1<?xml version="1.0" standalone="yes"?> 2<!DOCTYPE specification SYSTEM "audit.dtd"> 3<!-- 4 CDDL HEADER START 5 6 The contents of this file are subject to the terms of the 7 Common Development and Distribution License (the "License"). 8 You may not use this file except in compliance with the License. 9 10 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 11 or http://www.opensolaris.org/os/licensing. 12 See the License for the specific language governing permissions 13 and limitations under the License. 14 15 When distributing Covered Code, include this CDDL HEADER in each 16 file and include the License file at usr/src/OPENSOLARIS.LICENSE. 17 If applicable, add the following below this CDDL HEADER, with the 18 fields enclosed by brackets "[]" replaced with your own identifying 19 information: Portions Copyright [yyyy] [name of copyright owner] 20 21 CDDL HEADER END 22 23Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24Use is subject to license terms. 25 26 ident "%Z%%M% %I% %E% SMI" 27--> 28 29<specification> 30 31<!-- comments are displayed to stderr if debug is on --> 32<debug set="off"/> 33 34 <!-- The order of events is arbitrary EXCEPT generic events must 35 precede their instances --> 36 <!-- The order of entries within an event determine the order 37 data is defined in the external API --> 38 <!-- The order of internal / external is arbitrary --> 39 40<!-- 41 tags: 42 The following top level tags are defined: 43 <event> <token> <msg_list> <debug> 44 45 event defines an audit record 46 - id is the record id from audit_uevents.h 47 - reorder="yes" or "no". (default is "no"). 48 if "yes" then the order of the tokens to be 49 output does not match the order of the data 50 input. (see order attribute of <entry>) 51 - header defines the header file to contain the external 52 definitions for this event type. The header file 53 name is adt_event_N.h, where N is the value supplied 54 header="0" is for "stable" events, > 0 for new ones. 55 with this attribute. (header="1"). 56 - idNo is the number associated with the external 57 name of this event. (For AUE_login, ADT_login is 58 the external name and idNo is the value for 59 ADT_login.) 60 - omit is by default 'no' (i.e., don't omit) and can be 61 'always' or 'JNI'. In the latter case, C interface 62 code is generated but neither Java nor JNI code is. 63 - included text is just a comment 64 Within an event block, the following tags are defined: 65 <entry>, <debug>, <altname>, <title>, <program>, <see> 66 67 altname defines the internal name of an audit record; if 68 omitted, the internal name is the same as the 69 external name. 70 71 title, these tags are used by bsmrecord build to create 72 program, audit_record_attr database from adt events. 73 see Following example demonstrates their semantics: 74 75 bsmrecord -p passwd 76 passwd <- <title> 77 program various See passwd(1) 78 ^- <program> ^- <see> 79 event ID 6163 AUE_passwd 80 class lo (0x00001000) 81 header 82 subject 83 [text] username... 84 ^- <comment> 85 return 86 87 entry defines the correspondence between the data 88 supplied by the caller and the token to be 89 output. 90 - id is the data name that shows up in the structures 91 of adt_event.h If it is a comma separated list, 92 it is the list of names of data to be associated 93 with one output token. (See <external>, below) 94 Within an entry block, the following tags are defined: 95 <internal>, <external>, <debug>, <comment> 96 97 internal defines the token to be generated. 98 - token is a name that must also be defined with 99 a <token> tag elsewhere in this file. (order is 100 not important). 101 - order="some number" determines the order of the 102 tokens to be output, starting with 1. The subject 103 token is normally order="1". The use is to insure 104 that the order of fields listed in adt_event.h does 105 not change when we arbitrarily change the order of 106 tokens. If the <event reorder="yes"> is not set, 107 order is ignored. 108 - format is a printf-like string that will be used 109 in to format the data supplied by the user. 110 111 external defines the data to be supplied for creating the 112 token defined via <internal> 113 - opt is one of four values: "required", "optional", 114 "obsolete", or "none". The first two values 115 indicate that this token's data must or may 116 be supplied by the user; the third value is 117 equivalent to "optional" but shows in the 118 comment that this field is no longer used; 119 the forth value indicates that this token 120 does not require any user-supplied data. If 121 data is required, then a token is always 122 output, while optional data is output only 123 if data is supplied. 124 - type describes the C data type to be associated 125 with the <entry id="dataName">. The following 126 data types are representative: 127 128 au_asid_t (uint32_t) 129 char 130 char * (blank is optional) 131 char ** (blank is optional) 132 fd_t (int, a file descriptor) 133 uint_t, int, int32_t, uid_t, gid_t 134 uid_t *, gid_t * 135 long, ulong_t 136 m_label_t * 137 pid_t 138 priv_set_t * 139 uint16_t, unit32_t, uint64_t 140 uint32_t *, uint32_t[], uint64_t * 141 msg (not a C type, see below) 142 143 Below is what Tony said. Above seems to be 144 what is implemented 145 char 146 char * (blank is optional) 147 char ** (blank is optional) 148 int, uid_t, gid_t 149 int *, uid_t *, gid_t * 150 msg (not a C type, see below) 151 time_t 152 uint, uint * 153 154 The msg type refers to an enumerated type 155 that must be defined via a <msg> description 156 else where in this file. The syntax is 157 special. Example: <external opt="optional" 158 type="msg login_text"/> "login_text" is the 159 id of a <msg_list> descriptor given 160 elsewhere in this file. 161 162 If the <entry> id is a list, the type must also 163 be a comma-separated list, where the types are 164 in the same order as the id's. 165 If the type is an array, its length must be given 166 explicitly. 167 168 comment Used by bsmrecord build to generate audit_record_attr. 169 Comment is explanation note printed with token type. 170 See example above for other tags related to bsmrecord. 171 172 token Define allowed token names. 173 - id is the name of token; this name is used 174 as an <internal> id. 175 - usage is an optional value. At present, only 176 "TSOL" is defined; it means that this data is 177 to be used only in Trusted Solaris implementations. 