1 # audit_record_attr.txt 2 # Two "#" are comments that are copied to audit_record_attr 3 # other comments are removed. 4 ## 5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 6 ## Copyright 2019 Joyent, Inc. 7 ## 8 ## CDDL HEADER START 9 ## 10 ## The contents of this file are subject to the terms of the 11 ## Common Development and Distribution License (the "License"). 12 ## You may not use this file except in compliance with the License. 13 ## 14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 15 ## or http://www.opensolaris.org/os/licensing. 16 ## See the License for the specific language governing permissions 17 ## and limitations under the License. 18 ## 19 ## When distributing Covered Code, include this CDDL HEADER in each 20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE. 21 ## If applicable, add the following below this CDDL HEADER, with the 22 ## fields enclosed by brackets "[]" replaced with your own identifying 23 ## information: Portions Copyright [yyyy] [name of copyright owner] 24 ## 25 ## CDDL HEADER END 26 ## 27 ## 28 29 # source file for describing audit records. 30 31 # This file is in two sections. The first is a list of attribute / 32 # value pairs used to provide short cuts in annotating the audit 33 # records. The second is for annotation for each audit record. 
34 35 # first section: general attributes 36 37 # skipClass=<class name of items to skip if only in that class> 38 # skipClass=no # uncomment to filter unused events 39 40 # token name abbreviations 41 # token=alias:fullname -- short names for key tokens 42 43 token=arg:argument 44 token=attr:attribute 45 token=acl:acl_entry 46 token=cmd:command 47 token=data:data 48 token=exec_args:exec_arguments 49 token=exec_env:exec_environment 50 token=group:group 51 token=inaddr:ip_addr 52 token=inet:socket 53 token=ipc:ipc 54 token=ipc_perm:ipc_perm 55 token=newgroup:newgroups 56 token=path:path 57 token=path_attr:attribute_path 58 token=privset:privilege 59 token=proc:process 60 token=text:text 61 token=tid:terminal_adr 62 token=uauth:use_of_authorization 63 token=upriv:use_of_privilege 64 token=user:user_object 65 token=zone:zonename 66 token=fmri:service_instance 67 token=label:mandatory_label 68 69 token=head:header 70 token=subj:subject 71 token=ret:return 72 token=exit:exit 73 74 # note names -- certain notes show up repeatedly; collected here 75 # 76 # To achieve the maximum line length to be less than 80 characters, the 77 # note names (message=) can be defined as a multi line, each line except the 78 # last one finished with the backslash character. 79 80 message=ipc_perm:The ipc and ipc_perm tokens are not included if \ 81 the message ID is not valid. 82 83 84 # basic record pattern ("insert" is where event-specific tokens 85 # are listed.) 86 87 kernel=head:insert:subj:[upriv]:ret 88 user=head:subj:insert:ret 89 90 # Second Section 91 # Annotation Section 92 # 93 # Most audit records need annotation beyond what is provided by 94 # the files audit_event and audit_class. At a minimum, a record 95 # is represented by a label and a format. 96 # 97 # label=record_id like AUE_ACCEPT 98 # format=token_alias 99 # 100 # there is no end line; a new label= end the preceding definition 101 # and starts the next. 
102 # 103 # format values are a list of token names, separated by colons. The 104 # name is either one of the values described above (token=) or is 105 # a value to be taken literally. If a token name ends with a digit, 106 # the digit is an index into an array of comments. In the few cases 107 # where there are no tokens (other than header, subject, return/exit), 108 # use "format=kernel" or "format=user". 109 # 110 # comment is an array of strings separated by colons. If comments 111 # are listed on separate lines (recommended due to better 112 # readability/sustainability of the file), the preceding comment 113 # must end with a colon. The array starts at 1. (If the comment 114 # contains a colon, use ":" without the quotes.) 115 # 116 # case is used to generate alternate descriptions for a given 117 # record. 118 # 119 # Constraints - string length; bear in mind that any annotation of the 120 # primitives below that is longer than specified will be silently truncated 121 # to the given number of characters at auditrecord(1M) runtime: 122 # 123 # primitive <= max (non-truncated) string length 124 # case <= unlimited; if necessary, text continues on a new line 125 # comment <= unlimited; if necessary, text continues on a new line 126 # label <= 43 127 # note <= unlimited; if necessary, text continues on a new line 128 # program <= 20 129 # see <= 39 130 # syscall <= 20 131 # title <= 46 132 # token <= 28 (full name) 133 # 134 # To keep the maximum line length under 80 characters, one can 135 # define the unlimited primitives as multiple lines, each line except the 136 # last one finished with the backslash character. In addition to the above, 137 # the "format=" record attribute follows the same rule. 138 # 139 # 140 # AUE_ACCEPT illustrates the use of all the above. Note that 141 # case is not nested; ellipsis (...) is used to give the effect 142 # of nesting. 
143 144 label=AUE_ACCEPT 145 #accept(2) failure 146 case=Invalid socket file descriptor 147 format=arg1 148 comment=1, file descriptor, "so" 149 #accept(2) non SOCK_STREAM socket 150 case=If the socket address is not part of the AF_INET family 151 format=arg1:arg2:arg3 152 comment=1, "so", file descriptor: 153 comment="family", so_family: 154 comment="type", so_type 155 case=If the socket address is part of the AF_INET family 156 case=...If there is no vnode for this file descriptor 157 format=[arg]1 158 comment=1, file descriptor, "Bad so" 159 #accept(2) SOCK_STREAM socket-not bound 160 case=...or if the socket is not bound 161 format=[arg]1:[inet]2 162 comment=1, file descriptor, "so": 163 comment=local/foreign address (0.0.0.0) 164 case=...or if the socket address length = 0 165 format=[arg]1:[inet]2 166 comment=1, file descriptor, "so": 167 comment=local/foreign address (0.0.0.0) 168 case=...or for all other conditions 169 format=inet1:[inet]1 170 comment=socket address 171 #accept(2) failure 172 # header 173 # au_to_arg32 "so",file descriptor 174 # subject 175 # return <errno != 0> 176 # 177 #accept(2) non SOCK_STREAM socket 178 # header 179 # au_to_arg32 "so", file descriptor 180 # au_to_arg32 "family", so_family 181 # au_to_arg32 "type", so_type 182 # subject 183 # return success 184 # 185 #accept(2) SOCK_STREAM socket-not bound 186 # header 187 # au_to_arg32 "so", file descriptor 188 # au_to_socket_ex local/foreign address (0.0.0.0) 189 # subject 190 # return success 191 # 192 #accept(2) SOCK_STREAM socket-bound 193 # header 194 # au_to_arg32 "so", file descriptor 195 # au_to_socket_ex 196 # subject 197 # return success 198 199 200 201 label=AUE_ACCESS 202 format=path1:[attr] 203 comment=may be truncated in failure case 204 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 205 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 206 # attribute,100777,41416,staff,8388608,402255,0 207 # 
subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30 208 # return,success,0 209 # trailer,163 210 # 211 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 212 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 213 # attribute,100000,root,other,8388608,402257,0 214 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 215 # return,failure: Permission denied,-1 216 # trailer,163 217 # 218 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 219 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 220 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 221 # return,failure: No such file or directory,-1 222 # trailer,135 223 224 label=AUE_ACCT 225 case=Zero path 226 format=arg1 227 comment=1, 0, "accounting off" 228 case=Non-zero path 229 format=path1:[attr]2 230 comment=may be truncated in failure case: 231 comment=omitted if failure 232 233 label=AUE_ACLSET 234 syscall=acl 235 format=arg1:arg2:(0..n)[acl]3 236 comment=2, SETACL, "cmd": 237 comment=3, number of ACL entries, "nentries": 238 comment=Access Control List entries 239 240 label=AUE_ADJTIME 241 format=kernel 242 243 label=AUE_ASYNC_DAEMON 244 skip=Not used 245 246 label=AUE_ASYNC_DAEMON_EXIT 247 skip=Not used 248 249 label=AUE_AUDIT 250 skip=Not used. (Placeholder for the set AUE_AUDIT_*.) 251 252 label=AUE_AUDITON 253 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 
254 255 label=AUE_AUDITON_GESTATE 256 skip=Not used 257 258 label=AUE_AUDITON_GETAMASK 259 format=kernel 260 syscall=auditon: GETAMASK 261 262 label=AUE_AUDITON_GETCAR 263 format=kernel 264 syscall=auditon: GETCAR 265 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 266 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 267 # return,success,0 268 # trailer,68 269 270 label=AUE_AUDITON_GETCLASS 271 format=kernel 272 syscall=auditon: GETCLASS 273 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 274 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 275 # return,success,0 276 # trailer,68 277 278 label=AUE_AUDITON_GETCOND 279 format=kernel 280 syscall=auditon: GETCOND 281 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 282 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 283 # return,success,0 284 # trailer,68 285 286 label=AUE_AUDITON_GETCWD 287 format=kernel 288 syscall=auditon: GETCWD 289 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 290 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 291 # return,success,0 292 # trailer,68 293 294 label=AUE_AUDITON_GETKMASK 295 format=kernel 296 syscall=auditon: GETKMASK 297 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 298 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 299 # return,success,0 300 # trailer,68 301 302 label=AUE_AUDITON_GETSTAT 303 format=kernel 304 syscall=auditon: A_GETSTAT 305 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 306 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 307 # return,success,0 308 # trailer,68 309 310 label=AUE_AUDITON_GPOLICY 311 format=kernel 312 syscall=auditon: GPOLICY 313 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 
