xref: /titanic_52/usr/src/lib/libbsm/audit_event.txt (revision 1a7c1b724419d3cb5fa6eea75123c6b2060ba31b)
1#
2# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# CDDL HEADER START
6#
7# The contents of this file are subject to the terms of the
8# Common Development and Distribution License, Version 1.0 only
9# (the "License").  You may not use this file except in compliance
10# with the License.
11#
12# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
13# or http://www.opensolaris.org/os/licensing.
14# See the License for the specific language governing permissions
15# and limitations under the License.
16#
17# When distributing Covered Code, include this CDDL HEADER in each
18# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
19# If applicable, add the following below this CDDL HEADER, with the
20# fields enclosed by brackets "[]" replaced with your own identifying
21# information: Portions Copyright [yyyy] [name of copyright owner]
22#
23# CDDL HEADER END
24#
25# ident	"%Z%%M%	%I%	%E% SMI"
26#
27# Audit Event Database
28#
29# File Format:
30#
31# event number:event name:event description:event classes (comma separated)
32#
33# Maps audit events to audit classes for preselection and post-selection.
34# TCB programs that write audit records use these event-to-class mappings
35#     to preselect audit events.
36#
37# NOTE: several events are obsolete but must continue to be defined here for
38# compatibility reasons. Obsolete events are defined in the "no" (invalid)
39# class to indicate they will not be generated.  Events in the "no" class
40# that are not obsolete (but are in this class for other reasons) are
41# individually noted with an explanatory comment.
42#
43# System Administrators: Do NOT modify or add events with an event number less
44#   than 32768. These are reserved by the system.
45#
46#     0		Reserved as an invalid event number.
47#     1 - 2047	Reserved for the Solaris Kernel events.
48#  2048 - 32767	Reserved for the Solaris TCB programs.
49# 32768 - 65535	Available for third party TCB applications.
50#
51# 6144 - 32767  SunOS 5.X user level audit events
52#
53#
54# kernel audit events
55#
560:AUE_NULL:indir system call:no
571:AUE_EXIT:exit(2):ps
582:AUE_FORK:fork(2):ps
59# AUE_OPEN is a placeholder and will not be generated
603:AUE_OPEN:open(2) - place holder:no
614:AUE_CREAT:creat(2):fc
625:AUE_LINK:link(2):fc
636:AUE_UNLINK:unlink(2):fd
647:AUE_EXEC:exec(2):ps,ex
658:AUE_CHDIR:chdir(2):pm
669:AUE_MKNOD:mknod(2):fc
6710:AUE_CHMOD:chmod(2):fm
6811:AUE_CHOWN:chown(2):fm
6912:AUE_UMOUNT:umount(2) - old version:as
7013:AUE_JUNK:junk:no
7114:AUE_ACCESS:access(2):fa
7215:AUE_KILL:kill(2):pm
7316:AUE_STAT:stat(2):fa
7417:AUE_LSTAT:lstat(2):fa
7518:AUE_ACCT:acct(2):as
7619:AUE_MCTL:mctl(2):no
7720:AUE_REBOOT:reboot(2):no
7821:AUE_SYMLINK:symlink(2):fc
7922:AUE_READLINK:readlink(2):fr
8023:AUE_EXECVE:execve(2):ps,ex
8124:AUE_CHROOT:chroot(2):pm
8225:AUE_VFORK:vfork(2):ps
8326:AUE_SETGROUPS:setgroups(2):pm
8427:AUE_SETPGRP:setpgrp(2):pm
8528:AUE_SWAPON:swapon(2):no
8629:AUE_SETHOSTNAME:sethostname(2):no
8730:AUE_FCNTL:fcntl(2):fm
8831:AUE_SETPRIORITY:setpriority(2):no
8932:AUE_CONNECT:connect(2):nt
9033:AUE_ACCEPT:accept(2):nt
9134:AUE_BIND:bind(2):nt
9235:AUE_SETSOCKOPT:setsockopt(2):nt
9336:AUE_VTRACE:vtrace(2):pm
9437:AUE_SETTIMEOFDAY:settimeofday(2):no
9538:AUE_FCHOWN:fchown(2):fm
9639:AUE_FCHMOD:fchmod(2):fm
9740:AUE_SETREUID:setreuid(2):pm
9841:AUE_SETREGID:setregid(2):pm
9942:AUE_RENAME:rename(2):fc,fd
