1# audit_record_attr.txt 2# Two "#" are comments that are copied to audit_record_attr 3# other comments are removed. 4## 5## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 6## 7## CDDL HEADER START 8## 9## The contents of this file are subject to the terms of the 10## Common Development and Distribution License (the "License"). 11## You may not use this file except in compliance with the License. 12## 13## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 14## or http://www.opensolaris.org/os/licensing. 15## See the License for the specific language governing permissions 16## and limitations under the License. 17## 18## When distributing Covered Code, include this CDDL HEADER in each 19## file and include the License file at usr/src/OPENSOLARIS.LICENSE. 20## If applicable, add the following below this CDDL HEADER, with the 21## fields enclosed by brackets "[]" replaced with your own identifying 22## information: Portions Copyright [yyyy] [name of copyright owner] 23## 24## CDDL HEADER END 25## 26## 27 28# source file for describing audit records. 29 30# This file is in two sections. The first is a list of attribute / 31# value pairs used to provide short cuts in annotating the audit 32# records. The second is for annotation for each audit record. 
33 34# first section: general attributes 35 36# skipClass=<class name of items to skip if only in that class> 37# skipClass=no # uncomment to filter unused events 38 39# token name abbreviations 40# token=alias:fullname -- short names for key tokens 41 42token=arg:argument 43token=attr:attribute 44token=acl:acl_entry 45token=cmd:command 46token=data:data 47token=exec_args:exec_arguments 48token=exec_env:exec_environment 49token=group:group 50token=inaddr:ip_addr 51token=inet:socket 52token=ipc:ipc 53token=ipc_perm:ipc_perm 54token=newgroup:newgroups 55token=path:path 56token=path_attr:attribute_path 57token=privset:privilege 58token=proc:process 59token=text:text 60token=tid:terminal_adr 61token=uauth:use_of_authorization 62token=upriv:use_of_privilege 63token=user:user_object 64token=zone:zonename 65token=fmri:service_instance 66token=label:mandatory_label 67 68token=head:header 69token=subj:subject 70token=ret:return 71token=exit:exit 72 73# note names -- certain notes show up repeatedly; collected here 74# 75# To achieve the maximum line length to be less than 80 characters, the 76# note names (message=) can be defined as a multi line, each line except the 77# last one finished with the backslash character. 78 79message=ipc_perm:The ipc and ipc_perm tokens are not included if \ 80 the message ID is not valid. 81 82 83# basic record pattern ("insert" is where event-specific tokens 84# are listed.) 85 86kernel=head:insert:subj:[upriv]:ret 87user=head:subj:insert:ret 88 89# Second Section 90# Annotation Section 91# 92# Most audit records need annotation beyond what is provided by 93# the files audit_event and audit_class. At a minimum, a record 94# is represented by a label and a format. 95# 96# label=record_id like AUE_ACCEPT 97# format=token_alias 98# 99# there is no end line; a new label= end the preceding definition 100# and starts the next. 101# 102# format values are a list of token names, separated by colons. 
The 103# name is either one of the values described above (token=) or is 104# a value to be taken literally. If a token name ends with a digit, 105# the digit is an index into an array of comments. In the few cases 106# where there are no tokens (other than header, subject, return/exit), 107# use "format=kernel" or "format=user". 108# 109# comment is an array of strings separated by colons. If comments 110# are listed on separate lines (recommended due to better 111# readability/sustainability of the file), the preceding comment 112# must end with a colon. The array starts at 1. (If the comment 113# contains a colon, use ":" without the quotes.) 114# 115# case is used to generate alternate descriptions for a given 116# record. 117# 118# Constraints on string length: any value of one of the primitives listed 119# below that is longer than its maximum is silently truncated to that many 120# characters by the auditrecord(1M) runtime, so check the limits when editing: 121# 122# primitive <= max (non-truncated) string length 123# case <= unlimited; if necessary, text continues on a new line 124# comment <= unlimited; if necessary, text continues on a new line 125# label <= 43 126# note <= unlimited; if necessary, text continues on a new line 127# program <= 20 128# see <= 39 129# syscall <= 20 130# title <= 46 131# token <= 28 (full name) 132# 133# To keep the maximum line length below 80 characters, one can 134# define the unlimited primitives as a multi line, each line except the 135# last one finished with the backslash character. In addition to above 136# mentioned, the "format=" record attribute follows the same rule. 137# 138# 139# AUE_ACCEPT illustrates the use of all the above. Note that 140# case is not nested; ellipsis (...) is used to give the effect 141# of nesting. 
142 143label=AUE_ACCEPT 144#accept(2) failure 145 case=Invalid socket file descriptor 146 format=arg1 147 comment=1, file descriptor, "so" 148#accept(2) non SOCK_STREAM socket 149 case=If the socket address is not part of the AF_INET family 150 format=arg1:arg2:arg3 151 comment=1, "so", file descriptor: 152 comment="family", so_family: 153 comment="type", so_type 154 case=If the socket address is part of the AF_INET family 155 case=...If there is no vnode for this file descriptor 156 format=[arg]1 157 comment=1, file descriptor, "Bad so" 158#accept(2) SOCK_STREAM socket-not bound 159 case=...or if the socket is not bound 160 format=[arg]1:[inet]2 161 comment=1, file descriptor, "so": 162 comment=local/foreign address (0.0.0.0) 163 case=...or if the socket address length = 0 164 format=[arg]1:[inet]2 165 comment=1, file descriptor, "so": 166 comment=local/foreign address (0.0.0.0) 167 case=...or for all other conditions 168 format=inet1:[inet]1 169 comment=socket address 170#accept(2) failure 171# header 172# au_to_arg32 "so",file descriptor 173# subject 174# return <errno != 0> 175# 176#accept(2) non SOCK_STREAM socket 177# header 178# au_to_arg32 "so", file descriptor 179# au_to_arg32 "family", so_family 180# au_to_arg32 "type", so_type 181# subject 182# return success 183# 184#accept(2) SOCK_STREAM socket-not bound 185# header 186# au_to_arg32 "so", file descriptor 187# au_to_socket_ex local/foreign address (0.0.0.0) 188# subject 189# return success 190# 191#accept(2) SOCK_STREAM socket-bound 192# header 193# au_to_arg32 "so", file descriptor 194# au_to_socket_ex 195# subject 196# return success 197 198 199 200label=AUE_ACCESS 201 format=path1:[attr] 202 comment=may be truncated in failure case 203# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 204# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 205# attribute,100777,41416,staff,8388608,402255,0 206# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 
129.146.89.30 207# return,success,0 208# trailer,163 209# 210# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 211# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 212# attribute,100000,root,other,8388608,402257,0 213# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 214# return,failure: Permission denied,-1 215# trailer,163 216# 217# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 218# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 219# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 220# return,failure: No such file or directory,-1 221# trailer,135 222 223label=AUE_ACCT 224 case=Zero path 225 format=arg1 226 comment=1, 0, "accounting off" 227 case=Non-zero path 228 format=path1:[attr]2 229 comment=may be truncated in failure case: 230 comment=omitted if failure 231 232label=AUE_ACLSET 233 syscall=acl 234 format=arg1:arg2:(0..n)[acl]3 235 comment=2, SETACL, "cmd": 236 comment=3, number of ACL entries, "nentries": 237 comment=Access Control List entries 238 239label=AUE_ADJTIME 240 format=kernel 241 242label=AUE_ASYNC_DAEMON 243 skip=Not used 244 245label=AUE_ASYNC_DAEMON_EXIT 246 skip=Not used 247 248label=AUE_AUDIT 249 skip=Not used. (Placeholder for the set AUE_AUDIT_*.) 250 251label=AUE_AUDITON 252 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
253 254label=AUE_AUDITON_GESTATE 255 skip=Not used 256 257label=AUE_AUDITON_GETAMASK 258 format=kernel 259 syscall=auditon: GETAMASK 260 261label=AUE_AUDITON_GETCAR 262 format=kernel 263 syscall=auditon: GETCAR 264# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 265# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 266# return,success,0 267# trailer,68 268 269label=AUE_AUDITON_GETCLASS 270 format=kernel 271 syscall=auditon: GETCLASS 272# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 273# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 274# return,success,0 275# trailer,68 276 277label=AUE_AUDITON_GETCOND 278 format=kernel 279 syscall=auditon: GETCOND 280# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 281# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 282# return,success,0 283# trailer,68 284 285label=AUE_AUDITON_GETCWD 286 format=kernel 287 syscall=auditon: GETCWD 288# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 289# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 290# return,success,0 291# trailer,68 292 293label=AUE_AUDITON_GETKMASK 294 format=kernel 295 syscall=auditon: GETKMASK 296# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 297# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 298# return,success,0 299# trailer,68 300 301label=AUE_AUDITON_GETSTAT 302 format=kernel 303 syscall=auditon: A_GETSTAT 304# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 305# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 306# return,success,0 307# trailer,68 308 309label=AUE_AUDITON_GPOLICY 310 format=kernel 311 syscall=auditon: GPOLICY 312# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec 313# 
subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 314# return,success,0 315# trailer,68 316 317label=AUE_AUDITON_GQCTRL 318 format=kernel 319 syscall=auditon: GQCTRL 320# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec 321# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 322# return,success,0 323# trailer,68 324 325 326label=AUE_AUDITON_GTERMID 327 skip=Not used. 328 329label=AUE_AUDITON_SESTATE 330 skip=Not used. 331 332label=AUE_AUDITON_SETAMASK 333 format=[arg]1:[arg]2 334 comment=2, "setamask as_success", user default audit preselection mask: 335 comment=2, "setamask as_failure", user default audit preselection mask 336 syscall=auditon: SETAMASK 337 338label=AUE_AUDITON_SETCLASS 339 format=[arg]1:[arg]2 340 comment=2, "setclass:ec_event", event number: 341 comment=3, "setclass:ec_class", class mask 342 syscall=auditon: SETCLASS 343# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec 344# argument,2,0x0,setclass:ec_event 345# argument,3,0x0,setclass:ec_class 346# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 347# return,success,0 348# trailer,120 349 350label=AUE_AUDITON_SETCOND 351 format=[arg]1 352 comment=3, "setcond", audit state 353 syscall=auditon: SETCOND 354 355label=AUE_AUDITON_SETKMASK 356 format=[arg]1:[arg]2 357 comment=2, "setkmask:as_success", kernel non-attributable mask: 358 comment=2, "setkmask:as_failure", kernel non-attributable mask 359 syscall=auditon: SETKMASK 360# the argument text matches the records below ("setkmask:as_success"), not the space-separated form 361# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec 361# argument,2,0x0,setkmask:as_success 362# argument,2,0x0,setkmask:as_failure 363# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 364# return,success,0 365# trailer,124 366# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec 367# argument,2,0x0,setkmask:as_success 368# argument,2,0x0,setkmask:as_failure 369# 
subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 370# return,failure: Not owner,-1 371# trailer,124 372 373label=AUE_AUDITON_SETSMASK 374 format=[arg]1:[arg]2 375 comment=3, "setsmask:as_success", session ID mask: 376 comment=3, "setsmask:as_failure", session ID mask 377 syscall=auditon: SETSMASK 378# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec 379# argument,3,0x400,setsmask:as_success 380# argument,3,0x400,setsmask:as_failure 381# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 382# return,success,0 383# trailer,124 384# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 385# argument,3,0x400,setsmask:as_success 386# argument,3,0x400,setsmask:as_failure 387# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 388# return,failure: Not owner,-1 389# trailer,124 390 391label=AUE_AUDITON_SETSTAT 392 format=kernel 393 syscall=auditon: SETSTAT 394# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 395# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 396# return,success,0 397# trailer,68 398# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 399# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 400# return,failure: Not owner,-1 401# trailer,68 402 403label=AUE_AUDITON_SETUMASK 404 format=[arg]1:[arg]2 405 comment=3, "setumask:as_success", audit ID mask: 406 comment=3, "setumask:as_failure", audit ID mask 407 syscall=auditon: SETUMASK 408# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 409# argument,3,0x400,setumask:as_success 410# argument,3,0x400,setumask:as_failure 411# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 412# return,success,0 413# trailer,124 414# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 415# 
argument,3,0x400,setumask:as_success 416# argument,3,0x400,setumask:as_failure 417# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 418# return,failure: Not owner,-1 419# trailer,124 420 421label=AUE_AUDITON_SPOLICY 422 format=[arg]1 423 comment=1, audit policy flags, "setpolicy" 424 syscall=auditon: SPOLICY 425# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec 426# argument,3,0x200,setpolicy 427# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 428# return,success,0 429# trailer,86 430# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 431# argument,3,0x200,setpolicy 432# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 433# return,failure: Not owner,-1 434# trailer,86 435 436label=AUE_AUDITON_SQCTRL 437 format=[arg]1:[arg]2:[arg]3:[arg]4 438 comment=3, "setqctrl:aq_hiwater", queue control param.: 439 comment=3, "setqctrl:aq_lowater", queue control param.: 440 comment=3, "setqctrl:aq_bufsz", queue control param.: 441 comment=3, "setqctrl:aq_delay", queue control param. 442 syscall=auditon: SQCTRL 443# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 444# argument,3,0x64,setqctrl:aq_hiwater 445# argument,3,0xa,setqctrl:aq_lowater 446# argument,3,0x400,setqctrl:aq_bufsz 447# argument,3,0x14,setqctrl:aq_delay 448# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 449# return,success,0 450# trailer,176 451# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 452# argument,3,0x64,setqctrl:aq_hiwater 453# argument,3,0xa,setqctrl:aq_lowater 454# argument,3,0x400,setqctrl:aq_bufsz 455# argument,3,0x14,setqctrl:aq_delay 456# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 457# return,failure: Not owner,-1 458# trailer,176 459 460label=AUE_AUDITON_STERMID 461 skip=Not used. 462 463label=AUE_AUDITSTAT 464 skip=Not used. 
465 466label=AUE_AUDITSVC 467 skip=Not used. 468 469label=AUE_AUDITSYS 470 skip=Not used. (Place holder for various auditing events.) 471 472label=AUE_BIND 473# differs from documented version. 474# cases "no vnode" not fully confirmed 475# family and type need argument number 476 case=Invalid socket handle 477 format=arg1 478 comment=1, file descriptor, "so" 479 case=If there is no vnode for this file descriptor 480 case=or if the socket is not of the AF_INET family 481 format=arg1:arg2:arg3 482 comment=1, file descriptor, "so": 483 comment=1, socket family, "family": 484 comment=1, socket type, "type" 485 case=or for all other conditions 486 format=arg1:inet2 487 comment=1, file descriptor, "so": 488 comment=socket address 489 490label=AUE_BRANDSYS 491# generic mechanism to allow user-space and kernel components of a brand 492# to communicate. The interpretation of the arguments to the call is 493# left entirely up to the brand. 494 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 495 comment=1, command, "cmd": 496 comment=2, command args, "arg": 497 comment=3, command args, "arg": 498 comment=4, command args, "arg": 499 comment=5, command args, "arg": 500 comment=6, command args, "arg": 501 comment=7, command args, "arg" 502 503label=AUE_BSMSYS 504 skip=Not used. 
505 506label=AUE_CHDIR 507 format=path:[attr] 508# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 509# path,/export/home/CC_final/icenine/arv/chdir/obj_succ 510# attribute,40777,root,other,8388608,231558,0 511# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 512# return,success,0 513# trailer,151 514# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 515# path,/export/home/CC_final/icenine/arv/chdir/obj_fail 516# attribute,40000,root,other,8388608,237646,0 517# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 518# return,failure: Permission denied,-1 519# trailer,151 520 521label=AUE_CHMOD 522 format=arg1:path:[attr] 523 comment=2, mode, "new file mode" 524# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 525# argument,2,0x1f8,new file mode 526# path,/export/home/CC_final/icenine/arv/chmod/obj_succ 527# attribute,100770,tuser10,other,8388608,243608,0 528# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 529# return,success,0 530# trailer,173 531# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 532# argument,2,0x1f8,new file mode 533# path,/export/home/CC_final/icenine/arv/chmod/obj_fail 534# attribute,100600,root,other,8388608,243609,0 535# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 536# return,failure: Not owner,-1 537# trailer,173 538 539label=AUE_CHOWN 540 format=arg1:arg2:path:[attr] 541 comment=2, uid, "new file uid": 542 comment=3, gid, "new file gid" 543# the path and attribute tokens follow the uid/gid arguments, as the sample 543# records below show (same token layout as AUE_LCHOWN); a gid of 0xffffffff 543# (-1) means the group was left unchanged 543# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 544# argument,2,0x271a,new file uid 545# argument,3,0xffffffff,new file gid 546# path,/export/home/CC_final/icenine/arv/chown/obj_succ 547# attribute,100644,tuser10,other,8388608,268406,0 548# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 549# return,success,0 550# trailer,193 551# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec 552# argument,2,0x271a,new file uid 
553# argument,3,0xffffffff,new file gid 554# path,/export/home/CC_final/icenine/arv/chown/obj_fail 555# attribute,100644,root,other,8388608,268407,0 556# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 557# return,failure: Not owner,-1 558# trailer,193 559 560label=AUE_CHROOT 561 format=path:[attr] 562# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 563# path,/ 564# attribute,40755,root,root,8388608,2,0 565# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 566# return,success,0 567# trailer,104 568# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 569# path,/export/home/CC_final/icenine/arv/chroot/obj_fail 570# attribute,40777,tuser10,other,8388608,335110,0 571# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 572# return,failure: Not owner,-1 573# trailer,152 574 575label=AUE_CLOCK_SETTIME 576 format=kernel 577 578label=AUE_CLOSE 579 format=arg1:[path]:[attr] 580 comment=1, file descriptor, "fd" 581 582label=AUE_CONFIGKSSL 583 case=Adding KSSL entry. 584 format=text1:inaddr2:text3:text4 585 comment=opcode, KSSL_ADD_ENTRY: 586 comment=local IP address: 587 comment=SSL port number: 588 comment=proxy port number 589 case=Deleting KSSL entry. 
590 format=text1:inaddr2:text3 591 comment=opcode, KSSL_DELETE_ENTRY: 592 comment=local IP address: 593 comment=SSL port number 594 595label=AUE_CONNECT 596# cases "no vnode" not fully confirmed 597 case=If there is no vnode for this file descriptor 598 case=If the socket address is not part of the AF_INET family 599 format=arg1:arg2:arg3 600 comment=1, file descriptor, "so": 601 comment=1, socket family, "family": 602 comment=1, socket type, "type" 603 case=If the socket address is part of the AF_INET family 604 format=arg1:inet2 605 comment=1, file descriptor, "so": 606 comment=socket address 607 608label=AUE_CORE 609 syscall=none 610 title=process dumped core 611 see=none 612 format=path:[attr]:arg1 613 comment=1, signal, "signal" 614# see uts/common/c2/audit.c 615 616label=AUE_CREAT 617# obsolete - see open(2) 618 format=path:[attr] 619# does not match old BSM manual 620# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 621# path,/export/home/CC_final/icenine/arv/creat/obj_succ 622# attribute,100644,tuser10,other,8388608,49679,0 623# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 624# return,success,8 625# trailer,151 626# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 627# path,/devices/pseudo/mm@0:null 628# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 629# return,success,8 630# trailer,107 631# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 632# path,/obj_fail 633# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 634# return,failure: Permission denied,-1 635# trailer,83 636 637label=AUE_CRYPTOADM 638 title=kernel cryptographic framework 639 format=text1:(0..n)[text]2 640 comment=cryptoadm command/operation: 641 comment=mechanism list 642 643label=AUE_DOORFS 644 skip=Not used. (Place holder for set of door audit events.) 645 646label=AUE_DOORFS_DOOR_BIND 647 skip=Not used. 
