1# audit_record_attr.txt
2# Lines starting with two "#" are comments that are copied to
3# audit_record_attr; other comments are removed.
4##
5## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6## Copyright 2019 Joyent, Inc.
7##
8## CDDL HEADER START
9##
10## The contents of this file are subject to the terms of the
11## Common Development and Distribution License (the "License").
12## You may not use this file except in compliance with the License.
13##
14## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15## or http://www.opensolaris.org/os/licensing.
16## See the License for the specific language governing permissions
17## and limitations under the License.
18##
19## When distributing Covered Code, include this CDDL HEADER in each
20## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21## If applicable, add the following below this CDDL HEADER, with the
22## fields enclosed by brackets "[]" replaced with your own identifying
23## information: Portions Copyright [yyyy] [name of copyright owner]
24##
25## CDDL HEADER END
26##
27##
28
29# source file for describing audit records.
30
31# This file is in two sections.  The first is a list of attribute /
32# value pairs used to provide short cuts in annotating the audit
33# records.  The second is for annotation for each audit record.
34
35# first section: general attributes
36
37# skipClass=<class name of items to skip if only in that class>
38# skipClass=no    # uncomment to filter unused events
39
40# token name abbreviations
41# token=alias:fullname  -- short names for key tokens
42
43token=arg:argument
44token=attr:attribute
45token=acl:acl_entry
46token=cmd:command
47token=data:data
48token=exec_args:exec_arguments
49token=exec_env:exec_environment
50token=group:group
51token=inaddr:ip_addr
52token=inet:socket
53token=ipc:ipc
54token=ipc_perm:ipc_perm
55token=newgroup:newgroups
56token=path:path
57token=path_attr:attribute_path
58token=privset:privilege
59token=proc:process
60token=text:text
61token=tid:terminal_adr
62token=uauth:use_of_authorization
63token=upriv:use_of_privilege
64token=user:user_object
65token=zone:zonename
66token=fmri:service_instance
67token=label:mandatory_label
68
69token=head:header
70token=subj:subject
71token=ret:return
72token=exit:exit
73
74# note names -- certain notes show up repeatedly; collected here
75#
76# To keep the maximum line length below 80 characters, the note
77# names (message=) can be defined over multiple lines, with each line
78# except the last one ending in a backslash character.
79
80message=ipc_perm:The ipc and ipc_perm tokens are not included if \
81  the message ID is not valid.
82
83
84# basic record pattern ("insert" is where event-specific tokens
85# are listed.)
86
87kernel=head:insert:subj:[upriv]:ret
88user=head:subj:insert:ret
89
90# Second Section
91# Annotation Section
92#
93# Most audit records need annotation beyond what is provided by
94# the files audit_event and audit_class.  At a minimum, a record
95# is represented by a label and a format.
96#
97# label=record_id             like AUE_ACCEPT
98# format=token_alias
99#
100# there is no end line; a new label= ends the preceding definition
101# and starts the next.
102#
103# format values are a list of token names, separated by colons.  The
104# name is either one of the values described above (token=) or is
105# a value to be taken literally.  If a token name ends with a digit,
106# the digit is an index into an array of comments.  In the few cases
107# where there are no tokens (other than header, subject, return/exit),
108# use "format=kernel" or "format=user".
109#
110# comment is an array of strings separated by colons.  If comments
111# are listed on separate lines (recommended due to better
112# readability/sustainability of the file), the preceding comment
113# must end with a colon.  The array starts at 1. (If the comment
114# contains a colon, use "&colon;" without the quotes.)
115#
116# case is used to generate alternate descriptions for a given
117# record.
118#
119# Constraints - string length.  Bear in mind that any annotation of the
120# primitives below that is longer than specified is silently truncated
121# to the defined number of characters at auditrecord(1M) run time:
122#
123#     primitive <= max (non-truncated) string length
124#	case	<= unlimited; if necessary, text continues on a new line
125#	comment	<= unlimited; if necessary, text continues on a new line
126#	label	<= 43
127#	note	<= unlimited; if necessary, text continues on a new line
128#	program	<= 20
129#	see	<= 39
130#	syscall	<= 20
131#	title	<= 46
132#	token	<= 28 (full name)
133#
134# To keep the maximum line length below 80 characters, the unlimited
135# primitives can be defined over multiple lines, with each line except the
136# last one ending in a backslash character. In addition, the "format="
137# record attribute follows the same rule.
138#
139#
140# AUE_ACCEPT illustrates the use of all the above.  Note that
141# case is not nested; ellipsis (...) is used to give the effect
142# of nesting.
143
144label=AUE_ACCEPT
145#accept(2) failure
146  case=Invalid socket file descriptor
147    format=arg1
148      comment=1, file descriptor, "so"
149#accept(2) non SOCK_STREAM socket
150  case=If the socket address is not part of the AF_INET family
151    format=arg1:arg2:arg3
152      comment=1, "so", file descriptor:
153      comment="family", so_family:
154      comment="type", so_type
155  case=If the socket address is part of the AF_INET family
156    case=...If there is no vnode for this file descriptor
157      format=[arg]1
158        comment=1, file descriptor, "Bad so"
159#accept(2) SOCK_STREAM socket-not bound
160    case=...or if the socket is not bound
161      format=[arg]1:[inet]2
162        comment=1, file descriptor, "so":
163        comment=local/foreign address (0.0.0.0)
164    case=...or if the socket address length = 0
165      format=[arg]1:[inet]2
166        comment=1, file descriptor, "so":
167        comment=local/foreign address (0.0.0.0)
168    case=...or for all other conditions
169      format=inet1:[inet]1
170        comment=socket address
171#accept(2) failure
172#	header
173#	au_to_arg32	"so",file descriptor
174#	subject
175#	return	<errno != 0>
176#
177#accept(2) non SOCK_STREAM socket
178#	header
179#	au_to_arg32	"so", file descriptor
180#	au_to_arg32	"family", so_family
181#	au_to_arg32	"type", so_type
182#	subject
183#	return success
184#
185#accept(2) SOCK_STREAM socket-not bound
186#	header
187#	au_to_arg32	"so", file descriptor
188#	au_to_socket_ex	local/foreign address (0.0.0.0)
189#	subject
190#	return success
191#
192#accept(2) SOCK_STREAM socket-bound
193#	header
194#	au_to_arg32	"so", file descriptor
195#	au_to_socket_ex
196#	subject
197#	return success
198
199
200
201label=AUE_ACCESS
202  format=path1:[attr]
203    comment=may be truncated in failure case
204#	header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
205#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
206#	attribute,100777,41416,staff,8388608,402255,0
207#	subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
208#	return,success,0
209#	trailer,163
210#
211#	header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
212#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
213#	attribute,100000,root,other,8388608,402257,0
214#	subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
215#	return,failure: Permission denied,-1
216#	trailer,163
217#
218#	header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
219#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
220#	subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
221#	return,failure: No such file or directory,-1
222#	trailer,135
223
224label=AUE_ACCT
225  case=Zero path
226    format=arg1
227      comment=1, 0, "accounting off"
228  case=Non-zero path
229    format=path1:[attr]2
230      comment=may be truncated in failure case:
231      comment=omitted if failure
232
233label=AUE_ACLSET
234  syscall=acl
235  format=arg1:arg2:(0..n)[acl]3
236    comment=2, SETACL, "cmd":
237    comment=3, number of ACL entries, "nentries":
238    comment=Access Control List entries
239
240label=AUE_ADJTIME
241  format=kernel
242
243label=AUE_ASYNC_DAEMON
244  skip=Not used
245
246label=AUE_ASYNC_DAEMON_EXIT
247  skip=Not used
248
249label=AUE_AUDIT
250  skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)
251
252label=AUE_AUDITON
253  skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)
254
255label=AUE_AUDITON_GESTATE
256  skip=Not used
257
258label=AUE_AUDITON_GETAMASK
259  format=kernel
260  syscall=auditon: GETAMASK
261
262label=AUE_AUDITON_GETCAR
263  format=kernel
264  syscall=auditon: GETCAR
265#	header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
266#	subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
267#	return,success,0
268#	trailer,68
269
270label=AUE_AUDITON_GETCLASS
271  format=kernel
272  syscall=auditon: GETCLASS
273#	header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
274#	subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
275#	return,success,0
276#	trailer,68
277
278label=AUE_AUDITON_GETCOND
279  format=kernel
280  syscall=auditon: GETCOND
281#	header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
282#	subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
283#	return,success,0
284#	trailer,68
285
286label=AUE_AUDITON_GETCWD
287  format=kernel
288  syscall=auditon: GETCWD
289#	header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
290#	subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
291#	return,success,0
292#	trailer,68
293
294label=AUE_AUDITON_GETKMASK
295  format=kernel
296  syscall=auditon: GETKMASK
297#	header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
298#	subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
299#	return,success,0
300#	trailer,68
301
302label=AUE_AUDITON_GETSTAT
303  format=kernel
304  syscall=auditon: A_GETSTAT
305#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
306#	subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
307#	return,success,0
308#	trailer,68
309
310label=AUE_AUDITON_GPOLICY
311  format=kernel
312  syscall=auditon: GPOLICY
313#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
314#	subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
315#	return,success,0
316#	trailer,68
317
318label=AUE_AUDITON_GQCTRL
319  format=kernel
320  syscall=auditon: GQCTRL
321#	header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
322#	subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
323#	return,success,0
324#	trailer,68
325
326
327label=AUE_AUDITON_GTERMID
328  skip=Not used.
329
330label=AUE_AUDITON_SESTATE
331  skip=Not used.
