1 # audit_record_attr.txt
   2 # Lines starting with two "#" are comments that are copied to
   3 # audit_record_attr; other comments are removed.
   4 ##
   5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
   6 ## Copyright 2019 Joyent, Inc.
   7 ##
   8 ## CDDL HEADER START
   9 ##
  10 ## The contents of this file are subject to the terms of the
  11 ## Common Development and Distribution License (the "License").
  12 ## You may not use this file except in compliance with the License.
  13 ##
  14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  15 ## or http://www.opensolaris.org/os/licensing.
  16 ## See the License for the specific language governing permissions
  17 ## and limitations under the License.
  18 ##
  19 ## When distributing Covered Code, include this CDDL HEADER in each
  20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  21 ## If applicable, add the following below this CDDL HEADER, with the
  22 ## fields enclosed by brackets "[]" replaced with your own identifying
  23 ## information: Portions Copyright [yyyy] [name of copyright owner]
  24 ##
  25 ## CDDL HEADER END
  26 ##
  27 ##
  28 
  29 # source file for describing audit records.
  30 
  31 # This file is in two sections.  The first is a list of attribute /
  32 # value pairs that serve as shortcuts when annotating the audit
  33 # records.  The second holds the annotation for each audit record.
  34 
  35 # first section: general attributes
  36 
  37 # skipClass=<class name of items to skip if only in that class>
  38 # skipClass=no    # uncomment to filter unused events
  39 
  40 # token name abbreviations
  41 # token=alias:fullname  -- short names for key tokens
  42 
  43 token=arg:argument
  44 token=attr:attribute
  45 token=acl:acl_entry
  46 token=cmd:command
  47 token=data:data
  48 token=exec_args:exec_arguments
  49 token=exec_env:exec_environment
  50 token=group:group
  51 token=inaddr:ip_addr
  52 token=inet:socket
  53 token=ipc:ipc
  54 token=ipc_perm:ipc_perm
  55 token=newgroup:newgroups
  56 token=path:path
  57 token=path_attr:attribute_path
  58 token=privset:privilege
  59 token=proc:process
  60 token=text:text
  61 token=tid:terminal_adr
  62 token=uauth:use_of_authorization
  63 token=upriv:use_of_privilege
  64 token=user:user_object
  65 token=zone:zonename
  66 token=fmri:service_instance
  67 token=label:mandatory_label
  68 
  69 token=head:header
  70 token=subj:subject
  71 token=ret:return
  72 token=exit:exit
  73 
  74 # note names -- certain notes show up repeatedly; collected here
  75 #
  76 # To keep lines shorter than 80 characters, a note name (message=) can
  77 # be split across several lines; every line except the last one must
  78 # end with a backslash character.
  79 
  80 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
  81   the message ID is not valid.
  82 
  83 
  84 # basic record pattern ("insert" is where event-specific tokens
  85 # are listed.)
  86 
  87 kernel=head:insert:subj:[upriv]:ret
  88 user=head:subj:insert:ret
  89 
  90 # Second Section
  91 # Annotation Section
  92 #
  93 # Most audit records need annotation beyond what is provided by
  94 # the files audit_event and audit_class.  At a minimum, a record
  95 # is represented by a label and a format.
  96 #
  97 # label=record_id             like AUE_ACCEPT
  98 # format=token_alias
  99 #
 100 # There is no end line; a new label= ends the preceding definition
 101 # and starts the next.
 102 #
 103 # format values are a list of token names, separated by colons.  The
 104 # name is either one of the values described above (token=) or is
 105 # a value to be taken literally.  If a token name ends with a digit,
 106 # the digit is an index into an array of comments.  In the few cases
 107 # where there are no tokens (other than header, subject, return/exit),
 108 # use "format=kernel" or "format=user".
 109 #
 110 # comment is an array of strings separated by colons.  If comments
 111 # are listed on separate lines (recommended, because it keeps the
 112 # file readable and maintainable), every comment except the last
 113 # must end with a colon.  The array starts at 1.  (If a comment
 114 # contains a colon, write it as "&colon;" without the quotes.)
 115 #
 116 # case is used to generate alternate descriptions for a given
 117 # record.
 118 #
 119 # Constraints on string length: an annotation for one of the primitives
 120 # below that is longer than the limit given is silently truncated to
 121 # that limit by auditrecord(1M) at run time:
 122 #
 123 #     primitive <= max (non-truncated) string length
 124 #       case    <= unlimited; if necessary, text continues on a new line
 125 #       comment <= unlimited; if necessary, text continues on a new line
 126 #       label   <= 43
 127 #       note    <= unlimited; if necessary, text continues on a new line
 128 #       program <= 20
 129 #       see     <= 39
 130 #       syscall <= 20
 131 #       title   <= 46
 132 #       token   <= 28 (full name)
 133 #
 134 # To keep lines shorter than 80 characters, the unlimited primitives can
 135 # be split across several lines; every line except the last one must end
 136 # with a backslash character.  The "format=" record attribute follows
 137 # the same rule.
 138 #
 139 #
 140 # AUE_ACCEPT illustrates the use of all the above.  Note that
 141 # case is not nested; ellipsis (...) is used to give the effect
 142 # of nesting.
 143 
 144 label=AUE_ACCEPT
 145 #accept(2) failure
 146   case=Invalid socket file descriptor
 147     format=arg1
 148       comment=1, file descriptor, "so"
 149 #accept(2) non SOCK_STREAM socket
 150   case=If the socket address is not part of the AF_INET family
 151     format=arg1:arg2:arg3
 152       comment=1, "so", file descriptor:
 153       comment="family", so_family:
 154       comment="type", so_type
 155   case=If the socket address is part of the AF_INET family
 156     case=...If there is no vnode for this file descriptor
 157       format=[arg]1
 158         comment=1, file descriptor, "Bad so"
 159 #accept(2) SOCK_STREAM socket-not bound
 160     case=...or if the socket is not bound
 161       format=[arg]1:[inet]2
 162         comment=1, file descriptor, "so":
 163         comment=local/foreign address (0.0.0.0)
 164     case=...or if the socket address length = 0
 165       format=[arg]1:[inet]2
 166         comment=1, file descriptor, "so":
 167         comment=local/foreign address (0.0.0.0)
 168     case=...or for all other conditions
 169       format=inet1:[inet]1
 170         comment=socket address
 171 #accept(2) failure
 172 #       header
 173 #       au_to_arg32     "so",file descriptor
 174 #       subject
 175 #       return  <errno != 0>
 176 #
 177 #accept(2) non SOCK_STREAM socket
 178 #       header
 179 #       au_to_arg32     "so", file descriptor
 180 #       au_to_arg32     "family", so_family
 181 #       au_to_arg32     "type", so_type
 182 #       subject
 183 #       return success
 184 #
 185 #accept(2) SOCK_STREAM socket-not bound
 186 #       header
 187 #       au_to_arg32     "so", file descriptor
 188 #       au_to_socket_ex local/foreign address (0.0.0.0)
 189 #       subject
 190 #       return success
 191 #
 192 #accept(2) SOCK_STREAM socket-bound
 193 #       header
 194 #       au_to_arg32     "so", file descriptor
 195 #       au_to_socket_ex
 196 #       subject
 197 #       return success
 198 
 199 
 200 
 201 label=AUE_ACCESS
 202   format=path1:[attr]
 203     comment=may be truncated in failure case
 204 #       header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
 205 #       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
 206 #       attribute,100777,41416,staff,8388608,402255,0
 207 #       subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
 208 #       return,success,0
 209 #       trailer,163
 210 #
 211 #       header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
 212 #       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
 213 #       attribute,100000,root,other,8388608,402257,0
 214 #       subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
 215 #       return,failure: Permission denied,-1
 216 #       trailer,163
 217 #
 218 #       header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
 219 #       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
 220 #       subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
 221 #       return,failure: No such file or directory,-1
 222 #       trailer,135
 223 
 224 label=AUE_ACCT
 225   case=Zero path
 226     format=arg1
 227       comment=1, 0, "accounting off"
 228   case=Non-zero path
 229     format=path1:[attr]2
 230       comment=may be truncated in failure case:
 231       comment=omitted if failure
 232 
 233 label=AUE_ACLSET
 234   syscall=acl
 235   format=arg1:arg2:(0..n)[acl]3
 236     comment=2, SETACL, "cmd":
 237     comment=3, number of ACL entries, "nentries":
 238     comment=Access Control List entries
 239 
 240 label=AUE_ADJTIME
 241   format=kernel
 242 
 243 label=AUE_ASYNC_DAEMON
 244   skip=Not used
 245 
 246 label=AUE_ASYNC_DAEMON_EXIT
 247   skip=Not used
 248 
 249 label=AUE_AUDIT
 250   skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)
 251 
 252 label=AUE_AUDITON
 253   skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)
 254 
 255 label=AUE_AUDITON_GESTATE
 256   skip=Not used
 257 
 258 label=AUE_AUDITON_GETAMASK
 259   format=kernel
 260   syscall=auditon: GETAMASK
 261 
 262 label=AUE_AUDITON_GETCAR
 263   format=kernel
 264   syscall=auditon: GETCAR
 265 #       header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
 266 #       subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
 267 #       return,success,0
 268 #       trailer,68
 269 
 270 label=AUE_AUDITON_GETCLASS
 271   format=kernel
 272   syscall=auditon: GETCLASS
 273 #       header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
 274 #       subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
 275 #       return,success,0
 276 #       trailer,68
 277 
 278 label=AUE_AUDITON_GETCOND
 279   format=kernel
 280   syscall=auditon: GETCOND
 281 #       header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
 282 #       subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
 283 #       return,success,0
 284 #       trailer,68
 285 
 286 label=AUE_AUDITON_GETCWD
 287   format=kernel
 288   syscall=auditon: GETCWD
 289 #       header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
 290 #       subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
 291 #       return,success,0
 292 #       trailer,68
 293 
 294 label=AUE_AUDITON_GETKMASK
 295   format=kernel
 296   syscall=auditon: GETKMASK
 297 #       header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
 298 #       subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
 299 #       return,success,0
 300 #       trailer,68
 301 
 302 label=AUE_AUDITON_GETSTAT
 303   format=kernel
 304   syscall=auditon: A_GETSTAT
 305 #       header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
 306 #       subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
 307 #       return,success,0
 308 #       trailer,68
 309 
 310 label=AUE_AUDITON_GPOLICY
 311   format=kernel
 312   syscall=auditon: GPOLICY
 313 #       header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
 314 #       subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
 315 #       return,success,0
 316 #       trailer,68
 317 
 318 label=AUE_AUDITON_GQCTRL
 319   format=kernel
 320   syscall=auditon: GQCTRL
 321 #       header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
 322 #       subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
 323 #       return,success,0
 324 #       trailer,68
 325 
 326 
 327 label=AUE_AUDITON_GTERMID
 328   skip=Not used.
 329 
 330 label=AUE_AUDITON_SESTATE
 331   skip=Not used.
 332 
 333 label=AUE_AUDITON_SETAMASK
 334   format=[arg]1:[arg]2
 335     comment=2, "setamask as_success", user default audit preselection mask:
 336     comment=2, "setamask as_failure", user default audit preselection mask
 337   syscall=auditon: SETAMASK
 338 
 339 label=AUE_AUDITON_SETCLASS
 340   format=[arg]1:[arg]2
 341     comment=2, "setclass&colon;ec_event", event number:
 342     comment=3, "setclass&colon;ec_class", class mask
 343   syscall=auditon: SETCLASS
 344 #       header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
 345 #       argument,2,0x0,setclass:ec_event
 346 #       argument,3,0x0,setclass:ec_class
 347 #       subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
 348 #       return,success,0
 349 #       trailer,120
 350 
 351 label=AUE_AUDITON_SETCOND
 352   format=[arg]1
 353     comment=3, "setcond", audit state
 354   syscall=auditon: SETCOND
 355 
 356 label=AUE_AUDITON_SETKMASK
 357   format=[arg]1:[arg]2
 358     comment=2, "setkmask as_success", kernel non-attributable mask:
 359     comment=2, "setkmask as_failure", kernel non-attributable mask
 360   syscall=auditon: SETKMASK
 361 #       header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
 362 #       argument,2,0x0,setkmask:as_success
 363 #       argument,2,0x0,setkmask:as_failure
 364 #       subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
 365 #       return,success,0
 366 #       trailer,124
 367 #       header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
 368 #       argument,2,0x0,setkmask:as_success
 369 #       argument,2,0x0,setkmask:as_failure
 370 #       subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
 371 #       return,failure: Not owner,-1
 372 #       trailer,124
 373 
 374 label=AUE_AUDITON_SETSMASK
 375   format=[arg]1:[arg]2
 376     comment=3, "setsmask&colon;as_success", session ID mask:
 377     comment=3, "setsmask&colon;as_failure", session ID mask
 378   syscall=auditon: SETSMASK
 379 #       header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
 380 #       argument,3,0x400,setsmask:as_success
 381 #       argument,3,0x400,setsmask:as_failure
 382 #       subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
 383 #       return,success,0
 384 #       trailer,124
 385 #       header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
 386 #       argument,3,0x400,setsmask:as_success
 387 #       argument,3,0x400,setsmask:as_failure
 388 #       subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
 389 #       return,failure: Not owner,-1
 390 #       trailer,124
 391 
 392 label=AUE_AUDITON_SETSTAT
 393   format=kernel
 394   syscall=auditon: SETSTAT
 395 #       header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
 396 #       subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
 397 #       return,success,0
 398 #       trailer,68
 399 #       header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
 400 #       subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
 401 #       return,failure: Not owner,-1
 402 #       trailer,68
 403 
 404 label=AUE_AUDITON_SETUMASK
 405   format=[arg]1:[arg]2
 406     comment=3, "setumask&colon;as_success", audit ID mask:
 407     comment=3, "setumask&colon;as_failure", audit ID mask
 408   syscall=auditon: SETUMASK
 409 #       header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
 410 #       argument,3,0x400,setumask:as_success
 411 #       argument,3,0x400,setumask:as_failure
 412 #       subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
 413 #       return,success,0
 414 #       trailer,124
 415 #       header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
 416 #       argument,3,0x400,setumask:as_success
 417 #       argument,3,0x400,setumask:as_failure
 418 #       subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
 419 #       return,failure: Not owner,-1
 420 #       trailer,124
 421 
 422 label=AUE_AUDITON_SPOLICY
 423   format=[arg]1
 424     comment=1, audit policy flags, "setpolicy"
 425   syscall=auditon: SPOLICY
 426 #       header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
 427 #       argument,3,0x200,setpolicy
 428 #       subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
 429 #       return,success,0
 430 #       trailer,86
 431 #       header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
 432 #       argument,3,0x200,setpolicy
 433 #       subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
 434 #       return,failure: Not owner,-1
 435 #       trailer,86
 436 
 437 label=AUE_AUDITON_SQCTRL
 438   format=[arg]1:[arg]2:[arg]3:[arg]4
 439     comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
 440     comment=3, "setqctrl&colon;aq_lowater", queue control param.:
 441     comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
 442     comment=3, "setqctrl&colon;aq_delay", queue control param.
 443   syscall=auditon: SQCTRL
 444 #       header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
 445 #       argument,3,0x64,setqctrl:aq_hiwater
 446 #       argument,3,0xa,setqctrl:aq_lowater
 447 #       argument,3,0x400,setqctrl:aq_bufsz
 448 #       argument,3,0x14,setqctrl:aq_delay
 449 #       subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
 450 #       return,success,0
 451 #       trailer,176
 452 #       header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
 453 #       argument,3,0x64,setqctrl:aq_hiwater
 454 #       argument,3,0xa,setqctrl:aq_lowater
 455 #       argument,3,0x400,setqctrl:aq_bufsz
 456 #       argument,3,0x14,setqctrl:aq_delay
 457 #       subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
 458 #       return,failure: Not owner,-1
 459 #       trailer,176
 460 
 461 label=AUE_AUDITON_STERMID
 462   skip=Not used.
 463 
 464 label=AUE_AUDITSTAT
 465   skip=Not used.
 466 
 467 label=AUE_AUDITSVC
 468   skip=Not used.
 469 
 470 label=AUE_AUDITSYS
 471   skip=Not used. (Place holder for various auditing events.)
 472 
 473 label=AUE_BIND
 474 # Differs from the documented version.
 475 # The "no vnode" cases are not fully confirmed.
 476 # The family and type arguments still need an argument number.
 477   case=Invalid socket handle
 478     format=arg1
 479       comment=1, file descriptor, "so"
 480   case=If there is no vnode for this file descriptor
 481   case=or if the socket is not of the AF_INET family
 482     format=arg1:arg2:arg3
 483       comment=1, file descriptor, "so":
 484       comment=1, socket family, "family":
 485       comment=1, socket type, "type"
 486   case=or for all other conditions
 487     format=arg1:inet2
 488       comment=1, file descriptor, "so":
 489       comment=socket address
 490 
 491 label=AUE_BRANDSYS
 492 # generic mechanism to allow user-space and kernel components of a brand
 493 # to communicate.  The interpretation of the arguments to the call is
 494 # left entirely up to the brand.
 495   format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
 496     comment=1, command, "cmd":
 497     comment=2, command args, "arg":
 498     comment=3, command args, "arg":
 499     comment=4, command args, "arg":
 500     comment=5, command args, "arg":
 501     comment=6, command args, "arg":
 502     comment=7, command args, "arg"
 503 
 504 label=AUE_BSMSYS
 505   skip=Not used.
 506 
 507 label=AUE_CHDIR
 508   format=path:[attr]
 509 #       header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
 510 #       path,/export/home/CC_final/icenine/arv/chdir/obj_succ
 511 #       attribute,40777,root,other,8388608,231558,0
 512 #       subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
 513 #       return,success,0
 514 #       trailer,151
 515 #       header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
 516 #       path,/export/home/CC_final/icenine/arv/chdir/obj_fail
 517 #       attribute,40000,root,other,8388608,237646,0
 518 #       subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
 519 #       return,failure: Permission denied,-1
 520 #       trailer,151
 521 
 522 label=AUE_CHMOD
 523   format=arg1:path:[attr]
 524     comment=2, mode, "new file mode"
 525 #       header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
 526 #       argument,2,0x1f8,new file mode
 527 #       path,/export/home/CC_final/icenine/arv/chmod/obj_succ
 528 #       attribute,100770,tuser10,other,8388608,243608,0
 529 #       subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
 530 #       return,success,0
 531 #       trailer,173
 532 #       header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
 533 #       argument,2,0x1f8,new file mode
 534 #       path,/export/home/CC_final/icenine/arv/chmod/obj_fail
 535 #       attribute,100600,root,other,8388608,243609,0
 536 #       subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
 537 #       return,failure: Not owner,-1
 538 #       trailer,173
 539 
 540 label=AUE_CHOWN
 541   format=arg1:arg2
 542     comment=2, uid, "new file uid":
 543     comment=3, gid, "new file gid"
 544 #       header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
 545 #       argument,2,0x271a,new file uid
 546 #       argument,3,0xffffffff,new file gid
 547 #       path,/export/home/CC_final/icenine/arv/chown/obj_succ
 548 #       attribute,100644,tuser10,other,8388608,268406,0
 549 #       subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
 550 #       return,success,0
 551 #       trailer,193
 552 #       header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
 553 #       argument,2,0x271a,new file uid
 554 #       argument,3,0xffffffff,new file gid
 555 #       path,/export/home/CC_final/icenine/arv/chown/obj_fail
 556 #       attribute,100644,root,other,8388608,268407,0
 557 #       subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
 558 #       return,failure: Not owner,-1
 559 #       trailer,193
 560 
 561 label=AUE_CHROOT
 562   format=path:[attr]
 563 #       header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
 564 #       path,/
 565 #       attribute,40755,root,root,8388608,2,0
 566 #       subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
 567 #       return,success,0
 568 #       trailer,104
 569 #       header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
 570 #       path,/export/home/CC_final/icenine/arv/chroot/obj_fail
 571 #       attribute,40777,tuser10,other,8388608,335110,0
 572 #       subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
 573 #       return,failure: Not owner,-1
 574 #       trailer,152
 575 
 576 label=AUE_CLOCK_SETTIME
 577   format=kernel
 578 
 579 label=AUE_CLOSE
 580   format=arg1:[path]:[attr]
 581     comment=1, file descriptor, "fd"
 582 
 583 label=AUE_CONFIGKSSL
 584   case=Adding KSSL entry.
 585     format=text1:inaddr2:text3:text4
 586       comment=opcode, KSSL_ADD_ENTRY:
 587       comment=local IP address:
 588       comment=SSL port number:
 589       comment=proxy port number
 590   case=Deleting KSSL entry.
 591     format=text1:inaddr2:text3
 592       comment=opcode, KSSL_DELETE_ENTRY:
 593       comment=local IP address:
 594       comment=SSL port number
 595 
 596 label=AUE_CONNECT
 597 # The "no vnode" cases are not fully confirmed.
 598   case=If there is no vnode for this file descriptor
 599   case=If the socket address is not part of the AF_INET family
 600     format=arg1:arg2:arg3
 601       comment=1, file descriptor, "so":
 602       comment=1, socket family, "family":
 603       comment=1, socket type, "type"
 604   case=If the socket address is part of the AF_INET family
 605     format=arg1:inet2
 606       comment=1, file descriptor, "so":
 607       comment=socket address
 608 
 609 label=AUE_CORE
 610   syscall=none
 611   title=process dumped core
 612   see=none
 613   format=path:[attr]:arg1
 614     comment=1, signal, "signal"
 615 # see uts/common/c2/audit.c
 616 
 617 label=AUE_CREAT
 618 # obsolete - see open(2)
 619   format=path:[attr]
 620 # does not match old BSM manual
 621 #       header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
 622 #       path,/export/home/CC_final/icenine/arv/creat/obj_succ
 623 #       attribute,100644,tuser10,other,8388608,49679,0
 624 #       subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
 625 #       return,success,8
 626 #       trailer,151
 627 #       header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
 628 #       path,/devices/pseudo/mm@0:null
 629 #       subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
 630 #       return,success,8
 631 #       trailer,107
 632 #       header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
 633 #       path,/obj_fail
 634 #       subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
 635 #       return,failure: Permission denied,-1
 636 #       trailer,83
 637 
 638 label=AUE_CRYPTOADM
 639   title=kernel cryptographic framework
 640   format=text1:(0..n)[text]2
 641   comment=cryptoadm command/operation:
 642   comment=mechanism list
 643 
 644 label=AUE_DOORFS
 645   skip=Not used.  (Place holder for set of door audit events.)
 646 
 647 label=AUE_DOORFS_DOOR_BIND
 648   skip=Not used.
 649   syscall=doorfs:  DOOR_BIND
 650 
 651 label=AUE_DOORFS_DOOR_CALL
 652   format=arg1:proc2
 653     comment=1, door ID, "door ID":
 654     comment=for process that owns the door
 655   syscall=doorfs:  DOOR_CALL
 656 
 657 label=AUE_DOORFS_DOOR_CREATE
 658   format=arg1
 659     comment=1, door attributes, "door attr"
 660   syscall=doorfs:  DOOR_CREATE
 661 
 662 label=AUE_DOORFS_DOOR_CRED
 663   skip=Not used.
 664   syscall=doorfs:  DOOR_CRED
 665 
 666 label=AUE_DOORFS_DOOR_INFO
 667   skip=Not used.
 668   syscall=doorfs:  DOOR_INFO
 669 
 670 label=AUE_DOORFS_DOOR_RETURN
 671   format=kernel
 672   syscall=doorfs:  DOOR_RETURN
 673 
 674 label=AUE_DOORFS_DOOR_REVOKE
 675   format=arg1
 676     comment=1, door ID, "door ID"
 677   syscall=doorfs:  DOOR_REVOKE
 678 
 679 label=AUE_DOORFS_DOOR_UNBIND
 680   skip=Not used.
 681   syscall=doorfs:  DOOR_UNBIND
 682 
 683 label=AUE_DUP2
 684 skip=Not used.
 685 
 686 label=AUE_ENTERPROM
 687   title=enter prom
 688   syscall=none
 689   format=head:text1:ret
 690     comment="kmdb"
 691 #       header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
 692 #       text,kmdb
 693 #       return,success,0
 694 
 695 label=AUE_EXEC
 696 # obsolete - see execve(2)
 697   format=path:[attr]1:[exec_args]2:[exec_env]3
 698     comment=omitted on error:
 699     comment=output if argv policy is set:
 700     comment=output if arge policy is set
 701 
 702 label=AUE_EXECVE
 703   format=path:[attr]1:[exec_args]2:[exec_env]3
 704     comment=omitted on error:
 705     comment=output if argv policy is set:
 706     comment=output if arge policy is set
 707 #       header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
 708 #       path,/devices/pseudo/mm@0:null
 709 #       subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
 710 #       return,success,8
 711 #       trailer,107
 712 #       header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
 713 #       path,/usr/bin/pig
 714 #       subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
 715 #       return,failure: No such file or directory,-1
 716 #       trailer,86
 717 
 718 label=AUE_PFEXEC
 719   format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
 720     comment=pathname of the executable:
 721     comment=pathname of working directory:
 722     comment=privileges if the limit or inheritable set are changed:
 723     comment=process if ruid, euid, rgid or egid is changed:
 724     comment=output if arge policy is set
 725 
 726 label=AUE_sudo
 727   format=exec_args1:[text]2
 728     comment=command args:
 729     comment=error message (failure only)
 730 
 731 label=AUE_EXIT
 732   format=arg1:[text]2
 733     comment=1, exit status, "exit status":
 734     comment=event aborted
 735 
 736 label=AUE_EXITPROM
 737   title=exit prom
 738   syscall=none
 739   format=head:text1:ret
 740     comment="kmdb"
 741 #       header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
 742 #       text,kmdb
 743 #       return,success,0
 744 
 745 label=AUE_EXPORTFS
 746   skip=Not used.
 747 
 748 label=AUE_FACCESSAT
 749 # obsolete
 750   see=access(2)
 751   format=path:[attr]
 752 
 753 label=AUE_FACLSET
 754   syscall=facl
 755   case=Invalid file descriptor
 756     format=arg1:arg2
 757       comment=2, SETACL, "cmd":
 758       comment=3, number of ACL entries, "nentries"
 759   case=Zero path
 760     format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
 761       comment=2, SETACL, "cmd":
 762       comment=3, number of ACL entries, "nentries":
 763       comment=1, file descriptor, "no path&colon; fd":
 764       comment=ACLs
 765   case=Non-zero path
 766     format=arg1:arg2:path:[attr]:(0..n)[acl]3
 767       comment=2, SETACL, "cmd":
 768       comment=3, number of ACL entries, "nentries":
 769       comment=ACLs
 770 
 771 label=AUE_FCHDIR
 772   format=[path]:[attr]
 773 #       header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
 774 #       path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
 775 #       attribute,40777,tuser10,other,8388608,207662,0
 776 #       subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
 777 #       return,success,0
 778 #       trailer,150
 779 #       header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
 780 #       subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
 781 #       return,failure: Permission denied,-1
 782 #       trailer,68
 783 
 784 label=AUE_FCHMOD
 785   case=With a valid file descriptor and path
 786     format=arg1:path:[attr]
 787       comment=2, mode, "new file mode"
 788   case=With a valid file descriptor and invalid path
 789     format=arg1:[arg]2:[attr]
 790       comment=2, mode, "new file mode":
 791       comment=1, file descriptor, "no path&colon; fd"
 792   case=With an invalid file descriptor
 793     format=arg1
 794       comment=2, mode, "new file mode"
 795 #       header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
 796 #       argument,2,0x1a4,new file mode
 797 #       path,/export/home/CC/icenine/arv/fchmod/obj_succ
 798 #       attribute,100644,tuser10,other,7602240,26092,0
 799 #       subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
 800 #       return,success,0
 801 #       trailer,168
 802 #       header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
 803 #       argument,2,0x1a4,new file mode
 804 #       subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
 805 #       return,failure: Bad file number,-1
 806 #       trailer,90
 807 #       header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
 808 #       argument,2,0x1a4,new file mode
 809 #       path,/export/home/CC/icenine/arv/fchmod/obj_fail
 810 #       attribute,100644,root,other,7602240,26093,0
 811 #       subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
 812 #       return,failure: Not owner,-1
 813 #       trailer,168
 814 
 815 label=AUE_FCHOWN
 816   case=With a valid file descriptor
 817     format=arg1:arg2:[path]:[attr]
 818       comment=2, uid, "new file uid":
 819       comment=3, gid, "new file gid"
 820   case=With an invalid file descriptor
 821     format=arg1:arg2:[arg]3:[attr]
 822        comment=2, uid, "new file uid":
 823        comment=3, gid, "new file gid":
 824        comment=1, file descriptor, "no path fd"
 825 
 826 label=AUE_FCHOWNAT
 827 # obsolete
 828   see=openat(2)
 829   case=With a valid absolute/relative file path
 830     format=path:[attr]
 831   case=With a file path eq. NULL and valid file descriptor
 832     format=kernel
 833 
 834 label=AUE_FCHROOT
 835   format=[path]:[attr]
 836 # fchroot -> chdirec -> audit_chdirec
 837 
 838 label=AUE_FCNTL
 839   case=With a valid file descriptor
 840     format=arg1:[arg]2:path:attr
 841       comment=2, command, "cmd":
 842       comment=3, flags, "flags"
 843   case=With an invalid file descriptor
 844     format=arg1:[arg]2:arg3
 845       comment=2, command, "cmd":
 846       comment=3, flags, "flags":
 847       comment=1, file descriptor, "no path fd"
 848   note=Flags are included only when cmd is F_SETFL.
 849 
 850 label=AUE_FLOCK
 851   skip=Not used.
 852 
 853 label=AUE_FORKALL
 854   format=[arg]1
 855     comment=0, pid, "child PID"
 856   note=The forkall(2) return values are undefined because the audit record
 857   note=is produced at the point that the child process is spawned.
 858 # see audit.c
 859 
 860 label=AUE_FORK1
 861   format=[arg]1
 862     comment=0, pid, "child PID"
 863   note=The fork1(2) return values are undefined because the audit record
 864   note=is produced at the point that the child process is spawned.
 865 # see audit.c
 866 
 867 label=AUE_FSAT
 868 # obsolete
 869   skip=Not used.  (Placeholder for AUE_*AT records)
 870 
 871 label=AUE_FSTAT
 872   skip=Not used.
 873 
 874 label=AUE_FSTATAT
 875 # obsolete
 876   format=path:[attr]
 877 
 878 label=AUE_FSTATFS
 879   case=With a valid file descriptor
 880     format=[path]:[attr]
 881   case=With an invalid file descriptor
 882     format=arg1
 883       comment=1, file descriptor, "no path fd"
 884 
 885 label=AUE_FTRUNCATE
 886   skip=Not used.
 887 
 888 label=AUE_FUSERS
 889   syscall=utssys: UTS_FUSERS
 890   format=path:attr
 891 
 892 label=AUE_FUTIMESAT
 893 # obsolete
 894   format=[path]:[attr]
 895 
 896 label=AUE_GETAUDIT
 897   format=kernel
 898 #       header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
 899 #       subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
 900 #       return,success,0
 901 #       trailer,68
 902 #       header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
 903 #       subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
 904 #       return,success,0
 905 #       trailer,68
 906 
 907 label=AUE_GETAUDIT_ADDR
 908   format=kernel
 909 #       header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
 910 #       subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
 911 #       return,success,0
 912 
 913 label=AUE_GETAUID
 914   format=kernel
 915 #       header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
 916 #       subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
 917 #       return,success,0
 918 #       trailer,68
 919 #       header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
 920 #       subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
 921 #       return,failure: Not owner,-1
 922 #       trailer,68
 923 
 924 label=AUE_GETDENTS
 925   skip=Not used.
 926 #Not security relevant
 927 
 928 label=AUE_GETKERNSTATE
 929   skip=Not used.
 930 
 931 label=AUE_GETMSG
 932   case=With a valid file descriptor
 933   format=arg1:[path]:attr:arg2
 934     comment=1, file descriptor, "fd":
 935     comment=4, priority, "pri"
 936   case=With an invalid file descriptor
 937   format=arg1:arg2
 938     comment=1, file descriptor, "fd":
 939     comment=4, priority, "pri"
 940 
 941 label=AUE_GETPMSG
 942   case=With a valid file descriptor
 943   format=arg1:[path]:attr
 944     comment=1, file descriptor, "fd"
 945   case=With an invalid file descriptor
 946   format=arg1
 947     comment=1, file descriptor, "fd"
 948 
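 949 label=AUE_GETPORTAUDIT
 950   skip=Not used.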
 951 
 952 label=AUE_GETUSERAUDIT
 953   skip=Not used.
 954 
 955 label=AUE_INST_SYNC
 956   format=arg1
 957     comment=2, flags value, "flags"
 958 
 959 label=AUE_IOCTL
 960   case=With an invalid file descriptor
 961     format=arg1:arg2:arg3
 962       comment=1, file descriptor, "fd":
 963       comment=2, command, "cmd":
 964       comment=3, arg, "arg"
 965   case=With a valid file descriptor
 966     format=path:[attr]:arg1:arg2
 967       comment=2, ioctl cmd, "cmd":
 968       comment=3, ioctl arg, "arg"
 969   case=Non-file file descriptor
 970     format=arg1:arg2:arg3
 971       comment=1, file descriptor, "fd":
 972       comment=2, ioctl cmd, "cmd":
 973       comment=3, ioctl arg, "arg"
 974   case=Bad file name
 975     format=arg1:arg2:arg3
 976       comment=1, file descriptor, "no path&colon; fd":
 977       comment=2, ioctl cmd, "cmd":
 978       comment=3, ioctl arg, "arg"
 979 # old BSM manual misses a case
 980 
 981 label=AUE_JUNK
 982   skip=Not used.
 983 
 984 label=AUE_KILL
 985   case=Valid process
 986     format=arg1:[proc]
 987       comment=2, signo, "signal"
 988   case=Zero or negative process
 989     format=arg1:arg2
 990       comment=2, signo, "signal":
 991       comment=1, pid, "process"
 992 
 993 label=AUE_KILLPG
 994   skip=Not used.
 995 
 996 label=AUE_LCHOWN
 997   format=arg1:arg2:path:[attr]
 998     comment=2, uid, "new file uid":
 999     comment=3, gid, "new file gid"
1000 
1001 label=AUE_LINK
1002   format=path1:[attr]:path2
1003      comment=from path:
1004      comment=to path
1005 
1006 label=AUE_LSEEK
1007   skip=Not used.
1008 
1009 label=AUE_LSTAT
1010   format=path:[attr]
1011 
1012 label=AUE_LXSTAT
1013 # obsolete
1014   skip=Not used.
1015 
1016 label=AUE_MCTL
1017   skip=Not used.
1018 
1019 label=AUE_MEMCNTL
1020   format=arg1:arg2:arg3:arg4:arg5:arg6
1021     comment=1, base address, "base":
1022     comment=2, length, "len":
1023     comment=3, command, "cmd":
1024     comment=4, command args, "arg":
1025     comment=5, command attributes, "attr":
1026     comment=6, 0, "mask"
1027 
1028 label=AUE_MKDIR
1029   format=arg1:path:[attr]
1030     comment=2, mode, "mode"
1031 
1032 label=AUE_MKNOD
1033   format=arg1:arg2:path:[attr]
1034     comment=2, mode, "mode":
1035     comment=3, dev, "dev"
1036 
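1037 label=AUE_MMAP
1038   case=With a valid file descriptor
1039     format=arg1:arg2:[path]3:[attr]
1040       comment=1, segment address, "addr":
1041       comment=2, segment length, "len":
1042       comment=if no path, then argument&colon; \
1043         1, "nopath&colon; fd", file descriptor
1044   case=With an invalid file descriptor
1045     format=arg1:arg2:arg3
1046       comment=1, segment address, "addr":
1047       comment=2, segment length, "len":
1048       comment=1, file descriptor, "no path&colon; fd"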
1049 
1050 label=AUE_MODADDMAJ
1051   title=modctl: bind module
1052   syscall=modctl
1053   format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1054     comment=driver major number:
1055     comment=driver name:
1056     comment=driver major number or "no drvname":
1057     comment=5, number of aliases, "":
1058     comment=aliases
1059 
1060 label=AUE_MODADDPRIV
1061   format=kernel
1062 
1063 label=AUE_MODCONFIG
1064   skip=Not used.
1065 
1066 label=AUE_MODCTL
1067   skip=Not used. (placeholder)
1068 
1069 label=AUE_MODDEVPLCY
1070   syscall=modctl
1071   title=modctl: set device policy
1072   case=If unknown minor name/pattern
1073     format=arg1:arg2:arg3:arg4:arg5
1074       comment=2, "major", major number:
1075       comment=2, "lomin", low minor number, if known:
1076       comment=2, "himin", hi minor number, if known:
1077       comment=privileges required for reading:
1078       comment=privileges required for writing
1079   case=else
1080     format=arg1:text2:arg3:arg4
1081       comment=2, "major", major number:
1082       comment=minor name/pattern:
1083       comment=privileges required for reading:
1084       comment=privileges required for writing
1085 
1086 label=AUE_MODLOAD
1087   syscall=modctl
1088   title=modctl: load module
1089   format=[text]1:text2
1090     comment=default path:
1091     comment=filename path
1092 
1093 label=AUE_MODUNLOAD
1094   syscall=modctl
1095   title=modctl: unload module
1096   format=arg1
1097     comment=1, module ID, "id"
1098 
1099 label=AUE_MOUNT
1100   case=UNIX file system
1101     format=arg1:text2:path:[attr]
1102       comment=3, flags, "flags":
1103       comment=filesystem type
1104   case=NFS file system
1105     format=arg1:text2:text3:arg4:path:[attr]
1106       comment=3, flags, "flags":
1107       comment=filesystem type:
1108       comment=host name:
1109       comment=3, flags, "internal flags"
1110 # unix example:
1111 #       header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1112 #       argument,3,0x104,flags
1113 #       text,ufs
1114 #       path,/var2
1115 #       attribute,40755,root,root,32,12160,0
1116 #       path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1117 #       attribute,60640,root,sys,32,231268,137438953476
1118 #       subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1119 #       return,success,4290707268
1120 #                      ^^^^^^^^^^         <- bugid 4333559
1121 
1122 label=AUE_MSGCTL
1123   format=arg1:[ipc]:[ipc_perm]
1124     comment=1, message ID, "msg ID"
1125   note=ipc_perm
1126 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127 
1128 label=AUE_MSGCTL_RMID
1129   format=arg1:[ipc]:[ipc_perm]
1130     comment=1, message ID, "msg ID"
1131   note=ipc_perm
1132   syscall=msgctl: IPC_RMID
1133 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134 
1135 label=AUE_MSGCTL_SET
1136   format=arg1:[ipc]:[ipc_perm]
1137     comment=1, message ID, "msg ID"
1138   note=ipc_perm
1139   syscall=msgctl: IPC_SET
1140 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141 
1142 label=AUE_MSGCTL_STAT
1143   format=arg1:[ipc]:[ipc_perm]
1144     comment=1, message ID, "msg ID"
1145   note=ipc_perm
1146   syscall=msgctl: IPC_STAT
1147 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1148 
1149 label=AUE_MSGGET
1150   format=arg1:ipc
1151     comment=1, message key, "msg key"
1152   note=ipc_perm
1153   syscall=msgget
1154 
1155 label=AUE_MSGGETL
1156   skip=Not used.
1157 
1158 label=AUE_MSGRCV
1159   format=arg1:[ipc]:[ipc_perm]
1160     comment=1, message ID, "msg ID"
1161   note=ipc_perm
1162   syscall=msgrcv
1163 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1164 
1165 label=AUE_MSGRCVL
1166   skip=Not used.
1167 
1168 label=AUE_MSGSND
1169   format=arg1:[ipc]:[ipc_perm]
1170     comment=1, message ID, "msg ID"
1171   note=ipc_perm
1172   syscall=msgsnd
1173 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1174 
1175 label=AUE_MSGSNDL
1176   skip=Not used.
1177 
1178 label=AUE_MSGSYS
1179 skip=Not used.  (Placeholder for AUE_MSG* events.)
1180 
1181 label=AUE_MUNMAP
1182   format=arg1:arg2
1183     comment=1, address of memory, "addr":
1184     comment=2, memory segment size, "len"
1185 
1186 label=AUE_NFS
1187   skip=Not used.
1188 
1189 label=AUE_NFSSVC_EXIT
1190   skip=Not used.
1191 
1192 label=AUE_NFS_GETFH
1193   skip=Not used.
1194 
1195 label=AUE_NFS_SVC
1196   skip=Not used.
1197 
1198 label=AUE_NICE
1199   format=kernel
1200 
1201 label=AUE_NULL
1202   skip=Not used.  (placeholder)
1203 # used internal to audit_event.c for minimal audit
1204 
1205 label=AUE_NTP_ADJTIME
1206   format=kernel
1207 
1208 label=AUE_ONESIDE
1209   skip=Not used.
1210 
1211 label=AUE_OPEN
1212   skip=Not used.  (placeholder for AUE_OPEN_*).
1213 
1214 label=AUE_OPEN_R
1215   format=path:[path_attr]:[attr]
1216   see=open(2) - read
1217 
1218 label=AUE_OPENAT_R
1219 # obsolete
1220   format=path:[path_attr]:[attr]
1221   see=openat(2)
1222 
1223 label=AUE_OPEN_RC
1224   format=path:[path_attr]:[attr]
1225   see=open(2) - read,creat
1226 
1227 label=AUE_OPENAT_RC
1228 # obsolete
1229   see=openat(2)
1230   format=path:[path_attr]:[attr]
1231 
1232 label=AUE_OPEN_RT
1233   format=path:[path_attr]:[attr]
1234   see=open(2) - read,trunc
1235 
1236 label=AUE_OPENAT_RT
1237 # obsolete
1238   see=openat(2)
1239   format=path:[path_attr]:[attr]
1240 
1241 label=AUE_OPEN_RTC
1242   format=path:[path_attr]:[attr]
1243   see=open(2) - read,trunc,creat
1244 
1245 label=AUE_OPENAT_RTC
1246 # obsolete
1247   see=openat(2)
1248   format=path:[path_attr]:[attr]
1249 
1250 label=AUE_OPEN_RW
1251   format=path:[path_attr]:[attr]
1252   see=open(2) - read,write
1253 
1254 label=AUE_OPENAT_RW
1255 # obsolete
1256   see=openat(2)
1257   format=path:[path_attr]:[attr]
1258 # aui_fsat(): fm & O_RDWR
1259 
1260 label=AUE_OPEN_RWC
1261   format=path:[path_attr]:[attr]
1262   see=open(2) - read,write,creat
1263 
1264 label=AUE_OPENAT_RWC
1265 # obsolete
1266   see=openat(2)
1267   format=path:[path_attr]:[attr]
1268 
1269 label=AUE_OPEN_RWT
1270   format=path:[path_attr]:[attr]
1271   see=open(2) - read,write,trunc
1272 
1273 label=AUE_OPENAT_RWT
1274 # obsolete
1275   see=openat(2)
1276   format=path:[path_attr]:[attr]
1277 
1278 label=AUE_OPEN_RWTC
1279   format=path:[path_attr]:[attr]
1280   see=open(2) - read,write,trunc,creat
1281 
1282 label=AUE_OPENAT_RWTC
1283 # obsolete
1284   see=openat(2)
1285   format=path:[path_attr]:[attr]
1286 
1287 label=AUE_OPEN_W
1288   format=path:[path_attr]:[attr]
1289   see=open(2) - write
1290 
1291 label=AUE_OPENAT_W
1292   see=openat(2)
1293   format=path:[path_attr]:[attr]
1294 
1295 label=AUE_OPEN_WC
1296   format=path:[path_attr]:[attr]
1297   see=open(2) - write,creat
1298 
1299 label=AUE_OPENAT_WC
1300   see=openat(2)
1301   format=path:[path_attr]:[attr]
1302 
1303 label=AUE_OPEN_WT
1304   format=path:[path_attr]:[attr]
1305   see=open(2) - write,trunc
1306 
1307 label=AUE_OPENAT_WT
1308   see=openat(2)
1309   format=path:[path_attr]:[attr]
1310 
1311 label=AUE_OPEN_WTC
1312   format=path:[path_attr]:[attr]
1313   see=open(2) - write,trunc,creat
1314 
1315 label=AUE_OPENAT_WTC
1316   see=openat(2)
1317   format=path:[path_attr]:[attr]
1318 
1319 label=AUE_OPEN_S
1320   format=path:[path_attr]:[attr]
1321   see=open(2) - search
1322 
1323 label=AUE_OPEN_E
1324   format=path:[path_attr]:[attr]
1325   see=open(2) - exec
1326 
1327 label=AUE_OSETPGRP
1328   skip=Not used.
1329 
1330 label=AUE_OSTAT
1331 # obsolete
1332   skip=Not used.
1333 
1334 label=AUE_PATHCONF
1335   format=path:[attr]
1336 
1337 label=AUE_PIPE
1338 format=kernel
1339 # class is no, not usually printed
1340 
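1341 label=AUE_PORTFS
1342   skip=Not used (placeholder for AUE_PORTFS_*).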
1346 
1347 label=AUE_PORTFS_ASSOCIATE
1348   syscall=portfs
1349   see=port_associate(3C)
1350   case=Port association via PORT_SOURCE_FILE
1351   format=[path]1:attr
1352     comment=name of the file/directory to be watched
1353 
1354 label=AUE_PORTFS_DISSOCIATE
1355   syscall=portfs
1356   see=port_dissociate(3C)
1357   case=Port disassociation via PORT_SOURCE_FILE
1358   format=kernel
1359 
1360 label=AUE_PRIOCNTLSYS
1361   syscall=priocntl
1362   see=priocntl(2)
1363   format=arg1:arg2
1364     comment=1, priocntl version number, "pc_version":
1365     comment=3, command, "cmd"
1366 
1367 label=AUE_PROCESSOR_BIND
1368   case=No LWP/thread bound to the processor
1369     format=arg1:arg2:text3:[proc]
1370       comment=1, type of ID, "ID type":
1371       comment=2, ID value, "ID":
1372       comment="PBIND_NONE"
1373   case=With processor bound
1374     format=arg1:arg2:arg3:[proc]
1375       comment=1, type of ID, "ID type":
1376       comment=2, ID value, "ID":
1377       comment=3, processor ID, "processor_id"
1378 
1379 label=AUE_PUTMSG
1380   see=putmsg(2)
1381   format=arg1:[path]:[attr]:arg2
1382     comment=1, file descriptor, "fd":
1383     comment=4, priority, "pri"
1384 
1385 label=AUE_PUTPMSG
1386   see=putpmsg(2)
1387   format=arg1:[path]:[attr]:arg2:arg3
1388     comment=1, file descriptor, "fd":
1389     comment=4, priority, "pri":
1390     comment=5, flags, "flags"
1391 
1392 label=AUE_P_ONLINE
1393   format=arg1:arg2:text3
1394     comment=1, processor ID, "processor ID":
1395     comment=2, flags value, "flags":
1396     comment=text form of flags.  Values&colon;  \
1397       P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1398 
1399 label=AUE_QUOTACTL
1400   skip=Not used.
1401 
1402 label=AUE_READ
1403   skip=Not used.  (Placeholder for AUE_READ_* events)
1404 
1405 label=AUE_READL
1406   skip=Not used. (Obsolete)
1407 
1408 label=AUE_READLINK
1409   format=path:[attr]
1410 
1411 label=AUE_READV
1412   skip=Not used (obsolete)
1413 # detritus from CMS
1414 
1415 label=AUE_READVL
1416   skip=Not used (obsolete)
1417 # detritus from CMS
1418 
1419 label=AUE_REBOOT
1420   skip=Not used.
1421 
1422 label=AUE_RECV
1423   case=If address family is AF_INET or AF_INET6
1424     format=[arg]1:[inet]
1425       comment=1, file descriptor, "so"
1426   case=If address family is AF_UNIX and path is defined
1427     format=[path]1:[attr]
1428       comment=1, file descriptor, "so"
1429   case=If address family is AF_UNIX and path is NULL
1430     format=[path]1:[attr]
1431       comment=1, file descriptor, "no path&colon; fd"
1432   case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1433     format=[arg]1:[arg]2:[arg]3
1434       comment=1, file descriptor, "so":
1435       comment=1, family, "family":
1436       comment=1, type, "type"
1437 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1438 
1439 label=AUE_RECVFROM
1440   format=inet:arg1:[arg]2:inet3:arg4
1441     comment=3, message length, "len":
1442     comment=4, flags, "flags":
1443     comment=from address:
1444     comment=6, address length, "tolen"
1445   note=The socket token for a bad socket is reported as "argument
1446   note=token (1, socket descriptor, "fd")"
1447 
1448 label=AUE_RECVMSG
1449   case=If invalid file descriptor
1450     format=arg1:arg2
1451       comment=1, file descriptor, "so":
1452       comment=3, flags, "flags"
1453   case=If valid file descriptor and socket is AF_UNIX and no path
1454   format=arg1:[attr]
1455     comment=1, file descriptor, "no path&colon; fd"
1456   case=If valid file descriptor and socket is AF_UNIX and path defined
1457   format=path:attr
1458   case=If valid file descriptor and socket is AF_INET or AF_INET6
1459   case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1460   format=arg1:arg2:inet
1461     comment=1, file descriptor, "so":
1462     comment=2, flags, "flags"
1463   case=.. if socket type is unknown
1464   format=arg1:arg2:arg3:arg4
1465     comment=1, file descriptor, "so":
1466     comment=1, family, "family":
1467     comment=1, type, "type":
1468     comment=3, flags, "flags"
1469 
1470 label=AUE_RENAME
1471   format=path1:[attr]1:[path]2
1472   comment=from name:
1473   comment=to name
1474 
1475 label=AUE_RENAMEAT
1476 # obsolete
1477   format=path1:[attr]1:[path]2
1478   comment=from name:
1479   comment=to name
1480 
1481 label=AUE_RFSSYS
1482   skip=Not used.
1483 # apparently replaced
1484 
1485 label=AUE_RMDIR
1486   format=path:[attr]
1487 
1488 label=AUE_SEMCTL
1489   format=arg1:[ipc]:[ipc_perm]
1490     comment=1, semaphore ID, "sem ID"
1491   note=ipc_perm
1492 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1493 
1494 label=AUE_SEMCTL_GETALL
1495   format=arg1:[ipc]:[ipc_perm]
1496     comment=1, semaphore ID, "sem ID"
1497   note=ipc_perm
1498   syscall=semctl: GETALL
1499 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1500 
1501 label=AUE_SEMCTL_GETNCNT
1502   format=arg1:[ipc]:[ipc_perm]
1503     comment=1, semaphore ID, "sem ID"
1504   note=ipc_perm
1505   syscall=semctl: GETNCNT
1506 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1507 
1508 label=AUE_SEMCTL_GETPID
1509   format=arg1:[ipc]:[ipc_perm]
1510     comment=1, semaphore ID, "sem ID"
1511   note=ipc_perm
1512   syscall=semctl: GETPID
1513 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1514 
1515 label=AUE_SEMCTL_GETVAL
1516   format=arg1:[ipc]:[ipc_perm]
1517     comment=1, semaphore ID, "sem ID"
1518   note=ipc_perm
1519   syscall=semctl: GETVAL
1520 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1521 
1522 label=AUE_SEMCTL_GETZCNT
1523   format=arg1:[ipc]:[ipc_perm]
1524     comment=1, semaphore ID, "sem ID"
1525   note=ipc_perm
1526   syscall=semctl: GETZCNT
1527 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1528 
1529 label=AUE_SEMCTL_RMID
1530   format=arg1:[ipc]:[ipc_perm]
1531     comment=1, semaphore ID, "sem ID"
1532   note=ipc_perm
1533   syscall=semctl: IPC_RMID
1534 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1535 
1536 label=AUE_SEMCTL_SET
1537   format=arg1:[ipc]:[ipc_perm]
1538     comment=1, semaphore ID, "sem ID"
1539   note=ipc_perm
1540   syscall=semctl: IPC_SET
1541 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1542 
1543 label=AUE_SEMCTL_SETALL
1544   format=arg1:[ipc]:[ipc_perm]
1545     comment=1, semaphore ID, "sem ID"
1546   note=ipc_perm
1547   syscall=semctl: SETALL
1548 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1549 
1550 label=AUE_SEMCTL_SETVAL
1551   format=arg1:[ipc]:[ipc_perm]
1552     comment=1, semaphore ID, "sem ID"
1553   note=ipc_perm
1554   syscall=semctl: SETVAL
1555 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1556 
1557 label=AUE_SEMCTL_STAT
1558   format=arg1:[ipc]:[ipc_perm]
1559     comment=1, semaphore ID, "sem ID"
1560   note=ipc_perm
1561   syscall=semctl: IPC_STAT
1562 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1563 
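1564 label=AUE_SEMGET
1565   format=arg1:[ipc_perm]:ipc
1566     comment=1, semaphore key, "sem key"
1567   note=ipc_perm
1568   syscall=semget
1569 # ipc_perm token: semget -> audit_ipcget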
1570 
1571 label=AUE_SEMGETL
1572   skip=Not used.
1573 
1574 label=AUE_SEMOP
1575   format=arg1:[ipc]:[ipc_perm]
1576     comment=1, semaphore ID, "sem ID"
1577   note=ipc_perm
1578 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1579 
1580 label=AUE_SEMSYS
1581   skip=Not used.  (place holder) -- defaults to a semget variant
1582 
1583 label=AUE_SEND
1584   case=If address family is AF_INET or AF_INET6
1585     format=[arg]1:[inet]
1586       comment=1, file descriptor, "so"
1587   case=If address family is AF_UNIX and path is defined
1588     format=[path]1:[attr]
1589       comment=1, file descriptor, "so"
1590   case=If address family is AF_UNIX and path is NULL
1591     format=[path]1:[attr]
1592       comment=1, file descriptor, "no path&colon; fd"
1593   case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1594     format=[arg]1:[arg]2:[arg]3
1595       comment=1, file descriptor, "so":
1596       comment=1, family, "family":
1597       comment=1, type, "type"
1598 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1599 
1600 label=AUE_SENDMSG
1601   case=If invalid file descriptor
1602     format=arg1:arg2
1603       comment=1, file descriptor, "so":
1604       comment=3, flags, "flags"
1605   case=If valid file descriptor
1606   case=...and address family is AF_UNIX and path is defined
1607     format=path:attr
1608   case=...and address family is AF_UNIX and path is NULL
1609     format=path1:attr
1610       comment=1, file descriptor, "nopath&colon; fd"
1611   case=...and address family is AF_INET or AF_INET6, \
1612     socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1613     format=arg1:arg2:inet
1614       comment=1, file descriptor, "so":
1615       comment=3, flags, "flags"
1616   case=...and unknown address family or address family AF_INET or AF_INET6 \
1617     and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1618     format=arg1:arg2:arg3:arg4
1619       comment=1, file descriptor, "so":
1620       comment=1, family, "family":
1621       comment=1, type, "type":
1622       comment=1, flags, "flags"
1623 
1624 label=AUE_SENDTO
1625   case=If invalid file descriptor
1626     format=arg1:arg2
1627       comment=1, file descriptor, "so":
1628       comment=3, flags, "flags"
1629   case=If valid file descriptor
1630   case=...and socket is AF_UNIX and path is defined
1631     format=path:attr
1632   case=...and address family is AF_UNIX and path is NULL
1633     format=path1:attr
1634       comment=1, file descriptor, "nopath&colon; fd"
1635   case=...and address family is AF_INET or AF_INET6
1636     format=arg1:arg2:inet
1637       comment=1, file descriptor, "so":
1638       comment=3, flags, "flags"
1639   case=...and unknown address family
1640     format=arg1:arg2:arg3:arg4
1641       comment=1, file descriptor, "so":
1642       comment=1, family, "family":
1643       comment=1, type, "type":
1644       comment=1, flags, "flags"
1645 
1646 label=AUE_SETAUDIT
1647   case=With a valid program stack address
1648     format=arg1:arg2:arg3:arg4:arg5:arg6
1649       comment=1, audit user ID, "setaudit&colon;auid":
1650       comment=1, terminal ID, "setaudit&colon;port":
1651       comment=1, terminal ID, "setaudit&colon;machine":
1652       comment=1, preselection mask, "setaudit&colon;as_success":
1653       comment=1, preselection mask, "setaudit&colon;as_failure":
1654       comment=1, audit session ID, "setaudit&colon;asid"
1655   case=With an invalid program stack address
1656     format=kernel
1657 #       header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1658 #       argument,1,0x271a,setaudit:auid
1659 #       argument,1,0x3ff0201,setaudit:port
1660 #       argument,1,0x8192591e,setaudit:machine
1661 #       argument,1,0x400,setaudit:as_success
1662 #       argument,1,0x400,setaudit:as_failure
1663 #       argument,1,0x16f,setaudit:asid
1664 #       subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1665 #       return,success,0
1666 #       trailer,215
1667 #       header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1668 #       argument,1,0x271a,setaudit:auid
1669 #       argument,1,0x3ff0201,setaudit:port
1670 #       argument,1,0x8192591e,setaudit:machine
1671 #       argument,1,0x400,setaudit:as_success
1672 #       argument,1,0x400,setaudit:as_failure
1673 #       argument,1,0x16f,setaudit:asid
1674 #       subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1675 #       return,success,0
1676 #       trailer,215
1677 
1678 label=AUE_SETAUDIT_ADDR
1679   case=With a valid program stack address
1680     format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1681       comment=1, audit user ID, "auid":
1682       comment=1, terminal ID, "port":
1683       comment=1, type, "type":
1684       comment=1, terminal ID, "ip address":
1685       comment=1, preselection mask, "as_success":
1686       comment=1, preselection mask, "as_failure":
1687       comment=1, audit session ID, "asid"
1688   case=With an invalid program stack address
1689     format=kernel
1690 #       header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1691 #       argument,1,0x15fa7,auid
1692 #       argument,1,0x0,port
1693 #       argument,1,0x4,type
1694 #       ip address,tmach2
1695 #       argument,1,0x9c00,as_success
1696 #       argument,1,0x9c00,as_failure
1697 #       argument,1,0x1f1,asid
1698 #       subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1699 #       return,success,0
1700 
1701 label=AUE_SETAUID
1702   format=arg1
1703     comment=2, audit user ID, "setauid"
1704 
1705 label=AUE_SETDOMAINNAME
1706   skip=Not used.  (See AUE_SYSINFO)
1707 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1708 
1709 label=AUE_SETEGID
1710   format=arg1
1711     comment=1, group ID, "gid"
1712 
1713 label=AUE_SETEUID
1714   format=arg1
1715     comment=1, user ID, "euid"
1716 
1717 label=AUE_SETGID
1718   format=arg1
1719     comment=1, group ID, "gid"
1720 
1721 label=AUE_SETGROUPS
1722   note=If more than NGROUPS_MAX_DEFAULT groups listed,
1723   note=no tokens are generated.
1724   case=If no groups in list
1725     format=[arg]1
1726       comment=1, 0, "setgroups"
1727   case=If 1 or more groups in list
1728     format=(1..n)arg1
1729       comment=1, gid, "setgroups"
1730 
1731 label=AUE_SETHOSTNAME
1732   skip=Not used.  (See AUE_SYSINFO)
1733 # See sysinfo call with command SI_SET_HOSTNAME
1734 
1735 label=AUE_SETKERNSTATE
1736   skip=Not used.
1737 
1738 label=AUE_SETPGID
1739   format=[proc]:[arg]1
1740   comment=2, pgid, "pgid"
1741 
1742 label=AUE_SETPGRP
1743   format=kernel
1744 
1745 label=AUE_SETPRIORITY
1746   skip=Not used.
1747 
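1748 label=AUE_SETPPRIV
1749   case=operation privileges off
1750   format=arg1:privset2
1751     comment=setppriv operation:
1752     comment=privileges actually switched off
1753   case=operation privileges on
1754   format=arg1:privset2
1755     comment=setppriv operation:
1756     comment=privileges actually switched on
1757   case=operation privileges set
1758   format=arg1:privset2:privset3
1759     comment=setppriv operation:
1760     comment=privileges before privset:
1761     comment=privileges after privset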
1762 #header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
1763 #argument,2,0x2,op
1764 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1766 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1767 #return,success,0
1768 
1769 label=AUE_SETREGID
1770   format=arg1:arg2
1771     comment=1, real group ID, "rgid":
1772     comment=2, effective group ID, "egid"
1773 
1774 label=AUE_SETREUID
1775   format=arg1:arg2
1776     comment=1, real user ID, "ruid":
1777     comment=2, effective user ID, "euid"
1778 
1779 label=AUE_SETRLIMIT
1780   format=kernel
1781 #       header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1782 #       subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1783 #       return,success,0
1784 
1785 label=AUE_SETSID
1786   format=kernel
1787 
1788 label=AUE_SETSOCKOPT
1789   case=Invalid file descriptor
1790     format=arg1:arg2
1791       comment=1, file descriptor, "so":
1792       comment=2, level, "level"
1793   case=Valid file descriptor
1794   case=...and socket is AF_UNIX
1795     format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1796       comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
1797         file descriptor:
1798       comment=1, file descriptor, "so":
1799       comment=1, family, "family":
1800       comment=1, type, "type":
1801       comment=2, protocol level, "level":
1802       comment=3, option name, "optname":
1803       comment=5, option length, "optlen":
1804       comment=option data
1805   case=...and socket is AF_INET or AF_INET6
1806     format=arg1:arg2:arg3:[arg]4:[data]5:inet
1807       comment=1, file descriptor, "so":
1808       comment=2, protocol level, "level":
1809       comment=3, option name, "optname":
1810       comment=5, option length, "optlen":
1811       comment=option data
1812   case=...and socket address family is unknown
1813     format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1814       comment=1, file descriptor, "so":
1815       comment=1, family, "family":
1816       comment=1, type, "type":
1817       comment=2, protocol level, "level":
1818       comment=3, option name, "optname":
1819       comment=5, option length, "optlen":
1820       comment=option data
1821 
1822 label=AUE_SETTIMEOFDAY
1823   skip=Not used.
1824 
1825 label=AUE_SETUID
1826   syscall=setuid
1827   format=arg1
1828     comment=1, "uid" to be set
1829 
1830 label=AUE_SETUSERAUDIT
1831   skip=Not used.
1832 
1833 label=AUE_SHMAT
1834   format=arg1:arg2:[ipc]:[ipc_perm]
1835     comment=1, shared memory ID, "shm ID":
1836     comment=2, shared mem addr, "shm addr"
1837   note=ipc_perm
1838 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1839 
1840 label=AUE_SHMCTL
1841   format=arg1:[ipc]:[ipc_perm]
1842     comment=1, shared memory ID, "shm ID"
1843   note=ipc_perm
1844 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1845 
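label=AUE_SHMCTL_RMID
# IPC_RMID command on a shared memory segment: one argument token carrying the
# shared memory ID, then ipc and ipc_perm tokens (bracketed tokens are
# presumably optional -- confirm against the file's format description).
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=shmctl:  IPC_RMID
# syscall= names shmctl, not semctl: the label, the comment= text and the call
# chain below all describe shared memory control, and a wrong name here would
# point audit reviewers at the semaphore call for a shared memory removal.
# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc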
1852 
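label=AUE_SHMCTL_SET
# IPC_SET command on a shared memory segment: one argument token carrying the
# shared memory ID, then ipc and ipc_perm tokens (bracketed tokens are
# presumably optional -- confirm against the file's format description).
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=shmctl:  IPC_SET
# syscall= names shmctl, not semctl: the label, the comment= text and the call
# chain below all describe shared memory control, so a permission or ownership
# change on a segment is documented under the call that actually produces it.
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc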
1859 
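label=AUE_SHMCTL_STAT
# IPC_STAT command on a shared memory segment: one argument token carrying the
# shared memory ID, then ipc and ipc_perm tokens (bracketed tokens are
# presumably optional -- confirm against the file's format description).
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=shmctl:  IPC_STAT
# syscall= names shmctl, not semctl: the label, the comment= text and the call
# chain below all describe shared memory control.
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc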
1866 
1867 label=AUE_SHMDT
1868   format=arg1
1869     comment=1, shared memory address, "shm adr"
1870 
1871 label=AUE_SHMGET
1872   format=arg1:[ipc_perm]:[ipc]
1873     comment=0, shared memory key, "shm key"
1874   note=ipc_perm
1875 # ipc_perm: shmget -> audit_ipcget
1876 
1877 label=AUE_SHMGETL
1878   skip=Not used.
1879 
1880 label=AUE_SHMSYS
1881   skip=Not used.  (Placeholder for shmget and shmctl*)
1882 
1883 label=AUE_SHUTDOWN
1884   case=If the socket address is invalid
1885     format=[arg]1:[text]2:[text]3
1886       comment=1, file descriptor, "fd":
1887       comment=bad socket address:
1888       comment=bad peer address
1889   case=If the socket address is part of the AF_INET family
1890     case=...with zero file descriptor
1891       format=arg1:[arg]2:[arg]3:[arg]4
1892         comment=1, file descriptor, "so":
1893         comment=1, family, "family":
1894         comment=1, type, "type":
1895         comment=2, how shutdown code, "how"
1896     case=...with non-zero file descriptor
1897       format=arg1:arg2:inet
1898         comment=1, file descriptor, "so":
1899         comment=2, how shutdown code, "how"
1900   case=If the socket address is AF_UNIX
1901     case=...with zero file descriptor
1902       format=path1:arg2:[arg]3:[arg]4:[arg]5
1903         comment=If error&colon; argument&colon; \
1904           1, "no path&colon; fd", file descriptor:
1905         comment=1, file descriptor, "so":
1906         comment=1, family, "family":
1907         comment=1, type, "type":
1908         comment=2, how shutdown code, "how"
1909     case=...with non-zero file descriptor
1910       format=path1:arg2:arg3:inet
1911         comment=If error&colon; argument&colon; \
1912           1, file descriptor, "no path&colon; fd":
1913         comment=1, file descriptor, "so":
1914         comment=2, how shutdown code, "how"
1915 #old BSM manual wrong; used audit_event.c
1916 
1917 label=AUE_SOCKACCEPT
1918   syscall=getmsg:  socket accept
1919   format=inet:arg1:[path]:attr:arg2
1920     comment=1, file descriptor, "fd":
1921     comment=4, priority, "pri"
1922 # see putmsg and getmsg for record format
1923 # See audit.c for inet token and audit_start.c for other reference
1924 
1925 label=AUE_SOCKCONFIG
1926   format=arg1:arg2:arg3:[path]4
1927     comment=1, domain address, "domain":
1928     comment=2, type, "type":
1929     comment=3, protocol, "protocol":
1930     comment=If no path&colon;argument -- 3, 0, "devpath"
1931 
1932 label=AUE_SOCKCONNECT
1933   syscall=putmsg:  socket connect
1934   format=inet:arg1:[path]:attr:arg2
1935     comment=1, file descriptor, "fd":
1936     comment=4, priority, "pri"
1937 # same as AUE_SOCKACCEPT
1938 
1939 label=AUE_SOCKET
1940   format=arg1:[arg]2:arg3
1941     comment=1, socket domain, "domain":
1942     comment=2, socket type, "type":
1943     comment=3, socket protocol, "protocol"
1944 
1945 label=AUE_SOCKETPAIR
1946   skip=Not used.
1947 # unreferenced
1948 
1949 label=AUE_SOCKRECEIVE
1950   syscall=getmsg
1951   format=inet:arg1:[path]:attr:arg2
1952     comment=1, file descriptor, "fd":
1953     comment=4, priority, "pri"
1954 # see AUE_SOCKACCEPT
1955 
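label=AUE_SOCKSEND
# Socket send reported through putmsg. Token layout matches AUE_SOCKACCEPT,
# AUE_SOCKCONNECT and AUE_SOCKRECEIVE: inet token, file descriptor argument,
# [path], attr, then the priority argument.
# syscall= is indented like every other attribute line in this file.
  syscall=putmsg
  format=inet:arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
# see AUE_SOCKACCEPT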
1962 
1963 label=AUE_STAT
1964   format=path:[attr]
1965 
1966 label=AUE_STATFS
1967   format=path:[attr]
1968 
1969 label=AUE_STATVFS
1970   format=path:[attr]
1971 
1972 label=AUE_STIME
1973   format=kernel
1974 
1975 label=AUE_SWAPON
1976   skip=Not used.
1977 
1978 label=AUE_SYMLINK
1979   format=path:text1:[attr]
1980     comment=symbolic link string
1981 
1982 label=AUE_SYSINFO
1983   note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1984   note=are currently audited.
1985   format=arg1:[text]2
1986     comment=1, command, "cmd":
1987     comment=name
1988 
1989 label=AUE_SYSTEMBOOT
1990   title=system booted
1991   syscall=none
1992   format=head:text1
1993     comment="booting kernel"
1994 # see audit_start.c and audit_io.c
1995 # no subject or return / exit token
1996 #       header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1997 #       text,booting kernel
1998 
1999 label=AUE_TRUNCATE
2000   skip=Not used.
2001 
2002 label=AUE_UMOUNT
2003   syscall=umount: old version
2004   note=Implemented as call of the newer umount2(2).
2005   format=path:arg1:[path]:[attr]
2006     comment=2, mflag value = 0, "flags"
2007 
2008 label=AUE_UMOUNT2
2009   syscall=umount2
2010   format=path:arg1:[path]:[attr]
2011     comment=2, mflag value, "flags"
2012 
2013 label=AUE_UNLINK
2014   format=path:[attr]
2015 
2016 label=AUE_UNLINKAT
2017 # obsolete
2018   see=openat(2)
2019   format=path:[attr]
2020 
2021 label=AUE_UNMOUNT
2022   skip=Not used.
2023 
2024 label=AUE_UTIME
2025 # obsolete
2026   format=path:[attr]
2027 
2028 label=AUE_UTIMES
2029   see=futimens(2)
2030   format=path:[attr]
2031 
2032 label=AUE_VFORK
2033   format=arg1
2034     comment=0, pid, "child PID"
2035   note=The vfork(2) return values are undefined because the audit record is
2036   note=produced at the point that the child process is spawned.
2037 
2038 label=AUE_VPIXSYS
2039   skip=Not used.
2040 
2041 label=AUE_VTRACE
2042   skip=Not used.
2043 
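label=AUE_WRITE
# Write record: a path token (or, when no path is available, an argument token
# carrying the file descriptor) followed by an attr token.
# The record is emitted once per file close, not once per write call, so a
# single AUE_WRITE record does not bound how many writes hit the file.
# The literal colon inside the comment= text is written &colon; as in the
# other records; a bare ':' presumably ends a comment field -- confirm against
# the parser.
  format=path1:attr
    comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
  note=An audit record is generated for write only once per file close.
# note uses the '=' delimiter like every other attribute; with ':' the line had
# no delimiter, so the once-per-close caveat may not have reached the generated
# documentation.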
2048 
2049 label=AUE_WRITEV
2050   skip=Not used. (obsolete)
2051 
2052 label=AUE_XMKNOD
2053 # obsolete
2054   skip=Not used.
2055 
2056 label=AUE_XSTAT
2057 # obsolete
2058   skip=Not Used.
2059 
2060 label=AUE_PF_POLICY_ADDRULE
2061   title=Add IPsec policy rule
2062   see=
2063   syscall=none
2064   format=arg1:arg2:[zone]3:[text]4
2065   comment=Operation applied to active policy (1 is active, 0 is inactive):
2066   comment=Operation applied to global policy (1 is global, 0 is tunnel):
2067   comment=affected zone:
2068   comment=Name of target tunnel
2069 
2070 label=AUE_PF_POLICY_DELRULE
2071   title=Delete IPsec policy rule
2072   see=
2073   syscall=none
2074   format=arg1:arg2:[zone]3:[text]4
2075   comment=Operation applied to active policy (1 is active, 0 is inactive):
2076   comment=Operation applied to global policy (1 is global, 0 is tunnel):
2077   comment=affected zone:
2078   comment=Name of target tunnel
2079 
2080 label=AUE_PF_POLICY_CLONE
2081   title=Clone IPsec policy
2082   see=
2083   syscall=none
2084   format=arg1:arg2:[zone]3:[text]4
2085   comment=Operation applied to active policy (1 is active, 0 is inactive):
2086   comment=Operation applied to global policy (1 is global, 0 is tunnel):
2087   comment=affected zone:
2088   comment=Name of target tunnel
2089 
2090 label=AUE_PF_POLICY_FLIP
2091   title=Flip IPsec policy
2092   see=
2093   syscall=none
2094   format=arg1:arg2:[zone]3:[text]4
2095   comment=Operation applied to active policy (1 is active, 0 is inactive):
2096   comment=Operation applied to global policy (1 is global, 0 is tunnel):
2097   comment=affected zone:
2098   comment=Name of target tunnel
2099 
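label=AUE_PF_POLICY_FLUSH
# Flush of IPsec policy rules. The title says "Flush" so that this record is
# not read as AUE_PF_POLICY_FLIP, which shares the same token layout: removing
# all rules and swapping active/inactive policy are different events for anyone
# reviewing the audit trail.
# Tokens: active/inactive flag, global/tunnel flag, then zone and tunnel name
# (bracketed tokens are presumably optional -- confirm against the file's
# format description).
  title=Flush IPsec policy rules
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel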
2109 
2110 label=AUE_PF_POLICY_ALGS
2111   title=Update IPsec algorithms
2112   see=
2113   syscall=none
2114   format=arg1:arg2:[zone]3:[text]4
2115   comment=Operation applied to active policy (1 is active, 0 is inactive):
2116   comment=Operation applied to global policy (1 is global, 0 is tunnel):
2117   comment=affected zone:
2118   comment=Name of target tunnel
2119 
2120 label=AUE_allocate_fail
2121   program=/usr/sbin/allocate
2122   title=allocate: allocate-device failure
2123   format=(0..n)[text]1
2124     comment=command line arguments
2125 # see audit_allocate.c
2126 
2127 label=AUE_allocate_succ
2128   program=/usr/sbin/allocate
2129   title=allocate: allocate-device success
2130   format=(0..n)[text]1
2131     comment=command line arguments
2132 # see audit_allocate.c
2133 
2134 label=AUE_at_create
2135   program=/usr/bin/at
2136   title=at: at-create crontab
2137   format=path
2138 
2139 label=AUE_at_delete
2140   program=/usr/bin/at
2141   title=at: at-delete atjob (at or atrm)
2142   format=text1:path
2143   comment="ancillary file&colon;" filename or "bad format of at-job name"
2144 
2145 label=AUE_at_perm
2146   skip=Not used.
2147 # not referenced outside uevents.h
2148 
2149 label=AUE_create_user
2150   skip=Not used.
2151 
2152 label=AUE_cron_invoke
2153   program=/usr/sbin/cron
2154   title=cron: cron-invoke at or cron
2155   case=If issue with account find
2156   format=text1
2157     comment="bad user" name or "user <name> account expired"
2158   case=else
2159   format=text1:text2
2160     comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2161       or "unknown job type (<job_type_id>)":
2162     comment=command
2163 
2164 label=AUE_crontab_create
2165   program=/usr/bin/crontab
2166   title=crontab: crontab created
2167   format=path
2168 # See audit_crontab.c
2169 
2170 label=AUE_crontab_delete
2171   program=/usr/bin/crontab
2172   title=crontab: crontab delete
2173   format=path
2174 # See audit_crontab.c
2175 
2176 label=AUE_crontab_mod
2177   program=/usr/bin/crontab
2178   title=crontab:  crontab modify
2179   format=path
2180 # See audit_crontab.c
2181 
2182 label=AUE_crontab_perm
2183   skip=Not used.
2184 
2185 label=AUE_deallocate_fail
2186   program=/usr/sbin/deallocate
2187   title=deallocate-device failure
2188   format=(0..n)[text]1
2189     comment=command line arguments
2190 # See audit_allocate.c
2191 
2192 label=AUE_deallocate_succ
2193   program=/usr/sbin/deallocate
2194   title=deallocate-device success
2195   format=(0..n)[text]1
2196     comment=command line arguments
2197 # See audit_allocate.c
2198 
2199 label=AUE_delete_user
2200   skip=Not used.
2201 
2202 label=AUE_disable_user
2203   skip=Not used.
2204 
2205 label=AUE_enable_user
2206   skip=Not used.
2207 
2208 label=AUE_ftpd
2209   program=/usr/sbin/in.ftpd
2210   title=in.ftpd
2211   format=[text]1
2212     comment=error message
2213 # See audit_ftpd
2214 
2215 label=AUE_ftpd_logout
2216   program=/usr/sbin/in.ftpd
2217   title=in.ftpd
2218   format=user
2219 # See audit_ftpd
2220 
2221 label=AUE_halt_solaris
2222   program=/usr/sbin/halt
2223   title=halt
2224   format=user
2225 # See audit_halt.c
2226 
2227 label=AUE_kadmind_auth
2228   format=text1:text2:text3
2229     comment=Op&colon; <requested information>:
2230     comment=Arg&colon; <argument for Op>:
2231     comment=Client&colon; <client principal name>
2232 # See audit_kadmin.c / common_audit()
2233 
2234 label=AUE_kadmind_unauth
2235   format=text1:text2:text3
2236     comment=Op&colon; <requested information>:
2237     comment=Arg&colon; <argument for Op>:
2238     comment=Client&colon; <client principal name>
2239 # See audit_kadmin.c / common_audit()
2240 
2241 label=AUE_krb5kdc_as_req
2242   format=text1:text2
2243     comment=Client&colon; <client principal name>:
2244     comment=Service&colon; <requested service name>
2245 # See audit_krb5kdc.c / common_audit()
2246 
2247 label=AUE_krb5kdc_tgs_req
2248   format=text1:text2
2249     comment=Client&colon; <client principal name>:
2250     comment=Service&colon; <requested service name>
2251 # See audit_krb5kdc.c / common_audit()
2252 
2253 label=AUE_krb5kdc_tgs_req_alt_tgt
2254   format=text1:text2
2255     comment=Client&colon; <client principal name>:
2256     comment=Service&colon; <requested service name>
2257 # See audit_krb5kdc.c / common_audit()
2258 
2259 label=AUE_krb5kdc_tgs_req_2ndtktmm
2260   format=text1:text2
2261     comment=Client&colon; <client principal name>:
2262     comment=Service&colon; <requested service name>
2263 # See audit_krb5kdc.c / common_audit()
2264 
2265 label=AUE_listdevice_fail
2266   title=allocate-list devices failure
2267   program=/usr/sbin/allocate
2268   format=(0..n)[text]1
2269     comment=command line arguments
2270 # See audit_allocate.c
2271 
2272 label=AUE_listdevice_succ
2273   title=allocate-list devices success
2274   program=/usr/sbin/allocate
2275   format=(0..n)[text]1
2276     comment=command line arguments
2277 # See audit_allocate.c
2278 
2279 label=AUE_modify_user
2280   skip=Not used.
2281 
2282 label=AUE_mountd_mount
2283   title=mountd: NFS mount
2284   program=/usr/lib/nfs/mountd
2285   see=mountd(1M)
2286   format=text1:path2
2287     comment=remote client hostname:
2288     comment=mount dir
2289 # See audit_mountd.c
2290 
2291 label=AUE_mountd_umount
2292   title=mountd: NFS unmount
2293   program=/usr/lib/nfs/mountd
2294   format=text1:path2
2295   comment=remote client hostname:
2296   comment=mount dir
2297 # See audit_mountd.c
2298 
2299 label=AUE_poweroff_solaris
2300   program=/usr/sbin/poweroff
2301   title=poweroff
2302   format=user
2303 # See audit_halt.c
2304 
2305 label=AUE_reboot_solaris
2306   program=/usr/sbin/reboot
2307   title=reboot
2308   format=user
2309 # See audit_reboot.c
2310 #       header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2311 #       subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2312 #       return,success,0
2313 
2314 label=AUE_rexd
2315   program=/usr/sbin/rpc.rexd
2316   title=rpc.rexd
2317   format=[text]1:text2:text3:[text]4:[text]5
2318     comment=error message (failure only):
2319     comment="Remote execution requested by&colon;" hostname:
2320     comment="Username&colon;" username:
2321     comment="User id&colon;" user ID (failure only):
2322     comment="Command line&colon;" command attempted
2323 # See audit_rexd.c
2324 
2325 label=AUE_rexecd
2326   program=/usr/sbin/rpc.rexecd
2327   title=rpc.rexecd
2328   format=[text]1:text2:text3:text4
2329     comment=error message (failure only):
2330     comment="Remote execution requested by&colon;" hostname:
2331     comment="Username&colon;" username:
2332     comment="Command line&colon;" command attempted
2333 # See audit_rexecd.c
2334 
2335 label=AUE_rshd
2336   program=/usr/sbin/in.rshd
2337   title=in.rshd
2338   format=text1:text2:[text]3:[text]4
2339     comment="cmd" command:
2340     comment="remote user" remote user:
2341     comment="local user" local user:
2342     comment=failure message
2343 # See audit_rshd.c
2344 
2345 label=AUE_shutdown_solaris
2346   title=shutdown
2347   program=/usr/ucb/shutdown
2348   format=user
2349 # See audit_shutdown.c
2350 
2351 label=AUE_smserverd
2352   program=/usr/lib/smedia/rpc.smserverd
2353   format=[text]1:[text]2
2354     comment=state change:
2355     comment=vid, pid, major/minor device
2356 # see usr/src/cmd/smserverd
2357 # code shows a third token, path, but it isn't implemented.
2358 
2359 label=AUE_uadmin_solaris
2360   title=uadmin (obsolete)
2361   program=
2362   see=
2363   format=text1:text2
2364   comment=function code:
2365   comment=argument code
2366 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2367 
2368 label=AUE_LABELSYS_TNRH
2369   title=config Trusted Network remote host cache
2370   see=tnrh(2)
2371   syscall=labelsys: TSOL_TNRH
2372   case=With the flush command (cmd=3)
2373     format=arg1
2374       comment=1, command, "cmd"
2375   case=With the load (cmd=1) and delete (cmd=2) commands
2376     format=arg1:inaddr2:arg3
2377       comment=1, command, "cmd":
2378       comment=ip address of host:
2379       comment=2, prefix length, "prefix len"
2380 
2381 label=AUE_LABELSYS_TNRHTP
2382   title=config Trusted Network remote host template
2383   see=tnrhtp(2)
2384   syscall=labelsys: TSOL_TNRHTP
2385   case=With the flush command (cmd=3)
2386     format=arg1
2387       comment=1, command, "cmd"
2388   case=With the load (cmd=1) and delete (cmd=2) commands
2389     format=arg1:text2
2390       comment=1, command, "cmd":
2391       comment=name of template
2392 
2393 label=AUE_LABELSYS_TNMLP
2394   title=config Trusted Network multi-level port entry
2395   see=tnmlp(2)
2396   syscall=labelsys: TSOL_TNMLP
2397   case=With the flush command (cmd=3)
2398     format=arg1:text2
2399       comment=1, command, "cmd":
2400       comment="shared", or name of zone
2401   case=With the load (cmd=1) and delete (cmd=2) commands
2402     format=arg1:text2:arg3:arg4:[arg]5
2403       comment=1, command, "cmd":
2404       comment="shared", or name of zone:
2405       comment=2, protocol number, "proto num":
2406       comment=2, starting mlp port number, "mlp_port":
2407       comment=2, ending mlp port number, "mlp_port_upper"