10043:AUE_TRUNCATE:truncate(2):no
10144:AUE_FTRUNCATE:ftruncate(2):no
10245:AUE_FLOCK:flock(2):no
10346:AUE_SHUTDOWN:shutdown(2):nt
10447:AUE_MKDIR:mkdir(2):fc
10548:AUE_RMDIR:rmdir(2):fd
10649:AUE_UTIMES:utimes(2):fm
10750:AUE_ADJTIME:adjtime(2):as
10851:AUE_SETRLIMIT:setrlimit(2):ua
10952:AUE_KILLPG:killpg(2):no
11053:AUE_NFS_SVC:nfs_svc(2):no
11154:AUE_STATFS:statfs(2):fa
11255:AUE_FSTATFS:fstatfs(2):fa
11356:AUE_UNMOUNT:unmount(2):no
11457:AUE_ASYNC_DAEMON:async_daemon(2):no
11558:AUE_NFS_GETFH:nfs_getfh(2):no
11659:AUE_SETDOMAINNAME:setdomainname(2):no
11760:AUE_QUOTACTL:quotactl(2):no
11861:AUE_EXPORTFS:exportfs(2):no
11962:AUE_MOUNT:mount(2):as
120# AUE_SEMSYS is a placeholder and will not be generated
12163:AUE_SEMSYS:semsys(2) - place holder:no
122# AUE_MSGSYS is a placeholder and will not be generated
12364:AUE_MSGSYS:msgsys(2) - place holder:no
124# AUE_SHMSYS is a placeholder and will not be generated
12565:AUE_SHMSYS:shmsys(2) - place holder:no
12666:AUE_BSMSYS:bsmsys(2) - place holder:no
12767:AUE_RFSSYS:rfssys(2) - place holder:no
12868:AUE_FCHDIR:fchdir(2):pm
12969:AUE_FCHROOT:fchroot(2):pm
13070:AUE_VPIXSYS:vpixsys(2) - place holder:no
13171:AUE_PATHCONF:pathconf(2):fa
13272:AUE_OPEN_R:open(2) - read:fr
13373:AUE_OPEN_RC:open(2) - read,creat:fc,fr
13474:AUE_OPEN_RT:open(2) - read,trunc:fd,fr
13575:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr
13676:AUE_OPEN_W:open(2) - write:fw
13777:AUE_OPEN_WC:open(2) - write,creat:fc,fw
13878:AUE_OPEN_WT:open(2) - write,trunc:fd,fw
13979:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
14080:AUE_OPEN_RW:open(2) - read,write:fr,fw
14181:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr
14282:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw
14383:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr
14484:AUE_MSGCTL:msgctl(2) - illegal command:ip
14585:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip
14686:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip
14787:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
14888:AUE_MSGGET:msgget(2):ip
14989:AUE_MSGRCV:msgrcv(2):ip
15090:AUE_MSGSND:msgsnd(2):ip
15191:AUE_SHMCTL:shmctl(2) - illegal command:ip
15292:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip
15393:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip
15494:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
15595:AUE_SHMGET:shmget(2):ip
15696:AUE_SHMAT:shmat(2):ip
15797:AUE_SHMDT:shmdt(2):ip
15898:AUE_SEMCTL:semctl(2) - illegal command:ip
15999:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip
160100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip
161101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
162102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip
163103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip
164104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip
165105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip
166106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip
167107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip
168108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip
169109:AUE_SEMGET:semget(2):ip
170110:AUE_SEMOP:semop(2):ip
171111:AUE_CORE:process dumped core:fc
172112:AUE_CLOSE:close(2):cl
173113:AUE_SYSTEMBOOT:system booted:na
174114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:no
175115:AUE_NFSSVC_EXIT:nfssvc(2) exited:no
176128:AUE_WRITEL:writel(2):no
177129:AUE_WRITEVL:writevl(2):no
178130:AUE_GETAUID:getauid(2):aa