332
333label=AUE_AUDITON_SETAMASK
334  format=[arg]1:[arg]2
335    comment=2, "setamask as_success", user default audit preselection mask:
336    comment=2, "setamask as_failure", user default audit preselection mask
337  syscall=auditon: SETAMASK
338
339label=AUE_AUDITON_SETCLASS
340  format=[arg]1:[arg]2
341    comment=2, "setclass&colon;ec_event", event number:
342    comment=3, "setclass&colon;ec_class", class mask
343  syscall=auditon: SETCLASS
344#	header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
345#	argument,2,0x0,setclass:ec_event
346#	argument,3,0x0,setclass:ec_class
347#	subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
348#	return,success,0
349#	trailer,120
350
351label=AUE_AUDITON_SETCOND
352  format=[arg]1
353    comment=3, "setcond", audit state
354  syscall=auditon: SETCOND
355
356label=AUE_AUDITON_SETKMASK
# Record for auditon(2) SETKMASK: two optional argument tokens carrying the
# success and failure halves of the kernel non-attributable mask.
# NOTE(review): the comment strings below read "setkmask as_success" /
# "setkmask as_failure", while the sample records show the token text as
# "setkmask:as_success" / "setkmask:as_failure" (the SETSMASK entry spells the
# colon as &colon;) -- confirm which text is emitted before matching on it.
357  format=[arg]1:[arg]2
358    comment=2, "setkmask as_success", kernel non-attributable mask:
359    comment=2, "setkmask as_failure", kernel non-attributable mask
360  syscall=auditon: SETKMASK
361#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
362#	argument,2,0x0,setkmask:as_success
363#	argument,2,0x0,setkmask:as_failure
364#	subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
365#	return,success,0
366#	trailer,124
367#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
368#	argument,2,0x0,setkmask:as_success
369#	argument,2,0x0,setkmask:as_failure
370#	subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
371#	return,failure: Not owner,-1
372#	trailer,124
373
374label=AUE_AUDITON_SETSMASK
375  format=[arg]1:[arg]2
376    comment=3, "setsmask&colon;as_success", session ID mask:
377    comment=3, "setsmask&colon;as_failure", session ID mask
378  syscall=auditon: SETSMASK
379#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
380#	argument,3,0x400,setsmask:as_success
381#	argument,3,0x400,setsmask:as_failure
382#	subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
383#	return,success,0
384#	trailer,124
385#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
386#	argument,3,0x400,setsmask:as_success
387#	argument,3,0x400,setsmask:as_failure
388#	subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
389#	return,failure: Not owner,-1
390#	trailer,124
391
392label=AUE_AUDITON_SETSTAT
393  format=kernel
394  syscall=auditon: SETSTAT
395#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
396#	subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
397#	return,success,0
398#	trailer,68
399#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
400#	subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
401#	return,failure: Not owner,-1
402#	trailer,68
403
404label=AUE_AUDITON_SETUMASK
405  format=[arg]1:[arg]2
406    comment=3, "setumask&colon;as_success", audit ID mask:
407    comment=3, "setumask&colon;as_failure", audit ID mask
408  syscall=auditon: SETUMASK
409#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
410#	argument,3,0x400,setumask:as_success
411#	argument,3,0x400,setumask:as_failure
412#	subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
413#	return,success,0
414#	trailer,124
415#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
416#	argument,3,0x400,setumask:as_success
417#	argument,3,0x400,setumask:as_failure
418#	subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
419#	return,failure: Not owner,-1
420#	trailer,124
421
422label=AUE_AUDITON_SPOLICY
# Record for auditon(2) SPOLICY: one optional argument token carrying the
# audit policy flags being set.
# NOTE(review): the comment below gives argument number 1, but both sample
# records show the "setpolicy" argument token with number 3 -- confirm which
# is right before relying on the number when matching records.
423  format=[arg]1
424    comment=1, audit policy flags, "setpolicy"
425  syscall=auditon: SPOLICY
426#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
427#	argument,3,0x200,setpolicy
428#	subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
429#	return,success,0
430#	trailer,86
431#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
432#	argument,3,0x200,setpolicy
433#	subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
434#	return,failure: Not owner,-1
435#	trailer,86
436
437label=AUE_AUDITON_SQCTRL
438  format=[arg]1:[arg]2:[arg]3:[arg]4
439    comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
440    comment=3, "setqctrl&colon;aq_lowater", queue control param.:
441    comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
442    comment=3, "setqctrl&colon;aq_delay", queue control param.
443  syscall=auditon: SQCTRL
444#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
445#	argument,3,0x64,setqctrl:aq_hiwater
446#	argument,3,0xa,setqctrl:aq_lowater
447#	argument,3,0x400,setqctrl:aq_bufsz
448#	argument,3,0x14,setqctrl:aq_delay
449#	subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
450#	return,success,0
451#	trailer,176
452#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
453#	argument,3,0x64,setqctrl:aq_hiwater
454#	argument,3,0xa,setqctrl:aq_lowater
455#	argument,3,0x400,setqctrl:aq_bufsz
456#	argument,3,0x14,setqctrl:aq_delay
457#	subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
458#	return,failure: Not owner,-1
459#	trailer,176
460
461label=AUE_AUDITON_STERMID
462  skip=Not used.
463
464label=AUE_AUDITSTAT
465  skip=Not used.
466
467label=AUE_AUDITSVC
468  skip=Not used.
469
470label=AUE_AUDITSYS
471  skip=Not used. (Place holder for various auditing events.)
472
473label=AUE_BIND
474# differs from documented version.
475# cases "no vnode" not fully confirmed
476# family and type need argument number
477  case=Invalid socket handle
478    format=arg1
479      comment=1, file descriptor, "so"
480  case=If there is no vnode for this file descriptor
481  case=or if the socket is not of the AF_INET family
482    format=arg1:arg2:arg3
483      comment=1, file descriptor, "so":
484      comment=1, socket family, "family":
485      comment=1, socket type, "type"
486  case=or for all other conditions
487    format=arg1:inet2
488      comment=1, file descriptor, "so":
489      comment=socket address
490
491label=AUE_BRANDSYS
492# generic mechanism to allow user-space and kernel components of a brand
493# to communicate.  The interpretation of the arguments to the call is
494# left entirely up to the brand.
495  format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
496    comment=1, command, "cmd":
497    comment=2, command args, "arg":
498    comment=3, command args, "arg":
499    comment=4, command args, "arg":
500    comment=5, command args, "arg":
501    comment=6, command args, "arg":
502    comment=7, command args, "arg"
503
504label=AUE_BSMSYS
505  skip=Not used.
506
507label=AUE_CHDIR
508  format=path:[attr]
509#	header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
510#	path,/export/home/CC_final/icenine/arv/chdir/obj_succ
511#	attribute,40777,root,other,8388608,231558,0
512#	subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
513#	return,success,0
514#	trailer,151
515#	header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
516#	path,/export/home/CC_final/icenine/arv/chdir/obj_fail
517#	attribute,40000,root,other,8388608,237646,0
518#	subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
519#	return,failure: Permission denied,-1
520#	trailer,151
521
522label=AUE_CHMOD
523  format=arg1:path:[attr]
524    comment=2, mode, "new file mode"
525#	header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
526#	argument,2,0x1f8,new file mode
527#	path,/export/home/CC_final/icenine/arv/chmod/obj_succ
528#	attribute,100770,tuser10,other,8388608,243608,0
529#	subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
530#	return,success,0
531#	trailer,173
532#	header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
533#	argument,2,0x1f8,new file mode
534#	path,/export/home/CC_final/icenine/arv/chmod/obj_fail
535#	attribute,100600,root,other,8388608,243609,0
536#	subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
537#	return,failure: Not owner,-1
538#	trailer,173
539
540label=AUE_CHOWN
# Record for chown(2): argument tokens for the new file uid and gid.
# NOTE(review): format lists only the two argument tokens, yet both sample
# records below also carry path and attribute tokens (as the AUE_CHMOD entry
# declares with path:[attr]) -- confirm whether path:[attr] is missing here.
541  format=arg1:arg2
542    comment=2, uid, "new file uid":
543    comment=3, gid, "new file gid"
544#	header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
545#	argument,2,0x271a,new file uid
546#	argument,3,0xffffffff,new file gid
547#	path,/export/home/CC_final/icenine/arv/chown/obj_succ
548#	attribute,100644,tuser10,other,8388608,268406,0
549#	subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
550#	return,success,0
551#	trailer,193
552#	header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
553#	argument,2,0x271a,new file uid
554#	argument,3,0xffffffff,new file gid
555#	path,/export/home/CC_final/icenine/arv/chown/obj_fail
556#	attribute,100644,root,other,8388608,268407,0
557#	subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
558#	return,failure: Not owner,-1
559#	trailer,193
560
561label=AUE_CHROOT
562  format=path:[attr]
563#	header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
564#	path,/
565#	attribute,40755,root,root,8388608,2,0
566#	subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
567#	return,success,0
568#	trailer,104
569#	header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
570#	path,/export/home/CC_final/icenine/arv/chroot/obj_fail
571#	attribute,40777,tuser10,other,8388608,335110,0
572#	subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
573#	return,failure: Not owner,-1
574#	trailer,152
575
576label=AUE_CLOCK_SETTIME
577  format=kernel
578
579label=AUE_CLOSE
580  format=arg1:[path]:[attr]
581    comment=1, file descriptor, "fd"
582
583label=AUE_CONFIGKSSL
584  case=Adding KSSL entry.
585    format=text1:inaddr2:text3:text4
586      comment=opcode, KSSL_ADD_ENTRY:
587      comment=local IP address:
588      comment=SSL port number:
589      comment=proxy port number
590  case=Deleting KSSL entry.
