1# audit_record_attr.txt 2# Two "#" are comments that are copied to audit_record_attr 3# other comments are removed. 4## 5## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 6## 7## CDDL HEADER START 8## 9## The contents of this file are subject to the terms of the 10## Common Development and Distribution License (the "License"). 11## You may not use this file except in compliance with the License. 12## 13## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 14## or http://www.opensolaris.org/os/licensing. 15## See the License for the specific language governing permissions 16## and limitations under the License. 17## 18## When distributing Covered Code, include this CDDL HEADER in each 19## file and include the License file at usr/src/OPENSOLARIS.LICENSE. 20## If applicable, add the following below this CDDL HEADER, with the 21## fields enclosed by brackets "[]" replaced with your own identifying 22## information: Portions Copyright [yyyy] [name of copyright owner] 23## 24## CDDL HEADER END 25## 26## 27 28# source file for describing audit records. 29 30# This file is in two sections. The first is a list of attribute / 31# value pairs used to provide short cuts in annotating the audit 32# records. The second is for annotation for each audit record. 
33 34# first section: general attributes 35 36# skipClass=<class name of items to skip if only in that class> 37# skipClass=no # uncomment to filter unused events 38 39# token name abbreviations 40# token=alias:fullname -- short names for key tokens 41 42token=arg:argument 43token=attr:attribute 44token=acl:acl_entry 45token=cmd:command 46token=data:data 47token=exec_args:exec_arguments 48token=exec_env:exec_environment 49token=group:group 50token=inaddr:ip_addr 51token=inet:socket 52token=ipc:ipc 53token=ipc_perm:ipc_perm 54token=newgroup:newgroups 55token=path:path 56token=path_attr:attribute_path 57token=privset:privilege 58token=proc:process 59token=text:text 60token=tid:terminal_adr 61token=uauth:use_of_authorization 62token=upriv:use_of_privilege 63token=user:user_object 64token=zone:zonename 65token=fmri:service_instance 66token=label:mandatory_label 67 68token=head:header 69token=subj:subject 70token=ret:return 71token=exit:exit 72 73# note names -- certain notes show up repeatedly; collected here 74# 75# To achieve the maximum line length to be less than 80 characters, the 76# note names (message=) can be defined as a multi line, each line except the 77# last one finished with the backslash character. 78 79message=ipc_perm:The ipc and ipc_perm tokens are not included if \ 80 the message ID is not valid. 81 82 83# basic record pattern ("insert" is where event-specific tokens 84# are listed.) 85 86kernel=head:insert:subj:[upriv]:ret 87user=head:subj:insert:ret 88 89# Second Section 90# Annotation Section 91# 92# Most audit records need annotation beyond what is provided by 93# the files audit_event and audit_class. At a minimum, a record 94# is represented by a label and a format. 95# 96# label=record_id like AUE_ACCEPT 97# format=token_alias 98# 99# there is no end line; a new label= end the preceding definition 100# and starts the next. 101# 102# format values are a list of token names, separated by colons. 
The 103# name is either one of the values described above (token=) or is 104# a value to be taken literally. If a token name ends with a digit, 105# the digit is an index into an array of comments. In the few cases 106# where there are no tokens (other than header, subject, return/exit), 107# use "format=kernel" or "format=user". 108# 109# comment is an array of strings separated by colons. If comments 110# are listed on separate lines (recommended for better 111# readability/maintainability of the file), the preceding comment 112# must end with a colon. The array starts at 1. (If the comment 113# contains a colon, use ":" without the quotes.) 114# 115# case is used to generate alternate descriptions for a given 116# record. 117# 118# Constraints - string length; bear in mind that any annotation of the 119# primitives below that is longer than specified will be silently truncated 120# to the given/defined number of characters by the auditrecord(1M) runtime: 121# 122# primitive <= max (non-truncated) string length 123# case <= unlimited; if necessary, text continues on a new line 124# comment <= unlimited; if necessary, text continues on a new line 125# label <= 43 126# note <= unlimited; if necessary, text continues on a new line 127# program <= 20 128# see <= 39 129# syscall <= 20 130# title <= 46 131# token <= 28 (full name) 132# 133# To keep the maximum line length below 80 characters, one can 134# define the unlimited primitives as a multi line, each line except the 135# last one finished with the backslash character. In addition to the above 136# mentioned, the "format=" record attribute follows the same rule. 137# 138# 139# AUE_ACCEPT illustrates the use of all the above. Note that 140# case is not nested; ellipsis (...) is used to give the effect 141# of nesting. 
142 143label=AUE_ACCEPT 144#accept(2) failure 145 case=Invalid socket file descriptor 146 format=arg1 147 comment=1, file descriptor, "so" 148#accept(2) non SOCK_STREAM socket 149 case=If the socket address is not part of the AF_INET family 150 format=arg1:arg2:arg3 151 comment=1, "so", file descriptor: 152 comment="family", so_family: 153 comment="type", so_type 154 case=If the socket address is part of the AF_INET family 155 case=...If there is no vnode for this file descriptor 156 format=[arg]1 157 comment=1, file descriptor, "Bad so" 158#accept(2) SOCK_STREAM socket-not bound 159 case=...or if the socket is not bound 160 format=[arg]1:[inet]2 161 comment=1, file descriptor, "so": 162 comment=local/foreign address (0.0.0.0) 163 case=...or if the socket address length = 0 164 format=[arg]1:[inet]2 165 comment=1, file descriptor, "so": 166 comment=local/foreign address (0.0.0.0) 167 case=...or for all other conditions 168 format=inet1:[inet]1 169 comment=socket address 170#accept(2) failure 171# header 172# au_to_arg32 "so",file descriptor 173# subject 174# return <errno != 0> 175# 176#accept(2) non SOCK_STREAM socket 177# header 178# au_to_arg32 "so", file descriptor 179# au_to_arg32 "family", so_family 180# au_to_arg32 "type", so_type 181# subject 182# return success 183# 184#accept(2) SOCK_STREAM socket-not bound 185# header 186# au_to_arg32 "so", file descriptor 187# au_to_socket_ex local/foreign address (0.0.0.0) 188# subject 189# return success 190# 191#accept(2) SOCK_STREAM socket-bound 192# header 193# au_to_arg32 "so", file descriptor 194# au_to_socket_ex 195# subject 196# return success 197 198 199 200label=AUE_ACCESS 201 format=path1:[attr] 202 comment=may be truncated in failure case 203# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 204# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 205# attribute,100777,41416,staff,8388608,402255,0 206# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 
129.146.89.30 207# return,success,0 208# trailer,163 209# 210# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 211# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 212# attribute,100000,root,other,8388608,402257,0 213# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 214# return,failure: Permission denied,-1 215# trailer,163 216# 217# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 218# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 219# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 220# return,failure: No such file or directory,-1 221# trailer,135 222 223label=AUE_ACCT 224 case=Zero path 225 format=arg1 226 comment=1, 0, "accounting off" 227 case=Non-zero path 228 format=path1:[attr]2 229 comment=may be truncated in failure case: 230 comment=omitted if failure 231 232label=AUE_ACLSET 233 syscall=acl 234 format=arg1:arg2:(0..n)[acl]3 235 comment=2, SETACL, "cmd": 236 comment=3, number of ACL entries, "nentries": 237 comment=Access Control List entries 238 239label=AUE_ADJTIME 240 format=kernel 241 242label=AUE_ASYNC_DAEMON 243 skip=Not used 244 245label=AUE_ASYNC_DAEMON_EXIT 246 skip=Not used 247 248label=AUE_AUDIT 249 skip=Not used. (Placeholder for the set AUE_AUDIT_*.) 250 251label=AUE_AUDITON 252 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
253 254label=AUE_AUDITON_GESTATE 255 skip=Not used 256 257label=AUE_AUDITON_GETAMASK 258 format=kernel 259 syscall=auditon: GETAMASK 260 261label=AUE_AUDITON_GETCAR 262 format=kernel 263 syscall=auditon: GETCAR 264# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 265# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 266# return,success,0 267# trailer,68 268 269label=AUE_AUDITON_GETCLASS 270 format=kernel 271 syscall=auditon: GETCLASS 272# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 273# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 274# return,success,0 275# trailer,68 276 277label=AUE_AUDITON_GETCOND 278 format=kernel 279 syscall=auditon: GETCOND 280# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 281# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 282# return,success,0 283# trailer,68 284 285label=AUE_AUDITON_GETCWD 286 format=kernel 287 syscall=auditon: GETCWD 288# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 289# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 290# return,success,0 291# trailer,68 292 293label=AUE_AUDITON_GETKMASK 294 format=kernel 295 syscall=auditon: GETKMASK 296# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 297# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 298# return,success,0 299# trailer,68 300 301label=AUE_AUDITON_GETSTAT 302 format=kernel 303 syscall=auditon: A_GETSTAT 304# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 305# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 306# return,success,0 307# trailer,68 308 309label=AUE_AUDITON_GPOLICY 310 format=kernel 311 syscall=auditon: GPOLICY 312# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec 313# 
subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 314# return,success,0 315# trailer,68 316 317label=AUE_AUDITON_GQCTRL 318 format=kernel 319 syscall=auditon: GQCTRL 320# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec 321# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 322# return,success,0 323# trailer,68 324 325 326label=AUE_AUDITON_GTERMID 327 skip=Not used. 328 329label=AUE_AUDITON_SESTATE 330 skip=Not used. 331 332label=AUE_AUDITON_SETAMASK 333 format=[arg]1:[arg]2 334 comment=2, "setamask:as_success", user default audit preselection mask: 335 comment=2, "setamask:as_failure", user default audit preselection mask 336 syscall=auditon: SETAMASK 337 338label=AUE_AUDITON_SETCLASS 339 format=[arg]1:[arg]2 340 comment=2, "setclass:ec_event", event number: 341 comment=3, "setclass:ec_class", class mask 342 syscall=auditon: SETCLASS 343# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec 344# argument,2,0x0,setclass:ec_event 345# argument,3,0x0,setclass:ec_class 346# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 347# return,success,0 348# trailer,120 349 350label=AUE_AUDITON_SETCOND 351 format=[arg]1 352 comment=3, "setcond", audit state 353 syscall=auditon: SETCOND 354 355label=AUE_AUDITON_SETKMASK 356 format=[arg]1:[arg]2 357 comment=2, "setkmask:as_success", kernel non-attributable mask: 358 comment=2, "setkmask:as_failure", kernel non-attributable mask 359 syscall=auditon: SETKMASK 360# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec 361# argument,2,0x0,setkmask:as_success 362# argument,2,0x0,setkmask:as_failure 363# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 364# return,success,0 365# trailer,124 366# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec 367# argument,2,0x0,setkmask:as_success 368# argument,2,0x0,setkmask:as_failure 369# 
subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 370# return,failure: Not owner,-1 371# trailer,124 372 373label=AUE_AUDITON_SETSMASK 374 format=[arg]1:[arg]2 375 comment=3, "setsmask:as_success", session ID mask: 376 comment=3, "setsmask:as_failure", session ID mask 377 syscall=auditon: SETSMASK 378# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec 379# argument,3,0x400,setsmask:as_success 380# argument,3,0x400,setsmask:as_failure 381# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 382# return,success,0 383# trailer,124 384# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 385# argument,3,0x400,setsmask:as_success 386# argument,3,0x400,setsmask:as_failure 387# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 388# return,failure: Not owner,-1 389# trailer,124 390 391label=AUE_AUDITON_SETSTAT 392 format=kernel 393 syscall=auditon: SETSTAT 394# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 395# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 396# return,success,0 397# trailer,68 398# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 399# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 400# return,failure: Not owner,-1 401# trailer,68 402 403label=AUE_AUDITON_SETUMASK 404 format=[arg]1:[arg]2 405 comment=3, "setumask:as_success", audit ID mask: 406 comment=3, "setumask:as_failure", audit ID mask 407 syscall=auditon: SETUMASK 408# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 409# argument,3,0x400,setumask:as_success 410# argument,3,0x400,setumask:as_failure 411# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 412# return,success,0 413# trailer,124 414# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 415# 
argument,3,0x400,setumask:as_success 416# argument,3,0x400,setumask:as_failure 417# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 418# return,failure: Not owner,-1 419# trailer,124 420 421label=AUE_AUDITON_SPOLICY 422 format=[arg]1 423 comment=3, audit policy flags, "setpolicy" 424 syscall=auditon: SPOLICY 425# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec 426# argument,3,0x200,setpolicy 427# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 428# return,success,0 429# trailer,86 430# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 431# argument,3,0x200,setpolicy 432# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 433# return,failure: Not owner,-1 434# trailer,86 435 436label=AUE_AUDITON_SQCTRL 437 format=[arg]1:[arg]2:[arg]3:[arg]4 438 comment=3, "setqctrl:aq_hiwater", queue control param.: 439 comment=3, "setqctrl:aq_lowater", queue control param.: 440 comment=3, "setqctrl:aq_bufsz", queue control param.: 441 comment=3, "setqctrl:aq_delay", queue control param. 442 syscall=auditon: SQCTRL 443# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 444# argument,3,0x64,setqctrl:aq_hiwater 445# argument,3,0xa,setqctrl:aq_lowater 446# argument,3,0x400,setqctrl:aq_bufsz 447# argument,3,0x14,setqctrl:aq_delay 448# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 449# return,success,0 450# trailer,176 451# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 452# argument,3,0x64,setqctrl:aq_hiwater 453# argument,3,0xa,setqctrl:aq_lowater 454# argument,3,0x400,setqctrl:aq_bufsz 455# argument,3,0x14,setqctrl:aq_delay 456# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 457# return,failure: Not owner,-1 458# trailer,176 459 460label=AUE_AUDITON_STERMID 461 skip=Not used. 462 463label=AUE_AUDITSTAT 464 skip=Not used. 
465 466label=AUE_AUDITSVC 467 skip=Not used. 468 469label=AUE_AUDITSYS 470 skip=Not used. (Place holder for various auditing events.) 471 472label=AUE_BIND 473# differs from documented version. 474# cases "no vnode" not fully confirmed 475# family and type need argument number 476 case=Invalid socket handle 477 format=arg1 478 comment=1, file descriptor, "so" 479 case=If there is no vnode for this file descriptor 480 case=or if the socket is not of the AF_INET family 481 format=arg1:arg2:arg3 482 comment=1, file descriptor, "so": 483 comment=1, socket family, "family": 484 comment=1, socket type, "type" 485 case=or for all other conditions 486 format=arg1:inet2 487 comment=1, file descriptor, "so": 488 comment=socket address 489 490label=AUE_BRANDSYS 491# generic mechanism to allow user-space and kernel components of a brand 492# to communicate. The interpretation of the arguments to the call is 493# left entirely up to the brand. 494 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 495 comment=1, command, "cmd": 496 comment=2, command args, "arg": 497 comment=3, command args, "arg": 498 comment=4, command args, "arg": 499 comment=5, command args, "arg": 500 comment=6, command args, "arg": 501 comment=7, command args, "arg" 502 503label=AUE_BSMSYS 504 skip=Not used. 
505 506label=AUE_CHDIR 507 format=path:[attr] 508# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 509# path,/export/home/CC_final/icenine/arv/chdir/obj_succ 510# attribute,40777,root,other,8388608,231558,0 511# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 512# return,success,0 513# trailer,151 514# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 515# path,/export/home/CC_final/icenine/arv/chdir/obj_fail 516# attribute,40000,root,other,8388608,237646,0 517# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 518# return,failure: Permission denied,-1 519# trailer,151 520 521label=AUE_CHMOD 522 format=arg1:path:[attr] 523 comment=2, mode, "new file mode" 524# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 525# argument,2,0x1f8,new file mode 526# path,/export/home/CC_final/icenine/arv/chmod/obj_succ 527# attribute,100770,tuser10,other,8388608,243608,0 528# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 529# return,success,0 530# trailer,173 531# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 532# argument,2,0x1f8,new file mode 533# path,/export/home/CC_final/icenine/arv/chmod/obj_fail 534# attribute,100600,root,other,8388608,243609,0 535# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 536# return,failure: Not owner,-1 537# trailer,173 538 539label=AUE_CHOWN 540 format=arg1:arg2:path:[attr] 541 comment=2, uid, "new file uid": 542 comment=3, gid, "new file gid" 543# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 544# argument,2,0x271a,new file uid 545# argument,3,0xffffffff,new file gid 546# path,/export/home/CC_final/icenine/arv/chown/obj_succ 547# attribute,100644,tuser10,other,8388608,268406,0 548# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 549# return,success,0 550# trailer,193 551# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec 552# argument,2,0x271a,new file uid 
553# argument,3,0xffffffff,new file gid 554# path,/export/home/CC_final/icenine/arv/chown/obj_fail 555# attribute,100644,root,other,8388608,268407,0 556# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 557# return,failure: Not owner,-1 558# trailer,193 559 560label=AUE_CHROOT 561 format=path:[attr] 562# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 563# path,/ 564# attribute,40755,root,root,8388608,2,0 565# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 566# return,success,0 567# trailer,104 568# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 569# path,/export/home/CC_final/icenine/arv/chroot/obj_fail 570# attribute,40777,tuser10,other,8388608,335110,0 571# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 572# return,failure: Not owner,-1 573# trailer,152 574 575label=AUE_CLOCK_SETTIME 576 format=kernel 577 578label=AUE_CLOSE 579 format=arg1:[path]:[attr] 580 comment=1, file descriptor, "fd" 581 582label=AUE_CONFIGKSSL 583 case=Adding KSSL entry. 584 format=text1:inaddr2:text3:text4 585 comment=opcode, KSSL_ADD_ENTRY: 586 comment=local IP address: 587 comment=SSL port number: 588 comment=proxy port number 589 case=Deleting KSSL entry. 
590 format=text1:inaddr2:text3 591 comment=opcode, KSSL_DELETE_ENTRY: 592 comment=local IP address: 593 comment=SSL port number 594 595label=AUE_CONNECT 596# cases "no vnode" not fully confirmed 597 case=If there is no vnode for this file descriptor 598 case=If the socket address is not part of the AF_INET family 599 format=arg1:arg2:arg3 600 comment=1, file descriptor, "so": 601 comment=1, socket family, "family": 602 comment=1, socket type, "type" 603 case=If the socket address is part of the AF_INET family 604 format=arg1:inet2 605 comment=1, file descriptor, "so": 606 comment=socket address 607 608label=AUE_CORE 609 syscall=none 610 title=process dumped core 611 see=none 612 format=path:[attr]:arg1 613 comment=1, signal, "signal" 614# see uts/common/c2/audit.c 615 616label=AUE_CREAT 617# obsolete - see open(2) 618 format=path:[attr] 619# does not match old BSM manual 620# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 621# path,/export/home/CC_final/icenine/arv/creat/obj_succ 622# attribute,100644,tuser10,other,8388608,49679,0 623# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 624# return,success,8 625# trailer,151 626# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 627# path,/devices/pseudo/mm@0:null 628# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 629# return,success,8 630# trailer,107 631# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 632# path,/obj_fail 633# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 634# return,failure: Permission denied,-1 635# trailer,83 636 637label=AUE_CRYPTOADM 638 title=kernel cryptographic framework 639 format=text1:(0..n)[text]2 640 comment=cryptoadm command/operation: 641 comment=mechanism list 642 643label=AUE_DOORFS 644 skip=Not used. (Place holder for set of door audit events.) 645 646label=AUE_DOORFS_DOOR_BIND 647 skip=Not used. 