179131:AUE_SETAUID:setauid(2):aa
180132:AUE_GETAUDIT:getaudit(2):aa
181133:AUE_SETAUDIT:setaudit(2):aa
182134:AUE_GETUSERAUDIT:getuseraudit(2):no
183135:AUE_SETUSERAUDIT:setuseraudit(2):no
184136:AUE_AUDITSVC:auditsvc(2):as
185# AUE_AUDITON is a placeholder and will not be generated
186138:AUE_AUDITON:auditon(2) - place holder:no
187139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:no
188140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:no
189141:AUE_AUDITON_GPOLICY:auditon(2) - get audit policy flags:aa
190142:AUE_AUDITON_SPOLICY:auditon(2) - set audit policy flags:as
191143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:no
192144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:no
193145:AUE_AUDITON_GQCTRL:auditon(2) - get queue control parameters:as
194146:AUE_AUDITON_SQCTRL:auditon(2) - set queue control parameters:as
195147:AUE_GETKERNSTATE:getkernstate(2):no
196148:AUE_SETKERNSTATE:setkernstate(2):no
197149:AUE_GETPORTAUDIT:getportaudit(2):no
198150:AUE_AUDITSTAT:auditstat(2):no
199153:AUE_ENTERPROM:enter prom:na
200154:AUE_EXITPROM:exit prom:na
201158:AUE_IOCTL:ioctl(2):io
202173:AUE_ONESIDE:one-sided session record:no
203174:AUE_MSGGETL:msggetl(2):no
204175:AUE_MSGRCVL:msgrcvl(2):no
205176:AUE_MSGSNDL:msgsndl(2):no
206177:AUE_SEMGETL:semgetl(2):no
207178:AUE_SHMGETL:shmgetl(2):no
208183:AUE_SOCKET:socket(2):nt
209184:AUE_SENDTO:sendto(2):nt
210# AUE_PIPE is a potentially very high-volume event, use with caution
211185:AUE_PIPE:pipe(2):no
212186:AUE_SOCKETPAIR:socketpair(2):no
213187:AUE_SEND:send(2):no
214188:AUE_SENDMSG:sendmsg(2):nt
215189:AUE_RECV:recv(2):no
216190:AUE_RECVMSG:recvmsg(2):nt
217191:AUE_RECVFROM:recvfrom(2):nt
218# AUE_READ is a potentially very high-volume event, use with caution
219192:AUE_READ:read(2):no
220193:AUE_GETDENTS:getdents(2):no
221194:AUE_LSEEK:lseek(2):no
222# AUE_WRITE is a potentially very high-volume event, use with caution
223195:AUE_WRITE:write(2):no
224196:AUE_WRITEV:writev(2):no
225197:AUE_NFS:nfs server:no
226198:AUE_READV:readv(2):no
227199:AUE_OSTAT:old stat(2):no
228200:AUE_SETUID:old setuid(2):pm
229201:AUE_STIME:old stime(2):as
230202:AUE_UTIME:old utime(2):fm
231203:AUE_NICE:old nice(2):pm
232204:AUE_OSETPGRP:old setpgrp(2):no
233205:AUE_SETGID:old setgid(2):pm
234206:AUE_READL:readl(2):no
235207:AUE_READVL:readvl(2):no
236208:AUE_FSTAT:fstat(2):no
237209:AUE_DUP2:dup2(2):no
238# AUE_MMAP is a potentially very high-volume event, use with caution
239210:AUE_MMAP:mmap(2):no
240# AUE_AUDIT is a potentially very high-volume event, use with caution
241211:AUE_AUDIT:audit(2):no
242212:AUE_PRIOCNTLSYS:priocntlsys(2):pm
243213:AUE_MUNMAP:munmap(2):cl
244214:AUE_SETEGID:setegid(2):pm
245215:AUE_SETEUID:seteuid(2):pm
246216:AUE_PUTMSG:putmsg(2):nt
247217:AUE_GETMSG:getmsg(2):nt
248218:AUE_PUTPMSG:putpmsg(2):nt
249219:AUE_GETPMSG:getpmsg(2):nt
250# AUE_AUDITSYS is a placeholder and will not be generated
251220:AUE_AUDITSYS:audit system calls place holder:no
252221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:aa
253222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:as
254223:AUE_AUDITON_GETCWD:auditon(2) - get current working directory:aa,as
255224:AUE_AUDITON_GETCAR:auditon(2) - get current active root:aa,as
256225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:as
257226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:as
258227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per audit uid:as
259228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:as
