1 # audit_record_attr.txt
2 # Comments beginning with two "#" are copied to audit_record_attr;
3 # all other comments are removed.
4 ##
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 ## Copyright 2019 Joyent, Inc.
7 ##
8 ## CDDL HEADER START
9 ##
10 ## The contents of this file are subject to the terms of the
11 ## Common Development and Distribution License (the "License").
12 ## You may not use this file except in compliance with the License.
13 ##
14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15 ## or http://www.opensolaris.org/os/licensing.
16 ## See the License for the specific language governing permissions
17 ## and limitations under the License.
18 ##
19 ## When distributing Covered Code, include this CDDL HEADER in each
20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21 ## If applicable, add the following below this CDDL HEADER, with the
22 ## fields enclosed by brackets "[]" replaced with your own identifying
23 ## information: Portions Copyright [yyyy] [name of copyright owner]
24 ##
25 ## CDDL HEADER END
26 ##
27 ##
28
29 # source file for describing audit records.
30
31 # This file is in two sections. The first is a list of attribute /
32 # value pairs used to provide shortcuts in annotating the audit
33 # records. The second holds the annotation for each audit record.
34
35 # first section: general attributes
36
37 # skipClass=<class name of items to skip if only in that class>
38 # skipClass=no # uncomment to filter unused events
39
40 # token name abbreviations
41 # token=alias:fullname -- short names for key tokens
42
43 token=arg:argument
44 token=attr:attribute
45 token=acl:acl_entry
46 token=cmd:command
47 token=data:data
48 token=exec_args:exec_arguments
49 token=exec_env:exec_environment
50 token=group:group
51 token=inaddr:ip_addr
52 token=inet:socket
53 token=ipc:ipc
54 token=ipc_perm:ipc_perm
55 token=newgroup:newgroups
56 token=path:path
57 token=path_attr:attribute_path
58 token=privset:privilege
59 token=proc:process
60 token=text:text
61 token=tid:terminal_adr
62 token=uauth:use_of_authorization
63 token=upriv:use_of_privilege
64 token=user:user_object
65 token=zone:zonename
66 token=fmri:service_instance
67 token=label:mandatory_label
68
69 token=head:header
70 token=subj:subject
71 token=ret:return
72 token=exit:exit
73
74 # note names -- certain notes show up repeatedly; collected here
75 #
76 # To keep the maximum line length under 80 characters, the
77 # note names (message=) can be defined across multiple lines, with each
78 # line except the last ending in a backslash character.
79
80 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
81 the message ID is not valid.
82
83
84 # basic record pattern ("insert" is where event-specific tokens
85 # are listed.)
86
87 kernel=head:insert:subj:[upriv]:ret
88 user=head:subj:insert:ret
89
90 # Second Section
91 # Annotation Section
92 #
93 # Most audit records need annotation beyond what is provided by
94 # the files audit_event and audit_class. At a minimum, a record
95 # is represented by a label and a format.
96 #
97 # label=record_id like AUE_ACCEPT
98 # format=token_alias
99 #
100 # there is no end line; a new label= ends the preceding definition
101 # and starts the next.
102 #
103 # format values are a list of token names, separated by colons. The
104 # name is either one of the values described above (token=) or is
105 # a value to be taken literally. If a token name ends with a digit,
106 # the digit is an index into an array of comments. In the few cases
107 # where there are no tokens (other than header, subject, return/exit),
108 # use "format=kernel" or "format=user".
109 #
110 # comment is an array of strings separated by colons. If comments
111 # are listed on separate lines (recommended due to better
112 # readability/sustainability of the file), the preceding comment
113 # must end with a colon. The array starts at 1. (If the comment
114 # contains a colon, use ":" without the quotes.)
115 #
116 # case is used to generate alternate descriptions for a given
117 # record.
118 #
119 # Constraints - string lengths; bear in mind that any annotation of the
120 # primitives below that is longer than the specified maximum is silently
121 # truncated to that number of characters by the auditrecord(1M) runtime:
122 #
123 # primitive <= max (non-truncated) string length
124 # case <= unlimited; if necessary, text continues on a new line
125 # comment <= unlimited; if necessary, text continues on a new line
126 # label <= 43
127 # note <= unlimited; if necessary, text continues on a new line
128 # program <= 20
129 # see <= 39
130 # syscall <= 20
131 # title <= 46
132 # token <= 28 (full name)
133 #
134 # To keep the maximum line length under 80 characters, the
135 # unlimited primitives can be defined across multiple lines, with each
136 # line except the last ending in a backslash character. In addition,
137 # the "format=" record attribute follows the same rule.
138 #
139 #
140 # AUE_ACCEPT illustrates the use of all the above. Note that
141 # case is not nested; ellipsis (...) is used to give the effect
142 # of nesting.
143
144 label=AUE_ACCEPT
145 #accept(2) failure
146 case=Invalid socket file descriptor
147 format=arg1
148 comment=1, file descriptor, "so"
149 #accept(2) non SOCK_STREAM socket
150 case=If the socket address is not part of the AF_INET family
151 format=arg1:arg2:arg3
152 comment=1, "so", file descriptor:
153 comment="family", so_family:
154 comment="type", so_type
155 case=If the socket address is part of the AF_INET family
156 case=...If there is no vnode for this file descriptor
157 format=[arg]1
158 comment=1, file descriptor, "Bad so"
159 #accept(2) SOCK_STREAM socket-not bound
160 case=...or if the socket is not bound
161 format=[arg]1:[inet]2
162 comment=1, file descriptor, "so":
163 comment=local/foreign address (0.0.0.0)
164 case=...or if the socket address length = 0
165 format=[arg]1:[inet]2
166 comment=1, file descriptor, "so":
167 comment=local/foreign address (0.0.0.0)
168 case=...or for all other conditions
169 format=inet1:[inet]1
170 comment=socket address
171 #accept(2) failure
172 # header
173 # au_to_arg32 "so",file descriptor
174 # subject
175 # return <errno != 0>
176 #
177 #accept(2) non SOCK_STREAM socket
178 # header
179 # au_to_arg32 "so", file descriptor
180 # au_to_arg32 "family", so_family
181 # au_to_arg32 "type", so_type
182 # subject
183 # return success
184 #
185 #accept(2) SOCK_STREAM socket-not bound
186 # header
187 # au_to_arg32 "so", file descriptor
188 # au_to_socket_ex local/foreign address (0.0.0.0)
189 # subject
190 # return success
191 #
192 #accept(2) SOCK_STREAM socket-bound
193 # header
194 # au_to_arg32 "so", file descriptor
195 # au_to_socket_ex
196 # subject
197 # return success
198
199
200
201 label=AUE_ACCESS
202 format=path1:[attr]
203 comment=may be truncated in failure case
204 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
205 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
206 # attribute,100777,41416,staff,8388608,402255,0
207 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
208 # return,success,0
209 # trailer,163
210 #
211 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
212 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
213 # attribute,100000,root,other,8388608,402257,0
214 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
215 # return,failure: Permission denied,-1
216 # trailer,163
217 #
218 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
219 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
220 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
221 # return,failure: No such file or directory,-1
222 # trailer,135
223
224 label=AUE_ACCT
225 case=Zero path
226 format=arg1
227 comment=1, 0, "accounting off"
228 case=Non-zero path
229 format=path1:[attr]2
230 comment=may be truncated in failure case:
231 comment=omitted if failure
232
233 label=AUE_ACLSET
234 syscall=acl
235 format=arg1:arg2:(0..n)[acl]3
236 comment=2, SETACL, "cmd":
237 comment=3, number of ACL entries, "nentries":
238 comment=Access Control List entries
239
240 label=AUE_ADJTIME
241 format=kernel
242
243 label=AUE_ASYNC_DAEMON
244 skip=Not used
245
246 label=AUE_ASYNC_DAEMON_EXIT
247 skip=Not used
248
249 label=AUE_AUDIT
250 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
251
252 label=AUE_AUDITON
253 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
254
255 label=AUE_AUDITON_GESTATE
256 skip=Not used
257
258 label=AUE_AUDITON_GETAMASK
259 format=kernel
260 syscall=auditon: GETAMASK
261
262 label=AUE_AUDITON_GETCAR
263 format=kernel
264 syscall=auditon: GETCAR
265 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
266 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
267 # return,success,0
268 # trailer,68
269
270 label=AUE_AUDITON_GETCLASS
271 format=kernel
272 syscall=auditon: GETCLASS
273 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
274 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
275 # return,success,0
276 # trailer,68
277
278 label=AUE_AUDITON_GETCOND
279 format=kernel
280 syscall=auditon: GETCOND
281 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
282 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
283 # return,success,0
284 # trailer,68
285
286 label=AUE_AUDITON_GETCWD
287 format=kernel
288 syscall=auditon: GETCWD
289 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
290 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
291 # return,success,0
292 # trailer,68
293
294 label=AUE_AUDITON_GETKMASK
295 format=kernel
296 syscall=auditon: GETKMASK
297 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
298 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
299 # return,success,0
300 # trailer,68
301
302 label=AUE_AUDITON_GETSTAT
303 format=kernel
304 syscall=auditon: A_GETSTAT
305 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
306 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
307 # return,success,0
308 # trailer,68
309
310 label=AUE_AUDITON_GPOLICY
311 format=kernel
312 syscall=auditon: GPOLICY
313 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
314 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
315 # return,success,0
316 # trailer,68
317
318 label=AUE_AUDITON_GQCTRL
319 format=kernel
320 syscall=auditon: GQCTRL
321 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
322 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
323 # return,success,0
324 # trailer,68
325
326
327 label=AUE_AUDITON_GTERMID
328 skip=Not used.
329
330 label=AUE_AUDITON_SESTATE
331 skip=Not used.