120004056 msec 314 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 315 # return,success,0 316 # trailer,68 317 318 label=AUE_AUDITON_GQCTRL 319 format=kernel 320 syscall=auditon: GQCTRL 321 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec 322 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 323 # return,success,0 324 # trailer,68 325 326 327 label=AUE_AUDITON_GTERMID 328 skip=Not used. 329 330 label=AUE_AUDITON_SESTATE 331 skip=Not used. 332 333 label=AUE_AUDITON_SETAMASK 334 format=[arg]1:[arg]2 335 comment=2, "setamask as_success", user default audit preselection mask: 336 comment=2, "setamask as_failure", user default audit preselection mask 337 syscall=auditon: SETAMASK 338 339 label=AUE_AUDITON_SETCLASS 340 format=[arg]1:[arg]2 341 comment=2, "setclass:ec_event", event number: 342 comment=3, "setclass:ec_class", class mask 343 syscall=auditon: SETCLASS 344 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec 345 # argument,2,0x0,setclass:ec_event 346 # argument,3,0x0,setclass:ec_class 347 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 348 # return,success,0 349 # trailer,120 350 351 label=AUE_AUDITON_SETCOND 352 format=[arg]1 353 comment=3, "setcond", audit state 354 syscall=auditon: SETCOND 355 356 label=AUE_AUDITON_SETKMASK 357 format=[arg]1:[arg]2 358 comment=2, "setkmask as_success", kernel non-attributable mask: 359 comment=2, "setkmask as_failure", kernel non-attributable mask 360 syscall=auditon: SETKMASK 361 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec 362 # argument,2,0x0,setkmask:as_success 363 # argument,2,0x0,setkmask:as_failure 364 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 365 # return,success,0 366 # trailer,124 367 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec 368 # argument,2,0x0,setkmask:as_success 369 # 
argument,2,0x0,setkmask:as_failure 370 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 371 # return,failure: Not owner,-1 372 # trailer,124 373 374 label=AUE_AUDITON_SETSMASK 375 format=[arg]1:[arg]2 376 comment=3, "setsmask:as_success", session ID mask: 377 comment=3, "setsmask:as_failure", session ID mask 378 syscall=auditon: SETSMASK 379 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec 380 # argument,3,0x400,setsmask:as_success 381 # argument,3,0x400,setsmask:as_failure 382 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 383 # return,success,0 384 # trailer,124 385 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 386 # argument,3,0x400,setsmask:as_success 387 # argument,3,0x400,setsmask:as_failure 388 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 389 # return,failure: Not owner,-1 390 # trailer,124 391 392 label=AUE_AUDITON_SETSTAT 393 format=kernel 394 syscall=auditon: SETSTAT 395 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 396 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 397 # return,success,0 398 # trailer,68 399 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 400 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 401 # return,failure: Not owner,-1 402 # trailer,68 403 404 label=AUE_AUDITON_SETUMASK 405 format=[arg]1:[arg]2 406 comment=3, "setumask:as_success", audit ID mask: 407 comment=3, "setumask:as_failure", audit ID mask 408 syscall=auditon: SETUMASK 409 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 410 # argument,3,0x400,setumask:as_success 411 # argument,3,0x400,setumask:as_failure 412 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 413 # return,success,0 414 # trailer,124 415 # 
header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 416 # argument,3,0x400,setumask:as_success 417 # argument,3,0x400,setumask:as_failure 418 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 419 # return,failure: Not owner,-1 420 # trailer,124 421 422 label=AUE_AUDITON_SPOLICY 423 format=[arg]1 424 comment=1, audit policy flags, "setpolicy" 425 syscall=auditon: SPOLICY 426 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec 427 # argument,3,0x200,setpolicy 428 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 429 # return,success,0 430 # trailer,86 431 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 432 # argument,3,0x200,setpolicy 433 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 434 # return,failure: Not owner,-1 435 # trailer,86 436 437 label=AUE_AUDITON_SQCTRL 438 format=[arg]1:[arg]2:[arg]3:[arg]4 439 comment=3, "setqctrl:aq_hiwater", queue control param.: 440 comment=3, "setqctrl:aq_lowater", queue control param.: 441 comment=3, "setqctrl:aq_bufsz", queue control param.: 442 comment=3, "setqctrl:aq_delay", queue control param. 
443 syscall=auditon: SQCTRL 444 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 445 # argument,3,0x64,setqctrl:aq_hiwater 446 # argument,3,0xa,setqctrl:aq_lowater 447 # argument,3,0x400,setqctrl:aq_bufsz 448 # argument,3,0x14,setqctrl:aq_delay 449 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 450 # return,success,0 451 # trailer,176 452 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 453 # argument,3,0x64,setqctrl:aq_hiwater 454 # argument,3,0xa,setqctrl:aq_lowater 455 # argument,3,0x400,setqctrl:aq_bufsz 456 # argument,3,0x14,setqctrl:aq_delay 457 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 458 # return,failure: Not owner,-1 459 # trailer,176 460 461 label=AUE_AUDITON_STERMID 462 skip=Not used. 463 464 label=AUE_AUDITSTAT 465 skip=Not used. 466 467 label=AUE_AUDITSVC 468 skip=Not used. 469 470 label=AUE_AUDITSYS 471 skip=Not used. (Place holder for various auditing events.) 472 473 label=AUE_BIND 474 # differs from documented version. 475 # cases "no vnode" not fully confirmed 476 # family and type need argument number 477 case=Invalid socket handle 478 format=arg1 479 comment=1, file descriptor, "so" 480 case=If there is no vnode for this file descriptor 481 case=or if the socket is not of the AF_INET family 482 format=arg1:arg2:arg3 483 comment=1, file descriptor, "so": 484 comment=1, socket family, "family": 485 comment=1, socket type, "type" 486 case=or for all other conditions 487 format=arg1:inet2 488 comment=1, file descriptor, "so": 489 comment=socket address 490 491 label=AUE_BRANDSYS 492 # generic mechanism to allow user-space and kernel components of a brand 493 # to communicate. The interpretation of the arguments to the call is 494 # left entirely up to the brand. 
495 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 496 comment=1, command, "cmd": 497 comment=2, command args, "arg": 498 comment=3, command args, "arg": 499 comment=4, command args, "arg": 500 comment=5, command args, "arg": 501 comment=6, command args, "arg": 502 comment=7, command args, "arg" 503 504 label=AUE_BSMSYS 505 skip=Not used. 506 507 label=AUE_CHDIR 508 format=path:[attr] 509 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 510 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ 511 # attribute,40777,root,other,8388608,231558,0 512 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 513 # return,success,0 514 # trailer,151 515 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 516 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail 517 # attribute,40000,root,other,8388608,237646,0 518 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 519 # return,failure: Permission denied,-1 520 # trailer,151 521 522 label=AUE_CHMOD 523 format=arg1:path:[attr] 524 comment=2, mode, "new file mode" 525 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 526 # argument,2,0x1f8,new file mode 527 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ 528 # attribute,100770,tuser10,other,8388608,243608,0 529 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 530 # return,success,0 531 # trailer,173 532 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 533 # argument,2,0x1f8,new file mode 534 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail 535 # attribute,100600,root,other,8388608,243609,0 536 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 537 # return,failure: Not owner,-1 538 # trailer,173 539 540 label=AUE_CHOWN 541 format=arg1:arg2 542 comment=2, uid, "new file uid": 543 comment=3, gid, "new file gid" 544 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 545 # argument,2,0x271a,new file uid 546 
# argument,3,0xffffffff,new file gid 547 # path,/export/home/CC_final/icenine/arv/chown/obj_succ 548 # attribute,100644,tuser10,other,8388608,268406,0 549 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 550 # return,success,0 551 # trailer,193 552 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec 553 # argument,2,0x271a,new file uid 554 # argument,3,0xffffffff,new file gid 555 # path,/export/home/CC_final/icenine/arv/chown/obj_fail 556 # attribute,100644,root,other,8388608,268407,0 557 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 558 # return,failure: Not owner,-1 559 # trailer,193 560 561 label=AUE_CHROOT 562 format=path:[attr] 563 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 564 # path,/ 565 # attribute,40755,root,root,8388608,2,0 566 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 567 # return,success,0 568 # trailer,104 569 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 570 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail 571 # attribute,40777,tuser10,other,8388608,335110,0 572 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 573 # return,failure: Not owner,-1 574 # trailer,152 575 576 label=AUE_CLOCK_SETTIME 577 format=kernel 578 579 label=AUE_CLOSE 580 format=arg1:[path]:[attr] 581 comment=1, file descriptor, "fd" 582 583 label=AUE_CONFIGKSSL 584 case=Adding KSSL entry. 585 format=text1:inaddr2:text3:text4 586 comment=opcode, KSSL_ADD_ENTRY: 587 comment=local IP address: 588 comment=SSL port number: 589 comment=proxy port number 590 case=Deleting KSSL entry. 