648 syscall=doorfs: DOOR_BIND 649 650label=AUE_DOORFS_DOOR_CALL 651 format=arg1:proc2 652 comment=1, door ID, "door ID": 653 comment=for process that owns the door 654 syscall=doorfs: DOOR_CALL 655 656label=AUE_DOORFS_DOOR_CREATE 657 format=arg1 658 comment=1, door attributes, "door attr" 659 syscall=doorfs: DOOR_CREATE 660 661label=AUE_DOORFS_DOOR_CRED 662 skip=Not used. 663 syscall=doorfs: DOOR_CRED 664 665label=AUE_DOORFS_DOOR_INFO 666 skip=Not used. 667 syscall=doorfs: DOOR_INFO 668 669label=AUE_DOORFS_DOOR_RETURN 670 format=kernel 671 syscall=doorfs: DOOR_RETURN 672 673label=AUE_DOORFS_DOOR_REVOKE 674 format=arg1 675 comment=1, door ID, "door ID" 676 syscall=doorfs: DOOR_REVOKE 677 678label=AUE_DOORFS_DOOR_UNBIND 679 skip=Not used. 680 syscall=doorfs: DOOR_UNBIND 681 682label=AUE_DUP2 683 skip=Not used. 684 685label=AUE_ENTERPROM 686 title=enter prom 687 syscall=none 688 format=head:text1:ret 689 comment="kmdb" 690# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 691# text,kmdb 692# return,success,0 693 694label=AUE_EXEC 695# obsolete - see execve(2) 696 format=path:[attr]1:[exec_args]2:[exec_env]3 697 comment=omitted on error: 698 comment=output if argv policy is set: 699 comment=output if arge policy is set 700 701label=AUE_EXECVE 702 format=path:[attr]1:[exec_args]2:[exec_env]3 703 comment=omitted on error: 704 comment=output if argv policy is set: 705 comment=output if arge policy is set 706# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 707# path,/devices/pseudo/mm@0:null 708# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 709# return,success,8 710# trailer,107 711# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 712# path,/usr/bin/pig 713# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 714# return,failure: No such file or directory,-1 715# trailer,86 716 717label=AUE_PFEXEC 718 format=path1:path2:[privset]3:[privset]3:[proc]4:exec_args:[exec_env]5 719 
comment=pathname of the executable: 720 comment=pathname of working directory: 721 comment=privileges if the limit or inheritable set are changed: 722 comment=process if ruid, euid, rgid or egid is changed: 723 comment=output if arge policy is set 724 725label=AUE_EXIT 726 format=arg1:[text]2 727 comment=1, exit status, "exit status": 728 comment=event aborted 729 730label=AUE_EXITPROM 731 title=exit prom 732 syscall=none 733 format=head:text1:ret 734 comment="kmdb" 735# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 736# text,kmdb 737# return,success,0 738 739label=AUE_EXPORTFS 740 skip=Not used. 741 742label=AUE_FACCESSAT 743# obsolete 744 see=access(2) 745 format=path:[attr] 746 747label=AUE_FACLSET 748 syscall=facl 749 case=Invalid file descriptor 750 format=arg1:arg2 751 comment=2, SETACL, "cmd": 752 comment=3, number of ACL entries, "nentries" 753 case=Zero path 754 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 755 comment=2, SETACL, "cmd": 756 comment=3, number of ACL entries, "nentries": 757 comment=1, file descriptor, "no path: fd": 758 comment=ACLs 759 case=Non-zero path 760 format=arg1:arg2:path:[attr]:(0..n)[acl]3 761 comment=2, SETACL, "cmd": 762 comment=3, number of ACL entries, "nentries": 763 comment=ACLs 764 765label=AUE_FCHDIR 766 format=[path]:[attr] 767# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 768# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 769# attribute,40777,tuser10,other,8388608,207662,0 770# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 771# return,success,0 772# trailer,150 773# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 774# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 775# return,failure: Permission denied,-1 776# trailer,68 777 778label=AUE_FCHMOD 779 case=With a valid file descriptor and path 780 format=arg1:path:[attr] 781 comment=2, mode, "new file mode" 782 case=With a valid file descriptor and invalid path 783 
format=arg1:[arg]2:[attr] 784 comment=2, mode, "new file mode": 785 comment=1, file descriptor, "no path: fd" 786 case=With an invalid file descriptor 787 format=arg1 788 comment=2, mode, "new file mode" 789# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 790# argument,2,0x1a4,new file mode 791# path,/export/home/CC/icenine/arv/fchmod/obj_succ 792# attribute,100644,tuser10,other,7602240,26092,0 793# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 794# return,success,0 795# trailer,168 796# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 797# argument,2,0x1a4,new file mode 798# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 799# return,failure: Bad file number,-1 800# trailer,90 801# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 802# argument,2,0x1a4,new file mode 803# path,/export/home/CC/icenine/arv/fchmod/obj_fail 804# attribute,100644,root,other,7602240,26093,0 805# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 806# return,failure: Not owner,-1 807# trailer,168 808 809label=AUE_FCHOWN 810 case=With a valid file descriptor 811 format=arg1:arg2:[path]:[attr] 812 comment=2, uid, "new file uid": 813 comment=3, gid, "new file gid" 814 case=With an invalid file descriptor 815 format=arg1:arg2:[arg]3:[attr] 816 comment=2, uid, "new file uid": 817 comment=3, gid, "new file gid": 818 comment=1, file descriptor, "no path fd" 819 820label=AUE_FCHOWNAT 821# obsolete 822 see=openat(2) 823 case=With a valid absolute/relative file path 824 format=path:[attr] 825 case=With an file path eq. 
NULL and valid file descriptor 826 format=kernel 827 828label=AUE_FCHROOT 829 format=[path]:[attr] 830# fchroot -> chdirec -> audit_chdirec 831 832label=AUE_FCNTL 833 case=With a valid file descriptor 834 format=arg1:[arg]2:path:attr 835 comment=2, command, "cmd": 836 comment=3, flags, "flags" 837 case=With an invalid file descriptor 838 format=arg1:[arg]2:arg3 839 comment=2, command, "cmd": 840 comment=3, flags, "flags": 841 comment=1, file descriptor, "no path fd" 842 note=Flags are included only when cmd is F_SETFL. 843 844label=AUE_FLOCK 845 skip=Not used. 846 847label=AUE_FORKALL 848 format=[arg]1 849 comment=0, pid, "child PID" 850 note=The forkall(2) return values are undefined because the audit record 851 note=is produced at the point that the child process is spawned. 852# see audit.c 853 854label=AUE_FORK1 855 format=[arg]1 856 comment=0, pid, "child PID" 857 note=The fork1(2) return values are undefined because the audit record 858 note=is produced at the point that the child process is spawned. 859# see audit.c 860 861label=AUE_FSAT 862# obsolete 863 skip=Not used. (Placeholder for AUE_*AT records) 864 865label=AUE_FSTAT 866 skip=Not used. 867 868label=AUE_FSTATAT 869# obsolete 870 format=path:[attr] 871 872label=AUE_FSTATFS 873 case=With a valid file descriptor 874 format=[path]:[attr] 875 case=With an invalid file descriptor 876 format=arg1 877 comment=1, file descriptor, "no path fd" 878 879label=AUE_FTRUNCATE 880 skip=Not used. 
881 882label=AUE_FUSERS 883 syscall=utssys: UTS_FUSERS 884 format=path:attr 885 886label=AUE_FUTIMESAT 887# obsolete 888 format=[path]:[attr] 889 890label=AUE_GETAUDIT 891 format=kernel 892# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 893# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 894# return,success,0 895# trailer,68 896# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 897# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 898# return,success,0 899# trailer,68 900 901label=AUE_GETAUDIT_ADDR 902 format=kernel 903# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 904# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 905# return,success,0 906 907label=AUE_GETAUID 908 format=kernel 909# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 910# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 911# return,success,0 912# trailer,68 913# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec 914# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1 915# return,failure: Not owner,-1 916# trailer,68 917 918label=AUE_GETDENTS 919 skip=Not used. 920#Not security relevant 921 922label=AUE_GETKERNSTATE 923 skip=Not used. 924 925label=AUE_GETMSG 926 case=With a valid file descriptor 927 format=arg1:[path]:attr:arg2 928 comment=1, file descriptor, "fd": 929 comment=4, priority, "pri" 930 case=With an invalid file descriptor 931 format=arg1:arg2 932 comment=1, file descriptor, "fd": 933 comment=4, priority, "pri" 934 935label=AUE_GETPMSG 936 case=With a valid file descriptor 937 format=arg1:[path]:attr 938 comment=1, file descriptor, "fd" 939 case=With an invalid file descriptor 940 format=arg1 941 comment=1, file descriptor, "fd" 942 943label=AUE_GETPORTAUDIT 944 skip=Not used. 945 946label=AUE_GETUSERAUDIT 947 skip=Not used. 