178 179 msg_list Define a set of text strings. 180 - id is the name to be used for this group of text 181 strings in adt_event.h 182 - header is as defined for <event> 183 - start is a number where produced enum type begins; 184 ensure msg lists do not overlap 185 Within a msg_list block, <msg> and <debug> are defined. 186 The order of <msg> tags in a msg_list is reflected 187 directly in adt_event.h. Also add ADT_LIST_<<id>> to 188 enum adt_msg_list in adt_xlate.h. 189 190 msg Define one string. 191 - id is the name to be used in the enum describing 192 this set of strings. Convention: use upper case. 193 The content (text between <msg> and </msg>) is the 194 actual string. Extra white space, including line 195 feeds, is ignored. If empty, no output token 196 is generated unless the <external> opt attribute is 197 set to "required", in which case a blank text token 198 is generated. 199 Within a msg block, <debug> is defined, but has not been 200 tested and may have no effect. 201 202 debug This turns on/off debug messages during the processing 203 of the xml data. It affects the block within which it 204 is defined. 205 - set may have one of two values: "on" or "off". If 206 set is omitted, the debug state for the current block 207 is toggled. 208 The use of the <debug> tag does not affect the output 209 of data to the various files created, but does generate 210 potentially large amounts of output to stderr. 211 212--> 213<!-- template for an event record definition 214 215 <event id="" header="0" idNo=""> 216 <entry id="subject"> 217 <internal token="subject"/> 218 <external opt="none"/> 219 </entry> 220 <entry id=""> 221 <internal token=""/> 222 <external opt="" type="" /> 223 </entry> 224 <entry id="return"> 225 <internal token="return"/> 226 <external opt="none"/> 227 </entry> 228 </event> 229 230 Generic events must precede Instance events; within each 231 group, please group the AUE_* by area and event idNo-s in order, 232 gaps in idNo-s are OK. 233 N.B. Renumbering idNo-s requires recompilation of consumers. See 234 the contracts for whom to notify if/when this happens. 235--> 236 237<!-- generic events --> 238 239 <!-- 240 'omit="always"' means that this record type is not reflected 241 in the generated header and table files. 242 --> 243 244 <event id="AUE_generic_basic" type="generic" omit="always"> 245 <!-- 246 247 This is a template for the event types that have no tokens 248 other than the header and return. There is no allowed_type 249 list because the template is not externally visible due to the 250 omit="always". 251 252 --> 253 <entry id="subject"> 254 <internal token="subject"/> 255 <external opt="none"/> 256 </entry> 257 <entry id="return"> 258 <internal token="return"/> 259 <external opt="none"/> 260 </entry> 261 </event> 262 263 <event id="AUE_generic_login" type="generic" omit="always"> 264 <!-- 265 266 This is a template for the various login event types 267 AUE_login, AUE_ftp, etc which match this template. There is 268 no allowed_type list because the template is not externally 269 visible due to the omit="always". 270 271 --> 272 <entry id="subject"> 273 <internal token="subject"/> 274 <external opt="none"/> 275 </entry> 276 277 <!-- This field is still in use for SMC until it is cleaned up, 278 it must remain, see login_text msg list at the end of the 279 file. 280 --> 281 <entry id="message"> 282 <internal token="text"/> 283 <external opt="optional" type="msg login_text"/> 284 <comment>error message</comment> 285 </entry> 286 <entry id="return"> 287 <internal token="return"/> 288 <external opt="none"/> 289 </entry> 290 </event> 291 292<!-- generic SMC events --> 293 294 <event id="AUE_generic_SMC_add" type="generic" omit="always"> 295 <entry id="subject"> 296 <internal token="subject"/> 297 <external opt="none"/> 298 </entry> 299 <entry id="object_name"> 300 <internal token="text"/> 301 <external opt="required" type="char *"/> 302 <comment>object name</comment> 303 </entry> 304 <entry id="domain"> 305 <internal token="text"/> 306 <external opt="optional" type="char *"/> 307 <comment>domain</comment> 308 </entry> 309 <entry id="name_service"> 310 <internal token="text"/> 311 <external opt="required" type="char *"/> 312 <comment>name_service</comment> 313 </entry> 314 <entry id="auth_used"> 315 <internal token="uauth"/> 316 <external opt="optional" type="char *"/> 317 <comment>authorization used</comment> 318 </entry> 319 <!-- 320 This should really be its own token type, not "text" 321 --> 322 <entry id="initial_values"> 323 <internal token="text"/> 324 <external opt="required" type="char *"/> 325 <comment>initial values</comment> 326 </entry> 327 <entry id="return"> 328 <internal token="return"/> 329 <external opt="none"/> 330 </entry> 331 </event> 332 333 <event id="AUE_generic_SMC_delete" type="generic" omit="always"> 334 <entry id="subject"> 335 <internal token="subject"/> 336 <external opt="none"/> 337 </entry> 338 <entry id="object_name"> 339 <internal token="text"/> 340 <external opt="required" type="char *"/> 341 <comment>object name</comment> 342 </entry> 343 <entry id="domain"> 344 <internal token="text"/> 345 <external opt="optional" type="char *"/> 346 <comment>domain</comment> 347 </entry> 348 <entry id="name_service"> 349 <internal token="text"/> 350 <external opt="required" type="char *"/> 351 <comment>name_service</comment> 352 </entry> 353 <entry id="auth_used"> 354 <internal token="uauth"/> 355 <external opt="optional" type="char *"/> 356 <comment>authorization used</comment> 357 </entry> 358 <entry id="delete_values"> 359 <internal token="text"/> 360 <external opt="required" type="char *"/> 361 <comment>deleted values</comment> 362 </entry> 363 <entry id="return"> 364 <internal token="return"/> 365 <external opt="none"/> 366 </entry> 367 </event> 368 369 <event id="AUE_generic_SMC_modify" type="generic" omit="always"> 370 <entry id="subject"> 371 <internal token="subject"/> 372 <external opt="none"/> 373 </entry> 374 <entry id="object_name"> 375 <internal token="text"/> 376 <external opt="required" type="char *"/> 377 <comment>object name</comment> 378 </entry> 379 <entry id="domain"> 380 <internal token="text"/> 381 <external opt="optional" type="char *"/> 382 <comment>domain</comment> 383 </entry> 384 <entry id="name_service"> 385 <internal token="text"/> 386 <external opt="required" type="char *"/> 387 <comment>name_service</comment> 388 </entry> 389 <entry id="auth_used"> 390 <internal token="uauth"/> 391 <external opt="optional" type="char *"/> 392 <comment>authorization used</comment> 393 </entry> 394 <entry id="changed_values"> 395 <internal token="text"/> 396 <external opt="required" type="char *"/> 397 <comment>changed values</comment> 398 </entry> 399 <entry id="return"> 400 <internal token="return"/> 401 <external opt="none"/> 402 </entry> 403 </event> 404 405<!