591    format=text1:inaddr2:text3
592      comment=opcode, KSSL_DELETE_ENTRY:
593      comment=local IP address:
594      comment=SSL port number
595
596label=AUE_CONNECT
597# cases "no vnode" not fully confirmed
598  case=If there is no vnode for this file descriptor
599  case=If the socket address is not part of the AF_INET family
600    format=arg1:arg2:arg3
601      comment=1, file descriptor, "so":
602      comment=1, socket family, "family":
603      comment=1, socket type, "type"
604  case=If the socket address is part of the AF_INET family
605    format=arg1:inet2
606      comment=1, file descriptor, "so":
607      comment=socket address
608
609label=AUE_CORE
610  syscall=none
611  title=process dumped core
612  see=none
613  format=path:[attr]:arg1
614    comment=1, signal, "signal"
615# see uts/common/c2/audit.c
616
617label=AUE_CREAT
618# obsolete - see open(2)
619  format=path:[attr]
620# does not match old BSM manual
621#	header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
622#	path,/export/home/CC_final/icenine/arv/creat/obj_succ
623#	attribute,100644,tuser10,other,8388608,49679,0
624#	subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
625#	return,success,8
626#	trailer,151
627#	header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
628#	path,/devices/pseudo/mm@0:null
629#	subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
630#	return,success,8
631#	trailer,107
632#	header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
633#	path,/obj_fail
634#	subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
635#	return,failure: Permission denied,-1
636#	trailer,83
637
638label=AUE_CRYPTOADM
639  title=kernel cryptographic framework
640  format=text1:(0..n)[text]2
641  comment=cryptoadm command/operation:
642  comment=mechanism list
643
644label=AUE_DOORFS
645  skip=Not used.  (Place holder for set of door audit events.)
646
647label=AUE_DOORFS_DOOR_BIND
648  skip=Not used.
649  syscall=doorfs:  DOOR_BIND
650
651label=AUE_DOORFS_DOOR_CALL
652  format=arg1:proc2
653    comment=1, door ID, "door ID":
654    comment=for process that owns the door
655  syscall=doorfs:  DOOR_CALL
656
657label=AUE_DOORFS_DOOR_CREATE
658  format=arg1
659    comment=1, door attributes, "door attr"
660  syscall=doorfs:  DOOR_CREATE
661
662label=AUE_DOORFS_DOOR_CRED
663  skip=Not used.
664  syscall=doorfs:  DOOR_CRED
665
666label=AUE_DOORFS_DOOR_INFO
667  skip=Not used.
668  syscall=doorfs:  DOOR_INFO
669
670label=AUE_DOORFS_DOOR_RETURN
671  format=kernel
672  syscall=doorfs:  DOOR_RETURN
673
674label=AUE_DOORFS_DOOR_REVOKE
675  format=arg1
676    comment=1, door ID, "door ID"
677  syscall=doorfs:  DOOR_REVOKE
678
679label=AUE_DOORFS_DOOR_UNBIND
680  skip=Not used.
681  syscall=doorfs:  DOOR_UNBIND
682
683label=AUE_DUP2
684skip=Not used.
685
686label=AUE_ENTERPROM
687  title=enter prom
688  syscall=none
689  format=head:text1:ret
690    comment="kmdb"
691#	header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
692#	text,kmdb
693#	return,success,0
694
695label=AUE_EXEC
696# obsolete - see execve(2)
697  format=path:[attr]1:[exec_args]2:[exec_env]3
698    comment=omitted on error:
699    comment=output if argv policy is set:
700    comment=output if arge policy is set
701
702label=AUE_EXECVE
# Record for execve(2): the path of the executable, its attributes (omitted
# on error), and the argument and environment lists, which are output only
# when the argv and arge audit policies are set.
# NOTE(review): the first sample record below is a creat(2) record, not
# execve(2); only the second sample illustrates this event, and it is a
# failure case, so neither sample shows attr, exec_args or exec_env.
703  format=path:[attr]1:[exec_args]2:[exec_env]3
704    comment=omitted on error:
705    comment=output if argv policy is set:
706    comment=output if arge policy is set
707#	header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
708#	path,/devices/pseudo/mm@0:null
709#	subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
710#	return,success,8
711#	trailer,107
712#	header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
713#	path,/usr/bin/pig
714#	subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
715#	return,failure: No such file or directory,-1
716#	trailer,86
717
718label=AUE_PFEXEC
# Record for AUE_PFEXEC: executable and working-directory paths, optional
# privilege and process tokens when privilege sets or IDs change, the
# argument list, and the environment when the arge policy is set.
# NOTE(review): "privileges" is not one of the token= aliases defined in the
# first section (the alias there is privset:privilege), so by the rule in the
# header it would be taken literally -- confirm that is intended.  Both
# [privileges] entries also share comment index 3, and exec_args has no index.
719  format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
720    comment=pathname of the executable:
721    comment=pathname of working directory:
722    comment=privileges if the limit or inheritable set are changed:
723    comment=process if ruid, euid, rgid or egid is changed:
724    comment=output if arge policy is set
725
726label=AUE_sudo
727  format=exec_args1:[text]2
728    comment=command args:
729    comment=error message (failure only)
730
731label=AUE_EXIT
732  format=arg1:[text]2
733    comment=1, exit status, "exit status":
734    comment=event aborted
735
736label=AUE_EXITPROM
737  title=exit prom
738  syscall=none
739  format=head:text1:ret
740    comment="kmdb"
741#	header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
742#	text,kmdb
743#	return,success,0
744
745label=AUE_EXPORTFS
746  skip=Not used.
747
748label=AUE_FACCESSAT
749# obsolete
750  see=access(2)
751  format=path:[attr]
752
753label=AUE_FACLSET
754  syscall=facl
755  case=Invalid file descriptor
756    format=arg1:arg2
757      comment=2, SETACL, "cmd":
758      comment=3, number of ACL entries, "nentries"
759  case=Zero path
760    format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
761      comment=2, SETACL, "cmd":
762      comment=3, number of ACL entries, "nentries":
763      comment=1, file descriptor, "no path&colon; fd":
764      comment=ACLs
765  case=Non-zero path
766    format=arg1:arg2:path:[attr]:(0..n)[acl]3
767      comment=2, SETACL, "cmd":
768      comment=3, number of ACL entries, "nentries":
769      comment=ACLs
770
771label=AUE_FCHDIR
772  format=[path]:[attr]
773#	header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
774#	path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
775#	attribute,40777,tuser10,other,8388608,207662,0
776#	subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
777#	return,success,0
778#	trailer,150
779#	header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
780#	subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
781#	return,failure: Permission denied,-1
782#	trailer,68
783
784label=AUE_FCHMOD
785  case=With a valid file descriptor and path
786    format=arg1:path:[attr]
787      comment=2, mode, "new file mode"
788  case=With a valid file descriptor and invalid path
789    format=arg1:[arg]2:[attr]
790      comment=2, mode, "new file mode":
791      comment=1, file descriptor, "no path&colon; fd"
792  case=With an invalid file descriptor
793    format=arg1
794      comment=2, mode, "new file mode"
795#	header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
796#	argument,2,0x1a4,new file mode
797#	path,/export/home/CC/icenine/arv/fchmod/obj_succ
798#	attribute,100644,tuser10,other,7602240,26092,0
799#	subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
800#	return,success,0
801#	trailer,168
802#	header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
803#	argument,2,0x1a4,new file mode
804#	subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
805#	return,failure: Bad file number,-1
806#	trailer,90
807#	header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
808#	argument,2,0x1a4,new file mode
809#	path,/export/home/CC/icenine/arv/fchmod/obj_fail
810#	attribute,100644,root,other,7602240,26093,0
811#	subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
812#	return,failure: Not owner,-1
813#	trailer,168
814
815label=AUE_FCHOWN
816  case=With a valid file descriptor
817    format=arg1:arg2:[path]:[attr]
818      comment=2, uid, "new file uid":
819      comment=3, gid, "new file gid"
820  case=With an invalid file descriptor
821    format=arg1:arg2:[arg]3:[attr]
822       comment=2, uid, "new file uid":
823       comment=3, gid, "new file gid":
824       comment=1, file descriptor, "no path fd"
825
826label=AUE_FCHOWNAT
827# obsolete
828  see=openat(2)
829  case=With a valid absolute/relative file path
830    format=path:[attr]
831  case=With an file path eq. NULL and valid file descriptor
832    format=kernel
833
834label=AUE_FCHROOT
835  format=[path]:[attr]
836# fchroot -> chdirec -> audit_chdirec
837
838label=AUE_FCNTL
839  case=With a valid file descriptor
840    format=arg1:[arg]2:path:attr
841      comment=2, command, "cmd":
842      comment=3, flags, "flags"
843  case=With an invalid file descriptor
844    format=arg1:[arg]2:arg3
845      comment=2, command, "cmd":
846      comment=3, flags, "flags":
847      comment=1, file descriptor, "no path fd"
848  note=Flags are included only when cmd is F_SETFL.
849
850label=AUE_FLOCK
851  skip=Not used.
852
853label=AUE_FORKALL
854  format=[arg]1
855    comment=0, pid, "child PID"
856  note=The forkall(2) return values are undefined because the audit record
857  note=is produced at the point that the child process is spawned.
858# see audit.c
859
860label=AUE_FORK1
861  format=[arg]1
862    comment=0, pid, "child PID"
863  note=The fork1(2) return values are undefined because the audit record
864  note=is produced at the point that the child process is spawned.
865# see audit.c
866
867label=AUE_FSAT
868# obsolete
869  skip=Not used.  (Placeholder for AUE_*AT records)
870
871label=AUE_FSTAT
872  skip=Not used.
873
874label=AUE_FSTATAT
875# obsolete
876  format=path:[attr]
877
878label=AUE_FSTATFS
879  case=With a valid file descriptor
880    format=[path]:[attr]
881  case=With an invalid file descriptor
882    format=arg1
883      comment=1, file descriptor, "no path fd"
884
885label=AUE_FTRUNCATE
886  skip=Not used.
887
888label=AUE_FUSERS
889  syscall=utssys: UTS_FUSERS
890  format=path:attr
891
892label=AUE_FUTIMESAT
893# obsolete
894  format=[path]:[attr]
895
896label=AUE_GETAUDIT
897  format=kernel
898#	header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
899#	subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
900#	return,success,0
901#	trailer,68
902#	header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
903#	subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
904#	return,success,0
905#	trailer,68
906
907label=AUE_GETAUDIT_ADDR
908  format=kernel
909#	header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
910#	subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
911#	return,success,0
912
913label=AUE_GETAUID
914  format=kernel
915#	header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
916#	subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
917#	return,success,0
918#	trailer,68
919#	header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
920#	subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
921#	return,failure: Not owner,-1
922#	trailer,68
923
924label=AUE_GETDENTS
925  skip=Not used.
