1# 2# Copyright 2005 Sun Microsystems, Inc. All rights reserved. 3# Use is subject to license terms. 4# 5# CDDL HEADER START 6# 7# The contents of this file are subject to the terms of the 8# Common Development and Distribution License, Version 1.0 only 9# (the "License"). You may not use this file except in compliance 10# with the License. 11# 12# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 13# or http://www.opensolaris.org/os/licensing. 14# See the License for the specific language governing permissions 15# and limitations under the License. 16# 17# When distributing Covered Code, include this CDDL HEADER in each 18# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 19# If applicable, add the following below this CDDL HEADER, with the 20# fields enclosed by brackets "[]" replaced with your own identifying 21# information: Portions Copyright [yyyy] [name of copyright owner] 22# 23# CDDL HEADER END 24# 25# ident "%Z%%M% %I% %E% SMI" 26# 27# Audit Event Database 28# 29# File Format: 30# 31# event number:event name:event description:event classes (comma separated) 32# 33# Used to map audit events to audit classes for preselection and post-selection. 34# Used by TCB programs that write audit records to preselect audit events 35# based on event to class mappings. 36# 37# NOTE: several events are obsolete but must continue to be defined here for 38# compatibility reasons. Obsolete events are defined in the "no" (invalid) 39# class to indicate they will not be generated. Other events in the "no" 40# class which are not obsolete (but are in this class for other reasons), 41# are individually noted with a comment for explanation. 42# 43# System Adminstrators: Do NOT modify or add events with an event number less 44# than 32768. These are reserved by the system. 45# 46# 0 Reserved as an invalid event number. 47# 1 - 2047 Reserved for the Solaris Kernel events. 48# 2048 - 32767 Reserved for the Solaris TCB programs. 49# 32768 - 65535 Available for third party TCB applications. 50# 51# 6144 - 32767 SunOS 5.X user level audit events 52# 53# 54# kernel audit events 55# 560:AUE_NULL:indir system call:no 571:AUE_EXIT:exit(2):ps 582:AUE_FORK:fork(2):ps 59# AUE_OPEN is a placeholder and will not be generated 603:AUE_OPEN:open(2) - place holder:no 614:AUE_CREAT:creat(2):fc 625:AUE_LINK:link(2):fc 636:AUE_UNLINK:unlink(2):fd 647:AUE_EXEC:exec(2):ps,ex 658:AUE_CHDIR:chdir(2):pm 669:AUE_MKNOD:mknod(2):fc 6710:AUE_CHMOD:chmod(2):fm 6811:AUE_CHOWN:chown(2):fm 6912:AUE_UMOUNT:umount(2) - old version:as 7013:AUE_JUNK:junk:no 7114:AUE_ACCESS:access(2):fa 7215:AUE_KILL:kill(2):pm 7316:AUE_STAT:stat(2):fa 7417:AUE_LSTAT:lstat(2):fa 7518:AUE_ACCT:acct(2):as 7619:AUE_MCTL:mctl(2):no 7720:AUE_REBOOT:reboot(2):no 7821:AUE_SYMLINK:symlink(2):fc 7922:AUE_READLINK:readlink(2):fr 8023:AUE_EXECVE:execve(2):ps,ex 8124:AUE_CHROOT:chroot(2):pm 8225:AUE_VFORK:vfork(2):ps 8326:AUE_SETGROUPS:setgroups(2):pm 8427:AUE_SETPGRP:setpgrp(2):pm 8528:AUE_SWAPON:swapon(2):no 8629:AUE_SETHOSTNAME:sethostname(2):no 8730:AUE_FCNTL:fcntl(2):fm 8831:AUE_SETPRIORITY:setpriority(2):no 8932:AUE_CONNECT:connect(2):nt 9033:AUE_ACCEPT:accept(2):nt 9134:AUE_BIND:bind(2):nt 9235:AUE_SETSOCKOPT:setsockopt(2):nt 9336:AUE_VTRACE:vtrace(2):pm 9437:AUE_SETTIMEOFDAY:settimeofday(2):no 9538:AUE_FCHOWN:fchown(2):fm 9639:AUE_FCHMOD:fchmod(2):fm 9740:AUE_SETREUID:setreuid(2):pm 9841:AUE_SETREGID:setregid(2):pm 9942:AUE_RENAME:rename(2):fc,fd 10043:AUE_TRUNCATE:truncate(2):no 