-- instances --> 406 407<!-- 408 Java needed for SMC events. Since the SMC events grow less 409 often than the C related events. They come first. It 410 would be nice to reorder the idNo-s, but that's an ABI 411 change and should rev libbsm version no. If reordered 412 start with 1 and eliminate the comment at the end about 413 the highest idNo. 414--> 415 <event id="AUE_admin_authenticate" instance_of="AUE_generic_login" 416 header="0" idNo="3"> 417 <title>Admin Server Authentication</title> 418 <program>admin (various)</program> 419 <see>SMC, WBEM, or AdminSuite</see> 420 </event> 421 422 <event id="AUE_filesystem_add" instance_of="AUE_generic_SMC_add" 423 header="0" idNo="4"> 424 <title>SMC: filesystem add</title> 425 <program>SMC server</program> 426 </event> 427 <event id="AUE_filesystem_delete" instance_of="AUE_generic_SMC_delete" 428 header="0" idNo="5"> 429 <title>SMC: filesystem delete</title> 430 <program>SMC server</program> 431 </event> 432 <event id="AUE_filesystem_modify" instance_of="AUE_generic_SMC_modify" 433 header="0" idNo="6"> 434 <title>SMC: filesystem modify</title> 435 <program>SMC server</program> 436 </event> 437 438 <event id="AUE_network_add" instance_of="AUE_generic_SMC_add" 439 header="0" idNo="7"> 440 <title>SMC: network add</title> 441 <program>SMC server</program> 442 </event> 443 <event id="AUE_network_delete" instance_of="AUE_generic_SMC_delete" 444 header="0" idNo="8"> 445 <title>SMC: network delete</title> 446 <program>SMC server</program> 447 </event> 448 <event id="AUE_network_modify" instance_of="AUE_generic_SMC_modify" 449 header="0" idNo="9"> 450 <title>SMC: network modify</title> 451 <program>SMC server</program> 452 </event> 453 454 <event id="AUE_printer_add" instance_of="AUE_generic_SMC_add" 455 header="0" idNo="10"> 456 <title>SMC: printer add</title> 457 <program>SMC server</program> 458 </event> 459 <event id="AUE_printer_delete" instance_of="AUE_generic_SMC_delete" 460 header="0" idNo="11"> 461 <title>SMC: printer delete</title> 462 <program>SMC server</program> 463 </event> 464 <event id="AUE_printer_modify" instance_of="AUE_generic_SMC_modify" 465 header="0" idNo="12"> 466 <title>SMC: printer modify</title> 467 <program>SMC server</program> 468 </event> 469 470<!-- 471 This is SMC; it's also used in su and should probably be used in 472 desktop role login. If we fix the SMC to not record NO_MSG here, 473 we can fix to record failed user. See su.c and AUE_su. 474--> 475 <event id="AUE_role_login" instance_of="AUE_generic_login" 476 header="0" idNo="13"> 477 <title>RBAC: role login</title> 478 <program>SMC server</program> 479 <program>/usr/bin/su</program> 480 </event> 481 482 <event id="AUE_scheduledjob_add" instance_of="AUE_generic_SMC_add" 483 header="0" idNo="14"> 484 <title>SMC: scheduled job add</title> 485 <program>SMC server</program> 486 </event> 487 <event id="AUE_scheduledjob_delete" instance_of="AUE_generic_SMC_delete" 488 header="0" idNo="15"> 489 <title>SMC: scheduled job delete</title> 490 <program>SMC server</program> 491 </event> 492 <event id="AUE_scheduledjob_modify" instance_of="AUE_generic_SMC_modify" 493 header="0" idNo="16"> 494 <title>SMC: scheduled job modify</title> 495 <program>SMC server</program> 496 </event> 497 498 <event id="AUE_serialport_add" instance_of="AUE_generic_SMC_add" 499 header="0" idNo="17"> 500 <title>SMC: serial port add</title> 501 <program>SMC server</program> 502 </event> 503 <event id="AUE_serialport_delete" instance_of="AUE_generic_SMC_delete" 504 header="0" idNo="18"> 505 <title>SMC: serial port delete</title> 506 <program>SMC server</program> 507 </event> 508 <event id="AUE_serialport_modify" instance_of="AUE_generic_SMC_modify" 509 header="0" idNo="19"> 510 <title>SMC: serial port modify</title> 511 <program>SMC server</program> 512 </event> 513 514<!-- This is SMC; should this also be used elsewhere? --> 515 <event id="AUE_uauth" header="0" idNo="20"> 516 <title>SMC: Use of Authorization</title> 517 <program>SMC server</program> 518 <entry id="subject"> 519 <internal token="subject"/> 520 <external opt="none"/> 521 </entry> 522 <entry id="auth_used"> 523 <internal token="uauth"/> 524 <external opt="required" type="char *"/> 525 <comment>authorization used</comment> 526 </entry> 527 <entry id="objectname"> 528 <internal token="text"/> 529 <external opt="required" type="char *"/> 530 <comment>object name</comment> 531 </entry> 532 <entry id="return"> 533 <internal token="return"/> 534 <external opt="none"/> 535 </entry> 536 </event> 537 538 <event id="AUE_usermgr_add" instance_of="AUE_generic_SMC_add" 539 header="0" idNo="21"> 540 <title>SMC: User Manager add</title> 541 <program>SMC server</program> 542 </event> 543 <event id="AUE_usermgr_delete" instance_of="AUE_generic_SMC_delete" 544 header="0" idNo="22"> 545 <title>SMC: User Manager delete</title> 546 <program>SMC server</program> 547 </event> 548 <event id="AUE_usermgr_modify" instance_of="AUE_generic_SMC_modify" 549 header="0" idNo="23"> 550 <title>SMC: User Manager modify</title> 551 <program>SMC server</program> 552 </event> 553<!-- end of Java needed for SMC events --> 554<!-- 555 while not used by SMC logout is used by Lockhart 556--> 557 <event id="AUE_logout" header="0" idNo="1"> 558 <title>login: logout</title> 559 <program>various</program> 560 <see>login(1)</see> 561 <entry id="subject"> 562 <internal token="subject"/> 563 <external opt="none"/> 564 </entry> 565<!