926#Not security relevant
927
928label=AUE_GETKERNSTATE
929  skip=Not used.
930
931label=AUE_GETMSG
932  case=With a valid file descriptor
933  format=arg1:[path]:attr:arg2
934    comment=1, file descriptor, "fd":
935    comment=4, priority, "pri"
936  case=With an invalid file descriptor
937  format=arg1:arg2
938    comment=1, file descriptor, "fd":
939    comment=4, priority, "pri"
940
941label=AUE_GETPMSG
942  case=With a valid file descriptor
943  format=arg1:[path]:attr
944    comment=1, file descriptor, "fd"
945  case=With an invalid file descriptor
946  format=arg1
947    comment=1, file descriptor, "fd"
948
949label=AUE_GETPORTAUDIT
950  format=Not used.
951
952label=AUE_GETUSERAUDIT
953  skip=Not used.
954
955label=AUE_INST_SYNC
956  format=arg1
957    comment=2, flags value, "flags"
958
959label=AUE_IOCTL
960  case=With an invalid file descriptor
961    format=arg1:arg2:arg3
962      comment=1, file descriptor, "fd":
963      comment=2, command, "cmd":
964      comment=3, arg, "arg"
965  case=With a valid file descriptor
966    format=path:[attr]:arg1:arg2
967      comment=2, ioctl cmd, "cmd":
968      comment=3, ioctl arg, "arg"
969  case=Non-file file descriptor
970    format=arg1:arg2:arg3
971      comment=1, file descriptor, "fd":
972      comment=2, ioctl cmd, "cmd":
973      comment=3, ioctl arg, "arg"
974  case=Bad file name
975    format=arg1:arg2:arg3
976      comment=1, file descriptor, "no path&colon; fd":
977      comment=2, ioctl cmd, "cmd":
978      comment=3, ioctl arg, "arg"
979# old BSM manual misses a case
980
981label=AUE_JUNK
982  skip=Not used.
983
984label=AUE_KILL
985  case=Valid process
986    format=arg1:[proc]
987      comment=2, signo, "signal"
988  case=Zero or negative process
989    format=arg1:arg2
990      comment=2, signo, "signal":
991      comment=1, pid, "process"
992
993label=AUE_KILLPG
994  skip=Not used.
995
996label=AUE_LCHOWN
997  format=arg1:arg2:path:[attr]
998    comment=2, uid, "new file uid":
999    comment=3, gid, "new file gid"
1000
1001label=AUE_LINK
1002  format=path1:[attr]:path2
1003     comment=from path:
1004     comment=to path
1005
1006label=AUE_LSEEK
1007  skip=Not used.
1008
1009label=AUE_LSTAT
1010  format=path:[attr]
1011
1012label=AUE_LXSTAT
1013# obsolete
1014  skip=Not used.
1015
1016label=AUE_MCTL
1017  skip=Not used.
1018
1019label=AUE_MEMCNTL
1020  format=arg1:arg2:arg3:arg4:arg5:arg6
1021    comment=1, base address, "base":
1022    comment=2, length, "len":
1023    comment=3, command, "cmd":
1024    comment=4, command args, "arg":
1025    comment=5, command attributes, "attr":
1026    comment=6, 0, "mask"
1027
1028label=AUE_MKDIR
1029  format=arg1:path:[attr]
1030    comment=2, mode, "mode"
1031
1032label=AUE_MKNOD
1033  format=arg1:arg2:path:[attr]
1034    comment=2, mode, "mode":
1035    comment=3, dev, "dev"
1036
1037label=AUE_MMAP
1038  case=With a valid file descriptor
1039    format=arg1:arg2:[path]3:[attr]
1040      comment=1, segment address, "addr":
1041      comment=2, segment address, "len":
1042      comment=if no path, then argument&colon; \
1043        1, "nopath&colon; fd", file descriptor
1044  case=With an invalid file descriptor
1045    format=arg1:arg2:arg3
1046      comment=1, segment address, "addr":
1047      comment=2, segment address, "len":
1048      comment=1, file descriptor, "no path&colon; fd"
1049
1050label=AUE_MODADDMAJ
1051  title=modctl: bind module
1052  syscall=modctl
1053  format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1054    comment=driver major number:
1055    comment=driver name:
1056    comment=driver major number or "no drvname":
1057    comment=5, number of aliases, "":
1058    comment=aliases
1059
1060label=AUE_MODADDPRIV
1061  format=kernel
1062
1063label=AUE_MODCONFIG
1064  skip=Not used.
1065
1066label=AUE_MODCTL
1067  skip=Not used. (placeholder)
1068
1069label=AUE_MODDEVPLCY
1070  syscall=modctl
1071  title=modctl: set device policy
1072  case=If unknown minor name/pattern
1073    format=arg1:arg2:arg3:arg4:arg5
1074      comment=2, "major", major number:
1075      comment=2, "lomin", low minor number, if known:
1076      comment=2, "himin", hi minor number, if known:
1077      comment=privileges required for reading:
1078      comment=privileges required for writing
1079  case=else
1080    format=arg1:text2:arg3:arg4
1081      comment=2, "major", major number:
1082      comment=minor name/pattern:
1083      comment=privileges required for reading:
1084      comment=privileges required for writing
1085
1086label=AUE_MODLOAD
1087  syscall=modctl
1088  title=modctl: load module
1089  format=[text]1:text2
1090    comment=default path:
1091    comment=filename path
1092
1093label=AUE_MODUNLOAD
1094  syscall=modctl
1095  title=modctl: unload module
1096  format=arg1
1097    comment=1, module ID, "id"
1098
1099label=AUE_MOUNT
1100  case=UNIX file system
1101    format=arg1:text2:path:[attr]
1102      comment=3, flags, "flags":
1103      comment=filesystem type
1104  case=NFS file system
1105    format=arg1:text2:text3:arg4:path:[attr]
1106      comment=3, flags, "flags":
1107      comment=filesystem type:
1108      comment=host name:
1109      comment=3, flags, "internal flags"
1110# unix example:
1111#	header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1112#	argument,3,0x104,flags
1113#	text,ufs
1114#	path,/var2
1115#	attribute,40755,root,root,32,12160,0
1116#	path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1117#	attribute,60640,root,sys,32,231268,137438953476
1118#	subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1119#	return,success,4290707268
1120#		       ^^^^^^^^^^         <- bugid 4333559
1121
1122label=AUE_MSGCTL
1123  format=arg1:[ipc]:[ipc_perm]
1124    comment=1, message ID, "msg ID"
1125  note=ipc_perm
1126# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127
1128label=AUE_MSGCTL_RMID
1129  format=arg1:[ipc]:[ipc_perm]
1130    comment=1, message ID, "msg ID"
1131  note=ipc_perm
1132  syscall=msgctl: IPC_RMID
1133# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134
1135label=AUE_MSGCTL_SET
1136  format=arg1:[ipc]:[ipc_perm]
1137    comment=1, message ID, "msg ID"
1138  note=ipc_perm
1139  syscall=msgctl: IPC_SET
1140# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141
1142label=AUE_MSGCTL_STAT
1143  format=arg1:[ipc]:[ipc_perm]
1144    comment=1, message ID, "msg ID"
1145  note=ipc_perm
1146  syscall=msgctl: IPC_STAT
1147# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1148
1149label=AUE_MSGGET
1150  format=arg1:ipc
1151    comment=1, message key, "msg key"
1152  note=ipc_perm
1153  syscall=msgget
1154
1155label=AUE_MSGGETL
1156  skip=Not used.
1157
1158label=AUE_MSGRCV
1159  format=arg1:[ipc]:[ipc_perm]
1160    comment=1, message ID, "msg ID"
1161  note=ipc_perm
1162  syscall=msgrcv
1163# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1164
1165label=AUE_MSGRCVL
1166  skip=Not used.
1167
1168label=AUE_MSGSND
1169  format=arg1:[ipc]:[ipc_perm]
1170    comment=1, message ID, "msg ID"
1171  note=ipc_perm
1172  syscall=msgsnd
1173# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1174
1175label=AUE_MSGSNDL
1176  skip=Not used.
1177
1178label=AUE_MSGSYS
1179skip=Not used.  (Placeholder for AUE_MSG* events.)
1180
1181label=AUE_MUNMAP
1182  format=arg1:arg2
1183    comment=1, address of memory, "addr":
1184    comment=2, memory segment size, "len"
1185
1186label=AUE_NFS
1187  skip=Not used.
1188
1189label=AUE_NFSSVC_EXIT
1190  skip=Not used.
1191
1192label=AUE_NFS_GETFH
1193  skip=Not used.
1194
1195label=AUE_NFS_SVC
1196  skip=Not used.
1197
1198label=AUE_NICE
1199  format=kernel
1200
1201label=AUE_NULL
1202  skip=Not used.  (placeholder)
1203# used internal to audit_event.c for minimal audit
1204
1205label=AUE_NTP_ADJTIME
1206  format=kernel
1207
1208label=AUE_ONESIDE
1209  skip=Not used.
1210
1211label=AUE_OPEN
1212  skip=Not used.  (placeholder for AUE_OPEN_*).