591 format=text1:inaddr2:text3 592 comment=opcode, KSSL_DELETE_ENTRY: 593 comment=local IP address: 594 comment=SSL port number 595 596 label=AUE_CONNECT 597 # cases "no vnode" not fully confirmed 598 case=If there is no vnode for this file descriptor 599 case=If the socket address is not part of the AF_INET family 600 format=arg1:arg2:arg3 601 comment=1, file descriptor, "so": 602 comment=1, socket family, "family": 603 comment=1, socket type, "type" 604 case=If the socket address is part of the AF_INET family 605 format=arg1:inet2 606 comment=1, file descriptor, "so": 607 comment=socket address 608 609 label=AUE_CORE 610 syscall=none 611 title=process dumped core 612 see=none 613 format=path:[attr]:arg1 614 comment=1, signal, "signal" 615 # see uts/common/c2/audit.c 616 617 label=AUE_CREAT 618 # obsolete - see open(2) 619 format=path:[attr] 620 # does not match old BSM manual 621 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 622 # path,/export/home/CC_final/icenine/arv/creat/obj_succ 623 # attribute,100644,tuser10,other,8388608,49679,0 624 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 625 # return,success,8 626 # trailer,151 627 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 628 # path,/devices/pseudo/mm@0:null 629 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 630 # return,success,8 631 # trailer,107 632 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 633 # path,/obj_fail 634 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 635 # return,failure: Permission denied,-1 636 # trailer,83 637 638 label=AUE_CRYPTOADM 639 title=kernel cryptographic framework 640 format=text1:(0..n)[text]2 641 comment=cryptoadm command/operation: 642 comment=mechanism list 643 644 label=AUE_DOORFS 645 skip=Not used. (Place holder for set of door audit events.) 646 647 label=AUE_DOORFS_DOOR_BIND 648 skip=Not used. 
649 syscall=doorfs: DOOR_BIND 650 651 label=AUE_DOORFS_DOOR_CALL 652 format=arg1:proc2 653 comment=1, door ID, "door ID": 654 comment=for process that owns the door 655 syscall=doorfs: DOOR_CALL 656 657 label=AUE_DOORFS_DOOR_CREATE 658 format=arg1 659 comment=1, door attributes, "door attr" 660 syscall=doorfs: DOOR_CREATE 661 662 label=AUE_DOORFS_DOOR_CRED 663 skip=Not used. 664 syscall=doorfs: DOOR_CRED 665 666 label=AUE_DOORFS_DOOR_INFO 667 skip=Not used. 668 syscall=doorfs: DOOR_INFO 669 670 label=AUE_DOORFS_DOOR_RETURN 671 format=kernel 672 syscall=doorfs: DOOR_RETURN 673 674 label=AUE_DOORFS_DOOR_REVOKE 675 format=arg1 676 comment=1, door ID, "door ID" 677 syscall=doorfs: DOOR_REVOKE 678 679 label=AUE_DOORFS_DOOR_UNBIND 680 skip=Not used. 681 syscall=doorfs: DOOR_UNBIND 682 683 label=AUE_DUP2 684 skip=Not used. 685 686 label=AUE_ENTERPROM 687 title=enter prom 688 syscall=none 689 format=head:text1:ret 690 comment="kmdb" 691 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 692 # text,kmdb 693 # return,success,0 694 695 label=AUE_EXEC 696 # obsolete - see execve(2) 697 format=path:[attr]1:[exec_args]2:[exec_env]3 698 comment=omitted on error: 699 comment=output if argv policy is set: 700 comment=output if arge policy is set 701 702 label=AUE_EXECVE 703 format=path:[attr]1:[exec_args]2:[exec_env]3 704 comment=omitted on error: 705 comment=output if argv policy is set: 706 comment=output if arge policy is set 707 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 708 # path,/devices/pseudo/mm@0:null 709 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 710 # return,success,8 711 # trailer,107 712 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 713 # path,/usr/bin/pig 714 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 715 # return,failure: No such file or directory,-1 716 # trailer,86 717 718 label=AUE_PFEXEC 719 
format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5 720 comment=pathname of the executable: 721 comment=pathname of working directory: 722 comment=privileges if the limit or inheritable set are changed: 723 comment=process if ruid, euid, rgid or egid is changed: 724 comment=output if arge policy is set 725 726 label=AUE_sudo 727 format=exec_args1:[text]2 728 comment=command args: 729 comment=error message (failure only) 730 731 label=AUE_EXIT 732 format=arg1:[text]2 733 comment=1, exit status, "exit status": 734 comment=event aborted 735 736 label=AUE_EXITPROM 737 title=exit prom 738 syscall=none 739 format=head:text1:ret 740 comment="kmdb" 741 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 742 # text,kmdb 743 # return,success,0 744 745 label=AUE_EXPORTFS 746 skip=Not used. 747 748 label=AUE_FACCESSAT 749 # obsolete 750 see=access(2) 751 format=path:[attr] 752 753 label=AUE_FACLSET 754 syscall=facl 755 case=Invalid file descriptor 756 format=arg1:arg2 757 comment=2, SETACL, "cmd": 758 comment=3, number of ACL entries, "nentries" 759 case=Zero path 760 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4 761 comment=2, SETACL, "cmd": 762 comment=3, number of ACL entries, "nentries": 763 comment=1, file descriptor, "no path: fd": 764 comment=ACLs 765 case=Non-zero path 766 format=arg1:arg2:path:[attr]:(0..n)[acl]3 767 comment=2, SETACL, "cmd": 768 comment=3, number of ACL entries, "nentries": 769 comment=ACLs 770 771 label=AUE_FCHDIR 772 format=[path]:[attr] 773 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 774 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 775 # attribute,40777,tuser10,other,8388608,207662,0 776 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 777 # return,success,0 778 # trailer,150 779 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 780 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 781 # return,failure: Permission 
denied,-1 782 # trailer,68 783 784 label=AUE_FCHMOD 785 case=With a valid file descriptor and path 786 format=arg1:path:[attr] 787 comment=2, mode, "new file mode" 788 case=With a valid file descriptor and invalid path 789 format=arg1:[arg]2:[attr] 790 comment=2, mode, "new file mode": 791 comment=1, file descriptor, "no path: fd" 792 case=With an invalid file descriptor 793 format=arg1 794 comment=2, mode, "new file mode" 795 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 796 # argument,2,0x1a4,new file mode 797 # path,/export/home/CC/icenine/arv/fchmod/obj_succ 798 # attribute,100644,tuser10,other,7602240,26092,0 799 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 800 # return,success,0 801 # trailer,168 802 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 803 # argument,2,0x1a4,new file mode 804 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 805 # return,failure: Bad file number,-1 806 # trailer,90 807 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 808 # argument,2,0x1a4,new file mode 809 # path,/export/home/CC/icenine/arv/fchmod/obj_fail 810 # attribute,100644,root,other,7602240,26093,0 811 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 812 # return,failure: Not owner,-1 813 # trailer,168 814 815 label=AUE_FCHOWN 816 case=With a valid file descriptor 817 format=arg1:arg2:[path]:[attr] 818 comment=2, uid, "new file uid": 819 comment=3, gid, "new file gid" 820 case=With an invalid file descriptor 821 format=arg1:arg2:[arg]3:[attr] 822 comment=2, uid, "new file uid": 823 comment=3, gid, "new file gid": 824 comment=1, file descriptor, "no path fd" 825 826 label=AUE_FCHOWNAT 827 # obsolete 828 see=openat(2) 829 case=With a valid absolute/relative file path 830 format=path:[attr] 831 case=With an file path eq. 