-- 566 not used by C code, used by Lockhart, 567 get them to change and remove 568 event.user_name("logout " + session.getUserName()); 569 from /ws/lockhart-nv-gate/src/bundled/app/webmgt/lib/services/ 570 com/sun/management/services/audit/SolarisAuditEvent_Logout.java 571--> 572 <entry id="user_name"> 573 <internal token="text" format="logout %s"/> 574 <external opt="optional" type="char *"/> 575 <comment>"logout" username</comment> 576 </entry> 577 <entry id="return"> 578 <internal token="return"/> 579 <external opt="none"/> 580 </entry> 581 </event> 582 583 584<!-- C Only events --> 585 <event id="AUE_init_solaris" header="0" idNo="32" omit="JNI"> 586 <title>init</title> 587 <program>/sbin/init</program> 588 <program>/usr/sbin/init</program> 589 <program>/usr/sbin/shutdown</program> 590 <entry id="subject"> 591 <internal token="subject"/> 592 <external opt="none"/> 593 </entry> 594 <entry id="info"> 595 <internal token="text"/> 596 <external opt="optional" type="char *"/> 597 <comment>init level or zone name</comment> 598 </entry> 599 <entry id="return"> 600 <internal token="return"/> 601 <external opt="none"/> 602 </entry> 603 </event> 604 605 <event id="AUE_login" instance_of="AUE_generic_login" header="0" 606 idNo="25" omit="JNI"> 607 <title>terminal login</title> 608 <program>/usr/sbin/login</program> 609 <program>/usr/dt/bin/dtlogin</program> 610 <see>login(1)</see> 611 <see>dtlogin</see> 612 </event> 613 <event id="AUE_rlogin" instance_of="AUE_generic_login" header="0" 614 idNo="28" omit="JNI"> 615 <title>rlogin</title> 616 <program>/usr/sbin/login</program> 617 <see>login(1) - rlogin</see> 618 </event> 619 <event id="AUE_telnet" instance_of="AUE_generic_login" header="0" 620 idNo="29" omit="JNI"> 621 <title>telnet login</title> 622 <program>/usr/sbin/login</program> 623 <see>login(1) - telnet</see> 624 </event> 625 <event id="AUE_ssh" instance_of="AUE_generic_login" header="0" 626 idNo="2" omit="JNI"> 627 <program>/usr/lib/ssh/sshd</program> 628 </event> 629 630 <event id="AUE_zlogin" header="0" idNo="38" omit="JNI"> 631 <title>zone login</title> 632 <program>/usr/sbin/login</program> 633 <see>zlogin(1)</see> 634 <entry id="subject"> 635 <internal token="subject"/> 636 <external opt="none"/> 637 </entry> 638 <entry id="message"> 639 <internal token="text"/> 640 <external opt="optional" type="char *"/> 641 <comment>error message</comment> 642 </entry> 643 <entry id="return"> 644 <internal token="return"/> 645 <external opt="none"/> 646 </entry> 647 </event> 648 649 <event id="AUE_su" header="0" idNo="30" omit="JNI"> 650 <title>su</title> 651 <program>/usr/bin/su</program> 652 <see>su(1M)</see> 653 <entry id="subject"> 654 <internal token="subject"/> 655 <external opt="none"/> 656 </entry> 657<!-- 658 should be changed to "fail_user" and su.c updated 659 However, the jni stuff is broken, so for now it's "message" 660--> 661 <entry id="message"> 662 <internal token="text"/> 663 <external opt="optional" type="char *"/> 664 <comment>"user name" of failed new user/role</comment> 665 </entry> 666 <entry id="return"> 667 <internal token="return"/> 668 <external opt="none"/> 669 </entry> 670 </event> 671 672 <event id="AUE_passwd" header="0" idNo="27" omit="JNI"> 673 <title>passwd</title> 674 <program>various</program> 675 <see>passwd(1)</see> 676 <entry id="subject"> 677 <internal token="subject"/> 678 <external opt="none"/> 679 </entry> 680 <entry id="username"> 681 <internal token="text"/> 682 <external opt="optional" type="char *"/> 683 <comment>username if different than caller</comment> 684 </entry> 685 <entry id="return"> 686 <internal token="return"/> 687 <external opt="none"/> 688 </entry> 689 </event> 690 691 <event id="AUE_screenlock" instance_of="AUE_generic_basic" header="0" 692 idNo="26" omit="JNI"> 693 <program>desktop screen lock</program> 694 </event> 695 <event id="AUE_screenunlock" instance_of="AUE_generic_basic" header="0" 696 idNo="31" omit="JNI"> 697 <program>desktop screen unlock</program> 698 </event> 699 700 <!-- 701 AUE_prof_cmd is not supportable for Java due to the structure of 702 the priv token. When and if a Java program needs to generate 703 a priv token, we'll need to look at the data format in the 704 Java code and provide an appropriate java and jni implementation. 705 --> 706 707 <event id="AUE_prof_cmd" header="0" idNo="24" omit="JNI"> 708 <title>pfexec</title> 709 <program>/usr/bin/pfexec</program> 710 <see>pfexec(1)</see> 711 <entry id="subject"> 712 <internal token="subject"/> 713 <external opt="none"/> 714 </entry> 715 <entry id="cwdpath"> 716 <internal token="path"/> 717 <external opt="required" type="char*"/> 718 <comment>working directory</comment> 719 </entry> 720 <entry id="cmdpath"> 721 <internal token="path"/> 722 <external opt="required" type="char*"/> 723 <comment>command pathname</comment> 724 </entry> 725 <entry id="argc,argv,envp"> 726 <internal token="command"/> 727 <external opt="required" type="int,char**,char**"/> 728 </entry> 729 <entry id="proc_auid,proc_euid,proc_egid,proc_ruid,proc_rgid,proc_pid,proc_sid,proc_termid"> 730 <internal token="process"/> 731 <external opt="required" 732 type="uid_t,uid_t,gid_t,uid_t,gid_t,pid_t,au_asid_t,termid*"/> 733 </entry> 734 <entry id="limit_set"> 735 <internal token="priv_limit"/> 736 <external opt="optional" type="priv_set_t*"/> 737 </entry> 738 <entry id="inherit_set"> 739 <internal token="priv_inherit"/> 740 <external opt="optional" type="priv_set_t*"/> 741 </entry> 742 <entry id="return"> 743 <internal token="return"/> 744 <external opt="none"/> 745 </entry> 746 </event> 747 748 <event id="AUE_inetd_connect" header="0" idNo="34" omit="JNI"> 749 <title>inetd</title> 750 <program>/usr/sbin/inetd</program> 751 <entry id="subject"> 752 <internal token="subject"/> 753 <external opt="none"/> 754 </entry> 755 <entry id="service_name"> 756 <internal token="text"/> 757 <external opt="optional" type="char *"/> 758 <comment>service name</comment> 759 </entry> 760 <entry id="ip_type,ip_remote_port,ip_local_port,ip_adr"> 761 <internal token="tid"/> 762 <external opt="required" 763 type="uint32_t,uint16_t,uint16_t,uint32_t[4]"/> 764 <comment>client address</comment> 765 </entry> 766 <entry id="cmd"> 767 <internal token="command_1"/> 768 <external opt="required" type="char *"/> 769 <comment>inetd command</comment> 770 </entry> 771 <entry id="privileges"> 772 <internal token="priv_effective"/> 773 <external opt="required" type="priv_set_t *"/> 774 </entry> 775 <entry id="return"> 776 <internal token="return"/> 777 <external opt="none"/> 778 </entry> 779 </event> 