1213
1214label=AUE_OPEN_R
1215  format=path:[path_attr]:[attr]
1216  see=open(2) - read
1217
1218label=AUE_OPENAT_R
1219# obsolete
1220  format=path:[path_attr]:[attr]
1221  see=openat(2)
1222
1223label=AUE_OPEN_RC
1224  format=path:[path_attr]:[attr]
1225  see=open(2) - read,creat
1226
1227label=AUE_OPENAT_RC
1228# obsolete
1229  see=openat(2)
1230  format=path:[path_attr]:[attr]
1231
1232label=AUE_OPEN_RT
1233  format=path:[path_attr]:[attr]
1234  see=open(2) - read,trunc
1235
1236label=AUE_OPENAT_RT
1237# obsolete
1238  see=openat(2)
1239  format=path:[path_attr]:[attr]
1240
1241label=AUE_OPEN_RTC
1242  format=path:[path_attr]:[attr]
1243  see=open(2) - read,trunc,creat
1244
1245label=AUE_OPENAT_RTC
1246# obsolete
1247  see=openat(2)
1248  format=path:[path_attr]:[attr]
1249
1250label=AUE_OPEN_RW
1251  format=path:[path_attr]:[attr]
1252  see=open(2) - read,write
1253
1254label=AUE_OPENAT_RW
1255# obsolete
1256  see=openat(2)
1257  format=path:[path_attr]:[attr]
1258# aui_fsat(): fm & O_RDWR
1259
1260label=AUE_OPEN_RWC
1261  format=path:[path_attr]:[attr]
1262  see=open(2) - read,write,creat
1263
1264label=AUE_OPENAT_RWC
1265# obsolete
1266  see=openat(2)
1267  format=path:[path_attr]:[attr]
1268
1269label=AUE_OPEN_RWT
1270  format=path:[path_attr]:[attr]
1271  see=open(2) - read,write,trunc
1272
1273label=AUE_OPENAT_RWT
1274# obsolete
1275  see=openat(2)
1276  format=path:[path_attr]:[attr]
1277
1278label=AUE_OPEN_RWTC
1279  format=path:[path_attr]:[attr]
1280  see=open(2) - read,write,trunc,creat
1281
1282label=AUE_OPENAT_RWTC
1283# obsolete
1284  see=openat(2)
1285  format=path:[path_attr]:[attr]
1286
1287label=AUE_OPEN_W
1288  format=path:[path_attr]:[attr]
1289  see=open(2) - write
1290
1291label=AUE_OPENAT_W
1292  see=openat(2)
1293  format=path:[path_attr]:[attr]
1294
1295label=AUE_OPEN_WC
1296  format=path:[path_attr]:[attr]
1297  see=open(2) - write,creat
1298
1299label=AUE_OPENAT_WC
1300  see=openat(2)
1301  format=path:[path_attr]:[attr]
1302
1303label=AUE_OPEN_WT
1304  format=path:[path_attr]:[attr]
1305  see=open(2) - write,trunc
1306
1307label=AUE_OPENAT_WT
1308  see=openat(2)
1309  format=path:[path_attr]:[attr]
1310
1311label=AUE_OPEN_WTC
1312  format=path:[path_attr]:[attr]
1313  see=open(2) - write,trunc,creat
1314
1315label=AUE_OPENAT_WTC
1316  see=openat(2)
1317  format=path:[path_attr]:[attr]
1318
1319label=AUE_OPEN_S
1320  format=path:[path_attr]:[attr]
1321  see=open(2) - search
1322
1323label=AUE_OPEN_E
1324  format=path:[path_attr]:[attr]
1325  see=open(2) - exec
1326
1327label=AUE_OSETPGRP
1328  skip=Not used.
1329
1330label=AUE_OSTAT
1331# obsolete
1332  skip=Not used.
1333
1334label=AUE_PATHCONF
1335  format=path:[attr]
1336
1337label=AUE_PIPE
1338format=kernel
1339# class is no, not usually printed
1340
1341label=AUE_PORTFS
1342  skip=Not used (placeholder for AUE_PORTFS_*).
1343
1344label=AUE_PORTFS
1345  skip=Not used (placeholder for AUE_PORTFS_*).
1346
1347label=AUE_PORTFS_ASSOCIATE
1348  syscall=portfs
1349  see=port_associate(3C)
1350  case=Port association via PORT_SOURCE_FILE
1351  format=[path]1:attr
1352    comment=name of the file/directory to be watched
1353
1354label=AUE_PORTFS_DISSOCIATE
1355  syscall=portfs
1356  see=port_dissociate(3C)
1357  case=Port disassociation via PORT_SOURCE_FILE
1358  format=kernel
1359
1360label=AUE_PRIOCNTLSYS
1361  syscall=priocntl
1362  see=priocntl(2)
1363  format=arg1:arg2
1364    comment=1, priocntl version number, "pc_version":
1365    comment=3, command, "cmd"
1366
1367label=AUE_PROCESSOR_BIND
1368  case=No LWP/thread bound to the processor
1369    format=arg1:arg2:text3:[proc]
1370      comment=1, type of ID, "ID type":
1371      comment=2, ID value, "ID":
1372      comment="PBIND_NONE"
1373  case=With processor bound
1374    format=arg1:arg2:arg3:[proc]
1375      comment=1, type of ID, "ID type":
1376      comment=2, ID value, "ID":
1377      comment=3, processor ID, "processor_id"
1378
1379label=AUE_PUTMSG
1380  see=putmsg(2)
1381  format=arg1:[path]:[attr]:arg2
1382    comment=1, file descriptor, "fd":
1383    comment=4, priority, "pri"
1384
1385label=AUE_PUTPMSG
1386  see=putpmsg(2)
1387  format=arg1:[path]:[attr]:arg2:arg3
1388    comment=1, file descriptor, "fd":
1389    comment=4, priority, "pri":
1390    comment=5, flags, "flags"
1391
1392label=AUE_P_ONLINE
1393  format=arg1:arg2:text3
1394    comment=1, processor ID, "processor ID":
1395    comment=2, flags value, "flags":
1396    comment=text form of flags.  Values&colon;  \
1397      P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1398
1399label=AUE_QUOTACTL
1400  skip=Not used.
1401
1402label=AUE_READ
1403  skip=Not used.  (Placeholder for AUE_READ_* events)
1404
1405label=AUE_READL
1406  skip=Not used. (Obsolete)
1407
1408label=AUE_READLINK
1409  format=path:[attr]
1410
1411label=AUE_READV
1412  skip=Not used (obsolete)
1413# detritus from CMS
1414
1415label=AUE_READVL
1416  skip=Not used (obsolete)
1417# detritus from CMS
1418
1419label=AUE_REBOOT
1420  skip=Not used.
1421
1422label=AUE_RECV
1423  case=If address family is AF_INET or AF_INET6
1424    format=[arg]1:[inet]
1425      comment=1, file descriptor, "so"
1426  case=If address family is AF_UNIX and path is defined
1427    format=[path]1:[attr]
1428      comment=1, file descriptor, "so"
1429  case=If address family is AF_UNIX and path is NULL
1430    format=[path]1:[attr]
1431      comment=1, file descriptor, "no path&colon; fd"
1432  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1433    format=[arg]1:[arg]2:[arg]3
1434      comment=1, file descriptor, "so":
1435      comment=1, family, "family":
1436      comment=1, type, "type"
1437# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1438
1439label=AUE_RECVFROM
1440  format=inet:arg1:[arg]2:inet3:arg4
1441    comment=3, message length, "len":
1442    comment=4, flags, "flags":
1443    comment=from address:
1444    comment=6, address length, "tolen"
1445  note=The socket token for a bad socket is reported as "argument
1446  note=token (1, socket descriptor, "fd")"
1447
1448label=AUE_RECVMSG
1449  case=If invalid file descriptor
1450    format=arg1:arg2
1451      comment=1, file descriptor, "so":
1452      comment=3, flags, "flags"
1453  case=If valid file descriptor and socket is AF_UNIX and no path
1454  format=arg1:[attr]
1455    comment=1, file descriptor, "no path&colon; fd"
1456  case=If valid file descriptor and socket is AF_UNIX and path defined
1457  format=path:attr
1458  case=If valid file descriptor and socket is AF_INET or AF_INET6
1459  case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1460  format=arg1:arg2:inet
1461    comment=1, file descriptor, "so":
1462    comment=2, flags, "flags"
1463  case=.. if socket type is unknown
1464  format=arg1:arg2:arg3:arg4
1465    comment=1, file descriptor, "so":
1466    comment=1, family, "family":
1467    comment=1, type, "type":
1468    comment=3, flags, "flags"
1469
1470label=AUE_RENAME
1471  format=path1:[attr]1:[path]2
1472  comment=from name:
1473  comment=to name
1474
1475label=AUE_RENAMEAT
1476# obsolete
1477  format=path1:[attr]1:[path]2
1478  comment=from name:
1479  comment=to name
1480
1481label=AUE_RFSSYS
1482  skip=Not used.
1483# apparently replaced
1484
1485label=AUE_RMDIR
1486  format=path:[attr]
1487
1488label=AUE_SEMCTL
1489  format=arg1:[ipc]:[ipc_perm]
1490    comment=1, semaphore ID, "sem ID"
1491  note=ipc_perm
1492# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1493
1494label=AUE_SEMCTL_GETALL
1495  format=arg1:[ipc]:[ipc_perm]
1496    comment=1, semaphore ID, "sem ID"
1497  note=ipc_perm
1498  syscall=semctl: GETALL
1499# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1500
1501label=AUE_SEMCTL_GETNCNT
1502  format=arg1:[ipc]:[ipc_perm]
1503    comment=1, semaphore ID, "sem ID"
1504  note=ipc_perm
1505  syscall=semctl: GETNCNT
1506# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1507
1508label=AUE_SEMCTL_GETPID
1509  format=arg1:[ipc]:[ipc_perm]
1510    comment=1, semaphore ID, "sem ID"
1511  note=ipc_perm
1512  syscall=semctl: GETPID
1513# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1514
1515label=AUE_SEMCTL_GETVAL
1516  format=arg1:[ipc]:[ipc_perm]
1517    comment=1, semaphore ID, "sem ID"
1518  note=ipc_perm
1519  syscall=semctl: GETVAL
1520# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1521
1522label=AUE_SEMCTL_GETZCNT
1523  format=arg1:[ipc]:[ipc_perm]
1524    comment=1, semaphore ID, "sem ID"
1525  note=ipc_perm
1526  syscall=semctl: GETZCNT
1527# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1528
1529label=AUE_SEMCTL_RMID
1530  format=arg1:[ipc]:[ipc_perm]
1531    comment=1, semaphore ID, "sem ID"
1532  note=ipc_perm
1533  syscall=semctl: IPC_RMID
1534# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1535
1536label=AUE_SEMCTL_SET
1537  format=arg1:[ipc]:[ipc_perm]
1538    comment=1, semaphore ID, "sem ID"
1539  note=ipc_perm
1540  syscall=semctl: IPC_SET
1541# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1542
1543label=AUE_SEMCTL_SETALL
1544  format=arg1:[ipc]:[ipc_perm]
1545    comment=1, semaphore ID, "sem ID"
1546  note=ipc_perm
1547  syscall=semctl: SETALL
1548# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1549
1550label=AUE_SEMCTL_SETVAL
1551  format=arg1:[ipc]:[ipc_perm]
1552    comment=1, semaphore ID, "sem ID"
1553  note=ipc_perm
1554  syscall=semctl: SETVAL
1555# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1556
1557label=AUE_SEMCTL_STAT
1558  format=arg1:[ipc]:[ipc_perm]
1559    comment=1, semaphore ID, "sem ID"
1560  note=ipc_perm
1561  syscall=semctl: IPC_STAT
1562# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1563
1564label=AUE_SEMGET
1565  format=arg1:[ipc_perm]:ipc
1566    comment=1, semaphore ID, "sem key"
1567  note=ipc_perm
1568  syscall=semctl: SETVAL
1569# ipc_perm token: semget -> audit_ipcget
1570
1571label=AUE_SEMGETL
1572  skip=Not used.