NULL and valid file descriptor 832 format=kernel 833 834 label=AUE_FCHROOT 835 format=[path]:[attr] 836 # fchroot -> chdirec -> audit_chdirec 837 838 label=AUE_FCNTL 839 case=With a valid file descriptor 840 format=arg1:[arg]2:path:attr 841 comment=2, command, "cmd": 842 comment=3, flags, "flags" 843 case=With an invalid file descriptor 844 format=arg1:[arg]2:arg3 845 comment=2, command, "cmd": 846 comment=3, flags, "flags": 847 comment=1, file descriptor, "no path fd" 848 note=Flags are included only when cmd is F_SETFL. 849 850 label=AUE_FLOCK 851 skip=Not used. 852 853 label=AUE_FORKALL 854 format=[arg]1 855 comment=0, pid, "child PID" 856 note=The forkall(2) return values are undefined because the audit record 857 note=is produced at the point that the child process is spawned. 858 # see audit.c 859 860 label=AUE_FORK1 861 format=[arg]1 862 comment=0, pid, "child PID" 863 note=The fork1(2) return values are undefined because the audit record 864 note=is produced at the point that the child process is spawned. 865 # see audit.c 866 867 label=AUE_FSAT 868 # obsolete 869 skip=Not used. (Placeholder for AUE_*AT records) 870 871 label=AUE_FSTAT 872 skip=Not used. 873 874 label=AUE_FSTATAT 875 # obsolete 876 format=path:[attr] 877 878 label=AUE_FSTATFS 879 case=With a valid file descriptor 880 format=[path]:[attr] 881 case=With an invalid file descriptor 882 format=arg1 883 comment=1, file descriptor, "no path fd" 884 885 label=AUE_FTRUNCATE 886 skip=Not used. 
887 888 label=AUE_FUSERS 889 syscall=utssys: UTS_FUSERS 890 format=path:attr 891 892 label=AUE_FUTIMESAT 893 # obsolete 894 format=[path]:[attr] 895 896 label=AUE_GETAUDIT 897 format=kernel 898 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 899 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 900 # return,success,0 901 # trailer,68 902 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 903 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 904 # return,success,0 905 # trailer,68 906 907 label=AUE_GETAUDIT_ADDR 908 format=kernel 909 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 910 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 911 # return,success,0 912 913 label=AUE_GETAUID 914 format=kernel 915 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 916 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 917 # return,success,0 918 # trailer,68 919 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec 920 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1 921 # return,failure: Not owner,-1 922 # trailer,68 923 924 label=AUE_GETDENTS 925 skip=Not used. 926 #Not security relevant 927 928 label=AUE_GETKERNSTATE 929 skip=Not used. 930 931 label=AUE_GETMSG 932 case=With a valid file descriptor 933 format=arg1:[path]:attr:arg2 934 comment=1, file descriptor, "fd": 935 comment=4, priority, "pri" 936 case=With an invalid file descriptor 937 format=arg1:arg2 938 comment=1, file descriptor, "fd": 939 comment=4, priority, "pri" 940 941 label=AUE_GETPMSG 942 case=With a valid file descriptor 943 format=arg1:[path]:attr 944 comment=1, file descriptor, "fd" 945 case=With an invalid file descriptor 946 format=arg1 947 comment=1, file descriptor, "fd" 948 949 label=AUE_GETPORTAUDIT 950 format=Not used. 951 952 label=AUE_GETUSERAUDIT 953 skip=Not used. 
954 955 label=AUE_INST_SYNC 956 format=arg1 957 comment=2, flags value, "flags" 958 959 label=AUE_IOCTL 960 case=With an invalid file descriptor 961 format=arg1:arg2:arg3 962 comment=1, file descriptor, "fd": 963 comment=2, command, "cmd": 964 comment=3, arg, "arg" 965 case=With a valid file descriptor 966 format=path:[attr]:arg1:arg2 967 comment=2, ioctl cmd, "cmd": 968 comment=3, ioctl arg, "arg" 969 case=Non-file file descriptor 970 format=arg1:arg2:arg3 971 comment=1, file descriptor, "fd": 972 comment=2, ioctl cmd, "cmd": 973 comment=3, ioctl arg, "arg" 974 case=Bad file name 975 format=arg1:arg2:arg3 976 comment=1, file descriptor, "no path: fd": 977 comment=2, ioctl cmd, "cmd": 978 comment=3, ioctl arg, "arg" 979 # old BSM manual misses a case 980 981 label=AUE_JUNK 982 skip=Not used. 983 984 label=AUE_KILL 985 case=Valid process 986 format=arg1:[proc] 987 comment=2, signo, "signal" 988 case=Zero or negative process 989 format=arg1:arg2 990 comment=2, signo, "signal": 991 comment=1, pid, "process" 992 993 label=AUE_KILLPG 994 skip=Not used. 995 996 label=AUE_LCHOWN 997 format=arg1:arg2:path:[attr] 998 comment=2, uid, "new file uid": 999 comment=3, gid, "new file gid" 1000 1001 label=AUE_LINK 1002 format=path1:[attr]:path2 1003 comment=from path: 1004 comment=to path 1005 1006 label=AUE_LSEEK 1007 skip=Not used. 1008 1009 label=AUE_LSTAT 1010 format=path:[attr] 1011 1012 label=AUE_LXSTAT 1013 # obsolete 1014 skip=Not used. 1015 1016 label=AUE_MCTL 1017 skip=Not used. 
1018 1019 label=AUE_MEMCNTL 1020 format=arg1:arg2:arg3:arg4:arg5:arg6 1021 comment=1, base address, "base": 1022 comment=2, length, "len": 1023 comment=3, command, "cmd": 1024 comment=4, command args, "arg": 1025 comment=5, command attributes, "attr": 1026 comment=6, 0, "mask" 1027 1028 label=AUE_MKDIR 1029 format=arg1:path:[attr] 1030 comment=2, mode, "mode" 1031 1032 label=AUE_MKNOD 1033 format=arg1:arg2:path:[attr] 1034 comment=2, mode, "mode": 1035 comment=3, dev, "dev" 1036 1037 label=AUE_MMAP 1038 case=With a valid file descriptor 1039 format=arg1:arg2:[path]3:[attr] 1040 comment=1, segment address, "addr": 1041 comment=2, segment length, "len": 1042 comment=if no path, then argument: \ 1043 1, "nopath: fd", file descriptor 1044 case=With an invalid file descriptor 1045 format=arg1:arg2:arg3 1046 comment=1, segment address, "addr": 1047 comment=2, segment length, "len": 1048 comment=1, file descriptor, "no path: fd" 1049 1050 label=AUE_MODADDMAJ 1051 title=modctl: bind module 1052 syscall=modctl 1053 format=[text]1:[text]2:text3:arg4:(0..n)[text]5 1054 comment=driver major number: 1055 comment=driver name: 1056 comment=driver major number or "no drvname": 1057 comment=5, number of aliases, "": 1058 comment=aliases 1059 1060 label=AUE_MODADDPRIV 1061 format=kernel 1062 1063 label=AUE_MODCONFIG 1064 skip=Not used. 1065 1066 label=AUE_MODCTL 1067 skip=Not used. 