260229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:aa
261230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:as
262231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:aa,as
263232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:as
264233:AUE_FUSERS:utssys(2) - fusers:fa
265234:AUE_STATVFS:statvfs(2):fa
266235:AUE_XSTAT:xstat(2):no
267236:AUE_LXSTAT:lxstat(2):no
268237:AUE_LCHOWN:lchown(2):fm
269238:AUE_MEMCNTL:memcntl(2):ot
270239:AUE_SYSINFO:sysinfo(2):as
271240:AUE_XMKNOD:xmknod(2):no
272241:AUE_FORK1:fork1(2):ps
273# AUE_MODCTL is a placeholder and will not be generated
274242:AUE_MODCTL:modctl(2) system call place holder:no
275243:AUE_MODLOAD:modctl(2) - load module:as
276244:AUE_MODUNLOAD:modctl(2) - unload module:as
277# AUE_MODCONFIG is a placeholder and will not be generated
278245:AUE_MODCONFIG:modctl(2) - no longer generated:no
279246:AUE_MODADDMAJ:modctl(2) - bind module:as
280247:AUE_SOCKACCEPT:getmsg-accept:nt
281248:AUE_SOCKCONNECT:putmsg-connect:nt
282249:AUE_SOCKSEND:putmsg-send:nt
283250:AUE_SOCKRECEIVE:getmsg-receive:nt
284251:AUE_ACLSET:acl(2) - SETACL command:fm
285252:AUE_FACLSET:facl(2) - SETACL command:fm
286# AUE_DOORFS is a placeholder and will not be generated
287253:AUE_DOORFS:doorfs(2) - system call place holder:no
288254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip
289255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip
290256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip
291257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip
292258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip
293259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip
294260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip
295261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip
296262:AUE_P_ONLINE:p_online(2):as
297263:AUE_PROCESSOR_BIND:processor_bind(2):as
298264:AUE_INST_SYNC:inst_sync(2):as
299265:AUE_SOCKCONFIG:configure socket:nt
300266:AUE_SETAUDIT_ADDR:setaudit_addr(2):aa
301267:AUE_GETAUDIT_ADDR:getaudit_addr(2):aa
302268:AUE_UMOUNT2:umount2(2):as
303# AUE_FSAT is a placeholder and will not be generated
304269:AUE_FSAT:fsat(2) - place holder:no
305270:AUE_OPENAT_R:openat(2) - read:fr
306271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr
307272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr
308273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr
309274:AUE_OPENAT_W:openat(2) - write:fw
310275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw
311276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw
312277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw
313278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw
314279:AUE_OPENAT_RWC:openat(2) - read,write,creat:fc,fw,fr
315280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fr,fw
316281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr
317282:AUE_RENAMEAT:renameat(2):fc,fd
318# AUE_FSTATAT is a potentially very high-volume event, use with caution
319283:AUE_FSTATAT:fstatat(2):no
320284:AUE_FCHOWNAT:fchownat(2):fm
321285:AUE_FUTIMESAT:futimesat(2):fm
322286:AUE_UNLINKAT:unlinkat(2):fd
323287:AUE_CLOCK_SETTIME:clock_settime(3RT):as
324288:AUE_NTP_ADJTIME:ntp_adjtime(2):as
325289:AUE_SETPPRIV:setppriv(2):pm
326290:AUE_MODDEVPLCY:modctl(2) - configure device policy:as
327291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:as
328292:AUE_CRYPTOADM:kernel cryptographic framework:as
329#
330# user level audit events
331#
332# 2048 - 6143	Reserved