332
333 label=AUE_AUDITON_SETAMASK
334 format=[arg]1:[arg]2
335 comment=2, "setamask as_success", user default audit preselection mask:
336 comment=2, "setamask as_failure", user default audit preselection mask
337 syscall=auditon: SETAMASK
338
339 label=AUE_AUDITON_SETCLASS
340 format=[arg]1:[arg]2
341 comment=2, "setclass:ec_event", event number:
342 comment=3, "setclass:ec_class", class mask
343 syscall=auditon: SETCLASS
344 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
345 # argument,2,0x0,setclass:ec_event
346 # argument,3,0x0,setclass:ec_class
347 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
348 # return,success,0
349 # trailer,120
350
351 label=AUE_AUDITON_SETCOND
352 format=[arg]1
353 comment=3, "setcond", audit state
354 syscall=auditon: SETCOND
355
356 label=AUE_AUDITON_SETKMASK
357 format=[arg]1:[arg]2
358 comment=2, "setkmask as_success", kernel non-attributable mask:
359 comment=2, "setkmask as_failure", kernel non-attributable mask
360 syscall=auditon: SETKMASK
361 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
362 # argument,2,0x0,setkmask:as_success
363 # argument,2,0x0,setkmask:as_failure
364 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
365 # return,success,0
366 # trailer,124
367 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
368 # argument,2,0x0,setkmask:as_success
369 # argument,2,0x0,setkmask:as_failure
370 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
371 # return,failure: Not owner,-1
372 # trailer,124
373
374 label=AUE_AUDITON_SETSMASK
375 format=[arg]1:[arg]2
376 comment=3, "setsmask:as_success", session ID mask:
377 comment=3, "setsmask:as_failure", session ID mask
378 syscall=auditon: SETSMASK
379 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
380 # argument,3,0x400,setsmask:as_success
381 # argument,3,0x400,setsmask:as_failure
382 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
383 # return,success,0
384 # trailer,124
385 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
386 # argument,3,0x400,setsmask:as_success
387 # argument,3,0x400,setsmask:as_failure
388 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
389 # return,failure: Not owner,-1
390 # trailer,124
391
392 label=AUE_AUDITON_SETSTAT
393 format=kernel
394 syscall=auditon: SETSTAT
395 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
396 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
397 # return,success,0
398 # trailer,68
399 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
400 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
401 # return,failure: Not owner,-1
402 # trailer,68
403
404 label=AUE_AUDITON_SETUMASK
405 format=[arg]1:[arg]2
406 comment=3, "setumask:as_success", audit ID mask:
407 comment=3, "setumask:as_failure", audit ID mask
408 syscall=auditon: SETUMASK
409 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
410 # argument,3,0x400,setumask:as_success
411 # argument,3,0x400,setumask:as_failure
412 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
413 # return,success,0
414 # trailer,124
415 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
416 # argument,3,0x400,setumask:as_success
417 # argument,3,0x400,setumask:as_failure
418 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
419 # return,failure: Not owner,-1
420 # trailer,124
421
422 label=AUE_AUDITON_SPOLICY
423 format=[arg]1
424 comment=1, audit policy flags, "setpolicy"
425 syscall=auditon: SPOLICY
426 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
427 # argument,3,0x200,setpolicy
428 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
429 # return,success,0
430 # trailer,86
431 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
432 # argument,3,0x200,setpolicy
433 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
434 # return,failure: Not owner,-1
435 # trailer,86
436
437 label=AUE_AUDITON_SQCTRL
438 format=[arg]1:[arg]2:[arg]3:[arg]4
439 comment=3, "setqctrl:aq_hiwater", queue control param.:
440 comment=3, "setqctrl:aq_lowater", queue control param.:
441 comment=3, "setqctrl:aq_bufsz", queue control param.:
442 comment=3, "setqctrl:aq_delay", queue control param.
443 syscall=auditon: SQCTRL
444 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
445 # argument,3,0x64,setqctrl:aq_hiwater
446 # argument,3,0xa,setqctrl:aq_lowater
447 # argument,3,0x400,setqctrl:aq_bufsz
448 # argument,3,0x14,setqctrl:aq_delay
449 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
450 # return,success,0
451 # trailer,176
452 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
453 # argument,3,0x64,setqctrl:aq_hiwater
454 # argument,3,0xa,setqctrl:aq_lowater
455 # argument,3,0x400,setqctrl:aq_bufsz
456 # argument,3,0x14,setqctrl:aq_delay
457 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
458 # return,failure: Not owner,-1
459 # trailer,176
460
461 label=AUE_AUDITON_STERMID
462 skip=Not used.
463
464 label=AUE_AUDITSTAT
465 skip=Not used.
466
467 label=AUE_AUDITSVC
468 skip=Not used.
469
470 label=AUE_AUDITSYS
471 skip=Not used. (Place holder for various auditing events.)
472
473 label=AUE_BIND
474 # differs from documented version.
475 # cases "no vnode" not fully confirmed
476 # family and type need argument number
477 case=Invalid socket handle
478 format=arg1
479 comment=1, file descriptor, "so"
480 case=If there is no vnode for this file descriptor
481 case=or if the socket is not of the AF_INET family
482 format=arg1:arg2:arg3
483 comment=1, file descriptor, "so":
484 comment=1, socket family, "family":
485 comment=1, socket type, "type"
486 case=or for all other conditions
487 format=arg1:inet2
488 comment=1, file descriptor, "so":
489 comment=socket address
490
491 label=AUE_BRANDSYS
492 # generic mechanism to allow user-space and kernel components of a brand
493 # to communicate. The interpretation of the arguments to the call is
494 # left entirely up to the brand.
495 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
496 comment=1, command, "cmd":
497 comment=2, command args, "arg":
498 comment=3, command args, "arg":
499 comment=4, command args, "arg":
500 comment=5, command args, "arg":
501 comment=6, command args, "arg":
502 comment=7, command args, "arg"
503
504 label=AUE_BSMSYS
505 skip=Not used.
506
507 label=AUE_CHDIR
508 format=path:[attr]
509 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
510 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
511 # attribute,40777,root,other,8388608,231558,0
512 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
513 # return,success,0
514 # trailer,151
515 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
516 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
517 # attribute,40000,root,other,8388608,237646,0
518 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
519 # return,failure: Permission denied,-1
520 # trailer,151
521
522 label=AUE_CHMOD
523 format=arg1:path:[attr]
524 comment=2, mode, "new file mode"
525 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
526 # argument,2,0x1f8,new file mode
527 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
528 # attribute,100770,tuser10,other,8388608,243608,0
529 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
530 # return,success,0
531 # trailer,173
532 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
533 # argument,2,0x1f8,new file mode
534 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
535 # attribute,100600,root,other,8388608,243609,0
536 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
537 # return,failure: Not owner,-1
538 # trailer,173
539
540 label=AUE_CHOWN
541 format=arg1:arg2
542 comment=2, uid, "new file uid":
543 comment=3, gid, "new file gid"
544 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
545 # argument,2,0x271a,new file uid
546 # argument,3,0xffffffff,new file gid
547 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
548 # attribute,100644,tuser10,other,8388608,268406,0
549 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
550 # return,success,0
551 # trailer,193
552 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
553 # argument,2,0x271a,new file uid
554 # argument,3,0xffffffff,new file gid
555 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
556 # attribute,100644,root,other,8388608,268407,0
557 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
558 # return,failure: Not owner,-1
559 # trailer,193
560
561 label=AUE_CHROOT
562 format=path:[attr]
563 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
564 # path,/
565 # attribute,40755,root,root,8388608,2,0
566 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
567 # return,success,0
568 # trailer,104
569 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
570 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
571 # attribute,40777,tuser10,other,8388608,335110,0
572 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
573 # return,failure: Not owner,-1
574 # trailer,152
575
576 label=AUE_CLOCK_SETTIME
577 format=kernel
578
579 label=AUE_CLOSE
580 format=arg1:[path]:[attr]
581 comment=1, file descriptor, "fd"
582
583 label=AUE_CONFIGKSSL
584 case=Adding KSSL entry.
585 format=text1:inaddr2:text3:text4
586 comment=opcode, KSSL_ADD_ENTRY:
587 comment=local IP address:
588 comment=SSL port number:
589 comment=proxy port number
590 case=Deleting KSSL entry.
591 format=text1:inaddr2:text3
592 comment=opcode, KSSL_DELETE_ENTRY:
593 comment=local IP address:
594 comment=SSL port number
595
596 label=AUE_CONNECT
597 # cases "no vnode" not fully confirmed
598 case=If there is no vnode for this file descriptor
599 case=If the socket address is not part of the AF_INET family
600 format=arg1:arg2:arg3
601 comment=1, file descriptor, "so":
602 comment=1, socket family, "family":
603 comment=1, socket type, "type"
604 case=If the socket address is part of the AF_INET family
605 format=arg1:inet2
606 comment=1, file descriptor, "so":
607 comment=socket address
608
609 label=AUE_CORE
610 syscall=none
611 title=process dumped core
612 see=none
613 format=path:[attr]:arg1
614 comment=1, signal, "signal"
615 # see uts/common/c2/audit.c
616
617 label=AUE_CREAT
618 # obsolete - see open(2)
619 format=path:[attr]
620 # does not match old BSM manual
621 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
622 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
623 # attribute,100644,tuser10,other,8388608,49679,0
624 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
625 # return,success,8
626 # trailer,151
627 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
628 # path,/devices/pseudo/mm@0:null
629 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
630 # return,success,8
631 # trailer,107
632 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
633 # path,/obj_fail
634 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
635 # return,failure: Permission denied,-1
636 # trailer,83
637
638 label=AUE_CRYPTOADM
639 title=kernel cryptographic framework
640 format=text1:(0..n)[text]2
641 comment=cryptoadm command/operation:
642 comment=mechanism list
643
644 label=AUE_DOORFS
645 skip=Not used. (Place holder for set of door audit events.)