(placeholder) 1068 1069 label=AUE_MODDEVPLCY 1070 syscall=modctl 1071 title=modctl: set device policy 1072 case=If unknown minor name/pattern 1073 format=arg1:arg2:arg3:arg4:arg5 1074 comment=2, "major", major number: 1075 comment=2, "lomin", low minor number, if known: 1076 comment=2, "himin", hi minor number, if known: 1077 comment=privileges required for reading: 1078 comment=privileges required for writing 1079 case=else 1080 format=arg1:text2:arg3:arg4 1081 comment=2, "major", major number: 1082 comment=minor name/pattern: 1083 comment=privileges required for reading: 1084 comment=privileges required for writing 1085 1086 label=AUE_MODLOAD 1087 syscall=modctl 1088 title=modctl: load module 1089 format=[text]1:text2 1090 comment=default path: 1091 comment=filename path 1092 1093 label=AUE_MODUNLOAD 1094 syscall=modctl 1095 title=modctl: unload module 1096 format=arg1 1097 comment=1, module ID, "id" 1098 1099 label=AUE_MOUNT 1100 case=UNIX file system 1101 format=arg1:text2:path:[attr] 1102 comment=3, flags, "flags": 1103 comment=filesystem type 1104 case=NFS file system 1105 format=arg1:text2:text3:arg4:path:[attr] 1106 comment=3, flags, "flags": 1107 comment=filesystem type: 1108 comment=host name: 1109 comment=3, flags, "internal flags" 1110 # unix example: 1111 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1112 # argument,3,0x104,flags 1113 # text,ufs 1114 # path,/var2 1115 # attribute,40755,root,root,32,12160,0 1116 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1117 # attribute,60640,root,sys,32,231268,137438953476 1118 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1119 # return,success,4290707268 1120 # ^^^^^^^^^^ <- bugid 4333559 1121 1122 label=AUE_MSGCTL 1123 format=arg1:[ipc]:[ipc_perm] 1124 comment=1, message ID, "msg ID" 1125 note=ipc_perm 1126 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1127 1128 label=AUE_MSGCTL_RMID 1129 format=arg1:[ipc]:[ipc_perm] 1130 comment=1, message ID, "msg ID" 1131 note=ipc_perm 
1132 syscall=msgctl: IPC_RMID 1133 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1134 1135 label=AUE_MSGCTL_SET 1136 format=arg1:[ipc]:[ipc_perm] 1137 comment=1, message ID, "msg ID" 1138 note=ipc_perm 1139 syscall=msgctl: IPC_SET 1140 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1141 1142 label=AUE_MSGCTL_STAT 1143 format=arg1:[ipc]:[ipc_perm] 1144 comment=1, message ID, "msg ID" 1145 note=ipc_perm 1146 syscall=msgctl: IPC_STAT 1147 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc 1148 1149 label=AUE_MSGGET 1150 format=arg1:ipc 1151 comment=1, message key, "msg key" 1152 note=ipc_perm 1153 syscall=msgget 1154 1155 label=AUE_MSGGETL 1156 skip=Not used. 1157 1158 label=AUE_MSGRCV 1159 format=arg1:[ipc]:[ipc_perm] 1160 comment=1, message ID, "msg ID" 1161 note=ipc_perm 1162 syscall=msgrcv 1163 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc 1164 1165 label=AUE_MSGRCVL 1166 skip=Not used. 1167 1168 label=AUE_MSGSND 1169 format=arg1:[ipc]:[ipc_perm] 1170 comment=1, message ID, "msg ID" 1171 note=ipc_perm 1172 syscall=msgsnd 1173 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc 1174 1175 label=AUE_MSGSNDL 1176 skip=Not used. 1177 1178 label=AUE_MSGSYS 1179 skip=Not used. (Placeholder for AUE_MSG* events.) 1180 1181 label=AUE_MUNMAP 1182 format=arg1:arg2 1183 comment=1, address of memory, "addr": 1184 comment=2, memory segment size, "len" 1185 1186 label=AUE_NFS 1187 skip=Not used. 1188 1189 label=AUE_NFSSVC_EXIT 1190 skip=Not used. 1191 1192 label=AUE_NFS_GETFH 1193 skip=Not used. 1194 1195 label=AUE_NFS_SVC 1196 skip=Not used. 1197 1198 label=AUE_NICE 1199 format=kernel 1200 1201 label=AUE_NULL 1202 skip=Not used. (placeholder) 1203 # used internal to audit_event.c for minimal audit 1204 1205 label=AUE_NTP_ADJTIME 1206 format=kernel 1207 1208 label=AUE_ONESIDE 1209 skip=Not used. 1210 1211 label=AUE_OPEN 1212 skip=Not used. (placeholder for AUE_OPEN_*). 
1213 1214 label=AUE_OPEN_R 1215 format=path:[path_attr]:[attr] 1216 see=open(2) - read 1217 1218 label=AUE_OPENAT_R 1219 # obsolete 1220 format=path:[path_attr]:[attr] 1221 see=openat(2) 1222 1223 label=AUE_OPEN_RC 1224 format=path:[path_attr]:[attr] 1225 see=open(2) - read,creat 1226 1227 label=AUE_OPENAT_RC 1228 # obsolete 1229 see=openat(2) 1230 format=path:[path_attr]:[attr] 1231 1232 label=AUE_OPEN_RT 1233 format=path:[path_attr]:[attr] 1234 see=open(2) - read,trunc 1235 1236 label=AUE_OPENAT_RT 1237 # obsolete 1238 see=openat(2) 1239 format=path:[path_attr]:[attr] 1240 1241 label=AUE_OPEN_RTC 1242 format=path:[path_attr]:[attr] 1243 see=open(2) - read,trunc,creat 1244 1245 label=AUE_OPENAT_RTC 1246 # obsolete 1247 see=openat(2) 1248 format=path:[path_attr]:[attr] 1249 1250 label=AUE_OPEN_RW 1251 format=path:[path_attr]:[attr] 1252 see=open(2) - read,write 1253 1254 label=AUE_OPENAT_RW 1255 # obsolete 1256 see=openat(2) 1257 format=path:[path_attr]:[attr] 1258 # aui_fsat(): fm & O_RDWR 1259 1260 label=AUE_OPEN_RWC 1261 format=path:[path_attr]:[attr] 1262 see=open(2) - read,write,creat 1263 1264 label=AUE_OPENAT_RWC 1265 # obsolete 1266 see=openat(2) 1267 format=path:[path_attr]:[attr] 1268 1269 label=AUE_OPEN_RWT 1270 format=path:[path_attr]:[attr] 1271 see=open(2) - read,write,trunc 1272 1273 label=AUE_OPENAT_RWT 1274 # obsolete 1275 see=openat(2) 1276 format=path:[path_attr]:[attr] 1277 1278 label=AUE_OPEN_RWTC 1279 format=path:[path_attr]:[attr] 1280 see=open(2) - read,write,trunc,creat 1281 1282 label=AUE_OPENAT_RWTC 1283 # obsolete 1284 see=openat(2) 1285 format=path:[path_attr]:[attr] 1286 1287 label=AUE_OPEN_W 1288 format=path:[path_attr]:[attr] 1289 see=open(2) - write 1290 1291 label=AUE_OPENAT_W 1292 see=openat(2) 1293 format=path:[path_attr]:[attr] 1294 1295 label=AUE_OPEN_WC 1296 format=path:[path_attr]:[attr] 1297 see=open(2) - write,creat 1298 1299 label=AUE_OPENAT_WC 1300 see=openat(2) 1301 format=path:[path_attr]:[attr] 1302 1303 
label=AUE_OPEN_WT 1304 format=path:[path_attr]:[attr] 1305 see=open(2) - write,trunc 1306 1307 label=AUE_OPENAT_WT 1308 see=openat(2) 1309 format=path:[path_attr]:[attr] 1310 1311 label=AUE_OPEN_WTC 1312 format=path:[path_attr]:[attr] 1313 see=open(2) - write,trunc,creat 1314 1315 label=AUE_OPENAT_WTC 1316 see=openat(2) 1317 format=path:[path_attr]:[attr] 1318 1319 label=AUE_OPEN_S 1320 format=path:[path_attr]:[attr] 1321 see=open(2) - search 1322 1323 label=AUE_OPEN_E 1324 format=path:[path_attr]:[attr] 1325 see=open(2) - exec 1326 1327 label=AUE_OSETPGRP 1328 skip=Not used. 1329 1330 label=AUE_OSTAT 1331 # obsolete 1332 skip=Not used. 1333 1334 label=AUE_PATHCONF 1335 format=path:[attr] 1336 1337 label=AUE_PIPE 1338 format=kernel 1339 # class is no, not usually printed 1340 1341 label=AUE_PORTFS 1342 skip=Not used (placeholder for AUE_PORTFS_*). 1343 1344 label=AUE_PORTFS 1345 skip=Not used (placeholder for AUE_PORTFS_*). 1346 1347 label=AUE_PORTFS_ASSOCIATE 1348 syscall=portfs 1349 see=port_associate(3C) 1350 case=Port association via PORT_SOURCE_FILE 1351 format=[path]1:attr 1352 comment=name of the file/directory to be watched 1353 1354 label=AUE_PORTFS_DISSOCIATE 1355 syscall=portfs 1356 see=port_dissociate(3C) 1357 case=Port disassociation via PORT_SOURCE_FILE 1358 format=kernel 1359 1360 label=AUE_PRIOCNTLSYS 1361 syscall=priocntl 1362 see=priocntl(2) 1363 format=arg1:arg2 1364 comment=1, priocntl version number, "pc_version": 1365 comment=3, command, "cmd" 1366 1367 label=AUE_PROCESSOR_BIND 1368 case=No LWP/thread bound to the processor 1369 format=arg1:arg2:text3:[proc] 1370 comment=1, type of ID, "ID type": 1371 comment=2, ID value, "ID": 1372 comment="PBIND_NONE" 1373 case=With processor bound 1374 format=arg1:arg2:arg3:[proc] 1375 comment=1, type of ID, "ID type": 1376 comment=2, ID value, "ID": 1377 comment=3, processor ID, "processor_id" 1378 1379 label=AUE_PUTMSG 1380 see=putmsg(2) 1381 format=arg1:[path]:[attr]:arg2 1382 comment=1, file descriptor, 