948 949label=AUE_INST_SYNC 950 format=arg1 951 comment=2, flags value, "flags" 952 953label=AUE_IOCTL 954 case=With an invalid file descriptor 955 format=arg1:arg2:arg3 956 comment=1, file descriptor, "fd": 957 comment=2, command, "cmd": 958 comment=3, arg, "arg" 959 case=With a valid file descriptor 960 format=path:[attr]:arg1:arg2 961 comment=2, ioctl cmd, "cmd": 962 comment=3, ioctl arg, "arg" 963 case=Non-file file descriptor 964 format=arg1:arg2:arg3 965 comment=1, file descriptor, "fd": 966 comment=2, ioctl cmd, "cmd": 967 comment=3, ioctl arg, "arg" 968 case=Bad file name 969 format=arg1:arg2:arg3 970 comment=1, file descriptor, "no path: fd": 971 comment=2, ioctl cmd, "cmd": 972 comment=3, ioctl arg, "arg" 973# old BSM manual misses a case 974 975label=AUE_JUNK 976 skip=Not used. 977 978label=AUE_KILL 979 case=Valid process 980 format=arg1:[proc] 981 comment=2, signo, "signal" 982 case=Zero or negative process 983 format=arg1:arg2 984 comment=2, signo, "signal": 985 comment=1, pid, "process" 986 987label=AUE_KILLPG 988 skip=Not used. 989 990label=AUE_LCHOWN 991 format=arg1:arg2:path:[attr] 992 comment=2, uid, "new file uid": 993 comment=3, gid, "new file gid" 994 995label=AUE_LINK 996 format=path1:[attr]:path2 997 comment=from path: 998 comment=to path 999 1000label=AUE_LSEEK 1001 skip=Not used. 1002 1003label=AUE_LSTAT 1004 format=path:[attr] 1005 1006label=AUE_LXSTAT 1007# obsolete 1008 skip=Not used. 1009 1010label=AUE_MCTL 1011 skip=Not used. 
1012 1013label=AUE_MEMCNTL 1014 format=arg1:arg2:arg3:arg4:arg5:arg6 1015 comment=1, base address, "base": 1016 comment=2, length, "len": 1017 comment=3, command, "cmd": 1018 comment=4, command args, "arg": 1019 comment=5, command attributes, "attr": 1020 comment=6, 0, "mask" 1021 1022label=AUE_MKDIR 1023 format=arg1:path:[attr] 1024 comment=2, mode, "mode" 1025 1026label=AUE_MKNOD 1027 format=arg1:arg2:path:[attr] 1028 comment=2, mode, "mode": 1029 comment=3, dev, "dev" 1030 1031label=AUE_MMAP 1032 case=With a valid file descriptor 1033 format=arg1:arg2:[path]3:[attr] 1034 comment=1, segment address, "addr": 1035 comment=2, segment address, "len": 1036 comment=if no path, then argument: \ 1037 1, "nopath: fd", file descriptor 1038 case=With an invalid file descriptor 1039 format=arg1:arg2:arg3 1040 comment=1, segment address, "addr": 1041 comment=2, segment address, "len": 1042 comment=1, file descriptor, "no path: fd" 1043 1044label=AUE_MODADDMAJ 1045 title=modctl: bind module 1046 syscall=modctl 1047 format=[text]1:[text]2:text3:arg4:(0..n)[text]5 1048 comment=driver major number: 1049 comment=driver name: 1050 comment=driver major number or "no drvname": 1051 comment=5, number of aliases, "": 1052 comment=aliases 1053 1054label=AUE_MODADDPRIV 1055 format=kernel 1056 1057label=AUE_MODCONFIG 1058 skip=Not used. 1059 1060label=AUE_MODCTL 1061 skip=Not used. 
(placeholder) 1062 1063label=AUE_MODDEVPLCY 1064 syscall=modctl 1065 title=modctl: set device policy 1066 case=If unknown minor name/pattern 1067 format=arg1:arg2:arg3:arg4:arg5 1068 comment=2, "major", major number: 1069 comment=2, "lomin", low minor number, if known: 1070 comment=2, "himin", hi minor number, if known: 1071 comment=privileges required for reading: 1072 comment=privileges required for writing 1073 case=else 1074 format=arg1:text2:arg3:arg4 1075 comment=2, "major", major number: 1076 comment=minor name/pattern: 1077 comment=privileges required for reading: 1078 comment=privileges required for writing 1079 1080label=AUE_MODLOAD 1081 syscall=modctl 1082 title=modctl: load module 1083 format=[text]1:text2 1084 comment=default path: 1085 comment=filename path 1086 1087label=AUE_MODUNLOAD 1088 syscall=modctl 1089 title=modctl: unload module 1090 format=arg1 1091 comment=1, module ID, "id" 1092 1093label=AUE_MOUNT 1094 case=UNIX file system 1095 format=arg1:text2:path:[attr] 1096 comment=3, flags, "flags": 1097 comment=filesystem type 1098 case=NFS file system 1099 format=arg1:text2:text3:arg4:path:[attr] 1100 comment=3, flags, "flags": 1101 comment=filesystem type: 1102 comment=host name: 1103 comment=3, flags, "internal flags" 1104# unix example: 1105# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1106# argument,3,0x104,flags 1107# text,ufs 1108# path,/var2 1109# attribute,40755,root,root,32,12160,0 1110# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1111# attribute,60640,root,sys,32,231268,137438953476 1112# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1113# return,success,4290707268 1114# ^^^^^^^^^^ <- bugid 4333559 1115 1116label=AUE_MSGCTL 1117 format=arg1:[ipc]:[ipc_perm] 1118 comment=1, message ID, "msg ID" 1119 note=ipc_perm 1120# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1121 1122label=AUE_MSGCTL_RMID 1123 format=arg1:[ipc]:[ipc_perm] 1124 comment=1, message ID, "msg ID" 1125 note=ipc_perm 1126 
syscall=msgctl: IPC_RMID 1127# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1128 1129label=AUE_MSGCTL_SET 1130 format=arg1:[ipc]:[ipc_perm] 1131 comment=1, message ID, "msg ID" 1132 note=ipc_perm 1133 syscall=msgctl: IPC_SET 1134# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1135 1136label=AUE_MSGCTL_STAT 1137 format=arg1:[ipc]:[ipc_perm] 1138 comment=1, message ID, "msg ID" 1139 note=ipc_perm 1140 syscall=msgctl: IPC_STAT 1141# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1142 1143label=AUE_MSGGET 1144 format=arg1:ipc 1145 comment=1, message key, "msg key" 1146 note=ipc_perm 1147 syscall=msgget 1148 1149label=AUE_MSGGETL 1150 skip=Not used. 1151 1152label=AUE_MSGRCV 1153 format=arg1:[ipc]:[ipc_perm] 1154 comment=1, message ID, "msg ID" 1155 note=ipc_perm 1156 syscall=msgrcv 1157# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc 1158 1159label=AUE_MSGRCVL 1160 skip=Not used. 1161 1162label=AUE_MSGSND 1163 format=arg1:[ipc]:[ipc_perm] 1164 comment=1, message ID, "msg ID" 1165 note=ipc_perm 1166 syscall=msgsnd 1167# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc 1168 1169label=AUE_MSGSNDL 1170 skip=Not used. 1171 1172label=AUE_MSGSYS 1173skip=Not used. (Placeholder for AUE_MSG* events.) 1174 1175label=AUE_MUNMAP 1176 format=arg1:arg2 1177 comment=1, address of memory, "addr": 1178 comment=2, memory segment size, "len" 1179 1180label=AUE_NFS 1181 skip=Not used. 1182 1183label=AUE_NFSSVC_EXIT 1184 skip=Not used. 1185 1186label=AUE_NFS_GETFH 1187 skip=Not used. 1188 1189label=AUE_NFS_SVC 1190 skip=Not used. 1191 1192label=AUE_NICE 1193 format=kernel 1194 1195label=AUE_NULL 1196 skip=Not used. (placeholder) 1197# used internal to audit_event.c for minimal audit 1198 1199label=AUE_NTP_ADJTIME 1200 format=kernel 1201 1202label=AUE_ONESIDE 1203 skip=Not used. 1204 1205label=AUE_OPEN 1206 skip=Not used. (placeholder for AUE_OPEN_*). 