648 syscall=doorfs: DOOR_BIND 649 650label=AUE_DOORFS_DOOR_CALL 651 format=arg1:proc2 652 comment=1, door ID, "door ID": 653 comment=for process that owns the door 654 syscall=doorfs: DOOR_CALL 655 656label=AUE_DOORFS_DOOR_CREATE 657 format=arg1 658 comment=1, door attributes, "door attr" 659 syscall=doorfs: DOOR_CREATE 660 661label=AUE_DOORFS_DOOR_CRED 662 skip=Not used. 663 syscall=doorfs: DOOR_CRED 664 665label=AUE_DOORFS_DOOR_INFO 666 skip=Not used. 667 syscall=doorfs: DOOR_INFO 668 669label=AUE_DOORFS_DOOR_RETURN 670 format=kernel 671 syscall=doorfs: DOOR_RETURN 672 673label=AUE_DOORFS_DOOR_REVOKE 674 format=arg1 675 comment=1, door ID, "door ID" 676 syscall=doorfs: DOOR_REVOKE 677 678label=AUE_DOORFS_DOOR_UNBIND 679 skip=Not used. 680 syscall=doorfs: DOOR_UNBIND 681 682label=AUE_DUP2 683 skip=Not used. 684 685label=AUE_ENTERPROM 686 title=enter prom 687 syscall=none 688 format=head:text1:ret 689 comment="kmdb" 690# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 691# text,kmdb 692# return,success,0 693 694label=AUE_EXEC 695# obsolete - see execve(2) 696 format=path:[attr]1:[exec_args]2:[exec_env]3 697 comment=omitted on error: 698 comment=output if argv policy is set: 699 comment=output if arge policy is set 700 701label=AUE_EXECVE 702 format=path:[attr]1:[exec_args]2:[exec_env]3 703 comment=omitted on error: 704 comment=output if argv policy is set: 705 comment=output if arge policy is set 706 note=The exec_args and exec_env tokens are present only when the argv and \ 706 arge audit policies are enabled; a record without them is not evidence \ 706 that the process was started without arguments or environment. 706# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 707# path,/devices/pseudo/mm@0:null 708# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 709# return,success,8 710# trailer,107 711# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 712# path,/usr/bin/pig 713# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 714# return,failure: No such file or directory,-1 715# trailer,86 716 717label=AUE_PFEXEC 718 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5 719 
comment=pathname of the executable: 720 comment=pathname of working directory: 721 comment=privileges if the limit or inheritable set are changed: 722 comment=process if ruid, euid, rgid or egid is changed: 723 comment=output if arge policy is set 724 725label=AUE_sudo 726 format=exec_args1:[text]2 727 comment=command args: 728 comment=error message (failure only) 729 730label=AUE_EXIT 731 format=arg1:[text]2 732 comment=1, exit status, "exit status": 733 comment=event aborted 734 735label=AUE_EXITPROM 736 title=exit prom 737 syscall=none 738 format=head:text1:ret 739 comment="kmdb" 740# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 741# text,kmdb 742# return,success,0 743 744label=AUE_EXPORTFS 745 skip=Not used. 746 747label=AUE_FACCESSAT 748# obsolete 749 see=access(2) 750 format=path:[attr] 751 752label=AUE_FACLSET 753 syscall=facl 754 case=Invalid file descriptor 755 format=arg1:arg2 756 comment=2, SETACL, "cmd": 757 comment=3, number of ACL entries, "nentries" 758 case=Zero path 759 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 760 comment=2, SETACL, "cmd": 761 comment=3, number of ACL entries, "nentries": 762 comment=1, file descriptor, "no path: fd": 763 comment=ACLs 764 case=Non-zero path 765 format=arg1:arg2:path:[attr]:(0..n)[acl]3 766 comment=2, SETACL, "cmd": 767 comment=3, number of ACL entries, "nentries": 768 comment=ACLs 769 770label=AUE_FCHDIR 771 format=[path]:[attr] 772# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 773# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 774# attribute,40777,tuser10,other,8388608,207662,0 775# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 776# return,success,0 777# trailer,150 778# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 779# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 780# return,failure: Permission denied,-1 781# trailer,68 782 783label=AUE_FCHMOD 784 case=With a valid file descriptor and path 785 
format=arg1:path:[attr] 786 comment=2, mode, "new file mode" 787 case=With a valid file descriptor and invalid path 788 format=arg1:[arg]2:[attr] 789 comment=2, mode, "new file mode": 790 comment=1, file descriptor, "no path: fd" 791 case=With an invalid file descriptor 792 format=arg1 793 comment=2, mode, "new file mode" 794# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 795# argument,2,0x1a4,new file mode 796# path,/export/home/CC/icenine/arv/fchmod/obj_succ 797# attribute,100644,tuser10,other,7602240,26092,0 798# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 799# return,success,0 800# trailer,168 801# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 802# argument,2,0x1a4,new file mode 803# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 804# return,failure: Bad file number,-1 805# trailer,90 806# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 807# argument,2,0x1a4,new file mode 808# path,/export/home/CC/icenine/arv/fchmod/obj_fail 809# attribute,100644,root,other,7602240,26093,0 810# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 811# return,failure: Not owner,-1 812# trailer,168 813 814label=AUE_FCHOWN 815 case=With a valid file descriptor 816 format=arg1:arg2:[path]:[attr] 817 comment=2, uid, "new file uid": 818 comment=3, gid, "new file gid" 819 case=With an invalid file descriptor 820 format=arg1:arg2:[arg]3:[attr] 821 comment=2, uid, "new file uid": 822 comment=3, gid, "new file gid": 823 comment=1, file descriptor, "no path fd" 824 825label=AUE_FCHOWNAT 826# obsolete 827 see=openat(2) 828 case=With a valid absolute/relative file path 829 format=path:[attr] 830 case=With an file path eq. 
NULL and valid file descriptor 831 format=kernel 832 833label=AUE_FCHROOT 834 format=[path]:[attr] 835# fchroot -> chdirec -> audit_chdirec 836 837label=AUE_FCNTL 838 case=With a valid file descriptor 839 format=arg1:[arg]2:path:attr 840 comment=2, command, "cmd": 841 comment=3, flags, "flags" 842 case=With an invalid file descriptor 843 format=arg1:[arg]2:arg3 844 comment=2, command, "cmd": 845 comment=3, flags, "flags": 846 comment=1, file descriptor, "no path fd" 847 note=Flags are included only when cmd is F_SETFL. 848 849label=AUE_FLOCK 850 skip=Not used. 851 852label=AUE_FORKALL 853 format=[arg]1 854 comment=0, pid, "child PID" 855 note=The forkall(2) return values are undefined because the audit record 856 note=is produced at the point that the child process is spawned. 857# see audit.c 858 859label=AUE_FORK1 860 format=[arg]1 861 comment=0, pid, "child PID" 862 note=The fork1(2) return values are undefined because the audit record 863 note=is produced at the point that the child process is spawned. 864# see audit.c 865 866label=AUE_FSAT 867# obsolete 868 skip=Not used. (Placeholder for AUE_*AT records) 869 870label=AUE_FSTAT 871 skip=Not used. 872 873label=AUE_FSTATAT 874# obsolete 875 format=path:[attr] 876 877label=AUE_FSTATFS 878 case=With a valid file descriptor 879 format=[path]:[attr] 880 case=With an invalid file descriptor 881 format=arg1 882 comment=1, file descriptor, "no path fd" 883 884label=AUE_FTRUNCATE 885 skip=Not used. 
886 887label=AUE_FUSERS 888 syscall=utssys: UTS_FUSERS 889 format=path:attr 890 891label=AUE_FUTIMESAT 892# obsolete 893 format=[path]:[attr] 894 895label=AUE_GETAUDIT 896 format=kernel 897# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 898# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 899# return,success,0 900# trailer,68 901# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 902# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 903# return,success,0 904# trailer,68 905 906label=AUE_GETAUDIT_ADDR 907 format=kernel 908# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 909# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 910# return,success,0 911 912label=AUE_GETAUID 913 format=kernel 914# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 915# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 916# return,success,0 917# trailer,68 918# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec 919# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1 920# return,failure: Not owner,-1 921# trailer,68 922 923label=AUE_GETDENTS 924 skip=Not used. 925#Not security relevant 926 927label=AUE_GETKERNSTATE 928 skip=Not used. 929 930label=AUE_GETMSG 931 case=With a valid file descriptor 932 format=arg1:[path]:attr:arg2 933 comment=1, file descriptor, "fd": 934 comment=4, priority, "pri" 935 case=With an invalid file descriptor 936 format=arg1:arg2 937 comment=1, file descriptor, "fd": 938 comment=4, priority, "pri" 939 940label=AUE_GETPMSG 941 case=With a valid file descriptor 942 format=arg1:[path]:attr 943 comment=1, file descriptor, "fd" 944 case=With an invalid file descriptor 945 format=arg1 946 comment=1, file descriptor, "fd" 947 948label=AUE_GETPORTAUDIT 949 skip=Not used. 950 951label=AUE_GETUSERAUDIT 952 skip=Not used. 