780 781 <event id="AUE_inetd_ratelimit" header="0" idNo="35" omit="JNI"> 782 <title>inetd</title> 783 <program>/usr/sbin/inetd</program> 784 <entry id="subject"> 785 <internal token="subject"/> 786 <external opt="none"/> 787 </entry> 788 <entry id="service_name"> 789 <internal token="text"/> 790 <external opt="optional" type="char *"/> 791 <comment>service name</comment> 792 </entry> 793 <entry id="limit"> 794 <internal token="text"/> 795 <external opt="required" type="char *"/> 796 <comment>limit value</comment> 797 </entry> 798 <entry id="return"> 799 <internal token="return"/> 800 <external opt="none"/> 801 </entry> 802 </event> 803 804 <event id="AUE_inetd_copylimit" header="0" idNo="36" omit="JNI"> 805 <title>inetd</title> 806 <program>/usr/sbin/inetd</program> 807 <entry id="subject"> 808 <internal token="subject"/> 809 <external opt="none"/> 810 </entry> 811 <entry id="service_name"> 812 <internal token="text"/> 813 <external opt="optional" type="char *"/> 814 <comment>service name</comment> 815 </entry> 816 <entry id="limit"> 817 <internal token="text"/> 818 <external opt="required" type="char *"/> 819 <comment>limit value</comment> 820 </entry> 821 <entry id="return"> 822 <internal token="return"/> 823 <external opt="none"/> 824 </entry> 825 </event> 826 827 <event id="AUE_inetd_failrate" header="0" idNo="37" omit="JNI"> 828 <title>inetd</title> 829 <program>/usr/sbin/inetd</program> 830 <entry id="subject"> 831 <internal token="subject"/> 832 <external opt="none"/> 833 </entry> 834 <entry id="service_name"> 835 <internal token="text"/> 836 <external opt="optional" type="char *"/> 837 <comment>service name</comment> 838 </entry> 839 <entry id="values"> 840 <internal token="text"/> 841 <external opt="required" type="char *"/> 842 <comment>limit value, interval</comment> 843 </entry> 844 <entry id="return"> 845 <internal token="return"/> 846 <external opt="none"/> 847 </entry> 848 </event> 849 850 <event id="AUE_zone_state" header="0" idNo="33" omit="JNI"> 851 <entry id="subject"> 852 <internal token="subject"/> 853 <external opt="none"/> 854 </entry> 855 <entry id="new_state"> 856 <internal token="text"/> 857 <external opt="required" type="char *"/> 858 <comment>New zone state</comment> 859 </entry> 860 <entry id="zonename"> 861 <internal token="zonename"/> 862 <external opt="required" type="char *"/> 863 <comment>zone name</comment> 864 </entry> 865 <entry id="return"> 866 <internal token="return"/> 867 <external opt="none"/> 868 </entry> 869 </event> 870 871 <event id="AUE_su_logout" instance_of="AUE_generic_basic" 872 header="0" idNo="39" omit="JNI"> 873 <title>su</title> 874 <program>/usr/bin/su</program> 875 <see>su(1M)</see> 876 </event> 877 878 <event id="AUE_role_logout" instance_of="AUE_generic_basic" 879 header="0" idNo="40" omit="JNI"> 880 <title>su</title> 881 <program>/usr/bin/su</program> 882 <see>su(1M)</see> 883 </event> 884 885 <event id="AUE_newgrp_login" header="0" idNo="41" omit="JNI"> 886 <program>newgrp</program> 887 <entry id="subject"> 888 <internal token="subject"/> 889 <external opt="none"/> 890 </entry> 891 <entry id="groupname"> 892 <internal token="text"/> 893 <external opt="required" type="char *"/> 894 <comment>group name</comment> 895 </entry> 896 <entry id="return"> 897 <internal token="return"/> 898 <external opt="none"/> 899 </entry> 900 </event> 901 902 <event id="AUE_generic_mountable" type="generic" omit="always"> 903 <!-- 904 905 User device mounting related functions 906 907 --> 908 <entry id="subject"> 909 <internal token="subject"/> 910 <external opt="none"/> 911 </entry> 912 <entry id="auth_used"> 913 <internal token="uauth"/> 914 <external opt="required" type="char *"/> 915 <comment>authorization used</comment> 916 </entry> 917 <entry id="mount_point"> 918 <internal token="path"/> 919 <external opt="required" type="char *"/> 920 <comment>mount point</comment> 921 </entry> 922 <entry id="device"> 923 <internal token="path"/> 924 <external opt="required" type="char *"/> 925 <comment>device</comment> 926 </entry> 927 <entry id="options"> 928 <internal token="text"/> 929 <external opt="optional" type="char *"/> 930 <comment>options</comment> 931 </entry> 932 <entry id="return"> 933 <internal token="return"/> 934 <external opt="none"/> 935 </entry> 936 </event> 937 938 <event id="AUE_attach" instance_of="AUE_generic_mountable" 939 header="0" idNo="42" omit="JNI"> 940 <program>hald</program> 941 </event> 942 <event id="AUE_detach" instance_of="AUE_generic_mountable" 943 header="0" idNo="43" omit="JNI"> 944 <program>hald</program> 945 </event> 946 <event id="AUE_remove" header="0" idNo="44" omit="JNI"> 947 <program>hald</program> 948 <entry id="subject"> 949 <internal token="subject"/> 950 <external opt="none"/> 951 </entry> 952 <entry id="auth_used"> 953 <internal token="uauth"/> 954 <external opt="required" type="char *"/> 955 <comment>authorization used</comment> 956 </entry> 957 <entry id="mount_point"> 958 <internal token="path"/> 959 <external opt="optional" type="char *"/> 960 <comment>mount point</comment> 961 </entry> 962 <entry id="device"> 963 <internal token="path"/> 964 <external opt="required" type="char *"/> 965 <comment>device</comment> 966 </entry> 967 <entry id="return"> 968 <internal token="return"/> 969 <external opt="none"/> 970 </entry> 971 </event> 972 973 <event id="AUE_pool_import" header="0" idNo="45" omit="JNI"> 974 <program>hald</program> 975 <entry id="subject"> 976 <internal token="subject"/> 977 <external opt="none"/> 978 </entry> 979 <entry id="auth_used"> 980 <internal token="uauth"/> 981 <external opt="required" type="char *"/> 982 <comment>authorization used</comment> 983 </entry> 984 <entry id="pool"> 985 <internal token="text"/> 986 <external opt="required" type="char *"/> 987 <comment>pool</comment> 988 </entry> 989 <entry id="device"> 990 <internal token="path"/> 991 <external opt="required" type="char *"/> 992 <comment>device</comment> 993 </entry> 994 <entry id="return"> 995 <internal token="return"/> 996 <external opt="none"/> 997 </entry> 998 </event> 999 <event id="AUE_pool_export" header="0" idNo="46" omit="JNI"> 1000 <program>hald</program> 1001 <entry id="subject"> 1002 <internal token="subject"/> 1003 <external opt="none"/> 1004 </entry> 1005 <entry id="auth_used"> 1006 <internal token="uauth"/> 1007 <external opt="required" type="char *"/> 1008 <comment>authorization used</comment> 1009 </entry> 1010 <entry id="pool"> 1011 <internal token="text"/> 1012 <external opt="required" type="char *"/> 1013 <comment>pool</comment> 1014 </entry> 1015 <entry id="device"> 1016 <internal token="path"/> 1017 <external opt="required" type="char *"/> 1018 <comment>device</comment> 1019 </entry> 1020 <entry id="return"> 1021 <internal token="return"/> 1022 <external opt="none"/> 1023 </entry> 1024 </event> 1025 1026<!