1207 1208label=AUE_OPEN_R 1209 format=path:[path_attr]:[attr] 1210 see=open(2) - read 1211 1212label=AUE_OPENAT_R 1213# obsolete 1214 format=path:[path_attr]:[attr] 1215 see=openat(2) 1216 1217label=AUE_OPEN_RC 1218 format=path:[path_attr]:[attr] 1219 see=open(2) - read,creat 1220 1221label=AUE_OPENAT_RC 1222# obsolete 1223 see=openat(2) 1224 format=path:[path_attr]:[attr] 1225 1226label=AUE_OPEN_RT 1227 format=path:[path_attr]:[attr] 1228 see=open(2) - read,trunc 1229 1230label=AUE_OPENAT_RT 1231# obsolete 1232 see=openat(2) 1233 format=path:[path_attr]:[attr] 1234 1235label=AUE_OPEN_RTC 1236 format=path:[path_attr]:[attr] 1237 see=open(2) - read,trunc,creat 1238 1239label=AUE_OPENAT_RTC 1240# obsolete 1241 see=openat(2) 1242 format=path:[path_attr]:[attr] 1243 1244label=AUE_OPEN_RW 1245 format=path:[path_attr]:[attr] 1246 see=open(2) - read,write 1247 1248label=AUE_OPENAT_RW 1249# obsolete 1250 see=openat(2) 1251 format=path:[path_attr]:[attr] 1252# aui_fsat(): fm & O_RDWR 1253 1254label=AUE_OPEN_RWC 1255 format=path:[path_attr]:[attr] 1256 see=open(2) - read,write,creat 1257 1258label=AUE_OPENAT_RWC 1259# obsolete 1260 see=openat(2) 1261 format=path:[path_attr]:[attr] 1262 1263label=AUE_OPEN_RWT 1264 format=path:[path_attr]:[attr] 1265 see=open(2) - read,write,trunc 1266 1267label=AUE_OPENAT_RWT 1268# obsolete 1269 see=openat(2) 1270 format=path:[path_attr]:[attr] 1271 1272label=AUE_OPEN_RWTC 1273 format=path:[path_attr]:[attr] 1274 see=open(2) - read,write,trunc,creat 1275 1276label=AUE_OPENAT_RWTC 1277# obsolete 1278 see=openat(2) 1279 format=path:[path_attr]:[attr] 1280 1281label=AUE_OPEN_W 1282 format=path:[path_attr]:[attr] 1283 see=open(2) - write 1284 1285label=AUE_OPENAT_W 1286 see=openat(2) 1287 format=path:[path_attr]:[attr] 1288 1289label=AUE_OPEN_WC 1290 format=path:[path_attr]:[attr] 1291 see=open(2) - write,creat 1292 1293label=AUE_OPENAT_WC 1294 see=openat(2) 1295 format=path:[path_attr]:[attr] 1296 1297label=AUE_OPEN_WT 1298 
format=path:[path_attr]:[attr] 1299 see=open(2) - write,trunc 1300 1301label=AUE_OPENAT_WT 1302 see=openat(2) 1303 format=path:[path_attr]:[attr] 1304 1305label=AUE_OPEN_WTC 1306 format=path:[path_attr]:[attr] 1307 see=open(2) - write,trunc,creat 1308 1309label=AUE_OPENAT_WTC 1310 see=openat(2) 1311 format=path:[path_attr]:[attr] 1312 1313label=AUE_OPEN_S 1314 format=path:[path_attr]:[attr] 1315 see=open(2) - search 1316 1317label=AUE_OPEN_E 1318 format=path:[path_attr]:[attr] 1319 see=open(2) - exec 1320 1321label=AUE_OSETPGRP 1322 skip=Not used. 1323 1324label=AUE_OSTAT 1325# obsolete 1326 skip=Not used. 1327 1328label=AUE_PATHCONF 1329 format=path:[attr] 1330 1331label=AUE_PIPE 1332 format=kernel 1333# class is no, not usually printed 1334 1335label=AUE_PORTFS 1336 skip=Not used (placeholder for AUE_PORTFS_*). 1337 1341label=AUE_PORTFS_ASSOCIATE 1342 syscall=portfs 1343 see=port_associate(3C) 1344 case=Port association via PORT_SOURCE_FILE 1345 format=[path]1:attr 1346 comment=name of the file/directory to be watched 1347 1348label=AUE_PORTFS_DISSOCIATE 1349 syscall=portfs 1350 see=port_dissociate(3C) 1351 case=Port disassociation via PORT_SOURCE_FILE 1352 format=kernel 1353 1354label=AUE_PRIOCNTLSYS 1355 syscall=priocntl 1356 see=priocntl(2) 1357 format=arg1:arg2 1358 comment=1, priocntl version number, "pc_version": 1359 comment=3, command, "cmd" 1360 1361label=AUE_PROCESSOR_BIND 1362 case=No LWP/thread bound to the processor 1363 format=arg1:arg2:text3:[proc] 1364 comment=1, type of ID, "ID type": 1365 comment=2, ID value, "ID": 1366 comment="PBIND_NONE" 1367 case=With processor bound 1368 format=arg1:arg2:arg3:[proc] 1369 comment=1, type of ID, "ID type": 1370 comment=2, ID value, "ID": 1371 comment=3, processor ID, "processor_id" 1372 1373label=AUE_PUTMSG 1374 see=putmsg(2) 1375 format=arg1:[path]:[attr]:arg2 1376 comment=1, file descriptor, "fd": 1377 comment=4, priority, "pri"
1378 1379label=AUE_PUTPMSG 1380 see=putpmsg(2) 1381 format=arg1:[path]:[attr]:arg2:arg3 1382 comment=1, file descriptor, "fd": 1383 comment=4, priority, "pri": 1384 comment=5, flags, "flags" 1385 1386label=AUE_P_ONLINE 1387 format=arg1:arg2:text3 1388 comment=1, processor ID, "processor ID": 1389 comment=2, flags value, "flags": 1390 comment=text form of flags. Values: \ 1391 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS 1392 1393label=AUE_QUOTACTL 1394 skip=Not used. 1395 1396label=AUE_READ 1397 skip=Not used. (Placeholder for AUE_READ_* events) 1398 1399label=AUE_READL 1400 skip=Not used. (Obsolete) 1401 1402label=AUE_READLINK 1403 format=path:[attr] 1404 1405label=AUE_READV 1406 skip=Not used (obsolete) 1407# detritus from CMS 1408 1409label=AUE_READVL 1410 skip=Not used (obsolete) 1411# detritus from CMS 1412 1413label=AUE_REBOOT 1414 skip=Not used. 1415 1416label=AUE_RECV 1417 case=If address family is AF_INET or AF_INET6 1418 format=[arg]1:[inet] 1419 comment=1, file descriptor, "so" 1420 case=If address family is AF_UNIX and path is defined 1421 format=[path]1:[attr] 1422 comment=1, file descriptor, "so" 1423 case=If address family is AF_UNIX and path is NULL 1424 format=[path]1:[attr] 1425 comment=1, file descriptor, "no path: fd" 1426 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1427 format=[arg]1:[arg]2:[arg]3 1428 comment=1, file descriptor, "so": 1429 comment=1, family, "family": 1430 comment=1, type, "type" 1431# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) 1432 1433label=AUE_RECVFROM 1434 format=inet:arg1:[arg]2:inet3:arg4 1435 comment=3, message length, "len": 1436 comment=4, flags, "flags": 1437 comment=from address: 1438 comment=6, address length, "tolen" 1439 note=The socket token for a bad socket is reported as "argument 1440 note=token (1, socket descriptor, "fd")" 1441 1442label=AUE_RECVMSG 1443 case=If invalid file descriptor 1444 format=arg1:arg2 1445 comment=1, file descriptor, 
"so": 1446 comment=3, flags, "flags" 1447 case=If valid file descriptor and socket is AF_UNIX and no path 1448 format=arg1:[attr] 1449 comment=1, file descriptor, "no path: fd" 1450 case=If valid file descriptor and socket is AF_UNIX and path defined 1451 format=path:attr 1452 case=If valid file descriptor and socket is AF_INET or AF_INET6 1453 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM 1454 format=arg1:arg2:inet 1455 comment=1, file descriptor, "so": 1456 comment=2, flags, "flags" 1457 case=.. if socket type is unknown 1458 format=arg1:arg2:arg3:arg4 1459 comment=1, file descriptor, "so": 1460 comment=1, family, "family": 1461 comment=1, type, "type": 1462 comment=3, flags, "flags" 1463 1464label=AUE_RENAME 1465 format=path1:[attr]1:[path]2 1466 comment=from name: 1467 comment=to name 1468 1469label=AUE_RENAMEAT 1470# obsolete 1471 format=path1:[attr]1:[path]2 1472 comment=from name: 1473 comment=to name 1474 1475label=AUE_RFSSYS 1476 skip=Not used. 1477# apparently replaced 1478 1479label=AUE_RMDIR 1480 format=path:[attr] 1481 1482label=AUE_SEMCTL 1483 format=arg1:[ipc]:[ipc_perm] 1484 comment=1, semaphore ID, "sem ID" 1485 note=ipc_perm 1486# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1487 1488label=AUE_SEMCTL_GETALL 1489 format=arg1:[ipc]:[ipc_perm] 1490 comment=1, semaphore ID, "sem ID" 1491 note=ipc_perm 1492 syscall=semctl: GETALL 1493# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1494 1495label=AUE_SEMCTL_GETNCNT 1496 format=arg1:[ipc]:[ipc_perm] 1497 comment=1, semaphore ID, "sem ID" 1498 note=ipc_perm 1499 syscall=semctl: GETNCNT 1500# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1501 1502label=AUE_SEMCTL_GETPID 1503 format=arg1:[ipc]:[ipc_perm] 1504 comment=1, semaphore ID, "sem ID" 1505 note=ipc_perm 1506 syscall=semctl: GETPID 1507# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1508 1509label=AUE_SEMCTL_GETVAL 1510 format=arg1:[ipc]:[ipc_perm] 1511 comment=1, semaphore ID, "sem ID" 1512 
note=ipc_perm 1513 syscall=semctl: GETVAL 1514# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1515 1516label=AUE_SEMCTL_GETZCNT 1517 format=arg1:[ipc]:[ipc_perm] 1518 comment=1, semaphore ID, "sem ID" 1519 note=ipc_perm 1520 syscall=semctl: GETZCNT 1521# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1522 1523label=AUE_SEMCTL_RMID 1524 format=arg1:[ipc]:[ipc_perm] 1525 comment=1, semaphore ID, "sem ID" 1526 note=ipc_perm 1527 syscall=semctl: IPC_RMID 1528# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1529 1530label=AUE_SEMCTL_SET 1531 format=arg1:[ipc]:[ipc_perm] 1532 comment=1, semaphore ID, "sem ID" 1533 note=ipc_perm 1534 syscall=semctl: IPC_SET 1535# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1536 1537label=AUE_SEMCTL_SETALL 1538 format=arg1:[ipc]:[ipc_perm] 1539 comment=1, semaphore ID, "sem ID" 1540 note=ipc_perm 1541 syscall=semctl: SETALL 1542# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1543 1544label=AUE_SEMCTL_SETVAL 1545 format=arg1:[ipc]:[ipc_perm] 1546 comment=1, semaphore ID, "sem ID" 1547 note=ipc_perm 1548 syscall=semctl: SETVAL 1549# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1550 1551label=AUE_SEMCTL_STAT 1552 format=arg1:[ipc]:[ipc_perm] 1553 comment=1, semaphore ID, "sem ID" 1554 note=ipc_perm 1555 syscall=semctl: IPC_STAT 1556# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1557 1558label=AUE_SEMGET 1559 format=arg1:[ipc_perm]:ipc 1560 comment=1, semaphore key, "sem key" 1561 note=ipc_perm 1562 syscall=semget 1563# ipc_perm token: semget -> audit_ipcget 1564 1565label=AUE_SEMGETL 1566 skip=Not used. 1567 1568label=AUE_SEMOP 1569 format=arg1:[ipc]:[ipc_perm] 1570 comment=1, semaphore ID, "sem ID" 1571 note=ipc_perm 1572# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc 1573 1574label=AUE_SEMSYS 1575 skip=Not used.