953 954label=AUE_INST_SYNC 955 format=arg1 956 comment=2, flags value, "flags" 957 958label=AUE_IOCTL 959 case=With an invalid file descriptor 960 format=arg1:arg2:arg3 961 comment=1, file descriptor, "fd": 962 comment=2, command, "cmd": 963 comment=3, arg, "arg" 964 case=With a valid file descriptor 965 format=path:[attr]:arg1:arg2 966 comment=2, ioctl cmd, "cmd": 967 comment=3, ioctl arg, "arg" 968 case=Non-file file descriptor 969 format=arg1:arg2:arg3 970 comment=1, file descriptor, "fd": 971 comment=2, ioctl cmd, "cmd": 972 comment=3, ioctl arg, "arg" 973 case=Bad file name 974 format=arg1:arg2:arg3 975 comment=1, file descriptor, "no path: fd": 976 comment=2, ioctl cmd, "cmd": 977 comment=3, ioctl arg, "arg" 978# old BSM manual misses a case 979 980label=AUE_JUNK 981 skip=Not used. 982 983label=AUE_KILL 984 case=Valid process 985 format=arg1:[proc] 986 comment=2, signo, "signal" 987 case=Zero or negative process 988 format=arg1:arg2 989 comment=2, signo, "signal": 990 comment=1, pid, "process" 991 992label=AUE_KILLPG 993 skip=Not used. 994 995label=AUE_LCHOWN 996 format=arg1:arg2:path:[attr] 997 comment=2, uid, "new file uid": 998 comment=3, gid, "new file gid" 999 1000label=AUE_LINK 1001 format=path1:[attr]:path2 1002 comment=from path: 1003 comment=to path 1004 1005label=AUE_LSEEK 1006 skip=Not used. 1007 1008label=AUE_LSTAT 1009 format=path:[attr] 1010 1011label=AUE_LXSTAT 1012# obsolete 1013 skip=Not used. 1014 1015label=AUE_MCTL 1016 skip=Not used. 
1017 1018label=AUE_MEMCNTL 1019 format=arg1:arg2:arg3:arg4:arg5:arg6 1020 comment=1, base address, "base": 1021 comment=2, length, "len": 1022 comment=3, command, "cmd": 1023 comment=4, command args, "arg": 1024 comment=5, command attributes, "attr": 1025 comment=6, 0, "mask" 1026 1027label=AUE_MKDIR 1028 format=arg1:path:[attr] 1029 comment=2, mode, "mode" 1030 1031label=AUE_MKNOD 1032 format=arg1:arg2:path:[attr] 1033 comment=2, mode, "mode": 1034 comment=3, dev, "dev" 1035 1036label=AUE_MMAP 1037 case=With a valid file descriptor 1038 format=arg1:arg2:[path]3:[attr] 1039 comment=1, segment address, "addr": 1040 comment=2, segment length, "len": 1041 comment=if no path, then argument: \ 1042 1, "nopath: fd", file descriptor 1043 case=With an invalid file descriptor 1044 format=arg1:arg2:arg3 1045 comment=1, segment address, "addr": 1046 comment=2, segment length, "len": 1047 comment=1, file descriptor, "no path: fd" 1048 1049label=AUE_MODADDMAJ 1050 title=modctl: bind module 1051 syscall=modctl 1052 format=[text]1:[text]2:text3:arg4:(0..n)[text]5 1053 comment=driver major number: 1054 comment=driver name: 1055 comment=driver major number or "no drvname": 1056 comment=5, number of aliases, "": 1057 comment=aliases 1058 1059label=AUE_MODADDPRIV 1060 format=kernel 1061 1062label=AUE_MODCONFIG 1063 skip=Not used. 1064 1065label=AUE_MODCTL 1066 skip=Not used.
(placeholder) 1067 1068label=AUE_MODDEVPLCY 1069 syscall=modctl 1070 title=modctl: set device policy 1071 case=If unknown minor name/pattern 1072 format=arg1:arg2:arg3:arg4:arg5 1073 comment=2, "major", major number: 1074 comment=2, "lomin", low minor number, if known: 1075 comment=2, "himin", hi minor number, if known: 1076 comment=privileges required for reading: 1077 comment=privileges required for writing 1078 case=else 1079 format=arg1:text2:arg3:arg4 1080 comment=2, "major", major number: 1081 comment=minor name/pattern: 1082 comment=privileges required for reading: 1083 comment=privileges required for writing 1084 1085label=AUE_MODLOAD 1086 syscall=modctl 1087 title=modctl: load module 1088 format=[text]1:text2 1089 comment=default path: 1090 comment=filename path 1091 1092label=AUE_MODUNLOAD 1093 syscall=modctl 1094 title=modctl: unload module 1095 format=arg1 1096 comment=1, module ID, "id" 1097 1098label=AUE_MOUNT 1099 case=UNIX file system 1100 format=arg1:text2:path:[attr] 1101 comment=3, flags, "flags": 1102 comment=filesystem type 1103 case=NFS file system 1104 format=arg1:text2:text3:arg4:path:[attr] 1105 comment=3, flags, "flags": 1106 comment=filesystem type: 1107 comment=host name: 1108 comment=3, flags, "internal flags" 1109# unix example: 1110# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1111# argument,3,0x104,flags 1112# text,ufs 1113# path,/var2 1114# attribute,40755,root,root,32,12160,0 1115# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1116# attribute,60640,root,sys,32,231268,137438953476 1117# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1118# return,success,4290707268 1119# ^^^^^^^^^^ <- bugid 4333559 1120 1121label=AUE_MSGCTL 1122 format=arg1:[ipc]:[ipc_perm] 1123 comment=1, message ID, "msg ID" 1124 note=ipc_perm 1125# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1126 1127label=AUE_MSGCTL_RMID 1128 format=arg1:[ipc]:[ipc_perm] 1129 comment=1, message ID, "msg ID" 1130 note=ipc_perm 1131 
syscall=msgctl: IPC_RMID 1132# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1133 1134label=AUE_MSGCTL_SET 1135 format=arg1:[ipc]:[ipc_perm] 1136 comment=1, message ID, "msg ID" 1137 note=ipc_perm 1138 syscall=msgctl: IPC_SET 1139# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1140 1141label=AUE_MSGCTL_STAT 1142 format=arg1:[ipc]:[ipc_perm] 1143 comment=1, message ID, "msg ID" 1144 note=ipc_perm 1145 syscall=msgctl: IPC_STAT 1146# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1147 1148label=AUE_MSGGET 1149 format=arg1:ipc 1150 comment=1, message key, "msg key" 1151 note=ipc_perm 1152 syscall=msgget 1153 1154label=AUE_MSGGETL 1155 skip=Not used. 1156 1157label=AUE_MSGRCV 1158 format=arg1:[ipc]:[ipc_perm] 1159 comment=1, message ID, "msg ID" 1160 note=ipc_perm 1161 syscall=msgrcv 1162# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc 1163 1164label=AUE_MSGRCVL 1165 skip=Not used. 1166 1167label=AUE_MSGSND 1168 format=arg1:[ipc]:[ipc_perm] 1169 comment=1, message ID, "msg ID" 1170 note=ipc_perm 1171 syscall=msgsnd 1172# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc 1173 1174label=AUE_MSGSNDL 1175 skip=Not used. 1176 1177label=AUE_MSGSYS 1178skip=Not used. (Placeholder for AUE_MSG* events.) 1179 1180label=AUE_MUNMAP 1181 format=arg1:arg2 1182 comment=1, address of memory, "addr": 1183 comment=2, memory segment size, "len" 1184 1185label=AUE_NFS 1186 skip=Not used. 1187 1188label=AUE_NFSSVC_EXIT 1189 skip=Not used. 1190 1191label=AUE_NFS_GETFH 1192 skip=Not used. 1193 1194label=AUE_NFS_SVC 1195 skip=Not used. 1196 1197label=AUE_NICE 1198 format=kernel 1199 1200label=AUE_NULL 1201 skip=Not used. (placeholder) 1202# used internal to audit_event.c for minimal audit 1203 1204label=AUE_NTP_ADJTIME 1205 format=kernel 1206 1207label=AUE_ONESIDE 1208 skip=Not used. 1209 1210label=AUE_OPEN 1211 skip=Not used. (placeholder for AUE_OPEN_*). 