10144:AUE_FTRUNCATE:ftruncate(2):no 10245:AUE_FLOCK:flock(2):no 10346:AUE_SHUTDOWN:shutdown(2):nt 10447:AUE_MKDIR:mkdir(2):fc 10548:AUE_RMDIR:rmdir(2):fd 10649:AUE_UTIMES:utimes(2):fm 10750:AUE_ADJTIME:adjtime(2):as 10851:AUE_SETRLIMIT:setrlimit(2):ua 10952:AUE_KILLPG:killpg(2):no 11053:AUE_NFS_SVC:nfs_svc(2):no 11154:AUE_STATFS:statfs(2):fa 11255:AUE_FSTATFS:fstatfs(2):fa 11356:AUE_UNMOUNT:unmount(2):no 11457:AUE_ASYNC_DAEMON:async_daemon(2):no 11558:AUE_NFS_GETFH:nfs_getfh(2):no 11659:AUE_SETDOMAINNAME:setdomainname(2):no 11760:AUE_QUOTACTL:quotactl(2):no 11861:AUE_EXPORTFS:exportfs(2):no 11962:AUE_MOUNT:mount(2):as 120# AUE_SEMSYS is a placeholder and will not be generated 12163:AUE_SEMSYS:semsys(2) - place holder:no 122# AUE_MSGSYS is a placeholder and will not be generated 12364:AUE_MSGSYS:msgsys(2) - place holder:no 124# AUE_SHMSYS is a placeholder and will not be generated 12565:AUE_SHMSYS:shmsys(2) - place holder:no 12666:AUE_BSMSYS:bsmsys(2) - place holder:no 12767:AUE_RFSSYS:rfssys(2) - place holder:no 12868:AUE_FCHDIR:fchdir(2):pm 12969:AUE_FCHROOT:fchroot(2):pm 13070:AUE_VPIXSYS:vpixsys(2) - place holder:no 13171:AUE_PATHCONF:pathconf(2):fa 13272:AUE_OPEN_R:open(2) - read:fr 13373:AUE_OPEN_RC:open(2) - read,creat:fc,fr 13474:AUE_OPEN_RT:open(2) - read,trunc:fd,fr 13575:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr 13676:AUE_OPEN_W:open(2) - write:fw 13777:AUE_OPEN_WC:open(2) - write,creat:fc,fw 13878:AUE_OPEN_WT:open(2) - write,trunc:fd,fw 13979:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw 14080:AUE_OPEN_RW:open(2) - read,write:fr,fw 14181:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr 14282:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw 14383:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr 14484:AUE_MSGCTL:msgctl(2) - illegal command:ip 14585:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip 14686:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip 14787:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip 14888:AUE_MSGGET:msgget(2):ip 14989:AUE_MSGRCV:msgrcv(2):ip 15090:AUE_MSGSND:msgsnd(2):ip 15191:AUE_SHMCTL:shmctl(2) - illegal command:ip 15292:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip 15393:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip 15494:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip 15595:AUE_SHMGET:shmget(2):ip 15696:AUE_SHMAT:shmat(2):ip 15797:AUE_SHMDT:shmdt(2):ip 15898:AUE_SEMCTL:semctl(2) - illegal command:ip 15999:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip 160100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip 161101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip 162102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip 163103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip 164104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip 165105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip 166106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip 167107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip 168108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip 169109:AUE_SEMGET:semget(2):ip 170110:AUE_SEMOP:semop(2):ip 171111:AUE_CORE:process dumped core:fc 172112:AUE_CLOSE:close(2):cl 173113:AUE_SYSTEMBOOT:system booted:na 174114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:no 175115:AUE_NFSSVC_EXIT:nfssvc(2) exited:no 176128:AUE_WRITEL:writel(2):no 177129:AUE_WRITEVL:writevl(2):no 178130:AUE_GETAUID:getauid(2):aa 179131:AUE_SETAUID:setauid(2):aa 