"fd": 1383 comment=4, priority, "pri" 1384 1385 label=AUE_PUTPMSG 1386 see=putpmsg(2) 1387 format=arg1:[path]:[attr]:arg2:arg3 1388 comment=1, file descriptor, "fd": 1389 comment=4, priority, "pri": 1390 comment=5, flags, "flags" 1391 1392 label=AUE_P_ONLINE 1393 format=arg1:arg2:text3 1394 comment=1, processor ID, "processor ID": 1395 comment=2, flags value, "flags": 1396 comment=text form of flags. Values: \ 1397 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED 1398 1399 label=AUE_QUOTACTL 1400 skip=Not used. 1401 1402 label=AUE_READ 1403 skip=Not used. (Placeholder for AUE_READ_* events) 1404 1405 label=AUE_READL 1406 skip=Not used. (Obsolete) 1407 1408 label=AUE_READLINK 1409 format=path:[attr] 1410 1411 label=AUE_READV 1412 skip=Not used (obsolete) 1413 # detritus from CMS 1414 1415 label=AUE_READVL 1416 skip=Not used (obsolete) 1417 # detritus from CMS 1418 1419 label=AUE_REBOOT 1420 skip=Not used. 1421 1422 label=AUE_RECV 1423 case=If address family is AF_INET or AF_INET6 1424 format=[arg]1:[inet] 1425 comment=1, file descriptor, "so" 1426 case=If address family is AF_UNIX and path is defined 1427 format=[path]1:[attr] 1428 comment=1, file descriptor, "so" 1429 case=If address family is AF_UNIX and path is NULL 1430 format=[path]1:[attr] 1431 comment=1, file descriptor, "no path: fd" 1432 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1433 format=[arg]1:[arg]2:[arg]3 1434 comment=1, file descriptor, "so": 1435 comment=1, family, "family": 1436 comment=1, type, "type" 1437 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237]) 1438 1439 label=AUE_RECVFROM 1440 format=inet:arg1:[arg]2:inet3:arg4 1441 comment=3, message length, "len": 1442 comment=4, flags, "flags": 1443 comment=from address: 1444 comment=6, address length, "tolen" 1445 note=The socket token for a bad socket is reported as "argument 1446 note=token (1, socket descriptor, "fd")" 1447 1448 label=AUE_RECVMSG 1449 case=If invalid file 
descriptor 1450 format=arg1:arg2 1451 comment=1, file descriptor, "so": 1452 comment=3, flags, "flags" 1453 case=If valid file descriptor and socket is AF_UNIX and no path 1454 format=arg1:[attr] 1455 comment=1, file descriptor, "no path: fd" 1456 case=If valid file descriptor and socket is AF_UNIX and path defined 1457 format=path:attr 1458 case=If valid file descriptor and socket is AF_INET or AF_INET6 1459 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM 1460 format=arg1:arg2:inet 1461 comment=1, file descriptor, "so": 1462 comment=2, flags, "flags" 1463 case=.. if socket type is unknown 1464 format=arg1:arg2:arg3:arg4 1465 comment=1, file descriptor, "so": 1466 comment=1, family, "family": 1467 comment=1, type, "type": 1468 comment=3, flags, "flags" 1469 1470 label=AUE_RENAME 1471 format=path1:[attr]1:[path]2 1472 comment=from name: 1473 comment=to name 1474 1475 label=AUE_RENAMEAT 1476 # obsolete 1477 format=path1:[attr]1:[path]2 1478 comment=from name: 1479 comment=to name 1480 1481 label=AUE_RFSSYS 1482 skip=Not used. 
1483 # apparently replaced 1484 1485 label=AUE_RMDIR 1486 format=path:[attr] 1487 1488 label=AUE_SEMCTL 1489 format=arg1:[ipc]:[ipc_perm] 1490 comment=1, semaphore ID, "sem ID" 1491 note=ipc_perm 1492 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1493 1494 label=AUE_SEMCTL_GETALL 1495 format=arg1:[ipc]:[ipc_perm] 1496 comment=1, semaphore ID, "sem ID" 1497 note=ipc_perm 1498 syscall=semctl: GETALL 1499 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1500 1501 label=AUE_SEMCTL_GETNCNT 1502 format=arg1:[ipc]:[ipc_perm] 1503 comment=1, semaphore ID, "sem ID" 1504 note=ipc_perm 1505 syscall=semctl: GETNCNT 1506 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1507 1508 label=AUE_SEMCTL_GETPID 1509 format=arg1:[ipc]:[ipc_perm] 1510 comment=1, semaphore ID, "sem ID" 1511 note=ipc_perm 1512 syscall=semctl: GETPID 1513 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1514 1515 label=AUE_SEMCTL_GETVAL 1516 format=arg1:[ipc]:[ipc_perm] 1517 comment=1, semaphore ID, "sem ID" 1518 note=ipc_perm 1519 syscall=semctl: GETVAL 1520 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1521 1522 label=AUE_SEMCTL_GETZCNT 1523 format=arg1:[ipc]:[ipc_perm] 1524 comment=1, semaphore ID, "sem ID" 1525 note=ipc_perm 1526 syscall=semctl: GETZCNT 1527 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1528 1529 label=AUE_SEMCTL_RMID 1530 format=arg1:[ipc]:[ipc_perm] 1531 comment=1, semaphore ID, "sem ID" 1532 note=ipc_perm 1533 syscall=semctl: IPC_RMID 1534 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1535 1536 label=AUE_SEMCTL_SET 1537 format=arg1:[ipc]:[ipc_perm] 1538 comment=1, semaphore ID, "sem ID" 1539 note=ipc_perm 1540 syscall=semctl: IPC_SET 1541 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1542 1543 label=AUE_SEMCTL_SETALL 1544 format=arg1:[ipc]:[ipc_perm] 1545 comment=1, semaphore ID, "sem ID" 1546 note=ipc_perm 1547 syscall=semctl: SETALL 1548 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 
1549 1550 label=AUE_SEMCTL_SETVAL 1551 format=arg1:[ipc]:[ipc_perm] 1552 comment=1, semaphore ID, "sem ID" 1553 note=ipc_perm 1554 syscall=semctl: SETVAL 1555 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1556 1557 label=AUE_SEMCTL_STAT 1558 format=arg1:[ipc]:[ipc_perm] 1559 comment=1, semaphore ID, "sem ID" 1560 note=ipc_perm 1561 syscall=semctl: IPC_STAT 1562 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc 1563 1564 label=AUE_SEMGET 1565 format=arg1:[ipc_perm]:ipc 1566 comment=1, semaphore ID, "sem key" 1567 note=ipc_perm 1568 syscall=semctl: SETVAL 1569 # ipc_perm token: semget -> audit_ipcget 1570 1571 label=AUE_SEMGETL 1572 skip=Not used. 1573 1574 label=AUE_SEMOP 1575 format=arg1:[ipc]:[ipc_perm] 1576 comment=1, semaphore ID, "sem ID" 1577 note=ipc_perm 1578 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc 1579 1580 label=AUE_SEMSYS 1581 skip=Not used. (place holder) -- defaults to a semget variant 1582 1583 label=AUE_SEND 1584 case=If address family is AF_INET or AF_INET6 1585 format=[arg]1:[inet] 1586 comment=1, file descriptor, "so" 1587 case=If address family is AF_UNIX and path is defined 1588 format=[path]1:[attr] 1589 comment=1, file descriptor, "so" 1590 case=If address family is AF_UNIX and path is NULL 1591 format=[path]1:[attr] 1592 comment=1, file descriptor, "no path: fd" 1593 case=If address family is other than AF_UNIX, AF_INET, AF_INET6 1594 format=[arg]1:[arg]2:[arg]3 1595 comment=1, file descriptor, "so": 1596 comment=1, family, "family": 1597 comment=1, type, "type" 1598 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240]) 1599 1600 label=AUE_SENDMSG 1601 case=If invalid file descriptor 1602 format=arg1:arg2 1603 comment=1, file descriptor, "so": 1604 comment=3, flags, "flags" 1605 case=If valid file descriptor 1606 case=...and address family is AF_UNIX and path is defined 1607 format=path:attr 1608 case=...and address family is AF_UNIX and path is NULL 1609 format=path1:attr 1610 
