# audit_record_attr.txt
# Lines starting with two "#" are comments that are copied to
# audit_record_attr; all other comments are removed.
##
## Copyright 2009 Sun Microsystems, Inc. All rights reserved.
## Use is subject to license terms.
##
## CDDL HEADER START
##
## The contents of this file are subject to the terms of the
## Common Development and Distribution License (the "License").
## You may not use this file except in compliance with the License.
##
## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
## or http://www.opensolaris.org/os/licensing.
## See the License for the specific language governing permissions
## and limitations under the License.
##
## When distributing Covered Code, include this CDDL HEADER in each
## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
## If applicable, add the following below this CDDL HEADER, with the
## fields enclosed by brackets "[]" replaced with your own identifying
## information: Portions Copyright [yyyy] [name of copyright owner]
##
## CDDL HEADER END
##
##

# Source file for describing audit records.

# This file is in two sections. The first is a list of attribute /
# value pairs used to provide shortcuts in annotating the audit
# records. The second holds the annotation for each audit record.

# first section: general attributes

# skipClass=<class name of items to skip if only in that class>
# skipClass=no # uncomment to filter unused events

# token name abbreviations
# token=alias:fullname -- short names for key tokens

token=arg:argument
token=attr:attribute
token=acl:acl_entry
token=cmd:command
token=data:data
token=exec_args:exec_arguments
token=exec_env:exec_environment
token=group:group
token=inaddr:ip_addr
token=inet:socket
token=ipc:ipc
token=ipc_perm:ipc_perm
token=newgroup:newgroups
token=path:path
token=path_attr:attribute_path
token=privset:privilege
token=proc:process
token=text:text
token=tid:terminal_adr
token=uauth:use_of_authorization
token=upriv:use_of_privilege
token=zone:zonename
token=fmri:service_instance
token=label:mandatory_label

token=head:header
token=subj:subject
token=ret:return
token=exit:exit

# note names -- certain notes show up repeatedly; collected here
#
# To keep lines under 80 characters, a note name (message=) can be
# split across several lines, each line except the last ending with
# a backslash character.

message=ipc_perm:The ipc and ipc_perm tokens are not included if \
	the message ID is not valid.


# basic record pattern ("insert" is where event-specific tokens
# are listed.)

kernel=head:insert:subj:[upriv]:ret
user=head:subj:insert:ret

# Second Section
# Annotation Section
#
# Most audit records need annotation beyond what is provided by
# the files audit_event and audit_class. At a minimum, a record
# is represented by a label and a format.
#
# label=record_id like AUE_ACCEPT
# format=token_alias
#
# there is no end line; a new label= ends the preceding definition
# and starts the next.
#
# format values are a list of token names, separated by colons.
# The name is either one of the values described above (token=) or is
# a value to be taken literally. If a token name ends with a digit,
# the digit is an index into an array of comments. In the few cases
# where there are no tokens (other than header, subject, return/exit),
# use "format=kernel" or "format=user".
#
# comment is an array of strings separated by colons. If comments
# are listed on separate lines (recommended due to better
# readability/sustainability of the file), the preceding comment
# must end with a colon. The array starts at 1. (If the comment
# contains a colon, use ":" without the quotes.)
#
# case is used to generate alternate descriptions for a given
# record.
#
# Constraints - string lengths; bear in mind that any annotation of
# the primitives below that is longer than specified will be silently
# truncated to the given number of characters by auditrecord(1M) at
# run time:
#
# primitive	<= max (non-truncated) string length
# case		<= unlimited; if necessary, text continues on a new line
# comment	<= unlimited; if necessary, text continues on a new line
# label		<= 43
# note		<= unlimited; if necessary, text continues on a new line
# program	<= 20
# see		<= 39
# syscall	<= 20
# title		<= 46
# token		<= 28 (full name)
#
# To keep lines under 80 characters, the unlimited primitives can be
# split across several lines, each line except the last ending with
# a backslash character. The "format=" record attribute follows the
# same rule.
#
#
# AUE_ACCEPT illustrates the use of all the above. Note that
# case is not nested; ellipsis (...) is used to give the effect
# of nesting.
142 143label=AUE_ACCEPT 144#accept(2) failure 145 case=Invalid socket file descriptor 146 format=arg1 147 comment=1, file descriptor, "so" 148#accept(2) non SOCK_STREAM socket 149 case=If the socket address is not part of the AF_INET family 150 format=arg1:arg2:arg3 151 comment=1, "so", file descriptor: 152 comment="family", so_family: 153 comment="type", so_type 154 case=If the socket address is part of the AF_INET family 155 case=...If there is no vnode for this file descriptor 156 format=[arg]1 157 comment=1, file descriptor, "Bad so" 158#accept(2) SOCK_STREAM socket-not bound 159 case=...or if the socket is not bound 160 format=[arg]1:[inet]2 161 comment=1, file descriptor, "so": 162 comment=local/foreign address (0.0.0.0) 163 case=...or if the socket address length = 0 164 format=[arg]1:[inet]2 165 comment=1, file descriptor, "so": 166 comment=local/foreign address (0.0.0.0) 167 case=...or for all other conditions 168 format=inet1:[inet]1 169 comment=socket address 170#accept(2) failure 171# header 172# au_to_arg32 "so",file descriptor 173# subject 174# return <errno != 0> 175# 176#accept(2) non SOCK_STREAM socket 177# header 178# au_to_arg32 "so", file descriptor 179# au_to_arg32 "family", so_family 180# au_to_arg32 "type", so_type 181# subject 182# return success 183# 184#accept(2) SOCK_STREAM socket-not bound 185# header 186# au_to_arg32 "so", file descriptor 187# au_to_socket_ex local/foreign address (0.0.0.0) 188# subject 189# return success 190# 191#accept(2) SOCK_STREAM socket-bound 192# header 193# au_to_arg32 "so", file descriptor 194# au_to_socket_ex 195# subject 196# return success 197 198 199 200label=AUE_ACCESS 201 format=path1:[attr] 202 comment=may be truncated in failure case 203# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 204# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 205# attribute,100777,41416,staff,8388608,402255,0 206# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 
129.146.89.30 207# return,success,0 208# trailer,163 209# 210# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 211# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 212# attribute,100000,root,other,8388608,402257,0 213# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 214# return,failure: Permission denied,-1 215# trailer,163 216# 217# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 218# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 219# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 220# return,failure: No such file or directory,-1 221# trailer,135 222 223label=AUE_ACCT 224 case=Zero path 225 format=arg1 226 comment=1, 0, "accounting off" 227 case=Non-zero path 228 format=path1:[attr]2 229 comment=may be truncated in failure case: 230 comment=omitted if failure 231 232label=AUE_ACLSET 233 syscall=acl 234 format=arg1:arg2:(0..n)[acl]3 235 comment=2, SETACL, "cmd": 236 comment=3, number of ACL entries, "nentries": 237 comment=Access Control List entries 238 239label=AUE_ADJTIME 240 format=kernel 241 242label=AUE_ASYNC_DAEMON 243 skip=Not used 244 245label=AUE_ASYNC_DAEMON_EXIT 246 skip=Not used 247 248label=AUE_AUDIT 249 skip=Not used. (Placeholder for the set AUE_AUDIT_*.) 250 251label=AUE_AUDITON 252 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
253 254label=AUE_AUDITON_GESTATE 255 skip=Not used 256 257label=AUE_AUDITON_GETCAR 258 format=kernel 259 syscall=auditon: GETCAR 260# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 261# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 262# return,success,0 263# trailer,68 264 265label=AUE_AUDITON_GETCLASS 266 format=kernel 267 syscall=auditon: GETCLASS 268# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 269# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 270# return,success,0 271# trailer,68 272 273label=AUE_AUDITON_GETCOND 274 format=kernel 275 syscall=auditon: GETCOND 276# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 277# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 278# return,success,0 279# trailer,68 280 281label=AUE_AUDITON_GETCWD 282 format=kernel 283 syscall=auditon: GETCWD 284# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 285# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 286# return,success,0 287# trailer,68 288 289label=AUE_AUDITON_GETKMASK 290 format=kernel 291 syscall=auditon: GETKMASK 292# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 293# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 294# return,success,0 295# trailer,68 296 297label=AUE_AUDITON_GETSTAT 298 format=kernel 299 syscall=auditon: A_GETSTAT 300# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 301# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 302# return,success,0 303# trailer,68 304 305label=AUE_AUDITON_GPOLICY 306 format=kernel 307 syscall=auditon: GPOLICY 308# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec 309# subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 310# return,success,0 311# trailer,68 
312 313label=AUE_AUDITON_GQCTRL 314 format=kernel 315 syscall=auditon: GQCTRL 316# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec 317# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 318# return,success,0 319# trailer,68 320 321 322label=AUE_AUDITON_GTERMID 323 skip=Not used. 324 325label=AUE_AUDITON_SESTATE 326 skip=Not used. 327 328label=AUE_AUDITON_SETCLASS 329 format=[arg]1:[arg]2 330 comment=2, "setclass:ec_event", event number: 331 comment=3, "setclass:ec_class", class mask 332 syscall=auditon: SETCLASS 333# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec 334# argument,2,0x0,setclass:ec_event 335# argument,3,0x0,setclass:ec_class 336# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 337# return,success,0 338# trailer,120 339 340label=AUE_AUDITON_SETCOND 341 format=[arg]1 342 comment=3, "setcond", audit state 343 syscall=auditon: SETCOND 344 345label=AUE_AUDITON_SETKMASK 346 format=[arg]1:[arg]2 347 comment=2, "setkmask as_success", kernel mask: 348 comment=2, "setkmask as_failure", kernel mask 349 syscall=auditon: SETKMASK 350# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec 351# argument,2,0x0,setkmask:as_success 352# argument,2,0x0,setkmask:as_failure 353# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 354# return,success,0 355# trailer,124 356# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec 357# argument,2,0x0,setkmask:as_success 358# argument,2,0x0,setkmask:as_failure 359# subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 360# return,failure: Not owner,-1 361# trailer,124 362 363label=AUE_AUDITON_SETSMASK 364 format=[arg]1:[arg]2 365 comment=3, "setsmask:as_success", session ID mask: 366 comment=3, "setsmask:as_failure", session ID mask 367 syscall=auditon: SETSMASK 368# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 
09:17:33 2000, + 580000668 msec 369# argument,3,0x400,setsmask:as_success 370# argument,3,0x400,setsmask:as_failure 371# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 372# return,success,0 373# trailer,124 374# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 375# argument,3,0x400,setsmask:as_success 376# argument,3,0x400,setsmask:as_failure 377# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 378# return,failure: Not owner,-1 379# trailer,124 380 381label=AUE_AUDITON_SETSTAT 382 format=kernel 383 syscall=auditon: SETSTAT 384# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 385# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 386# return,success,0 387# trailer,68 388# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 389# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 390# return,failure: Not owner,-1 391# trailer,68 392 393label=AUE_AUDITON_SETUMASK 394 format=[arg]1:[arg]2 395 comment=3, "setumask:as_success", audit ID mask: 396 comment=3, "setumask:as_failure", audit ID mask 397 syscall=auditon: SETUMASK 398# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 399# argument,3,0x400,setumask:as_success 400# argument,3,0x400,setumask:as_failure 401# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 402# return,success,0 403# trailer,124 404# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 405# argument,3,0x400,setumask:as_success 406# argument,3,0x400,setumask:as_failure 407# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 408# return,failure: Not owner,-1 409# trailer,124 410 411label=AUE_AUDITON_SPOLICY 412 format=[arg]1 413 comment=1, audit policy flags, "setpolicy" 414 syscall=auditon: SPOLICY 415# header,86,2,auditon(2) - SPOLICY command,,Mon May 
15 09:18:54 2000, + 840 msec 416# argument,3,0x200,setpolicy 417# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 418# return,success,0 419# trailer,86 420# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 421# argument,3,0x200,setpolicy 422# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 423# return,failure: Not owner,-1 424# trailer,86 425 426label=AUE_AUDITON_SQCTRL 427 format=[arg]1:[arg]2:[arg]3:[arg]4 428 comment=3, "setqctrl:aq_hiwater", queue control param.: 429 comment=3, "setqctrl:aq_lowater", queue control param.: 430 comment=3, "setqctrl:aq_bufsz", queue control param.: 431 comment=3, "setqctrl:aq_delay", queue control param. 432 syscall=auditon: SQCTRL 433# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 434# argument,3,0x64,setqctrl:aq_hiwater 435# argument,3,0xa,setqctrl:aq_lowater 436# argument,3,0x400,setqctrl:aq_bufsz 437# argument,3,0x14,setqctrl:aq_delay 438# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 439# return,success,0 440# trailer,176 441# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 442# argument,3,0x64,setqctrl:aq_hiwater 443# argument,3,0xa,setqctrl:aq_lowater 444# argument,3,0x400,setqctrl:aq_bufsz 445# argument,3,0x14,setqctrl:aq_delay 446# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 447# return,failure: Not owner,-1 448# trailer,176 449 450label=AUE_AUDITON_STERMID 451 skip=Not used. 452 453label=AUE_AUDITSTAT 454 skip=Not used. 455 456label=AUE_AUDITSVC 457 skip=Not used. 458 459label=AUE_AUDITSYS 460 skip=Not used. (Place holder for various auditing events.) 461 462label=AUE_BIND 463# differs from documented version. 
464# cases "no vnode" not fully confirmed 465# family and type need argument number 466 case=Invalid socket handle 467 format=arg1 468 comment=1, file descriptor, "so" 469 case=If there is no vnode for this file descriptor 470 case=or if the socket is not of the AF_INET family 471 format=arg1:arg2:arg3 472 comment=1, file descriptor, "so": 473 comment=1, socket family, "family": 474 comment=1, socket type, "type" 475 case=or for all other conditions 476 format=arg1:inet2 477 comment=1, file descriptor, "so": 478 comment=socket address 479 480label=AUE_BRANDSYS 481# generic mechanism to allow user-space and kernel components of a brand 482# to communicate. The interpretation of the arguments to the call is 483# left entirely up to the brand. 484 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 485 comment=1, command, "cmd": 486 comment=2, command args, "arg": 487 comment=3, command args, "arg": 488 comment=4, command args, "arg": 489 comment=5, command args, "arg": 490 comment=6, command args, "arg": 491 comment=7, command args, "arg" 492 493label=AUE_BSMSYS 494 skip=Not used. 
495 496label=AUE_CHDIR 497 format=path:[attr] 498# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 499# path,/export/home/CC_final/icenine/arv/chdir/obj_succ 500# attribute,40777,root,other,8388608,231558,0 501# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 502# return,success,0 503# trailer,151 504# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 505# path,/export/home/CC_final/icenine/arv/chdir/obj_fail 506# attribute,40000,root,other,8388608,237646,0 507# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 508# return,failure: Permission denied,-1 509# trailer,151 510 511label=AUE_CHMOD 512 format=arg1:path:[attr] 513 comment=2, mode, "new file mode" 514# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 515# argument,2,0x1f8,new file mode 516# path,/export/home/CC_final/icenine/arv/chmod/obj_succ 517# attribute,100770,tuser10,other,8388608,243608,0 518# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 519# return,success,0 520# trailer,173 521# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 522# argument,2,0x1f8,new file mode 523# path,/export/home/CC_final/icenine/arv/chmod/obj_fail 524# attribute,100600,root,other,8388608,243609,0 525# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 526# return,failure: Not owner,-1 527# trailer,173 528 529label=AUE_CHOWN 530 format=arg1:arg2 531 comment=2, uid, "new file uid": 532 comment=3, gid, "new file gid" 533# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 534# argument,2,0x271a,new file uid 535# argument,3,0xffffffff,new file gid 536# path,/export/home/CC_final/icenine/arv/chown/obj_succ 537# attribute,100644,tuser10,other,8388608,268406,0 538# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 539# return,success,0 540# trailer,193 541# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec 542# argument,2,0x271a,new file uid 
543# argument,3,0xffffffff,new file gid 544# path,/export/home/CC_final/icenine/arv/chown/obj_fail 545# attribute,100644,root,other,8388608,268407,0 546# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 547# return,failure: Not owner,-1 548# trailer,193 549 550label=AUE_CHROOT 551 format=path:[attr] 552# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 553# path,/ 554# attribute,40755,root,root,8388608,2,0 555# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 556# return,success,0 557# trailer,104 558# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 559# path,/export/home/CC_final/icenine/arv/chroot/obj_fail 560# attribute,40777,tuser10,other,8388608,335110,0 561# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 562# return,failure: Not owner,-1 563# trailer,152 564 565label=AUE_CLOCK_SETTIME 566 format=kernel 567 568label=AUE_CLOSE 569 format=arg1:[path]:[attr] 570 comment=1, file descriptor, "fd" 571 572label=AUE_CONFIGKSSL 573 case=Adding KSSL entry. 574 format=text1:inaddr2:text3:text4 575 comment=opcode, KSSL_ADD_ENTRY: 576 comment=local IP address: 577 comment=SSL port number: 578 comment=proxy port number 579 case=Deleting KSSL entry. 
580 format=text1:inaddr2:text3 581 comment=opcode, KSSL_DELETE_ENTRY: 582 comment=local IP address: 583 comment=SSL port number 584 585label=AUE_CONNECT 586# cases "no vnode" not fully confirmed 587 case=If there is no vnode for this file descriptor 588 case=If the socket address is not part of the AF_INET family 589 format=arg1:arg2:arg3 590 comment=1, file descriptor, "so": 591 comment=1, socket family, "family": 592 comment=1, socket type, "type" 593 case=If the socket address is part of the AF_INET family 594 format=arg1:inet2 595 comment=1, file descriptor, "so": 596 comment=socket address 597 598label=AUE_CORE 599 syscall=none 600 title=process dumped core 601 see=none 602 format=path:[attr]:arg1 603 comment=1, signal, "signal" 604# see uts/common/c2/audit.c 605 606label=AUE_CREAT 607 format=path:[attr] 608# does not match old BSM manual 609# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 610# path,/export/home/CC_final/icenine/arv/creat/obj_succ 611# attribute,100644,tuser10,other,8388608,49679,0 612# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 613# return,success,8 614# trailer,151 615# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 616# path,/devices/pseudo/mm@0:null 617# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 618# return,success,8 619# trailer,107 620# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 621# path,/obj_fail 622# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 623# return,failure: Permission denied,-1 624# trailer,83 625 626label=AUE_CRYPTOADM 627 title=kernel cryptographic framework 628 format=text1:(0..n)[text]2 629 comment=cryptoadm command/operation: 630 comment=mechanism list 631 632label=AUE_DOORFS 633 skip=Not used. (Place holder for set of door audit events.) 634 635label=AUE_DOORFS_DOOR_BIND 636 skip=Not used. 
637 syscall=doorfs: DOOR_BIND 638 639label=AUE_DOORFS_DOOR_CALL 640 format=arg1:proc2 641 comment=1, door ID, "door ID": 642 comment=for process that owns the door 643 syscall=doorfs: DOOR_CALL 644 645label=AUE_DOORFS_DOOR_CREATE 646 format=arg1 647 comment=1, door attributes, "door attr" 648 syscall=doorfs: DOOR_CREATE 649 650label=AUE_DOORFS_DOOR_CRED 651 skip=Not used. 652 syscall=doorfs: DOOR_CRED 653 654label=AUE_DOORFS_DOOR_INFO 655 skip=Not used. 656 syscall=doorfs: DOOR_INFO 657 658label=AUE_DOORFS_DOOR_RETURN 659 format=kernel 660 syscall=doorfs: DOOR_RETURN 661 662label=AUE_DOORFS_DOOR_REVOKE 663 format=arg1 664 comment=1, door ID, "door ID" 665 syscall=doorfs: DOOR_REVOKE 666 667label=AUE_DOORFS_DOOR_UNBIND 668 skip=Not used. 669 syscall=doorfs: DOOR_UNBIND 670 671label=AUE_DUP2 672skip=Not used. 673 674label=AUE_ENTERPROM 675 title=enter prom 676 syscall=none 677 format=head:text1:ret 678 comment="kmdb" 679# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 680# text,kmdb 681# return,success,0 682 683label=AUE_EXEC 684 format=path:[attr]1:[exec_args]2:[exec_env]3 685 comment=omitted on error: 686 comment=output if argv policy is set: 687 comment=output if arge policy is set 688 689label=AUE_EXECVE 690 format=path:[attr]1:[exec_args]2:[exec_env]3 691 comment=omitted on error: 692 comment=output if argv policy is set: 693 comment=output if arge policy is set 694# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 695# path,/devices/pseudo/mm@0:null 696# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 697# return,success,8 698# trailer,107 699# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 700# path,/usr/bin/pig 701# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 702# return,failure: No such file or directory,-1 703# trailer,86 704 705label=AUE_EXIT 706 format=[text]1 707 comment=event aborted 708 709label=AUE_EXITPROM 710 title=exit prom 711 syscall=none 712 
format=head:text1:ret 713 comment="kmdb" 714# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 715# text,kmdb 716# return,success,0 717 718label=AUE_EXPORTFS 719 skip=Not used. 720 721label=AUE_FACLSET 722 syscall=facl 723 case=Invalid file descriptor 724 format=arg1:arg2 725 comment=2, SETACL, "cmd": 726 comment=3, number of ACL entries, "nentries" 727 case=Zero path 728 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 729 comment=2, SETACL, "cmd": 730 comment=3, number of ACL entries, "nentries": 731 comment=1, file descriptor, "no path: fd": 732 comment=ACLs 733 case=Non-zero path 734 format=arg1:arg2:path:[attr]:(0..n)[acl]3 735 comment=2, SETACL, "cmd": 736 comment=3, number of ACL entries, "nentries": 737 comment=ACLs 738 739label=AUE_FCHDIR 740 format=[path]:[attr] 741# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 742# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 743# attribute,40777,tuser10,other,8388608,207662,0 744# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 745# return,success,0 746# trailer,150 747# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 748# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 749# return,failure: Permission denied,-1 750# trailer,68 751 752label=AUE_FCHMOD 753 case=With a valid file descriptor and path 754 format=arg1:path:[attr] 755 comment=2, mode, "new file mode" 756 case=With a valid file descriptor and invalid path 757 format=arg1:[arg]2:[attr] 758 comment=2, mode, "new file mode": 759 comment=1, file descriptor, "no path: fd" 760 case=With an invalid file descriptor 761 format=arg1 762 comment=2, mode, "new file mode" 763# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 764# argument,2,0x1a4,new file mode 765# path,/export/home/CC/icenine/arv/fchmod/obj_succ 766# attribute,100644,tuser10,other,7602240,26092,0 767# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 768# return,success,0 
769# trailer,168 770# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 771# argument,2,0x1a4,new file mode 772# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 773# return,failure: Bad file number,-1 774# trailer,90 775# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 776# argument,2,0x1a4,new file mode 777# path,/export/home/CC/icenine/arv/fchmod/obj_fail 778# attribute,100644,root,other,7602240,26093,0 779# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 780# return,failure: Not owner,-1 781# trailer,168 782 783label=AUE_FCHOWN 784 case=With a valid file descriptor 785 format=arg1:arg2:[path]:[attr] 786 comment=2, uid, "new file uid": 787 comment=3, gid, "new file gid" 788 case=With an invalid file descriptor 789 format=arg1:arg2:[arg]3:[attr] 790 comment=2, uid, "new file uid": 791 comment=3, gid, "new file gid": 792 comment=1, file descriptor, "no path fd" 793 794label=AUE_FCHOWNAT 795 see=openat(2) 796 case=With a valid absolute/relative file path 797 format=path:[path_attr]:[attr] 798 case=With an file path eq. NULL and valid file descriptor 799 format=kernel 800 801label=AUE_FCHROOT 802 format=[path]:[attr] 803# fchroot -> chdirec -> audit_chdirec 804 805label=AUE_FCNTL 806 case=With a valid file descriptor 807 format=arg1:path:attr 808 comment=2, command, "cmd" 809 case=With an invalid file descriptor 810 format=arg1:arg2 811 comment=2, command, "cmd": 812 comment=1, file descriptor, "no path fd" 813 814label=AUE_FLOCK 815 skip=Not used. 816 817label=AUE_FORKALL 818 format=[arg]1 819 comment=0, pid, "child PID" 820 note=The forkall(2) return values are undefined because the audit record 821 note=is produced at the point that the child process is spawned. 
822# see audit.c 823 824label=AUE_FORK1 825 format=[arg]1 826 comment=0, pid, "child PID" 827 note=The fork1(2) return values are undefined because the audit record 828 note=is produced at the point that the child process is spawned. 829# see audit.c 830 831label=AUE_FSAT 832 skip=Not used. (Placeholder for AUE_*AT records) 833#openat AUE_OPENAT_{W,RW,R} appended with CT as needed 834#openat64 AUE_OPENAT_{W,RW,R} appended with CT as needed 835#fstatat64 AUE_FSTATAT 836#fstat AUE_FSTATAT 837#chownat AUE_FCHOWNAT 838#unlinkat AUE_UNLINKAT 839#futimesat AUE_FUTIMESAT 840#renameat AUE_RENAMEAT 841 842label=AUE_FSTAT 843 skip=Not used. 844 845label=AUE_FSTATAT 846 format=path:[path_attr]:[attr] 847 848label=AUE_FSTATFS 849 case=With a valid file descriptor 850 format=[path]:[attr] 851 case=With an invalid file descriptor 852 format=arg1 853 comment=1, file descriptor, "no path fd" 854 855label=AUE_FTRUNCATE 856 skip=Not used. 857 858label=AUE_FUSERS 859 syscall=utssys: UTS_FUSERS 860 format=path:attr 861 862 863label=AUE_FUTIMESAT 864 syscall=utimes(2) 865 format=[path]:[path_attr]:[attr] 866 867label=AUE_GETAUDIT 868 format=kernel 869# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 870# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 871# return,success,0 872# trailer,68 873# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 874# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 875# return,success,0 876# trailer,68 877 878label=AUE_GETAUDIT_ADDR 879 format=kernel 880# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 881# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 882# return,success,0 883 884label=AUE_GETAUID 885 format=kernel 886# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 887# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 888# return,success,0 889# trailer,68 890# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 
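490002988 msec
# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68

label=AUE_GETDENTS
	skip=Not used.
#Not security relevant

label=AUE_GETKERNSTATE
	skip=Not used.

label=AUE_GETMSG
	case=With a valid file descriptor
	format=arg1:[path]:attr:arg2
	comment=1, file descriptor, "fd":
	comment=4, priority, "pri"
	case=With an invalid file descriptor
	format=arg1:arg2
	comment=1, file descriptor, "fd":
	comment=4, priority, "pri"

label=AUE_GETPMSG
	case=With a valid file descriptor
	format=arg1:[path]:attr
	comment=1, file descriptor, "fd"
	case=With an invalid file descriptor
	format=arg1
	comment=1, file descriptor, "fd"

label=AUE_GETPORTAUDIT
# unused placeholder: marked with skip= like the other unused records,
# not format=, since format values are read as a colon-separated token list
	skip=Not used.

label=AUE_GETUSERAUDIT
	skip=Not used.

label=AUE_INST_SYNC
	format=arg1
	comment=2, flags value, "flags"

label=AUE_IOCTL
	case=With an invalid file descriptor
	format=arg1:arg2:arg3
	comment=1, file descriptor, "fd":
	comment=2, command, "cmd":
	comment=3, arg, "arg"
	case=With a valid file descriptor
	format=path:[attr]:arg1:arg2
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
	case=Non-file file descriptor
	format=arg1:arg2:arg3
	comment=1, file descriptor, "fd":
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
	case=Bad file name
	format=arg1:arg2:arg3
	comment=1, file descriptor, "no path: fd":
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
# old BSM manual misses a case

label=AUE_JUNK
	skip=Not used.

label=AUE_KILL
	case=Valid process
	format=arg1:[proc]
	comment=2, signo, "signal"
	case=Zero or negative process
	format=arg1:arg2
	comment=2, signo, "signal":
	comment=1, pid, "process"

label=AUE_KILLPG
	skip=Not used.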
966 967label=AUE_LCHOWN 968 format=arg1:arg2:path:[attr] 969 comment=2, uid, "new file uid": 970 comment=3, gid, "new file gid" 971 972label=AUE_LINK 973 format=path1:[attr]:path2 974 comment=from path: 975 comment=to path 976 977label=AUE_LSEEK 978 skip=Not used. 979 980label=AUE_LSTAT 981 format=path:[attr] 982 983label=AUE_LXSTAT 984 skip=Not used. 985# AUE_LXSTAT now maps to AUE_LSTAT 986 987label=AUE_MCTL 988 skip=Not used. 989 990label=AUE_MEMCNTL 991 format=arg1:arg2:arg3:arg4:arg5:arg6 992 comment=1, base address, "base": 993 comment=2, length, "len": 994 comment=3, command, "cmd": 995 comment=4, command args, "arg": 996 comment=5, command attributes, "attr": 997 comment=6, 0, "mask" 998 999label=AUE_MKDIR 1000 format=arg1:path:[attr] 1001 comment=2, mode, "mode" 1002 1003label=AUE_MKNOD 1004 format=arg1:arg2:path:[attr] 1005 comment=2, mode, "mode": 1006 comment=3, dev, "dev" 1007 1008label=AUE_MMAP 1009 case=With a valid file descriptor 1010 format=arg1:arg2:[path]3:[attr] 1011 comment=1, segment address, "addr": 1012 comment=2, segment length, "len": 1013 comment=if no path, then argument: \ 1014 1, "nopath: fd", file descriptor 1015 case=With an invalid file descriptor 1016 format=arg1:arg2:arg3 1017 comment=1, segment address, "addr": 1018 comment=2, segment length, "len": 1019 comment=1, file descriptor, "no path: fd" 1020 1021label=AUE_MODADDMAJ 1022 title=modctl: bind module 1023 syscall=modctl 1024 format=[text]1:[text]2:text3:arg4:(0..n)[text]5 1025 comment=driver major number: 1026 comment=driver name: 1027 comment=driver major number or "no drvname": 1028 comment=5, number of aliases, "": 1029 comment=aliases 1030 1031label=AUE_MODADDPRIV 1032 format=kernel 1033 1034label=AUE_MODCONFIG 1035 skip=Not used. 1036 1037label=AUE_MODCTL 1038 skip=Not used.
(placeholder) 1039 1040label=AUE_MODDEVPLCY 1041 syscall=modctl 1042 title=modctl: set device policy 1043 case=If unknown minor name/pattern 1044 format=arg1:arg2:arg3:arg4:arg5 1045 comment=2, "major", major number: 1046 comment=2, "lomin", low minor number, if known: 1047 comment=2, "himin", hi minor number, if known: 1048 comment=privileges required for reading: 1049 comment=privileges required for writing 1050 case=else 1051 format=arg1:text2:arg3:arg4 1052 comment=2, "major", major number: 1053 comment=minor name/pattern: 1054 comment=privileges required for reading: 1055 comment=privileges required for writing 1056 1057label=AUE_MODLOAD 1058 syscall=modctl 1059 title=modctl: load module 1060 format=[text]1:text2 1061 comment=default path: 1062 comment=filename path 1063 1064label=AUE_MODUNLOAD 1065 syscall=modctl 1066 title=modctl: unload module 1067 format=arg1 1068 comment=1, module ID, "id" 1069 1070label=AUE_MOUNT 1071 case=UNIX file system 1072 format=arg1:text2:path:[attr] 1073 comment=3, flags, "flags": 1074 comment=filesystem type 1075 case=NFS file system 1076 format=arg1:text2:text3:arg4:path:[attr] 1077 comment=3, flags, "flags": 1078 comment=filesystem type: 1079 comment=host name: 1080 comment=3, flags, "internal flags" 1081# unix example: 1082# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1083# argument,3,0x104,flags 1084# text,ufs 1085# path,/var2 1086# attribute,40755,root,root,32,12160,0 1087# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1088# attribute,60640,root,sys,32,231268,137438953476 1089# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1090# return,success,4290707268 1091# ^^^^^^^^^^ <- bugid 4333559 1092 1093label=AUE_MSGCTL 1094 format=arg1:[ipc]:[ipc_perm] 1095 comment=1, message ID, "msg ID" 1096 note=ipc_perm 1097# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1098 1099label=AUE_MSGCTL_RMID 1100 format=arg1:[ipc]:[ipc_perm] 1101 comment=1, message ID, "msg ID" 1102 note=ipc_perm 1103 
syscall=msgctl: IPC_RMID 1104# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1105 1106label=AUE_MSGCTL_SET 1107 format=arg1:[ipc]:[ipc_perm] 1108 comment=1, message ID, "msg ID" 1109 note=ipc_perm 1110 syscall=msgctl: IPC_SET 1111# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1112 1113label=AUE_MSGCTL_STAT 1114 format=arg1:[ipc]:[ipc_perm] 1115 comment=1, message ID, "msg ID" 1116 note=ipc_perm 1117 syscall=msgctl: IPC_STAT 1118# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1119 1120label=AUE_MSGGET 1121 format=arg1:ipc 1122 comment=1, message key, "msg key" 1123 note=ipc_perm 1124 syscall=msgget 1125 1126label=AUE_MSGGETL 1127 skip=Not used. 1128 1129label=AUE_MSGRCV 1130 format=arg1:[ipc]:[ipc_perm] 1131 comment=1, message ID, "msg ID" 1132 note=ipc_perm 1133 syscall=msgrcv 1134# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc 1135 1136label=AUE_MSGRCVL 1137 skip=Not used. 1138 1139label=AUE_MSGSND 1140 format=arg1:[ipc]:[ipc_perm] 1141 comment=1, message ID, "msg ID" 1142 note=ipc_perm 1143 syscall=msgsnd 1144# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc 1145 1146label=AUE_MSGSNDL 1147 skip=Not used. 1148 1149label=AUE_MSGSYS 1150skip=Not used. (Placeholder for AUE_MSG* events.) 1151 1152label=AUE_MUNMAP 1153 format=arg1:arg2 1154 comment=1, address of memory, "addr": 1155 comment=2, memory segment size, "len" 1156 1157label=AUE_NFS 1158 skip=Not used. 1159 1160label=AUE_NFSSVC_EXIT 1161 skip=Not used. 1162 1163label=AUE_NFS_GETFH 1164 skip=Not used. 1165 1166label=AUE_NFS_SVC 1167 skip=Not used. 1168 1169label=AUE_NICE 1170 format=kernel 1171 1172label=AUE_NULL 1173 skip=Not used. (placeholder) 1174# used internal to audit_event.c for minimal audit 1175 1176label=AUE_NTP_ADJTIME 1177 format=kernel 1178 1179label=AUE_ONESIDE 1180 skip=Not used. 1181 1182label=AUE_OPEN 1183 skip=Not used. (placeholder for AUE_OPEN_*). 
1184 1185label=AUE_OPEN_R 1186 format=path:[attr] 1187 see=open(2) - read 1188 1189label=AUE_OPENAT_R 1190 format=path:[path_attr]:[attr] 1191 see=openat(2) 1192 1193label=AUE_OPEN_RC 1194 format=path:[attr] 1195 see=open(2) - read,creat 1196 1197label=AUE_OPENAT_RC 1198 see=openat(2) 1199 format=path:[path_attr]:[attr] 1200# aui_fsat(): fm & O_CREAT mangling 1201 1202label=AUE_OPEN_RT 1203 format=path:[attr] 1204 see=open(2) - read,trunc 1205 1206label=AUE_OPENAT_RT 1207 see=openat(2) 1208 format=path:[path_attr]:[attr] 1209# aui_fsat(): fm & O_TRUNC mangling 1210 1211label=AUE_OPEN_RTC 1212 format=path:[attr] 1213 see=open(2) - read,trunc,creat 1214 1215label=AUE_OPENAT_RTC 1216 see=openat(2) 1217 format=path:[path_attr]:[attr] 1218# aui_fsat(): fm & O_TRUNC mangling, fm & O_CREAT mangling 1219 1220label=AUE_OPEN_RW 1221 format=path:[attr] 1222 see=open(2) - read,write 1223 1224label=AUE_OPENAT_RW 1225 see=openat(2) 1226 format=path:[path_attr]:[attr] 1227# aui_fsat(): fm & O_RDWR 1228 1229label=AUE_OPEN_RWC 1230 format=path:[attr] 1231 see=open(2) - read,write,creat 1232 1233label=AUE_OPENAT_RWC 1234 see=openat(2) 1235 format=path:[path_attr]:[attr] 1236# aui_fsat(): fm & O_RDWR, fm & O_CREAT mangling 1237 1238label=AUE_OPEN_RWT 1239 format=path:[attr] 1240 see=open(2) - read,write,trunc 1241 1242label=AUE_OPENAT_RWT 1243 see=openat(2) 1244 format=path:[path_attr]:[attr] 1245# aui_fsat(): fm & O_RDWR, fm & O_TRUNC mangling 1246 1247label=AUE_OPEN_RWTC 1248 format=path:[attr] 1249 see=open(2) - read,write,trunc,creat 1250 1251label=AUE_OPENAT_RWTC 1252 see=openat(2) 1253 format=path:[path_attr]:[attr] 1254# aui_fsat(): fm & O_RDWR, fm & O_TRUNC mangling, fm & O_CREAT mangling 1255 1256label=AUE_OPEN_W 1257 format=path:[attr] 1258 see=open(2) - write 1259 1260label=AUE_OPENAT_W 1261 see=openat(2) 1262 format=path:[path_attr]:[attr] 1263 1264label=AUE_OPEN_WC 1265 format=path:[attr] 1266 see=open(2) - write,creat 1267 1268label=AUE_OPENAT_WC 1269 see=openat(2) 1270 
format=path:[path_attr]:[attr] 1271# aui_fsat(): fm & O_WRONLY, fm & O_CREAT mangling 1272 1273label=AUE_OPEN_WT 1274 format=path:[attr] 1275 see=open(2) - write,trunc 1276 1277label=AUE_OPENAT_WT 1278 see=openat(2) 1279 format=path:[path_attr]:[attr] 1280# aui_fsat(): fm & O_WRONLY, fm & O_TRUNC mangling 1281 1282label=AUE_OPEN_WTC 1283 format=path:[attr] 1284 see=open(2) - write,trunc,creat 1285 1286label=AUE_OPENAT_WTC 1287 see=openat(2) 1288 format=path:[path_attr]:[attr] 1289# aui_fsat(): fm & O_WRONLY, fm & O_TRUNC mangling, fm & O_CREAT mangling 1290 1291label=AUE_OSETPGRP 1292 skip=Not used. 1293 1294label=AUE_OSTAT 1295 skip=Not used. 1296 1297label=AUE_PATHCONF 1298 format=path:[attr] 1299 1300label=AUE_PIPE 1301format=kernel 1302# class is no, not usually printed 1303 1304label=AUE_PORTFS 1305 skip=Not used (placeholder for AUE_PORTFS_*). 1306 1309 1310label=AUE_PORTFS_ASSOCIATE 1311 syscall=portfs 1312 see=port_associate(3C) 1313 case=Port association via PORT_SOURCE_FILE 1314 format=[path]1:attr 1315 comment=name of the file/directory to be watched 1316 1317label=AUE_PORTFS_DISSOCIATE 1318 syscall=portfs 1319 see=port_dissociate(3C) 1320 case=Port disassociation via PORT_SOURCE_FILE 1321 format=kernel 1322 1323label=AUE_PRIOCNTLSYS 1324 syscall=priocntl 1325 see=priocntl(2) 1326 format=arg1:arg2 1327 comment=1, priocntl version number, "pc_version": 1328 comment=3, command, "cmd" 1329 1330label=AUE_PROCESSOR_BIND 1331 case=No LWP/thread bound to the processor 1332 format=arg1:arg2:text3:[proc] 1333 comment=1, type of ID, "ID type": 1334 comment=2, ID value, "ID": 1335 comment="PBIND_NONE" 1336 case=With processor bound 1337 format=arg1:arg2:arg3:[proc] 1338 comment=1, type of ID, "ID type": 1339 comment=2, ID value, "ID": 1340 comment=3, processor ID, "processor_id" 1341 1342label=AUE_PUTMSG 1343 see=putmsg(2) 1344 format=arg1:[path]:[attr]:arg2 1345 comment=1, file descriptor,
"fd": 1346 comment=4, priority, "pri" 1347 1348label=AUE_PUTPMSG 1349 see=putpmsg(2) 1350 format=arg1:[path]:[attr]:arg2:arg3 1351 comment=1, file descriptor, "fd": 1352 comment=4, priority, "pri": 1353 comment=5, flags, "flags" 1354 1355label=AUE_P_ONLINE 1356 format=arg1:arg2:text3 1357 comment=1, processor ID, "processor ID": 1358 comment=2, flags value, "flags": 1359 comment=text form of flags. Values: \ 1360 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS 1361 1362label=AUE_QUOTACTL 1363 skip=Not used. 1364 1365label=AUE_READ 1366 skip=Not used. (Placeholder for AUE_READ_* events) 1367 1368label=AUE_READL 1369 skip=Not used. (Obsolete) 1370 1371label=AUE_READLINK 1372 format=path:[attr] 1373 1374label=AUE_READV 1375 skip=Not used (obsolete) 1376# detritus from CMS 1377 1378label=AUE_READVL 1379 skip=Not used (obsolete) 1380# detritus from CMS 1381 1382label=AUE_REBOOT 1383 skip=Not used. 1384 1385label=AUE_RECV 1386 case=If address family is AF_INET or AF_INET6 1387 format=[arg]1:[inet] 1388 comment=1, file descriptor, "so" 1389 case=If address family is AF_UNIX and path is defined 1390 format=[path]1:[attr] 1391 comment=1, file descriptor, "so" 1392 case=If address family is AF_UNIX and path is NULL 1393 format=[path]1:[attr] 1394 comment=1, file descriptor, "no path: fd" 1395 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1396 format=[arg]1:[arg]2:[arg]3 1397 comment=1, file descriptor, "so": 1398 comment=1, family, "family": 1399 comment=1, type, "type" 1400# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) 1401 1402label=AUE_RECVFROM 1403 format=inet:arg1:[arg]2:inet3:arg4 1404 comment=3, message length, "len": 1405 comment=4, flags, "flags": 1406 comment=from address: 1407 comment=6, address length, "tolen" 1408 note=The socket token for a bad socket is reported as "argument 1409 note=token (1, socket descriptor, "fd")" 1410 1411label=AUE_RECVMSG 1412 case=If invalid file descriptor 1413 
format=arg1:arg2 1414 comment=1, file descriptor, "so": 1415 comment=3, flags, "flags" 1416 case=If valid file descriptor and socket is AF_UNIX and no path 1417 format=arg1:[attr] 1418 comment=1, file descriptor, "no path: fd" 1419 case=If valid file descriptor and socket is AF_UNIX and path defined 1420 format=path:attr 1421 case=If valid file descriptor and socket is AF_INET or AF_INET6 1422 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM 1423 format=arg1:arg2:inet 1424 comment=1, file descriptor, "so": 1425 comment=2, flags, "flags" 1426 case=.. if socket type is unknown 1427 format=arg1:arg2:arg3:arg4 1428 comment=1, file descriptor, "so": 1429 comment=1, family, "family": 1430 comment=1, type, "type": 1431 comment=3, flags, "flags" 1432 1433label=AUE_RENAME 1434 format=path1:[attr]1:[path]2 1435 comment=from name: 1436 comment=to name 1437 1438label=AUE_RENAMEAT 1439# see openat(2) 1440 format=path1:[path_attr]:[attr]1:[path]2:[path_attr] 1441 comment=from name: 1442 comment=to name 1443 1444label=AUE_RFSSYS 1445 skip=Not used. 
1446# apparently replaced 1447 1448label=AUE_RMDIR 1449 format=path:[attr] 1450 1451label=AUE_SEMCTL 1452 format=arg1:[ipc]:[ipc_perm] 1453 comment=1, semaphore ID, "sem ID" 1454 note=ipc_perm 1455# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1456 1457label=AUE_SEMCTL_GETALL 1458 format=arg1:[ipc]:[ipc_perm] 1459 comment=1, semaphore ID, "sem ID" 1460 note=ipc_perm 1461 syscall=semctl: GETALL 1462# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1463 1464label=AUE_SEMCTL_GETNCNT 1465 format=arg1:[ipc]:[ipc_perm] 1466 comment=1, semaphore ID, "sem ID" 1467 note=ipc_perm 1468 syscall=semctl: GETNCNT 1469# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1470 1471label=AUE_SEMCTL_GETPID 1472 format=arg1:[ipc]:[ipc_perm] 1473 comment=1, semaphore ID, "sem ID" 1474 note=ipc_perm 1475 syscall=semctl: GETPID 1476# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1477 1478label=AUE_SEMCTL_GETVAL 1479 format=arg1:[ipc]:[ipc_perm] 1480 comment=1, semaphore ID, "sem ID" 1481 note=ipc_perm 1482 syscall=semctl: GETVAL 1483# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1484 1485label=AUE_SEMCTL_GETZCNT 1486 format=arg1:[ipc]:[ipc_perm] 1487 comment=1, semaphore ID, "sem ID" 1488 note=ipc_perm 1489 syscall=semctl: GETZCNT 1490# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1491 1492label=AUE_SEMCTL_RMID 1493 format=arg1:[ipc]:[ipc_perm] 1494 comment=1, semaphore ID, "sem ID" 1495 note=ipc_perm 1496 syscall=semctl: IPC_RMID 1497# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1498 1499label=AUE_SEMCTL_SET 1500 format=arg1:[ipc]:[ipc_perm] 1501 comment=1, semaphore ID, "sem ID" 1502 note=ipc_perm 1503 syscall=semctl: IPC_SET 1504# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1505 1506label=AUE_SEMCTL_SETALL 1507 format=arg1:[ipc]:[ipc_perm] 1508 comment=1, semaphore ID, "sem ID" 1509 note=ipc_perm 1510 syscall=semctl: SETALL 1511# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1512 
1513label=AUE_SEMCTL_SETVAL 1514 format=arg1:[ipc]:[ipc_perm] 1515 comment=1, semaphore ID, "sem ID" 1516 note=ipc_perm 1517 syscall=semctl: SETVAL 1518# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1519 1520label=AUE_SEMCTL_STAT 1521 format=arg1:[ipc]:[ipc_perm] 1522 comment=1, semaphore ID, "sem ID" 1523 note=ipc_perm 1524 syscall=semctl: IPC_STAT 1525# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1526 1527label=AUE_SEMGET 1528 format=arg1:[ipc_perm]:ipc 1529 comment=1, semaphore key, "sem key" 1530 note=ipc_perm 1531 syscall=semget 1532# ipc_perm token: semget -> audit_ipcget 1533 1534label=AUE_SEMGETL 1535 skip=Not used. 1536 1537label=AUE_SEMOP 1538 format=arg1:[ipc]:[ipc_perm] 1539 comment=1, semaphore ID, "sem ID" 1540 note=ipc_perm 1541# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc 1542 1543label=AUE_SEMSYS 1544 skip=Not used. (place holder) -- defaults to a semget variant 1545 1546label=AUE_SEND 1547 case=If address family is AF_INET or AF_INET6 1548 format=[arg]1:[inet] 1549 comment=1, file descriptor, "so" 1550 case=If address family is AF_UNIX and path is defined 1551 format=[path]1:[attr] 1552 comment=1, file descriptor, "so" 1553 case=If address family is AF_UNIX and path is NULL 1554 format=[path]1:[attr] 1555 comment=1, file descriptor, "no path: fd" 1556 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1557 format=[arg]1:[arg]2:[arg]3 1558 comment=1, file descriptor, "so": 1559 comment=1, family, "family": 1560 comment=1, type, "type" 1561# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) 1562 1563label=AUE_SENDMSG 1564 case=If invalid file descriptor 1565 format=arg1:arg2 1566 comment=1, file descriptor, "so": 1567 comment=3, flags, "flags" 1568 case=If valid file descriptor 1569 case=...and address family is AF_UNIX and path is defined 1570 format=path:attr 1571 case=...and address family is AF_UNIX and path is NULL 1572 format=path1:attr 1573 comment=1, file
descriptor, "nopath: fd" 1574 case=...and address family is AF_INET or AF_INET6, \ 1575 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1576 format=arg1:arg2:inet 1577 comment=1, file descriptor, "so": 1578 comment=3, flags, "flags" 1579 case=...and unknown address family or address family AF_INET or AF_INET6 \ 1580 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1581 format=arg1:arg2:arg3:arg4 1582 comment=1, file descriptor, "so": 1583 comment=1, family, "family": 1584 comment=1, type, "type": 1585 comment=1, flags, "flags" 1586 1587label=AUE_SENDTO 1588 case=If invalid file descriptor 1589 format=arg1:arg2 1590 comment=1, file descriptor, "so": 1591 comment=3, flags, "flags" 1592 case=If valid file descriptor 1593 case=...and socket is AF_UNIX and path is defined 1594 format=path:attr 1595 case=...and address family is AF_UNIX and path is NULL 1596 format=path1:attr 1597 comment=1, file descriptor, "nopath: fd" 1598 case=...and address family is AF_INET or AF_INET6 1599 format=arg1:arg2:inet 1600 comment=1, file descriptor, "so": 1601 comment=3, flags, "flags" 1602 case=...and unknown address family 1603 format=arg1:arg2:arg3:arg4 1604 comment=1, file descriptor, "so": 1605 comment=1, family, "family": 1606 comment=1, type, "type": 1607 comment=1, flags, "flags" 1608 1609label=AUE_SETAUDIT 1610 case=With a valid program stack address 1611 format=arg1:arg2:arg3:arg4:arg5:arg6 1612 comment=1, audit user ID, "setaudit:auid": 1613 comment=1, terminal ID, "setaudit:port": 1614 comment=1, terminal ID, "setaudit:machine": 1615 comment=1, preselection mask, "setaudit:as_success": 1616 comment=1, preselection mask, "setaudit:as_failure": 1617 comment=1, audit session ID, "setaudit:asid" 1618 case=With an invalid program stack address 1619 format=kernel 1620# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1621# argument,1,0x271a,setaudit:auid 1622# argument,1,0x3ff0201,setaudit:port 1623# argument,1,0x8192591e,setaudit:machine 1624# 
argument,1,0x400,setaudit:as_success 1625# argument,1,0x400,setaudit:as_failure 1626# argument,1,0x16f,setaudit:asid 1627# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1628# return,success,0 1629# trailer,215 1630# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1631# argument,1,0x271a,setaudit:auid 1632# argument,1,0x3ff0201,setaudit:port 1633# argument,1,0x8192591e,setaudit:machine 1634# argument,1,0x400,setaudit:as_success 1635# argument,1,0x400,setaudit:as_failure 1636# argument,1,0x16f,setaudit:asid 1637# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1638# return,success,0 1639# trailer,215 1640 1641label=AUE_SETAUDIT_ADDR 1642 case=With a valid program stack address 1643 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 1644 comment=1, audit user ID, "auid": 1645 comment=1, terminal ID, "port": 1646 comment=1, type, "type": 1647 comment=1, terminal ID, "ip address": 1648 comment=1, preselection mask, "as_success": 1649 comment=1, preselection mask, "as_failure": 1650 comment=1, audit session ID, "asid" 1651 case=With an invalid program stack address 1652 format=kernel 1653# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1654# argument,1,0x15fa7,auid 1655# argument,1,0x0,port 1656# argument,1,0x4,type 1657# ip address,tmach2 1658# argument,1,0x9c00,as_success 1659# argument,1,0x9c00,as_failure 1660# argument,1,0x1f1,asid 1661# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1662# return,success,0 1663 1664label=AUE_SETAUID 1665 format=arg1 1666 comment=2, audit user ID, "setauid" 1667 1668label=AUE_SETDOMAINNAME 1669 skip=Not used. 
(See AUE_SYSINFO) 1670# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1671 1672label=AUE_SETEGID 1673 format=arg1 1674 comment=1, group ID, "gid" 1675 1676label=AUE_SETEUID 1677 format=arg1 1678 comment=1, user ID, "euid" 1679 1680label=AUE_SETGID 1681 format=arg1 1682 comment=1, group ID, "gid" 1683 1684label=AUE_SETGROUPS 1685 note=If more than NGROUPS_MAX_DEFAULT groups listed, 1686 note=no tokens are generated. 1687 case=If no groups in list 1688 format=[arg]1 1689 comment=1, 0, "setgroups" 1690 case=If 1 or more groups in list 1691 format=(1..n)arg1 1692 comment=1, gid, "setgroups" 1693 1694label=AUE_SETHOSTNAME 1695 skip=Not used. (See AUE_SYSINFO) 1696# See sysinfo call with command SI_SET_HOSTNAME 1697 1698label=AUE_SETKERNSTATE 1699 skip=Not used. 1700 1701label=AUE_SETPGID 1702 format=[proc]:[arg]1 1703 comment=2, pgid, "pgid" 1704 1705label=AUE_SETPGRP 1706 format=kernel 1707 1708label=AUE_SETPRIORITY 1709 skip=Not used. 1710 1711label=AUE_SETPPRIV 1712 case=operation privileges off 1713 format=arg1:privset2 1714 comment=setppriv operation: 1715 comment=privileges actually switched off 1716 case=operation privileges on 1717 format=arg1:privset2 1718 comment=setppriv operation: 1719 comment=privileges actually switched on 1720 case=operation privileges set 1721 format=arg1:privset2:privset3 1722 comment=setppriv operation: 1723 comment=privileges before privset: 1724 comment=privileges after privset 1725#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1726#argument,2,0x2,op 1727#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1728#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1729#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1730#return,success,0 1731 1732label=AUE_SETREGID 1733 format=arg1:arg2 1734 comment=1, real group ID, "rgid": 1735 comment=2, effective group ID, "egid" 1736 1737label=AUE_SETREUID 1738 format=arg1:arg2 1739 comment=1, real user ID, "ruid": 1740
comment=2, effective user ID, "euid" 1741 1742label=AUE_SETRLIMIT 1743 format=kernel 1744# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1745# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1746# return,success,0 1747 1748label=AUE_SETSID 1749 format=kernel 1750 1751label=AUE_SETSOCKOPT 1752 case=Invalid file descriptor 1753 format=arg1:arg2 1754 comment=1, file descriptor, "so": 1755 comment=2, level, "level" 1756 case=Valid file descriptor 1757 case=...and socket is AF_UNIX 1758 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 1759 comment=if no path, will be argument: 1, "nopath: fd", \ 1760 file descriptor: 1761 comment=1, file descriptor, "so": 1762 comment=1, family, "family": 1763 comment=1, type, "type": 1764 comment=2, protocol level, "level": 1765 comment=3, option name, "optname": 1766 comment=5, option length, "optlen": 1767 comment=option data 1768 case=...and socket is AF_INET or AF_INET6 1769 format=arg1:arg2:arg3:[arg]4:[data]5:inet 1770 comment=1, file descriptor, "so": 1771 comment=2, protocol level, "level": 1772 comment=3, option name, "optname": 1773 comment=5, option length, "optlen": 1774 comment=option data 1775 case=...and socket address family is unknown 1776 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 1777 comment=1, file descriptor, "so": 1778 comment=1, family, "family": 1779 comment=1, type, "type": 1780 comment=2, protocol level, "level": 1781 comment=3, option name, "optname": 1782 comment=5, option length, "optlen": 1783 comment=option data 1784 1785label=AUE_SETTIMEOFDAY 1786 skip=Not used. 1787 1788label=AUE_SETUID 1789 syscall=setuid 1790 format=arg1 1791 comment=1, "uid" to be set 1792 1793label=AUE_SETUSERAUDIT 1794 skip=Not used.
1795 1796label=AUE_SHMAT 1797 format=arg1:arg2:[ipc]:[ipc_perm] 1798 comment=1, shared memory ID, "shm ID": 1799 comment=2, shared mem addr, "shm addr" 1800 note=ipc_perm 1801# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc 1802 1803label=AUE_SHMCTL 1804 format=arg1:[ipc]:[ipc_perm] 1805 comment=1, shared memory ID, "shm ID" 1806 note=ipc_perm 1807# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1808 1809label=AUE_SHMCTL_RMID 1810 format=arg1:[ipc]:[ipc_perm] 1811 comment=1, shared memory ID, "shm ID" 1812 note=ipc_perm 1813 syscall=shmctl: IPC_RMID 1814# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1815 1816label=AUE_SHMCTL_SET 1817 format=arg1:[ipc]:[ipc_perm] 1818 comment=1, shared memory ID, "shm ID" 1819 note=ipc_perm 1820 syscall=shmctl: IPC_SET 1821# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1822 1823label=AUE_SHMCTL_STAT 1824 format=arg1:[ipc]:[ipc_perm] 1825 comment=1, shared memory ID, "shm ID" 1826 note=ipc_perm 1827 syscall=shmctl: IPC_STAT 1828# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1829 1830label=AUE_SHMDT 1831 format=arg1 1832 comment=1, shared memory address, "shm adr" 1833 1834label=AUE_SHMGET 1835 format=arg1:[ipc_perm]:[ipc] 1836 comment=0, shared memory key, "shm key" 1837 note=ipc_perm 1838# ipc_perm: shmget -> audit_ipcget 1839 1840label=AUE_SHMGETL 1841 skip=Not used. 1842 1843label=AUE_SHMSYS 1844 skip=Not used.
(Placeholder for shmget and shmctl*) 1845 1846label=AUE_SHUTDOWN 1847 case=If the socket address is invalid 1848 format=[arg]1:[text]2:[text]3 1849 comment=1, file descriptor, "fd": 1850 comment=bad socket address: 1851 comment=bad peer address 1852 case=If the socket address is part of the AF_INET family 1853 case=..with zero file descriptor 1854 format=arg1:[arg]2:[arg]3:[arg]4 1855 comment=1, file descriptor, "so": 1856 comment=1, family, "family": 1857 comment=1, type, "type": 1858 comment=2, how shutdown code, "how" 1859 case=...with non-zero file descriptor 1860 format=arg1:arg2:inet 1861 comment=1, file descriptor, "so": 1862 comment=2, how shutdown code, "how" 1863 case=If the socket address is AF_UNIX 1864 case=...with zero file descriptor 1865 format=path1:arg2:[arg]3:[arg]4:[arg]5 1866 comment=If error: argument: \ 1867 1, "no path: fd", file descriptor: 1868 comment=1, file descriptor, "so": 1869 comment=1, family, "family": 1870 comment=1, type, "type": 1871 comment=2, how shutdown code, "how" 1872 case=...with non-zero file descriptor 1873 format=path1:arg2:arg3:inet 1874 comment=If error: argument: \ 1875 1, file descriptor, "no path: fd": 1876 comment=1, file descriptor, "so": 1877 comment=2, how shutdown code, "how" 1878#old BSM manual wrong; used audit_event.c 1879 1880label=AUE_SOCKACCEPT 1881 syscall=getmsg: socket accept 1882 format=inet:arg1:[path]:attr:arg2 1883 comment=1, file descriptor, "fd": 1884 comment=4, priority, "pri" 1885# see putmsg and getmsg for record format 1886# See audit.c for inet token and audit_start.c for other reference 1887 1888label=AUE_SOCKCONFIG 1889 format=arg1:arg2:arg3:[path]4 1890 comment=1, domain address, "domain": 1891 comment=2, type, "type": 1892 comment=3, protocol, "protocol": 1893 comment=If no path:argument -- 3, 0, "devpath" 1894 1895label=AUE_SOCKCONNECT 1896 syscall=putmsg: socket connect 1897 format=inet:arg1:[path]:attr:arg2 1898 comment=1, file descriptor, "fd": 1899 comment=4, priority, "pri" 
1900# same as AUE_SOCKACCEPT 1901 1902label=AUE_SOCKET 1903 format=arg1:[arg]2:arg3 1904 comment=1, socket domain, "domain": 1905 comment=2, socket type, "type": 1906 comment=3, socket protocol, "protocol" 1907 1908label=AUE_SOCKETPAIR 1909 skip=Not used. 1910# unreferenced 1911 1912label=AUE_SOCKRECEIVE 1913 syscall=getmsg 1914 format=inet:arg1:[path]:attr:arg2 1915 comment=1, file descriptor, "fd": 1916 comment=4, priority, "pri" 1917# see AUE_SOCKACCEPT 1918 1919label=AUE_SOCKSEND 1920syscall=putmsg 1921 format=inet:arg1:[path]:attr:arg2 1922 comment=1, file descriptor, "fd": 1923 comment=4, priority, "pri" 1924# see AUE_SOCKACCEPT 1925 1926label=AUE_STAT 1927 format=path:[attr] 1928 1929label=AUE_STATFS 1930 format=path:[attr] 1931 1932label=AUE_STATVFS 1933 format=path:[attr] 1934 1935label=AUE_STIME 1936 format=kernel 1937 1938label=AUE_SWAPON 1939 skip=Not used. 1940 1941label=AUE_SYMLINK 1942 format=path:text1:[attr] 1943 comment=symbolic link string 1944 1945label=AUE_SYSINFO 1946 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands 1947 note=are currently audited. 1948 format=arg1:[text]2 1949 comment=1, command, "cmd": 1950 comment=name 1951 1952label=AUE_SYSTEMBOOT 1953 title=system booted 1954 syscall=none 1955 format=head:text1 1956 comment="booting kernel" 1957# see audit_start.c and audit_io.c 1958# no subject or return / exit token 1959# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec 1960# text,booting kernel 1961 1962label=AUE_TRUNCATE 1963 skip=Not used. 1964 1965label=AUE_UMOUNT 1966 syscall=umount: old version 1967 note=Implemented as call of the newer umount2(2). 
1968 format=path:arg1:[path]:[attr] 1969 comment=2, mflag value = 0, "flags" 1970 1971label=AUE_UMOUNT2 1972 syscall=umount2 1973 format=path:arg1:[path]:[attr] 1974 comment=2, mflag value, "flags" 1975 1976label=AUE_UNLINK 1977 format=path:[attr] 1978 1979label=AUE_UNLINKAT 1980 see=openat(2) 1981 format=path:[path_attr]:[attr] 1982 1983label=AUE_UNMOUNT 1984 skip=Not used. 1985 1986label=AUE_UTIME 1987 format=path:[attr] 1988 1989label=AUE_UTIMES 1990 format=path:[attr] 1991 1992label=AUE_VFORK 1993 format=arg1 1994 comment=0, pid, "child PID" 1995 note=The vfork(2) return values are undefined because the audit record is 1996 note=produced at the point that the child process is spawned. 1997 1998label=AUE_VPIXSYS 1999 skip=Not used. 2000 2001label=AUE_VTRACE 2002 skip=Not used. 2003 2004label=AUE_WRITE 2005 format=path1:attr 2006 comment=if no path, argument -- 1, file descriptor, "no path: fd" 2007 note=An audit record is generated for write only once per file close. 2008 2009label=AUE_WRITEV 2010 skip=Not used. (obsolete) 2011 2012label=AUE_XMKNOD 2013 skip=Not used. xmknod() generates AUE_MKNOD 2014 2015label=AUE_XSTAT 2016 skip=Not used. xstat() generates AUE_STAT.
2017 2018label=AUE_PF_POLICY_ADDRULE 2019 title=Add IPsec policy rule 2020 see= 2021 syscall=none 2022 format=arg1:arg2:[zone]3:[text]4 2023 comment=Operation applied to active policy (1 is active, 0 is inactive): 2024 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2025 comment=affected zone: 2026 comment=Name of target tunnel 2027 2028label=AUE_PF_POLICY_DELRULE 2029 title=Delete IPsec policy rule 2030 see= 2031 syscall=none 2032 format=arg1:arg2:[zone]3:[text]4 2033 comment=Operation applied to active policy (1 is active, 0 is inactive): 2034 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2035 comment=affected zone: 2036 comment=Name of target tunnel 2037 2038label=AUE_PF_POLICY_CLONE 2039 title=Clone IPsec policy 2040 see= 2041 syscall=none 2042 format=arg1:arg2:[zone]3:[text]4 2043 comment=Operation applied to active policy (1 is active, 0 is inactive): 2044 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2045 comment=affected zone: 2046 comment=Name of target tunnel 2047 2048label=AUE_PF_POLICY_FLIP 2049 title=Flip IPsec policy 2050 see= 2051 syscall=none 2052 format=arg1:arg2:[zone]3:[text]4 2053 comment=Operation applied to active policy (1 is active, 0 is inactive): 2054 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2055 comment=affected zone: 2056 comment=Name of target tunnel 2057 2058label=AUE_PF_POLICY_FLUSH 2059 title=Flush IPsec policy rules 2060 see= 2061 syscall=none 2062 format=arg1:arg2:[zone]3:[text]4 2063 comment=Operation applied to active policy (1 is active, 0 is inactive): 2064 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2065 comment=affected zone: 2066 comment=Name of target tunnel 2067 2068label=AUE_PF_POLICY_ALGS 2069 title=Update IPsec algorithms 2070 see= 2071 syscall=none 2072 format=arg1:arg2:[zone]3:[text]4 2073 comment=Operation applied to active policy (1 is active, 0 is inactive): 2074 comment=Operation applied
to global policy (1 is global, 0 is tunnel): 2075 comment=affected zone: 2076 comment=Name of target tunnel 2077 2078label=AUE_allocate_fail 2079 program=/usr/sbin/allocate 2080 title=allocate: allocate-device failure 2081 format=(0..n)[text]1 2082 comment=command line arguments 2083# see audit_allocate.c 2084 2085label=AUE_allocate_succ 2086 program=/usr/sbin/allocate 2087 title=allocate: allocate-device success 2088 format=(0..n)[text]1 2089 comment=command line arguments 2090# see audit_allocate.c 2091 2092label=AUE_at_create 2093 program=/usr/bin/at 2094 title=at: at-create crontab 2095 format=path 2096 2097label=AUE_at_delete 2098 program=/usr/bin/at 2099 title=at: at-delete atjob (at or atrm) 2100 format=text1:path 2101 comment="ancillary file:" filename or "bad format of at-job name" 2102 2103label=AUE_at_perm 2104 skip=Not used. 2105# not referenced outside uevents.h 2106 2107label=AUE_create_user 2108 skip=Not used. 2109 2110label=AUE_cron_invoke 2111 program=/usr/sbin/cron 2112 title=cron: cron-invoke at or cron 2113 case=If issue with account find 2114 format=text1 2115 comment="bad user" name or "user <name> account expired" 2116 case=else 2117 format=text1:text2 2118 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \ 2119 or "unknown job type (<job_type_id>)": 2120 comment=command 2121 2122label=AUE_crontab_create 2123 program=/usr/bin/crontab 2124 title=crontab: crontab created 2125 format=path 2126# See audit_crontab.c 2127 2128label=AUE_crontab_delete 2129 program=/usr/bin/crontab 2130 title=crontab: crontab delete 2131 format=path 2132# See audit_crontab.c 2133 2134label=AUE_crontab_mod 2135 program=/usr/bin/crontab 2136 title=crontab: crontab modify 2137 format=path 2138# See audit_crontab.c 2139 2140label=AUE_crontab_perm 2141 skip=Not used. 
# Device deallocation records; same layout as the allocate records.
label=AUE_deallocate_fail
	program=/usr/sbin/deallocate
	title=deallocate-device failure
	format=(0..n)[text]1
	comment=command line arguments
# See audit_allocate.c

label=AUE_deallocate_succ
	program=/usr/sbin/deallocate
	title=deallocate-device success
	format=(0..n)[text]1
	comment=command line arguments
# See audit_allocate.c

# Account management events with no record definition in this file.
label=AUE_delete_user
	skip=Not used.

label=AUE_disable_user
	skip=Not used.

label=AUE_enable_user
	skip=Not used.

# in.ftpd: one optional text token carrying the error message.
label=AUE_ftpd
	program=/usr/sbin/in.ftpd
	title=in.ftpd
	format=[text]1
	comment=error message
# See audit_ftpd

label=AUE_ftpd_logout
	program=/usr/sbin/in.ftpd
	title=in.ftpd
	format=user
# See audit_ftpd

label=AUE_halt_solaris
	program=/usr/sbin/halt
	title=halt
	format=user
# See audit_halt.c

# kadmind records: operation, its argument and the client principal, as
# three text tokens; the authorized and unauthorized cases share a layout.
label=AUE_kadmind_auth
	format=text1:text2:text3
	comment=Op: <requested information>:
	comment=Arg: <argument for Op>:
	comment=Client: <client principal name>
# See audit_kadmin.c / common_audit()

label=AUE_kadmind_unauth
	format=text1:text2:text3
	comment=Op: <requested information>:
	comment=Arg: <argument for Op>:
	comment=Client: <client principal name>
# See audit_kadmin.c / common_audit()

# KDC request records: client principal and requested service name.
label=AUE_krb5kdc_as_req
	format=text1:text2
	comment=Client: <client principal name>:
	comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_krb5kdc_tgs_req
	format=text1:text2
	comment=Client: <client principal name>:
	comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_krb5kdc_tgs_req_alt_tgt
	format=text1:text2
	comment=Client: <client principal name>:
	comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()
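label=AUE_krb5kdc_tgs_req_2ndtktmm
	format=text1:text2
	comment=Client: <client principal name>:
	comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_listdevice_fail
	title=allocate-list devices failure
	program=/usr/sbin/allocate
	format=(0..n)[text]1
	comment=command line arguments
# See audit_allocate.c

label=AUE_listdevice_succ
	title=allocate-list devices success
	program=/usr/sbin/allocate
	format=(0..n)[text]1
	comment=command line arguments
# See audit_allocate.c

label=AUE_modify_user
	skip=Not used.

# mountd records: the remote client hostname as text, then the mount
# directory as a path token. Both records reference mountd(1M).
label=AUE_mountd_mount
	title=mountd: NFS mount
	program=/usr/lib/nfs/mountd
	see=mountd(1M)
	format=text1:path2
	comment=remote client hostname:
	comment=mount dir
# See audit_mountd.c

# see= was missing here while the mount record had it; both events come
# from the same daemon, so they now reference the same manual page.
label=AUE_mountd_umount
	title=mountd: NFS unmount
	program=/usr/lib/nfs/mountd
	see=mountd(1M)
	format=text1:path2
	comment=remote client hostname:
	comment=mount dir
# See audit_mountd.c

label=AUE_poweroff_solaris
	program=/usr/sbin/poweroff
	title=poweroff
	format=user
# See audit_halt.c

label=AUE_reboot_solaris
	program=/usr/sbin/reboot
	title=reboot
	format=user
# See audit_reboot.c
# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
# return,success,0

# Remote execution daemons (rexd, rexecd, rshd). The record carries the
# requesting host, the user name and the command line as text tokens;
# the error-message token is present only on failure.
label=AUE_rexd
	program=/usr/sbin/rpc.rexd
	title=rpc.rexd
	format=[text]1:text2:text3:[text]4:[text]5
	comment=error message (failure only):
	comment="Remote execution requested by:" hostname:
	comment="Username:" username:
	comment="User id:" user ID (failure only):
	comment="Command line:" command attempted
# See audit_rexd.c

label=AUE_rexecd
	program=/usr/sbin/rpc.rexecd
	title=rpc.rexecd
	format=[text]1:text2:text3:text4
	comment=error message (failure only):
	comment="Remote execution requested by:" hostname:
	comment="Username:" username:
	comment="Command line:" command attempted
# See audit_rexecd.c

label=AUE_rshd
	program=/usr/sbin/in.rshd
	title=in.rshd
	format=text1:text2:[text]3:[text]4
	comment="cmd" command:
	comment="remote user" remote user:
	comment="local user" local user:
	comment=failure message
# See audit_rshd.c

label=AUE_shutdown_solaris
	title=shutdown
	program=/usr/ucb/shutdown
	format=user
# See audit_shutdown.c

label=AUE_smserverd
	program=/usr/lib/smedia/rpc.smserverd
	format=[text]1:[text]2
	comment=state change:
	comment=vid, pid, major/minor device
# see usr/src/cmd/smserverd
# code shows a third token, path, but it isn't implemented.

label=AUE_uadmin_solaris
	title=uadmin (obsolete)
	program=
	see=
	format=text1:text2
	comment=function code:
	comment=argument code
# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml

# Trusted Network (labelsys) records. Each has two shapes: the flush
# command carries only the command argument, while load and delete add
# the entry being changed.
label=AUE_LABELSYS_TNRH
	title=config Trusted Network remote host cache
	see=tnrh(2)
	syscall=labelsys: TSOL_TNRH
	case=With the flush command (cmd=3)
	format=arg1
	comment=1, command, "cmd"
	case=With the load (cmd=1) and delete (cmd=2) commands
	format=arg1:inaddr2:arg3
	comment=1, command, "cmd":
	comment=ip address of host:
	comment=2, prefix length, "prefix len"

label=AUE_LABELSYS_TNRHTP
	title=config Trusted Network remote host template
	see=tnrhtp(2)
	syscall=labelsys: TSOL_TNRHTP
	case=With the flush command (cmd=3)
	format=arg1
	comment=1, command, "cmd"
	case=With the load (cmd=1) and delete (cmd=2) commands
	format=arg1:text2
	comment=1, command, "cmd":
	comment=name of template

label=AUE_LABELSYS_TNMLP
	title=config Trusted Network multi-level port entry
	see=tnmlp(2)
	syscall=labelsys: TSOL_TNMLP
	case=With the flush command (cmd=3)
	format=arg1:text2
	comment=1, command, "cmd":
	comment="shared", or name of zone
	case=With the load (cmd=1) and delete (cmd=2) commands
	format=arg1:text2:arg3:arg4:[arg]5
	comment=1, command, "cmd":
	comment="shared", or name of zone:
	comment=2, protocol number, "proto num":
	comment=2, starting mlp port number, "mlp_port":
	comment=2, ending mlp port number, "mlp_port_upper"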