180132:AUE_GETAUDIT:getaudit(2):aa 181133:AUE_SETAUDIT:setaudit(2):aa 182134:AUE_GETUSERAUDIT:getuseraudit(2):no 183135:AUE_SETUSERAUDIT:setuseraudit(2):no 184136:AUE_AUDITSVC:auditsvc(2):as 185# AUE_AUDITON is a placeholder and will not be generated 186138:AUE_AUDITON:auditon(2) - place holder:no 187139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:no 188140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:no 189141:AUE_AUDITON_GPOLICY:auditon(2) - get audit policy flags:aa 190142:AUE_AUDITON_SPOLICY:auditon(2) - set audit policy flags:as 191143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:no 192144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:no 193145:AUE_AUDITON_GQCTRL:auditon(2) - get queue control parameters:as 194146:AUE_AUDITON_SQCTRL:auditon(2) - set queue control parameters:as 195147:AUE_GETKERNSTATE:getkernstate(2):no 196148:AUE_SETKERNSTATE:setkernstate(2):no 197149:AUE_GETPORTAUDIT:getportaudit(2):no 198150:AUE_AUDITSTAT:auditstat(2):no 199153:AUE_ENTERPROM:enter prom:na 200154:AUE_EXITPROM:exit prom:na 201158:AUE_IOCTL:ioctl(2):io 202173:AUE_ONESIDE:one-sided session record:no 203174:AUE_MSGGETL:msggetl(2):no 204175:AUE_MSGRCVL:msgrcvl(2):no 205176:AUE_MSGSNDL:msgsndl(2):no 206177:AUE_SEMGETL:semgetl(2):no 207178:AUE_SHMGETL:shmgetl(2):no 208183:AUE_SOCKET:socket(2):nt 209184:AUE_SENDTO:sendto(2):nt 210# AUE_PIPE is a potentially very high-volume event, use with caution 211185:AUE_PIPE:pipe(2):no 212186:AUE_SOCKETPAIR:socketpair(2):no 213187:AUE_SEND:send(2):no 214188:AUE_SENDMSG:sendmsg(2):nt 215189:AUE_RECV:recv(2):no 216190:AUE_RECVMSG:recvmsg(2):nt 217191:AUE_RECVFROM:recvfrom(2):nt 218# AUE_READ is a potentially very high-volume event, use with caution 219192:AUE_READ:read(2):no 220193:AUE_GETDENTS:getdents(2):no 221194:AUE_LSEEK:lseek(2):no 222# AUE_WRITE is a potentially very high-volume event, use with caution 223195:AUE_WRITE:write(2):no 224196:AUE_WRITEV:writev(2):no 225197:AUE_NFS:nfs server:no 226198:AUE_READV:readv(2):no 227199:AUE_OSTAT:old stat(2):no 228200:AUE_SETUID:old setuid(2):pm 229201:AUE_STIME:old stime(2):as 230202:AUE_UTIME:old utime(2):fm 231203:AUE_NICE:old nice(2):pm 232204:AUE_OSETPGRP:old setpgrp(2):no 233205:AUE_SETGID:old setgid(2):pm 234206:AUE_READL:readl(2):no 235207:AUE_READVL:readvl(2):no 236208:AUE_FSTAT:fstat(2):no 237209:AUE_DUP2:dup2(2):no 238# AUE_MMAP is a potentially very high-volume event, use with caution 239210:AUE_MMAP:mmap(2):no 240# AUE_AUDIT is a potentially very high-volume event, use with caution 241211:AUE_AUDIT:audit(2):no 242212:AUE_PRIOCNTLSYS:priocntlsys(2):pm 243213:AUE_MUNMAP:munmap(2):cl 244214:AUE_SETEGID:setegid(2):pm 245215:AUE_SETEUID:seteuid(2):pm 246216:AUE_PUTMSG:putmsg(2):nt 247217:AUE_GETMSG:getmsg(2):nt 248218:AUE_PUTPMSG:putpmsg(2):nt 249219:AUE_GETPMSG:getpmsg(2):nt 250# AUE_AUDITSYS is a placeholder and will not be generated 251220:AUE_AUDITSYS:audit system calls place holder:no 252221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:aa 253222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:as 254223:AUE_AUDITON_GETCWD:auditon(2) - get current working directory:aa,as 255224:AUE_AUDITON_GETCAR:auditon(2) - get current active root:aa,as 256225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:as 257226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:as 258227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per audit uid:as 259228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:as 