# # Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License, Version 1.0 only # (the "License"). You may not use this file except in compliance # with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # ident "%Z%%M% %I% %E% SMI" # # Audit Event Database # # File Format: # # event number:event name:event description:event classes (comma separated) # # Used to map audit events to audit classes for preselection and post-selection. # Used by TCB programs that write audit records to preselect audit events # based on event to class mappings. # # NOTE: several events are obsolete but must continue to be defined here for # compatibility reasons. Obsolete events are defined in the "no" (invalid) # class to indicate they will not be generated. Other events in the "no" # class which are not obsolete (but are in this class for other reasons), # are individually noted with a comment for explanation. # # System Adminstrators: Do NOT modify or add events with an event number less # than 32768. These are reserved by the system. # # 0 Reserved as an invalid event number. # 1 - 2047 Reserved for the Solaris Kernel events. # 2048 - 32767 Reserved for the Solaris TCB programs. # 32768 - 65535 Available for third party TCB applications. # # 6144 - 32767 SunOS 5.X user level audit events # # # kernel audit events # 0:AUE_NULL:indir system call:no 1:AUE_EXIT:exit(2):ps 2:AUE_FORK:fork(2):ps # AUE_OPEN is a placeholder and will not be generated 3:AUE_OPEN:open(2) - place holder:no 4:AUE_CREAT:creat(2):fc 5:AUE_LINK:link(2):fc 6:AUE_UNLINK:unlink(2):fd 7:AUE_EXEC:exec(2):ps,ex 8:AUE_CHDIR:chdir(2):pm 9:AUE_MKNOD:mknod(2):fc 10:AUE_CHMOD:chmod(2):fm 11:AUE_CHOWN:chown(2):fm 12:AUE_UMOUNT:umount(2) - old version:as 13:AUE_JUNK:junk:no 14:AUE_ACCESS:access(2):fa 15:AUE_KILL:kill(2):pm 16:AUE_STAT:stat(2):fa 17:AUE_LSTAT:lstat(2):fa 18:AUE_ACCT:acct(2):as 19:AUE_MCTL:mctl(2):no 20:AUE_REBOOT:reboot(2):no 21:AUE_SYMLINK:symlink(2):fc 22:AUE_READLINK:readlink(2):fr 23:AUE_EXECVE:execve(2):ps,ex 24:AUE_CHROOT:chroot(2):pm 25:AUE_VFORK:vfork(2):ps 26:AUE_SETGROUPS:setgroups(2):pm 27:AUE_SETPGRP:setpgrp(2):pm 28:AUE_SWAPON:swapon(2):no 29:AUE_SETHOSTNAME:sethostname(2):no 30:AUE_FCNTL:fcntl(2):fm 31:AUE_SETPRIORITY:setpriority(2):no 32:AUE_CONNECT:connect(2):nt 33:AUE_ACCEPT:accept(2):nt 34:AUE_BIND:bind(2):nt 35:AUE_SETSOCKOPT:setsockopt(2):nt 36:AUE_VTRACE:vtrace(2):pm 37:AUE_SETTIMEOFDAY:settimeofday(2):no 38:AUE_FCHOWN:fchown(2):fm 39:AUE_FCHMOD:fchmod(2):fm 40:AUE_SETREUID:setreuid(2):pm 41:AUE_SETREGID:setregid(2):pm 42:AUE_RENAME:rename(2):fc,fd 43:AUE_TRUNCATE:truncate(2):no 44:AUE_FTRUNCATE:ftruncate(2):no 45:AUE_FLOCK:flock(2):no 46:AUE_SHUTDOWN:shutdown(2):nt 47:AUE_MKDIR:mkdir(2):fc 48:AUE_RMDIR:rmdir(2):fd 49:AUE_UTIMES:utimes(2):fm 50:AUE_ADJTIME:adjtime(2):as 51:AUE_SETRLIMIT:setrlimit(2):ua 52:AUE_KILLPG:killpg(2):no 53:AUE_NFS_SVC:nfs_svc(2):no 54:AUE_STATFS:statfs(2):fa 55:AUE_FSTATFS:fstatfs(2):fa 56:AUE_UNMOUNT:unmount(2):no 57:AUE_ASYNC_DAEMON:async_daemon(2):no 58:AUE_NFS_GETFH:nfs_getfh(2):no 59:AUE_SETDOMAINNAME:setdomainname(2):no 60:AUE_QUOTACTL:quotactl(2):no 61:AUE_EXPORTFS:exportfs(2):no 62:AUE_MOUNT:mount(2):as # AUE_SEMSYS is a placeholder and will not be generated 63:AUE_SEMSYS:semsys(2) - place holder:no # AUE_MSGSYS is a placeholder and will not be generated 64:AUE_MSGSYS:msgsys(2) - place holder:no # AUE_SHMSYS is a placeholder and will not be generated 65:AUE_SHMSYS:shmsys(2) - place holder:no 66:AUE_BSMSYS:bsmsys(2) - place holder:no 67:AUE_RFSSYS:rfssys(2) - place holder:no 68:AUE_FCHDIR:fchdir(2):pm 69:AUE_FCHROOT:fchroot(2):pm 70:AUE_VPIXSYS:vpixsys(2) - place holder:no 71:AUE_PATHCONF:pathconf(2):fa 72:AUE_OPEN_R:open(2) - read:fr 73:AUE_OPEN_RC:open(2) - read,creat:fc,fr 74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr 75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr 76:AUE_OPEN_W:open(2) - write:fw 