646
647 label=AUE_DOORFS_DOOR_BIND
648 skip=Not used.
649 syscall=doorfs: DOOR_BIND
650
651 label=AUE_DOORFS_DOOR_CALL
652 format=arg1:proc2
653 comment=1, door ID, "door ID":
654 comment=for process that owns the door
655 syscall=doorfs: DOOR_CALL
656
657 label=AUE_DOORFS_DOOR_CREATE
658 format=arg1
659 comment=1, door attributes, "door attr"
660 syscall=doorfs: DOOR_CREATE
661
662 label=AUE_DOORFS_DOOR_CRED
663 skip=Not used.
664 syscall=doorfs: DOOR_CRED
665
666 label=AUE_DOORFS_DOOR_INFO
667 skip=Not used.
668 syscall=doorfs: DOOR_INFO
669
670 label=AUE_DOORFS_DOOR_RETURN
671 format=kernel
672 syscall=doorfs: DOOR_RETURN
673
674 label=AUE_DOORFS_DOOR_REVOKE
675 format=arg1
676 comment=1, door ID, "door ID"
677 syscall=doorfs: DOOR_REVOKE
678
679 label=AUE_DOORFS_DOOR_UNBIND
680 skip=Not used.
681 syscall=doorfs: DOOR_UNBIND
682
683 label=AUE_DUP2
684 skip=Not used.
685
686 label=AUE_ENTERPROM
687 title=enter prom
688 syscall=none
689 format=head:text1:ret
690 comment="kmdb"
691 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
692 # text,kmdb
693 # return,success,0
694
695 label=AUE_EXEC
696 # obsolete - see execve(2)
697 format=path:[attr]1:[exec_args]2:[exec_env]3
698 comment=omitted on error:
699 comment=output if argv policy is set:
700 comment=output if arge policy is set
701
702 label=AUE_EXECVE
703 format=path:[attr]1:[exec_args]2:[exec_env]3
704 comment=omitted on error:
705 comment=output if argv policy is set:
706 comment=output if arge policy is set
707 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
708 # path,/devices/pseudo/mm@0:null
709 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
710 # return,success,8
711 # trailer,107
712 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
713 # path,/usr/bin/pig
714 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
715 # return,failure: No such file or directory,-1
716 # trailer,86
717
718 label=AUE_PFEXEC
719 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
720 comment=pathname of the executable:
721 comment=pathname of working directory:
722 comment=privileges if the limit or inheritable set are changed:
723 comment=process if ruid, euid, rgid or egid is changed:
724 comment=output if arge policy is set
725
726 label=AUE_sudo
727 format=exec_args1:[text]2
728 comment=command args:
729 comment=error message (failure only)
730
731 label=AUE_EXIT
732 format=arg1:[text]2
733 comment=1, exit status, "exit status":
734 comment=event aborted
735
736 label=AUE_EXITPROM
737 title=exit prom
738 syscall=none
739 format=head:text1:ret
740 comment="kmdb"
741 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
742 # text,kmdb
743 # return,success,0
744
745 label=AUE_EXPORTFS
746 skip=Not used.
747
748 label=AUE_FACCESSAT
749 # obsolete
750 see=access(2)
751 format=path:[attr]
752
753 label=AUE_FACLSET
754 syscall=facl
755 case=Invalid file descriptor
756 format=arg1:arg2
757 comment=2, SETACL, "cmd":
758 comment=3, number of ACL entries, "nentries"
759 case=Zero path
760 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
761 comment=2, SETACL, "cmd":
762 comment=3, number of ACL entries, "nentries":
763 comment=1, file descriptor, "no path: fd":
764 comment=ACLs
765 case=Non-zero path
766 format=arg1:arg2:path:[attr]:(0..n)[acl]3
767 comment=2, SETACL, "cmd":
768 comment=3, number of ACL entries, "nentries":
769 comment=ACLs
770
771 label=AUE_FCHDIR
772 format=[path]:[attr]
773 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
774 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
775 # attribute,40777,tuser10,other,8388608,207662,0
776 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
777 # return,success,0
778 # trailer,150
779 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
780 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
781 # return,failure: Permission denied,-1
782 # trailer,68
783
784 label=AUE_FCHMOD
785 case=With a valid file descriptor and path
786 format=arg1:path:[attr]
787 comment=2, mode, "new file mode"
788 case=With a valid file descriptor and invalid path
789 format=arg1:[arg]2:[attr]
790 comment=2, mode, "new file mode":
791 comment=1, file descriptor, "no path: fd"
792 case=With an invalid file descriptor
793 format=arg1
794 comment=2, mode, "new file mode"
795 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
796 # argument,2,0x1a4,new file mode
797 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
798 # attribute,100644,tuser10,other,7602240,26092,0
799 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
800 # return,success,0
801 # trailer,168
802 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
803 # argument,2,0x1a4,new file mode
804 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
805 # return,failure: Bad file number,-1
806 # trailer,90
807 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
808 # argument,2,0x1a4,new file mode
809 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
810 # attribute,100644,root,other,7602240,26093,0
811 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
812 # return,failure: Not owner,-1
813 # trailer,168
814
815 label=AUE_FCHOWN
816 case=With a valid file descriptor
817 format=arg1:arg2:[path]:[attr]
818 comment=2, uid, "new file uid":
819 comment=3, gid, "new file gid"
820 case=With an invalid file descriptor
821 format=arg1:arg2:[arg]3:[attr]
822 comment=2, uid, "new file uid":
823 comment=3, gid, "new file gid":
824 comment=1, file descriptor, "no path fd"
825
826 label=AUE_FCHOWNAT
827 # obsolete
828 see=openat(2)
829 case=With a valid absolute/relative file path
830 format=path:[attr]
831 case=With a file path eq. NULL and a valid file descriptor
832 format=kernel
833
834 label=AUE_FCHROOT
835 format=[path]:[attr]
836 # fchroot -> chdirec -> audit_chdirec
837
838 label=AUE_FCNTL
839 case=With a valid file descriptor
840 format=arg1:[arg]2:path:attr
841 comment=2, command, "cmd":
842 comment=3, flags, "flags"
843 case=With an invalid file descriptor
844 format=arg1:[arg]2:arg3
845 comment=2, command, "cmd":
846 comment=3, flags, "flags":
847 comment=1, file descriptor, "no path fd"
848 note=Flags are included only when cmd is F_SETFL.
849
850 label=AUE_FLOCK
851 skip=Not used.
852
853 label=AUE_FORKALL
854 format=[arg]1
855 comment=0, pid, "child PID"
856 note=The forkall(2) return values are undefined because the audit record
857 note=is produced at the point that the child process is spawned.
858 # see audit.c
859
860 label=AUE_FORK1
861 format=[arg]1
862 comment=0, pid, "child PID"
863 note=The fork1(2) return values are undefined because the audit record
864 note=is produced at the point that the child process is spawned.
865 # see audit.c
866
867 label=AUE_FSAT
868 # obsolete
869 skip=Not used. (Placeholder for AUE_*AT records)
870
871 label=AUE_FSTAT
872 skip=Not used.
873
874 label=AUE_FSTATAT
875 # obsolete
876 format=path:[attr]
877
878 label=AUE_FSTATFS
879 case=With a valid file descriptor
880 format=[path]:[attr]
881 case=With an invalid file descriptor
882 format=arg1
883 comment=1, file descriptor, "no path fd"
884
885 label=AUE_FTRUNCATE
886 skip=Not used.
887
888 label=AUE_FUSERS
889 syscall=utssys: UTS_FUSERS
890 format=path:attr
891
892 label=AUE_FUTIMESAT
893 # obsolete
894 format=[path]:[attr]
895
896 label=AUE_GETAUDIT
897 format=kernel
898 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
899 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
900 # return,success,0
901 # trailer,68
902 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
903 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
904 # return,success,0
905 # trailer,68
906
907 label=AUE_GETAUDIT_ADDR
908 format=kernel
909 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
910 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
911 # return,success,0
912
913 label=AUE_GETAUID
914 format=kernel
915 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
916 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
917 # return,success,0
918 # trailer,68
919 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
920 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
921 # return,failure: Not owner,-1
922 # trailer,68
923
924 label=AUE_GETDENTS
925 skip=Not used.
926 #Not security relevant
927
928 label=AUE_GETKERNSTATE
929 skip=Not used.
930
931 label=AUE_GETMSG
932 case=With a valid file descriptor
933 format=arg1:[path]:attr:arg2
934 comment=1, file descriptor, "fd":
935 comment=4, priority, "pri"
936 case=With an invalid file descriptor
937 format=arg1:arg2
938 comment=1, file descriptor, "fd":
939 comment=4, priority, "pri"
940
941 label=AUE_GETPMSG
942 case=With a valid file descriptor
943 format=arg1:[path]:attr
944 comment=1, file descriptor, "fd"
945 case=With an invalid file descriptor
946 format=arg1
947 comment=1, file descriptor, "fd"
948
949 label=AUE_GETPORTAUDIT
950 skip=Not used.
951
952 label=AUE_GETUSERAUDIT
953 skip=Not used.