-- dladm security objected events --> 1027 <event id="AUE_dladm_generic" type="generic" omit="always"> 1028 <entry id="subject"> 1029 <internal token="subject"/> 1030 <external opt="none"/> 1031 </entry> 1032 <entry id="auth_used"> 1033 <internal token="uauth"/> 1034 <external opt="required" type="char *"/> 1035 <comment>authorization used</comment> 1036 </entry> 1037 <entry id="obj_class"> 1038 <internal token="text"/> 1039 <external opt="required" type="char *"/> 1040 <comment>object class name</comment> 1041 </entry> 1042 <entry id="obj_name"> 1043 <internal token="text"/> 1044 <external opt="required" type="char *"/> 1045 <comment>object name</comment> 1046 </entry> 1047 <entry id="return"> 1048 <internal token="return"/> 1049 <external opt="none"/> 1050 </entry> 1051 </event> 1052 1053 <event id="AUE_dladm_create_secobj" instance_of="AUE_dladm_generic" 1054 header="0" idNo="47" omit="JNI"> 1055 <title>create wifi security object</title> 1056 <program>/usr/sbin/dladm</program> 1057 <see>dladm(1M)</see> 1058 </event> 1059 <event id="AUE_dladm_delete_secobj" instance_of="AUE_dladm_generic" 1060 header="0" idNo="48" omit="JNI"> 1061 <title>delete wifi security object</title> 1062 <program>/usr/sbin/dladm</program> 1063 <see>dladm(1M)</see> 1064 </event> 1065 1066<!-- Trusted eXtensions (TX) events --> 1067 1068 <!-- labeld events --> 1069 <event id="AUE_file_relabel" header="0" idNo="49" omit="JNI"> 1070 <title>relabel file from one zone to another</title> 1071 <program>setlabel(1)</program> 1072 <see>setflabel(3TSOL)</see> 1073 <entry id="subject"> 1074 <internal token="subject"/> 1075 <external opt="none"/> 1076 </entry> 1077 <entry id="auth_used"> 1078 <internal token="uauth"/> 1079 <external opt="required" type="char *"/> 1080 <comment>authorization used</comment> 1081 </entry> 1082 <entry id="file"> 1083 <internal token="path"/> 1084 <external opt="required" type="char *"/> 1085 <comment>file relabeled</comment> 1086 </entry> 1087 <entry id="src_label"> 1088 <internal token="label"/> 1089 <external opt="required" type="m_label_t *"/> 1090 <comment>original label</comment> 1091 </entry> 1092 <entry id="dst_label"> 1093 <internal token="label"/> 1094 <external opt="required" type="m_label_t *"/> 1095 <comment>new label</comment> 1096 </entry> 1097 <entry id="return"> 1098 <internal token="return"/> 1099 <external opt="none"/> 1100 </entry> 1101 </event> 1102 1103 <event id="AUE_file_copy" header="0" idNo="50" omit="JNI"> 1104 <title>copy file to another zone</title> 1105 <program>dtfile(1X)</program> 1106 <entry id="subject"> 1107 <internal token="subject"/> 1108 <external opt="none"/> 1109 </entry> 1110 <entry id="auth_used"> 1111 <internal token="uauth"/> 1112 <external opt="required" type="char *"/> 1113 <comment>authorization used</comment> 1114 </entry> 1115 <entry id="src_file"> 1116 <internal token="path"/> 1117 <external opt="required" type="char *"/> 1118 <comment>source file</comment> 1119 </entry> 1120 <entry id="src_label"> 1121 <internal token="label"/> 1122 <external opt="required" type="m_label_t *"/> 1123 <comment>source label</comment> 1124 </entry> 1125 <entry id="dst_file"> 1126 <internal token="path"/> 1127 <external opt="required" type="char *"/> 1128 <comment>destination directory</comment> 1129 </entry> 1130 <entry id="dst_label"> 1131 <internal token="label"/> 1132 <external opt="required" type="m_label_t *"/> 1133 <comment>destination label</comment> 1134 </entry> 1135 <entry id="return"> 1136 <internal token="return"/> 1137 <external opt="none"/> 1138 </entry> 1139 </event> 1140 1141 <!-- uadmin(1m) events --> 1142 <event id="AUE_uadmin_generic" type="generic" omit="always"> 1143 <entry id="subject"> 1144 <internal token="subject"/> 1145 <external opt="none"/> 1146 </entry> 1147 <entry id="fcn"> 1148 <internal token="text"/> 1149 <external opt="required" type="msg uadmin_fcn"/> 1150 <comment>next action</comment> 1151 </entry> 1152 <entry id="mdep"> 1153 <internal token="text"/> 1154 <external opt="optional" type="char *"/> 1155 <comment>machine dependent argument</comment> 1156 </entry> 1157 <entry id="return"> 1158 <internal token="return"/> 1159 <external opt="none"/> 1160 </entry> 1161 </event> 1162 <event id="AUE_uadmin_generic_fcn" type="generic" omit="always"> 1163 <entry id="subject"> 1164 <internal token="subject"/> 1165 <external opt="none"/> 1166 </entry> 1167 <entry id="fcn"> 1168 <internal token="text"/> 1169 <external opt="required" type="msg uadmin_fcn"/> 1170 <comment>next action</comment> 1171 </entry> 1172 <entry id="return"> 1173 <internal token="return"/> 1174 <external opt="none"/> 1175 </entry> 1176 </event> 1177 <event id="AUE_uadmin_shutdown" instance_of="AUE_uadmin_generic" 1178 header="0" idNo="51" omit="JNI"> 1179 <title>uadmin shutdown</title> 1180 <program>/sbin/uadmin</program> 1181 <program>/usr/sbin/uadmin</program> 1182 <see>uadmin(1M)</see> 1183 </event> 1184 <event id="AUE_uadmin_reboot" instance_of="AUE_uadmin_generic" 1185 header="0" idNo="52" omit="JNI"> 1186 <title>uadmin reboot</title> 1187 <program>/sbin/uadmin</program> 1188 <program>/usr/sbin/uadmin</program> 1189 <see>uadmin(1M)</see> 1190 </event> 1191 <event id="AUE_uadmin_dump" instance_of="AUE_uadmin_generic" 1192 header="0" idNo="53" omit="JNI"> 1193 <title>uadmin dump</title> 1194 <program>/sbin/uadmin</program> 1195 <program>/usr/sbin/uadmin</program> 1196 <see>uadmin(1M)</see> 1197 </event> 1198 <event id="AUE_uadmin_freeze" instance_of="AUE_uadmin_generic" 1199 header="0" idNo="54" omit="JNI"> 1200 <title>uadmin freeze</title> 1201 <program>/sbin/uadmin</program> 1202 <program>/usr/sbin/uadmin</program> 1203 <see>uadmin(1M)</see> 1204 </event> 1205 <event id="AUE_uadmin_remount" header="0" idNo="55" omit="JNI"> 1206 <title>uadmin remount</title> 1207 <program>/sbin/uadmin</program> 1208 <program>/usr/sbin/uadmin</program> 1209 <see>uadmin(1M)</see> 1210 <entry id="subject"> 1211 <internal token="subject"/> 1212 <external opt="none"/> 1213 </entry> 1214 <entry id="return"> 1215 <internal token="return"/> 1216 <external opt="none"/> 1217 </entry> 1218 </event> 1219 <!