1212 1213label=AUE_OPEN_R 1214 format=path:[path_attr]:[attr] 1215 see=open(2) - read 1216 1217label=AUE_OPENAT_R 1218# obsolete 1219 format=path:[path_attr]:[attr] 1220 see=openat(2) 1221 1222label=AUE_OPEN_RC 1223 format=path:[path_attr]:[attr] 1224 see=open(2) - read,creat 1225 1226label=AUE_OPENAT_RC 1227# obsolete 1228 see=openat(2) 1229 format=path:[path_attr]:[attr] 1230 1231label=AUE_OPEN_RT 1232 format=path:[path_attr]:[attr] 1233 see=open(2) - read,trunc 1234 1235label=AUE_OPENAT_RT 1236# obsolete 1237 see=openat(2) 1238 format=path:[path_attr]:[attr] 1239 1240label=AUE_OPEN_RTC 1241 format=path:[path_attr]:[attr] 1242 see=open(2) - read,trunc,creat 1243 1244label=AUE_OPENAT_RTC 1245# obsolete 1246 see=openat(2) 1247 format=path:[path_attr]:[attr] 1248 1249label=AUE_OPEN_RW 1250 format=path:[path_attr]:[attr] 1251 see=open(2) - read,write 1252 1253label=AUE_OPENAT_RW 1254# obsolete 1255 see=openat(2) 1256 format=path:[path_attr]:[attr] 1257# aui_fsat(): fm & O_RDWR 1258 1259label=AUE_OPEN_RWC 1260 format=path:[path_attr]:[attr] 1261 see=open(2) - read,write,creat 1262 1263label=AUE_OPENAT_RWC 1264# obsolete 1265 see=openat(2) 1266 format=path:[path_attr]:[attr] 1267 1268label=AUE_OPEN_RWT 1269 format=path:[path_attr]:[attr] 1270 see=open(2) - read,write,trunc 1271 1272label=AUE_OPENAT_RWT 1273# obsolete 1274 see=openat(2) 1275 format=path:[path_attr]:[attr] 1276 1277label=AUE_OPEN_RWTC 1278 format=path:[path_attr]:[attr] 1279 see=open(2) - read,write,trunc,creat 1280 1281label=AUE_OPENAT_RWTC 1282# obsolete 1283 see=openat(2) 1284 format=path:[path_attr]:[attr] 1285 1286label=AUE_OPEN_W 1287 format=path:[path_attr]:[attr] 1288 see=open(2) - write 1289 1290label=AUE_OPENAT_W 1291 see=openat(2) 1292 format=path:[path_attr]:[attr] 1293 1294label=AUE_OPEN_WC 1295 format=path:[path_attr]:[attr] 1296 see=open(2) - write,creat 1297 1298label=AUE_OPENAT_WC 1299 see=openat(2) 1300 format=path:[path_attr]:[attr] 1301 1302label=AUE_OPEN_WT 1303 
format=path:[path_attr]:[attr] 1304 see=open(2) - write,trunc 1305 1306label=AUE_OPENAT_WT 1307 see=openat(2) 1308 format=path:[path_attr]:[attr] 1309 1310label=AUE_OPEN_WTC 1311 format=path:[path_attr]:[attr] 1312 see=open(2) - write,trunc,creat 1313 1314label=AUE_OPENAT_WTC 1315 see=openat(2) 1316 format=path:[path_attr]:[attr] 1317 1318label=AUE_OPEN_S 1319 format=path:[path_attr]:[attr] 1320 see=open(2) - search 1321 1322label=AUE_OPEN_E 1323 format=path:[path_attr]:[attr] 1324 see=open(2) - exec 1325 1326label=AUE_OSETPGRP 1327 skip=Not used. 1328 1329label=AUE_OSTAT 1330# obsolete 1331 skip=Not used. 1332 1333label=AUE_PATHCONF 1334 format=path:[attr] 1335 1336label=AUE_PIPE 1337format=kernel 1338# class is no, not usually printed 1339 1340label=AUE_PORTFS 1341 skip=Not used (placeholder for AUE_PORTFS_*). 1342 1343label=AUE_PORTFS 1344 skip=Not used (placeholder for AUE_PORTFS_*). 1345 1346label=AUE_PORTFS_ASSOCIATE 1347 syscall=portfs 1348 see=port_associate(3C) 1349 case=Port association via PORT_SOURCE_FILE 1350 format=[path]1:attr 1351 comment=name of the file/directory to be watched 1352 1353label=AUE_PORTFS_DISSOCIATE 1354 syscall=portfs 1355 see=port_dissociate(3C) 1356 case=Port disassociation via PORT_SOURCE_FILE 1357 format=kernel 1358 1359label=AUE_PRIOCNTLSYS 1360 syscall=priocntl 1361 see=priocntl(2) 1362 format=arg1:arg2 1363 comment=1, priocntl version number, "pc_version": 1364 comment=3, command, "cmd" 1365 1366label=AUE_PROCESSOR_BIND 1367 case=No LWP/thread bound to the processor 1368 format=arg1:arg2:text3:[proc] 1369 comment=1, type of ID, "ID type": 1370 comment=2, ID value, "ID": 1371 comment="PBIND_NONE" 1372 case=With processor bound 1373 format=arg1:arg2:arg3:[proc] 1374 comment=1, type of ID, "ID type": 1375 comment=2, ID value, "ID": 1376 comment=3, processor ID, "processor_id" 1377 1378label=AUE_PUTMSG 1379 see=putmsg(2) 1380 format=arg1:[path]:[attr]:arg2 1381 comment=1, file descriptor, "fd": 1382 comment=4, priority, "pri" 
1383 1384label=AUE_PUTPMSG 1385 see=putpmsg(2) 1386 format=arg1:[path]:[attr]:arg2:arg3 1387 comment=1, file descriptor, "fd": 1388 comment=4, priority, "pri": 1389 comment=5, flags, "flags" 1390 1391label=AUE_P_ONLINE 1392 format=arg1:arg2:text3 1393 comment=1, processor ID, "processor ID": 1394 comment=2, flags value, "flags": 1395 comment=text form of flags. Values: \ 1396 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS 1397 1398label=AUE_QUOTACTL 1399 skip=Not used. 1400 1401label=AUE_READ 1402 skip=Not used. (Placeholder for AUE_READ_* events) 1403 1404label=AUE_READL 1405 skip=Not used. (Obsolete) 1406 1407label=AUE_READLINK 1408 format=path:[attr] 1409 1410label=AUE_READV 1411 skip=Not used (obsolete) 1412# detritus from CMS 1413 1414label=AUE_READVL 1415 skip=Not used (obsolete) 1416# detritus from CMS 1417 1418label=AUE_REBOOT 1419 skip=Not used. 1420 1421label=AUE_RECV 1422 case=If address family is AF_INET or AF_INET6 1423 format=[arg]1:[inet] 1424 comment=1, file descriptor, "so" 1425 case=If address family is AF_UNIX and path is defined 1426 format=[path]1:[attr] 1427 comment=1, file descriptor, "so" 1428 case=If address family is AF_UNIX and path is NULL 1429 format=[path]1:[attr] 1430 comment=1, file descriptor, "no path: fd" 1431 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1432 format=[arg]1:[arg]2:[arg]3 1433 comment=1, file descriptor, "so": 1434 comment=1, family, "family": 1435 comment=1, type, "type" 1436# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) 1437 1438label=AUE_RECVFROM 1439 format=inet:arg1:[arg]2:inet3:arg4 1440 comment=3, message length, "len": 1441 comment=4, flags, "flags": 1442 comment=from address: 1443 comment=6, address length, "tolen" 1444 note=The socket token for a bad socket is reported as "argument 1445 note=token (1, socket descriptor, "fd")" 1446 1447label=AUE_RECVMSG 1448 case=If invalid file descriptor 1449 format=arg1:arg2 1450 comment=1, file descriptor, 
"so": 1451 comment=3, flags, "flags" 1452 case=If valid file descriptor and socket is AF_UNIX and no path 1453 format=arg1:[attr] 1454 comment=1, file descriptor, "no path: fd" 1455 case=If valid file descriptor and socket is AF_UNIX and path defined 1456 format=path:attr 1457 case=If valid file descriptor and socket is AF_INET or AF_INET6 1458 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM 1459 format=arg1:arg2:inet 1460 comment=1, file descriptor, "so": 1461 comment=2, flags, "flags" 1462 case=.. if socket type is unknown 1463 format=arg1:arg2:arg3:arg4 1464 comment=1, file descriptor, "so": 1465 comment=1, family, "family": 1466 comment=1, type, "type": 1467 comment=3, flags, "flags" 1468 1469label=AUE_RENAME 1470 format=path1:[attr]1:[path]2 1471 comment=from name: 1472 comment=to name 1473 1474label=AUE_RENAMEAT 1475# obsolete 1476 format=path1:[attr]1:[path]2 1477 comment=from name: 1478 comment=to name 1479 1480label=AUE_RFSSYS 1481 skip=Not used. 1482# apparently replaced 1483 1484label=AUE_RMDIR 1485 format=path:[attr] 1486 1487label=AUE_SEMCTL 1488 format=arg1:[ipc]:[ipc_perm] 1489 comment=1, semaphore ID, "sem ID" 1490 note=ipc_perm 1491# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1492 1493label=AUE_SEMCTL_GETALL 1494 format=arg1:[ipc]:[ipc_perm] 1495 comment=1, semaphore ID, "sem ID" 1496 note=ipc_perm 1497 syscall=semctl: GETALL 1498# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1499 1500label=AUE_SEMCTL_GETNCNT 1501 format=arg1:[ipc]:[ipc_perm] 1502 comment=1, semaphore ID, "sem ID" 1503 note=ipc_perm 1504 syscall=semctl: GETNCNT 1505# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1506 1507label=AUE_SEMCTL_GETPID 1508 format=arg1:[ipc]:[ipc_perm] 1509 comment=1, semaphore ID, "sem ID" 1510 note=ipc_perm 1511 syscall=semctl: GETPID 1512# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1513 1514label=AUE_SEMCTL_GETVAL 1515 format=arg1:[ipc]:[ipc_perm] 1516 comment=1, semaphore ID, "sem ID" 1517 
note=ipc_perm 1518 syscall=semctl: GETVAL 1519# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1520 1521label=AUE_SEMCTL_GETZCNT 1522 format=arg1:[ipc]:[ipc_perm] 1523 comment=1, semaphore ID, "sem ID" 1524 note=ipc_perm 1525 syscall=semctl: GETZCNT 1526# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1527 1528label=AUE_SEMCTL_RMID 1529 format=arg1:[ipc]:[ipc_perm] 1530 comment=1, semaphore ID, "sem ID" 1531 note=ipc_perm 1532 syscall=semctl: IPC_RMID 1533# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1534 1535label=AUE_SEMCTL_SET 1536 format=arg1:[ipc]:[ipc_perm] 1537 comment=1, semaphore ID, "sem ID" 1538 note=ipc_perm 1539 syscall=semctl: IPC_SET 1540# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1541 1542label=AUE_SEMCTL_SETALL 1543 format=arg1:[ipc]:[ipc_perm] 1544 comment=1, semaphore ID, "sem ID" 1545 note=ipc_perm 1546 syscall=semctl: SETALL 1547# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1548 1549label=AUE_SEMCTL_SETVAL 1550 format=arg1:[ipc]:[ipc_perm] 1551 comment=1, semaphore ID, "sem ID" 1552 note=ipc_perm 1553 syscall=semctl: SETVAL 1554# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1555 1556label=AUE_SEMCTL_STAT 1557 format=arg1:[ipc]:[ipc_perm] 1558 comment=1, semaphore ID, "sem ID" 1559 note=ipc_perm 1560 syscall=semctl: IPC_STAT 1561# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1562 1563label=AUE_SEMGET 1564 format=arg1:[ipc_perm]:ipc 1565 comment=1, semaphore key, "sem key" 1566 note=ipc_perm 1567 syscall=semget 1568# ipc_perm token: semget -> audit_ipcget 1569 1570label=AUE_SEMGETL 1571 skip=Not used. 1572 1573label=AUE_SEMOP 1574 format=arg1:[ipc]:[ipc_perm] 1575 comment=1, semaphore ID, "sem ID" 1576 note=ipc_perm 1577# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc 1578 1579label=AUE_SEMSYS 1580 skip=Not used.
