xref: /illumos-gate/usr/src/cmd/auditrecord/audit_record_attr.txt (revision 3f9d6ad73e45c6823b409f93b0c8d4f62861d2d5)
1# audit_record_attr.txt
2# Comments starting with two "#" are copied to audit_record_attr;
3# other comments are removed.
4##
5## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6##
7## CDDL HEADER START
8##
9## The contents of this file are subject to the terms of the
10## Common Development and Distribution License (the "License").
11## You may not use this file except in compliance with the License.
12##
13## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
14## or http://www.opensolaris.org/os/licensing.
15## See the License for the specific language governing permissions
16## and limitations under the License.
17##
18## When distributing Covered Code, include this CDDL HEADER in each
19## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
20## If applicable, add the following below this CDDL HEADER, with the
21## fields enclosed by brackets "[]" replaced with your own identifying
22## information: Portions Copyright [yyyy] [name of copyright owner]
23##
24## CDDL HEADER END
25##
26##
27
28# source file for describing audit records.
29
30# This file is in two sections.  The first is a list of attribute /
31# value pairs used to provide short cuts in annotating the audit
32# records.  The second is for annotation for each audit record.
33
34# first section: general attributes
35
36# skipClass=<class name of items to skip if only in that class>
37# skipClass=no    # uncomment to filter unused events
38
39# token name abbreviations
40# token=alias:fullname  -- short names for key tokens
41
42token=arg:argument
43token=attr:attribute
44token=acl:acl_entry
45token=cmd:command
46token=data:data
47token=exec_args:exec_arguments
48token=exec_env:exec_environment
49token=group:group
50token=inaddr:ip_addr
51token=inet:socket
52token=ipc:ipc
53token=ipc_perm:ipc_perm
54token=newgroup:newgroups
55token=path:path
56token=path_attr:attribute_path
57token=privset:privilege
58token=proc:process
59token=text:text
60token=tid:terminal_adr
61token=uauth:use_of_authorization
62token=upriv:use_of_privilege
63token=user:user_object
64token=zone:zonename
65token=fmri:service_instance
66token=label:mandatory_label
67
68token=head:header
69token=subj:subject
70token=ret:return
71token=exit:exit
72
73# note names -- certain notes show up repeatedly; collected here
74#
75# To keep lines shorter than 80 characters, a note name (message=) can
76# be split across multiple lines; each line except the last must end
77# with a backslash character.
78
79message=ipc_perm:The ipc and ipc_perm tokens are not included if \
80  the message ID is not valid.
81
82
83# basic record pattern ("insert" is where event-specific tokens
84# are listed.)
85
86kernel=head:insert:subj:[upriv]:ret
87user=head:subj:insert:ret
88
89# Second Section
90# Annotation Section
91#
92# Most audit records need annotation beyond what is provided by
93# the files audit_event and audit_class.  At a minimum, a record
94# is represented by a label and a format.
95#
96# label=record_id             like AUE_ACCEPT
97# format=token_alias
98#
99# there is no end line; a new label= ends the preceding definition
100# and starts the next.
101#
102# format values are a list of token names, separated by colons.  The
103# name is either one of the values described above (token=) or is
104# a value to be taken literally.  If a token name ends with a digit,
105# the digit is an index into an array of comments.  In the few cases
106# where there are no tokens (other than header, subject, return/exit),
107# use "format=kernel" or "format=user".
108#
109# comment is an array of strings separated by colons.  If comments
110# are listed on separate lines (recommended due to better
111# readability/sustainability of the file), the preceding comment
112# must end with a colon.  The array starts at 1. (If the comment
113# contains a colon, use "&colon;" without the quotes.)
114#
115# case is used to generate alternate descriptions for a given
116# record.
117#
118# Constraints - string length.  Bear in mind that any annotation of the
119# primitives below that is longer than the specified limit is silently
120# truncated to that many characters by auditrecord(1M) at runtime:
121#
122#     primitive <= max (non-truncated) string length
123#	case	<= unlimited; if necessary, text continues on a new line
124#	comment	<= unlimited; if necessary, text continues on a new line
125#	label	<= 43
126#	note	<= unlimited; if necessary, text continues on a new line
127#	program	<= 20
128#	see	<= 39
129#	syscall	<= 20
130#	title	<= 46
131#	token	<= 28 (full name)
132#
133# To keep lines shorter than 80 characters, the unlimited primitives can
134# be split across multiple lines; each line except the last must end
135# with a backslash character.  The "format=" record attribute follows
136# the same rule.
137#
138#
139# AUE_ACCEPT illustrates the use of all the above.  Note that
140# case is not nested; ellipsis (...) is used to give the effect
141# of nesting.
142
143label=AUE_ACCEPT
144#accept(2) failure
145  case=Invalid socket file descriptor
146    format=arg1
147      comment=1, file descriptor, "so"
148#accept(2) non SOCK_STREAM socket
149  case=If the socket address is not part of the AF_INET family
150    format=arg1:arg2:arg3
151      comment=1, "so", file descriptor:
152      comment="family", so_family:
153      comment="type", so_type
154  case=If the socket address is part of the AF_INET family
155    case=...If there is no vnode for this file descriptor
156      format=[arg]1
157        comment=1, file descriptor, "Bad so"
158#accept(2) SOCK_STREAM socket-not bound
159    case=...or if the socket is not bound
160      format=[arg]1:[inet]2
161        comment=1, file descriptor, "so":
162        comment=local/foreign address (0.0.0.0)
163    case=...or if the socket address length = 0
164      format=[arg]1:[inet]2
165        comment=1, file descriptor, "so":
166        comment=local/foreign address (0.0.0.0)
167    case=...or for all other conditions
168      format=inet1:[inet]1
169        comment=socket address
170#accept(2) failure
171#	header
172#	au_to_arg32	"so",file descriptor
173#	subject
174#	return	<errno != 0>
175#
176#accept(2) non SOCK_STREAM socket
177#	header
178#	au_to_arg32	"so", file descriptor
179#	au_to_arg32	"family", so_family
180#	au_to_arg32	"type", so_type
181#	subject
182#	return success
183#
184#accept(2) SOCK_STREAM socket-not bound
185#	header
186#	au_to_arg32	"so", file descriptor
187#	au_to_socket_ex	local/foreign address (0.0.0.0)
188#	subject
189#	return success
190#
191#accept(2) SOCK_STREAM socket-bound
192#	header
193#	au_to_arg32	"so", file descriptor
194#	au_to_socket_ex
195#	subject
196#	return success
197
198
199
200label=AUE_ACCESS
201  format=path1:[attr]
202    comment=may be truncated in failure case
203#	header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
204#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
205#	attribute,100777,41416,staff,8388608,402255,0
206#	subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
207#	return,success,0
208#	trailer,163
209#
210#	header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
211#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
212#	attribute,100000,root,other,8388608,402257,0
213#	subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
214#	return,failure: Permission denied,-1
215#	trailer,163
216#
217#	header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
218#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
219#	subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
220#	return,failure: No such file or directory,-1
221#	trailer,135
222
223label=AUE_ACCT
224  case=Zero path
225    format=arg1
226      comment=1, 0, "accounting off"
227  case=Non-zero path
228    format=path1:[attr]2
229      comment=may be truncated in failure case:
230      comment=omitted if failure
231
232label=AUE_ACLSET
233  syscall=acl
234  format=arg1:arg2:(0..n)[acl]3
235    comment=2, SETACL, "cmd":
236    comment=3, number of ACL entries, "nentries":
237    comment=Access Control List entries
238
239label=AUE_ADJTIME
240  format=kernel
241
242label=AUE_ASYNC_DAEMON
243  skip=Not used
244
245label=AUE_ASYNC_DAEMON_EXIT
246  skip=Not used
247
248label=AUE_AUDIT
249  skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)
250
251label=AUE_AUDITON
252  skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)
253
254label=AUE_AUDITON_GESTATE
255  skip=Not used
256
257label=AUE_AUDITON_GETCAR
258  format=kernel
259  syscall=auditon: GETCAR
260#	header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
261#	subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
262#	return,success,0
263#	trailer,68
264
265label=AUE_AUDITON_GETCLASS
266  format=kernel
267  syscall=auditon: GETCLASS
268#	header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
269#	subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
270#	return,success,0
271#	trailer,68
272
273label=AUE_AUDITON_GETCOND
274  format=kernel
275  syscall=auditon: GETCOND
276#	header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
277#	subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
278#	return,success,0
279#	trailer,68
280
281label=AUE_AUDITON_GETCWD
282  format=kernel
283  syscall=auditon: GETCWD
284#	header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
285#	subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
286#	return,success,0
287#	trailer,68
288
289label=AUE_AUDITON_GETKMASK
290  format=kernel
291  syscall=auditon: GETKMASK
292#	header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
293#	subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
294#	return,success,0
295#	trailer,68
296
297label=AUE_AUDITON_GETSTAT
298  format=kernel
299  syscall=auditon: A_GETSTAT
300#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
301#	subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
302#	return,success,0
303#	trailer,68
304
305label=AUE_AUDITON_GPOLICY
306  format=kernel
307  syscall=auditon: GPOLICY
308#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
309#	subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
310#	return,success,0
311#	trailer,68
312
313label=AUE_AUDITON_GQCTRL
314  format=kernel
315  syscall=auditon: GQCTRL
316#	header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
317#	subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
318#	return,success,0
319#	trailer,68
320
321
322label=AUE_AUDITON_GTERMID
323  skip=Not used.
324
325label=AUE_AUDITON_SESTATE
326  skip=Not used.
327
328label=AUE_AUDITON_SETCLASS
329  format=[arg]1:[arg]2
330    comment=2, "setclass&colon;ec_event", event number:
331    comment=3, "setclass&colon;ec_class", class mask
332  syscall=auditon: SETCLASS
333#	header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
334#	argument,2,0x0,setclass:ec_event
335#	argument,3,0x0,setclass:ec_class
336#	subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
337#	return,success,0
338#	trailer,120
339
340label=AUE_AUDITON_SETCOND
341  format=[arg]1
342    comment=3, "setcond", audit state
343  syscall=auditon: SETCOND
344
345label=AUE_AUDITON_SETKMASK
346  format=[arg]1:[arg]2
347    comment=2, "setkmask as_success", kernel mask:
348    comment=2, "setkmask as_failure", kernel mask
349  syscall=auditon: SETKMASK
350#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
351#	argument,2,0x0,setkmask:as_success
352#	argument,2,0x0,setkmask:as_failure
353#	subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
354#	return,success,0
355#	trailer,124
356#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
357#	argument,2,0x0,setkmask:as_success
358#	argument,2,0x0,setkmask:as_failure
359#	subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
360#	return,failure: Not owner,-1
361#	trailer,124
362
363label=AUE_AUDITON_SETSMASK
364  format=[arg]1:[arg]2
365    comment=3, "setsmask&colon;as_success", session ID mask:
366    comment=3, "setsmask&colon;as_failure", session ID mask
367  syscall=auditon: SETSMASK
368#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
369#	argument,3,0x400,setsmask:as_success
370#	argument,3,0x400,setsmask:as_failure
371#	subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
372#	return,success,0
373#	trailer,124
374#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
375#	argument,3,0x400,setsmask:as_success
376#	argument,3,0x400,setsmask:as_failure
377#	subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
378#	return,failure: Not owner,-1
379#	trailer,124
380
381label=AUE_AUDITON_SETSTAT
382  format=kernel
383  syscall=auditon: SETSTAT
384#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
385#	subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
386#	return,success,0
387#	trailer,68
388#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
389#	subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
390#	return,failure: Not owner,-1
391#	trailer,68
392
393label=AUE_AUDITON_SETUMASK
394  format=[arg]1:[arg]2
395    comment=3, "setumask&colon;as_success", audit ID mask:
396    comment=3, "setumask&colon;as_failure", audit ID mask
397  syscall=auditon: SETUMASK
398#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
399#	argument,3,0x400,setumask:as_success
400#	argument,3,0x400,setumask:as_failure
401#	subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
402#	return,success,0
403#	trailer,124
404#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
405#	argument,3,0x400,setumask:as_success
406#	argument,3,0x400,setumask:as_failure
407#	subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
408#	return,failure: Not owner,-1
409#	trailer,124
410
411label=AUE_AUDITON_SPOLICY
412  format=[arg]1
413    comment=1, audit policy flags, "setpolicy"
414  syscall=auditon: SPOLICY
415#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
416#	argument,3,0x200,setpolicy
417#	subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
418#	return,success,0
419#	trailer,86
420#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
421#	argument,3,0x200,setpolicy
422#	subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
423#	return,failure: Not owner,-1
424#	trailer,86
425
426label=AUE_AUDITON_SQCTRL
427  format=[arg]1:[arg]2:[arg]3:[arg]4
428    comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
429    comment=3, "setqctrl&colon;aq_lowater", queue control param.:
430    comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
431    comment=3, "setqctrl&colon;aq_delay", queue control param.
432  syscall=auditon: SQCTRL
433#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
434#	argument,3,0x64,setqctrl:aq_hiwater
435#	argument,3,0xa,setqctrl:aq_lowater
436#	argument,3,0x400,setqctrl:aq_bufsz
437#	argument,3,0x14,setqctrl:aq_delay
438#	subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
439#	return,success,0
440#	trailer,176
441#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
442#	argument,3,0x64,setqctrl:aq_hiwater
443#	argument,3,0xa,setqctrl:aq_lowater
444#	argument,3,0x400,setqctrl:aq_bufsz
445#	argument,3,0x14,setqctrl:aq_delay
446#	subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
447#	return,failure: Not owner,-1
448#	trailer,176
449
450label=AUE_AUDITON_STERMID
451  skip=Not used.
452
453label=AUE_AUDITSTAT
454  skip=Not used.
455
456label=AUE_AUDITSVC
457  skip=Not used.
458
459label=AUE_AUDITSYS
460  skip=Not used. (Place holder for various auditing events.)
461
462label=AUE_BIND
463# differs from documented version.
464# cases "no vnode" not fully confirmed
465# family and type need argument number
466  case=Invalid socket handle
467    format=arg1
468      comment=1, file descriptor, "so"
469  case=If there is no vnode for this file descriptor
470  case=or if the socket is not of the AF_INET family
471    format=arg1:arg2:arg3
472      comment=1, file descriptor, "so":
473      comment=1, socket family, "family":
474      comment=1, socket type, "type"
475  case=or for all other conditions
476    format=arg1:inet2
477      comment=1, file descriptor, "so":
478      comment=socket address
479
480label=AUE_BRANDSYS
481# generic mechanism to allow user-space and kernel components of a brand
482# to communicate.  The interpretation of the arguments to the call is
483# left entirely up to the brand.
484  format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
485    comment=1, command, "cmd":
486    comment=2, command args, "arg":
487    comment=3, command args, "arg":
488    comment=4, command args, "arg":
489    comment=5, command args, "arg":
490    comment=6, command args, "arg":
491    comment=7, command args, "arg"
492
493label=AUE_BSMSYS
494  skip=Not used.
495
496label=AUE_CHDIR
497  format=path:[attr]
498#	header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
499#	path,/export/home/CC_final/icenine/arv/chdir/obj_succ
500#	attribute,40777,root,other,8388608,231558,0
501#	subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
502#	return,success,0
503#	trailer,151
504#	header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
505#	path,/export/home/CC_final/icenine/arv/chdir/obj_fail
506#	attribute,40000,root,other,8388608,237646,0
507#	subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
508#	return,failure: Permission denied,-1
509#	trailer,151
510
511label=AUE_CHMOD
512  format=arg1:path:[attr]
513    comment=2, mode, "new file mode"
514#	header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
515#	argument,2,0x1f8,new file mode
516#	path,/export/home/CC_final/icenine/arv/chmod/obj_succ
517#	attribute,100770,tuser10,other,8388608,243608,0
518#	subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
519#	return,success,0
520#	trailer,173
521#	header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
522#	argument,2,0x1f8,new file mode
523#	path,/export/home/CC_final/icenine/arv/chmod/obj_fail
524#	attribute,100600,root,other,8388608,243609,0
525#	subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
526#	return,failure: Not owner,-1
527#	trailer,173
528
529label=AUE_CHOWN
530  format=arg1:arg2
531    comment=2, uid, "new file uid":
532    comment=3, gid, "new file gid"
533#	header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
534#	argument,2,0x271a,new file uid
535#	argument,3,0xffffffff,new file gid
536#	path,/export/home/CC_final/icenine/arv/chown/obj_succ
537#	attribute,100644,tuser10,other,8388608,268406,0
538#	subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
539#	return,success,0
540#	trailer,193
541#	header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
542#	argument,2,0x271a,new file uid
543#	argument,3,0xffffffff,new file gid
544#	path,/export/home/CC_final/icenine/arv/chown/obj_fail
545#	attribute,100644,root,other,8388608,268407,0
546#	subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
547#	return,failure: Not owner,-1
548#	trailer,193
549
550label=AUE_CHROOT
551  format=path:[attr]
552#	header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
553#	path,/
554#	attribute,40755,root,root,8388608,2,0
555#	subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
556#	return,success,0
557#	trailer,104
558#	header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
559#	path,/export/home/CC_final/icenine/arv/chroot/obj_fail
560#	attribute,40777,tuser10,other,8388608,335110,0
561#	subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
562#	return,failure: Not owner,-1
563#	trailer,152
564
565label=AUE_CLOCK_SETTIME
566  format=kernel
567
568label=AUE_CLOSE
569  format=arg1:[path]:[attr]
570    comment=1, file descriptor, "fd"
571
572label=AUE_CONFIGKSSL
573  case=Adding KSSL entry.
574    format=text1:inaddr2:text3:text4
575      comment=opcode, KSSL_ADD_ENTRY:
576      comment=local IP address:
577      comment=SSL port number:
578      comment=proxy port number
579  case=Deleting KSSL entry.
580    format=text1:inaddr2:text3
581      comment=opcode, KSSL_DELETE_ENTRY:
582      comment=local IP address:
583      comment=SSL port number
584
585label=AUE_CONNECT
586# cases "no vnode" not fully confirmed
587  case=If there is no vnode for this file descriptor
588  case=If the socket address is not part of the AF_INET family
589    format=arg1:arg2:arg3
590      comment=1, file descriptor, "so":
591      comment=1, socket family, "family":
592      comment=1, socket type, "type"
593  case=If the socket address is part of the AF_INET family
594    format=arg1:inet2
595      comment=1, file descriptor, "so":
596      comment=socket address
597
598label=AUE_CORE
599  syscall=none
600  title=process dumped core
601  see=none
602  format=path:[attr]:arg1
603    comment=1, signal, "signal"
604# see uts/common/c2/audit.c
605
606label=AUE_CREAT
607# obsolete - see open(2)
608  format=path:[attr]
609# does not match old BSM manual
610#	header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
611#	path,/export/home/CC_final/icenine/arv/creat/obj_succ
612#	attribute,100644,tuser10,other,8388608,49679,0
613#	subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
614#	return,success,8
615#	trailer,151
616#	header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
617#	path,/devices/pseudo/mm@0:null
618#	subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
619#	return,success,8
620#	trailer,107
621#	header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
622#	path,/obj_fail
623#	subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
624#	return,failure: Permission denied,-1
625#	trailer,83
626
627label=AUE_CRYPTOADM
628  title=kernel cryptographic framework
629  format=text1:(0..n)[text]2
630  comment=cryptoadm command/operation:
631  comment=mechanism list
632
633label=AUE_DOORFS
634  skip=Not used.  (Place holder for set of door audit events.)
635
636label=AUE_DOORFS_DOOR_BIND
637  skip=Not used.
638  syscall=doorfs:  DOOR_BIND
639
640label=AUE_DOORFS_DOOR_CALL
641  format=arg1:proc2
642    comment=1, door ID, "door ID":
643    comment=for process that owns the door
644  syscall=doorfs:  DOOR_CALL
645
646label=AUE_DOORFS_DOOR_CREATE
647  format=arg1
648    comment=1, door attributes, "door attr"
649  syscall=doorfs:  DOOR_CREATE
650
651label=AUE_DOORFS_DOOR_CRED
652  skip=Not used.
653  syscall=doorfs:  DOOR_CRED
654
655label=AUE_DOORFS_DOOR_INFO
656  skip=Not used.
657  syscall=doorfs:  DOOR_INFO
658
659label=AUE_DOORFS_DOOR_RETURN
660  format=kernel
661  syscall=doorfs:  DOOR_RETURN
662
663label=AUE_DOORFS_DOOR_REVOKE
664  format=arg1
665    comment=1, door ID, "door ID"
666  syscall=doorfs:  DOOR_REVOKE
667
668label=AUE_DOORFS_DOOR_UNBIND
669  skip=Not used.
670  syscall=doorfs:  DOOR_UNBIND
671
672label=AUE_DUP2
673skip=Not used.
674
675label=AUE_ENTERPROM
676  title=enter prom
677  syscall=none
678  format=head:text1:ret
679    comment="kmdb"
680#	header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
681#	text,kmdb
682#	return,success,0
683
684label=AUE_EXEC
685# obsolete - see execve(2)
686  format=path:[attr]1:[exec_args]2:[exec_env]3
687    comment=omitted on error:
688    comment=output if argv policy is set:
689    comment=output if arge policy is set
690
691label=AUE_EXECVE
692  format=path:[attr]1:[exec_args]2:[exec_env]3
693    comment=omitted on error:
694    comment=output if argv policy is set:
695    comment=output if arge policy is set
696#	header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
697#	path,/devices/pseudo/mm@0:null
698#	subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
699#	return,success,8
700#	trailer,107
701#	header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
702#	path,/usr/bin/pig
703#	subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
704#	return,failure: No such file or directory,-1
705#	trailer,86
706
707label=AUE_PFEXEC
708  format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
709    comment=pathname of the executable:
710    comment=pathname of working directory:
711    comment=privileges if the limit or inheritable set are changed:
712    comment=process if ruid, euid, rgid or egid is changed:
713    comment=output if arge policy is set
714
715label=AUE_EXIT
716  format=arg1:[text]2
717    comment=1, exit status, "exit status":
718    comment=event aborted
719
720label=AUE_EXITPROM
721  title=exit prom
722  syscall=none
723  format=head:text1:ret
724    comment="kmdb"
725#	header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
726#	text,kmdb
727#	return,success,0
728
729label=AUE_EXPORTFS
730  skip=Not used.
731
732label=AUE_FACCESSAT
733# obsolete
734  see=access(2)
735  format=path:[attr]
736
737label=AUE_FACLSET
738  syscall=facl
739  case=Invalid file descriptor
740    format=arg1:arg2
741      comment=2, SETACL, "cmd":
742      comment=3, number of ACL entries, "nentries"
743  case=Zero path
744    format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
745      comment=2, SETACL, "cmd":
746      comment=3, number of ACL entries, "nentries":
747      comment=1, file descriptor, "no path&colon; fd":
748      comment=ACLs
749  case=Non-zero path
750    format=arg1:arg2:path:[attr]:(0..n)[acl]3
751      comment=2, SETACL, "cmd":
752      comment=3, number of ACL entries, "nentries":
753      comment=ACLs
754
755label=AUE_FCHDIR
756  format=[path]:[attr]
757#	header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
758#	path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
759#	attribute,40777,tuser10,other,8388608,207662,0
760#	subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
761#	return,success,0
762#	trailer,150
763#	header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
764#	subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
765#	return,failure: Permission denied,-1
766#	trailer,68
767
768label=AUE_FCHMOD
769  case=With a valid file descriptor and path
770    format=arg1:path:[attr]
771      comment=2, mode, "new file mode"
772  case=With a valid file descriptor and invalid path
773    format=arg1:[arg]2:[attr]
774      comment=2, mode, "new file mode":
775      comment=1, file descriptor, "no path&colon; fd"
776  case=With an invalid file descriptor
777    format=arg1
778      comment=2, mode, "new file mode"
779#	header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
780#	argument,2,0x1a4,new file mode
781#	path,/export/home/CC/icenine/arv/fchmod/obj_succ
782#	attribute,100644,tuser10,other,7602240,26092,0
783#	subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
784#	return,success,0
785#	trailer,168
786#	header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
787#	argument,2,0x1a4,new file mode
788#	subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
789#	return,failure: Bad file number,-1
790#	trailer,90
791#	header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
792#	argument,2,0x1a4,new file mode
793#	path,/export/home/CC/icenine/arv/fchmod/obj_fail
794#	attribute,100644,root,other,7602240,26093,0
795#	subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
796#	return,failure: Not owner,-1
797#	trailer,168
798
799label=AUE_FCHOWN
800  case=With a valid file descriptor
801    format=arg1:arg2:[path]:[attr]
802      comment=2, uid, "new file uid":
803      comment=3, gid, "new file gid"
804  case=With an invalid file descriptor
805    format=arg1:arg2:[arg]3:[attr]
806       comment=2, uid, "new file uid":
807       comment=3, gid, "new file gid":
808       comment=1, file descriptor, "no path fd"
809
810label=AUE_FCHOWNAT
811# obsolete
812  see=openat(2)
813  case=With a valid absolute/relative file path
814    format=path:[attr]
815  case=With an file path eq. NULL and valid file descriptor
816    format=kernel
817
818label=AUE_FCHROOT
819  format=[path]:[attr]
820# fchroot -> chdirec -> audit_chdirec
821
822label=AUE_FCNTL
823  case=With a valid file descriptor
824    format=arg1:[arg]2:path:attr
825      comment=2, command, "cmd":
826      comment=3, flags, "flags"
827  case=With an invalid file descriptor
828    format=arg1:[arg]2:arg3
829      comment=2, command, "cmd":
830      comment=3, flags, "flags":
831      comment=1, file descriptor, "no path fd"
832  note=Flags are included only when cmd is F_SETFL.
833
834label=AUE_FLOCK
835  skip=Not used.
836
837label=AUE_FORKALL
838  format=[arg]1
839    comment=0, pid, "child PID"
840  note=The forkall(2) return values are undefined because the audit record
841  note=is produced at the point that the child process is spawned.
842# see audit.c
843
844label=AUE_FORK1
845  format=[arg]1
846    comment=0, pid, "child PID"
847  note=The fork1(2) return values are undefined because the audit record
848  note=is produced at the point that the child process is spawned.
849# see audit.c
850
851label=AUE_FSAT
852# obsolete
853  skip=Not used.  (Placeholder for AUE_*AT records)
854
855label=AUE_FSTAT
856  skip=Not used.
857
858label=AUE_FSTATAT
859# obsolete
860  format=path:[attr]
861
862label=AUE_FSTATFS
863  case=With a valid file descriptor
864    format=[path]:[attr]
865  case=With an invalid file descriptor
866    format=arg1
867      comment=1, file descriptor, "no path fd"
868
869label=AUE_FTRUNCATE
870  skip=Not used.
871
872label=AUE_FUSERS
873  syscall=utssys: UTS_FUSERS
874  format=path:attr
875
876label=AUE_FUTIMESAT
877# obsolete
878  format=[path]:[attr]
879
880label=AUE_GETAUDIT
881  format=kernel
882#	header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
883#	subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
884#	return,success,0
885#	trailer,68
886#	header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
887#	subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
888#	return,success,0
889#	trailer,68
890
891label=AUE_GETAUDIT_ADDR
892  format=kernel
893#	header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
894#	subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
895#	return,success,0
896
897label=AUE_GETAUID
898  format=kernel
899#	header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
900#	subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
901#	return,success,0
902#	trailer,68
903#	header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
904#	subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
905#	return,failure: Not owner,-1
906#	trailer,68
907
908label=AUE_GETDENTS
909  skip=Not used.
910#Not security relevant
911
912label=AUE_GETKERNSTATE
913  skip=Not used.
914
915label=AUE_GETMSG
916  case=With a valid file descriptor
917  format=arg1:[path]:attr:arg2
918    comment=1, file descriptor, "fd":
919    comment=4, priority, "pri"
920  case=With an invalid file descriptor
921  format=arg1:arg2
922    comment=1, file descriptor, "fd":
923    comment=4, priority, "pri"
924
925label=AUE_GETPMSG
926  case=With a valid file descriptor
927  format=arg1:[path]:attr
928    comment=1, file descriptor, "fd"
929  case=With an invalid file descriptor
930  format=arg1
931    comment=1, file descriptor, "fd"
932
933label=AUE_GETPORTAUDIT
934  format=Not used.
935
936label=AUE_GETUSERAUDIT
937  skip=Not used.
938
939label=AUE_INST_SYNC
940  format=arg1
941    comment=2, flags value, "flags"
942
943label=AUE_IOCTL
944  case=With an invalid file descriptor
945    format=arg1:arg2:arg3
946      comment=1, file descriptor, "fd":
947      comment=2, command, "cmd":
948      comment=3, arg, "arg"
949  case=With a valid file descriptor
950    format=path:[attr]:arg1:arg2
951      comment=2, ioctl cmd, "cmd":
952      comment=3, ioctl arg, "arg"
953  case=Non-file file descriptor
954    format=arg1:arg2:arg3
955      comment=1, file descriptor, "fd":
956      comment=2, ioctl cmd, "cmd":
957      comment=3, ioctl arg, "arg"
958  case=Bad file name
959    format=arg1:arg2:arg3
960      comment=1, file descriptor, "no path&colon; fd":
961      comment=2, ioctl cmd, "cmd":
962      comment=3, ioctl arg, "arg"
963# old BSM manual misses a case
964
965label=AUE_JUNK
966  skip=Not used.
967
968label=AUE_KILL
969  case=Valid process
970    format=arg1:[proc]
971      comment=2, signo, "signal"
972  case=Zero or negative process
973    format=arg1:arg2
974      comment=2, signo, "signal":
975      comment=1, pid, "process"
976
977label=AUE_KILLPG
978  skip=Not used.
979
980label=AUE_LCHOWN
981  format=arg1:arg2:path:[attr]
982    comment=2, uid, "new file uid":
983    comment=3, gid, "new file gid"
984
985label=AUE_LINK
986  format=path1:[attr]:path2
987     comment=from path:
988     comment=to path
989
990label=AUE_LSEEK
991  skip=Not used.
992
993label=AUE_LSTAT
994  format=path:[attr]
995
996label=AUE_LXSTAT
997# obsolete
998  skip=Not used.
999
1000label=AUE_MCTL
1001  skip=Not used.
1002
1003label=AUE_MEMCNTL
1004  format=arg1:arg2:arg3:arg4:arg5:arg6
1005    comment=1, base address, "base":
1006    comment=2, length, "len":
1007    comment=3, command, "cmd":
1008    comment=4, command args, "arg":
1009    comment=5, command attributes, "attr":
1010    comment=6, 0, "mask"
1011
1012label=AUE_MKDIR
1013  format=arg1:path:[attr]
1014    comment=2, mode, "mode"
1015
1016label=AUE_MKNOD
1017  format=arg1:arg2:path:[attr]
1018    comment=2, mode, "mode":
1019    comment=3, dev, "dev"
1020
1021label=AUE_MMAP
1022  case=With a valid file descriptor
1023    format=arg1:arg2:[path]3:[attr]
1024      comment=1, segment address, "addr":
1025      comment=2, segment address, "len":
1026      comment=if no path, then argument&colon; \
1027        1, "nopath&colon; fd", file descriptor
1028  case=With an invalid file descriptor
1029    format=arg1:arg2:arg3
1030      comment=1, segment address, "addr":
1031      comment=2, segment address, "len":
1032      comment=1, file descriptor, "no path&colon; fd"
1033
1034label=AUE_MODADDMAJ
1035  title=modctl: bind module
1036  syscall=modctl
1037  format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1038    comment=driver major number:
1039    comment=driver name:
1040    comment=driver major number or "no drvname":
1041    comment=5, number of aliases, "":
1042    comment=aliases
1043
1044label=AUE_MODADDPRIV
1045  format=kernel
1046
1047label=AUE_MODCONFIG
1048  skip=Not used.
1049
1050label=AUE_MODCTL
1051  skip=Not used. (placeholder)
1052
1053label=AUE_MODDEVPLCY
1054  syscall=modctl
1055  title=modctl: set device policy
1056  case=If unknown minor name/pattern
1057    format=arg1:arg2:arg3:arg4:arg5
1058      comment=2, "major", major number:
1059      comment=2, "lomin", low minor number, if known:
1060      comment=2, "himin", hi minor number, if known:
1061      comment=privileges required for reading:
1062      comment=privileges required for writing
1063  case=else
1064    format=arg1:text2:arg3:arg4
1065      comment=2, "major", major number:
1066      comment=minor name/pattern:
1067      comment=privileges required for reading:
1068      comment=privileges required for writing
1069
1070label=AUE_MODLOAD
1071  syscall=modctl
1072  title=modctl: load module
1073  format=[text]1:text2
1074    comment=default path:
1075    comment=filename path
1076
1077label=AUE_MODUNLOAD
1078  syscall=modctl
1079  title=modctl: unload module
1080  format=arg1
1081    comment=1, module ID, "id"
1082
1083label=AUE_MOUNT
1084  case=UNIX file system
1085    format=arg1:text2:path:[attr]
1086      comment=3, flags, "flags":
1087      comment=filesystem type
1088  case=NFS file system
1089    format=arg1:text2:text3:arg4:path:[attr]
1090      comment=3, flags, "flags":
1091      comment=filesystem type:
1092      comment=host name:
1093      comment=3, flags, "internal flags"
1094# unix example:
1095#	header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1096#	argument,3,0x104,flags
1097#	text,ufs
1098#	path,/var2
1099#	attribute,40755,root,root,32,12160,0
1100#	path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1101#	attribute,60640,root,sys,32,231268,137438953476
1102#	subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1103#	return,success,4290707268
1104#		       ^^^^^^^^^^         <- bugid 4333559
1105
1106label=AUE_MSGCTL
1107  format=arg1:[ipc]:[ipc_perm]
1108    comment=1, message ID, "msg ID"
1109  note=ipc_perm
1110# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1111
1112label=AUE_MSGCTL_RMID
1113  format=arg1:[ipc]:[ipc_perm]
1114    comment=1, message ID, "msg ID"
1115  note=ipc_perm
1116  syscall=msgctl: IPC_RMID
1117# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1118
1119label=AUE_MSGCTL_SET
1120  format=arg1:[ipc]:[ipc_perm]
1121    comment=1, message ID, "msg ID"
1122  note=ipc_perm
1123  syscall=msgctl: IPC_SET
1124# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1125
1126label=AUE_MSGCTL_STAT
1127  format=arg1:[ipc]:[ipc_perm]
1128    comment=1, message ID, "msg ID"
1129  note=ipc_perm
1130  syscall=msgctl: IPC_STAT
1131# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1132
1133label=AUE_MSGGET
1134  format=arg1:ipc
1135    comment=1, message key, "msg key"
1136  note=ipc_perm
1137  syscall=msgget
1138
1139label=AUE_MSGGETL
1140  skip=Not used.
1141
1142label=AUE_MSGRCV
1143  format=arg1:[ipc]:[ipc_perm]
1144    comment=1, message ID, "msg ID"
1145  note=ipc_perm
1146  syscall=msgrcv
1147# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1148
1149label=AUE_MSGRCVL
1150  skip=Not used.
1151
1152label=AUE_MSGSND
1153  format=arg1:[ipc]:[ipc_perm]
1154    comment=1, message ID, "msg ID"
1155  note=ipc_perm
1156  syscall=msgsnd
1157# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1158
1159label=AUE_MSGSNDL
1160  skip=Not used.
1161
1162label=AUE_MSGSYS
1163skip=Not used.  (Placeholder for AUE_MSG* events.)
1164
1165label=AUE_MUNMAP
1166  format=arg1:arg2
1167    comment=1, address of memory, "addr":
1168    comment=2, memory segment size, "len"
1169
1170label=AUE_NFS
1171  skip=Not used.
1172
1173label=AUE_NFSSVC_EXIT
1174  skip=Not used.
1175
1176label=AUE_NFS_GETFH
1177  skip=Not used.
1178
1179label=AUE_NFS_SVC
1180  skip=Not used.
1181
1182label=AUE_NICE
1183  format=kernel
1184
1185label=AUE_NULL
1186  skip=Not used.  (placeholder)
1187# used internal to audit_event.c for minimal audit
1188
1189label=AUE_NTP_ADJTIME
1190  format=kernel
1191
1192label=AUE_ONESIDE
1193  skip=Not used.
1194
1195label=AUE_OPEN
1196  skip=Not used.  (placeholder for AUE_OPEN_*).
1197
1198label=AUE_OPEN_R
1199  format=path:[path_attr]:[attr]
1200  see=open(2) - read
1201
1202label=AUE_OPENAT_R
1203# obsolete
1204  format=path:[path_attr]:[attr]
1205  see=openat(2)
1206
1207label=AUE_OPEN_RC
1208  format=path:[path_attr]:[attr]
1209  see=open(2) - read,creat
1210
1211label=AUE_OPENAT_RC
1212# obsolete
1213  see=openat(2)
1214  format=path:[path_attr]:[attr]
1215
1216label=AUE_OPEN_RT
1217  format=path:[path_attr]:[attr]
1218  see=open(2) - read,trunc
1219
1220label=AUE_OPENAT_RT
1221# obsolete
1222  see=openat(2)
1223  format=path:[path_attr]:[attr]
1224
1225label=AUE_OPEN_RTC
1226  format=path:[path_attr]:[attr]
1227  see=open(2) - read,trunc,creat
1228
1229label=AUE_OPENAT_RTC
1230# obsolete
1231  see=openat(2)
1232  format=path:[path_attr]:[attr]
1233
1234label=AUE_OPEN_RW
1235  format=path:[path_attr]:[attr]
1236  see=open(2) - read,write
1237
1238label=AUE_OPENAT_RW
1239# obsolete
1240  see=openat(2)
1241  format=path:[path_attr]:[attr]
1242# aui_fsat(): fm & O_RDWR
1243
1244label=AUE_OPEN_RWC
1245  format=path:[path_attr]:[attr]
1246  see=open(2) - read,write,creat
1247
1248label=AUE_OPENAT_RWC
1249# obsolete
1250  see=openat(2)
1251  format=path:[path_attr]:[attr]
1252
1253label=AUE_OPEN_RWT
1254  format=path:[path_attr]:[attr]
1255  see=open(2) - read,write,trunc
1256
1257label=AUE_OPENAT_RWT
1258# obsolete
1259  see=openat(2)
1260  format=path:[path_attr]:[attr]
1261
1262label=AUE_OPEN_RWTC
1263  format=path:[path_attr]:[attr]
1264  see=open(2) - read,write,trunc,creat
1265
1266label=AUE_OPENAT_RWTC
1267# obsolete
1268  see=openat(2)
1269  format=path:[path_attr]:[attr]
1270
1271label=AUE_OPEN_W
1272  format=path:[path_attr]:[attr]
1273  see=open(2) - write
1274
1275label=AUE_OPENAT_W
1276  see=openat(2)
1277  format=path:[path_attr]:[attr]
1278
1279label=AUE_OPEN_WC
1280  format=path:[path_attr]:[attr]
1281  see=open(2) - write,creat
1282
1283label=AUE_OPENAT_WC
1284  see=openat(2)
1285  format=path:[path_attr]:[attr]
1286
1287label=AUE_OPEN_WT
1288  format=path:[path_attr]:[attr]
1289  see=open(2) - write,trunc
1290
1291label=AUE_OPENAT_WT
1292  see=openat(2)
1293  format=path:[path_attr]:[attr]
1294
1295label=AUE_OPEN_WTC
1296  format=path:[path_attr]:[attr]
1297  see=open(2) - write,trunc,creat
1298
1299label=AUE_OPENAT_WTC
1300  see=openat(2)
1301  format=path:[path_attr]:[attr]
1302
1303label=AUE_OSETPGRP
1304  skip=Not used.
1305
1306label=AUE_OSTAT
1307# obsolete
1308  skip=Not used.
1309
1310label=AUE_PATHCONF
1311  format=path:[attr]
1312
1313label=AUE_PIPE
1314format=kernel
1315# class is no, not usually printed
1316
1317label=AUE_PORTFS
1318  skip=Not used (placeholder for AUE_PORTFS_*).
1319
1320label=AUE_PORTFS
1321  skip=Not used (placeholder for AUE_PORTFS_*).
1322
1323label=AUE_PORTFS_ASSOCIATE
1324  syscall=portfs
1325  see=port_associate(3C)
1326  case=Port association via PORT_SOURCE_FILE
1327  format=[path]1:attr
1328    comment=name of the file/directory to be watched
1329
1330label=AUE_PORTFS_DISSOCIATE
1331  syscall=portfs
1332  see=port_dissociate(3C)
1333  case=Port disassociation via PORT_SOURCE_FILE
1334  format=kernel
1335
1336label=AUE_PRIOCNTLSYS
1337  syscall=priocntl
1338  see=priocntl(2)
1339  format=arg1:arg2
1340    comment=1, priocntl version number, "pc_version":
1341    comment=3, command, "cmd"
1342
1343label=AUE_PROCESSOR_BIND
1344  case=No LWP/thread bound to the processor
1345    format=arg1:arg2:text3:[proc]
1346      comment=1, type of ID, "ID type":
1347      comment=2, ID value, "ID":
1348      comment="PBIND_NONE"
1349  case=With processor bound
1350    format=arg1:arg2:arg3:[proc]
1351      comment=1, type of ID, "ID type":
1352      comment=2, ID value, "ID":
1353      comment=3, processor ID, "processor_id"
1354
1355label=AUE_PUTMSG
1356  see=putmsg(2)
1357  format=arg1:[path]:[attr]:arg2
1358    comment=1, file descriptor, "fd":
1359    comment=4, priority, "pri"
1360
1361label=AUE_PUTPMSG
1362  see=putpmsg(2)
1363  format=arg1:[path]:[attr]:arg2:arg3
1364    comment=1, file descriptor, "fd":
1365    comment=4, priority, "pri":
1366    comment=5, flags, "flags"
1367
1368label=AUE_P_ONLINE
1369  format=arg1:arg2:text3
1370    comment=1, processor ID, "processor ID":
1371    comment=2, flags value, "flags":
1372    comment=text form of flags.  Values&colon;  \
1373      P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
1374
1375label=AUE_QUOTACTL
1376  skip=Not used.
1377
1378label=AUE_READ
1379  skip=Not used.  (Placeholder for AUE_READ_* events)
1380
1381label=AUE_READL
1382  skip=Not used. (Obsolete)
1383
1384label=AUE_READLINK
1385  format=path:[attr]
1386
1387label=AUE_READV
1388  skip=Not used (obsolete)
1389# detritus from CMS
1390
1391label=AUE_READVL
1392  skip=Not used (obsolete)
1393# detritus from CMS
1394
1395label=AUE_REBOOT
1396  skip=Not used.
1397
1398label=AUE_RECV
1399  case=If address family is AF_INET or AF_INET6
1400    format=[arg]1:[inet]
1401      comment=1, file descriptor, "so"
1402  case=If address family is AF_UNIX and path is defined
1403    format=[path]1:[attr]
1404      comment=1, file descriptor, "so"
1405  case=If address family is AF_UNIX and path is NULL
1406    format=[path]1:[attr]
1407      comment=1, file descriptor, "no path&colon; fd"
1408  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1409    format=[arg]1:[arg]2:[arg]3
1410      comment=1, file descriptor, "so":
1411      comment=1, family, "family":
1412      comment=1, type, "type"
1413# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1414
1415label=AUE_RECVFROM
1416  format=inet:arg1:[arg]2:inet3:arg4
1417    comment=3, message length, "len":
1418    comment=4, flags, "flags":
1419    comment=from address:
1420    comment=6, address length, "tolen"
1421  note=The socket token for a bad socket is reported as "argument
1422  note=token (1, socket descriptor, "fd")"
1423
1424label=AUE_RECVMSG
1425  case=If invalid file descriptor
1426    format=arg1:arg2
1427      comment=1, file descriptor, "so":
1428      comment=3, flags, "flags"
1429  case=If valid file descriptor and socket is AF_UNIX and no path
1430  format=arg1:[attr]
1431    comment=1, file descriptor, "no path&colon; fd"
1432  case=If valid file descriptor and socket is AF_UNIX and path defined
1433  format=path:attr
1434  case=If valid file descriptor and socket is AF_INET or AF_INET6
1435  case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1436  format=arg1:arg2:inet
1437    comment=1, file descriptor, "so":
1438    comment=2, flags, "flags"
1439  case=.. if socket type is unknown
1440  format=arg1:arg2:arg3:arg4
1441    comment=1, file descriptor, "so":
1442    comment=1, family, "family":
1443    comment=1, type, "type":
1444    comment=3, flags, "flags"
1445
1446label=AUE_RENAME
1447  format=path1:[attr]1:[path]2
1448  comment=from name:
1449  comment=to name
1450
1451label=AUE_RENAMEAT
1452# obsolete
1453  format=path1:[attr]1:[path]2
1454  comment=from name:
1455  comment=to name
1456
1457label=AUE_RFSSYS
1458  skip=Not used.
1459# apparently replaced
1460
1461label=AUE_RMDIR
1462  format=path:[attr]
1463
1464label=AUE_SEMCTL
1465  format=arg1:[ipc]:[ipc_perm]
1466    comment=1, semaphore ID, "sem ID"
1467  note=ipc_perm
1468# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1469
1470label=AUE_SEMCTL_GETALL
1471  format=arg1:[ipc]:[ipc_perm]
1472    comment=1, semaphore ID, "sem ID"
1473  note=ipc_perm
1474  syscall=semctl: GETALL
1475# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1476
1477label=AUE_SEMCTL_GETNCNT
1478  format=arg1:[ipc]:[ipc_perm]
1479    comment=1, semaphore ID, "sem ID"
1480  note=ipc_perm
1481  syscall=semctl: GETNCNT
1482# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1483
1484label=AUE_SEMCTL_GETPID
1485  format=arg1:[ipc]:[ipc_perm]
1486    comment=1, semaphore ID, "sem ID"
1487  note=ipc_perm
1488  syscall=semctl: GETPID
1489# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1490
1491label=AUE_SEMCTL_GETVAL
1492  format=arg1:[ipc]:[ipc_perm]
1493    comment=1, semaphore ID, "sem ID"
1494  note=ipc_perm
1495  syscall=semctl: GETVAL
1496# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1497
1498label=AUE_SEMCTL_GETZCNT
1499  format=arg1:[ipc]:[ipc_perm]
1500    comment=1, semaphore ID, "sem ID"
1501  note=ipc_perm
1502  syscall=semctl: GETZCNT
1503# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1504
1505label=AUE_SEMCTL_RMID
1506  format=arg1:[ipc]:[ipc_perm]
1507    comment=1, semaphore ID, "sem ID"
1508  note=ipc_perm
1509  syscall=semctl: IPC_RMID
1510# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1511
1512label=AUE_SEMCTL_SET
1513  format=arg1:[ipc]:[ipc_perm]
1514    comment=1, semaphore ID, "sem ID"
1515  note=ipc_perm
1516  syscall=semctl: IPC_SET
1517# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1518
1519label=AUE_SEMCTL_SETALL
1520  format=arg1:[ipc]:[ipc_perm]
1521    comment=1, semaphore ID, "sem ID"
1522  note=ipc_perm
1523  syscall=semctl: SETALL
1524# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1525
1526label=AUE_SEMCTL_SETVAL
1527  format=arg1:[ipc]:[ipc_perm]
1528    comment=1, semaphore ID, "sem ID"
1529  note=ipc_perm
1530  syscall=semctl: SETVAL
1531# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1532
1533label=AUE_SEMCTL_STAT
1534  format=arg1:[ipc]:[ipc_perm]
1535    comment=1, semaphore ID, "sem ID"
1536  note=ipc_perm
1537  syscall=semctl: IPC_STAT
1538# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1539
1540label=AUE_SEMGET
1541  format=arg1:[ipc_perm]:ipc
1542    comment=1, semaphore ID, "sem key"
1543  note=ipc_perm
1544  syscall=semctl: SETVAL
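1545# ipc_perm token: semget -> audit_ipcget.  NOTE(review): syscall= above reads "semctl: SETVAL", the same value as AUE_SEMCTL_SETVAL; this event is semget -- confirm.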
1546
1547label=AUE_SEMGETL
1548  skip=Not used.
1549
1550label=AUE_SEMOP
1551  format=arg1:[ipc]:[ipc_perm]
1552    comment=1, semaphore ID, "sem ID"
1553  note=ipc_perm
1554# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1555
1556label=AUE_SEMSYS
1557  skip=Not used.  (place holder) -- defaults to a semget variant
1558
1559label=AUE_SEND
1560  case=If address family is AF_INET or AF_INET6
1561    format=[arg]1:[inet]
1562      comment=1, file descriptor, "so"
1563  case=If address family is AF_UNIX and path is defined
1564    format=[path]1:[attr]
1565      comment=1, file descriptor, "so"
1566  case=If address family is AF_UNIX and path is NULL
1567    format=[path]1:[attr]
1568      comment=1, file descriptor, "no path&colon; fd"
1569  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1570    format=[arg]1:[arg]2:[arg]3
1571      comment=1, file descriptor, "so":
1572      comment=1, family, "family":
1573      comment=1, type, "type"
1574# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1575
1576label=AUE_SENDMSG
1577  case=If invalid file descriptor
1578    format=arg1:arg2
1579      comment=1, file descriptor, "so":
1580      comment=3, flags, "flags"
1581  case=If valid file descriptor
1582  case=...and address family is AF_UNIX and path is defined
1583    format=path:attr
1584  case=...and address family is AF_UNIX and path is NULL
1585    format=path1:attr
1586      comment=1, file descriptor, "nopath&colon; fd"
1587  case=...and address family is AF_INET or AF_INET6, \
1588    socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1589    format=arg1:arg2:inet
1590      comment=1, file descriptor, "so":
1591      comment=3, flags, "flags"
1592  case=...and unknown address family or address family AF_INET or AF_INET6 \
1593    and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1594    format=arg1:arg2:arg3:arg4
1595      comment=1, file descriptor, "so":
1596      comment=1, family, "family":
1597      comment=1, type, "type":
1598      comment=1, flags, "flags"
1599
1600label=AUE_SENDTO
1601  case=If invalid file descriptor
1602    format=arg1:arg2
1603      comment=1, file descriptor, "so":
1604      comment=3, flags, "flags"
1605  case=If valid file descriptor
1606  case=...and socket is AF_UNIX and path is defined
1607    format=path:attr
1608  case=...and address family is AF_UNIX and path is NULL
1609    format=path1:attr
1610      comment=1, file descriptor, "nopath&colon; fd"
1611  case=...and address family is AF_INET or AF_INET6
1612    format=arg1:arg2:inet
1613      comment=1, file descriptor, "so":
1614      comment=3, flags, "flags"
1615  case=...and unknown address family
1616    format=arg1:arg2:arg3:arg4
1617      comment=1, file descriptor, "so":
1618      comment=1, family, "family":
1619      comment=1, type, "type":
1620      comment=1, flags, "flags"
1621
1622label=AUE_SETAUDIT
1623  case=With a valid program stack address
1624    format=arg1:arg2:arg3:arg4:arg5:arg6
1625      comment=1, audit user ID, "setaudit&colon;auid":
1626      comment=1, terminal ID, "setaudit&colon;port":
1627      comment=1, terminal ID, "setaudit&colon;machine":
1628      comment=1, preselection mask, "setaudit&colon;as_success":
1629      comment=1, preselection mask, "setaudit&colon;as_failure":
1630      comment=1, audit session ID, "setaudit&colon;asid"
1631  case=With an invalid program stack address
1632    format=kernel
1633#	header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1634#	argument,1,0x271a,setaudit:auid
1635#	argument,1,0x3ff0201,setaudit:port
1636#	argument,1,0x8192591e,setaudit:machine
1637#	argument,1,0x400,setaudit:as_success
1638#	argument,1,0x400,setaudit:as_failure
1639#	argument,1,0x16f,setaudit:asid
1640#	subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1641#	return,success,0
1642#	trailer,215
1643#	header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1644#	argument,1,0x271a,setaudit:auid
1645#	argument,1,0x3ff0201,setaudit:port
1646#	argument,1,0x8192591e,setaudit:machine
1647#	argument,1,0x400,setaudit:as_success
1648#	argument,1,0x400,setaudit:as_failure
1649#	argument,1,0x16f,setaudit:asid
1650#	subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1651#	return,success,0
1652#	trailer,215
1653
1654label=AUE_SETAUDIT_ADDR
1655  case=With a valid program stack address
1656    format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1657      comment=1, audit user ID, "auid":
1658      comment=1, terminal ID, "port":
1659      comment=1, type, "type":
1660      comment=1, terminal ID, "ip address":
1661      comment=1, preselection mask, "as_success":
1662      comment=1, preselection mask, "as_failure":
1663      comment=1, audit session ID, "asid"
1664  case=With an invalid program stack address
1665    format=kernel
1666#	header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1667#	argument,1,0x15fa7,auid
1668#	argument,1,0x0,port
1669#	argument,1,0x4,type
1670#	ip address,tmach2
1671#	argument,1,0x9c00,as_success
1672#	argument,1,0x9c00,as_failure
1673#	argument,1,0x1f1,asid
1674#	subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1675#	return,success,0
1676
1677label=AUE_SETAUID
1678  format=arg1
1679    comment=2, audit user ID, "setauid"
1680
1681label=AUE_SETDOMAINNAME
1682  skip=Not used.  (See AUE_SYSINFO)
1683# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1684
1685label=AUE_SETEGID
1686  format=arg1
1687    comment=1, group ID, "gid"
1688
1689label=AUE_SETEUID
1690  format=arg1
1691    comment=1, user ID, "euid"
1692
1693label=AUE_SETGID
1694  format=arg1
1695    comment=1, group ID, "gid"
1696
1697label=AUE_SETGROUPS
1698  note=If more than NGROUPS_MAX_DEFAULT groups listed,
1699  note=no tokens are generated.
1700  case=If no groups in list
1701    format=[arg]1
1702      comment=1, 0, "setgroups"
1703  case=If 1 or more groups in list
1704    format=(1..n)arg1
1705      comment=1, gid, "setgroups"
1706
1707label=AUE_SETHOSTNAME
1708  skip=Not used.  (See AUE_SYSINFO)
1709# See sysinfo call with command SI_SET_HOSTNAME
1710
1711label=AUE_SETKERNSTATE
1712  skip=Not used.
1713
1714label=AUE_SETPGID
1715  format=[proc]:[arg]1
1716  comment=2, pgid, "pgid"
1717
1718label=AUE_SETPGRP
1719  format=kernel
1720
1721label=AUE_SETPRIORITY
1722  skip=Not used.
1723
1724label=AUE_SETPPRIV
1725  case=operation privileges off
1726  format=arg1:privset2
1727    comment=setppriv operation:
1728    comment=privileges actually switched off
1729  case=operation privileges on
1730  format=arg1:privset2
1731    comment=setppriv operation:
1732    comment=privileges actually switched on
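# NOTE(review): this case title repeats "operation privileges off" from the first case, but the format carries before/after privsets and the sample record below has op 0x2 with two privilege tokens -- probably the set operation; confirm.
1733  case=operation privileges off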
1734  format=arg1:privset2:privset3
1735    comment=setppriv operation:
1736    comment=privileges before privset:
1737    comment=privileges after privset
1738#header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
1739#argument,2,0x2,op
1740#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1741#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1742#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1743#return,success,0
1744
1745label=AUE_SETREGID
1746  format=arg1:arg2
1747    comment=1, real group ID, "rgid":
1748    comment=2, effective group ID, "egid"
1749
1750label=AUE_SETREUID
1751  format=arg1:arg2
1752    comment=1, real user ID, "ruid":
1753    comment=2, effective user ID, "euid"
1754
1755label=AUE_SETRLIMIT
1756  format=kernel
1757#	header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1758#	subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1759#	return,success,0
1760
1761label=AUE_SETSID
1762  format=kernel
1763
1764label=AUE_SETSOCKOPT
1765  case=Invalid file descriptor
1766    format=arg1:arg2
1767      comment=1, file descriptor, "so":
1768      comment=2, level, "level"
1769  case=Valid file descriptor
1770  case=...and socket is AF_UNIX
1771    format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1772      comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
1773        file descriptor:
1774      comment=1, file descriptor, "so":
1775      comment=1, family, "family":
1776      comment=1, type, "type":
1777      comment=2, protocol level, "level":
1778      comment=3, option name, "optname":
1779      comment=5, option length, "optlen":
1780      comment=option data
1781  case=...and socket is AF_INET or AF_INET6
1782    format=arg1:arg2:arg3:[arg]4:[data]5:inet
1783      comment=1, file descriptor, "so":
1784      comment=2, protocol level, "level":
1785      comment=3, option name, "optname":
1786      comment=5, option length, "optlen":
1787      comment=option data
1788  case=...and socket address family is unknown
1789    format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1790      comment=1, file descriptor, "so":
1791      comment=1, family, "family":
1792      comment=1, type, "type":
1793      comment=2, protocol level, "level":
1794      comment=3, option name, "optname":
1795      comment=5, option length, "optlen":
1796      comment=option data
1797
1798label=AUE_SETTIMEOFDAY
1799  skip=Not used.
1800
1801label=AUE_SETUID
1802  syscall=setuid
1803  format=arg1
1804    comment=1, "uid" to be set
1805
1806label=AUE_SETUSERAUDIT
1807  skip=Not used.
1808
1809label=AUE_SHMAT
1810  format=arg1:arg2:[ipc]:[ipc_perm]
1811    comment=1, shared memory ID, "shm ID":
1812    comment=2, shared mem addr, "shm addr"
1813  note=ipc_perm
1814# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1815
1816label=AUE_SHMCTL
1817  format=arg1:[ipc]:[ipc_perm]
1818    comment=1, shared memory ID, "shm ID"
1819  note=ipc_perm
1820# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1821
1822label=AUE_SHMCTL_RMID
1823  format=arg1:[ipc]:[ipc_perm]
1824  comment=1, shared memory ID, "shm ID"
1825  note=ipc_perm
1826  syscall=semctl:  IPC_RMID
1827# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc.  NOTE(review): syscall= above names semctl; this is a shmctl event -- confirm.
1828
1829label=AUE_SHMCTL_SET
1830  format=arg1:[ipc]:[ipc_perm]
1831    comment=1, shared memory ID, "shm ID"
1832  note=ipc_perm
1833  syscall=semctl:  IPC_SET
1834# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc.  NOTE(review): syscall= above names semctl; this is a shmctl event -- confirm.
1835
1836label=AUE_SHMCTL_STAT
1837  format=arg1:[ipc]:[ipc_perm]
1838    comment=1, shared memory ID, "shm ID"
1839  note=ipc_perm
1840  syscall=semctl:  IPC_STAT
1841# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc.  NOTE(review): syscall= above names semctl; this is a shmctl event -- confirm.
1842
1843label=AUE_SHMDT
1844  format=arg1
1845    comment=1, shared memory address, "shm adr"
1846
1847label=AUE_SHMGET
1848  format=arg1:[ipc_perm]:[ipc]
1849    comment=0, shared memory key, "shm key"
1850  note=ipc_perm
1851# ipc_perm: shmget -> audit_ipcget
1852
1853label=AUE_SHMGETL
1854  skip=Not used.
1855
1856label=AUE_SHMSYS
1857  skip=Not used.  (Placeholder for shmget and shmctl*)
1858
1859label=AUE_SHUTDOWN
1860  case=If the socket address is invalid
1861    format=[arg]1:[text]2:[text]3
1862      comment=1, file descriptor, "fd":
1863      comment=bad socket address:
1864      comment=bad peer address
1865  case=If the socket address is part of the AF_INET family
1866    case=..with zero file descriptor
1867      format=arg1:[arg]2:[arg]3:[arg]4
1868	comment=1, file descriptor, "so":
1869	comment=1, family, "family":
1870	comment=1, type, "type":
1871	comment=2, how shutdown code, "how"
1872    case=...with non-zero file descriptor
1873      format=arg1:arg2:inet
1874	comment=1, file descriptor, "so":
1875	comment=2, how shutdown code, "how"
1876  case=If the socket address is AF_UNIX
1877    case=...with zero file descriptor
1878      format=path1:arg2:[arg]3:[arg]4:[arg]5
1879	comment=If error&colon; argument&colon; \
1880	  1, "no path&colon; fd", file descriptor:
1881	comment=1, file descriptor, "so":
1882	comment=1, family, "family":
1883	comment=1, type, "type":
1884	comment=2, how shutdown code, "how"
1885    case=...with non-zero file descriptor
1886      format=path1:arg2:arg3:inet
1887	comment=If error&colon; argument&colon; \
1888	  1, file descriptor, "no path&colon; fd":
1889	comment=1, file descriptor, "so":
1890	comment=2, how shutdown code, "how"
1891#old BSM manual wrong; used audit_event.c
1892
1893label=AUE_SOCKACCEPT
1894  syscall=getmsg:  socket accept
1895  format=inet:arg1:[path]:attr:arg2
1896    comment=1, file descriptor, "fd":
1897    comment=4, priority, "pri"
1898# see putmsg and getmsg for record format
1899# See audit.c for inet token and audit_start.c for other reference
1900
1901label=AUE_SOCKCONFIG
1902  format=arg1:arg2:arg3:[path]4
1903    comment=1, domain address, "domain":
1904    comment=2, type, "type":
1905    comment=3, protocol, "protocol":
1906    comment=If no path&colon;argument -- 3, 0, "devpath"
1907
1908label=AUE_SOCKCONNECT
1909  syscall=putmsg:  socket connect
1910  format=inet:arg1:[path]:attr:arg2
1911    comment=1, file descriptor, "fd":
1912    comment=4, priority, "pri"
1913# same as AUE_SOCKACCEPT
1914
1915label=AUE_SOCKET
1916  format=arg1:[arg]2:arg3
1917    comment=1, socket domain, "domain":
1918    comment=2, socket type, "type":
1919    comment=3, socket protocol, "protocol"
1920
1921label=AUE_SOCKETPAIR
1922  skip=Not used.
1923# unreferenced
1924
1925label=AUE_SOCKRECEIVE
1926  syscall=getmsg
1927  format=inet:arg1:[path]:attr:arg2
1928    comment=1, file descriptor, "fd":
1929    comment=4, priority, "pri"
1930# see AUE_SOCKACCEPT
1931
1932label=AUE_SOCKSEND
1933syscall=putmsg
1934  format=inet:arg1:[path]:attr:arg2
1935    comment=1, file descriptor, "fd":
1936    comment=4, priority, "pri"
1937# see AUE_SOCKACCEPT
1938
1939label=AUE_STAT
1940  format=path:[attr]
1941
1942label=AUE_STATFS
1943  format=path:[attr]
1944
1945label=AUE_STATVFS
1946  format=path:[attr]
1947
1948label=AUE_STIME
1949  format=kernel
1950
1951label=AUE_SWAPON
1952  skip=Not used.
1953
1954label=AUE_SYMLINK
1955  format=path:text1:[attr]
1956    comment=symbolic link string
1957
1958label=AUE_SYSINFO
1959  note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1960  note=are currently audited.
1961  format=arg1:[text]2
1962    comment=1, command, "cmd":
1963    comment=name
1964
1965label=AUE_SYSTEMBOOT
1966  title=system booted
1967  syscall=none
1968  format=head:text1
1969    comment="booting kernel"
1970# see audit_start.c and audit_io.c
1971# no subject or return / exit token
1972#	header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1973#	text,booting kernel
1974
1975label=AUE_TRUNCATE
1976  skip=Not used.
1977
1978label=AUE_UMOUNT
1979  syscall=umount: old version
1980  note=Implemented as call of the newer umount2(2).
1981  format=path:arg1:[path]:[attr]
1982    comment=2, mflag value = 0, "flags"
1983
1984label=AUE_UMOUNT2
1985  syscall=umount2
1986  format=path:arg1:[path]:[attr]
1987    comment=2, mflag value, "flags"
1988
1989label=AUE_UNLINK
1990  format=path:[attr]
1991
1992label=AUE_UNLINKAT
1993# obsolete
1994  see=openat(2)
1995  format=path:[attr]
1996
1997label=AUE_UNMOUNT
1998  skip=Not used.
1999
2000label=AUE_UTIME
2001# obsolete
2002  format=path:[attr]
2003
2004label=AUE_UTIMES
2005  see=futimens(2)
2006  format=path:[attr]
2007
2008label=AUE_VFORK
2009  format=arg1
2010    comment=0, pid, "child PID"
2011  note=The vfork(2) return values are undefined because the audit record is
2012  note=produced at the point that the child process is spawned.
2013
2014label=AUE_VPIXSYS
2015  skip=Not used.
2016
2017label=AUE_VTRACE
2018  skip=Not used.
2019
2020label=AUE_WRITE
2021  format=path1:attr
2022    comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
2023  note=An audit record is generated for write only once per file close.
2024
2025label=AUE_WRITEV
2026  skip=Not used. (obsolete)
2027
2028label=AUE_XMKNOD
2029# obsolete
2030  skip=Not used.
2031
2032label=AUE_XSTAT
2033# obsolete
2034  skip=Not Used.
2035
2036label=AUE_PF_POLICY_ADDRULE
2037  title=Add IPsec policy rule
2038  see=
2039  syscall=none
2040  format=arg1:arg2:[zone]3:[text]4
2041  comment=Operation applied to active policy (1 is active, 0 is inactive):
2042  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2043  comment=affected zone:
2044  comment=Name of target tunnel
2045
2046label=AUE_PF_POLICY_DELRULE
2047  title=Delete IPsec policy rule
2048  see=
2049  syscall=none
2050  format=arg1:arg2:[zone]3:[text]4
2051  comment=Operation applied to active policy (1 is active, 0 is inactive):
2052  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2053  comment=affected zone:
2054  comment=Name of target tunnel
2055
2056label=AUE_PF_POLICY_CLONE
2057  title=Clone IPsec policy
2058  see=
2059  syscall=none
2060  format=arg1:arg2:[zone]3:[text]4
2061  comment=Operation applied to active policy (1 is active, 0 is inactive):
2062  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2063  comment=affected zone:
2064  comment=Name of target tunnel
2065
2066label=AUE_PF_POLICY_FLIP
2067  title=Flip IPsec policy
2068  see=
2069  syscall=none
2070  format=arg1:arg2:[zone]3:[text]4
2071  comment=Operation applied to active policy (1 is active, 0 is inactive):
2072  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2073  comment=affected zone:
2074  comment=Name of target tunnel
2075
2076label=AUE_PF_POLICY_FLUSH
2077  title=Flush IPsec policy rules
2078  see=
2079  syscall=none
2080  format=arg1:arg2:[zone]3:[text]4
2081  comment=Operation applied to active policy (1 is active, 0 is inactive):
2082  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2083  comment=affected zone:
2084  comment=Name of target tunnel
2085
2086label=AUE_PF_POLICY_ALGS
2087  title=Update IPsec algorithms
2088  see=
2089  syscall=none
2090  format=arg1:arg2:[zone]3:[text]4
2091  comment=Operation applied to active policy (1 is active, 0 is inactive):
2092  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2093  comment=affected zone:
2094  comment=Name of target tunnel
2095
2096label=AUE_allocate_fail
2097  program=/usr/sbin/allocate
2098  title=allocate: allocate-device failure
2099  format=(0..n)[text]1
2100    comment=command line arguments
2101# see audit_allocate.c
2102
2103label=AUE_allocate_succ
2104  program=/usr/sbin/allocate
2105  title=allocate: allocate-device success
2106  format=(0..n)[text]1
2107    comment=command line arguments
2108# see audit_allocate.c
2109
2110label=AUE_at_create
2111  program=/usr/bin/at
2112  title=at: at-create crontab
2113  format=path
2114
2115label=AUE_at_delete
2116  program=/usr/bin/at
2117  title=at: at-delete atjob (at or atrm)
2118  format=text1:path
2119  comment="ancillary file&colon;" filename or "bad format of at-job name"
2120
2121label=AUE_at_perm
2122  skip=Not used.
2123# not referenced outside uevents.h
2124
2125label=AUE_create_user
2126  skip=Not used.
2127
2128label=AUE_cron_invoke
2129  program=/usr/sbin/cron
2130  title=cron: cron-invoke at or cron
2131  case=If issue with account find
2132  format=text1
2133    comment="bad user" name or "user <name> account expired"
2134  case=else
2135  format=text1:text2
2136    comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2137      or "unknown job type (<job_type_id>)":
2138    comment=command
2139
2140label=AUE_crontab_create
2141  program=/usr/bin/crontab
2142  title=crontab: crontab created
2143  format=path
2144# See audit_crontab.c
2145
2146label=AUE_crontab_delete
2147  program=/usr/bin/crontab
2148  title=crontab: crontab delete
2149  format=path
2150# See audit_crontab.c
2151
2152label=AUE_crontab_mod
2153  program=/usr/bin/crontab
2154  title=crontab:  crontab modify
2155  format=path
2156# See audit_crontab.c
2157
2158label=AUE_crontab_perm
2159  skip=Not used.
2160
2161label=AUE_deallocate_fail
2162  program=/usr/sbin/deallocate
2163  title=deallocate-device failure
2164  format=(0..n)[text]1
2165    comment=command line arguments
2166# See audit_allocate.c
2167
2168label=AUE_deallocate_succ
2169  program=/usr/sbin/deallocate
2170  title=deallocate-device success
2171  format=(0..n)[text]1
2172    comment=command line arguments
2173# See audit_allocate.c
2174
2175label=AUE_delete_user
2176  skip=Not used.
2177
2178label=AUE_disable_user
2179  skip=Not used.
2180
2181label=AUE_enable_user
2182  skip=Not used.
2183
2184label=AUE_ftpd
2185  program=/usr/sbin/in.ftpd
2186  title=in.ftpd
2187  format=[text]1
2188    comment=error message
2189# See audit_ftpd
2190
2191label=AUE_ftpd_logout
2192  program=/usr/sbin/in.ftpd
2193  title=in.ftpd
2194  format=user
2195# See audit_ftpd
2196
2197label=AUE_halt_solaris
2198  program=/usr/sbin/halt
2199  title=halt
2200  format=user
2201# See audit_halt.c
2202
2203label=AUE_kadmind_auth
2204  format=text1:text2:text3
2205    comment=Op&colon; <requested information>:
2206    comment=Arg&colon; <argument for Op>:
2207    comment=Client&colon; <client principal name>
2208# See audit_kadmin.c / common_audit()
2209
2210label=AUE_kadmind_unauth
2211  format=text1:text2:text3
2212    comment=Op&colon; <requested information>:
2213    comment=Arg&colon; <argument for Op>:
2214    comment=Client&colon; <client principal name>
2215# See audit_kadmin.c / common_audit()
2216
2217label=AUE_krb5kdc_as_req
2218  format=text1:text2
2219    comment=Client&colon; <client principal name>:
2220    comment=Service&colon; <requested service name>
2221# See audit_krb5kdc.c / common_audit()
2222
2223label=AUE_krb5kdc_tgs_req
2224  format=text1:text2
2225    comment=Client&colon; <client principal name>:
2226    comment=Service&colon; <requested service name>
2227# See audit_krb5kdc.c / common_audit()
2228
2229label=AUE_krb5kdc_tgs_req_alt_tgt
2230  format=text1:text2
2231    comment=Client&colon; <client principal name>:
2232    comment=Service&colon; <requested service name>
2233# See audit_krb5kdc.c / common_audit()
2234
2235label=AUE_krb5kdc_tgs_req_2ndtktmm
2236  format=text1:text2
2237    comment=Client&colon; <client principal name>:
2238    comment=Service&colon; <requested service name>
2239# See audit_krb5kdc.c / common_audit()
2240
2241label=AUE_listdevice_fail
2242  title=allocate-list devices failure
2243  program=/usr/sbin/allocate
2244  format=(0..n)[text]1
2245    comment=command line arguments
2246# See audit_allocate.c
2247
2248label=AUE_listdevice_succ
2249  title=allocate-list devices success
2250  program=/usr/sbin/allocate
2251  format=(0..n)[text]1
2252    comment=command line arguments
2253# See audit_allocate.c
2254
2255label=AUE_modify_user
2256  skip=Not used.
2257
2258label=AUE_mountd_mount
2259  title=mountd: NFS mount
2260  program=/usr/lib/nfs/mountd
2261  see=mountd(1M)
2262  format=text1:path2
2263    comment=remote client hostname:
2264    comment=mount dir
2265# See audit_mountd.c
2266
2267label=AUE_mountd_umount
2268  title=mountd: NFS unmount
2269  program=/usr/lib/nfs/mountd
2270  format=text1:path2
2271  comment=remote client hostname:
2272  comment=mount dir
2273# See audit_mountd.c
2274
2275label=AUE_poweroff_solaris
2276  program=/usr/sbin/poweroff
2277  title=poweroff
2278  format=user
2279# See audit_halt.c
2280
2281label=AUE_reboot_solaris
2282  program=/usr/sbin/reboot
2283  title=reboot
2284  format=user
2285# See audit_reboot.c
2286#	header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2287#	subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2288#	return,success,0
2289
2290label=AUE_rexd
2291  program=/usr/sbin/rpc.rexd
2292  title=rpc.rexd
2293  format=[text]1:text2:text3:[text]4:[text]5
2294    comment=error message (failure only):
2295    comment="Remote execution requested by&colon;" hostname:
2296    comment="Username&colon;" username:
2297    comment="User id&colon;" user ID (failure only):
2298    comment="Command line&colon;" command attempted
2299# See audit_rexd.c
2300
2301label=AUE_rexecd
2302  program=/usr/sbin/rpc.rexecd
2303  title=rpc.rexecd
2304  format=[text]1:text2:text3:text4
2305    comment=error message (failure only):
2306    comment="Remote execution requested by&colon;" hostname:
2307    comment="Username&colon;" username:
2308    comment="Command line&colon;" command attempted
2309# See audit_rexecd.c
2310
2311label=AUE_rshd
2312  program=/usr/sbin/in.rshd
2313  title=in.rshd
2314  format=text1:text2:[text]3:[text]4
2315    comment="cmd" command:
2316    comment="remote user" remote user:
2317    comment="local user" local user:
2318    comment=failure message
2319# See audit_rshd.c
2320
2321label=AUE_shutdown_solaris
2322  title=shutdown
2323  program=/usr/ucb/shutdown
2324  format=user
2325# See audit_shutdown.c
2326
2327label=AUE_smserverd
2328  program=/usr/lib/smedia/rpc.smserverd
2329  format=[text]1:[text]2
2330    comment=state change:
2331    comment=vid, pid, major/minor device
2332# see usr/src/cmd/smserverd
2333# code shows a third token, path, but it isn't implemented.
2334
2335label=AUE_uadmin_solaris
2336  title=uadmin (obsolete)
2337  program=
2338  see=
2339  format=text1:text2
2340  comment=function code:
2341  comment=argument code
2342# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2343
2344label=AUE_LABELSYS_TNRH
2345  title=config Trusted Network remote host cache
2346  see=tnrh(2)
2347  syscall=labelsys: TSOL_TNRH
2348  case=With the flush command (cmd=3)
2349    format=arg1
2350      comment=1, command, "cmd"
2351  case=With the load (cmd=1) and delete (cmd=2) commands
2352    format=arg1:inaddr2:arg3
2353      comment=1, command, "cmd":
2354      comment=ip address of host:
2355      comment=2, prefix length, "prefix len"
2356
2357label=AUE_LABELSYS_TNRHTP
2358  title=config Trusted Network remote host template
2359  see=tnrhtp(2)
2360  syscall=labelsys: TSOL_TNRHTP
2361  case=With the flush command (cmd=3)
2362    format=arg1
2363      comment=1, command, "cmd"
2364  case=With the load (cmd=1) and delete (cmd=2) commands
2365    format=arg1:text2
2366      comment=1, command, "cmd":
2367      comment=name of template
2368
2369label=AUE_LABELSYS_TNMLP
2370  title=config Trusted Network multi-level port entry
2371  see=tnmlp(2)
2372  syscall=labelsys: TSOL_TNMLP
2373  case=With the flush command (cmd=3)
2374    format=arg1:text2
2375      comment=1, command, "cmd":
2376      comment="shared", or name of zone
2377  case=With the load (cmd=1) and delete (cmd=2) commands
2378    format=arg1:text2:arg3:arg4:[arg]5
2379      comment=1, command, "cmd":
2380      comment="shared", or name of zone:
2381      comment=2, protocol number, "proto num":
2382      comment=2, starting mlp port number, "mlp_port":
2383      comment=2, ending mlp port number, "mlp_port_upper"
2384