77:AUE_OPEN_WC:open(2) - write,creat:fc,fw 78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw 80:AUE_OPEN_RW:open(2) - read,write:fr,fw 81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr 82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw 83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr 84:AUE_MSGCTL:msgctl(2) - illegal command:ip 85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip 86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip 87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip 88:AUE_MSGGET:msgget(2):ip 89:AUE_MSGRCV:msgrcv(2):ip 90:AUE_MSGSND:msgsnd(2):ip 91:AUE_SHMCTL:shmctl(2) - illegal command:ip 92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip 93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip 94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip 95:AUE_SHMGET:shmget(2):ip 96:AUE_SHMAT:shmat(2):ip 97:AUE_SHMDT:shmdt(2):ip 98:AUE_SEMCTL:semctl(2) - illegal command:ip 99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip 100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip 101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip 102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip 103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip 104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip 105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip 106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip 107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip 108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip 109:AUE_SEMGET:semget(2):ip 110:AUE_SEMOP:semop(2):ip 111:AUE_CORE:process dumped core:fc 112:AUE_CLOSE:close(2):cl 113:AUE_SYSTEMBOOT:system booted:na 114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:no 115:AUE_NFSSVC_EXIT:nfssvc(2) exited:no 128:AUE_WRITEL:writel(2):no 129:AUE_WRITEVL:writevl(2):no 130:AUE_GETAUID:getauid(2):aa 131:AUE_SETAUID:setauid(2):aa 132:AUE_GETAUDIT:getaudit(2):aa 133:AUE_SETAUDIT:setaudit(2):aa 134:AUE_GETUSERAUDIT:getuseraudit(2):no 135:AUE_SETUSERAUDIT:setuseraudit(2):no 136:AUE_AUDITSVC:auditsvc(2):as # AUE_AUDITON is a placeholder and will not be generated 138:AUE_AUDITON:auditon(2) - place holder:no 139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:no 140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:no 141:AUE_AUDITON_GPOLICY:auditon(2) - get audit policy flags:aa 142:AUE_AUDITON_SPOLICY:auditon(2) - set audit policy flags:as 143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:no 144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:no 145:AUE_AUDITON_GQCTRL:auditon(2) - get queue control parameters:as 146:AUE_AUDITON_SQCTRL:auditon(2) - set queue control parameters:as 147:AUE_GETKERNSTATE:getkernstate(2):no 148:AUE_SETKERNSTATE:setkernstate(2):no 149:AUE_GETPORTAUDIT:getportaudit(2):no 150:AUE_AUDITSTAT:auditstat(2):no 153:AUE_ENTERPROM:enter prom:na 154:AUE_EXITPROM:exit prom:na 158:AUE_IOCTL:ioctl(2):io 173:AUE_ONESIDE:one-sided session record:no 174:AUE_MSGGETL:msggetl(2):no 175:AUE_MSGRCVL:msgrcvl(2):no 176:AUE_MSGSNDL:msgsndl(2):no 177:AUE_SEMGETL:semgetl(2):no 178:AUE_SHMGETL:shmgetl(2):no 183:AUE_SOCKET:socket(2):nt 184:AUE_SENDTO:sendto(2):nt # AUE_PIPE is a potentially very high-volume event, use with caution 185:AUE_PIPE:pipe(2):no 186:AUE_SOCKETPAIR:socketpair(2):no 187:AUE_SEND:send(2):no 188:AUE_SENDMSG:sendmsg(2):nt 189:AUE_RECV:recv(2):no 190:AUE_RECVMSG:recvmsg(2):nt 191:AUE_RECVFROM:recvfrom(2):nt # AUE_READ is a potentially very high-volume event, use with caution 192:AUE_READ:read(2):no 193:AUE_GETDENTS:getdents(2):no 194:AUE_LSEEK:lseek(2):no # AUE_WRITE is a potentially very high-volume event, use with caution 195:AUE_WRITE:write(2):no 196:AUE_WRITEV:writev(2):no 197:AUE_NFS:nfs server:no 198:AUE_READV:readv(2):no 199:AUE_OSTAT:old stat(2):no 200:AUE_SETUID:old setuid(2):pm 201:AUE_STIME:old stime(2):as 202:AUE_UTIME:old utime(2):fm 