1573
1574label=AUE_SEMOP
1575  format=arg1:[ipc]:[ipc_perm]
1576    comment=1, semaphore ID, "sem ID"
1577  note=ipc_perm
1578# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1579
1580label=AUE_SEMSYS
1581  skip=Not used.  (place holder) -- defaults to a semget variant
1582
1583label=AUE_SEND
1584  case=If address family is AF_INET or AF_INET6
1585    format=[arg]1:[inet]
1586      comment=1, file descriptor, "so"
1587  case=If address family is AF_UNIX and path is defined
1588    format=[path]1:[attr]
1589      comment=1, file descriptor, "so"
1590  case=If address family is AF_UNIX and path is NULL
1591    format=[path]1:[attr]
1592      comment=1, file descriptor, "no path&colon; fd"
1593  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1594    format=[arg]1:[arg]2:[arg]3
1595      comment=1, file descriptor, "so":
1596      comment=1, family, "family":
1597      comment=1, type, "type"
1598# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1599
1600label=AUE_SENDMSG
1601  case=If invalid file descriptor
1602    format=arg1:arg2
1603      comment=1, file descriptor, "so":
1604      comment=3, flags, "flags"
1605  case=If valid file descriptor
1606  case=...and address family is AF_UNIX and path is defined
1607    format=path:attr
1608  case=...and address family is AF_UNIX and path is NULL
1609    format=path1:attr
1610      comment=1, file descriptor, "nopath&colon; fd"
1611  case=...and address family is AF_INET or AF_INET6, \
1612    socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1613    format=arg1:arg2:inet
1614      comment=1, file descriptor, "so":
1615      comment=3, flags, "flags"
1616  case=...and unknown address family or address family AF_INET or AF_INET6 \
1617    and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1618    format=arg1:arg2:arg3:arg4
1619      comment=1, file descriptor, "so":
1620      comment=1, family, "family":
1621      comment=1, type, "type":
1622      comment=1, flags, "flags"
1623
1624label=AUE_SENDTO
1625  case=If invalid file descriptor
1626    format=arg1:arg2
1627      comment=1, file descriptor, "so":
1628      comment=3, flags, "flags"
1629  case=If valid file descriptor
1630  case=...and socket is AF_UNIX and path is defined
1631    format=path:attr
1632  case=...and address family is AF_UNIX and path is NULL
1633    format=path1:attr
1634      comment=1, file descriptor, "nopath&colon; fd"
1635  case=...and address family is AF_INET or AF_INET6
1636    format=arg1:arg2:inet
1637      comment=1, file descriptor, "so":
1638      comment=3, flags, "flags"
1639  case=...and unknown address family
1640    format=arg1:arg2:arg3:arg4
1641      comment=1, file descriptor, "so":
1642      comment=1, family, "family":
1643      comment=1, type, "type":
1644      comment=1, flags, "flags"
1645
1646label=AUE_SETAUDIT
1647  case=With a valid program stack address
1648    format=arg1:arg2:arg3:arg4:arg5:arg6
1649      comment=1, audit user ID, "setaudit&colon;auid":
1650      comment=1, terminal ID, "setaudit&colon;port":
1651      comment=1, terminal ID, "setaudit&colon;machine":
1652      comment=1, preselection mask, "setaudit&colon;as_success":
1653      comment=1, preselection mask, "setaudit&colon;as_failure":
1654      comment=1, audit session ID, "setaudit&colon;asid"
1655  case=With an invalid program stack address
1656    format=kernel
1657#	header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1658#	argument,1,0x271a,setaudit:auid
1659#	argument,1,0x3ff0201,setaudit:port
1660#	argument,1,0x8192591e,setaudit:machine
1661#	argument,1,0x400,setaudit:as_success
1662#	argument,1,0x400,setaudit:as_failure
1663#	argument,1,0x16f,setaudit:asid
1664#	subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1665#	return,success,0
1666#	trailer,215
1667#	header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1668#	argument,1,0x271a,setaudit:auid
1669#	argument,1,0x3ff0201,setaudit:port
1670#	argument,1,0x8192591e,setaudit:machine
1671#	argument,1,0x400,setaudit:as_success
1672#	argument,1,0x400,setaudit:as_failure
1673#	argument,1,0x16f,setaudit:asid
1674#	subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1675#	return,success,0
1676#	trailer,215
1677
1678label=AUE_SETAUDIT_ADDR
1679  case=With a valid program stack address
1680    format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1681      comment=1, audit user ID, "auid":
1682      comment=1, terminal ID, "port":
1683      comment=1, type, "type":
1684      comment=1, terminal ID, "ip address":
1685      comment=1, preselection mask, "as_success":
1686      comment=1, preselection mask, "as_failure":
1687      comment=1, audit session ID, "asid"
1688  case=With an invalid program stack address
1689    format=kernel
1690#	header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1691#	argument,1,0x15fa7,auid
1692#	argument,1,0x0,port
1693#	argument,1,0x4,type
1694#	ip address,tmach2
1695#	argument,1,0x9c00,as_success
1696#	argument,1,0x9c00,as_failure
1697#	argument,1,0x1f1,asid
1698#	subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1699#	return,success,0
1700
1701label=AUE_SETAUID
1702  format=arg1
1703    comment=2, audit user ID, "setauid"
1704
1705label=AUE_SETDOMAINNAME
1706  skip=Not used.  (See AUE_SYSINFO)
1707# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1708
1709label=AUE_SETEGID
1710  format=arg1
1711    comment=1, group ID, "gid"
1712
1713label=AUE_SETEUID
1714  format=arg1
1715    comment=1, user ID, "euid"
1716
1717label=AUE_SETGID
1718  format=arg1
1719    comment=1, group ID, "gid"
1720
1721label=AUE_SETGROUPS
1722  note=If more than NGROUPS_MAX_DEFAULT groups listed,
1723  note=no tokens are generated.
1724  case=If no groups in list
1725    format=[arg]1
1726      comment=1, 0, "setgroups"
1727  case=If 1 or more groups in list
1728    format=(1..n)arg1
1729      comment=1, gid, "setgroups"
1730
1731label=AUE_SETHOSTNAME
1732  skip=Not used.  (See AUE_SYSINFO)
1733# See sysinfo call with command SI_SET_HOSTNAME
1734
1735label=AUE_SETKERNSTATE
1736  skip=Not used.
1737
1738label=AUE_SETPGID
1739  format=[proc]:[arg]1
1740  comment=2, pgid, "pgid"
1741
1742label=AUE_SETPGRP
1743  format=kernel
1744
1745label=AUE_SETPRIORITY
1746  skip=Not used.
1747
1748label=AUE_SETPPRIV
1749  case=operation privileges off
1750  format=arg1:privset2
1751    comment=setppriv operation:
1752    comment=privileges actually switched off
1753  case=operation privileges on
1754  format=arg1:privset2
1755    comment=setppriv operation:
1756    comment=privileges actually switched on
1757  case=operation privileges off
1758  format=arg1:privset2:privset3
1759    comment=setppriv operation:
1760    comment=privileges before privset:
1761    comment=privileges after privset
1762#header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
1763#argument,2,0x2,op
1764#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1766#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1767#return,success,0
1768
1769label=AUE_SETREGID
1770  format=arg1:arg2
1771    comment=1, real group ID, "rgid":
1772    comment=2, effective group ID, "egid"
1773
1774label=AUE_SETREUID
1775  format=arg1:arg2
1776    comment=1, real user ID, "ruid":
1777    comment=2, effective user ID, "euid"
1778
1779label=AUE_SETRLIMIT
1780  format=kernel
1781#	header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1782#	subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1783#	return,success,0
1784
1785label=AUE_SETSID
1786  format=kernel
1787
1788label=AUE_SETSOCKOPT
1789  case=Invalid file descriptor
1790    format=arg1:arg2
1791      comment=1, file descriptor, "so":
1792      comment=2, level, "level"
1793  case=Valid file descriptor
1794  case=...and socket is AF_UNIX
1795    format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1796      comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
1797        file descriptor:
1798      comment=1, file descriptor, "so":
1799      comment=1, family, "family":
1800      comment=1, type, "type":
1801      comment=2, protocol level, "level":
1802      comment=3, option name, "optname":
1803      comment=5, option length, "optlen":
1804      comment=option data
1805  case=...and socket is AF_INET or AF_INET6
1806    format=arg1:arg2:arg3:[arg]4:[data]5:inet
1807      comment=1, file descriptor, "so":
1808      comment=2, protocol level, "level":
1809      comment=3, option name, "optname":
1810      comment=5, option length, "optlen":
1811      comment=option data
1812  case=...and socket address family is unknown
1813    format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1814      comment=1, file descriptor, "so":
1815      comment=1, family, "family":
1816      comment=1, type, "type":
1817      comment=2, protocol level, "level":
1818      comment=3, option name, "optname":
1819      comment=5, option length, "optlen":
1820      comment=option data
1821
1822label=AUE_SETTIMEOFDAY
1823  skip=Not used.
