label=AUE_MODADDPRIV
   1037   format=kernel
   1038 
   1039 label=AUE_MODCONFIG
   1040   skip=Not used.
   1041 
   1042 label=AUE_MODCTL
   1043   skip=Not used. (placeholder)
   1044 
   1045 label=AUE_MODDEVPLCY
   1046   syscall=modctl
   1047   title=modctl: set device policy
   1048   case=If unknown minor name/pattern
   1049     format=arg1:arg2:arg3:arg4:arg5
   1050       comment=2, "major", major number:
   1051       comment=2, "lomin", low minor number, if known:
   1052       comment=2, "himin", hi minor number, if known:
   1053       comment=privileges required for reading:
   1054       comment=privileges required for writing
   1055   case=else
   1056     format=arg1:text2:arg3:arg4
   1057       comment=2, "major", major number:
   1058       comment=minor name/pattern:
   1059       comment=privileges required for reading:
   1060       comment=privileges required for writing
   1061 
   1062 label=AUE_MODLOAD
   1063   syscall=modctl
   1064   title=modctl: load module
   1065   format=[text]1:text2
   1066     comment=default path:
   1067     comment=filename path
   1068 
   1069 label=AUE_MODUNLOAD
   1070   syscall=modctl
   1071   title=modctl: unload module
   1072   format=arg1
   1073     comment=1, module ID, "id"
   1074 
   1075 label=AUE_MOUNT
   1076   case=UNIX file system
   1077     format=arg1:text2:path:[attr]
   1078       comment=3, flags, "flags":
   1079       comment=filesystem type
   1080   case=NFS file system
   1081     format=arg1:text2:text3:arg4:path:[attr]
   1082       comment=3, flags, "flags":
   1083       comment=filesystem type:
   1084       comment=host name:
   1085       comment=3, flags, "internal flags"
   1086 # unix example:
   1087 #	header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
   1088 #	argument,3,0x104,flags
   1089 #	text,ufs
   1090 #	path,/var2
   1091 #	attribute,40755,root,root,32,12160,0
   1092 #	path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
   1093 #	attribute,60640,root,sys,32,231268,137438953476
   1094 #	subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
   1095 #	return,success,4290707268
   1096 #		       ^^^^^^^^^^         <- bugid 4333559
        # NOTE(review): the carets mark the return value of the sample, which the
        # author ties to bugid 4333559; presumably the value is wrong, so do not
        # use it as a reference for what a successful mount returns.
        # The sample holds two path/attribute pairs (mount point and device)
        # while the UNIX format line lists a single path:[attr] -- TODO confirm
        # which of the two reflects current records.
   1097 
   1098 label=AUE_MSGCTL
   1099   format=arg1:[ipc]:[ipc_perm]
   1100     comment=1, message ID, "msg ID"
   1101   note=ipc_perm
   1102 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
   1103 
   1104 label=AUE_MSGCTL_RMID
   1105   format=arg1:[ipc]:[ipc_perm]
   1106     comment=1, message ID, "msg ID"
   1107   note=ipc_perm
   1108   syscall=msgctl: IPC_RMID
   1109 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
   1110 
   1111 label=AUE_MSGCTL_SET
   1112   format=arg1:[ipc]:[ipc_perm]
   1113     comment=1, message ID, "msg ID"
   1114   note=ipc_perm
   1115   syscall=msgctl: IPC_SET
   1116 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
   1117 
   1118 label=AUE_MSGCTL_STAT
   1119   format=arg1:[ipc]:[ipc_perm]
   1120     comment=1, message ID, "msg ID"
   1121   note=ipc_perm
   1122   syscall=msgctl: IPC_STAT
   1123 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
   1124 
   1125 label=AUE_MSGGET
   1126   format=arg1:ipc
   1127     comment=1, message key, "msg key"
   1128   note=ipc_perm
   1129   syscall=msgget
   1130 
   1131 label=AUE_MSGGETL
   1132   skip=Not used.
   1133 
   1134 label=AUE_MSGRCV
   1135   format=arg1:[ipc]:[ipc_perm]
   1136     comment=1, message ID, "msg ID"
   1137   note=ipc_perm
   1138   syscall=msgrcv
   1139 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
   1140 
   1141 label=AUE_MSGRCVL
   1142   skip=Not used.
   1143 
   1144 label=AUE_MSGSND
   1145   format=arg1:[ipc]:[ipc_perm]
   1146     comment=1, message ID, "msg ID"
   1147   note=ipc_perm
   1148   syscall=msgsnd
   1149 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
   1150 
   1151 label=AUE_MSGSNDL
   1152   skip=Not used.
   1153 
   1154 label=AUE_MSGSYS
   1155 skip=Not used.  (Placeholder for AUE_MSG* events.)
   1156 
   1157 label=AUE_MUNMAP
   1158   format=arg1:arg2
   1159     comment=1, address of memory, "addr":
   1160     comment=2, memory segment size, "len"
   1161 
   1162 label=AUE_NFS
   1163   skip=Not used.
   1164 
   1165 label=AUE_NFSSVC_EXIT
   1166   skip=Not used.
   1167 
   1168 label=AUE_NFS_GETFH
   1169   skip=Not used.
   1170 
   1171 label=AUE_NFS_SVC
   1172   skip=Not used.
   1173 
   1174 label=AUE_NICE
   1175   format=kernel
   1176 
   1177 label=AUE_NULL
   1178   skip=Not used.  (placeholder)
   1179 # used internal to audit_event.c for minimal audit
   1180 
   1181 label=AUE_NTP_ADJTIME
   1182   format=kernel
   1183 
   1184 label=AUE_ONESIDE
   1185   skip=Not used.
   1186 
   1187 label=AUE_OPEN
   1188   skip=Not used.  (placeholder for AUE_OPEN_*).
   1189 
   1190 label=AUE_OPEN_R
   1191   format=path:[attr]
   1192   see=open(2) - read
   1193 
   1194 label=AUE_OPENAT_R
   1195   format=path:[path_attr]:[attr]
   1196   see=openat(2)
   1197 
   1198 label=AUE_OPEN_RC
   1199   format=path:[attr]
   1200   see=open(2) - read,creat
   1201 
   1202 label=AUE_OPENAT_RC
   1203   see=openat(2)
   1204   format=path:[path_attr]:[attr]
   1205 # aui_fsat(): fm & O_CREAT mangling
   1206 
   1207 label=AUE_OPEN_RT
   1208   format=path:[attr]
   1209   see=open(2) - read,trunc
   1210 
   1211 label=AUE_OPENAT_RT
   1212   see=openat(2)
   1213   format=path:[path_attr]:[attr]
   1214 # aui_fsat(): fm & O_TRUNC mangling
   1215 
   1216 label=AUE_OPEN_RTC
   1217   format=path:[attr]
   1218   see=open(2) - read,trunc,creat
   1219 
   1220 label=AUE_OPENAT_RTC
   1221   see=openat(2)
   1222   format=path:[path_attr]:[attr]
   1223 # aui_fsat(): fm & O_TRUNC mangling, fm & O_CREAT mangling
   1224 
   1225 label=AUE_OPEN_RW
   1226   format=path:[attr]
   1227   see=open(2) - read,write
   1228 
   1229 label=AUE_OPENAT_RW
   1230   see=openat(2)
   1231   format=path:[path_attr]:[attr]
   1232 # aui_fsat(): fm & O_RDWR 
   1233 
   1234 label=AUE_OPEN_RWC
   1235   format=path:[attr]
   1236   see=open(2) - read,write,creat
   1237 
   1238 label=AUE_OPENAT_RWC
   1239   see=openat(2)
   1240   format=path:[path_attr]:[attr]
   1241 # aui_fsat(): fm & O_RDWR, fm & O_CREAT mangling
   1242 
   1243 label=AUE_OPEN_RWT
   1244   format=path:[attr]
   1245   see=open(2) - read,write,trunc
   1246 
   1247 label=AUE_OPENAT_RWT
   1248   see=openat(2)
   1249   format=path:[path_attr]:[attr]
   1250 # aui_fsat(): fm & O_RDWR, fm & O_TRUNC mangling
   1251 
   1252 label=AUE_OPEN_RWTC
   1253   format=path:[attr]
   1254   see=open(2) - read,write,trunc,creat
   1255 
   1256 label=AUE_OPENAT_RWTC
   1257   see=openat(2)
   1258   format=path:[path_attr]:[attr]
   1259 # aui_fsat(): fm & O_RDWR, fm & O_TRUNC mangling, fm & O_CREAT mangling
   1260 
   1261 label=AUE_OPEN_W
   1262   format=path:[attr]
   1263   see=open(2) - write
   1264 
   1265 label=AUE_OPENAT_W
   1266   see=openat(2)
   1267   format=path:[path_attr]:[attr]
   1268 
   1269 label=AUE_OPEN_WC
   1270   format=path:[attr]
   1271   see=open(2) - write,creat
   1272 
   1273 label=AUE_OPENAT_WC
   1274   see=openat(2)
   1275   format=path:[path_attr]:[attr]
   1276 # aui_fsat(): fm & O_WRONLY, fm & O_CREAT mangling
   1277 
   1278 label=AUE_OPEN_WT
   1279   format=path:[attr]
   1280   see=open(2) - write,trunc
   1281 
   1282 label=AUE_OPENAT_WT
   1283   see=openat(2)
   1284   format=path:[path_attr]:[attr]
   1285 # aui_fsat(): fm & O_WRONLY, fm & O_TRUNC mangling
   1286 
   1287 label=AUE_OPEN_WTC
   1288   format=path:[attr]
   1289   see=open(2) - write,trunc,creat
   1290 
   1291 label=AUE_OPENAT_WTC
   1292   see=openat(2)
   1293   format=path:[path_attr]:[attr]
   1294 # aui_fsat(): fm & O_WRONLY, fm & O_TRUNC mangling, fm & O_CREAT mangling
   1295 
   1296 label=AUE_OSETPGRP
   1297   skip=Not used.
   1298 
   1299 label=AUE_OSTAT
   1300   skip=Not used.
   1301 
   1302 label=AUE_PATHCONF
   1303   format=path:[attr]
   1304 
   1305 label=AUE_PIPE
   1306 format=kernel
   1307 # class is no, not usually printed
   1308 
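   1309 label=AUE_PORTFS
   1310   skip=Not used (placeholder for AUE_PORTFS_*).
        # One entry per label: this placeholder was listed twice with identical
        # content, and only a single copy is kept.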
   1314 
   1315 label=AUE_PORTFS_ASSOCIATE
   1316   syscall=portfs
   1317   see=port_associate(3C)
   1318   case=Port association via PORT_SOURCE_FILE
   1319   format=[path]1:attr
   1320     comment=name of the file/directory to be watched
   1321 
   1322 label=AUE_PORTFS_DISSOCIATE
   1323   syscall=portfs
   1324   see=port_dissociate(3C)
   1325   case=Port disassociation via PORT_SOURCE_FILE
   1326   format=kernel
   1327 
   1328 label=AUE_PRIOCNTLSYS
   1329   syscall=priocntl
   1330   see=priocntl(2)
   1331   format=arg1:arg2
   1332     comment=1, priocntl version number, "pc_version":
   1333     comment=3, command, "cmd"
   1334 
   1335 label=AUE_PROCESSOR_BIND
   1336   case=No LWP/thread bound to the processor
   1337     format=arg1:arg2:text3:[proc]
   1338       comment=1, type of ID, "ID type":
   1339       comment=2, ID value, "ID":
   1340       comment="PBIND_NONE"
   1341   case=With processor bound
   1342     format=arg1:arg2:arg3:[proc]
   1343       comment=1, type of ID, "ID type":
   1344       comment=2, ID value, "ID":
   1345       comment=3, processor ID, "processor_id"
   1346 
   1347 label=AUE_PUTMSG
   1348   see=putmsg(2)
   1349   format=arg1:[path]:[attr]:arg2
   1350     comment=1, file descriptor, "fd":
   1351     comment=4, priority, "pri"
   1352 
   1353 label=AUE_PUTPMSG
   1354   see=putpmsg(2)
   1355   format=arg1:[path]:[attr]:arg2:arg3
   1356     comment=1, file descriptor, "fd":
   1357     comment=4, priority, "pri":   
   1358     comment=5, flags, "flags"
   1359 
   1360 label=AUE_P_ONLINE
   1361   format=arg1:arg2:text3
   1362     comment=1, processor ID, "processor ID":
   1363     comment=2, flags value, "flags":
   1364     comment=text form of flags.  Values&colon;  \
   1365       P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
   1366 
   1367 label=AUE_QUOTACTL
   1368   skip=Not used.
   1369 
   1370 label=AUE_READ
   1371   skip=Not used.  (Placeholder for AUE_READ_* events)
   1372 
   1373 label=AUE_READL
   1374   skip=Not used. (Obsolete)
   1375 
   1376 label=AUE_READLINK
   1377   format=path:[attr]
   1378 
   1379 label=AUE_READV
   1380   skip=Not used (obsolete)
   1381 # detritus from CMS
   1382 
   1383 label=AUE_READVL
   1384   skip=Not used (obsolete)
   1385 # detritus from CMS
   1386 
   1387 label=AUE_REBOOT
   1388   skip=Not used.
   1389 
   1390 label=AUE_RECV
   1391   case=If address family is AF_INET or AF_INET6
   1392     format=[arg]1:[inet]
   1393       comment=1, file descriptor, "so"
   1394   case=If address family is AF_UNIX and path is defined
   1395     format=[path]1:[attr]
   1396       comment=1, file descriptor, "so"
   1397   case=If address family is AF_UNIX and path is NULL
   1398     format=[path]1:[attr]
   1399       comment=1, file descriptor, "no path&colon; fd"
   1400   case=If address family is other than AF_UNIX, AF_INET, AF_INET6
   1401     format=[arg]1:[arg]2:[arg]3
   1402       comment=1, file descriptor, "so":
   1403       comment=1, family, "family":
   1404       comment=1, type, "type"
   1405 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
   1406 
   1407 label=AUE_RECVFROM
   1408   format=inet:arg1:[arg]2:inet3:arg4
   1409     comment=3, message length, "len":
   1410     comment=4, flags, "flags":
   1411     comment=from address:
   1412     comment=6, address length, "tolen"
   1413   note=The socket token for a bad socket is reported as "argument 
   1414   note=token (1, socket descriptor, "fd")"
   1415 
   1416 label=AUE_RECVMSG
   1417   case=If invalid file descriptor
   1418     format=arg1:arg2
   1419       comment=1, file descriptor, "so":
   1420       comment=3, flags, "flags"
   1421   case=If valid file descriptor and socket is AF_UNIX and no path
   1422   format=arg1:[attr]
   1423     comment=1, file descriptor, "no path&colon; fd"
   1424   case=If valid file descriptor and socket is AF_UNIX and path defined
   1425   format=path:attr
   1426   case=If valid file descriptor and socket is AF_INET or AF_INET6
   1427   case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
   1428   format=arg1:arg2:inet
   1429     comment=1, file descriptor, "so":
   1430     comment=2, flags, "flags"
   1431   case=.. if socket type is unknown
   1432   format=arg1:arg2:arg3:arg4
   1433     comment=1, file descriptor, "so":
   1434     comment=1, family, "family":
   1435     comment=1, type, "type":
   1436     comment=3, flags, "flags"
   1437 
   1438 label=AUE_RENAME
   1439   format=path1:[attr]1:[path]2
   1440   comment=from name:
   1441   comment=to name
   1442 
   1443 label=AUE_RENAMEAT
   1444 # see openat(2)
   1445   format=path1:[path_attr]:[attr]1:[path]2:[path_attr]
   1446   comment=from name:
   1447   comment=to name
   1448 
   1449 label=AUE_RFSSYS
   1450   skip=Not used.
   1451 # apparently replaced
   1452 
   1453 label=AUE_RMDIR
   1454   format=path:[attr]
   1455 
   1456 label=AUE_SEMCTL
   1457   format=arg1:[ipc]:[ipc_perm]
   1458     comment=1, semaphore ID, "sem ID"
   1459   note=ipc_perm
   1460 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1461 
   1462 label=AUE_SEMCTL_GETALL
   1463   format=arg1:[ipc]:[ipc_perm]
   1464     comment=1, semaphore ID, "sem ID"
   1465   note=ipc_perm
   1466   syscall=semctl: GETALL
   1467 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1468 
   1469 label=AUE_SEMCTL_GETNCNT
   1470   format=arg1:[ipc]:[ipc_perm]
   1471     comment=1, semaphore ID, "sem ID"
   1472   note=ipc_perm
   1473   syscall=semctl: GETNCNT
   1474 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1475 
   1476 label=AUE_SEMCTL_GETPID
   1477   format=arg1:[ipc]:[ipc_perm]
   1478     comment=1, semaphore ID, "sem ID"
   1479   note=ipc_perm
   1480   syscall=semctl: GETPID
   1481 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1482 
   1483 label=AUE_SEMCTL_GETVAL
   1484   format=arg1:[ipc]:[ipc_perm]
   1485     comment=1, semaphore ID, "sem ID"
   1486   note=ipc_perm
   1487   syscall=semctl: GETVAL
   1488 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1489 
   1490 label=AUE_SEMCTL_GETZCNT
   1491   format=arg1:[ipc]:[ipc_perm]
   1492     comment=1, semaphore ID, "sem ID"
   1493   note=ipc_perm
   1494   syscall=semctl: GETZCNT
   1495 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1496 
   1497 label=AUE_SEMCTL_RMID
   1498   format=arg1:[ipc]:[ipc_perm]
   1499     comment=1, semaphore ID, "sem ID"
   1500   note=ipc_perm
   1501   syscall=semctl: IPC_RMID
   1502 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
   1503 
   1504 label=AUE_SEMCTL_SET
   1505   format=arg1:[ipc]:[ipc_perm]
   1506     comment=1, semaphore ID, "sem ID"
   1507   note=ipc_perm
   1508   syscall=semctl: IPC_SET
   1509 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1510 
   1511 label=AUE_SEMCTL_SETALL
   1512   format=arg1:[ipc]:[ipc_perm]
   1513     comment=1, semaphore ID, "sem ID"
   1514   note=ipc_perm
   1515   syscall=semctl: SETALL
   1516 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1517 
   1518 label=AUE_SEMCTL_SETVAL
   1519   format=arg1:[ipc]:[ipc_perm]
   1520     comment=1, semaphore ID, "sem ID"
   1521   note=ipc_perm
   1522   syscall=semctl: SETVAL
   1523 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1524 
   1525 label=AUE_SEMCTL_STAT
   1526   format=arg1:[ipc]:[ipc_perm]
   1527     comment=1, semaphore ID, "sem ID"
   1528   note=ipc_perm
   1529   syscall=semctl: IPC_STAT
   1530 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
   1531 
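   1532 label=AUE_SEMGET
   1533   format=arg1:[ipc_perm]:ipc
   1534     comment=1, semaphore key, "sem key"
   1535   note=ipc_perm
   1536   syscall=semget
   1537 # ipc_perm token: semget -> audit_ipcget
        # syscall= names semget, in line with the call path noted above and with
        # the parallel AUE_MSGGET entry (syscall=msgget). Argument 1 is the key
        # ("sem key"), so it is described as a key rather than a semaphore ID.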
   1538 
   1539 label=AUE_SEMGETL
   1540   skip=Not used.
   1541 
   1542 label=AUE_SEMOP
   1543   format=arg1:[ipc]:[ipc_perm]
   1544     comment=1, semaphore ID, "sem ID"
   1545   note=ipc_perm
   1546 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
   1547 
   1548 label=AUE_SEMSYS
   1549   skip=Not used.  (place holder) -- defaults to a semget variant
   1550 
   1551 label=AUE_SEND
   1552   case=If address family is AF_INET or AF_INET6
   1553     format=[arg]1:[inet]
   1554       comment=1, file descriptor, "so"
   1555   case=If address family is AF_UNIX and path is defined
   1556     format=[path]1:[attr]
   1557       comment=1, file descriptor, "so"
   1558   case=If address family is AF_UNIX and path is NULL
   1559     format=[path]1:[attr]
   1560       comment=1, file descriptor, "no path&colon; fd"
   1561   case=If address family is other than AF_UNIX, AF_INET, AF_INET6
   1562     format=[arg]1:[arg]2:[arg]3
   1563       comment=1, file descriptor, "so":
   1564       comment=1, family, "family":
   1565       comment=1, type, "type"
   1566 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
   1567 
   1568 label=AUE_SENDMSG
   1569   case=If invalid file descriptor
   1570     format=arg1:arg2
   1571       comment=1, file descriptor, "so":
   1572       comment=3, flags, "flags"
   1573   case=If valid file descriptor
   1574   case=...and address family is AF_UNIX and path is defined
   1575     format=path:attr
   1576   case=...and address family is AF_UNIX and path is NULL
   1577     format=path1:attr
   1578       comment=1, file descriptor, "nopath&colon; fd"
   1579   case=...and address family is AF_INET or AF_INET6, \
   1580     socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
   1581     format=arg1:arg2:inet
   1582       comment=1, file descriptor, "so":
   1583       comment=3, flags, "flags"
   1584   case=...and unknown address family or address family AF_INET or AF_INET6 \
   1585     and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
   1586     format=arg1:arg2:arg3:arg4
   1587       comment=1, file descriptor, "so":
   1588       comment=1, family, "family":
   1589       comment=1, type, "type":
   1590       comment=1, flags, "flags"
   1591 
   1592 label=AUE_SENDTO
   1593   case=If invalid file descriptor
   1594     format=arg1:arg2
   1595       comment=1, file descriptor, "so":
   1596       comment=3, flags, "flags"
   1597   case=If valid file descriptor
   1598   case=...and socket is AF_UNIX and path is defined
   1599     format=path:attr
   1600   case=...and address family is AF_UNIX and path is NULL
   1601     format=path1:attr
   1602       comment=1, file descriptor, "nopath&colon; fd"
   1603   case=...and address family is AF_INET or AF_INET6
   1604     format=arg1:arg2:inet
   1605       comment=1, file descriptor, "so":
   1606       comment=3, flags, "flags"
   1607   case=...and unknown address family
   1608     format=arg1:arg2:arg3:arg4
   1609       comment=1, file descriptor, "so":
   1610       comment=1, family, "family":
   1611       comment=1, type, "type":
   1612       comment=1, flags, "flags"
   1613 
   1614 label=AUE_SETAUDIT
        # Reading the record: the six argument tokens hold the audit context
        # being set (audit user ID, terminal ID port and machine, success and
        # failure preselection masks, audit session ID). All six are written
        # with argument number 1 and are told apart only by their text
        # ("setaudit:auid", "setaudit:port", ...).
        # With an invalid address the format is "kernel", so the record shows
        # the attempt but presumably none of the requested values.
   1615   case=With a valid program stack address
   1616     format=arg1:arg2:arg3:arg4:arg5:arg6
   1617       comment=1, audit user ID, "setaudit&colon;auid":
   1618       comment=1, terminal ID, "setaudit&colon;port":
   1619       comment=1, terminal ID, "setaudit&colon;machine":
   1620       comment=1, preselection mask, "setaudit&colon;as_success":
   1621       comment=1, preselection mask, "setaudit&colon;as_failure":
   1622       comment=1, audit session ID, "setaudit&colon;asid"
   1623   case=With an invalid program stack address
   1624     format=kernel
        # Both samples below are successful calls with identical argument
        # values; no failure sample is included.
   1625 #	header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
   1626 #	argument,1,0x271a,setaudit:auid
   1627 #	argument,1,0x3ff0201,setaudit:port
   1628 #	argument,1,0x8192591e,setaudit:machine
   1629 #	argument,1,0x400,setaudit:as_success
   1630 #	argument,1,0x400,setaudit:as_failure
   1631 #	argument,1,0x16f,setaudit:asid
   1632 #	subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
   1633 #	return,success,0
   1634 #	trailer,215
   1635 #	header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
   1636 #	argument,1,0x271a,setaudit:auid
   1637 #	argument,1,0x3ff0201,setaudit:port
   1638 #	argument,1,0x8192591e,setaudit:machine
   1639 #	argument,1,0x400,setaudit:as_success
   1640 #	argument,1,0x400,setaudit:as_failure
   1641 #	argument,1,0x16f,setaudit:asid
   1642 #	subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
   1643 #	return,success,0
   1644 #	trailer,215
   1645 
   1646 label=AUE_SETAUDIT_ADDR
   1647   case=With a valid program stack address
   1648     format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
   1649       comment=1, audit user ID, "auid":
   1650       comment=1, terminal ID, "port":
   1651       comment=1, type, "type":
   1652       comment=1, terminal ID, "ip address":
   1653       comment=1, preselection mask, "as_success":
   1654       comment=1, preselection mask, "as_failure":
   1655       comment=1, audit session ID, "asid"
   1656   case=With an invalid program stack address
   1657     format=kernel
   1658 #	header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
   1659 #	argument,1,0x15fa7,auid
   1660 #	argument,1,0x0,port
   1661 #	argument,1,0x4,type
   1662 #	ip address,tmach2
   1663 #	argument,1,0x9c00,as_success
   1664 #	argument,1,0x9c00,as_failure
   1665 #	argument,1,0x1f1,asid
   1666 #	subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
   1667 #	return,success,0
   1668 
   1669 label=AUE_SETAUID
   1670   format=arg1
   1671     comment=2, audit user ID, "setauid"
   1672 
   1673 label=AUE_SETDOMAINNAME
   1674   skip=Not used.  (See AUE_SYSINFO)
   1675 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
   1676 
   1677 label=AUE_SETEGID
   1678   format=arg1
   1679     comment=1, group ID, "gid"
   1680 
   1681 label=AUE_SETEUID
   1682   format=arg1
   1683     comment=1, user ID, "euid"
   1684 
   1685 label=AUE_SETGID
   1686   format=arg1
   1687     comment=1, group ID, "gid"
   1688 
   1689 label=AUE_SETGROUPS
   1690   note=If more than NGROUPS_MAX_DEFAULT groups listed,
   1691   note=no tokens are generated.
   1692   case=If no groups in list
   1693     format=[arg]1
   1694       comment=1, 0, "setgroups"
   1695   case=If 1 or more groups in list
   1696     format=(1..n)arg1
   1697       comment=1, gid, "setgroups"
        # Reviewer note: per the note= lines, a call listing more than
        # NGROUPS_MAX_DEFAULT groups produces no argument tokens, while an empty
        # list is described with one argument token of value 0. A setgroups
        # record without any argument token is therefore presumably the
        # over-limit case; log consumers should not read it as "no groups set".
   1698 
   1699 label=AUE_SETHOSTNAME
   1700   skip=Not used.  (See AUE_SYSINFO)
   1701 # See sysinfo call with command SI_SET_HOSTNAME
   1702 
   1703 label=AUE_SETKERNSTATE
   1704   skip=Not used.
   1705 
   1706 label=AUE_SETPGID
   1707   format=[proc]:[arg]1
   1708   comment=2, pgid, "pgid"
   1709 
   1710 label=AUE_SETPGRP
   1711   format=kernel
   1712 
   1713 label=AUE_SETPRIORITY
   1714   skip=Not used.
   1715 
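   1716 label=AUE_SETPPRIV
        # Three cases, one per operation. For "off" and "on" the single privset
        # token holds the privileges actually switched; for "set" two privset
        # tokens hold the privileges before and after the call.
   1717   case=operation privileges off
   1718   format=arg1:privset2
   1719     comment=setppriv operation:
   1720     comment=privileges actually switched off
   1721   case=operation privileges on
   1722   format=arg1:privset2
   1723     comment=setppriv operation:
   1724     comment=privileges actually switched on
   1725   case=operation privileges set
   1726   format=arg1:privset2:privset3
   1727     comment=setppriv operation:
   1728     comment=privileges before privset:
   1729     comment=privileges after privset
        # The sample below has two privilege tokens, i.e. the before/after form.
        # NOTE(review): its header line spells the event "settppriv(2)",
        # presumably a transcription typo in the sample.
   1730 #header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
   1731 #argument,2,0x2,op
   1732 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
   1733 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
   1734 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
   1735 #return,success,0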
   1736 
   1737 label=AUE_SETREGID
   1738   format=arg1:arg2
   1739     comment=1, real group ID, "rgid":
   1740     comment=2, effective group ID, "egid"
   1741 
   1742 label=AUE_SETREUID
   1743   format=arg1:arg2
   1744     comment=1, real user ID, "ruid":
   1745     comment=2, effective user ID, "euid"
   1746 
   1747 label=AUE_SETRLIMIT
   1748   format=kernel
   1749 #	header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
   1750 #	subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
   1751 #	return,success,0
   1752 
   1753 label=AUE_SETSID
   1754   format=kernel
   1755 
   1756 label=AUE_SETSOCKOPT
   1757   case=Invalid file descriptor
   1758     format=arg1:arg2
   1759       comment=1, file descriptor, "so":
   1760       comment=2, level, "level"
   1761   case=Valid file descriptor
   1762   case=...and socket is AF_UNIX
   1763     format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
   1764       comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
   1765         file descriptor:
   1766       comment=1, file descriptor, "so":
   1767       comment=1, family, "family":
   1768       comment=1, type, "type":
   1769       comment=2, protocol level, "level":
   1770       comment=3, option name, "optname":
   1771       comment=5, option length, "optlen":
   1772       comment=option data
   1773   case=...and socket is AF_INET or AF_INET6
   1774     format=arg1:arg2:arg3:[arg]4:[data]5:inet
   1775       comment=1, file descriptor, "so":
   1776       comment=2, protocol level, "level":
   1777       comment=3, option name, "optname":
   1778       comment=5, option length, "optlen":
   1779       comment=option data
   1780   case=...and socket address family is unknown
   1781     format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
   1782       comment=1, file descriptor, "so":
   1783       comment=1, family, "family":
   1784       comment=1, type, "type":
   1785       comment=2, protocol level, "level":
   1786       comment=3, option name, "optname":
   1787       comment=5, option length, "optlen":
   1788       comment=option data
   1789 
   1790 label=AUE_SETTIMEOFDAY
   1791   skip=Not used.
   1792 
   1793 label=AUE_SETUID
   1794   syscall=setuid
   1795   format=arg1
   1796     comment=1, "uid" to be set
   1797 
   1798 label=AUE_SETUSERAUDIT
   1799   skip=Not used.
   1800 
   1801 label=AUE_SHMAT
   1802   format=arg1:arg2:[ipc]:[ipc_perm]
   1803     comment=1, shared memory ID, "shm ID":
   1804     comment=2, shared mem addr, "shm addr"
   1805   note=ipc_perm
   1806 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
   1807 
   1808 label=AUE_SHMCTL
   1809   format=arg1:[ipc]:[ipc_perm]
   1810     comment=1, shared memory ID, "shm ID"
   1811   note=ipc_perm
   1812 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
   1813 
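   1814 label=AUE_SHMCTL_RMID
   1815   format=arg1:[ipc]:[ipc_perm]
   1816   comment=1, shared memory ID, "shm ID"
   1817   note=ipc_perm
   1818   syscall=shmctl:  IPC_RMID
   1819 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
        # syscall= names shmctl with the IPC_RMID command, consistent with the
        # label and the call chain above, so the generated description does not
        # attribute shared-memory removal to the semaphore call.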
   1820 
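   1821 label=AUE_SHMCTL_SET
   1822   format=arg1:[ipc]:[ipc_perm]
   1823     comment=1, shared memory ID, "shm ID"
   1824   note=ipc_perm
   1825   syscall=shmctl:  IPC_SET
   1826 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
        # syscall= names shmctl with the IPC_SET command, consistent with the
        # label and the call chain above.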
   1827 
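   1828 label=AUE_SHMCTL_STAT
   1829   format=arg1:[ipc]:[ipc_perm]
   1830     comment=1, shared memory ID, "shm ID"
   1831   note=ipc_perm
   1832   syscall=shmctl:  IPC_STAT
   1833 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
        # syscall= names shmctl with the IPC_STAT command, consistent with the
        # label and the call chain above.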
   1834 
   1835 label=AUE_SHMDT
   1836   format=arg1
   1837     comment=1, shared memory address, "shm adr"
   1838 
   1839 label=AUE_SHMGET
   1840   format=arg1:[ipc_perm]:[ipc]
   1841     comment=0, shared memory key, "shm key"
   1842   note=ipc_perm
   1843 # ipc_perm: shmget -> audit_ipcget
   1844 
   1845 label=AUE_SHMGETL
   1846   skip=Not used.
   1847 
   1848 label=AUE_SHMSYS
   1849   skip=Not used.  (Placeholder for shmget and shmctl*)
   1850 
   1851 label=AUE_SHUTDOWN
   1852   case=If the socket address is invalid
   1853     format=[arg]1:[text]2:[text]3
   1854       comment=1, file descriptor, "fd":
   1855       comment=bad socket address:
   1856       comment=bad peer address
   1857   case=If the socket address is part of the AF_INET family
   1858     case=..with zero file descriptor
   1859       format=arg1:[arg]2:[arg]3:[arg]4
   1860 	comment=1, file descriptor, "so":
   1861 	comment=1, family, "family":
   1862 	comment=1, type, "type":
   1863 	comment=2, how shutdown code, "how"
   1864     case=...with non-zero file descriptor
   1865       format=arg1:arg2:inet
   1866 	comment=1, file descriptor, "so":
   1867 	comment=2, how shutdown code, "how"
   1868   case=If the socket address is AF_UNIX
   1869     case=...with zero file descriptor
   1870       format=path1:arg2:[arg]3:[arg]4:[arg]5
   1871 	comment=If error&colon; argument&colon; \
   1872 	  1, "no path&colon; fd", file descriptor:
   1873 	comment=1, file descriptor, "so":
   1874 	comment=1, family, "family":
   1875 	comment=1, type, "type":
   1876 	comment=2, how shutdown code, "how"
   1877     case=...with non-zero file descriptor
   1878       format=path1:arg2:arg3:inet
   1879 	comment=If error&colon; argument&colon; \
   1880 	  1, file descriptor, "no path&colon; fd":
   1881 	comment=1, file descriptor, "so":
   1882 	comment=2, how shutdown code, "how"
   1883 #old BSM manual wrong; used audit_event.c
   1884 
   1885 label=AUE_SOCKACCEPT
   1886   syscall=getmsg:  socket accept
   1887   format=inet:arg1:[path]:attr:arg2
   1888     comment=1, file descriptor, "fd":
   1889     comment=4, priority, "pri"
   1890 # see putmsg and getmsg for record format
   1891 # See audit.c for inet token and audit_start.c for other reference
   1892 
   1893 label=AUE_SOCKCONFIG
   1894   format=arg1:arg2:arg3:[path]4
   1895     comment=1, domain address, "domain":
   1896     comment=2, type, "type":
   1897     comment=3, protocol, "protocol":
   1898     comment=If no path&colon;argument -- 3, 0, "devpath"
   1899 
   1900 label=AUE_SOCKCONNECT
   1901   syscall=putmsg:  socket connect
   1902   format=inet:arg1:[path]:attr:arg2
   1903     comment=1, file descriptor, "fd":
   1904     comment=4, priority, "pri"
   1905 # same as AUE_SOCKACCEPT
   1906 
   1907 label=AUE_SOCKET
   1908   format=arg1:[arg]2:arg3
   1909     comment=1, socket domain, "domain":
   1910     comment=2, socket type, "type":
   1911     comment=3, socket protocol, "protocol"
   1912 
   1913 label=AUE_SOCKETPAIR
   1914   skip=Not used.
   1915 # unreferenced
   1916 
   1917 label=AUE_SOCKRECEIVE
   1918   syscall=getmsg
   1919   format=inet:arg1:[path]:attr:arg2
   1920     comment=1, file descriptor, "fd":
   1921     comment=4, priority, "pri"
   1922 # see AUE_SOCKACCEPT
   1923 
   1924 label=AUE_SOCKSEND
   1925 syscall=putmsg
   1926   format=inet:arg1:[path]:attr:arg2
   1927     comment=1, file descriptor, "fd":
   1928     comment=4, priority, "pri"
   1929 # see AUE_SOCKACCEPT
   1930 
   1931 label=AUE_STAT
   1932   format=path:[attr]
   1933 
   1934 label=AUE_STATFS
   1935   format=path:[attr]
   1936 
   1937 label=AUE_STATVFS
   1938   format=path:[attr]
   1939 
   1940 label=AUE_STIME
   1941   format=kernel
   1942 
   1943 label=AUE_SWAPON
   1944   skip=Not used.
   1945 
   1946 label=AUE_SYMLINK
   1947   format=path:text1:[attr]
   1948     comment=symbolic link string 
   1949 
   1950 label=AUE_SYSINFO
   1951   note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
   1952   note=are currently audited.
   1953   format=arg1:[text]2
   1954     comment=1, command, "cmd":
   1955     comment=name
   1956 
   1957 label=AUE_SYSTEMBOOT
   1958   title=system booted
   1959   syscall=none
   1960   format=head:text1
   1961     comment="booting kernel"
   1962 # see audit_start.c and audit_io.c
   1963 # no subject or return / exit token
   1964 #	header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
   1965 #	text,booting kernel
   1966 
   1967 label=AUE_TRUNCATE
   1968   skip=Not used.
   1969 
   1970 label=AUE_UMOUNT
   1971   syscall=umount: old version
   1972   note=Implemented as call of the newer umount2(2).
   1973   format=path:arg1:[path]:[attr]
   1974     comment=2, mflag value = 0, "flags"
   1975 
   1976 label=AUE_UMOUNT2
   1977   syscall=umount2
   1978   format=path:arg1:[path]:[attr]
   1979     comment=2, mflag value, "flags"
   1980 
   1981 label=AUE_UNLINK
   1982   format=path:[attr]
   1983 
   1984 label=AUE_UNLINKAT
   1985   see=openat(2)
   1986   format=path:[path_attr]:[attr]
   1987 
   1988 label=AUE_UNMOUNT
   1989   skip=Not used.
   1990 
   1991 label=AUE_UTIME
   1992   format=path:[attr]
   1993 
   1994 label=AUE_UTIMES
   1995   format=path:[attr]
   1996 
   1997 label=AUE_VFORK
   1998   format=arg1
   1999     comment=0, pid, "child PID"
   2000   note=The vfork(2) return values are undefined because the audit record is 
   2001   note=produced at the point that the child process is spawned.
   2002 
   2003 label=AUE_VPIXSYS
   2004   skip=Not used.
   2005 
   2006 label=AUE_VTRACE
   2007   skip=Not used.
   2008 
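   2009 label=AUE_WRITE
   2010   format=path1:attr
   2011     comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
   2012   note=An audit record is generated for write only once per file close.
        # note uses "=" like every other attribute in this file, so the caveat is
        # carried into the generated description instead of being left as an
        # unrecognised line.  The literal colon in the comment is written as
        # &colon;, as in the other "no path" comments, because a bare ":" ends a
        # comment entry.
        # Review note: because of the once-per-close behaviour stated in note=,
        # the number of AUE_WRITE records is not a count of write calls.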
   2013 
   2014 label=AUE_WRITEV
   2015   skip=Not used. (obsolete)
   2016 
   2017 label=AUE_XMKNOD
   2018   skip=Not used.  xmknod() generates AUE_MKNOD
   2019 
   2020 label=AUE_XSTAT
   2021   skip=Not Used.  xstat() generates AUE_STAT.
   2022 
   2023 label=AUE_PF_POLICY_ADDRULE
   2024   title=Add IPsec policy rule
   2025   see=
   2026   syscall=none
   2027   format=arg1:arg2:[zone]3:[text]4
   2028   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2029   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2030   comment=affected zone:
   2031   comment=Name of target tunnel
   2032 
   2033 label=AUE_PF_POLICY_DELRULE
   2034   title=Delete IPsec policy rule
   2035   see=
   2036   syscall=none
   2037   format=arg1:arg2:[zone]3:[text]4
   2038   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2039   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2040   comment=affected zone:
   2041   comment=Name of target tunnel
   2042 
   2043 label=AUE_PF_POLICY_CLONE
   2044   title=Clone IPsec policy
   2045   see=
   2046   syscall=none
   2047   format=arg1:arg2:[zone]3:[text]4
   2048   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2049   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2050   comment=affected zone:
   2051   comment=Name of target tunnel
   2052 
   2053 label=AUE_PF_POLICY_FLIP
   2054   title=Flip IPsec policy
   2055   see=
   2056   syscall=none
   2057   format=arg1:arg2:[zone]3:[text]4
   2058   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2059   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2060   comment=affected zone:
   2061   comment=Name of target tunnel
   2062 
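   2063 label=AUE_PF_POLICY_FLUSH
   2064   title=Flush IPsec policy rules
   2065   see=
   2066   syscall=none
   2067   format=arg1:arg2:[zone]3:[text]4
   2068   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2069   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2070   comment=affected zone:
   2071   comment=Name of target tunnel
        # The title names the flush operation; AUE_PF_POLICY_FLIP is a separate
        # event with its own "Flip IPsec policy" title, and the two must stay
        # distinguishable in the generated record descriptions.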
   2072 
   2073 label=AUE_PF_POLICY_ALGS
   2074   title=Update IPsec algorithms
   2075   see=
   2076   syscall=none
   2077   format=arg1:arg2:[zone]3:[text]4
   2078   comment=Operation applied to active policy (1 is active, 0 is inactive):
   2079   comment=Operation applied to global policy (1 is global, 0 is tunnel):
   2080   comment=affected zone:
   2081   comment=Name of target tunnel
   2082 
   2083 label=AUE_allocate_fail
   2084   program=/usr/sbin/allocate
   2085   title=allocate: allocate-device failure
   2086   format=(0..n)[text]1
   2087     comment=command line arguments
   2088 # see audit_allocate.c
   2089 
   2090 label=AUE_allocate_succ
   2091   program=/usr/sbin/allocate
   2092   title=allocate: allocate-device success
   2093   format=(0..n)[text]1
   2094     comment=command line arguments
   2095 # see audit_allocate.c
   2096 
   2097 label=AUE_at_create
   2098   program=/usr/bin/at
   2099   title=at: at-create crontab
   2100   format=path
   2101 
   2102 label=AUE_at_delete
   2103   program=/usr/bin/at
   2104   title=at: at-delete atjob (at or atrm)
   2105   format=text1:path
   2106   comment="ancillary file&colon;" filename or "bad format of at-job name"
   2107 
   2108 label=AUE_at_perm
   2109   skip=Not used.
   2110 # not referenced outside uevents.h
   2111 
   2112 label=AUE_create_user
   2113   skip=Not used.
   2114 
   2115 label=AUE_cron_invoke
   2116   program=/usr/sbin/cron
   2117   title=cron: cron-invoke at or cron
   2118   case=If issue with account find
   2119   format=text1
   2120     comment="bad user" name or "user <name> account expired"
   2121   case=else
   2122   format=text1:text2
   2123     comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
   2124       or "unknown job type (<job_type_id>)":
   2125     comment=command
   2126 
   2127 label=AUE_crontab_create
   2128   program=/usr/bin/crontab
   2129   title=crontab: crontab created
   2130   format=path
   2131 # See audit_crontab.c
   2132 
   2133 label=AUE_crontab_delete
   2134   program=/usr/bin/crontab
   2135   title=crontab: crontab delete
   2136   format=path
   2137 # See audit_crontab.c
   2138 
   2139 label=AUE_crontab_mod
   2140   program=/usr/bin/crontab
   2141   title=crontab:  crontab modify
   2142   format=path
   2143 # See audit_crontab.c
   2144 
   2145 label=AUE_crontab_perm
   2146   skip=Not used.
   2147 
   2148 label=AUE_deallocate_fail
   2149   program=/usr/sbin/deallocate
   2150   title=deallocate-device failure
   2151   format=(0..n)[text]1
   2152     comment=command line arguments
   2153 # See audit_allocate.c
   2154 
   2155 label=AUE_deallocate_succ
   2156   program=/usr/sbin/deallocate
   2157   title=deallocate-device success
   2158   format=(0..n)[text]1
   2159     comment=command line arguments
   2160 # See audit_allocate.c
   2161 
   2162 label=AUE_delete_user
   2163   skip=Not used.
   2164 
   2165 label=AUE_disable_user
   2166   skip=Not used.
   2167 
   2168 label=AUE_enable_user
   2169   skip=Not used.
   2170 
   2171 label=AUE_ftpd
   2172   program=/usr/sbin/in.ftpd
   2173   title=in.ftpd
   2174   format=[text]1
   2175     comment=error message
   2176 # See audit_ftpd
   2177 
   2178 label=AUE_ftpd_logout
   2179   program=/usr/sbin/in.ftpd
   2180   title=in.ftpd
   2181   format=user
   2182 # See audit_ftpd
   2183 
   2184 label=AUE_halt_solaris
   2185   program=/usr/sbin/halt
   2186   title=halt
   2187   format=user
   2188 # See audit_halt.c
   2189 
   2190 label=AUE_kadmind_auth
   2191   format=text1:text2:text3
   2192     comment=Op&colon; <requested information>:
   2193     comment=Arg&colon; <argument for Op>:
   2194     comment=Client&colon; <client principal name>
   2195 # See audit_kadmin.c / common_audit()
   2196 
   2197 label=AUE_kadmind_unauth
   2198   format=text1:text2:text3
   2199     comment=Op&colon; <requested information>:
   2200     comment=Arg&colon; <argument for Op>:
   2201     comment=Client&colon; <client principal name>
   2202 # See audit_kadmin.c / common_audit()
   2203 
   2204 label=AUE_krb5kdc_as_req
   2205   format=text1:text2
   2206     comment=Client&colon; <client principal name>:
   2207     comment=Service&colon; <requested service name>
   2208 # See audit_krb5kdc.c / common_audit()
   2209 
   2210 label=AUE_krb5kdc_tgs_req
   2211   format=text1:text2
   2212     comment=Client&colon; <client principal name>:
   2213     comment=Service&colon; <requested service name>
   2214 # See audit_krb5kdc.c / common_audit()
   2215 
   2216 label=AUE_krb5kdc_tgs_req_alt_tgt
   2217   format=text1:text2
   2218     comment=Client&colon; <client principal name>:
   2219     comment=Service&colon; <requested service name>
   2220 # See audit_krb5kdc.c / common_audit()
   2221 
   2222 label=AUE_krb5kdc_tgs_req_2ndtktmm
   2223   format=text1:text2
   2224     comment=Client&colon; <client principal name>:
   2225     comment=Service&colon; <requested service name>
   2226 # See audit_krb5kdc.c / common_audit()
   2227 
   2228 label=AUE_listdevice_fail
   2229   title=allocate-list devices failure
   2230   program=/usr/sbin/allocate
   2231   format=(0..n)[text]1
   2232     comment=command line arguments
   2233 # See audit_allocate.c
   2234 
   2235 label=AUE_listdevice_succ
   2236   title=allocate-list devices success
   2237   program=/usr/sbin/allocate
   2238   format=(0..n)[text]1
   2239     comment=command line arguments
   2240 # See audit_allocate.c
   2241 
   2242 label=AUE_modify_user
   2243   skip=Not used.
   2244 
   2245 label=AUE_mountd_mount
   2246   title=mountd: NFS mount
   2247   program=/usr/lib/nfs/mountd
   2248   see=mountd(1M)
   2249   format=text1:path2
   2250     comment=remote client hostname:
   2251     comment=mount dir
   2252 # See audit_mountd.c
   2253 
   2254 label=AUE_mountd_umount
   2255   title=mountd: NFS unmount
   2256   program=/usr/lib/nfs/mountd
   2257   format=text1:path2
   2258   comment=remote client hostname:
   2259   comment=mount dir
   2260 # See audit_mountd.c
   2261 
   2262 label=AUE_poweroff_solaris
   2263   program=/usr/sbin/poweroff
   2264   title=poweroff
   2265   format=user
   2266 # See audit_halt.c
   2267 
   2268 label=AUE_reboot_solaris
   2269   program=/usr/sbin/reboot
   2270   title=reboot
   2271   format=user
   2272 # See audit_reboot.c
   2273 #	header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
   2274 #	subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
   2275 #	return,success,0
   2276 
   2277 label=AUE_rexd
   2278   program=/usr/sbin/rpc.rexd
   2279   title=rpc.rexd
   2280   format=[text]1:text2:text3:[text]4:[text]5
   2281     comment=error message (failure only):
   2282     comment="Remote execution requested by&colon;" hostname:
   2283     comment="Username&colon;" username:
   2284     comment="User id&colon;" user ID (failure only):
   2285     comment="Command line&colon;" command attempted
   2286 # See audit_rexd.c
   2287 
   2288 label=AUE_rexecd
   2289   program=/usr/sbin/rpc.rexecd
   2290   title=rpc.rexecd
   2291   format=[text]1:text2:text3:text4
   2292     comment=error message (failure only):
   2293     comment="Remote execution requested by&colon;" hostname:
   2294     comment="Username&colon;" username:
   2295     comment="Command line&colon;" command attempted
   2296 # See audit_rexecd.c
   2297 
   2298 label=AUE_rshd
   2299   program=/usr/sbin/in.rshd
   2300   title=in.rshd
   2301   format=text1:text2:[text]3:[text]4
   2302     comment="cmd" command:
   2303     comment="remote user" remote user:
   2304     comment="local user" local user:
   2305     comment=failure message
   2306 # See audit_rshd.c
   2307 
   2308 label=AUE_shutdown_solaris
   2309   title=shutdown
   2310   program=/usr/ucb/shutdown
   2311   format=user
   2312 # See audit_shutdown.c
   2313 
   2314 label=AUE_smserverd
   2315   program=/usr/lib/smedia/rpc.smserverd
   2316   format=[text]1:[text]2
   2317     comment=state change:
   2318     comment=vid, pid, major/minor device
   2319 # see usr/src/cmd/smserverd
   2320 # code shows a third token, path, but it isn't implemented.
   2321 
   2322 label=AUE_uadmin_solaris
   2323   title=uadmin (obsolete)
   2324   program=
   2325   see=
   2326   format=text1:text2
   2327   comment=function code:
   2328   comment=argument code
   2329 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
   2330 
   2331 label=AUE_LABELSYS_TNRH
   2332   title=config Trusted Network remote host cache
   2333   see=tnrh(2)
   2334   syscall=labelsys: TSOL_TNRH
   2335   case=With the flush command (cmd=3)
   2336     format=arg1
   2337       comment=1, command, "cmd"
   2338   case=With the load (cmd=1) and delete (cmd=2) commands
   2339     format=arg1:inaddr2:arg3
   2340       comment=1, command, "cmd":
   2341       comment=ip address of host:
   2342       comment=2, prefix length, "prefix len"
   2343 
   2344 label=AUE_LABELSYS_TNRHTP
   2345   title=config Trusted Network remote host template
   2346   see=tnrhtp(2)
   2347   syscall=labelsys: TSOL_TNRHTP
   2348   case=With the flush command (cmd=3)
   2349     format=arg1
   2350       comment=1, command, "cmd"
   2351   case=With the load (cmd=1) and delete (cmd=2) commands
   2352     format=arg1:text2
   2353       comment=1, command, "cmd":
   2354       comment=name of template
   2355 
   2356 label=AUE_LABELSYS_TNMLP
   2357   title=config Trusted Network multi-level port entry
   2358   see=tnmlp(2)
   2359   syscall=labelsys: TSOL_TNMLP
   2360   case=With the flush command (cmd=3)
   2361     format=arg1:text2
   2362       comment=1, command, "cmd":
   2363       comment="shared", or name of zone
   2364   case=With the load (cmd=1) and delete (cmd=2) commands
   2365     format=arg1:text2:arg3:arg4:[arg]5
   2366       comment=1, command, "cmd":
   2367       comment="shared", or name of zone:
   2368       comment=2, protocol number, "proto num":
   2369       comment=2, starting mlp port number, "mlp_port":
   2370       comment=2, ending mlp port number, "mlp_port_upper"
   2371