comment=1, file descriptor, "nopath: fd" 1611 case=...and address family is AF_INET or AF_INET6, \ 1612 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1613 format=arg1:arg2:inet 1614 comment=1, file descriptor, "so": 1615 comment=3, flags, "flags" 1616 case=...and unknown address family or address family AF_INET or AF_INET6 \ 1617 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM 1618 format=arg1:arg2:arg3:arg4 1619 comment=1, file descriptor, "so": 1620 comment=1, family, "family": 1621 comment=1, type, "type": 1622 comment=1, flags, "flags" 1623 1624 label=AUE_SENDTO 1625 case=If invalid file descriptor 1626 format=arg1:arg2 1627 comment=1, file descriptor, "so": 1628 comment=3, flags, "flags" 1629 case=If valid file descriptor 1630 case=...and socket is AF_UNIX and path is defined 1631 format=path:attr 1632 case=...and address family is AF_UNIX and path is NULL 1633 format=path1:attr 1634 comment=1, file descriptor, "nopath: fd" 1635 case=...and address family is AF_INET or AF_INET6 1636 format=arg1:arg2:inet 1637 comment=1, file descriptor, "so": 1638 comment=3, flags, "flags" 1639 case=...and unknown address family 1640 format=arg1:arg2:arg3:arg4 1641 comment=1, file descriptor, "so": 1642 comment=1, family, "family": 1643 comment=1, type, "type": 1644 comment=1, flags, "flags" 1645 1646 label=AUE_SETAUDIT 1647 case=With a valid program stack address 1648 format=arg1:arg2:arg3:arg4:arg5:arg6 1649 comment=1, audit user ID, "setaudit:auid": 1650 comment=1, terminal ID, "setaudit:port": 1651 comment=1, terminal ID, "setaudit:machine": 1652 comment=1, preselection mask, "setaudit:as_success": 1653 comment=1, preselection mask, "setaudit:as_failure": 1654 comment=1, audit session ID, "setaudit:asid" 1655 case=With an invalid program stack address 1656 format=kernel 1657 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1658 # argument,1,0x271a,setaudit:auid 1659 # argument,1,0x3ff0201,setaudit:port 1660 # argument,1,0x8192591e,setaudit:machine 
1661 # argument,1,0x400,setaudit:as_success 1662 # argument,1,0x400,setaudit:as_failure 1663 # argument,1,0x16f,setaudit:asid 1664 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1665 # return,success,0 1666 # trailer,215 1667 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1668 # argument,1,0x271a,setaudit:auid 1669 # argument,1,0x3ff0201,setaudit:port 1670 # argument,1,0x8192591e,setaudit:machine 1671 # argument,1,0x400,setaudit:as_success 1672 # argument,1,0x400,setaudit:as_failure 1673 # argument,1,0x16f,setaudit:asid 1674 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1675 # return,success,0 1676 # trailer,215 1677 1678 label=AUE_SETAUDIT_ADDR 1679 case=With a valid program stack address 1680 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7 1681 comment=1, audit user ID, "auid": 1682 comment=1, terminal ID, "port": 1683 comment=1, type, "type": 1684 comment=1, terminal ID, "ip address": 1685 comment=1, preselection mask, "as_success": 1686 comment=1, preselection mask, "as_failure": 1687 comment=1, audit session ID, "asid" 1688 case=With an invalid program stack address 1689 format=kernel 1690 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1691 # argument,1,0x15fa7,auid 1692 # argument,1,0x0,port 1693 # argument,1,0x4,type 1694 # ip address,tmach2 1695 # argument,1,0x9c00,as_success 1696 # argument,1,0x9c00,as_failure 1697 # argument,1,0x1f1,asid 1698 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1699 # return,success,0 1700 1701 label=AUE_SETAUID 1702 format=arg1 1703 comment=2, audit user ID, "setauid" 1704 1705 label=AUE_SETDOMAINNAME 1706 skip=Not used. 
(See AUE_SYSINFO) 1707 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1708 1709 label=AUE_SETEGID 1710 format=arg1 1711 comment=1, group ID, "gid" 1712 1713 label=AUE_SETEUID 1714 format=arg1 1715 comment=1, user ID, "euid" 1716 1717 label=AUE_SETGID 1718 format=arg1 1719 comment=1, group ID, "gid" 1720 1721 label=AUE_SETGROUPS 1722 note=If more than NGROUPS_MAX_DEFAULT groups listed, 1723 note=no tokens are generated. 1724 case=If no groups in list 1725 format=[arg]1 1726 comment=1, 0, "setgroups" 1727 case=If 1 or more groups in list 1728 format=(1..n)arg1 1729 comment=1, gid, "setgroups" 1730 1731 label=AUE_SETHOSTNAME 1732 skip=Not used. (See AUE_SYSINFO) 1733 # See sysinfo call with command SI_SET_HOSTNAME 1734 1735 label=AUE_SETKERNSTATE 1736 skip=Not used. 1737 1738 label=AUE_SETPGID 1739 format=[proc]:[arg]1 1740 comment=2, pgid, "pgid" 1741 1742 label=AUE_SETPGRP 1743 format=kernel 1744 1745 label=AUE_SETPRIORITY 1746 skip=Not used. 1747 1748 label=AUE_SETPPRIV 1749 case=operation privileges off 1750 format=arg1:privset2 1751 comment=setppriv operation: 1752 comment=privileges actually switched off 1753 case=operation privileges on 1754 format=arg1:privset2 1755 comment=setppriv operation: 1756 comment=privileges actually switched on 1757 case=operation privileges off 1758 format=arg1:privset2:privset3 1759 comment=setppriv operation: 1760 comment=privileges before privset: 1761 comment=privileges after privset 1762 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1763 #argument,2,0x2,op 1764 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1765 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1766 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1767 #return,success,0 1768 1769 label=AUE_SETREGID 1770 format=arg1:arg2 1771 comment=1, real group ID, "rgid": 1772 comment=2, effective group ID, "egid" 1773 1774 label=AUE_SETREUID 1775 format=arg1:arg2 1776 comment=1, real user ID, 
"ruid": 1777 comment=2, effective user ID, "euid" 1778 1779 label=AUE_SETRLIMIT 1780 format=kernel 1781 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1782 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1783 # return,success,0 1784 1785 label=AUE_SETSID 1786 format=kernel 1787 1788 label=AUE_SETSOCKOPT 1789 case=Invalid file descriptor 1790 format=arg1:arg2 1791 comment=1, file descriptor, "so": 1792 comment=2, level, "level" 1793 case=Valid file descriptor 1794 case=...and socket is AF_UNIX 1795 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8 1796 comment=if no path, will be argument: 1, "nopath: fd", \ 1797 file descriptor: 1798 comment=1, file descriptor, "so": 1799 comment=1, family, "family": 1800 comment=1, type, "type": 1801 comment=2, protocol level, "level": 1802 comment=3, option name, "optname": 1803 comment=5, option length, "optlen": 1804 comment=option data 1805 case=...and socket is AF_INET or AF_INET6 1806 format=arg1:arg2:arg3:[arg]4:[data]5:inet 1807 comment=1, file descriptor, "so": 1808 comment=2, protocol level, "level": 1809 comment=3, option name, "optname": 1810 comment=5, option length, "optlen": 1811 comment=option data 1812 case=...and socket adddress family is unknown 1813 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7 1814 comment=1, file descriptor, "so": 1815 comment=1, family, "family": 1816 comment=1, type, "type": 1817 comment=2, protocol level, "level": 1818 comment=3, option name, "optname": 1819 comment=5, option length, "optlen": 1820 comment=option data 1821 1822 label=AUE_SETTIMEOFDAY 1823 skip=Not used. 1824 1825 label=AUE_SETUID 1826 syscall=setuid 1827 format=arg1 1828 comment=1, "uid" to be set 1829 1830 label=AUE_SETUSERAUDIT 1831 skip=Not used. 