1824
1825label=AUE_SETUID
1826  syscall=setuid
1827  format=arg1
1828    comment=1, "uid" to be set
1829
1830label=AUE_SETUSERAUDIT
1831  skip=Not used.
1832
1833label=AUE_SHMAT
1834  format=arg1:arg2:[ipc]:[ipc_perm]
1835    comment=1, shared memory ID, "shm ID":
1836    comment=2, shared mem addr, "shm addr"
1837  note=ipc_perm
1838# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1839
1840label=AUE_SHMCTL
1841  format=arg1:[ipc]:[ipc_perm]
1842    comment=1, shared memory ID, "shm ID"
1843  note=ipc_perm
1844# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1845
1846label=AUE_SHMCTL_RMID
1847  format=arg1:[ipc]:[ipc_perm]
1848  comment=1, shared memory ID, "shm ID"
1849  note=ipc_perm
1850  syscall=shmctl:  IPC_RMID
1851# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1852
1853label=AUE_SHMCTL_SET
1854  format=arg1:[ipc]:[ipc_perm]
1855    comment=1, shared memory ID, "shm ID"
1856  note=ipc_perm
1857  syscall=shmctl:  IPC_SET
1858# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1859
1860label=AUE_SHMCTL_STAT
1861  format=arg1:[ipc]:[ipc_perm]
1862    comment=1, shared memory ID, "shm ID"
1863  note=ipc_perm
1864  syscall=shmctl:  IPC_STAT
1865# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1866
1867label=AUE_SHMDT
1868  format=arg1
1869    comment=1, shared memory address, "shm adr"
1870
1871label=AUE_SHMGET
1872  format=arg1:[ipc_perm]:[ipc]
1873    comment=0, shared memory key, "shm key"
1874  note=ipc_perm
1875# ipc_perm: shmget -> audit_ipcget
1876
1877label=AUE_SHMGETL
1878  skip=Not used.
1879
1880label=AUE_SHMSYS
1881  skip=Not used.  (Placeholder for shmget and shmctl*)
1882
1883label=AUE_SHUTDOWN
1884  case=If the socket address is invalid
1885    format=[arg]1:[text]2:[text]3
1886      comment=1, file descriptor, "fd":
1887      comment=bad socket address:
1888      comment=bad peer address
1889  case=If the socket address is part of the AF_INET family
1890    case=..with zero file descriptor
1891      format=arg1:[arg]2:[arg]3:[arg]4
1892	comment=1, file descriptor, "so":
1893	comment=1, family, "family":
1894	comment=1, type, "type":
1895	comment=2, how shutdown code, "how"
1896    case=...with non-zero file descriptor
1897      format=arg1:arg2:inet
1898	comment=1, file descriptor, "so":
1899	comment=2, how shutdown code, "how"
1900  case=If the socket address is AF_UNIX
1901    case=...with zero file descriptor
1902      format=path1:arg2:[arg]3:[arg]4:[arg]5
1903	comment=If error&colon; argument&colon; \
1904	  1, "no path&colon; fd", file descriptor:
1905	comment=1, file descriptor, "so":
1906	comment=1, family, "family":
1907	comment=1, type, "type":
1908	comment=2, how shutdown code, "how"
1909    case=...with non-zero file descriptor
1910      format=path1:arg2:arg3:inet
1911	comment=If error&colon; argument&colon; \
1912	  1, file descriptor, "no path&colon; fd":
1913	comment=1, file descriptor, "so":
1914	comment=2, how shutdown code, "how"
1915#old BSM manual wrong; used audit_event.c
1916
1917label=AUE_SOCKACCEPT
1918  syscall=getmsg:  socket accept
1919  format=inet:arg1:[path]:attr:arg2
1920    comment=1, file descriptor, "fd":
1921    comment=4, priority, "pri"
1922# see putmsg and getmsg for record format
1923# See audit.c for inet token and audit_start.c for other reference
1924
1925label=AUE_SOCKCONFIG
1926  format=arg1:arg2:arg3:[path]4
1927    comment=1, domain address, "domain":
1928    comment=2, type, "type":
1929    comment=3, protocol, "protocol":
1930    comment=If no path&colon;argument -- 3, 0, "devpath"
1931
1932label=AUE_SOCKCONNECT
1933  syscall=putmsg:  socket connect
1934  format=inet:arg1:[path]:attr:arg2
1935    comment=1, file descriptor, "fd":
1936    comment=4, priority, "pri"
1937# same as AUE_SOCKACCEPT
1938
1939label=AUE_SOCKET
1940  format=arg1:[arg]2:arg3
1941    comment=1, socket domain, "domain":
1942    comment=2, socket type, "type":
1943    comment=3, socket protocol, "protocol"
1944
1945label=AUE_SOCKETPAIR
1946  skip=Not used.
1947# unreferenced
1948
1949label=AUE_SOCKRECEIVE
1950  syscall=getmsg
1951  format=inet:arg1:[path]:attr:arg2
1952    comment=1, file descriptor, "fd":
1953    comment=4, priority, "pri"
1954# see AUE_SOCKACCEPT
1955
1956label=AUE_SOCKSEND
1957syscall=putmsg
1958  format=inet:arg1:[path]:attr:arg2
1959    comment=1, file descriptor, "fd":
1960    comment=4, priority, "pri"
1961# see AUE_SOCKACCEPT
1962
1963label=AUE_STAT
1964  format=path:[attr]
1965
1966label=AUE_STATFS
1967  format=path:[attr]
1968
1969label=AUE_STATVFS
1970  format=path:[attr]
1971
1972label=AUE_STIME
1973  format=kernel
1974
1975label=AUE_SWAPON
1976  skip=Not used.
1977
1978label=AUE_SYMLINK
1979  format=path:text1:[attr]
1980    comment=symbolic link string
1981
1982label=AUE_SYSINFO
1983  note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1984  note=are currently audited.
1985  format=arg1:[text]2
1986    comment=1, command, "cmd":
1987    comment=name
1988
1989label=AUE_SYSTEMBOOT
1990  title=system booted
1991  syscall=none
1992  format=head:text1
1993    comment="booting kernel"
1994# see audit_start.c and audit_io.c
1995# no subject or return / exit token
1996#	header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1997#	text,booting kernel
1998
1999label=AUE_TRUNCATE
2000  skip=Not used.
2001
2002label=AUE_UMOUNT
2003  syscall=umount: old version
2004  note=Implemented as call of the newer umount2(2).
2005  format=path:arg1:[path]:[attr]
2006    comment=2, mflag value = 0, "flags"
2007
2008label=AUE_UMOUNT2
2009  syscall=umount2
2010  format=path:arg1:[path]:[attr]
2011    comment=2, mflag value, "flags"
2012
2013label=AUE_UNLINK
2014  format=path:[attr]
2015
2016label=AUE_UNLINKAT
2017# obsolete
2018  see=openat(2)
2019  format=path:[attr]
2020
2021label=AUE_UNMOUNT
2022  skip=Not used.
2023
2024label=AUE_UTIME
2025# obsolete
2026  format=path:[attr]
2027
2028label=AUE_UTIMES
2029  see=futimens(2)
2030  format=path:[attr]
2031
2032label=AUE_VFORK
2033  format=arg1
2034    comment=0, pid, "child PID"
2035  note=The vfork(2) return values are undefined because the audit record is
2036  note=produced at the point that the child process is spawned.
2037
2038label=AUE_VPIXSYS
2039  skip=Not used.
2040
2041label=AUE_VTRACE
2042  skip=Not used.
2043
2044label=AUE_WRITE
2045  format=path1:attr
2046    comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
2047  note=An audit record is generated for write only once per file close.
2048
2049label=AUE_WRITEV
2050  skip=Not used. (obsolete)
2051
2052label=AUE_XMKNOD
2053# obsolete
2054  skip=Not used.
2055
2056label=AUE_XSTAT
2057# obsolete
2058  skip=Not Used.
2059
2060label=AUE_PF_POLICY_ADDRULE
2061  title=Add IPsec policy rule
2062  see=
2063  syscall=none
2064  format=arg1:arg2:[zone]3:[text]4
2065  comment=Operation applied to active policy (1 is active, 0 is inactive):
2066  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2067  comment=affected zone:
2068  comment=Name of target tunnel
2069
2070label=AUE_PF_POLICY_DELRULE
2071  title=Delete IPsec policy rule
2072  see=
2073  syscall=none
2074  format=arg1:arg2:[zone]3:[text]4
2075  comment=Operation applied to active policy (1 is active, 0 is inactive):
2076  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2077  comment=affected zone:
2078  comment=Name of target tunnel
2079
2080label=AUE_PF_POLICY_CLONE
2081  title=Clone IPsec policy
2082  see=
2083  syscall=none
2084  format=arg1:arg2:[zone]3:[text]4
2085  comment=Operation applied to active policy (1 is active, 0 is inactive):
2086  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2087  comment=affected zone:
2088  comment=Name of target tunnel
2089
2090label=AUE_PF_POLICY_FLIP
2091  title=Flip IPsec policy
2092  see=
2093  syscall=none
2094  format=arg1:arg2:[zone]3:[text]4
2095  comment=Operation applied to active policy (1 is active, 0 is inactive):
2096  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2097  comment=affected zone:
2098  comment=Name of target tunnel
2099
2100label=AUE_PF_POLICY_FLUSH
2101  title=Flush IPsec policy rules
2102  see=
2103  syscall=none
2104  format=arg1:arg2:[zone]3:[text]4
2105  comment=Operation applied to active policy (1 is active, 0 is inactive):
2106  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2107  comment=affected zone:
2108  comment=Name of target tunnel
2109
2110label=AUE_PF_POLICY_ALGS
2111  title=Update IPsec algorithms
2112  see=
2113  syscall=none
2114  format=arg1:arg2:[zone]3:[text]4
2115  comment=Operation applied to active policy (1 is active, 0 is inactive):
2116  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2117  comment=affected zone:
2118  comment=Name of target tunnel
2119
2120label=AUE_allocate_fail
2121  program=/usr/sbin/allocate
2122  title=allocate: allocate-device failure
2123  format=(0..n)[text]1
2124    comment=command line arguments
2125# see audit_allocate.c
2126
2127label=AUE_allocate_succ
2128  program=/usr/sbin/allocate
2129  title=allocate: allocate-device success
2130  format=(0..n)[text]1
2131    comment=command line arguments
2132# see audit_allocate.c
2133
2134label=AUE_at_create
2135  program=/usr/bin/at
2136  title=at: at-create crontab
2137  format=path
2138
2139label=AUE_at_delete
2140  program=/usr/bin/at
2141  title=at: at-delete atjob (at or atrm)
2142  format=text1:path
2143  comment="ancillary file&colon;" filename or "bad format of at-job name"
2144
2145label=AUE_at_perm
2146  skip=Not used.