203:AUE_NICE:old nice(2):pm 204:AUE_OSETPGRP:old setpgrp(2):no 205:AUE_SETGID:old setgid(2):pm 206:AUE_READL:readl(2):no 207:AUE_READVL:readvl(2):no 208:AUE_FSTAT:fstat(2):no 209:AUE_DUP2:dup2(2):no # AUE_MMAP is a potentially very high-volume event, use with caution 210:AUE_MMAP:mmap(2):no # AUE_AUDIT is a potentially very high-volume event, use with caution 211:AUE_AUDIT:audit(2):no 212:AUE_PRIOCNTLSYS:priocntlsys(2):pm 213:AUE_MUNMAP:munmap(2):cl 214:AUE_SETEGID:setegid(2):pm 215:AUE_SETEUID:seteuid(2):pm 216:AUE_PUTMSG:putmsg(2):nt 217:AUE_GETMSG:getmsg(2):nt 218:AUE_PUTPMSG:putpmsg(2):nt 219:AUE_GETPMSG:getpmsg(2):nt # AUE_AUDITSYS is a placeholder and will not be generated 220:AUE_AUDITSYS:audit system calls place holder:no 221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:aa 222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:as 223:AUE_AUDITON_GETCWD:auditon(2) - get current working directory:aa,as 224:AUE_AUDITON_GETCAR:auditon(2) - get current active root:aa,as 225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:as 226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:as 227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per audit uid:as 228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:as 229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:aa 230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:as 231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:aa,as 232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:as 233:AUE_FUSERS:utssys(2) - fusers:fa 234:AUE_STATVFS:statvfs(2):fa 235:AUE_XSTAT:xstat(2):no 236:AUE_LXSTAT:lxstat(2):no 237:AUE_LCHOWN:lchown(2):fm 238:AUE_MEMCNTL:memcntl(2):ot 239:AUE_SYSINFO:sysinfo(2):as 240:AUE_XMKNOD:xmknod(2):no 241:AUE_FORK1:fork1(2):ps # AUE_MODCTL is a placeholder and will not be generated 242:AUE_MODCTL:modctl(2) system call place holder:no 243:AUE_MODLOAD:modctl(2) - load module:as 244:AUE_MODUNLOAD:modctl(2) - unload module:as # AUE_MODCONFIG is a place holder and will not be generated 245:AUE_MODCONFIG:modctl(2) - no longer generated:no 246:AUE_MODADDMAJ:modctl(2) - bind module:as 247:AUE_SOCKACCEPT:getmsg-accept:nt 248:AUE_SOCKCONNECT:putmsg-connect:nt 249:AUE_SOCKSEND:putmsg-send:nt 250:AUE_SOCKRECEIVE:getmsg-receive:nt 251:AUE_ACLSET:acl(2) - SETACL command:fm 252:AUE_FACLSET:facl(2) - SETACL command:fm # AUE_DOORFS is a placeholder and will not be generated 253:AUE_DOORFS:doorfs(2) - system call place holder:no 254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip 255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip 256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip 257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip 258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip 259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip 260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip 261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip 262:AUE_P_ONLINE:p_online(2):as 263:AUE_PROCESSOR_BIND:processor_bind(2):as 264:AUE_INST_SYNC:inst_sync(2):as 265:AUE_SOCKCONFIG:configure socket:nt 266:AUE_SETAUDIT_ADDR:setaudit_addr(2):aa 267:AUE_GETAUDIT_ADDR:getaudit_addr(2):aa 268:AUE_UMOUNT2:umount2(2):as # AUE_FSAT is a placeholder and will not be generated 269:AUE_FSAT:fsat(2) - place holder:no 270:AUE_OPENAT_R:openat(2) - read:fr 271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr 272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr 273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr 274:AUE_OPENAT_W:openat(2) - write:fw 275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw 276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw 277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw 278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw 279:AUE_OPENAT_RWC:openat(2) - read,write,creat:fc,fw,fr 280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fr,fw 