954
955 label=AUE_INST_SYNC
956 format=arg1
957 comment=2, flags value, "flags"
958
959 label=AUE_IOCTL
960 case=With an invalid file descriptor
961 format=arg1:arg2:arg3
962 comment=1, file descriptor, "fd":
963 comment=2, command, "cmd":
964 comment=3, arg, "arg"
965 case=With a valid file descriptor
966 format=path:[attr]:arg1:arg2
967 comment=2, ioctl cmd, "cmd":
968 comment=3, ioctl arg, "arg"
969 case=Non-file file descriptor
970 format=arg1:arg2:arg3
971 comment=1, file descriptor, "fd":
972 comment=2, ioctl cmd, "cmd":
973 comment=3, ioctl arg, "arg"
974 case=Bad file name
975 format=arg1:arg2:arg3
976 comment=1, file descriptor, "no path: fd":
977 comment=2, ioctl cmd, "cmd":
978 comment=3, ioctl arg, "arg"
979 # old BSM manual misses a case
980
981 label=AUE_JUNK
982 skip=Not used.
983
984 label=AUE_KILL
985 case=Valid process
986 format=arg1:[proc]
987 comment=2, signo, "signal"
988 case=Zero or negative process
989 format=arg1:arg2
990 comment=2, signo, "signal":
991 comment=1, pid, "process"
992
993 label=AUE_KILLPG
994 skip=Not used.
995
996 label=AUE_LCHOWN
997 format=arg1:arg2:path:[attr]
998 comment=2, uid, "new file uid":
999 comment=3, gid, "new file gid"
1000
1001 label=AUE_LINK
1002 format=path1:[attr]:path2
1003 comment=from path:
1004 comment=to path
1005
1006 label=AUE_LSEEK
1007 skip=Not used.
1008
1009 label=AUE_LSTAT
1010 format=path:[attr]
1011
1012 label=AUE_LXSTAT
1013 # obsolete
1014 skip=Not used.
1015
1016 label=AUE_MCTL
1017 skip=Not used.
1018
1019 label=AUE_MEMCNTL
1020 format=arg1:arg2:arg3:arg4:arg5:arg6
1021 comment=1, base address, "base":
1022 comment=2, length, "len":
1023 comment=3, command, "cmd":
1024 comment=4, command args, "arg":
1025 comment=5, command attributes, "attr":
1026 comment=6, 0, "mask"
1027
1028 label=AUE_MKDIR
1029 format=arg1:path:[attr]
1030 comment=2, mode, "mode"
1031
1032 label=AUE_MKNOD
1033 format=arg1:arg2:path:[attr]
1034 comment=2, mode, "mode":
1035 comment=3, dev, "dev"
1036
1037 label=AUE_MMAP
1038 case=With a valid file descriptor
1039 format=arg1:arg2:[path]3:[attr]
1040 comment=1, segment address, "addr":
1041 comment=2, segment address, "len":
1042 comment=if no path, then argument: \
1043 1, "nopath: fd", file descriptor
1044 case=With an invalid file descriptor
1045 format=arg1:arg2:arg3
1046 comment=1, segment address, "addr":
1047 comment=2, segment address, "len":
1048 comment=1, file descriptor, "no path: fd"
1049
1050 label=AUE_MODADDMAJ
1051 title=modctl: bind module
1052 syscall=modctl
1053 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1054 comment=driver major number:
1055 comment=driver name:
1056 comment=driver major number or "no drvname":
1057 comment=5, number of aliases, "":
1058 comment=aliases
1059
1060 label=AUE_MODADDPRIV
1061 format=kernel
1062
1063 label=AUE_MODCONFIG
1064 skip=Not used.
1065
1066 label=AUE_MODCTL
1067 skip=Not used. (placeholder)
1068
1069 label=AUE_MODDEVPLCY
1070 syscall=modctl
1071 title=modctl: set device policy
1072 case=If unknown minor name/pattern
1073 format=arg1:arg2:arg3:arg4:arg5
1074 comment=2, "major", major number:
1075 comment=2, "lomin", low minor number, if known:
1076 comment=2, "himin", hi minor number, if known:
1077 comment=privileges required for reading:
1078 comment=privileges required for writing
1079 case=else
1080 format=arg1:text2:arg3:arg4
1081 comment=2, "major", major number:
1082 comment=minor name/pattern:
1083 comment=privileges required for reading:
1084 comment=privileges required for writing
1085
1086 label=AUE_MODLOAD
1087 syscall=modctl
1088 title=modctl: load module
1089 format=[text]1:text2
1090 comment=default path:
1091 comment=filename path
1092
1093 label=AUE_MODUNLOAD
1094 syscall=modctl
1095 title=modctl: unload module
1096 format=arg1
1097 comment=1, module ID, "id"
1098
1099 label=AUE_MOUNT
1100 case=UNIX file system
1101 format=arg1:text2:path:[attr]
1102 comment=3, flags, "flags":
1103 comment=filesystem type
1104 case=NFS file system
1105 format=arg1:text2:text3:arg4:path:[attr]
1106 comment=3, flags, "flags":
1107 comment=filesystem type:
1108 comment=host name:
1109 comment=3, flags, "internal flags"
1110 # unix example:
1111 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1112 # argument,3,0x104,flags
1113 # text,ufs
1114 # path,/var2
1115 # attribute,40755,root,root,32,12160,0
1116 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1117 # attribute,60640,root,sys,32,231268,137438953476
1118 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1119 # return,success,4290707268
1120 # ^^^^^^^^^^ <- bugid 4333559
1121
1122 label=AUE_MSGCTL
1123 format=arg1:[ipc]:[ipc_perm]
1124 comment=1, message ID, "msg ID"
1125 note=ipc_perm
1126 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127
1128 label=AUE_MSGCTL_RMID
1129 format=arg1:[ipc]:[ipc_perm]
1130 comment=1, message ID, "msg ID"
1131 note=ipc_perm
1132 syscall=msgctl: IPC_RMID
1133 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134
1135 label=AUE_MSGCTL_SET
1136 format=arg1:[ipc]:[ipc_perm]
1137 comment=1, message ID, "msg ID"
1138 note=ipc_perm
1139 syscall=msgctl: IPC_SET
1140 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141
1142 label=AUE_MSGCTL_STAT
1143 format=arg1:[ipc]:[ipc_perm]
1144 comment=1, message ID, "msg ID"
1145 note=ipc_perm
1146 syscall=msgctl: IPC_STAT
1147 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1148
1149 label=AUE_MSGGET
1150 format=arg1:ipc
1151 comment=1, message key, "msg key"
1152 note=ipc_perm
1153 syscall=msgget
1154
1155 label=AUE_MSGGETL
1156 skip=Not used.
1157
1158 label=AUE_MSGRCV
1159 format=arg1:[ipc]:[ipc_perm]
1160 comment=1, message ID, "msg ID"
1161 note=ipc_perm
1162 syscall=msgrcv
1163 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1164
1165 label=AUE_MSGRCVL
1166 skip=Not used.
1167
1168 label=AUE_MSGSND
1169 format=arg1:[ipc]:[ipc_perm]
1170 comment=1, message ID, "msg ID"
1171 note=ipc_perm
1172 syscall=msgsnd
1173 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1174
1175 label=AUE_MSGSNDL
1176 skip=Not used.
1177
1178 label=AUE_MSGSYS
1179 skip=Not used. (Placeholder for AUE_MSG* events.)
1180
1181 label=AUE_MUNMAP
1182 format=arg1:arg2
1183 comment=1, address of memory, "addr":
1184 comment=2, memory segment size, "len"
1185
1186 label=AUE_NFS
1187 skip=Not used.
1188
1189 label=AUE_NFSSVC_EXIT
1190 skip=Not used.
1191
1192 label=AUE_NFS_GETFH
1193 skip=Not used.
1194
1195 label=AUE_NFS_SVC
1196 skip=Not used.
1197
1198 label=AUE_NICE
1199 format=kernel
1200
1201 label=AUE_NULL
1202 skip=Not used. (placeholder)
1203 # used internal to audit_event.c for minimal audit
1204
1205 label=AUE_NTP_ADJTIME
1206 format=kernel
1207
1208 label=AUE_ONESIDE
1209 skip=Not used.
1210
1211 label=AUE_OPEN
1212 skip=Not used. (placeholder for AUE_OPEN_*).
1213
1214 label=AUE_OPEN_R
1215 format=path:[path_attr]:[attr]
1216 see=open(2) - read
1217
1218 label=AUE_OPENAT_R
1219 # obsolete
1220 format=path:[path_attr]:[attr]
1221 see=openat(2)
1222
1223 label=AUE_OPEN_RC
1224 format=path:[path_attr]:[attr]
1225 see=open(2) - read,creat
1226
1227 label=AUE_OPENAT_RC
1228 # obsolete
1229 see=openat(2)
1230 format=path:[path_attr]:[attr]
1231
1232 label=AUE_OPEN_RT
1233 format=path:[path_attr]:[attr]
1234 see=open(2) - read,trunc
1235
1236 label=AUE_OPENAT_RT
1237 # obsolete
1238 see=openat(2)
1239 format=path:[path_attr]:[attr]
1240
1241 label=AUE_OPEN_RTC
1242 format=path:[path_attr]:[attr]
1243 see=open(2) - read,trunc,creat
1244
1245 label=AUE_OPENAT_RTC
1246 # obsolete
1247 see=openat(2)
1248 format=path:[path_attr]:[attr]
1249
1250 label=AUE_OPEN_RW
1251 format=path:[path_attr]:[attr]
1252 see=open(2) - read,write
1253
1254 label=AUE_OPENAT_RW
1255 # obsolete
1256 see=openat(2)
1257 format=path:[path_attr]:[attr]
1258 # aui_fsat(): fm & O_RDWR
1259
1260 label=AUE_OPEN_RWC
1261 format=path:[path_attr]:[attr]
1262 see=open(2) - read,write,creat
1263
1264 label=AUE_OPENAT_RWC
1265 # obsolete
1266 see=openat(2)
1267 format=path:[path_attr]:[attr]
1268
1269 label=AUE_OPEN_RWT
1270 format=path:[path_attr]:[attr]
1271 see=open(2) - read,write,trunc
1272
1273 label=AUE_OPENAT_RWT
1274 # obsolete
1275 see=openat(2)
1276 format=path:[path_attr]:[attr]
1277
1278 label=AUE_OPEN_RWTC
1279 format=path:[path_attr]:[attr]
1280 see=open(2) - read,write,trunc,creat
1281
1282 label=AUE_OPENAT_RWTC
1283 # obsolete
1284 see=openat(2)
1285 format=path:[path_attr]:[attr]
1286
1287 label=AUE_OPEN_W
1288 format=path:[path_attr]:[attr]
1289 see=open(2) - write
1290
1291 label=AUE_OPENAT_W
1292 see=openat(2)
1293 format=path:[path_attr]:[attr]
1294
1295 label=AUE_OPEN_WC
1296 format=path:[path_attr]:[attr]
1297 see=open(2) - write,creat
1298
1299 label=AUE_OPENAT_WC
1300 see=openat(2)
1301 format=path:[path_attr]:[attr]
1302
1303 label=AUE_OPEN_WT
1304 format=path:[path_attr]:[attr]
1305 see=open(2) - write,trunc
1306
1307 label=AUE_OPENAT_WT
1308 see=openat(2)
1309 format=path:[path_attr]:[attr]
1310
1311 label=AUE_OPEN_WTC
1312 format=path:[path_attr]:[attr]
1313 see=open(2) - write,trunc,creat
1314
1315 label=AUE_OPENAT_WTC
1316 see=openat(2)
1317 format=path:[path_attr]:[attr]
1318
1319 label=AUE_OPEN_S
1320 format=path:[path_attr]:[attr]
1321 see=open(2) - search
1322
1323 label=AUE_OPEN_E
1324 format=path:[path_attr]:[attr]
1325 see=open(2) - exec
1326
1327 label=AUE_OSETPGRP
1328 skip=Not used.