(place holder) -- defaults to a semget variant 1576 1577label=AUE_SEND 1578 case=If address family is AF_INET or AF_INET6 1579 format=[arg]1:[inet] 1580 comment=1, file descriptor, "so" 1581 case=If address family is AF_UNIX and path is defined 1582 format=[path]1:[attr] 1583 comment=1, file descriptor, "so" 1584 case=If address family is AF_UNIX and path is NULL 1585 format=[path]1:[attr] 1586 comment=1, file descriptor, "no path: fd" 1587 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1588 format=[arg]1:[arg]2:[arg]3 1589 comment=1, file descriptor, "so": 1590 comment=1, family, "family": 1591 comment=1, type, "type" 1592# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) 1593 1594label=AUE_SENDMSG 1595 case=If invalid file descriptor 1596 format=arg1:arg2 1597 comment=1, file descriptor, "so": 1598 comment=3, flags, "flags" 1599 case=If valid file descriptor 1600 case=...and address family is AF_UNIX and path is defined 1601 format=path:attr 1602 case=...and address family is AF_UNIX and path is NULL 1603 format=path1:attr 1604 comment=1, file descriptor, "nopath: fd" 1605 case=...and address family is AF_INET or AF_INET6, \ 1606 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1607 format=arg1:arg2:inet 1608 comment=1, file descriptor, "so": 1609 comment=3, flags, "flags" 1610 case=...and unknown address family or address family AF_INET or AF_INET6 \ 1611 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1612 format=arg1:arg2:arg3:arg4 1613 comment=1, file descriptor, "so": 1614 comment=1, family, "family": 1615 comment=1, type, "type": 1616 comment=1, flags, "flags" 1617 1618label=AUE_SENDTO 1619 case=If invalid file descriptor 1620 format=arg1:arg2 1621 comment=1, file descriptor, "so": 1622 comment=3, flags, "flags" 1623 case=If valid file descriptor 1624 case=...and socket is AF_UNIX and path is defined 1625 format=path:attr 1626 case=...and address family is AF_UNIX and path is NULL 1627 format=path1:attr 1628 
comment=1, file descriptor, "nopath: fd" 1629 case=...and address family is AF_INET or AF_INET6 1630 format=arg1:arg2:inet 1631 comment=1, file descriptor, "so": 1632 comment=3, flags, "flags" 1633 case=...and unknown address family 1634 format=arg1:arg2:arg3:arg4 1635 comment=1, file descriptor, "so": 1636 comment=1, family, "family": 1637 comment=1, type, "type": 1638 comment=1, flags, "flags" 1639 1640label=AUE_SETAUDIT 1641 case=With a valid program stack address 1642 format=arg1:arg2:arg3:arg4:arg5:arg6 1643 comment=1, audit user ID, "setaudit:auid": 1644 comment=1, terminal ID, "setaudit:port": 1645 comment=1, terminal ID, "setaudit:machine": 1646 comment=1, preselection mask, "setaudit:as_success": 1647 comment=1, preselection mask, "setaudit:as_failure": 1648 comment=1, audit session ID, "setaudit:asid" 1649 case=With an invalid program stack address 1650 format=kernel 1651# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1652# argument,1,0x271a,setaudit:auid 1653# argument,1,0x3ff0201,setaudit:port 1654# argument,1,0x8192591e,setaudit:machine 1655# argument,1,0x400,setaudit:as_success 1656# argument,1,0x400,setaudit:as_failure 1657# argument,1,0x16f,setaudit:asid 1658# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1659# return,success,0 1660# trailer,215 1661# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1662# argument,1,0x271a,setaudit:auid 1663# argument,1,0x3ff0201,setaudit:port 1664# argument,1,0x8192591e,setaudit:machine 1665# argument,1,0x400,setaudit:as_success 1666# argument,1,0x400,setaudit:as_failure 1667# argument,1,0x16f,setaudit:asid 1668# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1669# return,success,0 1670# trailer,215 1671 1672label=AUE_SETAUDIT_ADDR 1673 case=With a valid program stack address 1674 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 1675 comment=1, audit user ID, "auid": 1676 comment=1, terminal ID, "port": 1677 comment=1, type, "type": 1678 
comment=1, terminal ID, "ip address": 1679 comment=1, preselection mask, "as_success": 1680 comment=1, preselection mask, "as_failure": 1681 comment=1, audit session ID, "asid" 1682 case=With an invalid program stack address 1683 format=kernel 1684# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1685# argument,1,0x15fa7,auid 1686# argument,1,0x0,port 1687# argument,1,0x4,type 1688# ip address,tmach2 1689# argument,1,0x9c00,as_success 1690# argument,1,0x9c00,as_failure 1691# argument,1,0x1f1,asid 1692# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1693# return,success,0 1694 1695label=AUE_SETAUID 1696 format=arg1 1697 comment=2, audit user ID, "setauid" 1698 1699label=AUE_SETDOMAINNAME 1700 skip=Not used. (See AUE_SYSINFO) 1701# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1702 1703label=AUE_SETEGID 1704 format=arg1 1705 comment=1, group ID, "gid" 1706 1707label=AUE_SETEUID 1708 format=arg1 1709 comment=1, user ID, "euid" 1710 1711label=AUE_SETGID 1712 format=arg1 1713 comment=1, group ID, "gid" 1714 1715label=AUE_SETGROUPS 1716 note=If more than NGROUPS_MAX_DEFAULT groups listed, 1717 note=no tokens are generated. 1718 case=If no groups in list 1719 format=[arg]1 1720 comment=1, 0, "setgroups" 1721 case=If 1 or more groups in list 1722 format=(1..n)arg1 1723 comment=1, gid, "setgroups" 1724 1725label=AUE_SETHOSTNAME 1726 skip=Not used. (See AUE_SYSINFO) 1727# See sysinfo call with command SI_SET_HOSTNAME 1728 1729label=AUE_SETKERNSTATE 1730 skip=Not used. 1731 1732label=AUE_SETPGID 1733 format=[proc]:[arg]1 1734 comment=2, pgid, "pgid" 1735 1736label=AUE_SETPGRP 1737 format=kernel 1738 1739label=AUE_SETPRIORITY 1740 skip=Not used. 
