1# audit_record_attr.txt 2# Two "#" are comments that are copied to audit_record_attr 3# other comments are removed. 4## 5## Copyright 2010 Sun Microsystems, Inc. All rights reserved. 6## Use is subject to license terms. 7## 8## CDDL HEADER START 9## 10## The contents of this file are subject to the terms of the 11## Common Development and Distribution License (the "License"). 12## You may not use this file except in compliance with the License. 13## 14## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 15## or http://www.opensolaris.org/os/licensing. 16## See the License for the specific language governing permissions 17## and limitations under the License. 18## 19## When distributing Covered Code, include this CDDL HEADER in each 20## file and include the License file at usr/src/OPENSOLARIS.LICENSE. 21## If applicable, add the following below this CDDL HEADER, with the 22## fields enclosed by brackets "[]" replaced with your own identifying 23## information: Portions Copyright [yyyy] [name of copyright owner] 24## 25## CDDL HEADER END 26## 27## 28 29# source file for describing audit records. 30 31# This file is in two sections. The first is a list of attribute / 32# value pairs used to provide short cuts in annotating the audit 33# records. The second is for annotation for each audit record. 
34 35# first section: general attributes 36 37# skipClass=<class name of items to skip if only in that class> 38# skipClass=no # uncomment to filter unused events 39 40# token name abbreviations 41# token=alias:fullname -- short names for key tokens 42 43token=arg:argument 44token=attr:attribute 45token=acl:acl_entry 46token=cmd:command 47token=data:data 48token=exec_args:exec_arguments 49token=exec_env:exec_environment 50token=group:group 51token=inaddr:ip_addr 52token=inet:socket 53token=ipc:ipc 54token=ipc_perm:ipc_perm 55token=newgroup:newgroups 56token=path:path 57token=path_attr:attribute_path 58token=privset:privilege 59token=proc:process 60token=text:text 61token=tid:terminal_adr 62token=uauth:use_of_authorization 63token=upriv:use_of_privilege 64token=user:user_object 65token=zone:zonename 66token=fmri:service_instance 67token=label:mandatory_label 68 69token=head:header 70token=subj:subject 71token=ret:return 72token=exit:exit 73 74# note names -- certain notes show up repeatedly; collected here 75# 76# To achieve the maximum line length to be less than 80 characters, the 77# note names (message=) can be defined as a multi line, each line except the 78# last one finished with the backslash character. 79 80message=ipc_perm:The ipc and ipc_perm tokens are not included if \ 81 the message ID is not valid. 82 83 84# basic record pattern ("insert" is where event-specific tokens 85# are listed.) 86 87kernel=head:insert:subj:[upriv]:ret 88user=head:subj:insert:ret 89 90# Second Section 91# Annotation Section 92# 93# Most audit records need annotation beyond what is provided by 94# the files audit_event and audit_class. At a minimum, a record 95# is represented by a label and a format. 96# 97# label=record_id like AUE_ACCEPT 98# format=token_alias 99# 100# there is no end line; a new label= end the preceding definition 101# and starts the next. 102# 103# format values are a list of token names, separated by colons. 
The
# name is either one of the values described above (token=) or is
# a value to be taken literally. If a token name ends with a digit,
# the digit is an index into an array of comments. In the few cases
# where there are no tokens (other than header, subject, return/exit),
# use "format=kernel" or "format=user".
#
# comment is an array of strings separated by colons. If comments
# are listed on separate lines (recommended for better
# readability/maintainability of the file), the preceding comment
# must end with a colon. The array starts at 1. (If the comment
# contains a colon, use ":" without the quotes.)
#
# case is used to generate alternate descriptions for a given
# record.
#
# Constraints - string lengths. Bear in mind that any annotation of the
# primitives below that is longer than the specified maximum will be
# silently truncated to that many characters by the auditrecord(1M)
# runtime:
#
# primitive <= max (non-truncated) string length
# case <= unlimited; if necessary, text continues on a new line
# comment <= unlimited; if necessary, text continues on a new line
# label <= 43
# note <= unlimited; if necessary, text continues on a new line
# program <= 20
# see <= 39
# syscall <= 20
# title <= 46
# token <= 28 (full name)
#
# To keep the maximum line length below 80 characters, one can
# define the unlimited primitives as a multi line, each line except the
# last one finished with the backslash character. In addition to the above
# mentioned, the "format=" record attribute follows the same rule.
#
#
# AUE_ACCEPT illustrates the use of all the above. Note that
# case is not nested; ellipsis (...) is used to give the effect
# of nesting.
143 144label=AUE_ACCEPT 145#accept(2) failure 146 case=Invalid socket file descriptor 147 format=arg1 148 comment=1, file descriptor, "so" 149#accept(2) non SOCK_STREAM socket 150 case=If the socket address is not part of the AF_INET family 151 format=arg1:arg2:arg3 152 comment=1, "so", file descriptor: 153 comment="family", so_family: 154 comment="type", so_type 155 case=If the socket address is part of the AF_INET family 156 case=...If there is no vnode for this file descriptor 157 format=[arg]1 158 comment=1, file descriptor, "Bad so" 159#accept(2) SOCK_STREAM socket-not bound 160 case=...or if the socket is not bound 161 format=[arg]1:[inet]2 162 comment=1, file descriptor, "so": 163 comment=local/foreign address (0.0.0.0) 164 case=...or if the socket address length = 0 165 format=[arg]1:[inet]2 166 comment=1, file descriptor, "so": 167 comment=local/foreign address (0.0.0.0) 168 case=...or for all other conditions 169 format=inet1:[inet]1 170 comment=socket address 171#accept(2) failure 172# header 173# au_to_arg32 "so",file descriptor 174# subject 175# return <errno != 0> 176# 177#accept(2) non SOCK_STREAM socket 178# header 179# au_to_arg32 "so", file descriptor 180# au_to_arg32 "family", so_family 181# au_to_arg32 "type", so_type 182# subject 183# return success 184# 185#accept(2) SOCK_STREAM socket-not bound 186# header 187# au_to_arg32 "so", file descriptor 188# au_to_socket_ex local/foreign address (0.0.0.0) 189# subject 190# return success 191# 192#accept(2) SOCK_STREAM socket-bound 193# header 194# au_to_arg32 "so", file descriptor 195# au_to_socket_ex 196# subject 197# return success 198 199 200 201label=AUE_ACCESS 202 format=path1:[attr] 203 comment=may be truncated in failure case 204# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 205# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 206# attribute,100777,41416,staff,8388608,402255,0 207# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 
129.146.89.30 208# return,success,0 209# trailer,163 210# 211# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 212# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 213# attribute,100000,root,other,8388608,402257,0 214# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 215# return,failure: Permission denied,-1 216# trailer,163 217# 218# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 219# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 220# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 221# return,failure: No such file or directory,-1 222# trailer,135 223 224label=AUE_ACCT 225 case=Zero path 226 format=arg1 227 comment=1, 0, "accounting off" 228 case=Non-zero path 229 format=path1:[attr]2 230 comment=may be truncated in failure case: 231 comment=omitted if failure 232 233label=AUE_ACLSET 234 syscall=acl 235 format=arg1:arg2:(0..n)[acl]3 236 comment=2, SETACL, "cmd": 237 comment=3, number of ACL entries, "nentries": 238 comment=Access Control List entries 239 240label=AUE_ADJTIME 241 format=kernel 242 243label=AUE_ASYNC_DAEMON 244 skip=Not used 245 246label=AUE_ASYNC_DAEMON_EXIT 247 skip=Not used 248 249label=AUE_AUDIT 250 skip=Not used. (Placeholder for the set AUE_AUDIT_*.) 251 252label=AUE_AUDITON 253 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
254 255label=AUE_AUDITON_GESTATE 256 skip=Not used 257 258label=AUE_AUDITON_GETCAR 259 format=kernel 260 syscall=auditon: GETCAR 261# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 262# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 263# return,success,0 264# trailer,68 265 266label=AUE_AUDITON_GETCLASS 267 format=kernel 268 syscall=auditon: GETCLASS 269# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 270# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 271# return,success,0 272# trailer,68 273 274label=AUE_AUDITON_GETCOND 275 format=kernel 276 syscall=auditon: GETCOND 277# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 278# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 279# return,success,0 280# trailer,68 281 282label=AUE_AUDITON_GETCWD 283 format=kernel 284 syscall=auditon: GETCWD 285# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 286# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 287# return,success,0 288# trailer,68 289 290label=AUE_AUDITON_GETKMASK 291 format=kernel 292 syscall=auditon: GETKMASK 293# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 294# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 295# return,success,0 296# trailer,68 297 298label=AUE_AUDITON_GETSTAT 299 format=kernel 300 syscall=auditon: A_GETSTAT 301# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 302# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 303# return,success,0 304# trailer,68 305 306label=AUE_AUDITON_GPOLICY 307 format=kernel 308 syscall=auditon: GPOLICY 309# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec 310# subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 311# return,success,0 312# trailer,68 

label=AUE_AUDITON_GQCTRL
	format=kernel
	syscall=auditon: GQCTRL
# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
# return,success,0
# trailer,68


label=AUE_AUDITON_GTERMID
	skip=Not used.

label=AUE_AUDITON_SESTATE
	skip=Not used.