(place holder) -- defaults to a semget variant 1581 1582label=AUE_SEND 1583 case=If address family is AF_INET or AF_INET6 1584 format=[arg]1:[inet] 1585 comment=1, file descriptor, "so" 1586 case=If address family is AF_UNIX and path is defined 1587 format=[path]1:[attr] 1588 comment=1, file descriptor, "so" 1589 case=If address family is AF_UNIX and path is NULL 1590 format=[path]1:[attr] 1591 comment=1, file descriptor, "no path: fd" 1592 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1593 format=[arg]1:[arg]2:[arg]3 1594 comment=1, file descriptor, "so": 1595 comment=1, family, "family": 1596 comment=1, type, "type" 1597# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) 1598 1599label=AUE_SENDMSG 1600 case=If invalid file descriptor 1601 format=arg1:arg2 1602 comment=1, file descriptor, "so": 1603 comment=3, flags, "flags" 1604 case=If valid file descriptor 1605 case=...and address family is AF_UNIX and path is defined 1606 format=path:attr 1607 case=...and address family is AF_UNIX and path is NULL 1608 format=path1:attr 1609 comment=1, file descriptor, "nopath: fd" 1610 case=...and address family is AF_INET or AF_INET6, \ 1611 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1612 format=arg1:arg2:inet 1613 comment=1, file descriptor, "so": 1614 comment=3, flags, "flags" 1615 case=...and unknown address family or address family AF_INET or AF_INET6 \ 1616 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1617 format=arg1:arg2:arg3:arg4 1618 comment=1, file descriptor, "so": 1619 comment=1, family, "family": 1620 comment=1, type, "type": 1621 comment=1, flags, "flags" 1622 1623label=AUE_SENDTO 1624 case=If invalid file descriptor 1625 format=arg1:arg2 1626 comment=1, file descriptor, "so": 1627 comment=3, flags, "flags" 1628 case=If valid file descriptor 1629 case=...and socket is AF_UNIX and path is defined 1630 format=path:attr 1631 case=...and address family is AF_UNIX and path is NULL 1632 format=path1:attr 1633 
comment=1, file descriptor, "nopath: fd" 1634 case=...and address family is AF_INET or AF_INET6 1635 format=arg1:arg2:inet 1636 comment=1, file descriptor, "so": 1637 comment=3, flags, "flags" 1638 case=...and unknown address family 1639 format=arg1:arg2:arg3:arg4 1640 comment=1, file descriptor, "so": 1641 comment=1, family, "family": 1642 comment=1, type, "type": 1643 comment=1, flags, "flags" 1644 1645label=AUE_SETAUDIT 1646 case=With a valid program stack address 1647 format=arg1:arg2:arg3:arg4:arg5:arg6 1648 comment=1, audit user ID, "setaudit:auid": 1649 comment=1, terminal ID, "setaudit:port": 1650 comment=1, terminal ID, "setaudit:machine": 1651 comment=1, preselection mask, "setaudit:as_success": 1652 comment=1, preselection mask, "setaudit:as_failure": 1653 comment=1, audit session ID, "setaudit:asid" 1654 case=With an invalid program stack address 1655 format=kernel 1656# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1657# argument,1,0x271a,setaudit:auid 1658# argument,1,0x3ff0201,setaudit:port 1659# argument,1,0x8192591e,setaudit:machine 1660# argument,1,0x400,setaudit:as_success 1661# argument,1,0x400,setaudit:as_failure 1662# argument,1,0x16f,setaudit:asid 1663# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1664# return,success,0 1665# trailer,215 1666# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1667# argument,1,0x271a,setaudit:auid 1668# argument,1,0x3ff0201,setaudit:port 1669# argument,1,0x8192591e,setaudit:machine 1670# argument,1,0x400,setaudit:as_success 1671# argument,1,0x400,setaudit:as_failure 1672# argument,1,0x16f,setaudit:asid 1673# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1674# return,success,0 1675# trailer,215 1676 1677label=AUE_SETAUDIT_ADDR 1678 case=With a valid program stack address 1679 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 1680 comment=1, audit user ID, "auid": 1681 comment=1, terminal ID, "port": 1682 comment=1, type, "type": 1683 
comment=1, terminal ID, "ip address": 1684 comment=1, preselection mask, "as_success": 1685 comment=1, preselection mask, "as_failure": 1686 comment=1, audit session ID, "asid" 1687 case=With an invalid program stack address 1688 format=kernel 1689# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1690# argument,1,0x15fa7,auid 1691# argument,1,0x0,port 1692# argument,1,0x4,type 1693# ip address,tmach2 1694# argument,1,0x9c00,as_success 1695# argument,1,0x9c00,as_failure 1696# argument,1,0x1f1,asid 1697# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1698# return,success,0 1699 1700label=AUE_SETAUID 1701 format=arg1 1702 comment=2, audit user ID, "setauid" 1703 1704label=AUE_SETDOMAINNAME 1705 skip=Not used. (See AUE_SYSINFO) 1706# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1707 1708label=AUE_SETEGID 1709 format=arg1 1710 comment=1, group ID, "gid" 1711 1712label=AUE_SETEUID 1713 format=arg1 1714 comment=1, user ID, "euid" 1715 1716label=AUE_SETGID 1717 format=arg1 1718 comment=1, group ID, "gid" 1719 1720label=AUE_SETGROUPS 1721 note=If more than NGROUPS_MAX_DEFAULT groups listed, 1722 note=no tokens are generated. 1723 case=If no groups in list 1724 format=[arg]1 1725 comment=1, 0, "setgroups" 1726 case=If 1 or more groups in list 1727 format=(1..n)arg1 1728 comment=1, gid, "setgroups" 1729 1730label=AUE_SETHOSTNAME 1731 skip=Not used. (See AUE_SYSINFO) 1732# See sysinfo call with command SI_SET_HOSTNAME 1733 1734label=AUE_SETKERNSTATE 1735 skip=Not used. 1736 1737label=AUE_SETPGID 1738 format=[proc]:[arg]1 1739 comment=2, pgid, "pgid" 1740 1741label=AUE_SETPGRP 1742 format=kernel 1743 1744label=AUE_SETPRIORITY 1745 skip=Not used. 