1741 1742label=AUE_SETPPRIV 1743 case=operation privileges off 1744 format=arg1:privset2 1745 comment=setppriv operation: 1746 comment=privileges actually switched off 1747 case=operation privileges on 1748 format=arg1:privset2 1749 comment=setppriv operation: 1750 comment=privileges actually switched on 1751 case=operation privileges set 1752 format=arg1:privset2:privset3 1753 comment=setppriv operation: 1754 comment=privileges before privset: 1755 comment=privileges after privset 1756#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1757#argument,2,0x2,op 1758#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1759#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1760#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1761#return,success,0 1762 1763label=AUE_SETREGID 1764 format=arg1:arg2 1765 comment=1, real group ID, "rgid": 1766 comment=2, effective group ID, "egid" 1767 1768label=AUE_SETREUID 1769 format=arg1:arg2 1770 comment=1, real user ID, "ruid": 1771 comment=2, effective user ID, "euid" 1772 1773label=AUE_SETRLIMIT 1774 format=kernel 1775# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1776# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1777# return,success,0 1778 1779label=AUE_SETSID 1780 format=kernel 1781 1782label=AUE_SETSOCKOPT 1783 case=Invalid file descriptor 1784 format=arg1:arg2 1785 comment=1, file descriptor, "so": 1786 comment=2, level, "level" 1787 case=Valid file descriptor 1788 case=...and socket is AF_UNIX 1789 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 1790 comment=if no path, will be argument: 1, "nopath: fd", \ 1791 file descriptor: 1792 comment=1, file descriptor, "so": 1793 comment=1, family, "family": 1794 comment=1, type, "type": 1795 comment=2, protocol level, "level": 1796 comment=3, option name, "optname": 1797 comment=5, option length, "optlen": 1798 comment=option data 1799 case=...and socket is AF_INET or AF_INET6
1800 format=arg1:arg2:arg3:[arg]4:[data]5:inet 1801 comment=1, file descriptor, "so": 1802 comment=2, protocol level, "level": 1803 comment=3, option name, "optname": 1804 comment=5, option length, "optlen": 1805 comment=option data 1806 case=...and socket address family is unknown 1807 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 1808 comment=1, file descriptor, "so": 1809 comment=1, family, "family": 1810 comment=1, type, "type": 1811 comment=2, protocol level, "level": 1812 comment=3, option name, "optname": 1813 comment=5, option length, "optlen": 1814 comment=option data 1815 1816label=AUE_SETTIMEOFDAY 1817 skip=Not used. 1818 1819label=AUE_SETUID 1820 syscall=setuid 1821 format=arg1 1822 comment=1, "uid" to be set 1823 1824label=AUE_SETUSERAUDIT 1825 skip=Not used. 1826 1827label=AUE_SHMAT 1828 format=arg1:arg2:[ipc]:[ipc_perm] 1829 comment=1, shared memory ID, "shm ID": 1830 comment=2, shared mem addr, "shm addr" 1831 note=ipc_perm 1832# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc 1833 1834label=AUE_SHMCTL 1835 format=arg1:[ipc]:[ipc_perm] 1836 comment=1, shared memory ID, "shm ID" 1837 note=ipc_perm 1838# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1839 1840label=AUE_SHMCTL_RMID 1841 format=arg1:[ipc]:[ipc_perm] 1842 comment=1, shared memory ID, "shm ID" 1843 note=ipc_perm 1844 syscall=shmctl: IPC_RMID 1845# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1846 1847label=AUE_SHMCTL_SET 1848 format=arg1:[ipc]:[ipc_perm] 1849 comment=1, shared memory ID, "shm ID" 1850 note=ipc_perm 1851 syscall=shmctl: IPC_SET 1852# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1853 1854label=AUE_SHMCTL_STAT 1855 format=arg1:[ipc]:[ipc_perm] 1856 comment=1, shared memory ID, "shm ID" 1857 note=ipc_perm 1858 syscall=shmctl: IPC_STAT 1859# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1860 1861label=AUE_SHMDT 1862 format=arg1 1863 comment=1, shared memory address, "shm adr" 1864 1865label=AUE_SHMGET 1866
format=arg1:[ipc_perm]:[ipc] 1867 comment=0, shared memory key, "shm key" 1868 note=ipc_perm 1869# ipc_perm: shmget -> audit_ipcget 1870 1871label=AUE_SHMGETL 1872 skip=Not used. 1873 1874label=AUE_SHMSYS 1875 skip=Not used. (Placeholder for shmget and shmctl*) 1876 1877label=AUE_SHUTDOWN 1878 case=If the socket address is invalid 1879 format=[arg]1:[text]2:[text]3 1880 comment=1, file descriptor, "fd": 1881 comment=bad socket address: 1882 comment=bad peer address 1883 case=If the socket address is part of the AF_INET family 1884 case=..with zero file descriptor 1885 format=arg1:[arg]2:[arg]3:[arg]4 1886 comment=1, file descriptor, "so": 1887 comment=1, family, "family": 1888 comment=1, type, "type": 1889 comment=2, how shutdown code, "how" 1890 case=...with non-zero file descriptor 1891 format=arg1:arg2:inet 1892 comment=1, file descriptor, "so": 1893 comment=2, how shutdown code, "how" 1894 case=If the socket address is AF_UNIX 1895 case=...with zero file descriptor 1896 format=path1:arg2:[arg]3:[arg]4:[arg]5 1897 comment=If error: argument: \ 1898 1, "no path: fd", file descriptor: 1899 comment=1, file descriptor, "so": 1900 comment=1, family, "family": 1901 comment=1, type, "type": 1902 comment=2, how shutdown code, "how" 1903 case=...with non-zero file descriptor 1904 format=path1:arg2:arg3:inet 1905 comment=If error: argument: \ 1906 1, file descriptor, "no path: fd": 1907 comment=1, file descriptor, "so": 1908 comment=2, how shutdown code, "how" 1909#old BSM manual wrong; used audit_event.c 1910 1911label=AUE_SOCKACCEPT 1912 syscall=getmsg: socket accept 1913 format=inet:arg1:[path]:attr:arg2 1914 comment=1, file descriptor, "fd": 1915 comment=4, priority, "pri" 1916# see putmsg and getmsg for record format 1917# See audit.c for inet token and audit_start.c for other reference 1918 1919label=AUE_SOCKCONFIG 1920 format=arg1:arg2:arg3:[path]4 1921 comment=1, domain address, "domain": 1922 comment=2, type, "type": 1923 comment=3, protocol, "protocol": 1924 
comment=If no path:argument -- 3, 0, "devpath" 1925 1926label=AUE_SOCKCONNECT 1927 syscall=putmsg: socket connect 1928 format=inet:arg1:[path]:attr:arg2 1929 comment=1, file descriptor, "fd": 1930 comment=4, priority, "pri" 1931# same as AUE_SOCKACCEPT 1932 1933label=AUE_SOCKET 1934 format=arg1:[arg]2:arg3 1935 comment=1, socket domain, "domain": 1936 comment=2, socket type, "type": 1937 comment=3, socket protocol, "protocol" 1938 1939label=AUE_SOCKETPAIR 1940 skip=Not used. 1941# unreferenced 1942 1943label=AUE_SOCKRECEIVE 1944 syscall=getmsg 1945 format=inet:arg1:[path]:attr:arg2 1946 comment=1, file descriptor, "fd": 1947 comment=4, priority, "pri" 1948# see AUE_SOCKACCEPT 1949 1950label=AUE_SOCKSEND 1951syscall=putmsg 1952 format=inet:arg1:[path]:attr:arg2 1953 comment=1, file descriptor, "fd": 1954 comment=4, priority, "pri" 1955# see AUE_SOCKACCEPT 1956 1957label=AUE_STAT 1958 format=path:[attr] 1959 1960label=AUE_STATFS 1961 format=path:[attr] 1962 1963label=AUE_STATVFS 1964 format=path:[attr] 1965 1966label=AUE_STIME 1967 format=kernel 1968 1969label=AUE_SWAPON 1970 skip=Not used. 1971 1972label=AUE_SYMLINK 1973 format=path:text1:[attr] 1974 comment=symbolic link string 1975 1976label=AUE_SYSINFO 1977 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands 1978 note=are currently audited. 1979 format=arg1:[text]2 1980 comment=1, command, "cmd": 1981 comment=name 1982 1983label=AUE_SYSTEMBOOT 1984 title=system booted 1985 syscall=none 1986 format=head:text1 1987 comment="booting kernel" 1988# see audit_start.c and audit_io.c 1989# no subject or return / exit token 1990# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec 1991# text,booting kernel 1992 1993label=AUE_TRUNCATE 1994 skip=Not used. 1995 1996label=AUE_UMOUNT 1997 syscall=umount: old version 1998 note=Implemented as call of the newer umount2(2). 
1999 format=path:arg1:[path]:[attr] 2000 comment=2, mflag value = 0, "flags" 2001 2002label=AUE_UMOUNT2 2003 syscall=umount2 2004 format=path:arg1:[path]:[attr] 2005 comment=2, mflag value, "flags" 2006 2007label=AUE_UNLINK 2008 format=path:[attr] 2009 2010label=AUE_UNLINKAT 2011# obsolete 2012 see=unlinkat(2) 2013 format=path:[attr] 2014 2015label=AUE_UNMOUNT 2016 skip=Not used. 2017 2018label=AUE_UTIME 2019# obsolete 2020 format=path:[attr] 2021 2022label=AUE_UTIMES 2023 see=futimens(2) 2024 format=path:[attr] 2025 2026label=AUE_VFORK 2027 format=arg1 2028 comment=0, pid, "child PID" 2029 note=The vfork(2) return values are undefined because the audit record is 2030 note=produced at the point that the child process is spawned. 2031 2032label=AUE_VPIXSYS 2033 skip=Not used. 2034 2035label=AUE_VTRACE 2036 skip=Not used. 2037 2038label=AUE_WRITE 2039 format=path1:attr 2040 comment=if no path, argument -- 1, file descriptor, "no path: fd" 2041 note=An audit record is generated for write only once per file close. 2042 2043label=AUE_WRITEV 2044 skip=Not used. (obsolete) 2045 2046label=AUE_XMKNOD 2047# obsolete 2048 skip=Not used. 2049 2050label=AUE_XSTAT 2051# obsolete 2052 skip=Not Used.