label=AUE_AUDITON_SETCLASS
	format=[arg]1:[arg]2
	comment=2, "setclass:ec_event", event number:
	comment=3, "setclass:ec_class", class mask
	syscall=auditon: SETCLASS
# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
# argument,2,0x0,setclass:ec_event
# argument,3,0x0,setclass:ec_class
# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
# return,success,0
# trailer,120

label=AUE_AUDITON_SETCOND
	format=[arg]1
	comment=3, "setcond", audit state
	syscall=auditon: SETCOND

label=AUE_AUDITON_SETKMASK
	format=[arg]1:[arg]2
	comment=2, "setkmask:as_success", kernel mask:
	comment=2, "setkmask:as_failure", kernel mask
	syscall=auditon: SETKMASK
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124

label=AUE_AUDITON_SETSMASK
	format=[arg]1:[arg]2
	comment=3, "setsmask:as_success", session ID mask:
	comment=3, "setsmask:as_failure", session ID mask
	syscall=auditon: SETSMASK
# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 
09:17:33 2000, + 580000668 msec 370# argument,3,0x400,setsmask:as_success 371# argument,3,0x400,setsmask:as_failure 372# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 373# return,success,0 374# trailer,124 375# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 376# argument,3,0x400,setsmask:as_success 377# argument,3,0x400,setsmask:as_failure 378# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 379# return,failure: Not owner,-1 380# trailer,124 381 382label=AUE_AUDITON_SETSTAT 383 format=kernel 384 syscall=auditon: SETSTAT 385# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 386# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 387# return,success,0 388# trailer,68 389# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 390# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 391# return,failure: Not owner,-1 392# trailer,68 393 394label=AUE_AUDITON_SETUMASK 395 format=[arg]1:[arg]2 396 comment=3, "setumask:as_success", audit ID mask: 397 comment=3, "setumask:as_failure", audit ID mask 398 syscall=auditon: SETUMASK 399# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 400# argument,3,0x400,setumask:as_success 401# argument,3,0x400,setumask:as_failure 402# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 403# return,success,0 404# trailer,124 405# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 406# argument,3,0x400,setumask:as_success 407# argument,3,0x400,setumask:as_failure 408# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 409# return,failure: Not owner,-1 410# trailer,124 411 412label=AUE_AUDITON_SPOLICY 413 format=[arg]1 414 comment=1, audit policy flags, "setpolicy" 415 syscall=auditon: SPOLICY 416# header,86,2,auditon(2) - SPOLICY command,,Mon May 
15 09:18:54 2000, + 840 msec 417# argument,3,0x200,setpolicy 418# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 419# return,success,0 420# trailer,86 421# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 422# argument,3,0x200,setpolicy 423# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 424# return,failure: Not owner,-1 425# trailer,86 426 427label=AUE_AUDITON_SQCTRL 428 format=[arg]1:[arg]2:[arg]3:[arg]4 429 comment=3, "setqctrl:aq_hiwater", queue control param.: 430 comment=3, "setqctrl:aq_lowater", queue control param.: 431 comment=3, "setqctrl:aq_bufsz", queue control param.: 432 comment=3, "setqctrl:aq_delay", queue control param. 433 syscall=auditon: SQCTRL 434# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 435# argument,3,0x64,setqctrl:aq_hiwater 436# argument,3,0xa,setqctrl:aq_lowater 437# argument,3,0x400,setqctrl:aq_bufsz 438# argument,3,0x14,setqctrl:aq_delay 439# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 440# return,success,0 441# trailer,176 442# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 443# argument,3,0x64,setqctrl:aq_hiwater 444# argument,3,0xa,setqctrl:aq_lowater 445# argument,3,0x400,setqctrl:aq_bufsz 446# argument,3,0x14,setqctrl:aq_delay 447# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 448# return,failure: Not owner,-1 449# trailer,176 450 451label=AUE_AUDITON_STERMID 452 skip=Not used. 453 454label=AUE_AUDITSTAT 455 skip=Not used. 456 457label=AUE_AUDITSVC 458 skip=Not used. 459 460label=AUE_AUDITSYS 461 skip=Not used. (Place holder for various auditing events.) 462 463label=AUE_BIND 464# differs from documented version. 
465# cases "no vnode" not fully confirmed 466# family and type need argument number 467 case=Invalid socket handle 468 format=arg1 469 comment=1, file descriptor, "so" 470 case=If there is no vnode for this file descriptor 471 case=or if the socket is not of the AF_INET family 472 format=arg1:arg2:arg3 473 comment=1, file descriptor, "so": 474 comment=1, socket family, "family": 475 comment=1, socket type, "type" 476 case=or for all other conditions 477 format=arg1:inet2 478 comment=1, file descriptor, "so": 479 comment=socket address 480 481label=AUE_BRANDSYS 482# generic mechanism to allow user-space and kernel components of a brand 483# to communicate. The interpretation of the arguments to the call is 484# left entirely up to the brand. 485 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 486 comment=1, command, "cmd": 487 comment=2, command args, "arg": 488 comment=3, command args, "arg": 489 comment=4, command args, "arg": 490 comment=5, command args, "arg": 491 comment=6, command args, "arg": 492 comment=7, command args, "arg" 493 494label=AUE_BSMSYS 495 skip=Not used. 
496 497label=AUE_CHDIR 498 format=path:[attr] 499# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 500# path,/export/home/CC_final/icenine/arv/chdir/obj_succ 501# attribute,40777,root,other,8388608,231558,0 502# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 503# return,success,0 504# trailer,151 505# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 506# path,/export/home/CC_final/icenine/arv/chdir/obj_fail 507# attribute,40000,root,other,8388608,237646,0 508# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 509# return,failure: Permission denied,-1 510# trailer,151 511 512label=AUE_CHMOD 513 format=arg1:path:[attr] 514 comment=2, mode, "new file mode" 515# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 516# argument,2,0x1f8,new file mode 517# path,/export/home/CC_final/icenine/arv/chmod/obj_succ 518# attribute,100770,tuser10,other,8388608,243608,0 519# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 520# return,success,0 521# trailer,173 522# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 523# argument,2,0x1f8,new file mode 524# path,/export/home/CC_final/icenine/arv/chmod/obj_fail 525# attribute,100600,root,other,8388608,243609,0 526# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 527# return,failure: Not owner,-1 528# trailer,173 529 530label=AUE_CHOWN 531 format=arg1:arg2 532 comment=2, uid, "new file uid": 533 comment=3, gid, "new file gid" 534# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 535# argument,2,0x271a,new file uid 536# argument,3,0xffffffff,new file gid 537# path,/export/home/CC_final/icenine/arv/chown/obj_succ 538# attribute,100644,tuser10,other,8388608,268406,0 539# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 540# return,success,0 541# trailer,193 542# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec 543# argument,2,0x271a,new file uid 
544# argument,3,0xffffffff,new file gid 545# path,/export/home/CC_final/icenine/arv/chown/obj_fail 546# attribute,100644,root,other,8388608,268407,0 547# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 548# return,failure: Not owner,-1 549# trailer,193 550 551label=AUE_CHROOT 552 format=path:[attr] 553# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 554# path,/ 555# attribute,40755,root,root,8388608,2,0 556# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 557# return,success,0 558# trailer,104 559# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 560# path,/export/home/CC_final/icenine/arv/chroot/obj_fail 561# attribute,40777,tuser10,other,8388608,335110,0 562# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 563# return,failure: Not owner,-1 564# trailer,152 565 566label=AUE_CLOCK_SETTIME 567 format=kernel 568 569label=AUE_CLOSE 570 format=arg1:[path]:[attr] 571 comment=1, file descriptor, "fd" 572 573label=AUE_CONFIGKSSL 574 case=Adding KSSL entry. 575 format=text1:inaddr2:text3:text4 576 comment=opcode, KSSL_ADD_ENTRY: 577 comment=local IP address: 578 comment=SSL port number: 579 comment=proxy port number 580 case=Deleting KSSL entry. 
581 format=text1:inaddr2:text3 582 comment=opcode, KSSL_DELETE_ENTRY: 583 comment=local IP address: 584 comment=SSL port number 585 586label=AUE_CONNECT 587# cases "no vnode" not fully confirmed 588 case=If there is no vnode for this file descriptor 589 case=If the socket address is not part of the AF_INET family 590 format=arg1:arg2:arg3 591 comment=1, file descriptor, "so": 592 comment=1, socket family, "family": 593 comment=1, socket type, "type" 594 case=If the socket address is part of the AF_INET family 595 format=arg1:inet2 596 comment=1, file descriptor, "so": 597 comment=socket address 598 599label=AUE_CORE 600 syscall=none 601 title=process dumped core 602 see=none 603 format=path:[attr]:arg1 604 comment=1, signal, "signal" 605# see uts/common/c2/audit.c 606 607label=AUE_CREAT 608# obsolete - see open(2) 609 format=path:[attr] 610# does not match old BSM manual 611# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 612# path,/export/home/CC_final/icenine/arv/creat/obj_succ 613# attribute,100644,tuser10,other,8388608,49679,0 614# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 615# return,success,8 616# trailer,151 617# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 618# path,/devices/pseudo/mm@0:null 619# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 620# return,success,8 621# trailer,107 622# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 623# path,/obj_fail 624# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 625# return,failure: Permission denied,-1 626# trailer,83 627 628label=AUE_CRYPTOADM 629 title=kernel cryptographic framework 630 format=text1:(0..n)[text]2 631 comment=cryptoadm command/operation: 632 comment=mechanism list 633 634label=AUE_DOORFS 635 skip=Not used. (Place holder for set of door audit events.) 636 637label=AUE_DOORFS_DOOR_BIND 638 skip=Not used. 
639 syscall=doorfs: DOOR_BIND 640 641label=AUE_DOORFS_DOOR_CALL 642 format=arg1:proc2 643 comment=1, door ID, "door ID": 644 comment=for process that owns the door 645 syscall=doorfs: DOOR_CALL 646 647label=AUE_DOORFS_DOOR_CREATE 648 format=arg1 649 comment=1, door attributes, "door attr" 650 syscall=doorfs: DOOR_CREATE 651 652label=AUE_DOORFS_DOOR_CRED 653 skip=Not used. 654 syscall=doorfs: DOOR_CRED 655 656label=AUE_DOORFS_DOOR_INFO 657 skip=Not used. 658 syscall=doorfs: DOOR_INFO 659 660label=AUE_DOORFS_DOOR_RETURN 661 format=kernel 662 syscall=doorfs: DOOR_RETURN 663 664label=AUE_DOORFS_DOOR_REVOKE 665 format=arg1 666 comment=1, door ID, "door ID" 667 syscall=doorfs: DOOR_REVOKE 668 669label=AUE_DOORFS_DOOR_UNBIND 670 skip=Not used. 671 syscall=doorfs: DOOR_UNBIND 672 673label=AUE_DUP2 674skip=Not used. 675 676label=AUE_ENTERPROM 677 title=enter prom 678 syscall=none 679 format=head:text1:ret 680 comment="kmdb" 681# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 682# text,kmdb 683# return,success,0 684 685label=AUE_EXEC 686# obsolete - see execve(2) 687 format=path:[attr]1:[exec_args]2:[exec_env]3 688 comment=omitted on error: 689 comment=output if argv policy is set: 690 comment=output if arge policy is set 691 692label=AUE_EXECVE 693 format=path:[attr]1:[exec_args]2:[exec_env]3 694 comment=omitted on error: 695 comment=output if argv policy is set: 696 comment=output if arge policy is set 697# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 698# path,/devices/pseudo/mm@0:null 699# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 700# return,success,8 701# trailer,107 702# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 703# path,/usr/bin/pig 704# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 705# return,failure: No such file or directory,-1 706# trailer,86 707 708label=AUE_EXIT 709 format=arg1:[text]2 710 comment=1, exit status, "exit status": 711 comment=event aborted 
712 713label=AUE_EXITPROM 714 title=exit prom 715 syscall=none 716 format=head:text1:ret 717 comment="kmdb" 718# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 719# text,kmdb 720# return,success,0 721 722label=AUE_EXPORTFS 723 skip=Not used. 724 725label=AUE_FACCESSAT 726# obsolete 727 see=access(2) 728 format=path:[attr] 729 730label=AUE_FACLSET 731 syscall=facl 732 case=Invalid file descriptor 733 format=arg1:arg2 734 comment=2, SETACL, "cmd": 735 comment=3, number of ACL entries, "nentries" 736 case=Zero path 737 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 738 comment=2, SETACL, "cmd": 739 comment=3, number of ACL entries, "nentries": 740 comment=1, file descriptor, "no path: fd": 741 comment=ACLs 742 case=Non-zero path 743 format=arg1:arg2:path:[attr]:(0..n)[acl]3 744 comment=2, SETACL, "cmd": 745 comment=3, number of ACL entries, "nentries": 746 comment=ACLs 747 748label=AUE_FCHDIR 749 format=[path]:[attr] 750# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 751# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 752# attribute,40777,tuser10,other,8388608,207662,0 753# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 754# return,success,0 755# trailer,150 756# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 757# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 758# return,failure: Permission denied,-1 759# trailer,68 760 761label=AUE_FCHMOD 762 case=With a valid file descriptor and path 763 format=arg1:path:[attr] 764 comment=2, mode, "new file mode" 765 case=With a valid file descriptor and invalid path 766 format=arg1:[arg]2:[attr] 767 comment=2, mode, "new file mode": 768 comment=1, file descriptor, "no path: fd" 769 case=With an invalid file descriptor 770 format=arg1 771 comment=2, mode, "new file mode" 772# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 773# argument,2,0x1a4,new file mode 774# path,/export/home/CC/icenine/arv/fchmod/obj_succ 
775# attribute,100644,tuser10,other,7602240,26092,0 776# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 777# return,success,0 778# trailer,168 779# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 780# argument,2,0x1a4,new file mode 781# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 782# return,failure: Bad file number,-1 783# trailer,90 784# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 785# argument,2,0x1a4,new file mode 786# path,/export/home/CC/icenine/arv/fchmod/obj_fail 787# attribute,100644,root,other,7602240,26093,0 788# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 789# return,failure: Not owner,-1 790# trailer,168 791 792label=AUE_FCHOWN 793 case=With a valid file descriptor 794 format=arg1:arg2:[path]:[attr] 795 comment=2, uid, "new file uid": 796 comment=3, gid, "new file gid" 797 case=With an invalid file descriptor 798 format=arg1:arg2:[arg]3:[attr] 799 comment=2, uid, "new file uid": 800 comment=3, gid, "new file gid": 801 comment=1, file descriptor, "no path fd" 802 803label=AUE_FCHOWNAT 804# obsolete 805 see=openat(2) 806 case=With a valid absolute/relative file path 807 format=path:[attr] 808 case=With an file path eq. NULL and valid file descriptor 809 format=kernel 810 811label=AUE_FCHROOT 812 format=[path]:[attr] 813# fchroot -> chdirec -> audit_chdirec 814 815label=AUE_FCNTL 816 case=With a valid file descriptor 817 format=arg1:[arg]2:path:attr 818 comment=2, command, "cmd": 819 comment=3, flags, "flags" 820 case=With an invalid file descriptor 821 format=arg1:[arg]2:arg3 822 comment=2, command, "cmd": 823 comment=3, flags, "flags": 824 comment=1, file descriptor, "no path fd" 825 note=Flags are included only when cmd is F_SETFL. 826 827label=AUE_FLOCK 828 skip=Not used. 
829 830label=AUE_FORKALL 831 format=[arg]1 832 comment=0, pid, "child PID" 833 note=The forkall(2) return values are undefined because the audit record 834 note=is produced at the point that the child process is spawned. 835# see audit.c 836 837label=AUE_FORK1 838 format=[arg]1 839 comment=0, pid, "child PID" 840 note=The fork1(2) return values are undefined because the audit record 841 note=is produced at the point that the child process is spawned. 842# see audit.c 843 844label=AUE_FSAT 845# obsolete 846 skip=Not used. (Placeholder for AUE_*AT records) 847 848label=AUE_FSTAT 849 skip=Not used. 850 851label=AUE_FSTATAT 852# obsolete 853 format=path:[attr] 854 855label=AUE_FSTATFS 856 case=With a valid file descriptor 857 format=[path]:[attr] 858 case=With an invalid file descriptor 859 format=arg1 860 comment=1, file descriptor, "no path fd" 861 862label=AUE_FTRUNCATE 863 skip=Not used. 864 865label=AUE_FUSERS 866 syscall=utssys: UTS_FUSERS 867 format=path:attr 868 869label=AUE_FUTIMESAT 870# obsolete 871 format=[path]:[attr] 872 873label=AUE_GETAUDIT 874 format=kernel 875# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 876# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 877# return,success,0 878# trailer,68 879# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 880# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 881# return,success,0 882# trailer,68 883 884label=AUE_GETAUDIT_ADDR 885 format=kernel 886# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 887# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 888# return,success,0 889 890label=AUE_GETAUID 891 format=kernel 892# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 893# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 894# return,success,0 895# trailer,68 896# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec 897# 
subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68