1329
1330 label=AUE_OSTAT
1331 # obsolete
1332 skip=Not used.
1333
1334 label=AUE_PATHCONF
1335 format=path:[attr]
1336
1337 label=AUE_PIPE
1338 format=kernel
1339 # class is no, not usually printed
1340
1341 label=AUE_PORTFS
1342 skip=Not used (placeholder for AUE_PORTFS_*).
1343
1347 label=AUE_PORTFS_ASSOCIATE
1348 syscall=portfs
1349 see=port_associate(3C)
1350 case=Port association via PORT_SOURCE_FILE
1351 format=[path]1:attr
1352 comment=name of the file/directory to be watched
1353
1354 label=AUE_PORTFS_DISSOCIATE
1355 syscall=portfs
1356 see=port_dissociate(3C)
1357 case=Port disassociation via PORT_SOURCE_FILE
1358 format=kernel
1359
1360 label=AUE_PRIOCNTLSYS
1361 syscall=priocntl
1362 see=priocntl(2)
1363 format=arg1:arg2
1364 comment=1, priocntl version number, "pc_version":
1365 comment=3, command, "cmd"
1366
1367 label=AUE_PROCESSOR_BIND
1368 case=No LWP/thread bound to the processor
1369 format=arg1:arg2:text3:[proc]
1370 comment=1, type of ID, "ID type":
1371 comment=2, ID value, "ID":
1372 comment="PBIND_NONE"
1373 case=With processor bound
1374 format=arg1:arg2:arg3:[proc]
1375 comment=1, type of ID, "ID type":
1376 comment=2, ID value, "ID":
1377 comment=3, processor ID, "processor_id"
1378
1379 label=AUE_PUTMSG
1380 see=putmsg(2)
1381 format=arg1:[path]:[attr]:arg2
1382 comment=1, file descriptor, "fd":
1383 comment=4, priority, "pri"
1384
1385 label=AUE_PUTPMSG
1386 see=putpmsg(2)
1387 format=arg1:[path]:[attr]:arg2:arg3
1388 comment=1, file descriptor, "fd":
1389 comment=4, priority, "pri":
1390 comment=5, flags, "flags"
1391
1392 label=AUE_P_ONLINE
1393 format=arg1:arg2:text3
1394 comment=1, processor ID, "processor ID":
1395 comment=2, flags value, "flags":
1396 comment=text form of flags. Values: \
1397 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1398
1399 label=AUE_QUOTACTL
1400 skip=Not used.
1401
1402 label=AUE_READ
1403 skip=Not used. (Placeholder for AUE_READ_* events)
1404
1405 label=AUE_READL
1406 skip=Not used. (Obsolete)
1407
1408 label=AUE_READLINK
1409 format=path:[attr]
1410
1411 label=AUE_READV
1412 skip=Not used (obsolete)
1413 # detritus from CMS
1414
1415 label=AUE_READVL
1416 skip=Not used (obsolete)
1417 # detritus from CMS
1418
1419 label=AUE_REBOOT
1420 skip=Not used.
1421
1422 label=AUE_RECV
1423 case=If address family is AF_INET or AF_INET6
1424 format=[arg]1:[inet]
1425 comment=1, file descriptor, "so"
1426 case=If address family is AF_UNIX and path is defined
1427 format=[path]1:[attr]
1428 comment=1, file descriptor, "so"
1429 case=If address family is AF_UNIX and path is NULL
1430 format=[path]1:[attr]
1431 comment=1, file descriptor, "no path: fd"
1432 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1433 format=[arg]1:[arg]2:[arg]3
1434 comment=1, file descriptor, "so":
1435 comment=1, family, "family":
1436 comment=1, type, "type"
1437 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1438
1439 label=AUE_RECVFROM
1440 format=inet:arg1:[arg]2:inet3:arg4
1441 comment=3, message length, "len":
1442 comment=4, flags, "flags":
1443 comment=from address:
1444 comment=6, address length, "tolen"
1445 note=The socket token for a bad socket is reported as "argument
1446 note=token (1, socket descriptor, "fd")"
1447
1448 label=AUE_RECVMSG
1449 case=If invalid file descriptor
1450 format=arg1:arg2
1451 comment=1, file descriptor, "so":
1452 comment=3, flags, "flags"
1453 case=If valid file descriptor and socket is AF_UNIX and no path
1454 format=arg1:[attr]
1455 comment=1, file descriptor, "no path: fd"
1456 case=If valid file descriptor and socket is AF_UNIX and path defined
1457 format=path:attr
1458 case=If valid file descriptor and socket is AF_INET or AF_INET6
1459 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1460 format=arg1:arg2:inet
1461 comment=1, file descriptor, "so":
1462 comment=2, flags, "flags"
1463 case=.. if socket type is unknown
1464 format=arg1:arg2:arg3:arg4
1465 comment=1, file descriptor, "so":
1466 comment=1, family, "family":
1467 comment=1, type, "type":
1468 comment=3, flags, "flags"
1469
1470 label=AUE_RENAME
1471 format=path1:[attr]1:[path]2
1472 comment=from name:
1473 comment=to name
1474
1475 label=AUE_RENAMEAT
1476 # obsolete
1477 format=path1:[attr]1:[path]2
1478 comment=from name:
1479 comment=to name
1480
1481 label=AUE_RFSSYS
1482 skip=Not used.
1483 # apparently replaced
1484
1485 label=AUE_RMDIR
1486 format=path:[attr]
1487
1488 label=AUE_SEMCTL
1489 format=arg1:[ipc]:[ipc_perm]
1490 comment=1, semaphore ID, "sem ID"
1491 note=ipc_perm
1492 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1493
1494 label=AUE_SEMCTL_GETALL
1495 format=arg1:[ipc]:[ipc_perm]
1496 comment=1, semaphore ID, "sem ID"
1497 note=ipc_perm
1498 syscall=semctl: GETALL
1499 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1500
1501 label=AUE_SEMCTL_GETNCNT
1502 format=arg1:[ipc]:[ipc_perm]
1503 comment=1, semaphore ID, "sem ID"
1504 note=ipc_perm
1505 syscall=semctl: GETNCNT
1506 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1507
1508 label=AUE_SEMCTL_GETPID
1509 format=arg1:[ipc]:[ipc_perm]
1510 comment=1, semaphore ID, "sem ID"
1511 note=ipc_perm
1512 syscall=semctl: GETPID
1513 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1514
1515 label=AUE_SEMCTL_GETVAL
1516 format=arg1:[ipc]:[ipc_perm]
1517 comment=1, semaphore ID, "sem ID"
1518 note=ipc_perm
1519 syscall=semctl: GETVAL
1520 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1521
1522 label=AUE_SEMCTL_GETZCNT
1523 format=arg1:[ipc]:[ipc_perm]
1524 comment=1, semaphore ID, "sem ID"
1525 note=ipc_perm
1526 syscall=semctl: GETZCNT
1527 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1528
1529 label=AUE_SEMCTL_RMID
1530 format=arg1:[ipc]:[ipc_perm]
1531 comment=1, semaphore ID, "sem ID"
1532 note=ipc_perm
1533 syscall=semctl: IPC_RMID
1534 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1535
1536 label=AUE_SEMCTL_SET
1537 format=arg1:[ipc]:[ipc_perm]
1538 comment=1, semaphore ID, "sem ID"
1539 note=ipc_perm
1540 syscall=semctl: IPC_SET
1541 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1542
1543 label=AUE_SEMCTL_SETALL
1544 format=arg1:[ipc]:[ipc_perm]
1545 comment=1, semaphore ID, "sem ID"
1546 note=ipc_perm
1547 syscall=semctl: SETALL
1548 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1549
1550 label=AUE_SEMCTL_SETVAL
1551 format=arg1:[ipc]:[ipc_perm]
1552 comment=1, semaphore ID, "sem ID"
1553 note=ipc_perm
1554 syscall=semctl: SETVAL
1555 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1556
1557 label=AUE_SEMCTL_STAT
1558 format=arg1:[ipc]:[ipc_perm]
1559 comment=1, semaphore ID, "sem ID"
1560 note=ipc_perm
1561 syscall=semctl: IPC_STAT
1562 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1563
1564 label=AUE_SEMGET
1565 format=arg1:[ipc_perm]:ipc
1566 comment=1, semaphore ID, "sem key"
1567 note=ipc_perm
1568 syscall=semget
1569 # ipc_perm token: semget -> audit_ipcget
1570
1571 label=AUE_SEMGETL
1572 skip=Not used.