1746 1747label=AUE_SETPPRIV 1748 case=operation privileges off 1749 format=arg1:privset2 1750 comment=setppriv operation: 1751 comment=privileges actually switched off 1752 case=operation privileges on 1753 format=arg1:privset2 1754 comment=setppriv operation: 1755 comment=privileges actually switched on 1756 case=operation privileges set 1757 format=arg1:privset2:privset3 1758 comment=setppriv operation: 1759 comment=privileges before privset: 1760 comment=privileges after privset 1761#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1762#argument,2,0x2,op 1763#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1764#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1765#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1766#return,success,0 1767 1768label=AUE_SETREGID 1769 format=arg1:arg2 1770 comment=1, real group ID, "rgid": 1771 comment=2, effective group ID, "egid" 1772 1773label=AUE_SETREUID 1774 format=arg1:arg2 1775 comment=1, real user ID, "ruid": 1776 comment=2, effective user ID, "euid" 1777 1778label=AUE_SETRLIMIT 1779 format=kernel 1780# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1781# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1782# return,success,0 1783 1784label=AUE_SETSID 1785 format=kernel 1786 1787label=AUE_SETSOCKOPT 1788 case=Invalid file descriptor 1789 format=arg1:arg2 1790 comment=1, file descriptor, "so": 1791 comment=2, level, "level" 1792 case=Valid file descriptor 1793 case=...and socket is AF_UNIX 1794 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 1795 comment=if no path, will be argument: 1, "nopath: fd", \ 1796 file descriptor: 1797 comment=1, file descriptor, "so": 1798 comment=1, family, "family": 1799 comment=1, type, "type": 1800 comment=2, protocol level, "level": 1801 comment=3, option name, "optname": 1802 comment=5, option length, "optlen": 1803 comment=option data 1804 case=...and socket is AF_INET or AF_INET6
1805 format=arg1:arg2:arg3:[arg]4:[data]5:inet 1806 comment=1, file descriptor, "so": 1807 comment=2, protocol level, "level": 1808 comment=3, option name, "optname": 1809 comment=5, option length, "optlen": 1810 comment=option data 1811 case=...and socket address family is unknown 1812 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 1813 comment=1, file descriptor, "so": 1814 comment=1, family, "family": 1815 comment=1, type, "type": 1816 comment=2, protocol level, "level": 1817 comment=3, option name, "optname": 1818 comment=5, option length, "optlen": 1819 comment=option data 1820 1821label=AUE_SETTIMEOFDAY 1822 skip=Not used. 1823 1824label=AUE_SETUID 1825 syscall=setuid 1826 format=arg1 1827 comment=1, "uid" to be set 1828 1829label=AUE_SETUSERAUDIT 1830 skip=Not used. 1831 1832label=AUE_SHMAT 1833 format=arg1:arg2:[ipc]:[ipc_perm] 1834 comment=1, shared memory ID, "shm ID": 1835 comment=2, shared mem addr, "shm addr" 1836 note=ipc_perm 1837# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc 1838 1839label=AUE_SHMCTL 1840 format=arg1:[ipc]:[ipc_perm] 1841 comment=1, shared memory ID, "shm ID" 1842 note=ipc_perm 1843# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1844 1845label=AUE_SHMCTL_RMID 1846 format=arg1:[ipc]:[ipc_perm] 1847 comment=1, shared memory ID, "shm ID" 1848 note=ipc_perm 1849 syscall=shmctl: IPC_RMID 1850# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1851 1852label=AUE_SHMCTL_SET 1853 format=arg1:[ipc]:[ipc_perm] 1854 comment=1, shared memory ID, "shm ID" 1855 note=ipc_perm 1856 syscall=shmctl: IPC_SET 1857# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1858 1859label=AUE_SHMCTL_STAT 1860 format=arg1:[ipc]:[ipc_perm] 1861 comment=1, shared memory ID, "shm ID" 1862 note=ipc_perm 1863 syscall=shmctl: IPC_STAT 1864# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1865 1866label=AUE_SHMDT 1867 format=arg1 1868 comment=1, shared memory address, "shm adr" 1869 1870label=AUE_SHMGET 1871
format=arg1:[ipc_perm]:[ipc] 1872 comment=0, shared memory key, "shm key" 1873 note=ipc_perm 1874# ipc_perm: shmget -> audit_ipcget 1875 1876label=AUE_SHMGETL 1877 skip=Not used. 1878 1879label=AUE_SHMSYS 1880 skip=Not used. (Placeholder for shmget and shmctl*) 1881 1882label=AUE_SHUTDOWN 1883 case=If the socket address is invalid 1884 format=[arg]1:[text]2:[text]3 1885 comment=1, file descriptor, "fd": 1886 comment=bad socket address: 1887 comment=bad peer address 1888 case=If the socket address is part of the AF_INET family 1889 case=..with zero file descriptor 1890 format=arg1:[arg]2:[arg]3:[arg]4 1891 comment=1, file descriptor, "so": 1892 comment=1, family, "family": 1893 comment=1, type, "type": 1894 comment=2, how shutdown code, "how" 1895 case=...with non-zero file descriptor 1896 format=arg1:arg2:inet 1897 comment=1, file descriptor, "so": 1898 comment=2, how shutdown code, "how" 1899 case=If the socket address is AF_UNIX 1900 case=...with zero file descriptor 1901 format=path1:arg2:[arg]3:[arg]4:[arg]5 1902 comment=If error: argument: \ 1903 1, "no path: fd", file descriptor: 1904 comment=1, file descriptor, "so": 1905 comment=1, family, "family": 1906 comment=1, type, "type": 1907 comment=2, how shutdown code, "how" 1908 case=...with non-zero file descriptor 1909 format=path1:arg2:arg3:inet 1910 comment=If error: argument: \ 1911 1, file descriptor, "no path: fd": 1912 comment=1, file descriptor, "so": 1913 comment=2, how shutdown code, "how" 1914#old BSM manual wrong; used audit_event.c 1915 1916label=AUE_SOCKACCEPT 1917 syscall=getmsg: socket accept 1918 format=inet:arg1:[path]:attr:arg2 1919 comment=1, file descriptor, "fd": 1920 comment=4, priority, "pri" 1921# see putmsg and getmsg for record format 1922# See audit.c for inet token and audit_start.c for other reference 1923 1924label=AUE_SOCKCONFIG 1925 format=arg1:arg2:arg3:[path]4 1926 comment=1, domain address, "domain": 1927 comment=2, type, "type": 1928 comment=3, protocol, "protocol": 1929 
comment=If no path, argument: 3, 0, "devpath" 1930 1931label=AUE_SOCKCONNECT 1932 syscall=putmsg: socket connect 1933 format=inet:arg1:[path]:attr:arg2 1934 comment=1, file descriptor, "fd": 1935 comment=4, priority, "pri" 1936# same as AUE_SOCKACCEPT 1937 1938label=AUE_SOCKET 1939 format=arg1:[arg]2:arg3 1940 comment=1, socket domain, "domain": 1941 comment=2, socket type, "type": 1942 comment=3, socket protocol, "protocol" 1943 1944label=AUE_SOCKETPAIR 1945 skip=Not used. 1946# unreferenced 1947 1948label=AUE_SOCKRECEIVE 1949 syscall=getmsg 1950 format=inet:arg1:[path]:attr:arg2 1951 comment=1, file descriptor, "fd": 1952 comment=4, priority, "pri" 1953# see AUE_SOCKACCEPT 1954 1955label=AUE_SOCKSEND 1956 syscall=putmsg 1957 format=inet:arg1:[path]:attr:arg2 1958 comment=1, file descriptor, "fd": 1959 comment=4, priority, "pri" 1960# see AUE_SOCKACCEPT 1961 1962label=AUE_STAT 1963 format=path:[attr] 1964 1965label=AUE_STATFS 1966 format=path:[attr] 1967 1968label=AUE_STATVFS 1969 format=path:[attr] 1970 1971label=AUE_STIME 1972 format=kernel 1973 1974label=AUE_SWAPON 1975 skip=Not used. 1976 1977label=AUE_SYMLINK 1978 format=path:text1:[attr] 1979 comment=symbolic link string 1980 1981label=AUE_SYSINFO 1982 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands 1983 note=are currently audited. 1984 format=arg1:[text]2 1985 comment=1, command, "cmd": 1986 comment=name 1987 1988label=AUE_SYSTEMBOOT 1989 title=system booted 1990 syscall=none 1991 format=head:text1 1992 comment="booting kernel" 1993# see audit_start.c and audit_io.c 1994# no subject or return / exit token 1995# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec 1996# text,booting kernel 1997 1998label=AUE_TRUNCATE 1999 skip=Not used. 2000 2001label=AUE_UMOUNT 2002 syscall=umount: old version 2003 note=Implemented as a call to the newer umount2(2).
2004 format=path:arg1:[path]:[attr] 2005 comment=2, mflag value = 0, "flags" 2006 2007label=AUE_UMOUNT2 2008 syscall=umount2 2009 format=path:arg1:[path]:[attr] 2010 comment=2, mflag value, "flags" 2011 2012label=AUE_UNLINK 2013 format=path:[attr] 2014 2015label=AUE_UNLINKAT 2016# obsolete 2017 see=openat(2) 2018 format=path:[attr] 2019 2020label=AUE_UNMOUNT 2021 skip=Not used. 2022 2023label=AUE_UTIME 2024# obsolete 2025 format=path:[attr] 2026 2027label=AUE_UTIMES 2028 see=futimens(2) 2029 format=path:[attr] 2030 2031label=AUE_VFORK 2032 format=arg1 2033 comment=0, pid, "child PID" 2034 note=The vfork(2) return values are undefined because the audit record is 2035 note=produced at the point that the child process is spawned. 2036 2037label=AUE_VPIXSYS 2038 skip=Not used. 2039 2040label=AUE_VTRACE 2041 skip=Not used. 2042 2043label=AUE_WRITE 2044 format=path1:attr 2045 comment=if no path, argument -- 1, file descriptor, "no path: fd" 2046 note=An audit record is generated for write only once per file close. 2047 2048label=AUE_WRITEV 2049 skip=Not used. (obsolete) 2050 2051label=AUE_XMKNOD 2052# obsolete 2053 skip=Not used. 2054 2055label=AUE_XSTAT 2056# obsolete 2057 skip=Not used.