label=AUE_GETDENTS
	skip=Not used.
#Not security relevant

label=AUE_GETKERNSTATE
	skip=Not used.

label=AUE_GETMSG
	case=With a valid file descriptor
	format=arg1:[path]:attr:arg2
	comment=1, file descriptor, "fd":
	comment=4, priority, "pri"
	case=With an invalid file descriptor
	format=arg1:arg2
	comment=1, file descriptor, "fd":
	comment=4, priority, "pri"

label=AUE_GETPMSG
	case=With a valid file descriptor
	format=arg1:[path]:attr
	comment=1, file descriptor, "fd"
	case=With an invalid file descriptor
	format=arg1
	comment=1, file descriptor, "fd"

label=AUE_GETPORTAUDIT
	skip=Not used.

label=AUE_GETUSERAUDIT
	skip=Not used.

label=AUE_INST_SYNC
	format=arg1
	comment=2, flags value, "flags"

label=AUE_IOCTL
	case=With an invalid file descriptor
	format=arg1:arg2:arg3
	comment=1, file descriptor, "fd":
	comment=2, command, "cmd":
	comment=3, arg, "arg"
	case=With a valid file descriptor
	format=path:[attr]:arg1:arg2
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
	case=Non-file file descriptor
	format=arg1:arg2:arg3
	comment=1, file descriptor, "fd":
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
	case=Bad file name
	format=arg1:arg2:arg3
	comment=1, file descriptor, "no path: fd":
	comment=2, ioctl cmd, "cmd":
	comment=3, ioctl arg, "arg"
# old BSM manual misses a case

label=AUE_JUNK
	skip=Not used.