281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr 282:AUE_RENAMEAT:renameat(2):fc,fd # AUE_FSTATAT is a potentially very high-volume event, use with caution 283:AUE_FSTATAT:fstatat(2):no 284:AUE_FCHOWNAT:fchownat(2):fm 285:AUE_FUTIMESAT:futimesat(2):fm 286:AUE_UNLINKAT:unlinkat(2):fd 287:AUE_CLOCK_SETTIME:clock_settime(3RT):as 288:AUE_NTP_ADJTIME:ntp_adjtime(2):as 289:AUE_SETPPRIV:setppriv(2):pm 290:AUE_MODDEVPLCY:modctl(2) - configure device policy:as 291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:as 292:AUE_CRYPTOADM:kernel cryptographic framework:as 293:AUE_CONFIGSSL:configure kernel SSL:as # # user level audit events # # 2048 - 6143 Reserved # 6144:AUE_at_create:at-create atjob:ua 6145:AUE_at_delete:at-delete atjob (at or atrm):ua 6146:AUE_at_perm:at-permission:no 6147:AUE_cron_invoke:cron-invoke:ua 6148:AUE_crontab_create:crontab-crontab created:ua 6149:AUE_crontab_delete:crontab-crontab deleted:ua 6150:AUE_crontab_perm:crontab-persmisson:no 6151:AUE_inetd_connect:inetd connect:na 6152:AUE_login:login - local:lo 6153:AUE_logout:logout:lo 6154:AUE_telnet:login - telnet:lo 6155:AUE_rlogin:login - rlogin:lo 6156:AUE_mountd_mount:mount:na 6157:AUE_mountd_umount:unmount:na 6158:AUE_rshd:rsh access:lo 6159:AUE_su:su:lo 6160:AUE_halt_solaris:halt(1m):ss 6161:AUE_reboot_solaris:reboot(1m):ss 6162:AUE_rexecd:rexecd:lo 6163:AUE_passwd:passwd:lo 6164:AUE_rexd:rexd:lo 6165:AUE_ftpd:ftp access:lo 6166:AUE_init_solaris:init(1m):ss 6167:AUE_uadmin_solaris:uadmin(1m):ss 6168:AUE_shutdown_solaris:shutdown(1b):ss 6169:AUE_poweroff_solaris:poweroff(1m):ss 6170:AUE_crontab_mod:crontab-modify:ua 6171:AUE_ftpd_logout:ftp logout:lo 6172:AUE_ssh:login - ssh:lo 6173:AUE_role_login:role login:lo 6180:AUE_prof_cmd:profile command:ua,as 6181:AUE_filesystem_add:add filesystem:as 6182:AUE_filesystem_delete:delete filesystem:as 6183:AUE_filesystem_modify:modify filesystem:as 6184:AUE_network_add:add network attributes:as 6185:AUE_network_delete:delete network attributes:as 6186:AUE_network_modify:modify network attributes:as 6187:AUE_printer_add:add printer:as 6188:AUE_printer_delete:delete printer:as 6189:AUE_printer_modify:modify printer:as 6190:AUE_scheduledjob_add:add scheduled job:ua 6191:AUE_scheduledjob_delete:delete scheduled job:ua 6192:AUE_scheduledjob_modify:modify scheduled job:ua 6193:AUE_serialport_add:add serial port:as 6194:AUE_serialport_delete:delete serial port:as 6195:AUE_serialport_modify:modify serial port:as 6196:AUE_usermgr_add:add user/user attributes:ua 6197:AUE_usermgr_delete:delete user/user attributes:ua 6198:AUE_usermgr_modify:modify user/user attributes:ua 6199:AUE_uauth:authorization used:ua,as 6200:AUE_allocate_succ:allocate-device success:ot 6201:AUE_allocate_fail:allocate-device failure:ot 6202:AUE_deallocate_succ:deallocate-device success:ot 6203:AUE_deallocate_fail:deallocate-device failure:ot 6205:AUE_listdevice_succ:allocate-list devices success:ot 6206:AUE_listdevice_fail:allocate-list devices failure:ot 6207:AUE_create_user:create user:ua 6208:AUE_modify_user:modify user:ua 6209:AUE_delete_user:delete user:ua 6210:AUE_disable_user:disable user:ua 6211:AUE_enable_user:enable user:ua 6212:AUE_newgrp_login:newgrp login:lo 6213:AUE_admin_authenticate:admin login:lo 6214:AUE_kadmind_auth:authenticated kadmind request:ua 6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua 6216:AUE_krb5kdc_as_req:kdc authentication svc request:ap 6217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap 6218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap 6219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap 6220:AUE_smserverd:smserverd:ot 6221:AUE_screenlock:screenlock - lock:lo 6222:AUE_screenunlock:screenlock - unlock:lo 6223:AUE_zone_state:zoneadmd:ss 6224:AUE_inetd_copylimit:inetd copylimit:na 6225:AUE_inetd_failrate:inetd failrate:na 6226:AUE_inetd_ratelimit:inetd ratelimit:na 6227:AUE_zlogin:login - zlogin:lo