1573
1574 label=AUE_SEMOP
1575 format=arg1:[ipc]:[ipc_perm]
1576 comment=1, semaphore ID, "sem ID"
1577 note=ipc_perm
1578 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1579
1580 label=AUE_SEMSYS
1581 skip=Not used. (place holder) -- defaults to a semget variant
1582
1583 label=AUE_SEND
1584 case=If address family is AF_INET or AF_INET6
1585 format=[arg]1:[inet]
1586 comment=1, file descriptor, "so"
1587 case=If address family is AF_UNIX and path is defined
1588 format=[path]1:[attr]
1589 comment=1, file descriptor, "so"
1590 case=If address family is AF_UNIX and path is NULL
1591 format=[path]1:[attr]
1592 comment=1, file descriptor, "no path: fd"
1593 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1594 format=[arg]1:[arg]2:[arg]3
1595 comment=1, file descriptor, "so":
1596 comment=1, family, "family":
1597 comment=1, type, "type"
1598 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1599
1600 label=AUE_SENDMSG
1601 case=If invalid file descriptor
1602 format=arg1:arg2
1603 comment=1, file descriptor, "so":
1604 comment=3, flags, "flags"
1605 case=If valid file descriptor
1606 case=...and address family is AF_UNIX and path is defined
1607 format=path:attr
1608 case=...and address family is AF_UNIX and path is NULL
1609 format=path1:attr
1610 comment=1, file descriptor, "nopath: fd"
1611 case=...and address family is AF_INET or AF_INET6, \
1612 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1613 format=arg1:arg2:inet
1614 comment=1, file descriptor, "so":
1615 comment=3, flags, "flags"
1616 case=...and unknown address family or address family AF_INET or AF_INET6 \
1617 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1618 format=arg1:arg2:arg3:arg4
1619 comment=1, file descriptor, "so":
1620 comment=1, family, "family":
1621 comment=1, type, "type":
1622 comment=1, flags, "flags"
1623
1624 label=AUE_SENDTO
1625 case=If invalid file descriptor
1626 format=arg1:arg2
1627 comment=1, file descriptor, "so":
1628 comment=3, flags, "flags"
1629 case=If valid file descriptor
1630 case=...and socket is AF_UNIX and path is defined
1631 format=path:attr
1632 case=...and address family is AF_UNIX and path is NULL
1633 format=path1:attr
1634 comment=1, file descriptor, "nopath: fd"
1635 case=...and address family is AF_INET or AF_INET6
1636 format=arg1:arg2:inet
1637 comment=1, file descriptor, "so":
1638 comment=3, flags, "flags"
1639 case=...and unknown address family
1640 format=arg1:arg2:arg3:arg4
1641 comment=1, file descriptor, "so":
1642 comment=1, family, "family":
1643 comment=1, type, "type":
1644 comment=1, flags, "flags"
1645
1646 label=AUE_SETAUDIT
1647 case=With a valid program stack address
1648 format=arg1:arg2:arg3:arg4:arg5:arg6
1649 comment=1, audit user ID, "setaudit:auid":
1650 comment=1, terminal ID, "setaudit:port":
1651 comment=1, terminal ID, "setaudit:machine":
1652 comment=1, preselection mask, "setaudit:as_success":
1653 comment=1, preselection mask, "setaudit:as_failure":
1654 comment=1, audit session ID, "setaudit:asid"
1655 case=With an invalid program stack address
1656 format=kernel
1657 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1658 # argument,1,0x271a,setaudit:auid
1659 # argument,1,0x3ff0201,setaudit:port
1660 # argument,1,0x8192591e,setaudit:machine
1661 # argument,1,0x400,setaudit:as_success
1662 # argument,1,0x400,setaudit:as_failure
1663 # argument,1,0x16f,setaudit:asid
1664 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1665 # return,success,0
1666 # trailer,215
1667 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1668 # argument,1,0x271a,setaudit:auid
1669 # argument,1,0x3ff0201,setaudit:port
1670 # argument,1,0x8192591e,setaudit:machine
1671 # argument,1,0x400,setaudit:as_success
1672 # argument,1,0x400,setaudit:as_failure
1673 # argument,1,0x16f,setaudit:asid
1674 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1675 # return,success,0
1676 # trailer,215
1677
1678 label=AUE_SETAUDIT_ADDR
1679 case=With a valid program stack address
1680 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1681 comment=1, audit user ID, "auid":
1682 comment=1, terminal ID, "port":
1683 comment=1, type, "type":
1684 comment=1, terminal ID, "ip address":
1685 comment=1, preselection mask, "as_success":
1686 comment=1, preselection mask, "as_failure":
1687 comment=1, audit session ID, "asid"
1688 case=With an invalid program stack address
1689 format=kernel
1690 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1691 # argument,1,0x15fa7,auid
1692 # argument,1,0x0,port
1693 # argument,1,0x4,type
1694 # ip address,tmach2
1695 # argument,1,0x9c00,as_success
1696 # argument,1,0x9c00,as_failure
1697 # argument,1,0x1f1,asid
1698 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1699 # return,success,0
1700
1701 label=AUE_SETAUID
1702 format=arg1
1703 comment=2, audit user ID, "setauid"
1704
1705 label=AUE_SETDOMAINNAME
1706 skip=Not used. (See AUE_SYSINFO)
1707 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1708
1709 label=AUE_SETEGID
1710 format=arg1
1711 comment=1, group ID, "gid"
1712
1713 label=AUE_SETEUID
1714 format=arg1
1715 comment=1, user ID, "euid"
1716
1717 label=AUE_SETGID
1718 format=arg1
1719 comment=1, group ID, "gid"
1720
1721 label=AUE_SETGROUPS
1722 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1723 note=no tokens are generated.
1724 case=If no groups in list
1725 format=[arg]1
1726 comment=1, 0, "setgroups"
1727 case=If 1 or more groups in list
1728 format=(1..n)arg1
1729 comment=1, gid, "setgroups"
1730
1731 label=AUE_SETHOSTNAME
1732 skip=Not used. (See AUE_SYSINFO)
1733 # See sysinfo call with command SI_SET_HOSTNAME
1734
1735 label=AUE_SETKERNSTATE
1736 skip=Not used.
1737
1738 label=AUE_SETPGID
1739 format=[proc]:[arg]1
1740 comment=2, pgid, "pgid"
1741
1742 label=AUE_SETPGRP
1743 format=kernel
1744
1745 label=AUE_SETPRIORITY
1746 skip=Not used.
1747
1748 label=AUE_SETPPRIV
1749 case=operation privileges off
1750 format=arg1:privset2
1751 comment=setppriv operation:
1752 comment=privileges actually switched off
1753 case=operation privileges on
1754 format=arg1:privset2
1755 comment=setppriv operation:
1756 comment=privileges actually switched on
1757 case=operation privileges off
1758 format=arg1:privset2:privset3
1759 comment=setppriv operation:
1760 comment=privileges before privset:
1761 comment=privileges after privset
1762 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1763 #argument,2,0x2,op
1764 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1766 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1767 #return,success,0
1768
1769 label=AUE_SETREGID
1770 format=arg1:arg2
1771 comment=1, real group ID, "rgid":
1772 comment=2, effective group ID, "egid"
1773
1774 label=AUE_SETREUID
1775 format=arg1:arg2
1776 comment=1, real user ID, "ruid":
1777 comment=2, effective user ID, "euid"
1778
1779 label=AUE_SETRLIMIT
1780 format=kernel
1781 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1782 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1783 # return,success,0
1784
1785 label=AUE_SETSID
1786 format=kernel
1787
1788 label=AUE_SETSOCKOPT
1789 case=Invalid file descriptor
1790 format=arg1:arg2
1791 comment=1, file descriptor, "so":
1792 comment=2, level, "level"
1793 case=Valid file descriptor
1794 case=...and socket is AF_UNIX
1795 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1796 comment=if no path, will be argument: 1, "nopath: fd", \
1797 file descriptor:
1798 comment=1, file descriptor, "so":
1799 comment=1, family, "family":
1800 comment=1, type, "type":
1801 comment=2, protocol level, "level":
1802 comment=3, option name, "optname":
1803 comment=5, option length, "optlen":
1804 comment=option data
1805 case=...and socket is AF_INET or AF_INET6
1806 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1807 comment=1, file descriptor, "so":
1808 comment=2, protocol level, "level":
1809 comment=3, option name, "optname":
1810 comment=5, option length, "optlen":
1811 comment=option data
1812 case=...and socket address family is unknown
1813 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1814 comment=1, file descriptor, "so":
1815 comment=1, family, "family":
1816 comment=1, type, "type":
1817 comment=2, protocol level, "level":
1818 comment=3, option name, "optname":
1819 comment=5, option length, "optlen":
1820 comment=option data
1821
1822 label=AUE_SETTIMEOFDAY
1823 skip=Not used.
1824
1825 label=AUE_SETUID
1826 syscall=setuid
1827 format=arg1
1828 comment=1, "uid" to be set
1829
1830 label=AUE_SETUSERAUDIT
1831 skip=Not used.