label=AUE_KILL
	case=Valid process
	format=arg1:[proc]
	comment=2, signo, "signal"
	case=Zero or negative process
	format=arg1:arg2
	comment=2, signo, "signal":
	comment=1, pid, "process"

label=AUE_KILLPG
	skip=Not used.
972 973label=AUE_LCHOWN 974 format=arg1:arg2:path:[attr] 975 comment=2, uid, "new file uid": 976 comment=3, gid, "new file gid" 977 978label=AUE_LINK 979 format=path1:[attr]:path2 980 comment=from path: 981 comment=to path 982 983label=AUE_LSEEK 984 skip=Not used. 985 986label=AUE_LSTAT 987 format=path:[attr] 988 989label=AUE_LXSTAT 990# obsolete 991 skip=Not used. 992 993label=AUE_MCTL 994 skip=Not used. 995 996label=AUE_MEMCNTL 997 format=arg1:arg2:arg3:arg4:arg5:arg6 998 comment=1, base address, "base": 999 comment=2, length, "len": 1000 comment=3, command, "cmd": 1001 comment=4, command args, "arg": 1002 comment=5, command attributes, "attr": 1003 comment=6, 0, "mask" 1004 1005label=AUE_MKDIR 1006 format=arg1:path:[attr] 1007 comment=2, mode, "mode" 1008 1009label=AUE_MKNOD 1010 format=arg1:arg2:path:[attr] 1011 comment=2, mode, "mode": 1012 comment=3, dev, "dev" 1013 1014label=AUE_MMAP 1015 case=With a valid file descriptor 1016 format=arg1:arg2:[path]3:[attr] 1017 comment=1, segment address, "addr": 1018 comment=2, segment length, "len": 1019 comment=if no path, then argument: \ 1020 1, "nopath: fd", file descriptor 1021 case=With an invalid file descriptor 1022 format=arg1:arg2:arg3 1023 comment=1, segment address, "addr": 1024 comment=2, segment length, "len": 1025 comment=1, file descriptor, "no path: fd" 1026 1027label=AUE_MODADDMAJ 1028 title=modctl: bind module 1029 syscall=modctl 1030 format=[text]1:[text]2:text3:arg4:(0..n)[text]5 1031 comment=driver major number: 1032 comment=driver name: 1033 comment=driver major number or "no drvname": 1034 comment=5, number of aliases, "": 1035 comment=aliases 1036 1037label=AUE_MODADDPRIV 1038 format=kernel 1039 1040label=AUE_MODCONFIG 1041 skip=Not used. 1042 1043label=AUE_MODCTL 1044 skip=Not used.
(placeholder) 1045 1046label=AUE_MODDEVPLCY 1047 syscall=modctl 1048 title=modctl: set device policy 1049 case=If unknown minor name/pattern 1050 format=arg1:arg2:arg3:arg4:arg5 1051 comment=2, "major", major number: 1052 comment=2, "lomin", low minor number, if known: 1053 comment=2, "himin", hi minor number, if known: 1054 comment=privileges required for reading: 1055 comment=privileges required for writing 1056 case=else 1057 format=arg1:text2:arg3:arg4 1058 comment=2, "major", major number: 1059 comment=minor name/pattern: 1060 comment=privileges required for reading: 1061 comment=privileges required for writing 1062 1063label=AUE_MODLOAD 1064 syscall=modctl 1065 title=modctl: load module 1066 format=[text]1:text2 1067 comment=default path: 1068 comment=filename path 1069 1070label=AUE_MODUNLOAD 1071 syscall=modctl 1072 title=modctl: unload module 1073 format=arg1 1074 comment=1, module ID, "id" 1075 1076label=AUE_MOUNT 1077 case=UNIX file system 1078 format=arg1:text2:path:[attr] 1079 comment=3, flags, "flags": 1080 comment=filesystem type 1081 case=NFS file system 1082 format=arg1:text2:text3:arg4:path:[attr] 1083 comment=3, flags, "flags": 1084 comment=filesystem type: 1085 comment=host name: 1086 comment=3, flags, "internal flags" 1087# unix example: 1088# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1089# argument,3,0x104,flags 1090# text,ufs 1091# path,/var2 1092# attribute,40755,root,root,32,12160,0 1093# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1094# attribute,60640,root,sys,32,231268,137438953476 1095# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1096# return,success,4290707268 1097# ^^^^^^^^^^ <- bugid 4333559 1098 1099label=AUE_MSGCTL 1100 format=arg1:[ipc]:[ipc_perm] 1101 comment=1, message ID, "msg ID" 1102 note=ipc_perm 1103# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1104 1105label=AUE_MSGCTL_RMID 1106 format=arg1:[ipc]:[ipc_perm] 1107 comment=1, message ID, "msg ID" 1108 note=ipc_perm 1109 
syscall=msgctl: IPC_RMID 1110# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1111 1112label=AUE_MSGCTL_SET 1113 format=arg1:[ipc]:[ipc_perm] 1114 comment=1, message ID, "msg ID" 1115 note=ipc_perm 1116 syscall=msgctl: IPC_SET 1117# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1118 1119label=AUE_MSGCTL_STAT 1120 format=arg1:[ipc]:[ipc_perm] 1121 comment=1, message ID, "msg ID" 1122 note=ipc_perm 1123 syscall=msgctl: IPC_STAT 1124# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1125 1126label=AUE_MSGGET 1127 format=arg1:ipc 1128 comment=1, message key, "msg key" 1129 note=ipc_perm 1130 syscall=msgget 1131 1132label=AUE_MSGGETL 1133 skip=Not used. 1134 1135label=AUE_MSGRCV 1136 format=arg1:[ipc]:[ipc_perm] 1137 comment=1, message ID, "msg ID" 1138 note=ipc_perm 1139 syscall=msgrcv 1140# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc 1141 1142label=AUE_MSGRCVL 1143 skip=Not used. 1144 1145label=AUE_MSGSND 1146 format=arg1:[ipc]:[ipc_perm] 1147 comment=1, message ID, "msg ID" 1148 note=ipc_perm 1149 syscall=msgsnd 1150# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc 1151 1152label=AUE_MSGSNDL 1153 skip=Not used. 1154 1155label=AUE_MSGSYS 1156skip=Not used. (Placeholder for AUE_MSG* events.) 1157 1158label=AUE_MUNMAP 1159 format=arg1:arg2 1160 comment=1, address of memory, "addr": 1161 comment=2, memory segment size, "len" 1162 1163label=AUE_NFS 1164 skip=Not used. 1165 1166label=AUE_NFSSVC_EXIT 1167 skip=Not used. 1168 1169label=AUE_NFS_GETFH 1170 skip=Not used. 1171 1172label=AUE_NFS_SVC 1173 skip=Not used. 1174 1175label=AUE_NICE 1176 format=kernel 1177 1178label=AUE_NULL 1179 skip=Not used. (placeholder) 1180# used internal to audit_event.c for minimal audit 1181 1182label=AUE_NTP_ADJTIME 1183 format=kernel 1184 1185label=AUE_ONESIDE 1186 skip=Not used. 1187 1188label=AUE_OPEN 1189 skip=Not used. (placeholder for AUE_OPEN_*). 
1190 1191label=AUE_OPEN_R 1192 format=path:[path_attr]:[attr] 1193 see=open(2) - read 1194 1195label=AUE_OPENAT_R 1196# obsolete 1197 format=path:[path_attr]:[attr] 1198 see=openat(2) 1199 1200label=AUE_OPEN_RC 1201 format=path:[path_attr]:[attr] 1202 see=open(2) - read,creat 1203 1204label=AUE_OPENAT_RC 1205# obsolete 1206 see=openat(2) 1207 format=path:[path_attr]:[attr] 1208 1209label=AUE_OPEN_RT 1210 format=path:[path_attr]:[attr] 1211 see=open(2) - read,trunc 1212 1213label=AUE_OPENAT_RT 1214# obsolete 1215 see=openat(2) 1216 format=path:[path_attr]:[attr] 1217 1218label=AUE_OPEN_RTC 1219 format=path:[path_attr]:[attr] 1220 see=open(2) - read,trunc,creat 1221 1222label=AUE_OPENAT_RTC 1223# obsolete 1224 see=openat(2) 1225 format=path:[path_attr]:[attr] 1226 1227label=AUE_OPEN_RW 1228 format=path:[path_attr]:[attr] 1229 see=open(2) - read,write 1230 1231label=AUE_OPENAT_RW 1232# obsolete 1233 see=openat(2) 1234 format=path:[path_attr]:[attr] 1235# aui_fsat(): fm & O_RDWR 1236 1237label=AUE_OPEN_RWC 1238 format=path:[path_attr]:[attr] 1239 see=open(2) - read,write,creat 1240 1241label=AUE_OPENAT_RWC 1242# obsolete 1243 see=openat(2) 1244 format=path:[path_attr]:[attr] 1245 1246label=AUE_OPEN_RWT 1247 format=path:[path_attr]:[attr] 1248 see=open(2) - read,write,trunc 1249 1250label=AUE_OPENAT_RWT 1251# obsolete 1252 see=openat(2) 1253 format=path:[path_attr]:[attr] 1254 1255label=AUE_OPEN_RWTC 1256 format=path:[path_attr]:[attr] 1257 see=open(2) - read,write,trunc,creat 1258 1259label=AUE_OPENAT_RWTC 1260# obsolete 1261 see=openat(2) 1262 format=path:[path_attr]:[attr] 1263 1264label=AUE_OPEN_W 1265 format=path:[path_attr]:[attr] 1266 see=open(2) - write 1267 1268label=AUE_OPENAT_W 1269 see=openat(2) 1270 format=path:[path_attr]:[attr] 1271 1272label=AUE_OPEN_WC 1273 format=path:[path_attr]:[attr] 1274 see=open(2) - write,creat 1275 1276label=AUE_OPENAT_WC 1277 see=openat(2) 1278 format=path:[path_attr]:[attr] 1279 1280label=AUE_OPEN_WT 1281 