2053 2054label=AUE_PF_POLICY_ADDRULE 2055 title=Add IPsec policy rule 2056 see= 2057 syscall=none 2058 format=arg1:arg2:[zone]3:[text]4 2059 comment=Operation applied to active policy (1 is active, 0 is inactive): 2060 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2061 comment=affected zone: 2062 comment=Name of target tunnel 2063 2064label=AUE_PF_POLICY_DELRULE 2065 title=Delete IPsec policy rule 2066 see= 2067 syscall=none 2068 format=arg1:arg2:[zone]3:[text]4 2069 comment=Operation applied to active policy (1 is active, 0 is inactive): 2070 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2071 comment=affected zone: 2072 comment=Name of target tunnel 2073 2074label=AUE_PF_POLICY_CLONE 2075 title=Clone IPsec policy 2076 see= 2077 syscall=none 2078 format=arg1:arg2:[zone]3:[text]4 2079 comment=Operation applied to active policy (1 is active, 0 is inactive): 2080 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2081 comment=affected zone: 2082 comment=Name of target tunnel 2083 2084label=AUE_PF_POLICY_FLIP 2085 title=Flip IPsec policy 2086 see= 2087 syscall=none 2088 format=arg1:arg2:[zone]3:[text]4 2089 comment=Operation applied to active policy (1 is active, 0 is inactive): 2090 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2091 comment=affected zone: 2092 comment=Name of target tunnel 2093 2094label=AUE_PF_POLICY_FLUSH 2095 title=Flush IPsec policy rules 2096 see= 2097 syscall=none 2098 format=arg1:arg2:[zone]3:[text]4 2099 comment=Operation applied to active policy (1 is active, 0 is inactive): 2100 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2101 comment=affected zone: 2102 comment=Name of target tunnel 2103 2104label=AUE_PF_POLICY_ALGS 2105 title=Update IPsec algorithms 2106 see= 2107 syscall=none 2108 format=arg1:arg2:[zone]3:[text]4 2109 comment=Operation applied to active policy (1 is active, 0 is inactive): 2110 comment=Operation applied
to global policy (1 is global, 0 is tunnel): 2111 comment=affected zone: 2112 comment=Name of target tunnel 2113 2114label=AUE_allocate_fail 2115 program=/usr/sbin/allocate 2116 title=allocate: allocate-device failure 2117 format=(0..n)[text]1 2118 comment=command line arguments 2119# see audit_allocate.c 2120 2121label=AUE_allocate_succ 2122 program=/usr/sbin/allocate 2123 title=allocate: allocate-device success 2124 format=(0..n)[text]1 2125 comment=command line arguments 2126# see audit_allocate.c 2127 2128label=AUE_at_create 2129 program=/usr/bin/at 2130 title=at: at-create crontab 2131 format=path 2132 2133label=AUE_at_delete 2134 program=/usr/bin/at 2135 title=at: at-delete atjob (at or atrm) 2136 format=text1:path 2137 comment="ancillary file:" filename or "bad format of at-job name" 2138 2139label=AUE_at_perm 2140 skip=Not used. 2141# not referenced outside uevents.h 2142 2143label=AUE_create_user 2144 skip=Not used. 2145 2146label=AUE_cron_invoke 2147 program=/usr/sbin/cron 2148 title=cron: cron-invoke at or cron 2149 case=If issue with account find 2150 format=text1 2151 comment="bad user" name or "user <name> account expired" 2152 case=else 2153 format=text1:text2 2154 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \ 2155 or "unknown job type (<job_type_id>)": 2156 comment=command 2157 2158label=AUE_crontab_create 2159 program=/usr/bin/crontab 2160 title=crontab: crontab created 2161 format=path 2162# See audit_crontab.c 2163 2164label=AUE_crontab_delete 2165 program=/usr/bin/crontab 2166 title=crontab: crontab delete 2167 format=path 2168# See audit_crontab.c 2169 2170label=AUE_crontab_mod 2171 program=/usr/bin/crontab 2172 title=crontab: crontab modify 2173 format=path 2174# See audit_crontab.c 2175 2176label=AUE_crontab_perm 2177 skip=Not used. 
2178 2179label=AUE_deallocate_fail 2180 program=/usr/sbin/deallocate 2181 title=deallocate-device failure 2182 format=(0..n)[text]1 2183 comment=command line arguments 2184# See audit_allocate.c 2185 2186label=AUE_deallocate_succ 2187 program=/usr/sbin/deallocate 2188 title=deallocate-device success 2189 format=(0..n)[text]1 2190 comment=command line arguments 2191# See audit_allocate.c 2192 2193label=AUE_delete_user 2194 skip=Not used. 2195 2196label=AUE_disable_user 2197 skip=Not used. 2198 2199label=AUE_enable_user 2200 skip=Not used. 2201 2202label=AUE_ftpd 2203 program=/usr/sbin/in.ftpd 2204 title=in.ftpd 2205 format=[text]1 2206 comment=error message 2207# See audit_ftpd 2208 2209label=AUE_ftpd_logout 2210 program=/usr/sbin/in.ftpd 2211 title=in.ftpd 2212 format=user 2213# See audit_ftpd 2214 2215label=AUE_halt_solaris 2216 program=/usr/sbin/halt 2217 title=halt 2218 format=user 2219# See audit_halt.c 2220 2221label=AUE_kadmind_auth 2222 format=text1:text2:text3 2223 comment=Op: <requested information>: 2224 comment=Arg: <argument for Op>: 2225 comment=Client: <client principal name> 2226# See audit_kadmin.c / common_audit() 2227 2228label=AUE_kadmind_unauth 2229 format=text1:text2:text3 2230 comment=Op: <requested information>: 2231 comment=Arg: <argument for Op>: 2232 comment=Client: <client principal name> 2233# See audit_kadmin.c / common_audit() 2234 2235label=AUE_krb5kdc_as_req 2236 format=text1:text2 2237 comment=Client: <client principal name>: 2238 comment=Service: <requested service name> 2239# See audit_krb5kdc.c / common_audit() 2240 2241label=AUE_krb5kdc_tgs_req 2242 format=text1:text2 2243 comment=Client: <client principal name>: 2244 comment=Service: <requested service name> 2245# See audit_krb5kdc.c / common_audit() 2246 2247label=AUE_krb5kdc_tgs_req_alt_tgt 2248 format=text1:text2 2249 comment=Client: <client principal name>: 2250 comment=Service: <requested service name> 2251# See audit_krb5kdc.c / common_audit() 2252 
2253label=AUE_krb5kdc_tgs_req_2ndtktmm 2254 format=text1:text2 2255 comment=Client: <client principal name>: 2256 comment=Service: <requested service name> 2257# See audit_krb5kdc.c / common_audit() 2258 2259label=AUE_listdevice_fail 2260 title=allocate-list devices failure 2261 program=/usr/sbin/allocate 2262 format=(0..n)[text]1 2263 comment=command line arguments 2264# See audit_allocate.c 2265 2266label=AUE_listdevice_succ 2267 title=allocate-list devices success 2268 program=/usr/sbin/allocate 2269 format=(0..n)[text]1 2270 comment=command line arguments 2271# See audit_allocate.c 2272 2273label=AUE_modify_user 2274 skip=Not used. 2275 2276label=AUE_mountd_mount 2277 title=mountd: NFS mount 2278 program=/usr/lib/nfs/mountd 2279 see=mountd(1M) 2280 format=text1:path2 2281 comment=remote client hostname: 2282 comment=mount dir 2283# See audit_mountd.c 2284 2285label=AUE_mountd_umount 2286 title=mountd: NFS unmount 2287 program=/usr/lib/nfs/mountd 2288 format=text1:path2 2289 comment=remote client hostname: 2290 comment=mount dir 2291# See audit_mountd.c 2292 2293label=AUE_poweroff_solaris 2294 program=/usr/sbin/poweroff 2295 title=poweroff 2296 format=user 2297# See audit_halt.c 2298 2299label=AUE_reboot_solaris 2300 program=/usr/sbin/reboot 2301 title=reboot 2302 format=user 2303# See audit_reboot.c 2304# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec 2305# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2 2306# return,success,0 2307 2308label=AUE_rexd 2309 program=/usr/sbin/rpc.rexd 2310 title=rpc.rexd 2311 format=[text]1:text2:text3:[text]4:[text]5 2312 comment=error message (failure only): 2313 comment="Remote execution requested by:" hostname: 2314 comment="Username:" username: 2315 comment="User id:" user ID (failure only): 2316 comment="Command line:" command attempted 2317# See audit_rexd.c 2318 2319label=AUE_rexecd 2320 program=/usr/sbin/rpc.rexecd 2321 title=rpc.rexecd 2322 format=[text]1:text2:text3:text4 2323 comment=error 
message (failure only): 2324 comment="Remote execution requested by:" hostname: 2325 comment="Username:" username: 2326 comment="Command line:" command attempted 2327# See audit_rexecd.c 2328 2329label=AUE_rshd 2330 program=/usr/sbin/in.rshd 2331 title=in.rshd 2332 format=text1:text2:[text]3:[text]4 2333 comment="cmd" command: 2334 comment="remote user" remote user: 2335 comment="local user" local user: 2336 comment=failure message 2337# See audit_rshd.c 2338 2339label=AUE_shutdown_solaris 2340 title=shutdown 2341 program=/usr/ucb/shutdown 2342 format=user 2343# See audit_shutdown.c 2344 2345label=AUE_smserverd 2346 program=/usr/lib/smedia/rpc.smserverd 2347 format=[text]1:[text]2 2348 comment=state change: 2349 comment=vid, pid, major/minor device 2350# see usr/src/cmd/smserverd 2351# code shows a third token, path, but it isn't implemented. 2352 2353label=AUE_uadmin_solaris 2354 title=uadmin (obsolete) 2355 program= 2356 see= 2357 format=text1:text2 2358 comment=function code: 2359 comment=argument code 2360# not used. 
Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml 2361 2362label=AUE_LABELSYS_TNRH 2363 title=config Trusted Network remote host cache 2364 see=tnrh(2) 2365 syscall=labelsys: TSOL_TNRH 2366 case=With the flush command (cmd=3) 2367 format=arg1 2368 comment=1, command, "cmd" 2369 case=With the load (cmd=1) and delete (cmd=2) commands 2370 format=arg1:inaddr2:arg3 2371 comment=1, command, "cmd": 2372 comment=ip address of host: 2373 comment=2, prefix length, "prefix len" 2374 2375label=AUE_LABELSYS_TNRHTP 2376 title=config Trusted Network remote host template 2377 see=tnrhtp(2) 2378 syscall=labelsys: TSOL_TNRHTP 2379 case=With the flush command (cmd=3) 2380 format=arg1 2381 comment=1, command, "cmd" 2382 case=With the load (cmd=1) and delete (cmd=2) commands 2383 format=arg1:text2 2384 comment=1, command, "cmd": 2385 comment=name of template 2386 2387label=AUE_LABELSYS_TNMLP 2388 title=config Trusted Network multi-level port entry 2389 see=tnmlp(2) 2390 syscall=labelsys: TSOL_TNMLP 2391 case=With the flush command (cmd=3) 2392 format=arg1:text2 2393 comment=1, command, "cmd": 2394 comment="shared", or name of zone 2395 case=With the load (cmd=1) and delete (cmd=2) commands 2396 format=arg1:text2:arg3:arg4:[arg]5 2397 comment=1, command, "cmd": 2398 comment="shared", or name of zone: 2399 comment=2, protocol number, "proto num": 2400 comment=2, starting mlp port number, "mlp_port": 2401 comment=2, ending mlp port number, "mlp_port_upper" 2402