1# audit_record_attr.txt
2# Lines that begin with two "#" are comments that are copied to
3# audit_record_attr; other comments are removed.
4##
5## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6## Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
7## Copyright 2019 Joyent, Inc.
8##
9## CDDL HEADER START
10##
11## The contents of this file are subject to the terms of the
12## Common Development and Distribution License (the "License").
13## You may not use this file except in compliance with the License.
14##
15## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
16## or http://www.opensolaris.org/os/licensing.
17## See the License for the specific language governing permissions
18## and limitations under the License.
19##
20## When distributing Covered Code, include this CDDL HEADER in each
21## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
22## If applicable, add the following below this CDDL HEADER, with the
23## fields enclosed by brackets "[]" replaced with your own identifying
24## information: Portions Copyright [yyyy] [name of copyright owner]
25##
26## CDDL HEADER END
27##
28##
29
30# source file for describing audit records.
31
32# This file is in two sections.  The first is a list of attribute /
33# value pairs used to provide short cuts in annotating the audit
34# records.  The second is for annotation for each audit record.
35
36# first section: general attributes
37
38# skipClass=<class name of items to skip if only in that class>
39# skipClass=no    # uncomment to filter unused events
40
41# token name abbreviations
42# token=alias:fullname  -- short names for key tokens
43
44token=arg:argument
45token=attr:attribute
46token=acl:acl_entry
47token=cmd:command
48token=data:data
49token=exec_args:exec_arguments
50token=exec_env:exec_environment
51token=group:group
52token=inaddr:ip_addr
53token=inet:socket
54token=ipc:ipc
55token=ipc_perm:ipc_perm
56token=newgroup:newgroups
57token=path:path
58token=path_attr:attribute_path
59token=privset:privilege
60token=proc:process
61token=text:text
62token=tid:terminal_adr
63token=uauth:use_of_authorization
64token=upriv:use_of_privilege
65token=user:user_object
66token=zone:zonename
67token=fmri:service_instance
68token=label:mandatory_label
69
70token=head:header
71token=subj:subject
72token=ret:return
73token=exit:exit
74
75# note names -- certain notes show up repeatedly; collected here
76#
77# To keep lines shorter than 80 characters, the note names (message=)
78# can be split across multiple lines, with every line except the last
79# one ending in a backslash character.
80
81message=ipc_perm:The ipc and ipc_perm tokens are not included if \
82  the message ID is not valid.
83
84
85# basic record pattern ("insert" is where event-specific tokens
86# are listed.)
87
88kernel=head:insert:subj:[upriv]:ret
89user=head:subj:insert:ret
90
91# Second Section
92# Annotation Section
93#
94# Most audit records need annotation beyond what is provided by
95# the files audit_event and audit_class.  At a minimum, a record
96# is represented by a label and a format.
97#
98# label=record_id             like AUE_ACCEPT
99# format=token_alias
100#
101# there is no end line; a new label= ends the preceding definition
102# and starts the next.
103#
104# format values are a list of token names, separated by colons.  The
105# name is either one of the values described above (token=) or is
106# a value to be taken literally.  If a token name ends with a digit,
107# the digit is an index into an array of comments.  In the few cases
108# where there are no tokens (other than header, subject, return/exit),
109# use "format=kernel" or "format=user".
110#
111# comment is an array of strings separated by colons.  If comments
112# are listed on separate lines (recommended due to better
113# readability/sustainability of the file), the preceding comment
114# must end with a colon.  The array starts at 1. (If the comment
115# contains a colon, use "&colon;" without the quotes.)
116#
117# case is used to generate alternate descriptions for a given
118# record.
119#
120# Constraints on string length: any annotation of the primitives below
121# that is longer than specified is silently truncated to the defined
122# number of characters by auditrecord(8) at run time:
123#
124#     primitive <= max (non-truncated) string length
125#	case	<= unlimited; if necessary, text continues on a new line
126#	comment	<= unlimited; if necessary, text continues on a new line
127#	label	<= 43
128#	note	<= unlimited; if necessary, text continues on a new line
129#	program	<= 20
130#	see	<= 39
131#	syscall	<= 20
132#	title	<= 46
133#	token	<= 28 (full name)
134#
135# To keep lines shorter than 80 characters, the unlimited primitives can
136# be split across multiple lines, with every line except the last one
137# ending in a backslash character. The "format=" record attribute follows
138# the same rule.
139#
140#
141# AUE_ACCEPT illustrates the use of all the above.  Note that
142# case is not nested; ellipsis (...) is used to give the effect
143# of nesting.
144
145label=AUE_ACCEPT
146#accept(2) failure
147  case=Invalid socket file descriptor
148    format=arg1
149      comment=1, file descriptor, "so"
150#accept(2) non SOCK_STREAM socket
151  case=If the socket address is not part of the AF_INET family
152    format=arg1:arg2:arg3
153      comment=1, "so", file descriptor:
154      comment="family", so_family:
155      comment="type", so_type
156  case=If the socket address is part of the AF_INET family
157    case=...If there is no vnode for this file descriptor
158      format=[arg]1
159        comment=1, file descriptor, "Bad so"
160#accept(2) SOCK_STREAM socket-not bound
161    case=...or if the socket is not bound
162      format=[arg]1:[inet]2
163        comment=1, file descriptor, "so":
164        comment=local/foreign address (0.0.0.0)
165    case=...or if the socket address length = 0
166      format=[arg]1:[inet]2
167        comment=1, file descriptor, "so":
168        comment=local/foreign address (0.0.0.0)
169    case=...or for all other conditions
170      format=inet1:[inet]1
171        comment=socket address
172#accept(2) failure
173#	header
174#	au_to_arg32	"so",file descriptor
175#	subject
176#	return	<errno != 0>
177#
178#accept(2) non SOCK_STREAM socket
179#	header
180#	au_to_arg32	"so", file descriptor
181#	au_to_arg32	"family", so_family
182#	au_to_arg32	"type", so_type
183#	subject
184#	return success
185#
186#accept(2) SOCK_STREAM socket-not bound
187#	header
188#	au_to_arg32	"so", file descriptor
189#	au_to_socket_ex	local/foreign address (0.0.0.0)
190#	subject
191#	return success
192#
193#accept(2) SOCK_STREAM socket-bound
194#	header
195#	au_to_arg32	"so", file descriptor
196#	au_to_socket_ex
197#	subject
198#	return success
199
200
201
202label=AUE_ACCESS
# Annotation for access(2): a path token (comment 1) and a bracketed
# attribute token.  Comment 1 warns that the path may be truncated when the
# call fails, so a failed-access record may not carry the full object name.
# The third sample below (No such file or directory) has no attribute
# token; brackets presumably mark a token as optional -- confirm.
203  format=path1:[attr]
204    comment=may be truncated in failure case
205#	header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
206#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
207#	attribute,100777,41416,staff,8388608,402255,0
208#	subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
209#	return,success,0
210#	trailer,163
211#
212#	header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
213#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
214#	attribute,100000,root,other,8388608,402257,0
215#	subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
216#	return,failure: Permission denied,-1
217#	trailer,163
218#
219#	header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
220#	path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
221#	subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
222#	return,failure: No such file or directory,-1
223#	trailer,135
224
225label=AUE_ACCT
226  case=Zero path
227    format=arg1
228      comment=1, 0, "accounting off"
229  case=Non-zero path
230    format=path1:[attr]2
231      comment=may be truncated in failure case:
232      comment=omitted if failure
233
234label=AUE_ACLSET
235  syscall=acl
236  format=arg1:arg2:(0..n)[acl]3
237    comment=2, SETACL, "cmd":
238    comment=3, number of ACL entries, "nentries":
239    comment=Access Control List entries
240
241label=AUE_ADJTIME
242  format=kernel
243
244label=AUE_ASYNC_DAEMON
245  skip=Not used
246
247label=AUE_ASYNC_DAEMON_EXIT
248  skip=Not used
249
250label=AUE_AUDIT
251  skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)
252
253label=AUE_AUDITON
254  skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)
255
256label=AUE_AUDITON_GESTATE
257  skip=Not used
258
259label=AUE_AUDITON_GETAMASK
260  format=kernel
261  syscall=auditon: GETAMASK
262
263label=AUE_AUDITON_GETCAR
264  format=kernel
265  syscall=auditon: GETCAR
266#	header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
267#	subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
268#	return,success,0
269#	trailer,68
270
271label=AUE_AUDITON_GETCLASS
272  format=kernel
273  syscall=auditon: GETCLASS
274#	header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
275#	subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
276#	return,success,0
277#	trailer,68
278
279label=AUE_AUDITON_GETCOND
280  format=kernel
281  syscall=auditon: GETCOND
282#	header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
283#	subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
284#	return,success,0
285#	trailer,68
286
287label=AUE_AUDITON_GETCWD
288  format=kernel
289  syscall=auditon: GETCWD
290#	header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
291#	subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
292#	return,success,0
293#	trailer,68
294
295label=AUE_AUDITON_GETKMASK
296  format=kernel
297  syscall=auditon: GETKMASK
298#	header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
299#	subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
300#	return,success,0
301#	trailer,68
302
303label=AUE_AUDITON_GETSTAT
304  format=kernel
305  syscall=auditon: A_GETSTAT
306#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
307#	subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
308#	return,success,0
309#	trailer,68
310
311label=AUE_AUDITON_GPOLICY
312  format=kernel
313  syscall=auditon: GPOLICY
314#	header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
315#	subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
316#	return,success,0
317#	trailer,68
318
319label=AUE_AUDITON_GQCTRL
320  format=kernel
321  syscall=auditon: GQCTRL
322#	header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
323#	subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
324#	return,success,0
325#	trailer,68
326
327
328label=AUE_AUDITON_GTERMID
329  skip=Not used.
330
331label=AUE_AUDITON_SESTATE
332  skip=Not used.
333
334label=AUE_AUDITON_SETAMASK
335  format=[arg]1:[arg]2
336    comment=2, "setamask as_success", user default audit preselection mask:
337    comment=2, "setamask as_failure", user default audit preselection mask
338  syscall=auditon: SETAMASK
339
340label=AUE_AUDITON_SETCLASS
341  format=[arg]1:[arg]2
342    comment=2, "setclass&colon;ec_event", event number:
343    comment=3, "setclass&colon;ec_class", class mask
344  syscall=auditon: SETCLASS
345#	header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
346#	argument,2,0x0,setclass:ec_event
347#	argument,3,0x0,setclass:ec_class
348#	subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
349#	return,success,0
350#	trailer,120
351
352label=AUE_AUDITON_SETCOND
353  format=[arg]1
354    comment=3, "setcond", audit state
355  syscall=auditon: SETCOND
356
357label=AUE_AUDITON_SETKMASK
358  format=[arg]1:[arg]2
359    comment=2, "setkmask as_success", kernel non-attributable mask:
360    comment=2, "setkmask as_failure", kernel non-attributable mask
361  syscall=auditon: SETKMASK
362#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
363#	argument,2,0x0,setkmask:as_success
364#	argument,2,0x0,setkmask:as_failure
365#	subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
366#	return,success,0
367#	trailer,124
368#	header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
369#	argument,2,0x0,setkmask:as_success
370#	argument,2,0x0,setkmask:as_failure
371#	subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
372#	return,failure: Not owner,-1
373#	trailer,124
374
375label=AUE_AUDITON_SETSMASK
376  format=[arg]1:[arg]2
377    comment=3, "setsmask&colon;as_success", session ID mask:
378    comment=3, "setsmask&colon;as_failure", session ID mask
379  syscall=auditon: SETSMASK
380#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
381#	argument,3,0x400,setsmask:as_success
382#	argument,3,0x400,setsmask:as_failure
383#	subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
384#	return,success,0
385#	trailer,124
386#	header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
387#	argument,3,0x400,setsmask:as_success
388#	argument,3,0x400,setsmask:as_failure
389#	subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
390#	return,failure: Not owner,-1
391#	trailer,124
392
393label=AUE_AUDITON_SETSTAT
394  format=kernel
395  syscall=auditon: SETSTAT
396#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
397#	subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
398#	return,success,0
399#	trailer,68
400#	header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
401#	subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
402#	return,failure: Not owner,-1
403#	trailer,68
404
405label=AUE_AUDITON_SETUMASK
406  format=[arg]1:[arg]2
407    comment=3, "setumask&colon;as_success", audit ID mask:
408    comment=3, "setumask&colon;as_failure", audit ID mask
409  syscall=auditon: SETUMASK
410#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
411#	argument,3,0x400,setumask:as_success
412#	argument,3,0x400,setumask:as_failure
413#	subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
414#	return,success,0
415#	trailer,124
416#	header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
417#	argument,3,0x400,setumask:as_success
418#	argument,3,0x400,setumask:as_failure
419#	subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
420#	return,failure: Not owner,-1
421#	trailer,124
422
423label=AUE_AUDITON_SPOLICY
# Annotation for auditon(2) SPOLICY, which sets the audit policy flags; a
# single optional argument token carries the new flags.
# NOTE(review): the comment gives argument number 1, but both sample
# records below show "argument,3,0x200,setpolicy" -- the number here
# presumably should be 3; confirm against the kernel audit code.
424  format=[arg]1
425    comment=1, audit policy flags, "setpolicy"
426  syscall=auditon: SPOLICY
427#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
428#	argument,3,0x200,setpolicy
429#	subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
430#	return,success,0
431#	trailer,86
432#	header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
433#	argument,3,0x200,setpolicy
434#	subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
435#	return,failure: Not owner,-1
436#	trailer,86
437
438label=AUE_AUDITON_SQCTRL
439  format=[arg]1:[arg]2:[arg]3:[arg]4
440    comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
441    comment=3, "setqctrl&colon;aq_lowater", queue control param.:
442    comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
443    comment=3, "setqctrl&colon;aq_delay", queue control param.
444  syscall=auditon: SQCTRL
445#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
446#	argument,3,0x64,setqctrl:aq_hiwater
447#	argument,3,0xa,setqctrl:aq_lowater
448#	argument,3,0x400,setqctrl:aq_bufsz
449#	argument,3,0x14,setqctrl:aq_delay
450#	subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
451#	return,success,0
452#	trailer,176
453#	header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
454#	argument,3,0x64,setqctrl:aq_hiwater
455#	argument,3,0xa,setqctrl:aq_lowater
456#	argument,3,0x400,setqctrl:aq_bufsz
457#	argument,3,0x14,setqctrl:aq_delay
458#	subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
459#	return,failure: Not owner,-1
460#	trailer,176
461
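462label=AUE_AUDITON_SETPMASK
# Annotation for auditon(2) SETPMASK (per-process preselection mask).
# Each comment that is followed by another must end with a colon, so the
# first comment is terminated here to keep the three entries separate.
# NOTE(review): three comments are defined but format references only
# indexes 1 and 2, so the as_failure comment is never shown; format may
# need a third [arg] token -- confirm against the kernel audit code.
463  format=[arg]1:[arg]2
464    comment=3, "setpmask&colon;pid", process:
465    comment=3, "setpmask&colon;as_success", audit ID mask:
466    comment=3, "setpmask&colon;as_failure", audit ID mask
467  syscall=auditon: SETPMASK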
468
469label=AUE_AUDITON_SETKAUDIT
470  format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
471    comment=1, audit user ID, "auid":
472    comment=1, terminal ID, "port":
473    comment=1, type, "type":
474    comment=1, terminal ID, "ip address":
475    comment=1, preselection mask, "as_success":
476    comment=1, preselection mask, "as_failure":
477    comment=1, audit session ID, "asid"
478  syscall=auditon: SETKAUDIT
479
480label=AUE_AUDITON_GETPINFO
481  format=kernel
482  syscall=auditon: GETPINFO
483
484label=AUE_AUDITON_GETKAUDIT
485  format=kernel
486  syscall=auditon: GETKAUDIT
487
488label=AUE_AUDITON_OTHER
489  format=kernel
490  syscall=auditon: OTHER
491
492label=AUE_AUDITON_STERMID
493  skip=Not used.
494
495label=AUE_AUDITSTAT
496  skip=Not used.
497
498label=AUE_AUDITSVC
499  skip=Not used.
500
501label=AUE_AUDITSYS
502  skip=Not used. (Place holder for various auditing events.)
503
504label=AUE_BIND
505# differs from documented version.
506# cases "no vnode" not fully confirmed
507# family and type need argument number
508  case=Invalid socket handle
509    format=arg1
510      comment=1, file descriptor, "so"
511  case=If there is no vnode for this file descriptor
512  case=or if the socket is not of the AF_INET family
513    format=arg1:arg2:arg3
514      comment=1, file descriptor, "so":
515      comment=1, socket family, "family":
516      comment=1, socket type, "type"
517  case=or for all other conditions
518    format=arg1:inet2
519      comment=1, file descriptor, "so":
520      comment=socket address
521
522label=AUE_BRANDSYS
523# generic mechanism to allow user-space and kernel components of a brand
524# to communicate.  The interpretation of the arguments to the call is
525# left entirely up to the brand.
526  format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
527    comment=1, command, "cmd":
528    comment=2, command args, "arg":
529    comment=3, command args, "arg":
530    comment=4, command args, "arg":
531    comment=5, command args, "arg":
532    comment=6, command args, "arg":
533    comment=7, command args, "arg"
534
535label=AUE_BSMSYS
536  skip=Not used.
537
538label=AUE_CHDIR
539  format=path:[attr]
540#	header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
541#	path,/export/home/CC_final/icenine/arv/chdir/obj_succ
542#	attribute,40777,root,other,8388608,231558,0
543#	subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
544#	return,success,0
545#	trailer,151
546#	header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
547#	path,/export/home/CC_final/icenine/arv/chdir/obj_fail
548#	attribute,40000,root,other,8388608,237646,0
549#	subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
550#	return,failure: Permission denied,-1
551#	trailer,151
552
553label=AUE_CHMOD
554  format=arg1:path:[attr]
555    comment=2, mode, "new file mode"
556#	header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
557#	argument,2,0x1f8,new file mode
558#	path,/export/home/CC_final/icenine/arv/chmod/obj_succ
559#	attribute,100770,tuser10,other,8388608,243608,0
560#	subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
561#	return,success,0
562#	trailer,173
563#	header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
564#	argument,2,0x1f8,new file mode
565#	path,/export/home/CC_final/icenine/arv/chmod/obj_fail
566#	attribute,100600,root,other,8388608,243609,0
567#	subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
568#	return,failure: Not owner,-1
569#	trailer,173
570
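571label=AUE_CHOWN
# Annotation for chown(2): the new uid and gid arguments, then the path and
# attribute tokens of the object whose ownership is changed.  The path and
# attribute tokens are listed because both sample records below carry them
# (same layout as AUE_CHMOD, format=arg1:path:[attr]).
# NOTE(review): [attr] is bracketed by analogy with AUE_CHMOD -- confirm.
572  format=arg1:arg2:path:[attr]
573    comment=2, uid, "new file uid":
574    comment=3, gid, "new file gid"
575#	header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
576#	argument,2,0x271a,new file uid
577#	argument,3,0xffffffff,new file gid
578#	path,/export/home/CC_final/icenine/arv/chown/obj_succ
579#	attribute,100644,tuser10,other,8388608,268406,0
580#	subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
581#	return,success,0
582#	trailer,193
583#	header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
584#	argument,2,0x271a,new file uid
585#	argument,3,0xffffffff,new file gid
586#	path,/export/home/CC_final/icenine/arv/chown/obj_fail
587#	attribute,100644,root,other,8388608,268407,0
588#	subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
589#	return,failure: Not owner,-1
590#	trailer,193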
591
592label=AUE_CHROOT
593  format=path:[attr]
594#	header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
595#	path,/
596#	attribute,40755,root,root,8388608,2,0
597#	subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
598#	return,success,0
599#	trailer,104
600#	header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
601#	path,/export/home/CC_final/icenine/arv/chroot/obj_fail
602#	attribute,40777,tuser10,other,8388608,335110,0
603#	subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
604#	return,failure: Not owner,-1
605#	trailer,152
606
607label=AUE_CLOCK_SETTIME
608  format=kernel
609
610label=AUE_CLOSE
611  format=arg1:[path]:[attr]
612    comment=1, file descriptor, "fd"
613
614label=AUE_CONFIGKSSL
615  case=Adding KSSL entry.
616    format=text1:inaddr2:text3:text4
617      comment=opcode, KSSL_ADD_ENTRY:
618      comment=local IP address:
619      comment=SSL port number:
620      comment=proxy port number
621  case=Deleting KSSL entry.
622    format=text1:inaddr2:text3
623      comment=opcode, KSSL_DELETE_ENTRY:
624      comment=local IP address:
625      comment=SSL port number
626
627label=AUE_CONNECT
628# cases "no vnode" not fully confirmed
629  case=If there is no vnode for this file descriptor
630  case=If the socket address is not part of the AF_INET family
631    format=arg1:arg2:arg3
632      comment=1, file descriptor, "so":
633      comment=1, socket family, "family":
634      comment=1, socket type, "type"
635  case=If the socket address is part of the AF_INET family
636    format=arg1:inet2
637      comment=1, file descriptor, "so":
638      comment=socket address
639
640label=AUE_CORE
641  syscall=none
642  title=process dumped core
643  see=none
644  format=path:[attr]:arg1
645    comment=1, signal, "signal"
646# see uts/common/c2/audit.c
647
648label=AUE_CREAT
649# obsolete - see open(2)
650  format=path:[attr]
651# does not match old BSM manual
652#	header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
653#	path,/export/home/CC_final/icenine/arv/creat/obj_succ
654#	attribute,100644,tuser10,other,8388608,49679,0
655#	subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
656#	return,success,8
657#	trailer,151
658#	header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
659#	path,/devices/pseudo/mm@0:null
660#	subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
661#	return,success,8
662#	trailer,107
663#	header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
664#	path,/obj_fail
665#	subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
666#	return,failure: Permission denied,-1
667#	trailer,83
668
669label=AUE_CRYPTOADM
670  title=kernel cryptographic framework
671  format=text1:(0..n)[text]2
672  comment=cryptoadm command/operation:
673  comment=mechanism list
674
675label=AUE_DOORFS
676  skip=Not used.  (Place holder for set of door audit events.)
677
678label=AUE_DOORFS_DOOR_BIND
679  skip=Not used.
680  syscall=doorfs:  DOOR_BIND
681
682label=AUE_DOORFS_DOOR_CALL
683  format=arg1:proc2
684    comment=1, door ID, "door ID":
685    comment=for process that owns the door
686  syscall=doorfs:  DOOR_CALL
687
688label=AUE_DOORFS_DOOR_CREATE
689  format=arg1
690    comment=1, door attributes, "door attr"
691  syscall=doorfs:  DOOR_CREATE
692
693label=AUE_DOORFS_DOOR_CRED
694  skip=Not used.
695  syscall=doorfs:  DOOR_CRED
696
697label=AUE_DOORFS_DOOR_INFO
698  skip=Not used.
699  syscall=doorfs:  DOOR_INFO
700
701label=AUE_DOORFS_DOOR_RETURN
702  format=kernel
703  syscall=doorfs:  DOOR_RETURN
704
705label=AUE_DOORFS_DOOR_REVOKE
706  format=arg1
707    comment=1, door ID, "door ID"
708  syscall=doorfs:  DOOR_REVOKE
709
710label=AUE_DOORFS_DOOR_UNBIND
711  skip=Not used.
712  syscall=doorfs:  DOOR_UNBIND
713
714label=AUE_DUP2
715skip=Not used.
716
717label=AUE_ENTERPROM
718  title=enter prom
719  syscall=none
720  format=head:text1:ret
721    comment="kmdb"
722#	header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
723#	text,kmdb
724#	return,success,0
725
726label=AUE_EXEC
727# obsolete - see execve(2)
728  format=path:[attr]1:[exec_args]2:[exec_env]3
729    comment=omitted on error:
730    comment=output if argv policy is set:
731    comment=output if arge policy is set
732
733label=AUE_EXECVE
# Annotation for execve(2).  Per the comments below, the attribute token is
# omitted when the call fails, and the exec_args / exec_env tokens are
# written only when the argv / arge audit policies are set.  Reviewing
# command lines or environments from these records therefore depends on
# those policies being enabled.
# NOTE(review): the first sample record below is a creat(2) record, not an
# execve(2) record -- presumably captured alongside the failing execve.
734  format=path:[attr]1:[exec_args]2:[exec_env]3
735    comment=omitted on error:
736    comment=output if argv policy is set:
737    comment=output if arge policy is set
738#	header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
739#	path,/devices/pseudo/mm@0:null
740#	subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
741#	return,success,8
742#	trailer,107
743#	header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
744#	path,/usr/bin/pig
745#	subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
746#	return,failure: No such file or directory,-1
747#	trailer,86
748
749label=AUE_PFEXEC
# Annotation for the pfexec event: executable path, working directory,
# two privilege tokens, a process token, exec arguments and environment.
# Per the comments below, the privilege tokens are written only when the
# limit or inheritable set changes and the process token only when ruid,
# euid, rgid or egid changes; exec_env only when the arge policy is set.
# NOTE(review): "privileges" is not one of the token= aliases declared at
# the top of this file (the alias is privset), so it is taken literally --
# confirm that is intended.
750  format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
751    comment=pathname of the executable:
752    comment=pathname of working directory:
753    comment=privileges if the limit or inheritable set are changed:
754    comment=process if ruid, euid, rgid or egid is changed:
755    comment=output if arge policy is set
756
757label=AUE_sudo
758  format=exec_args1:[text]2
759    comment=command args:
760    comment=error message (failure only)
761
762label=AUE_EXIT
763  format=arg1:[text]2
764    comment=1, exit status, "exit status":
765    comment=event aborted
766
767label=AUE_EXITPROM
768  title=exit prom
769  syscall=none
770  format=head:text1:ret
771    comment="kmdb"
772#	header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
773#	text,kmdb
774#	return,success,0
775
776label=AUE_EXPORTFS
777  skip=Not used.
778
779label=AUE_FACCESSAT
780# obsolete
781  see=access(2)
782  format=path:[attr]
783
784label=AUE_FACLSET
785  syscall=facl
786  case=Invalid file descriptor
787    format=arg1:arg2
788      comment=2, SETACL, "cmd":
789      comment=3, number of ACL entries, "nentries"
790  case=Zero path
791    format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
792      comment=2, SETACL, "cmd":
793      comment=3, number of ACL entries, "nentries":
794      comment=1, file descriptor, "no path&colon; fd":
795      comment=ACLs
796  case=Non-zero path
797    format=arg1:arg2:path:[attr]:(0..n)[acl]3
798      comment=2, SETACL, "cmd":
799      comment=3, number of ACL entries, "nentries":
800      comment=ACLs
801
802label=AUE_FCHDIR
803  format=[path]:[attr]
804#	header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
805#	path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
806#	attribute,40777,tuser10,other,8388608,207662,0
807#	subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
808#	return,success,0
809#	trailer,150
810#	header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
811#	subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
812#	return,failure: Permission denied,-1
813#	trailer,68
814
815label=AUE_FCHMOD
816  case=With a valid file descriptor and path
817    format=arg1:path:[attr]
818      comment=2, mode, "new file mode"
819  case=With a valid file descriptor and invalid path
820    format=arg1:[arg]2:[attr]
821      comment=2, mode, "new file mode":
822      comment=1, file descriptor, "no path&colon; fd"
823  case=With an invalid file descriptor
824    format=arg1
825      comment=2, mode, "new file mode"
826#	header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
827#	argument,2,0x1a4,new file mode
828#	path,/export/home/CC/icenine/arv/fchmod/obj_succ
829#	attribute,100644,tuser10,other,7602240,26092,0
830#	subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
831#	return,success,0
832#	trailer,168
833#	header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
834#	argument,2,0x1a4,new file mode
835#	subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
836#	return,failure: Bad file number,-1
837#	trailer,90
838#	header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
839#	argument,2,0x1a4,new file mode
840#	path,/export/home/CC/icenine/arv/fchmod/obj_fail
841#	attribute,100644,root,other,7602240,26093,0
842#	subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
843#	return,failure: Not owner,-1
844#	trailer,168
845
846label=AUE_FCHOWN
# Annotation for fchown(2): the new uid and gid arguments, followed by the
# path and attribute tokens for a valid descriptor, or by an argument token
# holding the descriptor number when it is invalid.
# NOTE(review): the descriptor text here is "no path fd", while AUE_FACLSET
# and AUE_FCHMOD write "no path&colon; fd"; AUE_FCNTL and AUE_FSTATFS use
# the same unpunctuated form -- confirm which text the kernel emits.
847  case=With a valid file descriptor
848    format=arg1:arg2:[path]:[attr]
849      comment=2, uid, "new file uid":
850      comment=3, gid, "new file gid"
851  case=With an invalid file descriptor
852    format=arg1:arg2:[arg]3:[attr]
853       comment=2, uid, "new file uid":
854       comment=3, gid, "new file gid":
855       comment=1, file descriptor, "no path fd"
856
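857label=AUE_FCHOWNAT
858# obsolete
# Two cases: a path was supplied (path and optional attribute tokens), or
# the path was NULL and only the basic kernel record pattern is written.
# The second case text reads "a file path" (corrected from "an file path").
# NOTE(review): see= points at openat(2) rather than a chown page --
# confirm that this cross-reference is intended.
859  see=openat(2)
860  case=With a valid absolute/relative file path
861    format=path:[attr]
862  case=With a file path eq. NULL and valid file descriptor
863    format=kernel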
864
865label=AUE_FCHROOT
866  format=[path]:[attr]
867# fchroot -> chdirec -> audit_chdirec
868
869label=AUE_FCNTL
870  case=With a valid file descriptor
871    format=arg1:[arg]2:path:attr
872      comment=2, command, "cmd":
873      comment=3, flags, "flags"
874  case=With an invalid file descriptor
875    format=arg1:[arg]2:arg3
876      comment=2, command, "cmd":
877      comment=3, flags, "flags":
878      comment=1, file descriptor, "no path fd"
879  note=Flags are included only when cmd is F_SETFL.
880
881label=AUE_FLOCK
882  skip=Not used.
883
884label=AUE_FORKALL
885  format=[arg]1
886    comment=0, pid, "child PID"
887  note=The forkall(2) return values are undefined because the audit record
888  note=is produced at the point that the child process is spawned.
889# see audit.c
890
891label=AUE_FORK1
892  format=[arg]1
893    comment=0, pid, "child PID"
894  note=The fork1(2) return values are undefined because the audit record
895  note=is produced at the point that the child process is spawned.
896# see audit.c
897
898label=AUE_FSAT
899# obsolete
900  skip=Not used.  (Placeholder for AUE_*AT records)
901
902label=AUE_FSTAT
903  skip=Not used.
904
905label=AUE_FSTATAT
906# obsolete
907  format=path:[attr]
908
909label=AUE_FSTATFS
910  case=With a valid file descriptor
911    format=[path]:[attr]
912  case=With an invalid file descriptor
913    format=arg1
914      comment=1, file descriptor, "no path fd"
915
916label=AUE_FTRUNCATE
917  skip=Not used.
918
919label=AUE_FUSERS
920  syscall=utssys: UTS_FUSERS
921  format=path:attr
922
923label=AUE_FUTIMESAT
924# obsolete
925  format=[path]:[attr]
926
927label=AUE_GETAUDIT
928  format=kernel
929#	header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
930#	subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
931#	return,success,0
932#	trailer,68
933#	header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
934#	subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
935#	return,success,0
936#	trailer,68
937
938label=AUE_GETAUDIT_ADDR
939  format=kernel
940#	header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
941#	subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
942#	return,success,0
943
944label=AUE_GETAUID
945  format=kernel
946#	header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
947#	subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
948#	return,success,0
949#	trailer,68
950#	header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
951#	subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
952#	return,failure: Not owner,-1
953#	trailer,68
954
955label=AUE_GETDENTS
956  skip=Not used.
957#Not security relevant
958
959label=AUE_GETKERNSTATE
960  skip=Not used.
961
962label=AUE_GETMSG
963  case=With a valid file descriptor
964  format=arg1:[path]:attr:arg2
965    comment=1, file descriptor, "fd":
966    comment=4, priority, "pri"
967  case=With an invalid file descriptor
968  format=arg1:arg2
969    comment=1, file descriptor, "fd":
970    comment=4, priority, "pri"
971
972label=AUE_GETPMSG
973  case=With a valid file descriptor
974  format=arg1:[path]:attr
975    comment=1, file descriptor, "fd"
976  case=With an invalid file descriptor
977  format=arg1
978    comment=1, file descriptor, "fd"
979
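980label=AUE_GETPORTAUDIT
# Unused event.  "Not used." is a skip reason, not a token list, so it is
# given with skip= like the other unused events (e.g. AUE_GETUSERAUDIT).
981  skip=Not used.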
982
983label=AUE_GETUSERAUDIT
984  skip=Not used.
985
986label=AUE_INST_SYNC
987  format=arg1
988    comment=2, flags value, "flags"
989
990label=AUE_IOCTL
991  case=With an invalid file descriptor
992    format=arg1:arg2:arg3
993      comment=1, file descriptor, "fd":
994      comment=2, command, "cmd":
995      comment=3, arg, "arg"
996  case=With a valid file descriptor
997    format=path:[attr]:arg1:arg2
998      comment=2, ioctl cmd, "cmd":
999      comment=3, ioctl arg, "arg"
1000  case=Non-file file descriptor
1001    format=arg1:arg2:arg3
1002      comment=1, file descriptor, "fd":
1003      comment=2, ioctl cmd, "cmd":
1004      comment=3, ioctl arg, "arg"
1005  case=Bad file name
1006    format=arg1:arg2:arg3
1007      comment=1, file descriptor, "no path&colon; fd":
1008      comment=2, ioctl cmd, "cmd":
1009      comment=3, ioctl arg, "arg"
1010# old BSM manual misses a case
1011
1012label=AUE_JUNK
1013  skip=Not used.
1014
1015label=AUE_KILL
1016  case=Valid process
1017    format=arg1:[proc]
1018      comment=2, signo, "signal"
1019  case=Zero or negative process
1020    format=arg1:arg2
1021      comment=2, signo, "signal":
1022      comment=1, pid, "process"
1023
1024label=AUE_KILLPG
1025  skip=Not used.
1026
1027label=AUE_LCHOWN
1028  format=arg1:arg2:path:[attr]
1029    comment=2, uid, "new file uid":
1030    comment=3, gid, "new file gid"
1031
1032label=AUE_LINK
1033  format=path1:[attr]:path2
1034     comment=from path:
1035     comment=to path
1036
1037label=AUE_LSEEK
1038  skip=Not used.
1039
1040label=AUE_LSTAT
1041  format=path:[attr]
1042
1043label=AUE_LXSTAT
1044# obsolete
1045  skip=Not used.
1046
1047label=AUE_MCTL
1048  skip=Not used.
1049
1050label=AUE_MEMCNTL
1051  format=arg1:arg2:arg3:arg4:arg5:arg6
1052    comment=1, base address, "base":
1053    comment=2, length, "len":
1054    comment=3, command, "cmd":
1055    comment=4, command args, "arg":
1056    comment=5, command attributes, "attr":
1057    comment=6, 0, "mask"
1058
1059label=AUE_MKDIR
1060  format=arg1:path:[attr]
1061    comment=2, mode, "mode"
1062
1063label=AUE_MKNOD
1064  format=arg1:arg2:path:[attr]
1065    comment=2, mode, "mode":
1066    comment=3, dev, "dev"
1067
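1068label=AUE_MMAP
# AUE_MMAP record layout.  Argument 2 carries the "len" label, so it is
# described as the segment length rather than a second segment address.
1069  case=With a valid file descriptor
1070    format=arg1:arg2:[path]3:[attr]
1071      comment=1, segment address, "addr":
1072      comment=2, segment length, "len":
1073      comment=if no path, then argument&colon; \
1074        1, "nopath&colon; fd", file descriptor
1075  case=With an invalid file descriptor
1076    format=arg1:arg2:arg3
1077      comment=1, segment address, "addr":
1078      comment=2, segment length, "len":
1079      comment=1, file descriptor, "no path&colon; fd"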
1080
1081label=AUE_MODADDMAJ
1082  title=modctl: bind module
1083  syscall=modctl
1084  format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1085    comment=driver major number:
1086    comment=driver name:
1087    comment=driver major number or "no drvname":
1088    comment=5, number of aliases, "":
1089    comment=aliases
1090
1091label=AUE_MODADDPRIV
1092  format=kernel
1093
1094label=AUE_MODCONFIG
1095  skip=Not used.
1096
1097label=AUE_MODCTL
1098  skip=Not used. (placeholder)
1099
1100label=AUE_MODDEVPLCY
1101  syscall=modctl
1102  title=modctl: set device policy
1103  case=If unknown minor name/pattern
1104    format=arg1:arg2:arg3:arg4:arg5
1105      comment=2, "major", major number:
1106      comment=2, "lomin", low minor number, if known:
1107      comment=2, "himin", hi minor number, if known:
1108      comment=privileges required for reading:
1109      comment=privileges required for writing
1110  case=else
1111    format=arg1:text2:arg3:arg4
1112      comment=2, "major", major number:
1113      comment=minor name/pattern:
1114      comment=privileges required for reading:
1115      comment=privileges required for writing
1116
1117label=AUE_MODLOAD
1118  syscall=modctl
1119  title=modctl: load module
1120  format=[text]1:text2
1121    comment=default path:
1122    comment=filename path
1123
1124label=AUE_MODUNLOAD
1125  syscall=modctl
1126  title=modctl: unload module
1127  format=arg1
1128    comment=1, module ID, "id"
1129
1130label=AUE_MOUNT
1131  case=UNIX file system
1132    format=arg1:text2:path:[attr]
1133      comment=3, flags, "flags":
1134      comment=filesystem type
1135  case=NFS file system
1136    format=arg1:text2:text3:arg4:path:[attr]
1137      comment=3, flags, "flags":
1138      comment=filesystem type:
1139      comment=host name:
1140      comment=3, flags, "internal flags"
1141# unix example:
1142#	header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1143#	argument,3,0x104,flags
1144#	text,ufs
1145#	path,/var2
1146#	attribute,40755,root,root,32,12160,0
1147#	path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1148#	attribute,60640,root,sys,32,231268,137438953476
1149#	subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1150#	return,success,4290707268
1151#		       ^^^^^^^^^^         <- bugid 4333559
1152
1153label=AUE_MSGCTL
1154  format=arg1:[ipc]:[ipc_perm]
1155    comment=1, message ID, "msg ID"
1156  note=ipc_perm
1157# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1158
1159label=AUE_MSGCTL_RMID
1160  format=arg1:[ipc]:[ipc_perm]
1161    comment=1, message ID, "msg ID"
1162  note=ipc_perm
1163  syscall=msgctl: IPC_RMID
1164# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1165
1166label=AUE_MSGCTL_SET
1167  format=arg1:[ipc]:[ipc_perm]
1168    comment=1, message ID, "msg ID"
1169  note=ipc_perm
1170  syscall=msgctl: IPC_SET
1171# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1172
1173label=AUE_MSGCTL_STAT
1174  format=arg1:[ipc]:[ipc_perm]
1175    comment=1, message ID, "msg ID"
1176  note=ipc_perm
1177  syscall=msgctl: IPC_STAT
1178# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1179
1180label=AUE_MSGGET
1181  format=arg1:ipc
1182    comment=1, message key, "msg key"
1183  note=ipc_perm
1184  syscall=msgget
1185
1186label=AUE_MSGGETL
1187  skip=Not used.
1188
1189label=AUE_MSGRCV
1190  format=arg1:[ipc]:[ipc_perm]
1191    comment=1, message ID, "msg ID"
1192  note=ipc_perm
1193  syscall=msgrcv
1194# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1195
1196label=AUE_MSGRCVL
1197  skip=Not used.
1198
1199label=AUE_MSGSND
1200  format=arg1:[ipc]:[ipc_perm]
1201    comment=1, message ID, "msg ID"
1202  note=ipc_perm
1203  syscall=msgsnd
1204# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1205
1206label=AUE_MSGSNDL
1207  skip=Not used.
1208
1209label=AUE_MSGSYS
# Placeholder only; see the individual AUE_MSG* stanzas for record layouts.
1210  skip=Not used.  (Placeholder for AUE_MSG* events.)
1211
1212label=AUE_MUNMAP
1213  format=arg1:arg2
1214    comment=1, address of memory, "addr":
1215    comment=2, memory segment size, "len"
1216
1217label=AUE_NFS
1218  skip=Not used.
1219
1220label=AUE_NFSSVC_EXIT
1221  skip=Not used.
1222
1223label=AUE_NFS_GETFH
1224  skip=Not used.
1225
1226label=AUE_NFS_SVC
1227  skip=Not used.
1228
1229label=AUE_NICE
1230  format=kernel
1231
1232label=AUE_NULL
1233  skip=Not used.  (placeholder)
1234# used internal to audit_event.c for minimal audit
1235
1236label=AUE_NTP_ADJTIME
1237  format=kernel
1238
1239label=AUE_ONESIDE
1240  skip=Not used.
1241
1242label=AUE_OPEN
1243  skip=Not used.  (placeholder for AUE_OPEN_*).
1244
1245label=AUE_OPEN_R
1246  format=path:[path_attr]:[attr]
1247  see=open(2) - read
1248
1249label=AUE_OPENAT_R
1250# obsolete
1251  format=path:[path_attr]:[attr]
1252  see=openat(2)
1253
1254label=AUE_OPEN_RC
1255  format=path:[path_attr]:[attr]
1256  see=open(2) - read,creat
1257
1258label=AUE_OPENAT_RC
1259# obsolete
1260  see=openat(2)
1261  format=path:[path_attr]:[attr]
1262
1263label=AUE_OPEN_RT
1264  format=path:[path_attr]:[attr]
1265  see=open(2) - read,trunc
1266
1267label=AUE_OPENAT_RT
1268# obsolete
1269  see=openat(2)
1270  format=path:[path_attr]:[attr]
1271
1272label=AUE_OPEN_RTC
1273  format=path:[path_attr]:[attr]
1274  see=open(2) - read,trunc,creat
1275
1276label=AUE_OPENAT_RTC
1277# obsolete
1278  see=openat(2)
1279  format=path:[path_attr]:[attr]
1280
1281label=AUE_OPEN_RW
1282  format=path:[path_attr]:[attr]
1283  see=open(2) - read,write
1284
1285label=AUE_OPENAT_RW
1286# obsolete
1287  see=openat(2)
1288  format=path:[path_attr]:[attr]
1289# aui_fsat(): fm & O_RDWR
1290
1291label=AUE_OPEN_RWC
1292  format=path:[path_attr]:[attr]
1293  see=open(2) - read,write,creat
1294
1295label=AUE_OPENAT_RWC
1296# obsolete
1297  see=openat(2)
1298  format=path:[path_attr]:[attr]
1299
1300label=AUE_OPEN_RWT
1301  format=path:[path_attr]:[attr]
1302  see=open(2) - read,write,trunc
1303
1304label=AUE_OPENAT_RWT
1305# obsolete
1306  see=openat(2)
1307  format=path:[path_attr]:[attr]
1308
1309label=AUE_OPEN_RWTC
1310  format=path:[path_attr]:[attr]
1311  see=open(2) - read,write,trunc,creat
1312
1313label=AUE_OPENAT_RWTC
1314# obsolete
1315  see=openat(2)
1316  format=path:[path_attr]:[attr]
1317
1318label=AUE_OPEN_W
1319  format=path:[path_attr]:[attr]
1320  see=open(2) - write
1321
1322label=AUE_OPENAT_W
1323  see=openat(2)
1324  format=path:[path_attr]:[attr]
1325
1326label=AUE_OPEN_WC
1327  format=path:[path_attr]:[attr]
1328  see=open(2) - write,creat
1329
1330label=AUE_OPENAT_WC
1331  see=openat(2)
1332  format=path:[path_attr]:[attr]
1333
1334label=AUE_OPEN_WT
1335  format=path:[path_attr]:[attr]
1336  see=open(2) - write,trunc
1337
1338label=AUE_OPENAT_WT
1339  see=openat(2)
1340  format=path:[path_attr]:[attr]
1341
1342label=AUE_OPEN_WTC
1343  format=path:[path_attr]:[attr]
1344  see=open(2) - write,trunc,creat
1345
1346label=AUE_OPENAT_WTC
1347  see=openat(2)
1348  format=path:[path_attr]:[attr]
1349
1350label=AUE_OPEN_S
1351  format=path:[path_attr]:[attr]
1352  see=open(2) - search
1353
1354label=AUE_OPEN_E
1355  format=path:[path_attr]:[attr]
1356  see=open(2) - exec
1357
1358label=AUE_OSETPGRP
1359  skip=Not used.
1360
1361label=AUE_OSTAT
1362# obsolete
1363  skip=Not used.
1364
1365label=AUE_PATHCONF
1366  format=path:[attr]
1367
1368label=AUE_PIPE
1369  format=kernel
1370# class is "no", so this record is not usually printed
1371
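1372label=AUE_PORTFS
# Placeholder only; the AUE_PORTFS_* stanzas describe the actual records.
# Keep exactly one stanza per label so the effective entry is unambiguous.
1373  skip=Not used (placeholder for AUE_PORTFS_*).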
1377
1378label=AUE_PORTFS_ASSOCIATE
1379  syscall=portfs
1380  see=port_associate(3C)
1381  case=Port association via PORT_SOURCE_FILE
1382  format=[path]1:attr
1383    comment=name of the file/directory to be watched
1384
1385label=AUE_PORTFS_DISSOCIATE
1386  syscall=portfs
1387  see=port_dissociate(3C)
1388  case=Port disassociation via PORT_SOURCE_FILE
1389  format=kernel
1390
1391label=AUE_PRIOCNTLSYS
1392  syscall=priocntl
1393  see=priocntl(2)
1394  format=arg1:arg2
1395    comment=1, priocntl version number, "pc_version":
1396    comment=3, command, "cmd"
1397
1398label=AUE_PROCESSOR_BIND
1399  case=No LWP/thread bound to the processor
1400    format=arg1:arg2:text3:[proc]
1401      comment=1, type of ID, "ID type":
1402      comment=2, ID value, "ID":
1403      comment="PBIND_NONE"
1404  case=With processor bound
1405    format=arg1:arg2:arg3:[proc]
1406      comment=1, type of ID, "ID type":
1407      comment=2, ID value, "ID":
1408      comment=3, processor ID, "processor_id"
1409
1410label=AUE_PUTMSG
1411  see=putmsg(2)
1412  format=arg1:[path]:[attr]:arg2
1413    comment=1, file descriptor, "fd":
1414    comment=4, priority, "pri"
1415
1416label=AUE_PUTPMSG
1417  see=putpmsg(2)
1418  format=arg1:[path]:[attr]:arg2:arg3
1419    comment=1, file descriptor, "fd":
1420    comment=4, priority, "pri":
1421    comment=5, flags, "flags"
1422
1423label=AUE_P_ONLINE
1424  format=arg1:arg2:text3
1425    comment=1, processor ID, "processor ID":
1426    comment=2, flags value, "flags":
1427    comment=text form of flags.  Values&colon;  \
1428      P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1429
1430label=AUE_QUOTACTL
1431  skip=Not used.
1432
1433label=AUE_READ
1434  skip=Not used.  (Placeholder for AUE_READ_* events)
1435
1436label=AUE_READL
1437  skip=Not used. (Obsolete)
1438
1439label=AUE_READLINK
1440  format=path:[attr]
1441
1442label=AUE_READV
1443  skip=Not used (obsolete)
1444# detritus from CMS
1445
1446label=AUE_READVL
1447  skip=Not used (obsolete)
1448# detritus from CMS
1449
1450label=AUE_REBOOT
1451  skip=Not used.
1452
1453label=AUE_RECV
1454  case=If address family is AF_INET or AF_INET6
1455    format=[arg]1:[inet]
1456      comment=1, file descriptor, "so"
1457  case=If address family is AF_UNIX and path is defined
1458    format=[path]1:[attr]
1459      comment=1, file descriptor, "so"
1460  case=If address family is AF_UNIX and path is NULL
1461    format=[path]1:[attr]
1462      comment=1, file descriptor, "no path&colon; fd"
1463  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1464    format=[arg]1:[arg]2:[arg]3
1465      comment=1, file descriptor, "so":
1466      comment=1, family, "family":
1467      comment=1, type, "type"
1468# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1469
1470label=AUE_RECVFROM
1471  format=inet:arg1:[arg]2:inet3:arg4
1472    comment=3, message length, "len":
1473    comment=4, flags, "flags":
1474    comment=from address:
1475    comment=6, address length, "tolen"
1476  note=The socket token for a bad socket is reported as "argument
1477  note=token (1, socket descriptor, "fd")"
1478
1479label=AUE_RECVMSG
# The ".." cases refine the AF_INET or AF_INET6 case that precedes them.
1480  case=If invalid file descriptor
1481    format=arg1:arg2
1482      comment=1, file descriptor, "so":
1483      comment=3, flags, "flags"
1484  case=If valid file descriptor and socket is AF_UNIX and no path
1485    format=arg1:[attr]
1486      comment=1, file descriptor, "no path&colon; fd"
1487  case=If valid file descriptor and socket is AF_UNIX and path defined
1488    format=path:attr
1489  case=If valid file descriptor and socket is AF_INET or AF_INET6
1490  case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1491    format=arg1:arg2:inet
1492      comment=1, file descriptor, "so":
1493      comment=2, flags, "flags"
1494  case=.. if socket type is unknown
1495    format=arg1:arg2:arg3:arg4
1496      comment=1, file descriptor, "so":
1497      comment=1, family, "family":
1498      comment=1, type, "type":
1499      comment=3, flags, "flags"
1500
1501label=AUE_RENAME
1502  format=path1:[attr]1:[path]2
1503  comment=from name:
1504  comment=to name
1505
1506label=AUE_RENAMEAT
1507# obsolete
1508  format=path1:[attr]1:[path]2
1509  comment=from name:
1510  comment=to name
1511
1512label=AUE_RFSSYS
1513  skip=Not used.
1514# apparently replaced
1515
1516label=AUE_RMDIR
1517  format=path:[attr]
1518
1519label=AUE_SACL
1520  title=File Access Audit
1521  syscall=none
1522  see=none
1523  format=head:path:arg1:[text]2:subj
1524    comment="access_mask":
1525    comment="Windows SID"
1526
1527label=AUE_SEMCTL
1528  format=arg1:[ipc]:[ipc_perm]
1529    comment=1, semaphore ID, "sem ID"
1530  note=ipc_perm
1531# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1532
1533label=AUE_SEMCTL_GETALL
1534  format=arg1:[ipc]:[ipc_perm]
1535    comment=1, semaphore ID, "sem ID"
1536  note=ipc_perm
1537  syscall=semctl: GETALL
1538# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1539
1540label=AUE_SEMCTL_GETNCNT
1541  format=arg1:[ipc]:[ipc_perm]
1542    comment=1, semaphore ID, "sem ID"
1543  note=ipc_perm
1544  syscall=semctl: GETNCNT
1545# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1546
1547label=AUE_SEMCTL_GETPID
1548  format=arg1:[ipc]:[ipc_perm]
1549    comment=1, semaphore ID, "sem ID"
1550  note=ipc_perm
1551  syscall=semctl: GETPID
1552# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1553
1554label=AUE_SEMCTL_GETVAL
1555  format=arg1:[ipc]:[ipc_perm]
1556    comment=1, semaphore ID, "sem ID"
1557  note=ipc_perm
1558  syscall=semctl: GETVAL
1559# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1560
1561label=AUE_SEMCTL_GETZCNT
1562  format=arg1:[ipc]:[ipc_perm]
1563    comment=1, semaphore ID, "sem ID"
1564  note=ipc_perm
1565  syscall=semctl: GETZCNT
1566# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1567
1568label=AUE_SEMCTL_RMID
1569  format=arg1:[ipc]:[ipc_perm]
1570    comment=1, semaphore ID, "sem ID"
1571  note=ipc_perm
1572  syscall=semctl: IPC_RMID
1573# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1574
1575label=AUE_SEMCTL_SET
1576  format=arg1:[ipc]:[ipc_perm]
1577    comment=1, semaphore ID, "sem ID"
1578  note=ipc_perm
1579  syscall=semctl: IPC_SET
1580# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1581
1582label=AUE_SEMCTL_SETALL
1583  format=arg1:[ipc]:[ipc_perm]
1584    comment=1, semaphore ID, "sem ID"
1585  note=ipc_perm
1586  syscall=semctl: SETALL
1587# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1588
1589label=AUE_SEMCTL_SETVAL
1590  format=arg1:[ipc]:[ipc_perm]
1591    comment=1, semaphore ID, "sem ID"
1592  note=ipc_perm
1593  syscall=semctl: SETVAL
1594# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1595
1596label=AUE_SEMCTL_STAT
1597  format=arg1:[ipc]:[ipc_perm]
1598    comment=1, semaphore ID, "sem ID"
1599  note=ipc_perm
1600  syscall=semctl: IPC_STAT
1601# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1602
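1603label=AUE_SEMGET
1604  format=arg1:[ipc_perm]:ipc
1605    comment=1, semaphore ID, "sem key"
1606  note=ipc_perm
# The system call is semget, matching the label and the call path noted
# below (AUE_MSGGET likewise names msgget), not a semctl subcommand.
1607  syscall=semget
# NOTE(review): argument 1 is labelled "sem key" but described as a
# semaphore ID; AUE_MSGGET describes its key as "message key" -- confirm.
1608# ipc_perm token: semget -> audit_ipcget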
1609
1610label=AUE_SEMGETL
1611  skip=Not used.
1612
1613label=AUE_SEMOP
1614  format=arg1:[ipc]:[ipc_perm]
1615    comment=1, semaphore ID, "sem ID"
1616  note=ipc_perm
1617# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1618
1619label=AUE_SEMSYS
1620  skip=Not used.  (place holder) -- defaults to a semget variant
1621
1622label=AUE_SEND
1623  case=If address family is AF_INET or AF_INET6
1624    format=[arg]1:[inet]
1625      comment=1, file descriptor, "so"
1626  case=If address family is AF_UNIX and path is defined
1627    format=[path]1:[attr]
1628      comment=1, file descriptor, "so"
1629  case=If address family is AF_UNIX and path is NULL
1630    format=[path]1:[attr]
1631      comment=1, file descriptor, "no path&colon; fd"
1632  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1633    format=[arg]1:[arg]2:[arg]3
1634      comment=1, file descriptor, "so":
1635      comment=1, family, "family":
1636      comment=1, type, "type"
1637# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1638
1639label=AUE_SENDMSG
1640  case=If invalid file descriptor
1641    format=arg1:arg2
1642      comment=1, file descriptor, "so":
1643      comment=3, flags, "flags"
1644  case=If valid file descriptor
1645  case=...and address family is AF_UNIX and path is defined
1646    format=path:attr
1647  case=...and address family is AF_UNIX and path is NULL
1648    format=path1:attr
1649      comment=1, file descriptor, "nopath&colon; fd"
1650  case=...and address family is AF_INET or AF_INET6, \
1651    socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1652    format=arg1:arg2:inet
1653      comment=1, file descriptor, "so":
1654      comment=3, flags, "flags"
1655  case=...and unknown address family or address family AF_INET or AF_INET6 \
1656    and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1657    format=arg1:arg2:arg3:arg4
1658      comment=1, file descriptor, "so":
1659      comment=1, family, "family":
1660      comment=1, type, "type":
1661      comment=1, flags, "flags"
1662
1663label=AUE_SENDTO
1664  case=If invalid file descriptor
1665    format=arg1:arg2
1666      comment=1, file descriptor, "so":
1667      comment=3, flags, "flags"
1668  case=If valid file descriptor
1669  case=...and socket is AF_UNIX and path is defined
1670    format=path:attr
1671  case=...and address family is AF_UNIX and path is NULL
1672    format=path1:attr
1673      comment=1, file descriptor, "nopath&colon; fd"
1674  case=...and address family is AF_INET or AF_INET6
1675    format=arg1:arg2:inet
1676      comment=1, file descriptor, "so":
1677      comment=3, flags, "flags"
1678  case=...and unknown address family
1679    format=arg1:arg2:arg3:arg4
1680      comment=1, file descriptor, "so":
1681      comment=1, family, "family":
1682      comment=1, type, "type":
1683      comment=1, flags, "flags"
1684
1685label=AUE_SETAUDIT
# Record for setting a process's audit characteristics: audit user ID,
# terminal ID, preselection masks and audit session ID.
# Every comment= entry except the last ends in ":", and a literal colon
# inside an entry is written "&colon;"; the sample records below show the
# resulting labels as "setaudit:auid", "setaudit:port", and so on.
1686  case=With a valid program stack address
1687    format=arg1:arg2:arg3:arg4:arg5:arg6
1688      comment=1, audit user ID, "setaudit&colon;auid":
1689      comment=1, terminal ID, "setaudit&colon;port":
1690      comment=1, terminal ID, "setaudit&colon;machine":
1691      comment=1, preselection mask, "setaudit&colon;as_success":
1692      comment=1, preselection mask, "setaudit&colon;as_failure":
1693      comment=1, audit session ID, "setaudit&colon;asid"
1694  case=With an invalid program stack address
1695    format=kernel
# Two sample records for the valid-address case:
1696#	header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1697#	argument,1,0x271a,setaudit:auid
1698#	argument,1,0x3ff0201,setaudit:port
1699#	argument,1,0x8192591e,setaudit:machine
1700#	argument,1,0x400,setaudit:as_success
1701#	argument,1,0x400,setaudit:as_failure
1702#	argument,1,0x16f,setaudit:asid
1703#	subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1704#	return,success,0
1705#	trailer,215
1706#	header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1707#	argument,1,0x271a,setaudit:auid
1708#	argument,1,0x3ff0201,setaudit:port
1709#	argument,1,0x8192591e,setaudit:machine
1710#	argument,1,0x400,setaudit:as_success
1711#	argument,1,0x400,setaudit:as_failure
1712#	argument,1,0x16f,setaudit:asid
1713#	subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1714#	return,success,0
1715#	trailer,215
1716
1717label=AUE_SETAUDIT_ADDR
1718  case=With a valid program stack address
1719    format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1720      comment=1, audit user ID, "auid":
1721      comment=1, terminal ID, "port":
1722      comment=1, type, "type":
1723      comment=1, terminal ID, "ip address":
1724      comment=1, preselection mask, "as_success":
1725      comment=1, preselection mask, "as_failure":
1726      comment=1, audit session ID, "asid"
1727  case=With an invalid program stack address
1728    format=kernel
1729#	header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1730#	argument,1,0x15fa7,auid
1731#	argument,1,0x0,port
1732#	argument,1,0x4,type
1733#	ip address,tmach2
1734#	argument,1,0x9c00,as_success
1735#	argument,1,0x9c00,as_failure
1736#	argument,1,0x1f1,asid
1737#	subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1738#	return,success,0
1739
1740label=AUE_SETAUID
1741  format=arg1
1742    comment=2, audit user ID, "setauid"
1743
1744label=AUE_SETDOMAINNAME
1745  skip=Not used.  (See AUE_SYSINFO)
1746# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1747
1748label=AUE_SETEGID
1749  format=arg1
1750    comment=1, group ID, "gid"
1751
1752label=AUE_SETEUID
1753  format=arg1
1754    comment=1, user ID, "euid"
1755
1756label=AUE_SETGID
1757  format=arg1
1758    comment=1, group ID, "gid"
1759
1760label=AUE_SETGROUPS
1761  note=If more than NGROUPS_MAX_DEFAULT groups listed,
1762  note=no tokens are generated.
1763  case=If no groups in list
1764    format=[arg]1
1765      comment=1, 0, "setgroups"
1766  case=If 1 or more groups in list
1767    format=(1..n)arg1
1768      comment=1, gid, "setgroups"
1769
1770label=AUE_SETHOSTNAME
1771  skip=Not used.  (See AUE_SYSINFO)
1772# See sysinfo call with command SI_SET_HOSTNAME
1773
1774label=AUE_SETKERNSTATE
1775  skip=Not used.
1776
1777label=AUE_SETPGID
1778  format=[proc]:[arg]1
1779  comment=2, pgid, "pgid"
1780
1781label=AUE_SETPGRP
1782  format=kernel
1783
1784label=AUE_SETPRIORITY
1785  skip=Not used.
1786
1787label=AUE_SETPPRIV
# Records changes to a process privilege set.  arg1 is the setppriv
# operation; the privset tokens list the privileges affected.
# NOTE(review): the third case repeats the label "operation privileges off"
# but documents before/after privilege sets; presumably it describes the
# "set" operation -- confirm and relabel so the three cases are distinct.
1788  case=operation privileges off
1789  format=arg1:privset2
1790    comment=setppriv operation:
1791    comment=privileges actually switched off
1792  case=operation privileges on
1793  format=arg1:privset2
1794    comment=setppriv operation:
1795    comment=privileges actually switched on
1796  case=operation privileges off
1797  format=arg1:privset2:privset3
1798    comment=setppriv operation:
1799    comment=privileges before privset:
1800    comment=privileges after privset
# Sample record with two privilege tokens (matches the three-token case):
1801#header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
1802#argument,2,0x2,op
1803#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1804#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1805#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1806#return,success,0
1807
1808label=AUE_SETREGID
1809  format=arg1:arg2
1810    comment=1, real group ID, "rgid":
1811    comment=2, effective group ID, "egid"
1812
1813label=AUE_SETREUID
1814  format=arg1:arg2
1815    comment=1, real user ID, "ruid":
1816    comment=2, effective user ID, "euid"
1817
1818label=AUE_SETRLIMIT
1819  format=kernel
1820#	header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1821#	subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1822#	return,success,0
1823
1824label=AUE_SETSID
1825  format=kernel
1826
1827label=AUE_SETSOCKOPT
1828  case=Invalid file descriptor
1829    format=arg1:arg2
1830      comment=1, file descriptor, "so":
1831      comment=2, level, "level"
1832  case=Valid file descriptor
1833  case=...and socket is AF_UNIX
1834    format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1835      comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
1836        file descriptor:
1837      comment=1, file descriptor, "so":
1838      comment=1, family, "family":
1839      comment=1, type, "type":
1840      comment=2, protocol level, "level":
1841      comment=3, option name, "optname":
1842      comment=5, option length, "optlen":
1843      comment=option data
1844  case=...and socket is AF_INET or AF_INET6
1845    format=arg1:arg2:arg3:[arg]4:[data]5:inet
1846      comment=1, file descriptor, "so":
1847      comment=2, protocol level, "level":
1848      comment=3, option name, "optname":
1849      comment=5, option length, "optlen":
1850      comment=option data
1851  case=...and socket address family is unknown
1852    format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1853      comment=1, file descriptor, "so":
1854      comment=1, family, "family":
1855      comment=1, type, "type":
1856      comment=2, protocol level, "level":
1857      comment=3, option name, "optname":
1858      comment=5, option length, "optlen":
1859      comment=option data
1860
1861label=AUE_SETTIMEOFDAY
1862  skip=Not used.
1863
1864label=AUE_SETUID
1865  syscall=setuid
1866  format=arg1
1867    comment=1, "uid" to be set
1868
1869label=AUE_SETUSERAUDIT
1870  skip=Not used.
1871
1872label=AUE_SHMAT
1873  format=arg1:arg2:[ipc]:[ipc_perm]
1874    comment=1, shared memory ID, "shm ID":
1875    comment=2, shared mem addr, "shm addr"
1876  note=ipc_perm
1877# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1878
1879label=AUE_SHMCTL
1880  format=arg1:[ipc]:[ipc_perm]
1881    comment=1, shared memory ID, "shm ID"
1882  note=ipc_perm
1883# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1884
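1885label=AUE_SHMCTL_RMID
1886  format=arg1:[ipc]:[ipc_perm]
1887    comment=1, shared memory ID, "shm ID"
1888  note=ipc_perm
# shmctl, not semctl: the label and the call path noted below are shmctl.
1889  syscall=shmctl: IPC_RMID
1890# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc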
1891
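1892label=AUE_SHMCTL_SET
1893  format=arg1:[ipc]:[ipc_perm]
1894    comment=1, shared memory ID, "shm ID"
1895  note=ipc_perm
# shmctl, not semctl: the label and the call path noted below are shmctl.
1896  syscall=shmctl: IPC_SET
1897# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc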
1898
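1899label=AUE_SHMCTL_STAT
1900  format=arg1:[ipc]:[ipc_perm]
1901    comment=1, shared memory ID, "shm ID"
1902  note=ipc_perm
# shmctl, not semctl: the label and the call path noted below are shmctl.
1903  syscall=shmctl: IPC_STAT
1904# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc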
1905
1906label=AUE_SHMDT
1907  format=arg1
1908    comment=1, shared memory address, "shm adr"
1909
1910label=AUE_SHMGET
1911  format=arg1:[ipc_perm]:[ipc]
1912    comment=0, shared memory key, "shm key"
1913  note=ipc_perm
1914# ipc_perm: shmget -> audit_ipcget
1915
1916label=AUE_SHMGETL
1917  skip=Not used.
1918
1919label=AUE_SHMSYS
1920  skip=Not used.  (Placeholder for shmget and shmctl*)
1921
1922label=AUE_SHUTDOWN
1923  case=If the socket address is invalid
1924    format=[arg]1:[text]2:[text]3
1925      comment=1, file descriptor, "fd":
1926      comment=bad socket address:
1927      comment=bad peer address
1928  case=If the socket address is part of the AF_INET family
1929    case=..with zero file descriptor
1930      format=arg1:[arg]2:[arg]3:[arg]4
1931	comment=1, file descriptor, "so":
1932	comment=1, family, "family":
1933	comment=1, type, "type":
1934	comment=2, how shutdown code, "how"
1935    case=...with non-zero file descriptor
1936      format=arg1:arg2:inet
1937	comment=1, file descriptor, "so":
1938	comment=2, how shutdown code, "how"
1939  case=If the socket address is AF_UNIX
1940    case=...with zero file descriptor
1941      format=path1:arg2:[arg]3:[arg]4:[arg]5
1942	comment=If error&colon; argument&colon; \
1943	  1, "no path&colon; fd", file descriptor:
1944	comment=1, file descriptor, "so":
1945	comment=1, family, "family":
1946	comment=1, type, "type":
1947	comment=2, how shutdown code, "how"
1948    case=...with non-zero file descriptor
1949      format=path1:arg2:arg3:inet
1950	comment=If error&colon; argument&colon; \
1951	  1, file descriptor, "no path&colon; fd":
1952	comment=1, file descriptor, "so":
1953	comment=2, how shutdown code, "how"
1954#old BSM manual wrong; used audit_event.c
1955
1956label=AUE_SOCKACCEPT
1957  syscall=getmsg:  socket accept
1958  format=inet:arg1:[path]:attr:arg2
1959    comment=1, file descriptor, "fd":
1960    comment=4, priority, "pri"
1961# see putmsg and getmsg for record format
1962# See audit.c for inet token and audit_start.c for other reference
1963
1964label=AUE_SOCKCONFIG
1965  format=arg1:arg2:arg3:[path]4
1966    comment=1, domain address, "domain":
1967    comment=2, type, "type":
1968    comment=3, protocol, "protocol":
1969    comment=If no path&colon;argument -- 3, 0, "devpath"
1970
1971label=AUE_SOCKCONNECT
1972  syscall=putmsg:  socket connect
1973  format=inet:arg1:[path]:attr:arg2
1974    comment=1, file descriptor, "fd":
1975    comment=4, priority, "pri"
1976# same as AUE_SOCKACCEPT
1977
1978label=AUE_SOCKET
1979  format=arg1:[arg]2:arg3
1980    comment=1, socket domain, "domain":
1981    comment=2, socket type, "type":
1982    comment=3, socket protocol, "protocol"
1983
1984label=AUE_SOCKETPAIR
1985  skip=Not used.
1986# unreferenced
1987
1988label=AUE_SOCKRECEIVE
1989  syscall=getmsg
1990  format=inet:arg1:[path]:attr:arg2
1991    comment=1, file descriptor, "fd":
1992    comment=4, priority, "pri"
1993# see AUE_SOCKACCEPT
1994
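1995label=AUE_SOCKSEND
# Socket send as audited through putmsg. The record lists an inet token, two
# arg tokens, a bracketed [path] token and an attr token; the two comment=
# lines annotate arg1 and arg2 in that order.
# NOTE(review): the leading numbers in the arg comments (1 and 4) are
# presumably the putmsg argument numbers, not token positions -- confirm.
1996  syscall=putmsg
1997  format=inet:arg1:[path]:attr:arg2
1998    comment=1, file descriptor, "fd":
1999    comment=4, priority, "pri"
2000# see AUE_SOCKACCEPT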
2001
2002label=AUE_STAT
2003  format=path:[attr]
2004
2005label=AUE_STATFS
2006  format=path:[attr]
2007
2008label=AUE_STATVFS
2009  format=path:[attr]
2010
2011label=AUE_STIME
2012  format=kernel
2013
2014label=AUE_SWAPON
2015  skip=Not used.
2016
2017label=AUE_SYMLINK
2018  format=path:text1:[attr]
2019    comment=symbolic link string
2020
2021label=AUE_SYSINFO
2022  note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
2023  note=are currently audited.
2024  format=arg1:[text]2
2025    comment=1, command, "cmd":
2026    comment=name
2027
2028label=AUE_SYSTEMBOOT
# Boot marker record. With syscall=none it is not tied to a system call, and
# per the notes below it is written without a subject or return token: only
# the header and one text token ("booting kernel") appear, as in the sample.
# NOTE(review): queries that select records by subject fields presumably
# never return this record; select it by event when looking for reboots.
2029  title=system booted
2030  syscall=none
2031  format=head:text1
2032    comment="booting kernel"
2033# see audit_start.c and audit_io.c
2034# no subject or return / exit token
2035#	header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
2036#	text,booting kernel
2037
2038label=AUE_TRUNCATE
2039  skip=Not used.
2040
2041label=AUE_UMOUNT
2042  syscall=umount: old version
2043  note=Implemented as call of the newer umount2(2).
2044  format=path:arg1:[path]:[attr]
2045    comment=2, mflag value = 0, "flags"
2046
2047label=AUE_UMOUNT2
2048  syscall=umount2
2049  format=path:arg1:[path]:[attr]
2050    comment=2, mflag value, "flags"
2051
2052label=AUE_UNLINK
2053  format=path:[attr]
2054
2055label=AUE_UNLINKAT
2056# obsolete
2057  see=openat(2)
2058  format=path:[attr]
2059
2060label=AUE_UNMOUNT
2061  skip=Not used.
2062
2063label=AUE_UTIME
2064# obsolete
2065  format=path:[attr]
2066
2067label=AUE_UTIMES
2068  see=futimens(2)
2069  format=path:[attr]
2070
2071label=AUE_VFORK
2072  format=arg1
2073    comment=0, pid, "child PID"
2074  note=The vfork(2) return values are undefined because the audit record is
2075  note=produced at the point that the child process is spawned.
2076
2077label=AUE_VPIXSYS
2078  skip=Not used.
2079
2080label=AUE_VTRACE
2081  skip=Not used.
2082
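2083label=AUE_WRITE
# The single comment= line annotates path1: when no path is available an
# argument token carrying the file descriptor is written instead.
# A literal colon inside a comment is spelled &colon; because a bare ":"
# ends a comment= entry, as the trailing colons elsewhere in this file show.
# Per the note, a record is produced once per file close, not per write
# call, so the trail cannot be used to count individual writes.
2084  format=path1:attr
2085    comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
2086  note=An audit record is generated for write only once per file close.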
2087
2088label=AUE_WRITEV
2089  skip=Not used. (obsolete)
2090
2091label=AUE_XMKNOD
2092# obsolete
2093  skip=Not used.
2094
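2095label=AUE_XSTAT
2096# obsolete
# No format= is declared for this event; it carries only a skip= line, with
# the same wording as the other unused events in this file.
2097  skip=Not used.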
2098
2099label=AUE_PF_POLICY_ADDRULE
2100  title=Add IPsec policy rule
2101  see=
2102  syscall=none
2103  format=arg1:arg2:[zone]3:[text]4
2104  comment=Operation applied to active policy (1 is active, 0 is inactive):
2105  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106  comment=affected zone:
2107  comment=Name of target tunnel
2108
2109label=AUE_PF_POLICY_DELRULE
2110  title=Delete IPsec policy rule
2111  see=
2112  syscall=none
2113  format=arg1:arg2:[zone]3:[text]4
2114  comment=Operation applied to active policy (1 is active, 0 is inactive):
2115  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116  comment=affected zone:
2117  comment=Name of target tunnel
2118
2119label=AUE_PF_POLICY_CLONE
2120  title=Clone IPsec policy
2121  see=
2122  syscall=none
2123  format=arg1:arg2:[zone]3:[text]4
2124  comment=Operation applied to active policy (1 is active, 0 is inactive):
2125  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2126  comment=affected zone:
2127  comment=Name of target tunnel
2128
2129label=AUE_PF_POLICY_FLIP
2130  title=Flip IPsec policy
2131  see=
2132  syscall=none
2133  format=arg1:arg2:[zone]3:[text]4
2134  comment=Operation applied to active policy (1 is active, 0 is inactive):
2135  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2136  comment=affected zone:
2137  comment=Name of target tunnel
2138
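2139label=AUE_PF_POLICY_FLUSH
# IPsec policy flush event; no system call is associated (syscall=none).
# The four comment= lines annotate arg1, arg2, [zone]3 and [text]4 in order:
# active (1) or inactive (0) policy, global (1) or tunnel (0) policy, the
# affected zone, and the name of the target tunnel.
# The title names the flush operation so that a reader of the generated
# documentation can tell this event apart from AUE_PF_POLICY_FLIP.
2140  title=Flush IPsec policy rules
2141  see=
2142  syscall=none
2143  format=arg1:arg2:[zone]3:[text]4
2144  comment=Operation applied to active policy (1 is active, 0 is inactive):
2145  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2146  comment=affected zone:
2147  comment=Name of target tunnel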
2148
2149label=AUE_PF_POLICY_ALGS
2150  title=Update IPsec algorithms
2151  see=
2152  syscall=none
2153  format=arg1:arg2:[zone]3:[text]4
2154  comment=Operation applied to active policy (1 is active, 0 is inactive):
2155  comment=Operation applied to global policy (1 is global, 0 is tunnel):
2156  comment=affected zone:
2157  comment=Name of target tunnel
2158
2159label=AUE_allocate_fail
2160  program=/usr/sbin/allocate
2161  title=allocate: allocate-device failure
2162  format=(0..n)[text]1
2163    comment=command line arguments
2164# see audit_allocate.c
2165
2166label=AUE_allocate_succ
2167  program=/usr/sbin/allocate
2168  title=allocate: allocate-device success
2169  format=(0..n)[text]1
2170    comment=command line arguments
2171# see audit_allocate.c
2172
2173label=AUE_at_create
2174  program=/usr/bin/at
2175  title=at: at-create crontab
2176  format=path
2177
2178label=AUE_at_delete
2179  program=/usr/bin/at
2180  title=at: at-delete atjob (at or atrm)
2181  format=text1:path
2182  comment="ancillary file&colon;" filename or "bad format of at-job name"
2183
2184label=AUE_at_perm
2185  skip=Not used.
2186# not referenced outside uevents.h
2187
2188label=AUE_create_user
2189  skip=Not used.
2190
2191label=AUE_cron_invoke
# cron-invoke event for at and cron jobs (program=/usr/sbin/cron). Two
# layouts are declared:
#   - problem finding the account: one text token with the reason;
#   - otherwise: two text tokens, the job type and then the command.
# NOTE(review): the second layout puts the job's command text into the audit
# trail; if jobs carry secrets on their command line the trail inherits that
# sensitivity -- confirm against the cron audit code what is recorded.
2192  program=/usr/sbin/cron
2193  title=cron: cron-invoke at or cron
2194  case=If issue with account find
2195  format=text1
2196    comment="bad user" name or "user <name> account expired"
2197  case=else
2198  format=text1:text2
2199    comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2200      or "unknown job type (<job_type_id>)":
2201    comment=command
2202
2203label=AUE_crontab_create
2204  program=/usr/bin/crontab
2205  title=crontab: crontab created
2206  format=path
2207# See audit_crontab.c
2208
2209label=AUE_crontab_delete
2210  program=/usr/bin/crontab
2211  title=crontab: crontab delete
2212  format=path
2213# See audit_crontab.c
2214
2215label=AUE_crontab_mod
2216  program=/usr/bin/crontab
2217  title=crontab:  crontab modify
2218  format=path
2219# See audit_crontab.c
2220
2221label=AUE_crontab_perm
2222  skip=Not used.
2223
2224label=AUE_deallocate_fail
2225  program=/usr/sbin/deallocate
2226  title=deallocate-device failure
2227  format=(0..n)[text]1
2228    comment=command line arguments
2229# See audit_allocate.c
2230
2231label=AUE_deallocate_succ
2232  program=/usr/sbin/deallocate
2233  title=deallocate-device success
2234  format=(0..n)[text]1
2235    comment=command line arguments
2236# See audit_allocate.c
2237
2238label=AUE_delete_user
2239  skip=Not used.
2240
2241label=AUE_disable_user
2242  skip=Not used.
2243
2244label=AUE_enable_user
2245  skip=Not used.
2246
2247label=AUE_ftpd
2248  program=/usr/sbin/in.ftpd
2249  title=in.ftpd
2250  format=[text]1
2251    comment=error message
2252# See audit_ftpd
2253
2254label=AUE_ftpd_logout
2255  program=/usr/sbin/in.ftpd
2256  title=in.ftpd
2257  format=user
2258# See audit_ftpd
2259
2260label=AUE_halt_solaris
2261  program=/usr/sbin/halt
2262  title=halt
2263  format=user
2264# See audit_halt.c
2265
2266label=AUE_kadmind_auth
2267  format=text1:text2:text3
2268    comment=Op&colon; <requested information>:
2269    comment=Arg&colon; <argument for Op>:
2270    comment=Client&colon; <client principal name>
2271# See audit_kadmin.c / common_audit()
2272
2273label=AUE_kadmind_unauth
# Three text tokens, annotated in order: the requested operation ("Op:"),
# its argument ("Arg:") and the client principal ("Client:"). The layout is
# identical to AUE_kadmind_auth, so only the event itself separates the two.
# NOTE(review): going by the label this is the rejected-request case and a
# natural candidate for alerting -- confirm in audit_kadmin.c.
2274  format=text1:text2:text3
2275    comment=Op&colon; <requested information>:
2276    comment=Arg&colon; <argument for Op>:
2277    comment=Client&colon; <client principal name>
2278# See audit_kadmin.c / common_audit()
2279
2280label=AUE_krb5kdc_as_req
2281  format=text1:text2
2282    comment=Client&colon; <client principal name>:
2283    comment=Service&colon; <requested service name>
2284# See audit_krb5kdc.c / common_audit()
2285
2286label=AUE_krb5kdc_tgs_req
2287  format=text1:text2
2288    comment=Client&colon; <client principal name>:
2289    comment=Service&colon; <requested service name>
2290# See audit_krb5kdc.c / common_audit()
2291
2292label=AUE_krb5kdc_tgs_req_alt_tgt
2293  format=text1:text2
2294    comment=Client&colon; <client principal name>:
2295    comment=Service&colon; <requested service name>
2296# See audit_krb5kdc.c / common_audit()
2297
2298label=AUE_krb5kdc_tgs_req_2ndtktmm
2299  format=text1:text2
2300    comment=Client&colon; <client principal name>:
2301    comment=Service&colon; <requested service name>
2302# See audit_krb5kdc.c / common_audit()
2303
2304label=AUE_listdevice_fail
2305  title=allocate-list devices failure
2306  program=/usr/sbin/allocate
2307  format=(0..n)[text]1
2308    comment=command line arguments
2309# See audit_allocate.c
2310
2311label=AUE_listdevice_succ
2312  title=allocate-list devices success
2313  program=/usr/sbin/allocate
2314  format=(0..n)[text]1
2315    comment=command line arguments
2316# See audit_allocate.c
2317
2318label=AUE_modify_user
2319  skip=Not used.
2320
2321label=AUE_mountd_mount
2322  title=mountd: NFS mount
2323  program=/usr/lib/nfs/mountd
2324  see=mountd(8)
2325  format=text1:path2
2326    comment=remote client hostname:
2327    comment=mount dir
2328# See audit_mountd.c
2329
2330label=AUE_mountd_umount
2331  title=mountd: NFS unmount
2332  program=/usr/lib/nfs/mountd
2333  format=text1:path2
2334  comment=remote client hostname:
2335  comment=mount dir
2336# See audit_mountd.c
2337
2338label=AUE_poweroff_solaris
2339  program=/usr/sbin/poweroff
2340  title=poweroff
2341  format=user
2342# See audit_halt.c
2343
2344label=AUE_reboot_solaris
2345  program=/usr/sbin/reboot
2346  title=reboot
2347  format=user
2348# See audit_reboot.c
2349#	header,61,2,reboot(8),,Fri Nov 09 13:52:34 2001, + 726 msec
2350#	subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2351#	return,success,0
2352
2353label=AUE_rexd
# rpc.rexd remote execution request. Five text tokens, annotated in order:
# error message, requesting host, user name, user id, command line.
# [text]1 and [text]4 are marked "failure only"; [text]5 is also bracketed,
# while the host and user name tokens are not.
# NOTE(review): the attempted command line is stored in the trail as text,
# so a credential passed as an argument would be readable there -- keep
# access to the trail as restricted as the data it may contain.
2354  program=/usr/sbin/rpc.rexd
2355  title=rpc.rexd
2356  format=[text]1:text2:text3:[text]4:[text]5
2357    comment=error message (failure only):
2358    comment="Remote execution requested by&colon;" hostname:
2359    comment="Username&colon;" username:
2360    comment="User id&colon;" user ID (failure only):
2361    comment="Command line&colon;" command attempted
2362# See audit_rexd.c
2363
2364label=AUE_rexecd
2365  program=/usr/sbin/rpc.rexecd
2366  title=rpc.rexecd
2367  format=[text]1:text2:text3:text4
2368    comment=error message (failure only):
2369    comment="Remote execution requested by&colon;" hostname:
2370    comment="Username&colon;" username:
2371    comment="Command line&colon;" command attempted
2372# See audit_rexecd.c
2373
2374label=AUE_rshd
# in.rshd request. Four text tokens, annotated in order: the command, the
# remote user, the local user and a failure message; the last two are
# bracketed in format=.
# NOTE(review): the remote user name is presumably the value supplied by
# the connecting client; treat it as unverified when correlating records --
# confirm in audit_rshd.c.
2375  program=/usr/sbin/in.rshd
2376  title=in.rshd
2377  format=text1:text2:[text]3:[text]4
2378    comment="cmd" command:
2379    comment="remote user" remote user:
2380    comment="local user" local user:
2381    comment=failure message
2382# See audit_rshd.c
2383
2384label=AUE_shutdown_solaris
2385  title=shutdown
2386  program=/usr/ucb/shutdown
2387  format=user
2388# See audit_shutdown.c
2389
2390label=AUE_smserverd
2391  program=/usr/lib/smedia/rpc.smserverd
2392  format=[text]1:[text]2
2393    comment=state change:
2394    comment=vid, pid, major/minor device
2395# see usr/src/cmd/smserverd
2396# code shows a third token, path, but it isn't implemented.
2397
2398label=AUE_uadmin_solaris
# Marked obsolete in its title and in the trailing comment, which points to
# the AUE_uadmin_* events. program= and see= are empty; the record still
# declares two text tokens (function code, argument code).
# NOTE(review): other unused events in this file carry skip=Not used.; this
# one does not, so it is presumably still emitted into the generated
# documentation -- confirm whether a skip= line is intended.
2399  title=uadmin (obsolete)
2400  program=
2401  see=
2402  format=text1:text2
2403  comment=function code:
2404  comment=argument code
2405# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2406
2407label=AUE_LABELSYS_TNRH
2408  title=config Trusted Network remote host cache
2409  see=tnrh(2)
2410  syscall=labelsys: TSOL_TNRH
2411  case=With the flush command (cmd=3)
2412    format=arg1
2413      comment=1, command, "cmd"
2414  case=With the load (cmd=1) and delete (cmd=2) commands
2415    format=arg1:inaddr2:arg3
2416      comment=1, command, "cmd":
2417      comment=ip address of host:
2418      comment=2, prefix length, "prefix len"
2419
2420label=AUE_LABELSYS_TNRHTP
2421  title=config Trusted Network remote host template
2422  see=tnrhtp(2)
2423  syscall=labelsys: TSOL_TNRHTP
2424  case=With the flush command (cmd=3)
2425    format=arg1
2426      comment=1, command, "cmd"
2427  case=With the load (cmd=1) and delete (cmd=2) commands
2428    format=arg1:text2
2429      comment=1, command, "cmd":
2430      comment=name of template
2431
2432label=AUE_LABELSYS_TNMLP
# labelsys TSOL_TNMLP: multi-level port entry configuration. Two layouts,
# chosen by the command in arg1: flush (cmd=3) records the command and
# "shared" or a zone name; load (cmd=1) and delete (cmd=2) add the protocol
# number, the starting port and a bracketed ending port ([arg]5).
# NOTE(review): the three trailing arg comments all start with "2" while
# they annotate arg3, arg4 and [arg]5; presumably that leading number is the
# system call argument they come from, not the token position -- confirm.
2433  title=config Trusted Network multi-level port entry
2434  see=tnmlp(2)
2435  syscall=labelsys: TSOL_TNMLP
2436  case=With the flush command (cmd=3)
2437    format=arg1:text2
2438      comment=1, command, "cmd":
2439      comment="shared", or name of zone
2440  case=With the load (cmd=1) and delete (cmd=2) commands
2441    format=arg1:text2:arg3:arg4:[arg]5
2442      comment=1, command, "cmd":
2443      comment="shared", or name of zone:
2444      comment=2, protocol number, "proto num":
2445      comment=2, starting mlp port number, "mlp_port":
2446      comment=2, ending mlp port number, "mlp_port_upper"
2447