format=path:[path_attr]:[attr] 1282 see=open(2) - write,trunc 1283 1284label=AUE_OPENAT_WT 1285 see=openat(2) 1286 format=path:[path_attr]:[attr] 1287 1288label=AUE_OPEN_WTC 1289 format=path:[path_attr]:[attr] 1290 see=open(2) - write,trunc,creat 1291 1292label=AUE_OPENAT_WTC 1293 see=openat(2) 1294 format=path:[path_attr]:[attr] 1295 1296label=AUE_OSETPGRP 1297 skip=Not used. 1298 1299label=AUE_OSTAT 1300# obsolete 1301 skip=Not used. 1302 1303label=AUE_PATHCONF 1304 format=path:[attr] 1305 1306label=AUE_PIPE 1307format=kernel 1308# class is no, not usually printed 1309 1310label=AUE_PORTFS 1311 skip=Not used (placeholder for AUE_PORTFS_*). 1312 1313label=AUE_PORTFS 1314 skip=Not used (placeholder for AUE_PORTFS_*). 1315 1316label=AUE_PORTFS_ASSOCIATE 1317 syscall=portfs 1318 see=port_associate(3C) 1319 case=Port association via PORT_SOURCE_FILE 1320 format=[path]1:attr 1321 comment=name of the file/directory to be watched 1322 1323label=AUE_PORTFS_DISSOCIATE 1324 syscall=portfs 1325 see=port_dissociate(3C) 1326 case=Port disassociation via PORT_SOURCE_FILE 1327 format=kernel 1328 1329label=AUE_PRIOCNTLSYS 1330 syscall=priocntl 1331 see=priocntl(2) 1332 format=arg1:arg2 1333 comment=1, priocntl version number, "pc_version": 1334 comment=3, command, "cmd" 1335 1336label=AUE_PROCESSOR_BIND 1337 case=No LWP/thread bound to the processor 1338 format=arg1:arg2:text3:[proc] 1339 comment=1, type of ID, "ID type": 1340 comment=2, ID value, "ID": 1341 comment="PBIND_NONE" 1342 case=With processor bound 1343 format=arg1:arg2:arg3:[proc] 1344 comment=1, type of ID, "ID type": 1345 comment=2, ID value, "ID": 1346 comment=3, processor ID, "processor_id" 1347 1348label=AUE_PUTMSG 1349 see=putmsg(2) 1350 format=arg1:[path]:[attr]:arg2 1351 comment=1, file descriptor, "fd": 1352 comment=4, priority, "pri" 1353 1354label=AUE_PUTPMSG 1355 see=putpmsg(2) 1356 format=arg1:[path]:[attr]:arg2:arg3 1357 comment=1, file descriptor, "fd": 1358 comment=4, priority, "pri": 1359 comment=5, 
flags, "flags" 1360 1361label=AUE_P_ONLINE 1362 format=arg1:arg2:text3 1363 comment=1, processor ID, "processor ID": 1364 comment=2, flags value, "flags": 1365 comment=text form of flags. Values: \ 1366 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS 1367 1368label=AUE_QUOTACTL 1369 skip=Not used. 1370 1371label=AUE_READ 1372 skip=Not used. (Placeholder for AUE_READ_* events) 1373 1374label=AUE_READL 1375 skip=Not used. (Obsolete) 1376 1377label=AUE_READLINK 1378 format=path:[attr] 1379 1380label=AUE_READV 1381 skip=Not used (obsolete) 1382# detritus from CMS 1383 1384label=AUE_READVL 1385 skip=Not used (obsolete) 1386# detritus from CMS 1387 1388label=AUE_REBOOT 1389 skip=Not used. 1390 1391label=AUE_RECV 1392 case=If address family is AF_INET or AF_INET6 1393 format=[arg]1:[inet] 1394 comment=1, file descriptor, "so" 1395 case=If address family is AF_UNIX and path is defined 1396 format=[path]1:[attr] 1397 comment=1, file descriptor, "so" 1398 case=If address family is AF_UNIX and path is NULL 1399 format=[path]1:[attr] 1400 comment=1, file descriptor, "no path: fd" 1401 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1402 format=[arg]1:[arg]2:[arg]3 1403 comment=1, file descriptor, "so": 1404 comment=1, family, "family": 1405 comment=1, type, "type" 1406# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) 1407 1408label=AUE_RECVFROM 1409 format=inet:arg1:[arg]2:inet3:arg4 1410 comment=3, message length, "len": 1411 comment=4, flags, "flags": 1412 comment=from address: 1413 comment=6, address length, "tolen" 1414 note=The socket token for a bad socket is reported as "argument 1415 note=token (1, socket descriptor, "fd")" 1416 1417label=AUE_RECVMSG 1418 case=If invalid file descriptor 1419 format=arg1:arg2 1420 comment=1, file descriptor, "so": 1421 comment=3, flags, "flags" 1422 case=If valid file descriptor and socket is AF_UNIX and no path 1423 format=arg1:[attr] 1424 comment=1, file descriptor, "no path: 
fd" 1425 case=If valid file descriptor and socket is AF_UNIX and path defined 1426 format=path:attr 1427 case=If valid file descriptor and socket is AF_INET or AF_INET6 1428 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM 1429 format=arg1:arg2:inet 1430 comment=1, file descriptor, "so": 1431 comment=2, flags, "flags" 1432 case=.. if socket type is unknown 1433 format=arg1:arg2:arg3:arg4 1434 comment=1, file descriptor, "so": 1435 comment=1, family, "family": 1436 comment=1, type, "type": 1437 comment=3, flags, "flags" 1438 1439label=AUE_RENAME 1440 format=path1:[attr]1:[path]2 1441 comment=from name: 1442 comment=to name 1443 1444label=AUE_RENAMEAT 1445# obsolete 1446 format=path1:[attr]1:[path]2 1447 comment=from name: 1448 comment=to name 1449 1450label=AUE_RFSSYS 1451 skip=Not used. 1452# apparently replaced 1453 1454label=AUE_RMDIR 1455 format=path:[attr] 1456 1457label=AUE_SEMCTL 1458 format=arg1:[ipc]:[ipc_perm] 1459 comment=1, semaphore ID, "sem ID" 1460 note=ipc_perm 1461# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1462 1463label=AUE_SEMCTL_GETALL 1464 format=arg1:[ipc]:[ipc_perm] 1465 comment=1, semaphore ID, "sem ID" 1466 note=ipc_perm 1467 syscall=semctl: GETALL 1468# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1469 1470label=AUE_SEMCTL_GETNCNT 1471 format=arg1:[ipc]:[ipc_perm] 1472 comment=1, semaphore ID, "sem ID" 1473 note=ipc_perm 1474 syscall=semctl: GETNCNT 1475# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1476 1477label=AUE_SEMCTL_GETPID 1478 format=arg1:[ipc]:[ipc_perm] 1479 comment=1, semaphore ID, "sem ID" 1480 note=ipc_perm 1481 syscall=semctl: GETPID 1482# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1483 1484label=AUE_SEMCTL_GETVAL 1485 format=arg1:[ipc]:[ipc_perm] 1486 comment=1, semaphore ID, "sem ID" 1487 note=ipc_perm 1488 syscall=semctl: GETVAL 1489# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1490 1491label=AUE_SEMCTL_GETZCNT 1492 format=arg1:[ipc]:[ipc_perm] 1493 
comment=1, semaphore ID, "sem ID" 1494 note=ipc_perm 1495 syscall=semctl: GETZCNT 1496# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1497 1498label=AUE_SEMCTL_RMID 1499 format=arg1:[ipc]:[ipc_perm] 1500 comment=1, semaphore ID, "sem ID" 1501 note=ipc_perm 1502 syscall=semctl: IPC_RMID 1503# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1504 1505label=AUE_SEMCTL_SET 1506 format=arg1:[ipc]:[ipc_perm] 1507 comment=1, semaphore ID, "sem ID" 1508 note=ipc_perm 1509 syscall=semctl: IPC_SET 1510# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1511 1512label=AUE_SEMCTL_SETALL 1513 format=arg1:[ipc]:[ipc_perm] 1514 comment=1, semaphore ID, "sem ID" 1515 note=ipc_perm 1516 syscall=semctl: SETALL 1517# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1518 1519label=AUE_SEMCTL_SETVAL 1520 format=arg1:[ipc]:[ipc_perm] 1521 comment=1, semaphore ID, "sem ID" 1522 note=ipc_perm 1523 syscall=semctl: SETVAL 1524# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1525 1526label=AUE_SEMCTL_STAT 1527 format=arg1:[ipc]:[ipc_perm] 1528 comment=1, semaphore ID, "sem ID" 1529 note=ipc_perm 1530 syscall=semctl: IPC_STAT 1531# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1532 1533label=AUE_SEMGET 1534 format=arg1:[ipc_perm]:ipc 1535 comment=1, semaphore key, "sem key" 1536 note=ipc_perm 1537 syscall=semget 1538# ipc_perm token: semget -> audit_ipcget 1539 1540label=AUE_SEMGETL 1541 skip=Not used. 1542 1543label=AUE_SEMOP 1544 format=arg1:[ipc]:[ipc_perm] 1545 comment=1, semaphore ID, "sem ID" 1546 note=ipc_perm 1547# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc 1548 1549label=AUE_SEMSYS 1550 skip=Not used.