-- uadmin ftrace and swapctl are not documented in uadmin(2) --> 1220 <event id="AUE_uadmin_ftrace" instance_of="AUE_uadmin_generic_fcn" 1221 header="0" idNo="56" omit="JNI"> 1222 <title>uadmin ftrace</title> 1223 <program>/sbin/uadmin</program> 1224 <program>/usr/sbin/uadmin</program> 1225 <see>uadmin(1M)</see> 1226 </event> 1227 <event id="AUE_uadmin_swapctl" instance_of="AUE_uadmin_generic_fcn" 1228 header="0" idNo="57" omit="JNI"> 1229 <title>uadmin swapctl</title> 1230 <program>/sbin/uadmin</program> 1231 <program>/usr/sbin/uadmin</program> 1232 <see>uadmin(1M)</see> 1233 </event> 1234 1235<!-- smbd service event; smbd session setup --> 1236 <event id="AUE_smbd_session" header="0" idNo="58" omit="JNI"> 1237 <title>smbd</title> 1238 <program>/usr/lib/smbsrv/smbd</program> 1239 <entry id="subject"> 1240 <internal token="subject"/> 1241 <external opt="none"/> 1242 </entry> 1243 <entry id="domain"> 1244 <internal token="text"/> 1245 <external opt="required" type="char*"/> 1246 <comment>domain</comment> 1247 </entry> 1248 <entry id="username"> 1249 <internal token="text"/> 1250 <external opt="required" type="char*"/> 1251 <comment>username</comment> 1252 </entry> 1253 <entry id="sid"> 1254 <internal token="text"/> 1255 <external opt="optional" type="char*"/> 1256 <comment>sid</comment> 1257 </entry> 1258 <entry id="return"> 1259 <internal token="return"/> 1260 <external opt="none"/> 1261 </entry> 1262 </event> 1263 1264<!-- smbd service event; smbd session logoff --> 1265 <event id="AUE_smbd_logoff" header="0" idNo="59" omit="JNI"> 1266 <title>smbd</title> 1267 <program>/usr/lib/smbsrv/smbd</program> 1268 <entry id="subject"> 1269 <internal token="subject"/> 1270 <external opt="none"/> 1271 </entry> 1272 <entry id="domain"> 1273 <internal token="text"/> 1274 <external opt="required" type="char*"/> 1275 <comment>domain</comment> 1276 </entry> 1277 <entry id="username"> 1278 <internal token="text"/> 1279 <external opt="required" type="char*"/> 1280 <comment>username</comment> 1281 </entry> 1282 <entry id="return"> 1283 <internal token="return"/> 1284 <external opt="none"/> 1285 </entry> 1286 </event> 1287 1288<!-- vscan service event; infected file detected --> 1289 <event id="AUE_vscan_quarantine" header="0" idNo="60" omit="JNI"> 1290 <title>VSCAN: quarantine infected file</title> 1291 <program>/usr/lib/vscan/vscand</program> 1292 <see>vscand(1M), ICAP RFC 3507 (Extensions)</see> 1293 <entry id="subject"> 1294 <internal token="subject"/> 1295 <external opt="none"/> 1296 </entry> 1297 <entry id="file"> 1298 <internal token="path"/> 1299 <external opt="required" type="char*"/> 1300 <comment>infected file</comment> 1301 </entry> 1302 <entry id="violations,nviolations"> 1303 <internal token="text"/> 1304 <external opt="optional" type="char**,int"/> 1305 <comment>ID - threat description</comment> 1306 </entry> 1307 <entry id="return"> 1308 <internal token="return"/> 1309 <external opt="none"/> 1310 </entry> 1311 </event> 1312 1313<!-- ndmp service event; ndmp client connect --> 1314 <event id="AUE_ndmp_connect" instance_of="AUE_generic_basic" header="0" 1315 idNo="61" omit="JNI"> 1316 <title>NDMP Connect</title> 1317 <program>/usr/lib/ndmp/ndmpd</program> 1318 <see>ndmpd(1M)</see> 1319 </event> 1320 1321<!-- ndmp service event; ndmp client disconnect --> 1322 <event id="AUE_ndmp_disconnect" instance_of="AUE_generic_basic" header="0" 1323 idNo="62" omit="JNI"> 1324 <title>NDMP Disconnect</title> 1325 <program>/usr/lib/ndmp/ndmpd</program> 1326 <see>ndmpd(1M)</see> 1327 </event> 1328 1329<!-- ndmp service event; ndmp backup --> 1330 <event id="AUE_ndmp_backup" header="0" idNo="63" omit="JNI"> 1331 <title>NDMP Backup</title> 1332 <program>/usr/lib/ndmp/ndmpd</program> 1333 <see>ndmpd(1M)</see> 1334 <entry id="subject"> 1335 <internal token="subject"/> 1336 <external opt="none"/> 1337 </entry> 1338 <entry id="source"> 1339 <internal token="path"/> 1340 <external opt="required" type="char *"/> 1341 <comment>path to be backed up</comment> 1342 </entry> 1343 <entry id="local_dest"> 1344 <internal token="path"/> 1345 <external opt="optional" type="char *"/> 1346 <comment>local path of backup destination</comment> 1347 </entry> 1348 <entry id="remote_dest"> 1349 <internal token="in_peer"/> 1350 <external opt="optional" type="fd_t"/> 1351 <comment>remote ip address and port of backup destination</comment> 1352 </entry> 1353 <entry id="return"> 1354 <internal token="return"/> 1355 <external opt="none"/> 1356 </entry> 1357 </event> 1358 1359<!-- ndmp service event; ndmp restore --> 1360 <event id="AUE_ndmp_restore" header="0" idNo="64" omit="JNI"> 1361 <title>NDMP Restore</title> 1362 <program>/usr/lib/ndmp/ndmpd</program> 1363 <see>ndmpd(1M)</see> 1364 <entry id="subject"> 1365 <internal token="subject"/> 1366 <external opt="none"/> 1367 </entry> 1368 <entry id="destination"> 1369 <internal token="path"/> 1370 <external opt="required" type="char *"/> 1371 <comment>path to restore to</comment> 1372 </entry> 1373 <entry id="local_source"> 1374 <internal token="path"/> 1375 <external opt="optional" type="char *"/> 1376 <comment>local path to restore from</comment> 1377 </entry> 1378 <entry id="remote_source"> 1379 <internal token="in_peer"/> 1380 <external opt="optional" type="fd_t"/> 1381 <comment>remote ip address and port to restore from</comment> 1382 </entry> 1383 <entry id="return"> 1384 <internal token="return"/> 1385 <external opt="none"/> 1386 </entry> 1387 </event> 1388 1389<!-- add new events here with the next higher idNo --> 1390<!-- Highest idNo is 64, so next is 65, then fix this comment --> 1391<!-- end of C Only events --> 1392 1393 1394<!-- 1395 token definitions are partially implemented. All they do for now 1396 is create a list of defined token names. In the future they may 1397 become a way of describing token structure. 