2147# not referenced outside uevents.h
2148
2149label=AUE_create_user
2150  skip=Not used.
2151
2152label=AUE_cron_invoke
2153  program=/usr/sbin/cron
2154  title=cron: cron-invoke at or cron
2155  case=If there is an issue finding the account
2156  format=text1
2157    comment="bad user" name or "user <name> account expired"
2158  case=else
2159  format=text1:text2
2160    comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2161      or "unknown job type (<job_type_id>)":
2162    comment=command
2163
2164label=AUE_crontab_create
2165  program=/usr/bin/crontab
2166  title=crontab: crontab created
2167  format=path
2168# See audit_crontab.c
2169
2170label=AUE_crontab_delete
2171  program=/usr/bin/crontab
2172  title=crontab: crontab delete
2173  format=path
2174# See audit_crontab.c
2175
2176label=AUE_crontab_mod
2177  program=/usr/bin/crontab
2178  title=crontab:  crontab modify
2179  format=path
2180# See audit_crontab.c
2181
2182label=AUE_crontab_perm
2183  skip=Not used.
2184
2185label=AUE_deallocate_fail
2186  program=/usr/sbin/deallocate
2187  title=deallocate-device failure
2188  format=(0..n)[text]1
2189    comment=command line arguments
2190# See audit_allocate.c
2191
2192label=AUE_deallocate_succ
2193  program=/usr/sbin/deallocate
2194  title=deallocate-device success
2195  format=(0..n)[text]1
2196    comment=command line arguments
2197# See audit_allocate.c
2198
2199label=AUE_delete_user
2200  skip=Not used.
2201
2202label=AUE_disable_user
2203  skip=Not used.
2204
2205label=AUE_enable_user
2206  skip=Not used.
2207
2208label=AUE_ftpd
2209  program=/usr/sbin/in.ftpd
2210  title=in.ftpd
2211  format=[text]1
2212    comment=error message
2213# See audit_ftpd
2214
2215label=AUE_ftpd_logout
2216  program=/usr/sbin/in.ftpd
2217  title=in.ftpd
2218  format=user
2219# See audit_ftpd
2220
2221label=AUE_halt_solaris
2222  program=/usr/sbin/halt
2223  title=halt
2224  format=user
2225# See audit_halt.c
2226
2227label=AUE_kadmind_auth
2228  format=text1:text2:text3
2229    comment=Op&colon; <requested information>:
2230    comment=Arg&colon; <argument for Op>:
2231    comment=Client&colon; <client principal name>
2232# See audit_kadmin.c / common_audit()
2233
2234label=AUE_kadmind_unauth
2235  format=text1:text2:text3
2236    comment=Op&colon; <requested information>:
2237    comment=Arg&colon; <argument for Op>:
2238    comment=Client&colon; <client principal name>
2239# See audit_kadmin.c / common_audit()
2240
2241label=AUE_krb5kdc_as_req
2242  format=text1:text2
2243    comment=Client&colon; <client principal name>:
2244    comment=Service&colon; <requested service name>
2245# See audit_krb5kdc.c / common_audit()
2246
2247label=AUE_krb5kdc_tgs_req
2248  format=text1:text2
2249    comment=Client&colon; <client principal name>:
2250    comment=Service&colon; <requested service name>
2251# See audit_krb5kdc.c / common_audit()
2252
2253label=AUE_krb5kdc_tgs_req_alt_tgt
2254  format=text1:text2
2255    comment=Client&colon; <client principal name>:
2256    comment=Service&colon; <requested service name>
2257# See audit_krb5kdc.c / common_audit()
2258
2259label=AUE_krb5kdc_tgs_req_2ndtktmm
2260  format=text1:text2
2261    comment=Client&colon; <client principal name>:
2262    comment=Service&colon; <requested service name>
2263# See audit_krb5kdc.c / common_audit()
2264
2265label=AUE_listdevice_fail
2266  title=allocate-list devices failure
2267  program=/usr/sbin/allocate
2268  format=(0..n)[text]1
2269    comment=command line arguments
2270# See audit_allocate.c
2271
2272label=AUE_listdevice_succ
2273  title=allocate-list devices success
2274  program=/usr/sbin/allocate
2275  format=(0..n)[text]1
2276    comment=command line arguments
2277# See audit_allocate.c
2278
2279label=AUE_modify_user
2280  skip=Not used.
2281
2282label=AUE_mountd_mount
2283  title=mountd: NFS mount
2284  program=/usr/lib/nfs/mountd
2285  see=mountd(1M)
2286  format=text1:path2
2287    comment=remote client hostname:
2288    comment=mount dir
2289# See audit_mountd.c
2290
2291label=AUE_mountd_umount
2292  title=mountd: NFS unmount
2293  program=/usr/lib/nfs/mountd
2294  format=text1:path2
2295  comment=remote client hostname:
2296  comment=mount dir
2297# See audit_mountd.c
2298
2299label=AUE_poweroff_solaris
2300  program=/usr/sbin/poweroff
2301  title=poweroff
2302  format=user
2303# See audit_halt.c
2304
2305label=AUE_reboot_solaris
2306  program=/usr/sbin/reboot
2307  title=reboot
2308  format=user
2309# See audit_reboot.c
2310#	header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2311#	subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2312#	return,success,0
2313
2314label=AUE_rexd
2315  program=/usr/sbin/rpc.rexd
2316  title=rpc.rexd
2317  format=[text]1:text2:text3:[text]4:[text]5
2318    comment=error message (failure only):
2319    comment="Remote execution requested by&colon;" hostname:
2320    comment="Username&colon;" username:
2321    comment="User id&colon;" user ID (failure only):
2322    comment="Command line&colon;" command attempted
2323# See audit_rexd.c
2324
2325label=AUE_rexecd
2326  program=/usr/sbin/rpc.rexecd
2327  title=rpc.rexecd
2328  format=[text]1:text2:text3:text4
2329    comment=error message (failure only):
2330    comment="Remote execution requested by&colon;" hostname:
2331    comment="Username&colon;" username:
2332    comment="Command line&colon;" command attempted
2333# See audit_rexecd.c
2334
2335label=AUE_rshd
2336  program=/usr/sbin/in.rshd
2337  title=in.rshd
2338  format=text1:text2:[text]3:[text]4
2339    comment="cmd" command:
2340    comment="remote user" remote user:
2341    comment="local user" local user:
2342    comment=failure message
2343# See audit_rshd.c
2344
2345label=AUE_shutdown_solaris
2346  title=shutdown
2347  program=/usr/ucb/shutdown
2348  format=user
2349# See audit_shutdown.c
2350
2351label=AUE_smserverd
2352  program=/usr/lib/smedia/rpc.smserverd
2353  format=[text]1:[text]2
2354    comment=state change:
2355    comment=vid, pid, major/minor device
2356# see usr/src/cmd/smserverd
2357# code shows a third token, path, but it isn't implemented.
2358
2359label=AUE_uadmin_solaris
2360  title=uadmin (obsolete)
2361  program=
2362  see=
2363  format=text1:text2
2364  comment=function code:
2365  comment=argument code
2366# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2367
2368label=AUE_LABELSYS_TNRH
2369  title=config Trusted Network remote host cache
2370  see=tnrh(2)
2371  syscall=labelsys: TSOL_TNRH
2372  case=With the flush command (cmd=3)
2373    format=arg1
2374      comment=1, command, "cmd"
2375  case=With the load (cmd=1) and delete (cmd=2) commands
2376    format=arg1:inaddr2:arg3
2377      comment=1, command, "cmd":
2378      comment=ip address of host:
2379      comment=2, prefix length, "prefix len"
2380
2381label=AUE_LABELSYS_TNRHTP
2382  title=config Trusted Network remote host template
2383  see=tnrhtp(2)
2384  syscall=labelsys: TSOL_TNRHTP
2385  case=With the flush command (cmd=3)
2386    format=arg1
2387      comment=1, command, "cmd"
2388  case=With the load (cmd=1) and delete (cmd=2) commands
2389    format=arg1:text2
2390      comment=1, command, "cmd":
2391      comment=name of template
2392
2393label=AUE_LABELSYS_TNMLP
2394  title=config Trusted Network multi-level port entry
2395  see=tnmlp(2)
2396  syscall=labelsys: TSOL_TNMLP
2397  case=With the flush command (cmd=3)
2398    format=arg1:text2
2399      comment=1, command, "cmd":
2400      comment="shared", or name of zone
2401  case=With the load (cmd=1) and delete (cmd=2) commands
2402    format=arg1:text2:arg3:arg4:[arg]5
2403      comment=1, command, "cmd":
2404      comment="shared", or name of zone:
2405      comment=2, protocol number, "proto num":
2406      comment=2, starting mlp port number, "mlp_port":
2407      comment=2, ending mlp port number, "mlp_port_upper"
2408