260229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:aa 261230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:as 262231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:aa,as 263232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:as 264233:AUE_FUSERS:utssys(2) - fusers:fa 265234:AUE_STATVFS:statvfs(2):fa 266235:AUE_XSTAT:xstat(2):no 267236:AUE_LXSTAT:lxstat(2):no 268237:AUE_LCHOWN:lchown(2):fm 269238:AUE_MEMCNTL:memcntl(2):ot 270239:AUE_SYSINFO:sysinfo(2):as 271240:AUE_XMKNOD:xmknod(2):no 272241:AUE_FORK1:fork1(2):ps 273# AUE_MODCTL is a placeholder and will not be generated 274242:AUE_MODCTL:modctl(2) system call place holder:no 275243:AUE_MODLOAD:modctl(2) - load module:as 276244:AUE_MODUNLOAD:modctl(2) - unload module:as 277# AUE_MODCONFIG is a place holder and will not be generated 278245:AUE_MODCONFIG:modctl(2) - no longer generated:no 279246:AUE_MODADDMAJ:modctl(2) - bind module:as 280247:AUE_SOCKACCEPT:getmsg-accept:nt 281248:AUE_SOCKCONNECT:putmsg-connect:nt 282249:AUE_SOCKSEND:putmsg-send:nt 283250:AUE_SOCKRECEIVE:getmsg-receive:nt 284251:AUE_ACLSET:acl(2) - SETACL command:fm 285252:AUE_FACLSET:facl(2) - SETACL command:fm 286# AUE_DOORFS is a placeholder and will not be generated 287253:AUE_DOORFS:doorfs(2) - system call place holder:no 288254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip 289255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip 290256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip 291257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip 292258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip 293259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip 294260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip 295261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip 296262:AUE_P_ONLINE:p_online(2):as 297263:AUE_PROCESSOR_BIND:processor_bind(2):as 298264:AUE_INST_SYNC:inst_sync(2):as 299265:AUE_SOCKCONFIG:configure socket:nt 300266:AUE_SETAUDIT_ADDR:setaudit_addr(2):aa 301267:AUE_GETAUDIT_ADDR:getaudit_addr(2):aa 302268:AUE_UMOUNT2:umount2(2):as 303# AUE_FSAT is a placeholder and will not be generated 304269:AUE_FSAT:fsat(2) - place holder:no 305270:AUE_OPENAT_R:openat(2) - read:fr 306271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr 307272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr 308273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr 309274:AUE_OPENAT_W:openat(2) - write:fw 310275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw 311276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw 312277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw 313278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw 314279:AUE_OPENAT_RWC:openat(2) - read,write,creat:fc,fw,fr 315280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fr,fw 316281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr 317282:AUE_RENAMEAT:renameat(2):fc,fd 318# AUE_FSTATAT is a potentially very high-volume event, use with caution 319283:AUE_FSTATAT:fstatat(2):no 320284:AUE_FCHOWNAT:fchownat(2):fm 321285:AUE_FUTIMESAT:futimesat(2):fm 322286:AUE_UNLINKAT:unlinkat(2):fd 323287:AUE_CLOCK_SETTIME:clock_settime(3RT):as 324288:AUE_NTP_ADJTIME:ntp_adjtime(2):as 325289:AUE_SETPPRIV:setppriv(2):pm 326290:AUE_MODDEVPLCY:modctl(2) - configure device policy:as 327291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:as 328292:AUE_CRYPTOADM:kernel cryptographic framework:as 329# 330# user level audit events 331# 332# 2048 - 6143 Reserved 