(place holder) -- defaults to a semget variant 1551 1552label=AUE_SEND 1553 case=If address family is AF_INET or AF_INET6 1554 format=[arg]1:[inet] 1555 comment=1, file descriptor, "so" 1556 case=If address family is AF_UNIX and path is defined 1557 format=[path]1:[attr] 1558 comment=1, file descriptor, "so" 1559 case=If address family is AF_UNIX and path is NULL 1560 format=[path]1:[attr] 1561 comment=1, file descriptor, "no path: fd" 1562 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1563 format=[arg]1:[arg]2:[arg]3 1564 comment=1, file descriptor, "so": 1565 comment=1, family, "family": 1566 comment=1, type, "type" 1567# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) 1568 1569label=AUE_SENDMSG 1570 case=If invalid file descriptor 1571 format=arg1:arg2 1572 comment=1, file descriptor, "so": 1573 comment=3, flags, "flags" 1574 case=If valid file descriptor 1575 case=...and address family is AF_UNIX and path is defined 1576 format=path:attr 1577 case=...and address family is AF_UNIX and path is NULL 1578 format=path1:attr 1579 comment=1, file descriptor, "nopath: fd" 1580 case=...and address family is AF_INET or AF_INET6, \ 1581 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1582 format=arg1:arg2:inet 1583 comment=1, file descriptor, "so": 1584 comment=3, flags, "flags" 1585 case=...and unknown address family or address family AF_INET or AF_INET6 \ 1586 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1587 format=arg1:arg2:arg3:arg4 1588 comment=1, file descriptor, "so": 1589 comment=1, family, "family": 1590 comment=1, type, "type": 1591 comment=1, flags, "flags" 1592 1593label=AUE_SENDTO 1594 case=If invalid file descriptor 1595 format=arg1:arg2 1596 comment=1, file descriptor, "so": 1597 comment=3, flags, "flags" 1598 case=If valid file descriptor 1599 case=...and socket is AF_UNIX and path is defined 1600 format=path:attr 1601 case=...and address family is AF_UNIX and path is NULL 1602 format=path1:attr 1603 
comment=1, file descriptor, "nopath: fd" 1604 case=...and address family is AF_INET or AF_INET6 1605 format=arg1:arg2:inet 1606 comment=1, file descriptor, "so": 1607 comment=3, flags, "flags" 1608 case=...and unknown address family 1609 format=arg1:arg2:arg3:arg4 1610 comment=1, file descriptor, "so": 1611 comment=1, family, "family": 1612 comment=1, type, "type": 1613 comment=1, flags, "flags" 1614 1615label=AUE_SETAUDIT 1616 case=With a valid program stack address 1617 format=arg1:arg2:arg3:arg4:arg5:arg6 1618 comment=1, audit user ID, "setaudit:auid": 1619 comment=1, terminal ID, "setaudit:port": 1620 comment=1, terminal ID, "setaudit:machine": 1621 comment=1, preselection mask, "setaudit:as_success": 1622 comment=1, preselection mask, "setaudit:as_failure": 1623 comment=1, audit session ID, "setaudit:asid" 1624 case=With an invalid program stack address 1625 format=kernel 1626# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1627# argument,1,0x271a,setaudit:auid 1628# argument,1,0x3ff0201,setaudit:port 1629# argument,1,0x8192591e,setaudit:machine 1630# argument,1,0x400,setaudit:as_success 1631# argument,1,0x400,setaudit:as_failure 1632# argument,1,0x16f,setaudit:asid 1633# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1634# return,success,0 1635# trailer,215 1636# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1637# argument,1,0x271a,setaudit:auid 1638# argument,1,0x3ff0201,setaudit:port 1639# argument,1,0x8192591e,setaudit:machine 1640# argument,1,0x400,setaudit:as_success 1641# argument,1,0x400,setaudit:as_failure 1642# argument,1,0x16f,setaudit:asid 1643# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1644# return,success,0 1645# trailer,215 1646 1647label=AUE_SETAUDIT_ADDR 1648 case=With a valid program stack address 1649 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 1650 comment=1, audit user ID, "auid": 1651 comment=1, terminal ID, "port": 1652 comment=1, type, "type": 1653 
comment=1, terminal ID, "ip address": 1654 comment=1, preselection mask, "as_success": 1655 comment=1, preselection mask, "as_failure": 1656 comment=1, audit session ID, "asid" 1657 case=With an invalid program stack address 1658 format=kernel 1659# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1660# argument,1,0x15fa7,auid 1661# argument,1,0x0,port 1662# argument,1,0x4,type 1663# ip address,tmach2 1664# argument,1,0x9c00,as_success 1665# argument,1,0x9c00,as_failure 1666# argument,1,0x1f1,asid 1667# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1668# return,success,0 1669 1670label=AUE_SETAUID 1671 format=arg1 1672 comment=2, audit user ID, "setauid" 1673 1674label=AUE_SETDOMAINNAME 1675 skip=Not used. (See AUE_SYSINFO) 1676# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1677 1678label=AUE_SETEGID 1679 format=arg1 1680 comment=1, group ID, "gid" 1681 1682label=AUE_SETEUID 1683 format=arg1 1684 comment=1, user ID, "euid" 1685 1686label=AUE_SETGID 1687 format=arg1 1688 comment=1, group ID, "gid" 1689 1690label=AUE_SETGROUPS 1691 note=If more than NGROUPS_MAX_DEFAULT groups listed, 1692 note=no tokens are generated. 1693 case=If no groups in list 1694 format=[arg]1 1695 comment=1, 0, "setgroups" 1696 case=If 1 or more groups in list 1697 format=(1..n)arg1 1698 comment=1, gid, "setgroups" 1699 1700label=AUE_SETHOSTNAME 1701 skip=Not used. (See AUE_SYSINFO) 1702# See sysinfo call with command SI_SET_HOSTNAME 1703 1704label=AUE_SETKERNSTATE 1705 skip=Not used. 1706 1707label=AUE_SETPGID 1708 format=[proc]:[arg]1 1709 comment=2, pgid, "pgid" 1710 1711label=AUE_SETPGRP 1712 format=kernel 1713 1714label=AUE_SETPRIORITY 1715 skip=Not used. 
1716 1717label=AUE_SETPPRIV 1718 case=operation privileges off 1719 format=arg1:privset2 1720 comment=setppriv operation: 1721 comment=privileges actually switched off 1722 case=operation privileges on 1723 format=arg1:privset2 1724 comment=setppriv operation: 1725 comment=privileges actually switched on 1726 case=operation privileges set (replace whole set) 1727 format=arg1:privset2:privset3 1728 comment=setppriv operation: 1729 comment=privileges before privset: 1730 comment=privileges after privset 1731#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1732#argument,2,0x2,op 1733#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1734#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1735#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1736#return,success,0 1737 1738label=AUE_SETREGID 1739 format=arg1:arg2 1740 comment=1, real group ID, "rgid": 1741 comment=2, effective group ID, "egid" 1742 1743label=AUE_SETREUID 1744 format=arg1:arg2 1745 comment=1, real user ID, "ruid": 1746 comment=2, effective user ID, "euid" 1747 1748label=AUE_SETRLIMIT 1749 format=kernel 1750# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1751# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1752# return,success,0 1753 1754label=AUE_SETSID 1755 format=kernel 1756 1757label=AUE_SETSOCKOPT 1758 case=Invalid file descriptor 1759 format=arg1:arg2 1760 comment=1, file descriptor, "so": 1761 comment=2, level, "level" 1762 case=Valid file descriptor 1763 case=...and socket is AF_UNIX 1764 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 1765 comment=if no path, will be argument: 1, "nopath: fd", \ 1766 file descriptor: 1767 comment=1, file descriptor, "so": 1768 comment=1, family, "family": 1769 comment=1, type, "type": 1770 comment=2, protocol level, "level": 1771 comment=3, option name, "optname": 1772 comment=5, option length, "optlen": 1773 comment=option data 1774 case=...and socket is AF_INET or AF_INET6
1775 format=arg1:arg2:arg3:[arg]4:[data]5:inet 1776 comment=1, file descriptor, "so": 1777 comment=2, protocol level, "level": 1778 comment=3, option name, "optname": 1779 comment=5, option length, "optlen": 1780 comment=option data 1781 case=...and socket address family is unknown 1782 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 1783 comment=1, file descriptor, "so": 1784 comment=1, family, "family": 1785 comment=1, type, "type": 1786 comment=2, protocol level, "level": 1787 comment=3, option name, "optname": 1788 comment=5, option length, "optlen": 1789 comment=option data 1790 1791label=AUE_SETTIMEOFDAY 1792 skip=Not used. 1793 1794label=AUE_SETUID 1795 syscall=setuid 1796 format=arg1 1797 comment=1, "uid" to be set 1798 1799label=AUE_SETUSERAUDIT 1800 skip=Not used. 1801 1802label=AUE_SHMAT 1803 format=arg1:arg2:[ipc]:[ipc_perm] 1804 comment=1, shared memory ID, "shm ID": 1805 comment=2, shared mem addr, "shm addr" 1806 note=ipc_perm 1807# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc 1808 1809label=AUE_SHMCTL 1810 format=arg1:[ipc]:[ipc_perm] 1811 comment=1, shared memory ID, "shm ID" 1812 note=ipc_perm 1813# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1814 1815label=AUE_SHMCTL_RMID 1816 format=arg1:[ipc]:[ipc_perm] 1817 comment=1, shared memory ID, "shm ID" 1818 note=ipc_perm 1819 syscall=shmctl: IPC_RMID 1820# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1821 1822label=AUE_SHMCTL_SET 1823 format=arg1:[ipc]:[ipc_perm] 1824 comment=1, shared memory ID, "shm ID" 1825 note=ipc_perm 1826 syscall=shmctl: IPC_SET 1827# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1828 1829label=AUE_SHMCTL_STAT 1830 format=arg1:[ipc]:[ipc_perm] 1831 comment=1, shared memory ID, "shm ID" 1832 note=ipc_perm 1833 syscall=shmctl: IPC_STAT 1834# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1835 1836label=AUE_SHMDT 1837 format=arg1 1838 comment=1, shared memory address, "shm adr" 1839 1840label=AUE_SHMGET 1841