1832
1833 label=AUE_SHMAT
1834 format=arg1:arg2:[ipc]:[ipc_perm]
1835 comment=1, shared memory ID, "shm ID":
1836 comment=2, shared mem addr, "shm addr"
1837 note=ipc_perm
1838 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1839
1840 label=AUE_SHMCTL
1841 format=arg1:[ipc]:[ipc_perm]
1842 comment=1, shared memory ID, "shm ID"
1843 note=ipc_perm
1844 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1845
1846 label=AUE_SHMCTL_RMID
1847 format=arg1:[ipc]:[ipc_perm]
1848 comment=1, shared memory ID, "shm ID"
1849 note=ipc_perm
1850 syscall=shmctl: IPC_RMID
1851 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1852
1853 label=AUE_SHMCTL_SET
1854 format=arg1:[ipc]:[ipc_perm]
1855 comment=1, shared memory ID, "shm ID"
1856 note=ipc_perm
1857 syscall=shmctl: IPC_SET
1858 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1859
1860 label=AUE_SHMCTL_STAT
1861 format=arg1:[ipc]:[ipc_perm]
1862 comment=1, shared memory ID, "shm ID"
1863 note=ipc_perm
1864 syscall=shmctl: IPC_STAT
1865 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1866
1867 label=AUE_SHMDT
1868 format=arg1
1869 comment=1, shared memory address, "shm adr"
1870
1871 label=AUE_SHMGET
1872 format=arg1:[ipc_perm]:[ipc]
1873 comment=0, shared memory key, "shm key"
1874 note=ipc_perm
1875 # ipc_perm: shmget -> audit_ipcget
1876
1877 label=AUE_SHMGETL
1878 skip=Not used.
1879
1880 label=AUE_SHMSYS
1881 skip=Not used. (Placeholder for shmget and shmctl*)
1882
1883 label=AUE_SHUTDOWN
1884 case=If the socket address is invalid
1885 format=[arg]1:[text]2:[text]3
1886 comment=1, file descriptor, "fd":
1887 comment=bad socket address:
1888 comment=bad peer address
1889 case=If the socket address is part of the AF_INET family
1890 case=...with zero file descriptor
1891 format=arg1:[arg]2:[arg]3:[arg]4
1892 comment=1, file descriptor, "so":
1893 comment=1, family, "family":
1894 comment=1, type, "type":
1895 comment=2, how shutdown code, "how"
1896 case=...with non-zero file descriptor
1897 format=arg1:arg2:inet
1898 comment=1, file descriptor, "so":
1899 comment=2, how shutdown code, "how"
1900 case=If the socket address is AF_UNIX
1901 case=...with zero file descriptor
1902 format=path1:arg2:[arg]3:[arg]4:[arg]5
1903 comment=If error: argument: \
1904 1, "no path: fd", file descriptor:
1905 comment=1, file descriptor, "so":
1906 comment=1, family, "family":
1907 comment=1, type, "type":
1908 comment=2, how shutdown code, "how"
1909 case=...with non-zero file descriptor
1910 format=path1:arg2:arg3:inet
1911 comment=If error: argument: \
1912 1, file descriptor, "no path: fd":
1913 comment=1, file descriptor, "so":
1914 comment=2, how shutdown code, "how"
1915 #old BSM manual wrong; used audit_event.c
1916
1917 label=AUE_SOCKACCEPT
1918 syscall=getmsg: socket accept
1919 format=inet:arg1:[path]:attr:arg2
1920 comment=1, file descriptor, "fd":
1921 comment=4, priority, "pri"
1922 # see putmsg and getmsg for record format
1923 # See audit.c for inet token and audit_start.c for other reference
1924
1925 label=AUE_SOCKCONFIG
1926 format=arg1:arg2:arg3:[path]4
1927 comment=1, domain address, "domain":
1928 comment=2, type, "type":
1929 comment=3, protocol, "protocol":
1930 comment=If no path:argument -- 3, 0, "devpath"
1931
1932 label=AUE_SOCKCONNECT
1933 syscall=putmsg: socket connect
1934 format=inet:arg1:[path]:attr:arg2
1935 comment=1, file descriptor, "fd":
1936 comment=4, priority, "pri"
1937 # same as AUE_SOCKACCEPT
1938
1939 label=AUE_SOCKET
1940 format=arg1:[arg]2:arg3
1941 comment=1, socket domain, "domain":
1942 comment=2, socket type, "type":
1943 comment=3, socket protocol, "protocol"
1944
1945 label=AUE_SOCKETPAIR
1946 skip=Not used.
1947 # unreferenced
1948
1949 label=AUE_SOCKRECEIVE
1950 syscall=getmsg
1951 format=inet:arg1:[path]:attr:arg2
1952 comment=1, file descriptor, "fd":
1953 comment=4, priority, "pri"
1954 # see AUE_SOCKACCEPT
1955
1956 label=AUE_SOCKSEND
1957 syscall=putmsg
1958 format=inet:arg1:[path]:attr:arg2
1959 comment=1, file descriptor, "fd":
1960 comment=4, priority, "pri"
1961 # see AUE_SOCKACCEPT
1962
1963 label=AUE_STAT
1964 format=path:[attr]
1965
1966 label=AUE_STATFS
1967 format=path:[attr]
1968
1969 label=AUE_STATVFS
1970 format=path:[attr]
1971
1972 label=AUE_STIME
1973 format=kernel
1974
1975 label=AUE_SWAPON
1976 skip=Not used.
1977
1978 label=AUE_SYMLINK
1979 format=path:text1:[attr]
1980 comment=symbolic link string
1981
1982 label=AUE_SYSINFO
1983 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1984 note=are currently audited.
1985 format=arg1:[text]2
1986 comment=1, command, "cmd":
1987 comment=name
1988
1989 label=AUE_SYSTEMBOOT
1990 title=system booted
1991 syscall=none
1992 format=head:text1
1993 comment="booting kernel"
1994 # see audit_start.c and audit_io.c
1995 # no subject or return / exit token
1996 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1997 # text,booting kernel
1998
1999 label=AUE_TRUNCATE
2000 skip=Not used.
2001
2002 label=AUE_UMOUNT
2003 syscall=umount: old version
2004 note=Implemented as a call to the newer umount2(2).
2005 format=path:arg1:[path]:[attr]
2006 comment=2, mflag value = 0, "flags"
2007
2008 label=AUE_UMOUNT2
2009 syscall=umount2
2010 format=path:arg1:[path]:[attr]
2011 comment=2, mflag value, "flags"
2012
2013 label=AUE_UNLINK
2014 format=path:[attr]
2015
2016 label=AUE_UNLINKAT
2017 # obsolete
2018 see=openat(2)
2019 format=path:[attr]
2020
2021 label=AUE_UNMOUNT
2022 skip=Not used.
2023
2024 label=AUE_UTIME
2025 # obsolete
2026 format=path:[attr]
2027
2028 label=AUE_UTIMES
2029 see=futimens(2)
2030 format=path:[attr]
2031
2032 label=AUE_VFORK
2033 format=arg1
2034 comment=0, pid, "child PID"
2035 note=The vfork(2) return values are undefined because the audit record is
2036 note=produced at the point that the child process is spawned.
2037
2038 label=AUE_VPIXSYS
2039 skip=Not used.
2040
2041 label=AUE_VTRACE
2042 skip=Not used.
2043
2044 label=AUE_WRITE
2045 format=path1:attr
2046 comment=if no path, argument -- 1, file descriptor, "no path: fd"
2047 note=An audit record is generated for write only once per file close.
2048
2049 label=AUE_WRITEV
2050 skip=Not used. (obsolete)
2051
2052 label=AUE_XMKNOD
2053 # obsolete
2054 skip=Not used.
2055
2056 label=AUE_XSTAT
2057 # obsolete
2058 skip=Not used.
2059
2060 label=AUE_PF_POLICY_ADDRULE
2061 title=Add IPsec policy rule
2062 see=
2063 syscall=none
2064 format=arg1:arg2:[zone]3:[text]4
2065 comment=Operation applied to active policy (1 is active, 0 is inactive):
2066 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2067 comment=affected zone:
2068 comment=Name of target tunnel
2069
2070 label=AUE_PF_POLICY_DELRULE
2071 title=Delete IPsec policy rule
2072 see=
2073 syscall=none
2074 format=arg1:arg2:[zone]3:[text]4
2075 comment=Operation applied to active policy (1 is active, 0 is inactive):
2076 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2077 comment=affected zone:
2078 comment=Name of target tunnel
2079
2080 label=AUE_PF_POLICY_CLONE
2081 title=Clone IPsec policy
2082 see=
2083 syscall=none
2084 format=arg1:arg2:[zone]3:[text]4
2085 comment=Operation applied to active policy (1 is active, 0 is inactive):
2086 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2087 comment=affected zone:
2088 comment=Name of target tunnel
2089
2090 label=AUE_PF_POLICY_FLIP
2091 title=Flip IPsec policy
2092 see=
2093 syscall=none
2094 format=arg1:arg2:[zone]3:[text]4
2095 comment=Operation applied to active policy (1 is active, 0 is inactive):
2096 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2097 comment=affected zone:
2098 comment=Name of target tunnel
2099
2100 label=AUE_PF_POLICY_FLUSH
2101 title=Flush IPsec policy rules
2102 see=
2103 syscall=none
2104 format=arg1:arg2:[zone]3:[text]4
2105 comment=Operation applied to active policy (1 is active, 0 is inactive):
2106 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2107 comment=affected zone:
2108 comment=Name of target tunnel
2109
2110 label=AUE_PF_POLICY_ALGS
2111 title=Update IPsec algorithms
2112 see=
2113 syscall=none
2114 format=arg1:arg2:[zone]3:[text]4
2115 comment=Operation applied to active policy (1 is active, 0 is inactive):
2116 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2117 comment=affected zone:
2118 comment=Name of target tunnel
2119
2120 label=AUE_allocate_fail
2121 program=/usr/sbin/allocate
2122 title=allocate: allocate-device failure
2123 format=(0..n)[text]1
2124 comment=command line arguments
2125 # see audit_allocate.c
2126
2127 label=AUE_allocate_succ
2128 program=/usr/sbin/allocate
2129 title=allocate: allocate-device success
2130 format=(0..n)[text]1
2131 comment=command line arguments
2132 # see audit_allocate.c
2133
2134 label=AUE_at_create
2135 program=/usr/bin/at
2136 title=at: at-create crontab
2137 format=path
2138
2139 label=AUE_at_delete
2140 program=/usr/bin/at
2141 title=at: at-delete atjob (at or atrm)
2142 format=text1:path
2143 comment="ancillary file:" filename or "bad format of at-job name"
2144
2145 label=AUE_at_perm
2146 skip=Not used.