333#
3346144:AUE_at_create:at-create atjob:ua
3356145:AUE_at_delete:at-delete atjob (at or atrm):ua
3366146:AUE_at_perm:at-permission:no
3376147:AUE_cron_invoke:cron-invoke:ua
3386148:AUE_crontab_create:crontab-crontab created:ua
3396149:AUE_crontab_delete:crontab-crontab deleted:ua
3406150:AUE_crontab_perm:crontab-persmisson:no
3416151:AUE_inetd_connect:inetd connect:na
3426152:AUE_login:login - local:lo
3436153:AUE_logout:logout:lo
3446154:AUE_telnet:login - telnet:lo
3456155:AUE_rlogin:login - rlogin:lo
3466156:AUE_mountd_mount:mount:na
3476157:AUE_mountd_umount:unmount:na
3486158:AUE_rshd:rsh access:lo
3496159:AUE_su:su:lo
3506160:AUE_halt_solaris:halt(1m):ss
3516161:AUE_reboot_solaris:reboot(1m):ss
3526162:AUE_rexecd:rexecd:lo
3536163:AUE_passwd:passwd:lo
3546164:AUE_rexd:rexd:lo
3556165:AUE_ftpd:ftp access:lo
3566166:AUE_init_solaris:init(1m):ss
3576167:AUE_uadmin_solaris:uadmin(1m):ss
3586168:AUE_shutdown_solaris:shutdown(1b):ss
3596169:AUE_poweroff_solaris:poweroff(1m):ss
3606170:AUE_crontab_mod:crontab-modify:ua
3616171:AUE_ftpd_logout:ftp logout:lo
3626172:AUE_ssh:login - ssh:lo
3636173:AUE_role_login:role login:lo
3646180:AUE_prof_cmd:profile command:ua,as
3656181:AUE_filesystem_add:add filesystem:as
3666182:AUE_filesystem_delete:delete filesystem:as
3676183:AUE_filesystem_modify:modify filesystem:as
3686184:AUE_network_add:add network attributes:as
3696185:AUE_network_delete:delete network attributes:as
3706186:AUE_network_modify:modify network attributes:as
3716187:AUE_printer_add:add printer:as
3726188:AUE_printer_delete:delete printer:as
3736189:AUE_printer_modify:modify printer:as
3746190:AUE_scheduledjob_add:add scheduled job:ua
3756191:AUE_scheduledjob_delete:delete scheduled job:ua
3766192:AUE_scheduledjob_modify:modify scheduled job:ua
3776193:AUE_serialport_add:add serial port:as
3786194:AUE_serialport_delete:delete serial port:as
3796195:AUE_serialport_modify:modify serial port:as
3806196:AUE_usermgr_add:add user/user attributes:ua
3816197:AUE_usermgr_delete:delete user/user attributes:ua
3826198:AUE_usermgr_modify:modify user/user attributes:ua
3836199:AUE_uauth:authorization used:ua,as
3846200:AUE_allocate_succ:allocate-device success:ot
3856201:AUE_allocate_fail:allocate-device failure:ot
3866202:AUE_deallocate_succ:deallocate-device success:ot
3876203:AUE_deallocate_fail:deallocate-device failure:ot
3886205:AUE_listdevice_succ:allocate-list devices success:ot
3896206:AUE_listdevice_fail:allocate-list devices failure:ot
3906207:AUE_create_user:create user:ua
3916208:AUE_modify_user:modify user:ua
3926209:AUE_delete_user:delete user:ua
3936210:AUE_disable_user:disable user:ua
3946211:AUE_enable_user:enable user:ua
3956212:AUE_newgrp_login:newgrp login:lo
3966213:AUE_admin_authenticate:admin login:lo
3976214:AUE_kadmind_auth:authenticated kadmind request:ua
3986215:AUE_kadmind_unauth:unauthenticated kadmind req:ua
3996216:AUE_krb5kdc_as_req:kdc authentication svc request:ap
4006217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap
4016218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap
4026219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap
4036220:AUE_smserverd:smserverd:ot
4046221:AUE_screenlock:screenlock - lock:lo
4056222:AUE_screenunlock:screenlock - unlock:lo
4066223:AUE_zone_state:zoneadmd:ss
4076224:AUE_inetd_copylimit:inetd copylimit:na
4086225:AUE_inetd_failrate:inetd failrate:na
4096226:AUE_inetd_ratelimit:inetd ratelimit:na
4106227:AUE_zlogin:login - zlogin:lo
411