format=arg1:[ipc_perm]:[ipc] 1842 comment=0, shared memory key, "shm key" 1843 note=ipc_perm 1844# ipc_perm: shmget -> audit_ipcget 1845 1846label=AUE_SHMGETL 1847 skip=Not used. 1848 1849label=AUE_SHMSYS 1850 skip=Not used. (Placeholder for shmget and shmctl*) 1851 1852label=AUE_SHUTDOWN 1853 case=If the socket address is invalid 1854 format=[arg]1:[text]2:[text]3 1855 comment=1, file descriptor, "fd": 1856 comment=bad socket address: 1857 comment=bad peer address 1858 case=If the socket address is part of the AF_INET family 1859 case=..with zero file descriptor 1860 format=arg1:[arg]2:[arg]3:[arg]4 1861 comment=1, file descriptor, "so": 1862 comment=1, family, "family": 1863 comment=1, type, "type": 1864 comment=2, how shutdown code, "how" 1865 case=...with non-zero file descriptor 1866 format=arg1:arg2:inet 1867 comment=1, file descriptor, "so": 1868 comment=2, how shutdown code, "how" 1869 case=If the socket address is AF_UNIX 1870 case=...with zero file descriptor 1871 format=path1:arg2:[arg]3:[arg]4:[arg]5 1872 comment=If error: argument: \ 1873 1, "no path: fd", file descriptor: 1874 comment=1, file descriptor, "so": 1875 comment=1, family, "family": 1876 comment=1, type, "type": 1877 comment=2, how shutdown code, "how" 1878 case=...with non-zero file descriptor 1879 format=path1:arg2:arg3:inet 1880 comment=If error: argument: \ 1881 1, file descriptor, "no path: fd": 1882 comment=1, file descriptor, "so": 1883 comment=2, how shutdown code, "how" 1884#old BSM manual wrong; used audit_event.c 1885 1886label=AUE_SOCKACCEPT 1887 syscall=getmsg: socket accept 1888 format=inet:arg1:[path]:attr:arg2 1889 comment=1, file descriptor, "fd": 1890 comment=4, priority, "pri" 1891# see putmsg and getmsg for record format 1892# See audit.c for inet token and audit_start.c for other reference 1893 1894label=AUE_SOCKCONFIG 1895 format=arg1:arg2:arg3:[path]4 1896 comment=1, domain address, "domain": 1897 comment=2, type, "type": 1898 comment=3, protocol, "protocol": 1899 
comment=If no path:argument -- 3, 0, "devpath" 1900 1901label=AUE_SOCKCONNECT 1902 syscall=putmsg: socket connect 1903 format=inet:arg1:[path]:attr:arg2 1904 comment=1, file descriptor, "fd": 1905 comment=4, priority, "pri" 1906# same as AUE_SOCKACCEPT 1907 1908label=AUE_SOCKET 1909 format=arg1:[arg]2:arg3 1910 comment=1, socket domain, "domain": 1911 comment=2, socket type, "type": 1912 comment=3, socket protocol, "protocol" 1913 1914label=AUE_SOCKETPAIR 1915 skip=Not used. 1916# unreferenced 1917 1918label=AUE_SOCKRECEIVE 1919 syscall=getmsg 1920 format=inet:arg1:[path]:attr:arg2 1921 comment=1, file descriptor, "fd": 1922 comment=4, priority, "pri" 1923# see AUE_SOCKACCEPT 1924 1925label=AUE_SOCKSEND 1926syscall=putmsg 1927 format=inet:arg1:[path]:attr:arg2 1928 comment=1, file descriptor, "fd": 1929 comment=4, priority, "pri" 1930# see AUE_SOCKACCEPT 1931 1932label=AUE_STAT 1933 format=path:[attr] 1934 1935label=AUE_STATFS 1936 format=path:[attr] 1937 1938label=AUE_STATVFS 1939 format=path:[attr] 1940 1941label=AUE_STIME 1942 format=kernel 1943 1944label=AUE_SWAPON 1945 skip=Not used. 1946 1947label=AUE_SYMLINK 1948 format=path:text1:[attr] 1949 comment=symbolic link string 1950 1951label=AUE_SYSINFO 1952 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands 1953 note=are currently audited. 1954 format=arg1:[text]2 1955 comment=1, command, "cmd": 1956 comment=name 1957 1958label=AUE_SYSTEMBOOT 1959 title=system booted 1960 syscall=none 1961 format=head:text1 1962 comment="booting kernel" 1963# see audit_start.c and audit_io.c 1964# no subject or return / exit token 1965# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec 1966# text,booting kernel 1967 1968label=AUE_TRUNCATE 1969 skip=Not used. 1970 1971label=AUE_UMOUNT 1972 syscall=umount: old version 1973 note=Implemented as call of the newer umount2(2). 
1974 format=path:arg1:[path]:[attr] 1975 comment=2, mflag value = 0, "flags" 1976 1977label=AUE_UMOUNT2 1978 syscall=umount2 1979 format=path:arg1:[path]:[attr] 1980 comment=2, mflag value, "flags" 1981 1982label=AUE_UNLINK 1983 format=path:[attr] 1984 1985label=AUE_UNLINKAT 1986# obsolete 1987 see=openat(2) 1988 format=path:[attr] 1989 1990label=AUE_UNMOUNT 1991 skip=Not used. 1992 1993label=AUE_UTIME 1994# obsolete 1995 format=path:[attr] 1996 1997label=AUE_UTIMES 1998 see=futimens(2) 1999 format=path:[attr] 2000 2001label=AUE_VFORK 2002 format=arg1 2003 comment=0, pid, "child PID" 2004 note=The vfork(2) return values are undefined because the audit record is 2005 note=produced at the point that the child process is spawned. 2006 2007label=AUE_VPIXSYS 2008 skip=Not used. 2009 2010label=AUE_VTRACE 2011 skip=Not used. 2012 2013label=AUE_WRITE 2014 format=path1:attr 2015 comment=if no path, argument -- 1, file descriptor, "no path: fd" 2016 note=An audit record is generated for write only once per file close. 2017 2018label=AUE_WRITEV 2019 skip=Not used. (obsolete) 2020 2021label=AUE_XMKNOD 2022# obsolete 2023 skip=Not used. 2024 2025label=AUE_XSTAT 2026# obsolete 2027 skip=Not Used.
2028 2029label=AUE_PF_POLICY_ADDRULE 2030 title=Add IPsec policy rule 2031 see= 2032 syscall=none 2033 format=arg1:arg2:[zone]3:[text]4 2034 comment=Operation applied to active policy (1 is active, 0 is inactive): 2035 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2036 comment=affected zone: 2037 comment=Name of target tunnel 2038 2039label=AUE_PF_POLICY_DELRULE 2040 title=Delete IPsec policy rule 2041 see= 2042 syscall=none 2043 format=arg1:arg2:[zone]3:[text]4 2044 comment=Operation applied to active policy (1 is active, 0 is inactive): 2045 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2046 comment=affected zone: 2047 comment=Name of target tunnel 2048 2049label=AUE_PF_POLICY_CLONE 2050 title=Clone IPsec policy 2051 see= 2052 syscall=none 2053 format=arg1:arg2:[zone]3:[text]4 2054 comment=Operation applied to active policy (1 is active, 0 is inactive): 2055 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2056 comment=affected zone: 2057 comment=Name of target tunnel 2058 2059label=AUE_PF_POLICY_FLIP 2060 title=Flip IPsec policy 2061 see= 2062 syscall=none 2063 format=arg1:arg2:[zone]3:[text]4 2064 comment=Operation applied to active policy (1 is active, 0 is inactive): 2065 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2066 comment=affected zone: 2067 comment=Name of target tunnel 2068 2069label=AUE_PF_POLICY_FLUSH 2070 title=Flush IPsec policy rules 2071 see= 2072 syscall=none 2073 format=arg1:arg2:[zone]3:[text]4 2074 comment=Operation applied to active policy (1 is active, 0 is inactive): 2075 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2076 comment=affected zone: 2077 comment=Name of target tunnel 2078 2079label=AUE_PF_POLICY_ALGS 2080 title=Update IPsec algorithms 2081 see= 2082 syscall=none 2083 format=arg1:arg2:[zone]3:[text]4 2084 comment=Operation applied to active policy (1 is active, 0 is inactive): 2085 comment=Operation applied