2147 # not referenced outside uevents.h
2148
2149 label=AUE_create_user
2150 skip=Not used.
2151
2152 label=AUE_cron_invoke
2153 program=/usr/sbin/cron
2154 title=cron: cron-invoke at or cron
2155 case=If there is a problem finding the account
2156 format=text1
2157 comment="bad user" name or "user <name> account expired"
2158 case=else
2159 format=text1:text2
2160 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2161 or "unknown job type (<job_type_id>)":
2162 comment=command
2163
2164 label=AUE_crontab_create
2165 program=/usr/bin/crontab
2166 title=crontab: crontab created
2167 format=path
2168 # See audit_crontab.c
2169
2170 label=AUE_crontab_delete
2171 program=/usr/bin/crontab
2172 title=crontab: crontab delete
2173 format=path
2174 # See audit_crontab.c
2175
2176 label=AUE_crontab_mod
2177 program=/usr/bin/crontab
2178 title=crontab: crontab modify
2179 format=path
2180 # See audit_crontab.c
2181
2182 label=AUE_crontab_perm
2183 skip=Not used.
2184
2185 label=AUE_deallocate_fail
2186 program=/usr/sbin/deallocate
2187 title=deallocate-device failure
2188 format=(0..n)[text]1
2189 comment=command line arguments
2190 # See audit_allocate.c
2191
2192 label=AUE_deallocate_succ
2193 program=/usr/sbin/deallocate
2194 title=deallocate-device success
2195 format=(0..n)[text]1
2196 comment=command line arguments
2197 # See audit_allocate.c
2198
2199 label=AUE_delete_user
2200 skip=Not used.
2201
2202 label=AUE_disable_user
2203 skip=Not used.
2204
2205 label=AUE_enable_user
2206 skip=Not used.
2207
2208 label=AUE_ftpd
2209 program=/usr/sbin/in.ftpd
2210 title=in.ftpd
2211 format=[text]1
2212 comment=error message
2213 # See audit_ftpd
2214
2215 label=AUE_ftpd_logout
2216 program=/usr/sbin/in.ftpd
2217 title=in.ftpd
2218 format=user
2219 # See audit_ftpd
2220
2221 label=AUE_halt_solaris
2222 program=/usr/sbin/halt
2223 title=halt
2224 format=user
2225 # See audit_halt.c
2226
2227 label=AUE_kadmind_auth
2228 format=text1:text2:text3
2229 comment=Op: <requested information>:
2230 comment=Arg: <argument for Op>:
2231 comment=Client: <client principal name>
2232 # See audit_kadmin.c / common_audit()
2233
2234 label=AUE_kadmind_unauth
2235 format=text1:text2:text3
2236 comment=Op: <requested information>:
2237 comment=Arg: <argument for Op>:
2238 comment=Client: <client principal name>
2239 # See audit_kadmin.c / common_audit()
2240
2241 label=AUE_krb5kdc_as_req
2242 format=text1:text2
2243 comment=Client: <client principal name>:
2244 comment=Service: <requested service name>
2245 # See audit_krb5kdc.c / common_audit()
2246
2247 label=AUE_krb5kdc_tgs_req
2248 format=text1:text2
2249 comment=Client: <client principal name>:
2250 comment=Service: <requested service name>
2251 # See audit_krb5kdc.c / common_audit()
2252
2253 label=AUE_krb5kdc_tgs_req_alt_tgt
2254 format=text1:text2
2255 comment=Client: <client principal name>:
2256 comment=Service: <requested service name>
2257 # See audit_krb5kdc.c / common_audit()
2258
2259 label=AUE_krb5kdc_tgs_req_2ndtktmm
2260 format=text1:text2
2261 comment=Client: <client principal name>:
2262 comment=Service: <requested service name>
2263 # See audit_krb5kdc.c / common_audit()
2264
2265 label=AUE_listdevice_fail
2266 title=allocate-list devices failure
2267 program=/usr/sbin/allocate
2268 format=(0..n)[text]1
2269 comment=command line arguments
2270 # See audit_allocate.c
2271
2272 label=AUE_listdevice_succ
2273 title=allocate-list devices success
2274 program=/usr/sbin/allocate
2275 format=(0..n)[text]1
2276 comment=command line arguments
2277 # See audit_allocate.c
2278
2279 label=AUE_modify_user
2280 skip=Not used.
2281
2282 label=AUE_mountd_mount
2283 title=mountd: NFS mount
2284 program=/usr/lib/nfs/mountd
2285 see=mountd(1M)
2286 format=text1:path2
2287 comment=remote client hostname:
2288 comment=mount dir
2289 # See audit_mountd.c
2290
2291 label=AUE_mountd_umount
2292 title=mountd: NFS unmount
2293 program=/usr/lib/nfs/mountd
2294 format=text1:path2
2295 comment=remote client hostname:
2296 comment=mount dir
2297 # See audit_mountd.c
2298
2299 label=AUE_poweroff_solaris
2300 program=/usr/sbin/poweroff
2301 title=poweroff
2302 format=user
2303 # See audit_halt.c
2304
2305 label=AUE_reboot_solaris
2306 program=/usr/sbin/reboot
2307 title=reboot
2308 format=user
2309 # See audit_reboot.c
2310 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2311 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2312 # return,success,0
2313
2314 label=AUE_rexd
2315 program=/usr/sbin/rpc.rexd
2316 title=rpc.rexd
2317 format=[text]1:text2:text3:[text]4:[text]5
2318 comment=error message (failure only):
2319 comment="Remote execution requested by:" hostname:
2320 comment="Username:" username:
2321 comment="User id:" user ID (failure only):
2322 comment="Command line:" command attempted
2323 # See audit_rexd.c
2324
2325 label=AUE_rexecd
2326 program=/usr/sbin/rpc.rexecd
2327 title=rpc.rexecd
2328 format=[text]1:text2:text3:text4
2329 comment=error message (failure only):
2330 comment="Remote execution requested by:" hostname:
2331 comment="Username:" username:
2332 comment="Command line:" command attempted
2333 # See audit_rexecd.c
2334
2335 label=AUE_rshd
2336 program=/usr/sbin/in.rshd
2337 title=in.rshd
2338 format=text1:text2:[text]3:[text]4
2339 comment="cmd" command:
2340 comment="remote user" remote user:
2341 comment="local user" local user:
2342 comment=failure message
2343 # See audit_rshd.c
2344
2345 label=AUE_shutdown_solaris
2346 title=shutdown
2347 program=/usr/ucb/shutdown
2348 format=user
2349 # See audit_shutdown.c
2350
2351 label=AUE_smserverd
2352 program=/usr/lib/smedia/rpc.smserverd
2353 format=[text]1:[text]2
2354 comment=state change:
2355 comment=vid, pid, major/minor device
2356 # see usr/src/cmd/smserverd
2357 # code shows a third token, path, but it isn't implemented.
2358
2359 label=AUE_uadmin_solaris
2360 title=uadmin (obsolete)
2361 program=
2362 see=
2363 format=text1:text2
2364 comment=function code:
2365 comment=argument code
2366 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2367
2368 label=AUE_LABELSYS_TNRH
2369 title=config Trusted Network remote host cache
2370 see=tnrh(2)
2371 syscall=labelsys: TSOL_TNRH
2372 case=With the flush command (cmd=3)
2373 format=arg1
2374 comment=1, command, "cmd"
2375 case=With the load (cmd=1) and delete (cmd=2) commands
2376 format=arg1:inaddr2:arg3
2377 comment=1, command, "cmd":
2378 comment=ip address of host:
2379 comment=2, prefix length, "prefix len"
2380
2381 label=AUE_LABELSYS_TNRHTP
2382 title=config Trusted Network remote host template
2383 see=tnrhtp(2)
2384 syscall=labelsys: TSOL_TNRHTP
2385 case=With the flush command (cmd=3)
2386 format=arg1
2387 comment=1, command, "cmd"
2388 case=With the load (cmd=1) and delete (cmd=2) commands
2389 format=arg1:text2
2390 comment=1, command, "cmd":
2391 comment=name of template
2392
2393 label=AUE_LABELSYS_TNMLP
2394 title=config Trusted Network multi-level port entry
2395 see=tnmlp(2)
2396 syscall=labelsys: TSOL_TNMLP
2397 case=With the flush command (cmd=3)
2398 format=arg1:text2
2399 comment=1, command, "cmd":
2400 comment="shared", or name of zone
2401 case=With the load (cmd=1) and delete (cmd=2) commands
2402 format=arg1:text2:arg3:arg4:[arg]5
2403 comment=1, command, "cmd":
2404 comment="shared", or name of zone:
2405 comment=2, protocol number, "proto num":
2406 comment=2, starting mlp port number, "mlp_port":
2407 comment=2, ending mlp port number, "mlp_port_upper"