1398--> 1399 1400 <token id="acl"> 1401 </token> 1402 <token id="arbitrary"> 1403 </token> 1404 <token id="arg"> 1405 </token> 1406 <token id="attr"> 1407 </token> 1408 <token id="command"> 1409 </token> 1410 <token id="command_1"> 1411 </token> 1412 <token id="date"> 1413 </token> 1414 <token id="exec_args"> 1415 </token> 1416 <token id="exec_env"> 1417 </token> 1418 <token id="exit"> 1419 </token> 1420 <token id="file"> 1421 </token> 1422 <token id="fmri"> 1423 </token> 1424 <token id="groups"> 1425 </token> 1426 <!-- pseudo token; in_addr and in_port of peer --> 1427 <token id="in_peer"> 1428 </token> 1429 <token id="ipc"> 1430 </token> 1431 <token id="ipc_perm"> 1432 </token> 1433 <token id="label"> 1434 </token> 1435 <token id="newgroups"> 1436 </token> 1437 <token id="opaque"> 1438 </token> 1439 <token id="path"> 1440 </token> 1441 <!-- pseudo token; path list generates 0 or more path tokens --> 1442 <token id="path_list"> 1443 </token> 1444 <token id="tid"> 1445 </token> 1446 1447 <!-- 1448 privilege token is implemented as one of the pseudo tokens 1449 priv_limit, priv_effective, or priv_inherit 1450 1451 <token id="privilege"> 1452 </token> 1453 --> 1454 <token id="priv_effective"> 1455 </token> 1456 <token id="priv_inherit"> 1457 </token> 1458 <token id="priv_limit"> 1459 </token> 1460 <token id="process"> 1461 </token> 1462 <token id="return"> 1463 </token> 1464 <token id="seq"> 1465 </token> 1466 <token id="socket"> 1467 </token> 1468 <token id="socket-inet"> 1469 </token> 1470 <token id="subject"> 1471 </token> 1472 <token id="text"> 1473 </token> 1474 <token id="uauth"> 1475 </token> 1476 <token id="zonename"> 1477 </token> 1478 1479<!-- 1480 error value list for return values with success/fail code of fail. 1481 These values start at 1000 so praudit can tell the difference 1482 between the libbsm/common/audit_*.c broken error values and 1483 the new adt_ error value list. It is public so that praudit 1484 can find it. 1485 1486 praudit outputs "failure" %s" for these strings, so there is 1487 no need to use words such as "failed" in the message. 1488 1489 ** Add to the end only to maintain validity across versions of 1490 the audit log. ** 1491--> 1492 1493 <msg_list id="fail_value" header="0" start="1000" public="true"> 1494 <msg id="PW_ATTR">Attribute update</msg> 1495 <msg id="PW">Password update</msg> 1496 <msg id="USERNAME">bad username</msg> 1497 <msg id="AUTH">authorization failed</msg> 1498 <msg id="UID">bad uid</msg> 1499 <msg id="UNKNOWN">unknown failure</msg> 1500 <msg id="EXPIRED">password expired</msg> 1501 <msg id="ACCOUNT_LOCKED">Account is locked</msg> 1502 <msg id="BAD_DIALUP">Bad dial up</msg> 1503 <msg id="BAD_ID">Invalid ID</msg> 1504 <msg id="BAD_PW">Invalid password</msg> 1505 <msg id="CONSOLE">Not on console</msg> 1506 <msg id="MAX_TRIES">Too many failed attempts</msg> 1507 <msg id="PROTOCOL_FAILURE">Protocol failure</msg> 1508 <msg id="EXCLUDED_USER">Excluded user</msg> 1509 <msg id="ANON_USER">No anonymous</msg> 1510 <msg id="BAD_CMD">Invalid command</msg> 1511 <msg id="BAD_TTY">Standard input not a tty line</msg> 1512 <msg id="PROGRAM">Program failure</msg> 1513 <msg id="CHDIR_FAILED">chdir to home directory</msg> 1514 <msg id="INPUT_OVERFLOW">Input line too long.</msg> 1515 <msg id="DEVICE_PERM">login device override</msg> 1516 <msg id="AUTH_BYPASS">authorization bypass</msg> 1517 <msg id="LOGIN_DISABLED">login disabled</msg> 1518 </msg_list> 1519 1520<!-- 1521 The following empty list is used for PAM errors; the "start" 1522 value is used by praudit to know to use the PAM infrastructure 1523 for generating error strings 1524--> 1525 <msg_list id="fail_pam" header="0" start="2000" public="true"> 1526 </msg_list> 1527 1528<!-- 1529 This is still in use by SMC. See AUE_generic_login. When 1530 either SMC is fixed to stop using this, or SMC goes away. 1531 REMOVE this stuff and the corresponding AUE_generic_login 1532 message field. 1533 1534 Message list for the various authentication events, such 1535 as AUE_login and AUE_admin_authenticate. Add new entries 1536 at the end. The order of msg_list entries and the order 1537 of msg entries both affect the names in adt.h and the value 1538 of the associated enumerated types. 1539 1540 Each of these messages except NO_MSG is also in the failure_attribute 1541 list; the difference is that the messages below use a text token 1542 in the audit record, while the failure_attribute messages are 1543 associated with the return value of the return token. 1544 1545 This list is deprecated; please don't use text tokens for error 1546 messages. 1547--> 1548 1549 <msg_list id="login_text" header="0" deprecated="true"> 1550 <msg id="NO_MSG"></msg> 1551 <msg id="ACCOUNT_LOCKED">Account is locked</msg> 1552 <msg id="BAD_DIALUP">Bad dial up</msg> 1553 <msg id="BAD_ID">Invalid ID</msg> 1554 <msg id="BAD_PW">Invalid password</msg> 1555 <msg id="CONSOLE">Not on console</msg> 1556 <msg id="MAX_TRIES">Too many failed attempts</msg> 1557 <msg id="PROTOCOL_FAILURE">Protocol failure</msg> 1558 <msg id="EXCLUDED_USER">Excluded user</msg> 1559 <msg id="ANON_USER">No anonymous</msg> 1560 </msg_list> 1561 1562<!-- msg list for uadmin(1m) fcn argument (next action, see uadmin(2)) --> 1563 <msg_list id="uadmin_fcn" header="0" start="3000" public="true"> 1564 <msg id="AD_HALT">Halt the processor(s)</msg> 1565 <msg id="AD_POWEROFF">Halt the processor(s) and turn off the power</msg> 1566 <msg id="AD_BOOT">Reboot the system using the kernel file</msg> 1567 <msg id="AD_IBOOT">Interactive reboot</msg> 1568 <msg id="AD_SUSPEND_TO_DISK">Save the system state to the state file</msg> 1569 <msg id="AD_CHECK_SUSPEND_TO_DISK">Check if system supports suspend to disk</msg> 1570 <msg id="AD_FORCE">Force suspend to disk even when threads of user 1571 applications are not suspendable</msg> 1572 <msg id="AD_SUSPEND_TO_RAM">Save the system state to memory</msg> 1573 <msg id="AD_CHECK_SUSPEND_TO_RAM">Check if system supports suspend to memory</msg> 1574 <msg id="AD_SBOOT">Single-user reboot</msg> 1575 <msg id="AD_SIBOOT">Single-user interactive reboot</msg> 1576 <msg id="AD_NOSYNC">Do not sync filesystems on next A_DUMP</msg> 1577 <msg id="AD_REUSEINIT">Prepare for AD_REUSABLE</msg> 1578 <msg id="AD_REUSABLE">Create reusable statefile</msg> 1579 <msg id="AD_REUSEFINI">Revert to normal CPR mode (not reusable)</msg> 1580 <msg id="AD_FTRACE_START">ftrace start</msg> 1581 <msg id="AD_FTRACE_STOP">ftrace stop</msg> 1582 </msg_list> 1583</specification> 1584