to global policy (1 is global, 0 is tunnel): 2086 comment=affected zone: 2087 comment=Name of target tunnel 2088 2089label=AUE_allocate_fail 2090 program=/usr/sbin/allocate 2091 title=allocate: allocate-device failure 2092 format=(0..n)[text]1 2093 comment=command line arguments 2094# see audit_allocate.c 2095 2096label=AUE_allocate_succ 2097 program=/usr/sbin/allocate 2098 title=allocate: allocate-device success 2099 format=(0..n)[text]1 2100 comment=command line arguments 2101# see audit_allocate.c 2102 2103label=AUE_at_create 2104 program=/usr/bin/at 2105 title=at: at-create crontab 2106 format=path 2107 2108label=AUE_at_delete 2109 program=/usr/bin/at 2110 title=at: at-delete atjob (at or atrm) 2111 format=text1:path 2112 comment="ancillary file:" filename or "bad format of at-job name" 2113 2114label=AUE_at_perm 2115 skip=Not used. 2116# not referenced outside uevents.h 2117 2118label=AUE_create_user 2119 skip=Not used. 2120 2121label=AUE_cron_invoke 2122 program=/usr/sbin/cron 2123 title=cron: cron-invoke at or cron 2124 case=If issue with account find 2125 format=text1 2126 comment="bad user" name or "user <name> account expired" 2127 case=else 2128 format=text1:text2 2129 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \ 2130 or "unknown job type (<job_type_id>)": 2131 comment=command 2132 2133label=AUE_crontab_create 2134 program=/usr/bin/crontab 2135 title=crontab: crontab created 2136 format=path 2137# See audit_crontab.c 2138 2139label=AUE_crontab_delete 2140 program=/usr/bin/crontab 2141 title=crontab: crontab delete 2142 format=path 2143# See audit_crontab.c 2144 2145label=AUE_crontab_mod 2146 program=/usr/bin/crontab 2147 title=crontab: crontab modify 2148 format=path 2149# See audit_crontab.c 2150 2151label=AUE_crontab_perm 2152 skip=Not used. 
2153 2154label=AUE_deallocate_fail 2155 program=/usr/sbin/deallocate 2156 title=deallocate-device failure 2157 format=(0..n)[text]1 2158 comment=command line arguments 2159# See audit_allocate.c 2160 2161label=AUE_deallocate_succ 2162 program=/usr/sbin/deallocate 2163 title=deallocate-device success 2164 format=(0..n)[text]1 2165 comment=command line arguments 2166# See audit_allocate.c 2167 2168label=AUE_delete_user 2169 skip=Not used. 2170 2171label=AUE_disable_user 2172 skip=Not used. 2173 2174label=AUE_enable_user 2175 skip=Not used. 2176 2177label=AUE_ftpd 2178 program=/usr/sbin/in.ftpd 2179 title=in.ftpd 2180 format=[text]1 2181 comment=error message 2182# See audit_ftpd 2183 2184label=AUE_ftpd_logout 2185 program=/usr/sbin/in.ftpd 2186 title=in.ftpd 2187 format=user 2188# See audit_ftpd 2189 2190label=AUE_halt_solaris 2191 program=/usr/sbin/halt 2192 title=halt 2193 format=user 2194# See audit_halt.c 2195 2196label=AUE_kadmind_auth 2197 format=text1:text2:text3 2198 comment=Op: <requested information>: 2199 comment=Arg: <argument for Op>: 2200 comment=Client: <client principal name> 2201# See audit_kadmin.c / common_audit() 2202 2203label=AUE_kadmind_unauth 2204 format=text1:text2:text3 2205 comment=Op: <requested information>: 2206 comment=Arg: <argument for Op>: 2207 comment=Client: <client principal name> 2208# See audit_kadmin.c / common_audit() 2209 2210label=AUE_krb5kdc_as_req 2211 format=text1:text2 2212 comment=Client: <client principal name>: 2213 comment=Service: <requested service name> 2214# See audit_krb5kdc.c / common_audit() 2215 2216label=AUE_krb5kdc_tgs_req 2217 format=text1:text2 2218 comment=Client: <client principal name>: 2219 comment=Service: <requested service name> 2220# See audit_krb5kdc.c / common_audit() 2221 2222label=AUE_krb5kdc_tgs_req_alt_tgt 2223 format=text1:text2 2224 comment=Client: <client principal name>: 2225 comment=Service: <requested service name> 2226# See audit_krb5kdc.c / common_audit() 2227 
2228label=AUE_krb5kdc_tgs_req_2ndtktmm 2229 format=text1:text2 2230 comment=Client: <client principal name>: 2231 comment=Service: <requested service name> 2232# See audit_krb5kdc.c / common_audit() 2233 2234label=AUE_listdevice_fail 2235 title=allocate-list devices failure 2236 program=/usr/sbin/allocate 2237 format=(0..n)[text]1 2238 comment=command line arguments 2239# See audit_allocate.c 2240 2241label=AUE_listdevice_succ 2242 title=allocate-list devices success 2243 program=/usr/sbin/allocate 2244 format=(0..n)[text]1 2245 comment=command line arguments 2246# See audit_allocate.c 2247 2248label=AUE_modify_user 2249 skip=Not used. 2250 2251label=AUE_mountd_mount 2252 title=mountd: NFS mount 2253 program=/usr/lib/nfs/mountd 2254 see=mountd(1M) 2255 format=text1:path2 2256 comment=remote client hostname: 2257 comment=mount dir 2258# See audit_mountd.c 2259 2260label=AUE_mountd_umount 2261 title=mountd: NFS unmount 2262 program=/usr/lib/nfs/mountd 2263 format=text1:path2 2264 comment=remote client hostname: 2265 comment=mount dir 2266# See audit_mountd.c 2267 2268label=AUE_poweroff_solaris 2269 program=/usr/sbin/poweroff 2270 title=poweroff 2271 format=user 2272# See audit_halt.c 2273 2274label=AUE_reboot_solaris 2275 program=/usr/sbin/reboot 2276 title=reboot 2277 format=user 2278# See audit_reboot.c 2279# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec 2280# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2 2281# return,success,0 2282 2283label=AUE_rexd 2284 program=/usr/sbin/rpc.rexd 2285 title=rpc.rexd 2286 format=[text]1:text2:text3:[text]4:[text]5 2287 comment=error message (failure only): 2288 comment="Remote execution requested by:" hostname: 2289 comment="Username:" username: 2290 comment="User id:" user ID (failure only): 2291 comment="Command line:" command attempted 2292# See audit_rexd.c 2293 2294label=AUE_rexecd 2295 program=/usr/sbin/rpc.rexecd 2296 title=rpc.rexecd 2297 format=[text]1:text2:text3:text4 2298 comment=error 
message (failure only): 2299 comment="Remote execution requested by:" hostname: 2300 comment="Username:" username: 2301 comment="Command line:" command attempted 2302# See audit_rexecd.c 2303 2304label=AUE_rshd 2305 program=/usr/sbin/in.rshd 2306 title=in.rshd 2307 format=text1:text2:[text]3:[text]4 2308 comment="cmd" command: 2309 comment="remote user" remote user: 2310 comment="local user" local user: 2311 comment=failure message 2312# See audit_rshd.c 2313 2314label=AUE_shutdown_solaris 2315 title=shutdown 2316 program=/usr/ucb/shutdown 2317 format=user 2318# See audit_shutdown.c 2319 2320label=AUE_smserverd 2321 program=/usr/lib/smedia/rpc.smserverd 2322 format=[text]1:[text]2 2323 comment=state change: 2324 comment=vid, pid, major/minor device 2325# see usr/src/cmd/smserverd 2326# code shows a third token, path, but it isn't implemented. 2327 2328label=AUE_uadmin_solaris 2329 title=uadmin (obsolete) 2330 program= 2331 see= 2332 format=text1:text2 2333 comment=function code: 2334 comment=argument code 2335# not used. 
Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml 2336 2337label=AUE_LABELSYS_TNRH 2338 title=config Trusted Network remote host cache 2339 see=tnrh(2) 2340 syscall=labelsys: TSOL_TNRH 2341 case=With the flush command (cmd=3) 2342 format=arg1 2343 comment=1, command, "cmd" 2344 case=With the load (cmd=1) and delete (cmd=2) commands 2345 format=arg1:inaddr2:arg3 2346 comment=1, command, "cmd": 2347 comment=ip address of host: 2348 comment=2, prefix length, "prefix len" 2349 2350label=AUE_LABELSYS_TNRHTP 2351 title=config Trusted Network remote host template 2352 see=tnrhtp(2) 2353 syscall=labelsys: TSOL_TNRHTP 2354 case=With the flush command (cmd=3) 2355 format=arg1 2356 comment=1, command, "cmd" 2357 case=With the load (cmd=1) and delete (cmd=2) commands 2358 format=arg1:text2 2359 comment=1, command, "cmd": 2360 comment=name of template 2361 2362label=AUE_LABELSYS_TNMLP 2363 title=config Trusted Network multi-level port entry 2364 see=tnmlp(2) 2365 syscall=labelsys: TSOL_TNMLP 2366 case=With the flush command (cmd=3) 2367 format=arg1:text2 2368 comment=1, command, "cmd": 2369 comment="shared", or name of zone 2370 case=With the load (cmd=1) and delete (cmd=2) commands 2371 format=arg1:text2:arg3:arg4:[arg]5 2372 comment=1, command, "cmd": 2373 comment="shared", or name of zone: 2374 comment=2, protocol number, "proto num": 2375 comment=2, starting mlp port number, "mlp_port": 2376 comment=2, ending mlp port number, "mlp_port_upper" 2377