# audit_record_attr.txt # Two "#" are comments that are copied to audit_record_attr # other comments are removed. ## ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. ## Copyright 2018 Nexenta Systems, Inc. All rights reserved. ## Copyright 2019 Joyent, Inc. ## ## CDDL HEADER START ## ## The contents of this file are subject to the terms of the ## Common Development and Distribution License (the "License"). ## You may not use this file except in compliance with the License. ## ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE ## or http://www.opensolaris.org/os/licensing. ## See the License for the specific language governing permissions ## and limitations under the License. ## ## When distributing Covered Code, include this CDDL HEADER in each ## file and include the License file at usr/src/OPENSOLARIS.LICENSE. ## If applicable, add the following below this CDDL HEADER, with the ## fields enclosed by brackets "[]" replaced with your own identifying ## information: Portions Copyright [yyyy] [name of copyright owner] ## ## CDDL HEADER END ## ## # source file for describing audit records. # This file is in two sections. The first is a list of attribute / # value pairs used to provide short cuts in annotating the audit # records. The second is for annotation for each audit record. 
# first section: general attributes # skipClass= # skipClass=no # uncomment to filter unused events # token name abbreviations # token=alias:fullname -- short names for key tokens token=arg:argument token=attr:attribute token=acl:acl_entry token=cmd:command token=data:data token=exec_args:exec_arguments token=exec_env:exec_environment token=group:group token=inaddr:ip_addr token=inet:socket token=ipc:ipc token=ipc_perm:ipc_perm token=newgroup:newgroups token=path:path token=path_attr:attribute_path token=privset:privilege token=proc:process token=text:text token=tid:terminal_adr token=uauth:use_of_authorization token=upriv:use_of_privilege token=user:user_object token=zone:zonename token=fmri:service_instance token=label:mandatory_label token=head:header token=subj:subject token=ret:return token=exit:exit # note names -- certain notes show up repeatedly; collected here # # To achieve the maximum line length to be less than 80 characters, the # note names (message=) can be defined as a multi line, each line except the # last one finished with the backslash character. message=ipc_perm:The ipc and ipc_perm tokens are not included if \ the message ID is not valid. # basic record pattern ("insert" is where event-specific tokens # are listed.) kernel=head:insert:subj:[upriv]:ret user=head:subj:insert:ret # Second Section # Annotation Section # # Most audit records need annotation beyond what is provided by # the files audit_event and audit_class. At a minimum, a record # is represented by a label and a format. # # label=record_id like AUE_ACCEPT # format=token_alias # # there is no end line; a new label= end the preceding definition # and starts the next. # # format values are a list of token names, separated by colons. The # name is either one of the values described above (token=) or is # a value to be taken literally. If a token name ends with a digit, # the digit is an index into an array of comments. 
In the few cases # where there are no tokens (other than header, subject, return/exit), # use "format=kernel" or "format=user". # # comment is an array of strings separated by colons. If comments # are listed on separate lines (recommended for better # readability/maintainability of the file), the preceding comment # must end with a colon. The array starts at 1. (If the comment # contains a colon, use ":" without the quotes.) # # case is used to generate alternate descriptions for a given # record. # # Constraints - string length; bear in mind that any annotation of # the primitives below that is longer than specified will be silently truncated # to the given number of characters by the auditrecord(8) runtime: # # primitive <= max (non-truncated) string length # case <= unlimited; if necessary, text continues on a new line # comment <= unlimited; if necessary, text continues on a new line # label <= 43 # note <= unlimited; if necessary, text continues on a new line # program <= 20 # see <= 39 # syscall <= 20 # title <= 46 # token <= 28 (full name) # # To keep line length under 80 characters, one can # define the unlimited primitives as multiple lines, each line except the # last one ending with a backslash character. In addition to the primitives # listed above, the "format=" record attribute follows the same rule. # # # AUE_ACCEPT illustrates the use of all the above. Note that # case is not nested; ellipsis (...) is used to give the effect # of nesting. 
label=AUE_ACCEPT #accept(2) failure case=Invalid socket file descriptor format=arg1 comment=1, file descriptor, "so" #accept(2) non SOCK_STREAM socket case=If the socket address is not part of the AF_INET family format=arg1:arg2:arg3 comment=1, "so", file descriptor: comment="family", so_family: comment="type", so_type case=If the socket address is part of the AF_INET family case=...If there is no vnode for this file descriptor format=[arg]1 comment=1, file descriptor, "Bad so" #accept(2) SOCK_STREAM socket-not bound case=...or if the socket is not bound format=[arg]1:[inet]2 comment=1, file descriptor, "so": comment=local/foreign address (0.0.0.0) case=...or if the socket address length = 0 format=[arg]1:[inet]2 comment=1, file descriptor, "so": comment=local/foreign address (0.0.0.0) case=...or for all other conditions format=inet1:[inet]1 comment=socket address #accept(2) failure # header # au_to_arg32 "so",file descriptor # subject # return # #accept(2) non SOCK_STREAM socket # header # au_to_arg32 "so", file descriptor # au_to_arg32 "family", so_family # au_to_arg32 "type", so_type # subject # return success # #accept(2) SOCK_STREAM socket-not bound # header # au_to_arg32 "so", file descriptor # au_to_socket_ex local/foreign address (0.0.0.0) # subject # return success # #accept(2) SOCK_STREAM socket-bound # header # au_to_arg32 "so", file descriptor # au_to_socket_ex # subject # return success label=AUE_ACCESS format=path1:[attr] comment=may be truncated in failure case # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ # attribute,100777,41416,staff,8388608,402255,0 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30 # return,success,0 # trailer,163 # # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail # attribute,100000,root,other,8388608,402257,0 # 
subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 # return,failure: Permission denied,-1 # trailer,163 # # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 # return,failure: No such file or directory,-1 # trailer,135 label=AUE_ACCT case=Zero path format=arg1 comment=1, 0, "accounting off" case=Non-zero path format=path1:[attr]2 comment=may be truncated in failure case: comment=omitted if failure label=AUE_ACLSET syscall=acl format=arg1:arg2:(0..n)[acl]3 comment=2, SETACL, "cmd": comment=3, number of ACL entries, "nentries": comment=Access Control List entries label=AUE_ADJTIME format=kernel label=AUE_ASYNC_DAEMON skip=Not used label=AUE_ASYNC_DAEMON_EXIT skip=Not used label=AUE_AUDIT skip=Not used. (Placeholder for the set AUE_AUDIT_*.) label=AUE_AUDITON skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
label=AUE_AUDITON_GESTATE skip=Not used label=AUE_AUDITON_GETAMASK format=kernel syscall=auditon: GETAMASK label=AUE_AUDITON_GETCAR format=kernel syscall=auditon: GETCAR # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 # return,success,0 # trailer,68 label=AUE_AUDITON_GETCLASS format=kernel syscall=auditon: GETCLASS # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GETCOND format=kernel syscall=auditon: GETCOND # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GETCWD format=kernel syscall=auditon: GETCWD # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GETKMASK format=kernel syscall=auditon: GETKMASK # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GETSTAT format=kernel syscall=auditon: A_GETSTAT # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GPOLICY format=kernel syscall=auditon: GPOLICY # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GQCTRL format=kernel syscall=auditon: GQCTRL # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 
20001415 msec # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 # return,success,0 # trailer,68 label=AUE_AUDITON_GTERMID skip=Not used. label=AUE_AUDITON_SESTATE skip=Not used. label=AUE_AUDITON_SETAMASK format=[arg]1:[arg]2 comment=2, "setamask as_success", user default audit preselection mask: comment=2, "setamask as_failure", user default audit preselection mask syscall=auditon: SETAMASK label=AUE_AUDITON_SETCLASS format=[arg]1:[arg]2 comment=2, "setclass:ec_event", event number: comment=3, "setclass:ec_class", class mask syscall=auditon: SETCLASS # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec # argument,2,0x0,setclass:ec_event # argument,3,0x0,setclass:ec_class # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 # return,success,0 # trailer,120 label=AUE_AUDITON_SETCOND format=[arg]1 comment=3, "setcond", audit state syscall=auditon: SETCOND label=AUE_AUDITON_SETKMASK format=[arg]1:[arg]2 comment=2, "setkmask as_success", kernel non-attributable mask: comment=2, "setkmask as_failure", kernel non-attributable mask syscall=auditon: SETKMASK # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec # argument,2,0x0,setkmask:as_success # argument,2,0x0,setkmask:as_failure # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 # return,success,0 # trailer,124 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec # argument,2,0x0,setkmask:as_success # argument,2,0x0,setkmask:as_failure # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 # return,failure: Not owner,-1 # trailer,124 label=AUE_AUDITON_SETSMASK format=[arg]1:[arg]2 comment=3, "setsmask:as_success", session ID mask: comment=3, "setsmask:as_failure", session ID mask syscall=auditon: SETSMASK # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec # argument,3,0x400,setsmask:as_success # 
argument,3,0x400,setsmask:as_failure # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 # return,success,0 # trailer,124 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec # argument,3,0x400,setsmask:as_success # argument,3,0x400,setsmask:as_failure # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 # return,failure: Not owner,-1 # trailer,124 label=AUE_AUDITON_SETSTAT format=kernel syscall=auditon: SETSTAT # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 # return,success,0 # trailer,68 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 # return,failure: Not owner,-1 # trailer,68 label=AUE_AUDITON_SETUMASK format=[arg]1:[arg]2 comment=3, "setumask:as_success", audit ID mask: comment=3, "setumask:as_failure", audit ID mask syscall=auditon: SETUMASK # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec # argument,3,0x400,setumask:as_success # argument,3,0x400,setumask:as_failure # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 # return,success,0 # trailer,124 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec # argument,3,0x400,setumask:as_success # argument,3,0x400,setumask:as_failure # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 # return,failure: Not owner,-1 # trailer,124 label=AUE_AUDITON_SPOLICY format=[arg]1 comment=1, audit policy flags, "setpolicy" syscall=auditon: SPOLICY # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec # argument,3,0x200,setpolicy # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 # return,success,0 # trailer,86 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, 
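+ 200002798 msec
# argument,3,0x200,setpolicy
# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,86
label=AUE_AUDITON_SQCTRL
format=[arg]1:[arg]2:[arg]3:[arg]4
comment=3, "setqctrl:aq_hiwater", queue control param.:
comment=3, "setqctrl:aq_lowater", queue control param.:
comment=3, "setqctrl:aq_bufsz", queue control param.:
comment=3, "setqctrl:aq_delay", queue control param.
syscall=auditon: SQCTRL
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
# return,success,0
# trailer,176
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,176
label=AUE_AUDITON_SETPMASK
format=[arg]1:[arg]2
# comments listed on separate lines must each end with ":" except the
# last one; without the colon after "process" the array stopped there
# and the as_success/as_failure entries were never attached.
# NOTE(review): three comments but only two indexed tokens in format=;
# confirm against the kernel whether a third [arg] token is emitted.
comment=3, "setpmask:pid", process:
comment=3, "setpmask:as_success", audit ID mask:
comment=3, "setpmask:as_failure", audit ID mask
syscall=auditon: SETPMASK
label=AUE_AUDITON_SETKAUDIT
format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
comment=1, audit user ID, "auid":
comment=1, terminal ID, "port":
comment=1, type, "type":
comment=1, terminal ID, "ip address":
comment=1, preselection mask, "as_success":
comment=1, preselection mask, "as_failure":
comment=1, audit session ID, "asid"
syscall=auditon: SETKAUDIT
label=AUE_AUDITON_GETPINFO
format=kernel
syscall=auditon: GETPINFO
label=AUE_AUDITON_GETKAUDIT
format=kernel
syscall=auditon: GETKAUDIT
label=AUE_AUDITON_OTHER
format=kernel
syscall=auditon: OTHER
label=AUE_AUDITON_STERMID
skip=Not used.
label=AUE_AUDITSTAT
skip=Not used.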
label=AUE_AUDITSVC skip=Not used. label=AUE_AUDITSYS skip=Not used. (Place holder for various auditing events.) label=AUE_BIND # differs from documented version. # cases "no vnode" not fully confirmed # family and type need argument number case=Invalid socket handle format=arg1 comment=1, file descriptor, "so" case=If there is no vnode for this file descriptor case=or if the socket is not of the AF_INET family format=arg1:arg2:arg3 comment=1, file descriptor, "so": comment=1, socket family, "family": comment=1, socket type, "type" case=or for all other conditions format=arg1:inet2 comment=1, file descriptor, "so": comment=socket address label=AUE_BRANDSYS # generic mechanism to allow user-space and kernel components of a brand # to communicate. The interpretation of the arguments to the call is # left entirely up to the brand. format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 comment=1, command, "cmd": comment=2, command args, "arg": comment=3, command args, "arg": comment=4, command args, "arg": comment=5, command args, "arg": comment=6, command args, "arg": comment=7, command args, "arg" label=AUE_BSMSYS skip=Not used. 
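label=AUE_CHDIR
format=path:[attr]
# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_succ
# attribute,40777,root,other,8388608,231558,0
# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
# return,success,0
# trailer,151
# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_fail
# attribute,40000,root,other,8388608,237646,0
# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,151
label=AUE_CHMOD
format=arg1:path:[attr]
comment=2, mode, "new file mode"
# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_succ
# attribute,100770,tuser10,other,8388608,243608,0
# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
# return,success,0
# trailer,173
# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_fail
# attribute,100600,root,other,8388608,243609,0
# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,173
label=AUE_CHOWN
# the sample records below carry path and attribute tokens after the
# two arguments, as does AUE_LCHOWN; the format must list them so
# auditrecord(8) describes the object the ownership change applies to.
format=arg1:arg2:path:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_succ
# attribute,100644,tuser10,other,8388608,268406,0
# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
# return,success,0
# trailer,193
# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_fail
# attribute,100644,root,other,8388608,268407,0
# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,193
label=AUE_CHROOT
format=path:[attr]
# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
# path,/
# attribute,40755,root,root,8388608,2,0
# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
# return,success,0
# trailer,104
# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
# path,/export/home/CC_final/icenine/arv/chroot/obj_fail
# attribute,40777,tuser10,other,8388608,335110,0
# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,152
label=AUE_CLOCK_SETTIME
format=kernel
label=AUE_CLOSE
format=arg1:[path]:[attr]
comment=1, file descriptor, "fd"
label=AUE_CONFIGKSSL
case=Adding KSSL entry.
format=text1:inaddr2:text3:text4
comment=opcode, KSSL_ADD_ENTRY:
comment=local IP address:
comment=SSL port number:
comment=proxy port number
case=Deleting KSSL entry.
format=text1:inaddr2:text3
comment=opcode, KSSL_DELETE_ENTRY:
comment=local IP address:
comment=SSL port number
label=AUE_CONNECT
# cases "no vnode" not fully confirmed
case=If there is no vnode for this file descriptor
case=If the socket address is not part of the AF_INET family
format=arg1:arg2:arg3
comment=1, file descriptor, "so":
comment=1, socket family, "family":
comment=1, socket type, "type"
case=If the socket address is part of the AF_INET family
format=arg1:inet2
comment=1, file descriptor, "so":
comment=socket address
label=AUE_CORE
syscall=none
title=process dumped core
see=none
format=path:[attr]:arg1
comment=1, signal, "signal"
# see uts/common/c2/audit.c
label=AUE_CREAT
# obsolete - see open(2)
format=path:[attr]
# does not match old BSM manual
# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
# path,/export/home/CC_final/icenine/arv/creat/obj_succ
# attribute,100644,tuser10,other,8388608,49679,0
# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
# return,success,8
# trailer,151
# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
# path,/devices/pseudo/mm@0:null
# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
# return,success,8
# trailer,107
# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
# path,/obj_fail
# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,83
label=AUE_CRYPTOADM
title=kernel cryptographic framework
format=text1:(0..n)[text]2
comment=cryptoadm command/operation:
comment=mechanism list
label=AUE_DOORFS
skip=Not used. (Place holder for set of door audit events.)
label=AUE_DOORFS_DOOR_BIND
skip=Not used.
syscall=doorfs: DOOR_BIND
label=AUE_DOORFS_DOOR_CALL
format=arg1:proc2
comment=1, door ID, "door ID":
comment=for process that owns the door
syscall=doorfs: DOOR_CALL
label=AUE_DOORFS_DOOR_CREATE
format=arg1
comment=1, door attributes, "door attr"
syscall=doorfs: DOOR_CREATE
label=AUE_DOORFS_DOOR_CRED
skip=Not used.
syscall=doorfs: DOOR_CRED
label=AUE_DOORFS_DOOR_INFO
skip=Not used.
syscall=doorfs: DOOR_INFO
label=AUE_DOORFS_DOOR_RETURN
format=kernel
syscall=doorfs: DOOR_RETURN
label=AUE_DOORFS_DOOR_REVOKE
format=arg1
comment=1, door ID, "door ID"
syscall=doorfs: DOOR_REVOKE
label=AUE_DOORFS_DOOR_UNBIND
skip=Not used.
syscall=doorfs: DOOR_UNBIND
label=AUE_DUP2
skip=Not used.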
label=AUE_ENTERPROM title=enter prom syscall=none format=head:text1:ret comment="kmdb" # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 # text,kmdb # return,success,0 label=AUE_EXEC # obsolete - see execve(2) format=path:[attr]1:[exec_args]2:[exec_env]3 comment=omitted on error: comment=output if argv policy is set: comment=output if arge policy is set label=AUE_EXECVE format=path:[attr]1:[exec_args]2:[exec_env]3 comment=omitted on error: comment=output if argv policy is set: comment=output if arge policy is set # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec # path,/devices/pseudo/mm@0:null # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 # return,success,8 # trailer,107 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec # path,/usr/bin/pig # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 # return,failure: No such file or directory,-1 # trailer,86 label=AUE_PFEXEC format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5 comment=pathname of the executable: comment=pathname of working directory: comment=privileges if the limit or inheritable set are changed: comment=process if ruid, euid, rgid or egid is changed: comment=output if arge policy is set label=AUE_sudo format=exec_args1:[text]2 comment=command args: comment=error message (failure only) label=AUE_EXIT format=arg1:[text]2 comment=1, exit status, "exit status": comment=event aborted label=AUE_EXITPROM title=exit prom syscall=none format=head:text1:ret comment="kmdb" # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 # text,kmdb # return,success,0 label=AUE_EXPORTFS skip=Not used. 
label=AUE_FACCESSAT # obsolete see=access(2) format=path:[attr] label=AUE_FACLSET syscall=facl case=Invalid file descriptor format=arg1:arg2 comment=2, SETACL, "cmd": comment=3, number of ACL entries, "nentries" case=Zero path format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 comment=2, SETACL, "cmd": comment=3, number of ACL entries, "nentries": comment=1, file descriptor, "no path: fd": comment=ACLs case=Non-zero path format=arg1:arg2:path:[attr]:(0..n)[acl]3 comment=2, SETACL, "cmd": comment=3, number of ACL entries, "nentries": comment=ACLs label=AUE_FCHDIR format=[path]:[attr] # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ # attribute,40777,tuser10,other,8388608,207662,0 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 # return,success,0 # trailer,150 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 # return,failure: Permission denied,-1 # trailer,68 label=AUE_FCHMOD case=With a valid file descriptor and path format=arg1:path:[attr] comment=2, mode, "new file mode" case=With a valid file descriptor and invalid path format=arg1:[arg]2:[attr] comment=2, mode, "new file mode": comment=1, file descriptor, "no path: fd" case=With an invalid file descriptor format=arg1 comment=2, mode, "new file mode" # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec # argument,2,0x1a4,new file mode # path,/export/home/CC/icenine/arv/fchmod/obj_succ # attribute,100644,tuser10,other,7602240,26092,0 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 # return,success,0 # trailer,168 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec # argument,2,0x1a4,new file mode # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 # return,failure: Bad file number,-1 # trailer,90 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 
msec # argument,2,0x1a4,new file mode # path,/export/home/CC/icenine/arv/fchmod/obj_fail # attribute,100644,root,other,7602240,26093,0 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 # return,failure: Not owner,-1 # trailer,168 label=AUE_FCHOWN case=With a valid file descriptor format=arg1:arg2:[path]:[attr] comment=2, uid, "new file uid": comment=3, gid, "new file gid" case=With an invalid file descriptor format=arg1:arg2:[arg]3:[attr] comment=2, uid, "new file uid": comment=3, gid, "new file gid": comment=1, file descriptor, "no path fd" label=AUE_FCHOWNAT # obsolete see=openat(2) case=With a valid absolute/relative file path format=path:[attr] case=With an file path eq. NULL and valid file descriptor format=kernel label=AUE_FCHROOT format=[path]:[attr] # fchroot -> chdirec -> audit_chdirec label=AUE_FCNTL case=With a valid file descriptor format=arg1:[arg]2:path:attr comment=2, command, "cmd": comment=3, flags, "flags" case=With an invalid file descriptor format=arg1:[arg]2:arg3 comment=2, command, "cmd": comment=3, flags, "flags": comment=1, file descriptor, "no path fd" note=Flags are included only when cmd is F_SETFL. label=AUE_FLOCK skip=Not used. label=AUE_FORKALL format=[arg]1 comment=0, pid, "child PID" note=The forkall(2) return values are undefined because the audit record note=is produced at the point that the child process is spawned. # see audit.c label=AUE_FORK1 format=[arg]1 comment=0, pid, "child PID" note=The fork1(2) return values are undefined because the audit record note=is produced at the point that the child process is spawned. # see audit.c label=AUE_FSAT # obsolete skip=Not used. (Placeholder for AUE_*AT records) label=AUE_FSTAT skip=Not used. label=AUE_FSTATAT # obsolete format=path:[attr] label=AUE_FSTATFS case=With a valid file descriptor format=[path]:[attr] case=With an invalid file descriptor format=arg1 comment=1, file descriptor, "no path fd" label=AUE_FTRUNCATE skip=Not used. 
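label=AUE_FUSERS
syscall=utssys: UTS_FUSERS
format=path:attr
label=AUE_FUTIMESAT
# obsolete
format=[path]:[attr]
label=AUE_GETAUDIT
format=kernel
# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_GETAUDIT_ADDR
format=kernel
# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
# return,success,0
label=AUE_GETAUID
format=kernel
# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_GETDENTS
skip=Not used.
#Not security relevant
label=AUE_GETKERNSTATE
skip=Not used.
label=AUE_GETMSG
case=With a valid file descriptor
format=arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
case=With an invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
label=AUE_GETPMSG
case=With a valid file descriptor
format=arg1:[path]:attr
comment=1, file descriptor, "fd"
case=With an invalid file descriptor
format=arg1
comment=1, file descriptor, "fd"
label=AUE_GETPORTAUDIT
# unused event: mark it with skip= like every other unused entry;
# "format=Not used." would be read as a literal token name, not as
# an instruction to leave the record out.
skip=Not used.
label=AUE_GETUSERAUDIT
skip=Not used.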
label=AUE_INST_SYNC format=arg1 comment=2, flags value, "flags" label=AUE_IOCTL case=With an invalid file descriptor format=arg1:arg2:arg3 comment=1, file descriptor, "fd": comment=2, command, "cmd": comment=3, arg, "arg" case=With a valid file descriptor format=path:[attr]:arg1:arg2 comment=2, ioctl cmd, "cmd": comment=3, ioctl arg, "arg" case=Non-file file descriptor format=arg1:arg2:arg3 comment=1, file descriptor, "fd": comment=2, ioctl cmd, "cmd": comment=3, ioctl arg, "arg" case=Bad file name format=arg1:arg2:arg3 comment=1, file descriptor, "no path: fd": comment=2, ioctl cmd, "cmd": comment=3, ioctl arg, "arg" # old BSM manual misses a case label=AUE_JUNK skip=Not used. label=AUE_KILL case=Valid process format=arg1:[proc] comment=2, signo, "signal" case=Zero or negative process format=arg1:arg2 comment=2, signo, "signal": comment=1, pid, "process" label=AUE_KILLPG skip=Not used. label=AUE_LCHOWN format=arg1:arg2:path:[attr] comment=2, uid, "new file uid": comment=3, gid, "new file gid" label=AUE_LINK format=path1:[attr]:path2 comment=from path: comment=to path label=AUE_LSEEK skip=Not used. label=AUE_LSTAT format=path:[attr] label=AUE_LXSTAT # obsolete skip=Not used. label=AUE_MCTL skip=Not used. 
label=AUE_MEMCNTL format=arg1:arg2:arg3:arg4:arg5:arg6 comment=1, base address, "base": comment=2, length, "len": comment=3, command, "cmd": comment=4, command args, "arg": comment=5, command attributes, "attr": comment=6, 0, "mask" label=AUE_MKDIR format=arg1:path:[attr] comment=2, mode, "mode" label=AUE_MKNOD format=arg1:arg2:path:[attr] comment=2, mode, "mode": comment=3, dev, "dev" label=AUE_MMAP case=With a valid file descriptor format=arg1:arg2:[path]3:[attr] comment=1, segment address, "addr": comment=2, segment address, "len": comment=if no path, then argument: \ 1, "nopath: fd", file descriptor case=With an invalid file descriptor format=arg1:arg2:arg3 comment=1, segment address, "addr": comment=2, segment address, "len": comment=1, file descriptor, "no path: fd" label=AUE_MODADDMAJ title=modctl: bind module syscall=modctl format=[text]1:[text]2:text3:arg4:(0..n)[text]5 comment=driver major number: comment=driver name: comment=driver major number or "no drvname": comment=5, number of aliases, "": comment=aliases label=AUE_MODADDPRIV format=kernel label=AUE_MODCONFIG skip=Not used. label=AUE_MODCTL skip=Not used. 
(placeholder) label=AUE_MODDEVPLCY syscall=modctl title=modctl: set device policy case=If unknown minor name/pattern format=arg1:arg2:arg3:arg4:arg5 comment=2, "major", major number: comment=2, "lomin", low minor number, if known: comment=2, "himin", hi minor number, if known: comment=privileges required for reading: comment=privileges required for writing case=else format=arg1:text2:arg3:arg4 comment=2, "major", major number: comment=minor name/pattern: comment=privileges required for reading: comment=privileges required for writing label=AUE_MODLOAD syscall=modctl title=modctl: load module format=[text]1:text2 comment=default path: comment=filename path label=AUE_MODUNLOAD syscall=modctl title=modctl: unload module format=arg1 comment=1, module ID, "id" label=AUE_MOUNT case=UNIX file system format=arg1:text2:path:[attr] comment=3, flags, "flags": comment=filesystem type case=NFS file system format=arg1:text2:text3:arg4:path:[attr] comment=3, flags, "flags": comment=filesystem type: comment=host name: comment=3, flags, "internal flags" # unix example: # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec # argument,3,0x104,flags # text,ufs # path,/var2 # attribute,40755,root,root,32,12160,0 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e # attribute,60640,root,sys,32,231268,137438953476 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy # return,success,4290707268 # ^^^^^^^^^^ <- bugid 4333559 label=AUE_MSGCTL format=arg1:[ipc]:[ipc_perm] comment=1, message ID, "msg ID" note=ipc_perm # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc label=AUE_MSGCTL_RMID format=arg1:[ipc]:[ipc_perm] comment=1, message ID, "msg ID" note=ipc_perm syscall=msgctl: IPC_RMID # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc label=AUE_MSGCTL_SET format=arg1:[ipc]:[ipc_perm] comment=1, message ID, "msg ID" note=ipc_perm syscall=msgctl: IPC_SET # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc label=AUE_MSGCTL_STAT format=arg1:[ipc]:[ipc_perm] comment=1, message ID, 
"msg ID" note=ipc_perm syscall=msgctl: IPC_STAT # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc label=AUE_MSGGET format=arg1:ipc comment=1, message key, "msg key" note=ipc_perm syscall=msgget label=AUE_MSGGETL skip=Not used. label=AUE_MSGRCV format=arg1:[ipc]:[ipc_perm] comment=1, message ID, "msg ID" note=ipc_perm syscall=msgrcv # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc label=AUE_MSGRCVL skip=Not used. label=AUE_MSGSND format=arg1:[ipc]:[ipc_perm] comment=1, message ID, "msg ID" note=ipc_perm syscall=msgsnd # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc label=AUE_MSGSNDL skip=Not used. label=AUE_MSGSYS skip=Not used. (Placeholder for AUE_MSG* events.) label=AUE_MUNMAP format=arg1:arg2 comment=1, address of memory, "addr": comment=2, memory segment size, "len" label=AUE_NFS skip=Not used. label=AUE_NFSSVC_EXIT skip=Not used. label=AUE_NFS_GETFH skip=Not used. label=AUE_NFS_SVC skip=Not used. label=AUE_NICE format=kernel label=AUE_NULL skip=Not used. (placeholder) # used internal to audit_event.c for minimal audit label=AUE_NTP_ADJTIME format=kernel label=AUE_ONESIDE skip=Not used. label=AUE_OPEN skip=Not used. (placeholder for AUE_OPEN_*). 
label=AUE_OPEN_R format=path:[path_attr]:[attr] see=open(2) - read label=AUE_OPENAT_R # obsolete format=path:[path_attr]:[attr] see=openat(2) label=AUE_OPEN_RC format=path:[path_attr]:[attr] see=open(2) - read,creat label=AUE_OPENAT_RC # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_RT format=path:[path_attr]:[attr] see=open(2) - read,trunc label=AUE_OPENAT_RT # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_RTC format=path:[path_attr]:[attr] see=open(2) - read,trunc,creat label=AUE_OPENAT_RTC # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_RW format=path:[path_attr]:[attr] see=open(2) - read,write label=AUE_OPENAT_RW # obsolete see=openat(2) format=path:[path_attr]:[attr] # aui_fsat(): fm & O_RDWR label=AUE_OPEN_RWC format=path:[path_attr]:[attr] see=open(2) - read,write,creat label=AUE_OPENAT_RWC # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_RWT format=path:[path_attr]:[attr] see=open(2) - read,write,trunc label=AUE_OPENAT_RWT # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_RWTC format=path:[path_attr]:[attr] see=open(2) - read,write,trunc,creat label=AUE_OPENAT_RWTC # obsolete see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_W format=path:[path_attr]:[attr] see=open(2) - write label=AUE_OPENAT_W see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_WC format=path:[path_attr]:[attr] see=open(2) - write,creat label=AUE_OPENAT_WC see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_WT format=path:[path_attr]:[attr] see=open(2) - write,trunc label=AUE_OPENAT_WT see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_WTC format=path:[path_attr]:[attr] see=open(2) - write,trunc,creat label=AUE_OPENAT_WTC see=openat(2) format=path:[path_attr]:[attr] label=AUE_OPEN_S format=path:[path_attr]:[attr] see=open(2) - search label=AUE_OPEN_E format=path:[path_attr]:[attr] see=open(2) - exec label=AUE_OSETPGRP skip=Not used. 
label=AUE_OSTAT # obsolete skip=Not used. label=AUE_PATHCONF format=path:[attr] label=AUE_PIPE format=kernel # class is no, not usually printed label=AUE_PORTFS skip=Not used (placeholder for AUE_PORTFS_*). label=AUE_PORTFS skip=Not used (placeholder for AUE_PORTFS_*). label=AUE_PORTFS_ASSOCIATE syscall=portfs see=port_associate(3C) case=Port association via PORT_SOURCE_FILE format=[path]1:attr comment=name of the file/directory to be watched label=AUE_PORTFS_DISSOCIATE syscall=portfs see=port_dissociate(3C) case=Port disassociation via PORT_SOURCE_FILE format=kernel label=AUE_PRIOCNTLSYS syscall=priocntl see=priocntl(2) format=arg1:arg2 comment=1, priocntl version number, "pc_version": comment=3, command, "cmd" label=AUE_PROCESSOR_BIND case=No LWP/thread bound to the processor format=arg1:arg2:text3:[proc] comment=1, type of ID, "ID type": comment=2, ID value, "ID": comment="PBIND_NONE" case=With processor bound format=arg1:arg2:arg3:[proc] comment=1, type of ID, "ID type": comment=2, ID value, "ID": comment=3, processor ID, "processor_id" label=AUE_PUTMSG see=putmsg(2) format=arg1:[path]:[attr]:arg2 comment=1, file descriptor, "fd": comment=4, priority, "pri" label=AUE_PUTPMSG see=putpmsg(2) format=arg1:[path]:[attr]:arg2:arg3 comment=1, file descriptor, "fd": comment=4, priority, "pri": comment=5, flags, "flags" label=AUE_P_ONLINE format=arg1:arg2:text3 comment=1, processor ID, "processor ID": comment=2, flags value, "flags": comment=text form of flags. Values: \ P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED label=AUE_QUOTACTL skip=Not used. label=AUE_READ skip=Not used. (Placeholder for AUE_READ_* events) label=AUE_READL skip=Not used. (Obsolete) label=AUE_READLINK format=path:[attr] label=AUE_READV skip=Not used (obsolete) # detritus from CMS label=AUE_READVL skip=Not used (obsolete) # detritus from CMS label=AUE_REBOOT skip=Not used. 
label=AUE_RECV case=If address family is AF_INET or AF_INET6 format=[arg]1:[inet] comment=1, file descriptor, "so" case=If address family is AF_UNIX and path is defined format=[path]1:[attr] comment=1, file descriptor, "so" case=If address family is AF_UNIX and path is NULL format=[path]1:[attr] comment=1, file descriptor, "no path: fd" case=If address family is other than AF_UNIX, AF_INET, AF_INET6 format=[arg]1:[arg]2:[arg]3 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type" # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) label=AUE_RECVFROM format=inet:arg1:[arg]2:inet3:arg4 comment=3, message length, "len": comment=4, flags, "flags": comment=from address: comment=6, address length, "tolen" note=The socket token for a bad socket is reported as "argument note=token (1, socket descriptor, "fd")" label=AUE_RECVMSG case=If invalid file descriptor format=arg1:arg2 comment=1, file descriptor, "so": comment=3, flags, "flags" case=If valid file descriptor and socket is AF_UNIX and no path format=arg1:[attr] comment=1, file descriptor, "no path: fd" case=If valid file descriptor and socket is AF_UNIX and path defined format=path:attr case=If valid file descriptor and socket is AF_INET or AF_INET6 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM format=arg1:arg2:inet comment=1, file descriptor, "so": comment=2, flags, "flags" case=.. if socket type is unknown format=arg1:arg2:arg3:arg4 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=3, flags, "flags" label=AUE_RENAME format=path1:[attr]1:[path]2 comment=from name: comment=to name label=AUE_RENAMEAT # obsolete format=path1:[attr]1:[path]2 comment=from name: comment=to name label=AUE_RFSSYS skip=Not used. 
# apparently replaced label=AUE_RMDIR format=path:[attr] label=AUE_SACL title=File Access Audit syscall=none see=none format=head:path:arg1:[text]2:subj comment="access_mask": comment="Windows SID" label=AUE_SEMCTL format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_GETALL format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: GETALL # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_GETNCNT format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: GETNCNT # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_GETPID format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: GETPID # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_GETVAL format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: GETVAL # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_GETZCNT format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: GETZCNT # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_RMID format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: IPC_RMID # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_SET format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: IPC_SET # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_SETALL format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: SETALL # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMCTL_SETVAL format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: SETVAL # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 
label=AUE_SEMCTL_STAT format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm syscall=semctl: IPC_STAT # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc label=AUE_SEMGET format=arg1:[ipc_perm]:ipc comment=1, semaphore ID, "sem key" note=ipc_perm syscall=semctl: SETVAL # ipc_perm token: semget -> audit_ipcget label=AUE_SEMGETL skip=Not used. label=AUE_SEMOP format=arg1:[ipc]:[ipc_perm] comment=1, semaphore ID, "sem ID" note=ipc_perm # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc label=AUE_SEMSYS skip=Not used. (place holder) -- defaults to a semget variant label=AUE_SEND case=If address family is AF_INET or AF_INET6 format=[arg]1:[inet] comment=1, file descriptor, "so" case=If address family is AF_UNIX and path is defined format=[path]1:[attr] comment=1, file descriptor, "so" case=If address family is AF_UNIX and path is NULL format=[path]1:[attr] comment=1, file descriptor, "no path: fd" case=If address family is other than AF_UNIX, AF_INET, AF_INET6 format=[arg]1:[arg]2:[arg]3 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type" # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) label=AUE_SENDMSG case=If invalid file descriptor format=arg1:arg2 comment=1, file descriptor, "so": comment=3, flags, "flags" case=If valid file descriptor case=...and address family is AF_UNIX and path is defined format=path:attr case=...and address family is AF_UNIX and path is NULL format=path1:attr comment=1, file descriptor, "nopath: fd" case=...and address family is AF_INET or AF_INET6, \ socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM format=arg1:arg2:inet comment=1, file descriptor, "so": comment=3, flags, "flags" case=...and unknown address family or address family AF_INET or AF_INET6 \ and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM format=arg1:arg2:arg3:arg4 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=1, flags, "flags" 
label=AUE_SENDTO case=If invalid file descriptor format=arg1:arg2 comment=1, file descriptor, "so": comment=3, flags, "flags" case=If valid file descriptor case=...and socket is AF_UNIX and path is defined format=path:attr case=...and address family is AF_UNIX and path is NULL format=path1:attr comment=1, file descriptor, "nopath: fd" case=...and address family is AF_INET or AF_INET6 format=arg1:arg2:inet comment=1, file descriptor, "so": comment=3, flags, "flags" case=...and unknown address family format=arg1:arg2:arg3:arg4 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=1, flags, "flags" label=AUE_SETAUDIT case=With a valid program stack address format=arg1:arg2:arg3:arg4:arg5:arg6 comment=1, audit user ID, "setaudit:auid": comment=1, terminal ID, "setaudit:port": comment=1, terminal ID, "setaudit:machine": comment=1, preselection mask, "setaudit:as_success": comment=1, preselection mask, "setaudit:as_failure": comment=1, audit session ID, "setaudit:asid" case=With an invalid program stack address format=kernel # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec # argument,1,0x271a,setaudit:auid # argument,1,0x3ff0201,setaudit:port # argument,1,0x8192591e,setaudit:machine # argument,1,0x400,setaudit:as_success # argument,1,0x400,setaudit:as_failure # argument,1,0x16f,setaudit:asid # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 # return,success,0 # trailer,215 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec # argument,1,0x271a,setaudit:auid # argument,1,0x3ff0201,setaudit:port # argument,1,0x8192591e,setaudit:machine # argument,1,0x400,setaudit:as_success # argument,1,0x400,setaudit:as_failure # argument,1,0x16f,setaudit:asid # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 # return,success,0 # trailer,215 label=AUE_SETAUDIT_ADDR case=With a valid program stack address format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 comment=1, audit user ID, 
"auid": comment=1, terminal ID, "port": comment=1, type, "type": comment=1, terminal ID, "ip address": comment=1, preselection mask, "as_success": comment=1, preselection mask, "as_failure": comment=1, audit session ID, "asid" case=With an invalid program stack address format=kernel # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec # argument,1,0x15fa7,auid # argument,1,0x0,port # argument,1,0x4,type # ip address,tmach2 # argument,1,0x9c00,as_success # argument,1,0x9c00,as_failure # argument,1,0x1f1,asid # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 # return,success,0 label=AUE_SETAUID format=arg1 comment=2, audit user ID, "setauid" label=AUE_SETDOMAINNAME skip=Not used. (See AUE_SYSINFO) # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN label=AUE_SETEGID format=arg1 comment=1, group ID, "gid" label=AUE_SETEUID format=arg1 comment=1, user ID, "euid" label=AUE_SETGID format=arg1 comment=1, group ID, "gid" label=AUE_SETGROUPS note=If more than NGROUPS_MAX_DEFAULT groups listed, note=no tokens are generated. case=If no groups in list format=[arg]1 comment=1, 0, "setgroups" case=If 1 or more groups in list format=(1..n)arg1 comment=1, gid, "setgroups" label=AUE_SETHOSTNAME skip=Not used. (See AUE_SYSINFO) # See sysinfo call with command SI_SET_HOSTNAME label=AUE_SETKERNSTATE skip=Not used. label=AUE_SETPGID format=[proc]:[arg]1 comment=2, pgid, "pgid" label=AUE_SETPGRP format=kernel label=AUE_SETPRIORITY skip=Not used. 
label=AUE_SETPPRIV case=operation privileges off format=arg1:privset2 comment=setppriv operation: comment=privileges actually switched off case=operation privileges on format=arg1:privset2 comment=setppriv operation: comment=privileges actually switched on case=operation privileges off format=arg1:privset2:privset3 comment=setppriv operation: comment=privileges before privset: comment=privileges after privset #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec #argument,2,0x2,op #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 #return,success,0 label=AUE_SETREGID format=arg1:arg2 comment=1, real group ID, "rgid": comment=2, effective group ID, "egid" label=AUE_SETREUID format=arg1:arg2 comment=1, real user ID, "ruid": comment=2, effective user ID, "euid" label=AUE_SETRLIMIT format=kernel # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 # return,success,0 label=AUE_SETSID format=kernel label=AUE_SETSOCKOPT case=Invalid file descriptor format=arg1:arg2 comment=1, file descriptor, "so": comment=2, level, "level" case=Valid file descriptor case=...and socket is AF_UNIX format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 comment=if no path, will be argument: 1, "nopath: fd", \ file descriptor: comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=2, protocol level, "level": comment=3, option name, "optname": comment=5, option length, "optlen": comment=option data case=...and socket is AF_INET or AF_INET6 format=arg1:arg2:arg3:[arg]4:[data]5:inet comment=1, file descriptor, "so": comment=2, protocol level, "level": comment=3, option name, "optname": comment=5, option length, "optlen": comment=option data case=...and socket address family is unknown
format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=2, protocol level, "level": comment=3, option name, "optname": comment=5, option length, "optlen": comment=option data label=AUE_SETTIMEOFDAY skip=Not used. label=AUE_SETUID syscall=setuid format=arg1 comment=1, "uid" to be set label=AUE_SETUSERAUDIT skip=Not used. label=AUE_SHMAT format=arg1:arg2:[ipc]:[ipc_perm] comment=1, shared memory ID, "shm ID": comment=2, shared mem addr, "shm addr" note=ipc_perm # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc label=AUE_SHMCTL format=arg1:[ipc]:[ipc_perm] comment=1, shared memory ID, "shm ID" note=ipc_perm # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc label=AUE_SHMCTL_RMID format=arg1:[ipc]:[ipc_perm] comment=1, shared memory ID, "shm ID" note=ipc_perm syscall=semctl: IPC_RMID # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc label=AUE_SHMCTL_SET format=arg1:[ipc]:[ipc_perm] comment=1, shared memory ID, "shm ID" note=ipc_perm syscall=semctl: IPC_SET # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc label=AUE_SHMCTL_STAT format=arg1:[ipc]:[ipc_perm] comment=1, shared memory ID, "shm ID" note=ipc_perm syscall=semctl: IPC_STAT # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc label=AUE_SHMDT format=arg1 comment=1, shared memory address, "shm adr" label=AUE_SHMGET format=arg1:[ipc_perm]:[ipc] comment=0, shared memory key, "shm key" note=ipc_perm # ipc_perm: shmget -> audit_ipcget label=AUE_SHMGETL skip=Not used. label=AUE_SHMSYS skip=Not used. 
(Placeholder for shmget and shmctl*) label=AUE_SHUTDOWN case=If the socket address is invalid format=[arg]1:[text]2:[text]3 comment=1, file descriptor, "fd": comment=bad socket address: comment=bad peer address case=If the socket address is part of the AF_INET family case=..with zero file descriptor format=arg1:[arg]2:[arg]3:[arg]4 comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=2, how shutdown code, "how" case=...with non-zero file descriptor format=arg1:arg2:inet comment=1, file descriptor, "so": comment=2, how shutdown code, "how" case=If the socket address is AF_UNIX case=...with zero file descriptor format=path1:arg2:[arg]3:[arg]4:[arg]5 comment=If error: argument: \ 1, "no path: fd", file descriptor: comment=1, file descriptor, "so": comment=1, family, "family": comment=1, type, "type": comment=2, how shutdown code, "how" case=...with non-zero file descriptor format=path1:arg2:arg3:inet comment=If error: argument: \ 1, file descriptor, "no path: fd": comment=1, file descriptor, "so": comment=2, how shutdown code, "how" #old BSM manual wrong; used audit_event.c label=AUE_SOCKACCEPT syscall=getmsg: socket accept format=inet:arg1:[path]:attr:arg2 comment=1, file descriptor, "fd": comment=4, priority, "pri" # see putmsg and getmsg for record format # See audit.c for inet token and audit_start.c for other reference label=AUE_SOCKCONFIG format=arg1:arg2:arg3:[path]4 comment=1, domain address, "domain": comment=2, type, "type": comment=3, protocol, "protocol": comment=If no path:argument -- 3, 0, "devpath" label=AUE_SOCKCONNECT syscall=putmsg: socket connect format=inet:arg1:[path]:attr:arg2 comment=1, file descriptor, "fd": comment=4, priority, "pri" # same as AUE_SOCKACCEPT label=AUE_SOCKET format=arg1:[arg]2:arg3 comment=1, socket domain, "domain": comment=2, socket type, "type": comment=3, socket protocol, "protocol" label=AUE_SOCKETPAIR skip=Not used. 
# unreferenced label=AUE_SOCKRECEIVE syscall=getmsg format=inet:arg1:[path]:attr:arg2 comment=1, file descriptor, "fd": comment=4, priority, "pri" # see AUE_SOCKACCEPT label=AUE_SOCKSEND syscall=putmsg format=inet:arg1:[path]:attr:arg2 comment=1, file descriptor, "fd": comment=4, priority, "pri" # see AUE_SOCKACCEPT label=AUE_STAT format=path:[attr] label=AUE_STATFS format=path:[attr] label=AUE_STATVFS format=path:[attr] label=AUE_STIME format=kernel label=AUE_SWAPON skip=Not used. label=AUE_SYMLINK format=path:text1:[attr] comment=symbolic link string label=AUE_SYSINFO note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands note=are currently audited. format=arg1:[text]2 comment=1, command, "cmd": comment=name label=AUE_SYSTEMBOOT title=system booted syscall=none format=head:text1 comment="booting kernel" # see audit_start.c and audit_io.c # no subject or return / exit token # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec # text,booting kernel label=AUE_TRUNCATE skip=Not used. label=AUE_UMOUNT syscall=umount: old version note=Implemented as call of the newer umount2(2). format=path:arg1:[path]:[attr] comment=2, mflag value = 0, "flags" label=AUE_UMOUNT2 syscall=umount2 format=path:arg1:[path]:[attr] comment=2, mflag value, "flags" label=AUE_UNLINK format=path:[attr] label=AUE_UNLINKAT # obsolete see=openat(2) format=path:[attr] label=AUE_UNMOUNT skip=Not used. label=AUE_UTIME # obsolete format=path:[attr] label=AUE_UTIMES see=futimens(2) format=path:[attr] label=AUE_VFORK format=arg1 comment=0, pid, "child PID" note=The vfork(2) return values are undefined because the audit record is note=produced at the point that the child process is spawned. label=AUE_VPIXSYS skip=Not used. label=AUE_VTRACE skip=Not used. label=AUE_WRITE format=path1:attr comment=if no path, argument -- 1, file descriptor, "no path: fd" note=An audit record is generated for write only once per file close. label=AUE_WRITEV skip=Not used.
(obsolete) label=AUE_XMKNOD # obsolete skip=Not used. label=AUE_XSTAT # obsolete skip=Not used. label=AUE_PF_POLICY_ADDRULE title=Add IPsec policy rule see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_PF_POLICY_DELRULE title=Delete IPsec policy rule see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_PF_POLICY_CLONE title=Clone IPsec policy see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_PF_POLICY_FLIP title=Flip IPsec policy see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_PF_POLICY_FLUSH title=Flush IPsec policy rules see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_PF_POLICY_ALGS title=Update IPsec algorithms see= syscall=none format=arg1:arg2:[zone]3:[text]4 comment=Operation applied to active policy (1 is active, 0 is inactive): comment=Operation applied to global policy (1 is global, 0 is tunnel): comment=affected zone: comment=Name of target tunnel label=AUE_allocate_fail program=/usr/sbin/allocate title=allocate: allocate-device
failure format=(0..n)[text]1 comment=command line arguments # see audit_allocate.c label=AUE_allocate_succ program=/usr/sbin/allocate title=allocate: allocate-device success format=(0..n)[text]1 comment=command line arguments # see audit_allocate.c label=AUE_at_create program=/usr/bin/at title=at: at-create crontab format=path label=AUE_at_delete program=/usr/bin/at title=at: at-delete atjob (at or atrm) format=text1:path comment="ancillary file:" filename or "bad format of at-job name" label=AUE_at_perm skip=Not used. # not referenced outside uevents.h label=AUE_create_user skip=Not used. label=AUE_cron_invoke program=/usr/sbin/cron title=cron: cron-invoke at or cron case=If issue with account find format=text1 comment="bad user" name or "user account expired" case=else format=text1:text2 comment="at-job", "batch-job", "crontab-job", "queue-job ()", \ or "unknown job type ()": comment=command label=AUE_crontab_create program=/usr/bin/crontab title=crontab: crontab created format=path # See audit_crontab.c label=AUE_crontab_delete program=/usr/bin/crontab title=crontab: crontab delete format=path # See audit_crontab.c label=AUE_crontab_mod program=/usr/bin/crontab title=crontab: crontab modify format=path # See audit_crontab.c label=AUE_crontab_perm skip=Not used. label=AUE_deallocate_fail program=/usr/sbin/deallocate title=deallocate-device failure format=(0..n)[text]1 comment=command line arguments # See audit_allocate.c label=AUE_deallocate_succ program=/usr/sbin/deallocate title=deallocate-device success format=(0..n)[text]1 comment=command line arguments # See audit_allocate.c label=AUE_delete_user skip=Not used. label=AUE_disable_user skip=Not used. label=AUE_enable_user skip=Not used. 
label=AUE_ftpd program=/usr/sbin/in.ftpd title=in.ftpd format=[text]1 comment=error message # See audit_ftpd label=AUE_ftpd_logout program=/usr/sbin/in.ftpd title=in.ftpd format=user # See audit_ftpd label=AUE_halt_solaris program=/usr/sbin/halt title=halt format=user # See audit_halt.c label=AUE_kadmind_auth format=text1:text2:text3 comment=Op: : comment=Arg: : comment=Client: # See audit_kadmin.c / common_audit() label=AUE_kadmind_unauth format=text1:text2:text3 comment=Op: : comment=Arg: : comment=Client: # See audit_kadmin.c / common_audit() label=AUE_krb5kdc_as_req format=text1:text2 comment=Client: : comment=Service: # See audit_krb5kdc.c / common_audit() label=AUE_krb5kdc_tgs_req format=text1:text2 comment=Client: : comment=Service: # See audit_krb5kdc.c / common_audit() label=AUE_krb5kdc_tgs_req_alt_tgt format=text1:text2 comment=Client: : comment=Service: # See audit_krb5kdc.c / common_audit() label=AUE_krb5kdc_tgs_req_2ndtktmm format=text1:text2 comment=Client: : comment=Service: # See audit_krb5kdc.c / common_audit() label=AUE_listdevice_fail title=allocate-list devices failure program=/usr/sbin/allocate format=(0..n)[text]1 comment=command line arguments # See audit_allocate.c label=AUE_listdevice_succ title=allocate-list devices success program=/usr/sbin/allocate format=(0..n)[text]1 comment=command line arguments # See audit_allocate.c label=AUE_modify_user skip=Not used. 
label=AUE_mountd_mount title=mountd: NFS mount program=/usr/lib/nfs/mountd see=mountd(8) format=text1:path2 comment=remote client hostname: comment=mount dir # See audit_mountd.c label=AUE_mountd_umount title=mountd: NFS unmount program=/usr/lib/nfs/mountd format=text1:path2 comment=remote client hostname: comment=mount dir # See audit_mountd.c label=AUE_poweroff_solaris program=/usr/sbin/poweroff title=poweroff format=user # See audit_halt.c label=AUE_reboot_solaris program=/usr/sbin/reboot title=reboot format=user # See audit_reboot.c # header,61,2,reboot(8),,Fri Nov 09 13:52:34 2001, + 726 msec # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2 # return,success,0 label=AUE_rexd program=/usr/sbin/rpc.rexd title=rpc.rexd format=[text]1:text2:text3:[text]4:[text]5 comment=error message (failure only): comment="Remote execution requested by:" hostname: comment="Username:" username: comment="User id:" user ID (failure only): comment="Command line:" command attempted # See audit_rexd.c label=AUE_rexecd program=/usr/sbin/rpc.rexecd title=rpc.rexecd format=[text]1:text2:text3:text4 comment=error message (failure only): comment="Remote execution requested by:" hostname: comment="Username:" username: comment="Command line:" command attempted # See audit_rexecd.c label=AUE_rshd program=/usr/sbin/in.rshd title=in.rshd format=text1:text2:[text]3:[text]4 comment="cmd" command: comment="remote user" remote user: comment="local user" local user: comment=failure message # See audit_rshd.c label=AUE_shutdown_solaris title=shutdown program=/usr/ucb/shutdown format=user # See audit_shutdown.c label=AUE_smserverd program=/usr/lib/smedia/rpc.smserverd format=[text]1:[text]2 comment=state change: comment=vid, pid, major/minor device # see usr/src/cmd/smserverd # code shows a third token, path, but it isn't implemented. label=AUE_uadmin_solaris title=uadmin (obsolete) program= see= format=text1:text2 comment=function code: comment=argument code # not used. 
Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml label=AUE_LABELSYS_TNRH title=config Trusted Network remote host cache see=tnrh(2) syscall=labelsys: TSOL_TNRH case=With the flush command (cmd=3) format=arg1 comment=1, command, "cmd" case=With the load (cmd=1) and delete (cmd=2) commands format=arg1:inaddr2:arg3 comment=1, command, "cmd": comment=ip address of host: comment=2, prefix length, "prefix len" label=AUE_LABELSYS_TNRHTP title=config Trusted Network remote host template see=tnrhtp(2) syscall=labelsys: TSOL_TNRHTP case=With the flush command (cmd=3) format=arg1 comment=1, command, "cmd" case=With the load (cmd=1) and delete (cmd=2) commands format=arg1:text2 comment=1, command, "cmd": comment=name of template label=AUE_LABELSYS_TNMLP title=config Trusted Network multi-level port entry see=tnmlp(2) syscall=labelsys: TSOL_TNMLP case=With the flush command (cmd=3) format=arg1:text2 comment=1, command, "cmd": comment="shared", or name of zone case=With the load (cmd=1) and delete (cmd=2) commands format=arg1:text2:arg3:arg4:[arg]5 comment=1, command, "cmd": comment="shared", or name of zone: comment=2, protocol number, "proto num": comment=2, starting mlp port number, "mlp_port": comment=2, ending mlp port number, "mlp_port_upper"