2058 2059label=AUE_PF_POLICY_ADDRULE 2060 title=Add IPsec policy rule 2061 see= 2062 syscall=none 2063 format=arg1:arg2:[zone]3:[text]4 2064 comment=Operation applied to active policy (1 is active, 0 is inactive): 2065 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2066 comment=affected zone: 2067 comment=Name of target tunnel 2068 2069label=AUE_PF_POLICY_DELRULE 2070 title=Delete IPsec policy rule 2071 see= 2072 syscall=none 2073 format=arg1:arg2:[zone]3:[text]4 2074 comment=Operation applied to active policy (1 is active, 0 is inactive): 2075 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2076 comment=affected zone: 2077 comment=Name of target tunnel 2078 2079label=AUE_PF_POLICY_CLONE 2080 title=Clone IPsec policy 2081 see= 2082 syscall=none 2083 format=arg1:arg2:[zone]3:[text]4 2084 comment=Operation applied to active policy (1 is active, 0 is inactive): 2085 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2086 comment=affected zone: 2087 comment=Name of target tunnel 2088 2089label=AUE_PF_POLICY_FLIP 2090 title=Flip IPsec policy 2091 see= 2092 syscall=none 2093 format=arg1:arg2:[zone]3:[text]4 2094 comment=Operation applied to active policy (1 is active, 0 is inactive): 2095 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2096 comment=affected zone: 2097 comment=Name of target tunnel 2098 2099label=AUE_PF_POLICY_FLUSH 2100 title=Flush IPsec policy rules 2101 see= 2102 syscall=none 2103 format=arg1:arg2:[zone]3:[text]4 2104 comment=Operation applied to active policy (1 is active, 0 is inactive): 2105 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2106 comment=affected zone: 2107 comment=Name of target tunnel 2108 2109label=AUE_PF_POLICY_ALGS 2110 title=Update IPsec algorithms 2111 see= 2112 syscall=none 2113 format=arg1:arg2:[zone]3:[text]4 2114 comment=Operation applied to active policy (1 is active, 0 is inactive): 2115 comment=Operation applied
to global policy (1 is global, 0 is tunnel): 2116 comment=affected zone: 2117 comment=Name of target tunnel 2118 2119label=AUE_allocate_fail 2120 program=/usr/sbin/allocate 2121 title=allocate: allocate-device failure 2122 format=(0..n)[text]1 2123 comment=command line arguments 2124# see audit_allocate.c 2125 2126label=AUE_allocate_succ 2127 program=/usr/sbin/allocate 2128 title=allocate: allocate-device success 2129 format=(0..n)[text]1 2130 comment=command line arguments 2131# see audit_allocate.c 2132 2133label=AUE_at_create 2134 program=/usr/bin/at 2135 title=at: at-create crontab 2136 format=path 2137 2138label=AUE_at_delete 2139 program=/usr/bin/at 2140 title=at: at-delete atjob (at or atrm) 2141 format=text1:path 2142 comment="ancillary file:" filename or "bad format of at-job name" 2143 2144label=AUE_at_perm 2145 skip=Not used. 2146# not referenced outside uevents.h 2147 2148label=AUE_create_user 2149 skip=Not used. 2150 2151label=AUE_cron_invoke 2152 program=/usr/sbin/cron 2153 title=cron: cron-invoke at or cron 2154 case=If issue with account find 2155 format=text1 2156 comment="bad user" name or "user <name> account expired" 2157 case=else 2158 format=text1:text2 2159 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \ 2160 or "unknown job type (<job_type_id>)": 2161 comment=command 2162 2163label=AUE_crontab_create 2164 program=/usr/bin/crontab 2165 title=crontab: crontab created 2166 format=path 2167# See audit_crontab.c 2168 2169label=AUE_crontab_delete 2170 program=/usr/bin/crontab 2171 title=crontab: crontab delete 2172 format=path 2173# See audit_crontab.c 2174 2175label=AUE_crontab_mod 2176 program=/usr/bin/crontab 2177 title=crontab: crontab modify 2178 format=path 2179# See audit_crontab.c 2180 2181label=AUE_crontab_perm 2182 skip=Not used. 
2183 2184label=AUE_deallocate_fail 2185 program=/usr/sbin/deallocate 2186 title=deallocate-device failure 2187 format=(0..n)[text]1 2188 comment=command line arguments 2189# See audit_allocate.c 2190 2191label=AUE_deallocate_succ 2192 program=/usr/sbin/deallocate 2193 title=deallocate-device success 2194 format=(0..n)[text]1 2195 comment=command line arguments 2196# See audit_allocate.c 2197 2198label=AUE_delete_user 2199 skip=Not used. 2200 2201label=AUE_disable_user 2202 skip=Not used. 2203 2204label=AUE_enable_user 2205 skip=Not used. 2206 2207label=AUE_ftpd 2208 program=/usr/sbin/in.ftpd 2209 title=in.ftpd 2210 format=[text]1 2211 comment=error message 2212# See audit_ftpd 2213 2214label=AUE_ftpd_logout 2215 program=/usr/sbin/in.ftpd 2216 title=in.ftpd 2217 format=user 2218# See audit_ftpd 2219 2220label=AUE_halt_solaris 2221 program=/usr/sbin/halt 2222 title=halt 2223 format=user 2224# See audit_halt.c 2225 2226label=AUE_kadmind_auth 2227 format=text1:text2:text3 2228 comment=Op: <requested information>: 2229 comment=Arg: <argument for Op>: 2230 comment=Client: <client principal name> 2231# See audit_kadmin.c / common_audit() 2232 2233label=AUE_kadmind_unauth 2234 format=text1:text2:text3 2235 comment=Op: <requested information>: 2236 comment=Arg: <argument for Op>: 2237 comment=Client: <client principal name> 2238# See audit_kadmin.c / common_audit() 2239 2240label=AUE_krb5kdc_as_req 2241 format=text1:text2 2242 comment=Client: <client principal name>: 2243 comment=Service: <requested service name> 2244# See audit_krb5kdc.c / common_audit() 2245 2246label=AUE_krb5kdc_tgs_req 2247 format=text1:text2 2248 comment=Client: <client principal name>: 2249 comment=Service: <requested service name> 2250# See audit_krb5kdc.c / common_audit() 2251 2252label=AUE_krb5kdc_tgs_req_alt_tgt 2253 format=text1:text2 2254 comment=Client: <client principal name>: 2255 comment=Service: <requested service name> 2256# See audit_krb5kdc.c / common_audit() 2257 
2258label=AUE_krb5kdc_tgs_req_2ndtktmm 2259 format=text1:text2 2260 comment=Client: <client principal name>: 2261 comment=Service: <requested service name> 2262# See audit_krb5kdc.c / common_audit() 2263 2264label=AUE_listdevice_fail 2265 title=allocate-list devices failure 2266 program=/usr/sbin/allocate 2267 format=(0..n)[text]1 2268 comment=command line arguments 2269# See audit_allocate.c 2270 2271label=AUE_listdevice_succ 2272 title=allocate-list devices success 2273 program=/usr/sbin/allocate 2274 format=(0..n)[text]1 2275 comment=command line arguments 2276# See audit_allocate.c 2277 2278label=AUE_modify_user 2279 skip=Not used. 2280 2281label=AUE_mountd_mount 2282 title=mountd: NFS mount 2283 program=/usr/lib/nfs/mountd 2284 see=mountd(1M) 2285 format=text1:path2 2286 comment=remote client hostname: 2287 comment=mount dir 2288# See audit_mountd.c 2289 2290label=AUE_mountd_umount 2291 title=mountd: NFS unmount 2292 program=/usr/lib/nfs/mountd 2293 format=text1:path2 2294 comment=remote client hostname: 2295 comment=mount dir 2296# See audit_mountd.c 2297 2298label=AUE_poweroff_solaris 2299 program=/usr/sbin/poweroff 2300 title=poweroff 2301 format=user 2302# See audit_halt.c 2303 2304label=AUE_reboot_solaris 2305 program=/usr/sbin/reboot 2306 title=reboot 2307 format=user 2308# See audit_reboot.c 2309# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec 2310# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2 2311# return,success,0 2312 2313label=AUE_rexd 2314 program=/usr/sbin/rpc.rexd 2315 title=rpc.rexd 2316 format=[text]1:text2:text3:[text]4:[text]5 2317 comment=error message (failure only): 2318 comment="Remote execution requested by:" hostname: 2319 comment="Username:" username: 2320 comment="User id:" user ID (failure only): 2321 comment="Command line:" command attempted 2322# See audit_rexd.c 2323 2324label=AUE_rexecd 2325 program=/usr/sbin/rpc.rexecd 2326 title=rpc.rexecd 2327 format=[text]1:text2:text3:text4 2328 comment=error 
message (failure only): 2329 comment="Remote execution requested by:" hostname: 2330 comment="Username:" username: 2331 comment="Command line:" command attempted 2332# See audit_rexecd.c 2333 2334label=AUE_rshd 2335 program=/usr/sbin/in.rshd 2336 title=in.rshd 2337 format=text1:text2:[text]3:[text]4 2338 comment="cmd" command: 2339 comment="remote user" remote user: 2340 comment="local user" local user: 2341 comment=failure message 2342# See audit_rshd.c 2343 2344label=AUE_shutdown_solaris 2345 title=shutdown 2346 program=/usr/ucb/shutdown 2347 format=user 2348# See audit_shutdown.c 2349 2350label=AUE_smserverd 2351 program=/usr/lib/smedia/rpc.smserverd 2352 format=[text]1:[text]2 2353 comment=state change: 2354 comment=vid, pid, major/minor device 2355# see usr/src/cmd/smserverd 2356# code shows a third token, path, but it isn't implemented. 2357 2358label=AUE_uadmin_solaris 2359 title=uadmin (obsolete) 2360 program= 2361 see= 2362 format=text1:text2 2363 comment=function code: 2364 comment=argument code 2365# not used. 
Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml 2366 2367label=AUE_LABELSYS_TNRH 2368 title=config Trusted Network remote host cache 2369 see=tnrh(2) 2370 syscall=labelsys: TSOL_TNRH 2371 case=With the flush command (cmd=3) 2372 format=arg1 2373 comment=1, command, "cmd" 2374 case=With the load (cmd=1) and delete (cmd=2) commands 2375 format=arg1:inaddr2:arg3 2376 comment=1, command, "cmd": 2377 comment=ip address of host: 2378 comment=2, prefix length, "prefix len" 2379 2380label=AUE_LABELSYS_TNRHTP 2381 title=config Trusted Network remote host template 2382 see=tnrhtp(2) 2383 syscall=labelsys: TSOL_TNRHTP 2384 case=With the flush command (cmd=3) 2385 format=arg1 2386 comment=1, command, "cmd" 2387 case=With the load (cmd=1) and delete (cmd=2) commands 2388 format=arg1:text2 2389 comment=1, command, "cmd": 2390 comment=name of template 2391 2392label=AUE_LABELSYS_TNMLP 2393 title=config Trusted Network multi-level port entry 2394 see=tnmlp(2) 2395 syscall=labelsys: TSOL_TNMLP 2396 case=With the flush command (cmd=3) 2397 format=arg1:text2 2398 comment=1, command, "cmd": 2399 comment="shared", or name of zone 2400 case=With the load (cmd=1) and delete (cmd=2) commands 2401 format=arg1:text2:arg3:arg4:[arg]5 2402 comment=1, command, "cmd": 2403 comment="shared", or name of zone: 2404 comment=2, protocol number, "proto num": 2405 comment=2, starting mlp port number, "mlp_port": 2406 comment=2, ending mlp port number, "mlp_port_upper" 2407