333# 3346144:AUE_at_create:at-create atjob:ua 3356145:AUE_at_delete:at-delete atjob (at or atrm):ua 3366146:AUE_at_perm:at-permission:no 3376147:AUE_cron_invoke:cron-invoke:ua 3386148:AUE_crontab_create:crontab-crontab created:ua 3396149:AUE_crontab_delete:crontab-crontab deleted:ua 3406150:AUE_crontab_perm:crontab-persmisson:no 3416151:AUE_inetd_connect:inetd connect:na 3426152:AUE_login:login - local:lo 3436153:AUE_logout:logout:lo 3446154:AUE_telnet:login - telnet:lo 3456155:AUE_rlogin:login - rlogin:lo 3466156:AUE_mountd_mount:mount:na 3476157:AUE_mountd_umount:unmount:na 3486158:AUE_rshd:rsh access:lo 3496159:AUE_su:su:lo 3506160:AUE_halt_solaris:halt(1m):ss 3516161:AUE_reboot_solaris:reboot(1m):ss 3526162:AUE_rexecd:rexecd:lo 3536163:AUE_passwd:passwd:lo 3546164:AUE_rexd:rexd:lo 3556165:AUE_ftpd:ftp access:lo 3566166:AUE_init_solaris:init(1m):ss 3576167:AUE_uadmin_solaris:uadmin(1m):ss 3586168:AUE_shutdown_solaris:shutdown(1b):ss 3596169:AUE_poweroff_solaris:poweroff(1m):ss 3606170:AUE_crontab_mod:crontab-modify:ua 3616171:AUE_ftpd_logout:ftp logout:lo 3626172:AUE_ssh:login - ssh:lo 3636173:AUE_role_login:role login:lo 3646180:AUE_prof_cmd:profile command:ua,as 3656181:AUE_filesystem_add:add filesystem:as 3666182:AUE_filesystem_delete:delete filesystem:as 3676183:AUE_filesystem_modify:modify filesystem:as 3686184:AUE_network_add:add network attributes:as 3696185:AUE_network_delete:delete network attributes:as 3706186:AUE_network_modify:modify network attributes:as 3716187:AUE_printer_add:add printer:as 3726188:AUE_printer_delete:delete printer:as 3736189:AUE_printer_modify:modify printer:as 3746190:AUE_scheduledjob_add:add scheduled job:ua 3756191:AUE_scheduledjob_delete:delete scheduled job:ua 3766192:AUE_scheduledjob_modify:modify scheduled job:ua 3776193:AUE_serialport_add:add serial port:as 3786194:AUE_serialport_delete:delete serial port:as 3796195:AUE_serialport_modify:modify serial port:as 3806196:AUE_usermgr_add:add user/user attributes:ua 3816197:AUE_usermgr_delete:delete user/user attributes:ua 3826198:AUE_usermgr_modify:modify user/user attributes:ua 3836199:AUE_uauth:authorization used:ua,as 3846200:AUE_allocate_succ:allocate-device success:ot 3856201:AUE_allocate_fail:allocate-device failure:ot 3866202:AUE_deallocate_succ:deallocate-device success:ot 3876203:AUE_deallocate_fail:deallocate-device failure:ot 3886205:AUE_listdevice_succ:allocate-list devices success:ot 3896206:AUE_listdevice_fail:allocate-list devices failure:ot 3906207:AUE_create_user:create user:ua 3916208:AUE_modify_user:modify user:ua 3926209:AUE_delete_user:delete user:ua 3936210:AUE_disable_user:disable user:ua 3946211:AUE_enable_user:enable user:ua 3956212:AUE_newgrp_login:newgrp login:lo 3966213:AUE_admin_authenticate:admin login:lo 3976214:AUE_kadmind_auth:authenticated kadmind request:ua 3986215:AUE_kadmind_unauth:unauthenticated kadmind req:ua 3996216:AUE_krb5kdc_as_req:kdc authentication svc request:ap 4006217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap 4016218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap 4026219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap 4036220:AUE_smserverd:smserverd:ot 4046221:AUE_screenlock:screenlock - lock:lo 4056222:AUE_screenunlock:screenlock - unlock:lo 4066223:AUE_zone_state:zoneadmd:ss 4076224:AUE_inetd_copylimit:inetd copylimit:na 4086225:AUE_inetd_failrate:inetd failrate:na 4096226:AUE_inetd_ratelimit:inetd ratelimit:na 4106227:AUE_zlogin:login - zlogin:lo 411