1832 1833 label=AUE_SHMAT 1834 format=arg1:arg2:[ipc]:[ipc_perm] 1835 comment=1, shared memory ID, "shm ID": 1836 comment=2, shared mem addr, "shm addr" 1837 note=ipc_perm 1838 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc 1839 1840 label=AUE_SHMCTL 1841 format=arg1:[ipc]:[ipc_perm] 1842 comment=1, shared memory ID, "shm ID" 1843 note=ipc_perm 1844 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1845 1846 label=AUE_SHMCTL_RMID 1847 format=arg1:[ipc]:[ipc_perm] 1848 comment=1, shared memory ID, "shm ID" 1849 note=ipc_perm 1850 syscall=semctl: IPC_RMID 1851 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc 1852 1853 label=AUE_SHMCTL_SET 1854 format=arg1:[ipc]:[ipc_perm] 1855 comment=1, shared memory ID, "shm ID" 1856 note=ipc_perm 1857 syscall=semctl: IPC_SET 1858 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1859 1860 label=AUE_SHMCTL_STAT 1861 format=arg1:[ipc]:[ipc_perm] 1862 comment=1, shared memory ID, "shm ID" 1863 note=ipc_perm 1864 syscall=semctl: IPC_STAT 1865 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc 1866 1867 label=AUE_SHMDT 1868 format=arg1 1869 comment=1, shared memory address, "shm adr" 1870 1871 label=AUE_SHMGET 1872 format=arg1:[ipc_perm]:[ipc] 1873 comment=0, shared memory key, "shm key" 1874 note=ipc_perm 1875 # ipc_perm: shmget -> audit_ipcget 1876 1877 label=AUE_SHMGETL 1878 skip=Not used. 1879 1880 label=AUE_SHMSYS 1881 skip=Not used. 
(Placeholder for shmget and shmctl*) 1882 1883 label=AUE_SHUTDOWN 1884 case=If the socket address is invalid 1885 format=[arg]1:[text]2:[text]3 1886 comment=1, file descriptor, "fd": 1887 comment=bad socket address: 1888 comment=bad peer address 1889 case=If the socket address is part of the AF_INET family 1890 case=..with zero file descriptor 1891 format=arg1:[arg]2:[arg]3:[arg]4 1892 comment=1, file descriptor, "so": 1893 comment=1, family, "family": 1894 comment=1, type, "type": 1895 comment=2, how shutdown code, "how" 1896 case=...with non-zero file descriptor 1897 format=arg1:arg2:inet 1898 comment=1, file descriptor, "so": 1899 comment=2, how shutdown code, "how" 1900 case=If the socket address is AF_UNIX 1901 case=...with zero file descriptor 1902 format=path1:arg2:[arg]3:[arg]4:[arg]5 1903 comment=If error: argument: \ 1904 1, "no path: fd", file descriptor: 1905 comment=1, file descriptor, "so": 1906 comment=1, family, "family": 1907 comment=1, type, "type": 1908 comment=2, how shutdown code, "how" 1909 case=...with non-zero file descriptor 1910 format=path1:arg2:arg3:inet 1911 comment=If error: argument: \ 1912 1, file descriptor, "no path: fd": 1913 comment=1, file descriptor, "so": 1914 comment=2, how shutdown code, "how" 1915 #old BSM manual wrong; used audit_event.c 1916 1917 label=AUE_SOCKACCEPT 1918 syscall=getmsg: socket accept 1919 format=inet:arg1:[path]:attr:arg2 1920 comment=1, file descriptor, "fd": 1921 comment=4, priority, "pri" 1922 # see putmsg and getmsg for record format 1923 # See audit.c for inet token and audit_start.c for other reference 1924 1925 label=AUE_SOCKCONFIG 1926 format=arg1:arg2:arg3:[path]4 1927 comment=1, domain address, "domain": 1928 comment=2, type, "type": 1929 comment=3, protocol, "protocol": 1930 comment=If no path:argument -- 3, 0, "devpath" 1931 1932 label=AUE_SOCKCONNECT 1933 syscall=putmsg: socket connect 1934 format=inet:arg1:[path]:attr:arg2 1935 comment=1, file descriptor, "fd": 1936 comment=4, priority, 
"pri" 1937 # same as AUE_SOCKACCEPT 1938 1939 label=AUE_SOCKET 1940 format=arg1:[arg]2:arg3 1941 comment=1, socket domain, "domain": 1942 comment=2, socket type, "type": 1943 comment=3, socket protocol, "protocol" 1944 1945 label=AUE_SOCKETPAIR 1946 skip=Not used. 1947 # unreferenced 1948 1949 label=AUE_SOCKRECEIVE 1950 syscall=getmsg 1951 format=inet:arg1:[path]:attr:arg2 1952 comment=1, file descriptor, "fd": 1953 comment=4, priority, "pri" 1954 # see AUE_SOCKACCEPT 1955 1956 label=AUE_SOCKSEND 1957 syscall=putmsg 1958 format=inet:arg1:[path]:attr:arg2 1959 comment=1, file descriptor, "fd": 1960 comment=4, priority, "pri" 1961 # see AUE_SOCKACCEPT 1962 1963 label=AUE_STAT 1964 format=path:[attr] 1965 1966 label=AUE_STATFS 1967 format=path:[attr] 1968 1969 label=AUE_STATVFS 1970 format=path:[attr] 1971 1972 label=AUE_STIME 1973 format=kernel 1974 1975 label=AUE_SWAPON 1976 skip=Not used. 1977 1978 label=AUE_SYMLINK 1979 format=path:text1:[attr] 1980 comment=symbolic link string 1981 1982 label=AUE_SYSINFO 1983 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands 1984 note=are currently audited. 1985 format=arg1:[text]2 1986 comment=1, command, "cmd": 1987 comment=name 1988 1989 label=AUE_SYSTEMBOOT 1990 title=system booted 1991 syscall=none 1992 format=head:text1 1993 comment="booting kernel" 1994 # see audit_start.c and audit_io.c 1995 # no subject or return / exit token 1996 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec 1997 # text,booting kernel 1998 1999 label=AUE_TRUNCATE 2000 skip=Not used. 2001 2002 label=AUE_UMOUNT 2003 syscall=umount: old version 2004 note=Implemented as call of the newer umount2(2). 
2005 format=path:arg1:[path]:[attr] 2006 comment=2, mflag value = 0, "flags" 2007 2008 label=AUE_UMOUNT2 2009 syscall=umount2 2010 format=path:arg1:[path]:[attr] 2011 comment=2, mflag value, "flags" 2012 2013 label=AUE_UNLINK 2014 format=path:[attr] 2015 2016 label=AUE_UNLINKAT 2017 # obsolete 2018 see=openat(2) 2019 format=path:[attr] 2020 2021 label=AUE_UNMOUNT 2022 skip=Not used. 2023 2024 label=AUE_UTIME 2025 # obsolete 2026 format=path:[attr] 2027 2028 label=AUE_UTIMES 2029 see=futimens(2) 2030 format=path:[attr] 2031 2032 label=AUE_VFORK 2033 format=arg1 2034 comment=0, pid, "child PID" 2035 note=The vfork(2) return values are undefined because the audit record is 2036 note=produced at the point that the child process is spawned. 2037 2038 label=AUE_VPIXSYS 2039 skip=Not used. 2040 2041 label=AUE_VTRACE 2042 skip=Not used. 2043 2044 label=AUE_WRITE 2045 format=path1:attr 2046 comment=if no path, argument -- 1, file descriptor, "no path: fd" 2047 note=An audit record is generated for write only once per file close. 2048 2049 label=AUE_WRITEV 2050 skip=Not used. (obsolete) 2051 2052 label=AUE_XMKNOD 2053 # obsolete 2054 skip=Not used. 2055 2056 label=AUE_XSTAT 2057 # obsolete 2058 skip=Not Used. 
2059 2060 label=AUE_PF_POLICY_ADDRULE 2061 title=Add IPsec policy rule 2062 see= 2063 syscall=none 2064 format=arg1:arg2:[zone]3:[text]4 2065 comment=Operation applied to active policy (1 is active, 0 is inactive): 2066 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2067 comment=affected zone: 2068 comment=Name of target tunnel 2069 2070 label=AUE_PF_POLICY_DELRULE 2071 title=Delete IPsec policy rule 2072 see= 2073 syscall=none 2074 format=arg1:arg2:[zone]3:[text]4 2075 comment=Operation applied to active policy (1 is active, 0 is inactive): 2076 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2077 comment=affected zone: 2078 comment=Name of target tunnel 2079 2080 label=AUE_PF_POLICY_CLONE 2081 title=Clone IPsec policy 2082 see= 2083 syscall=none 2084 format=arg1:arg2:[zone]3:[text]4 2085 comment=Operation applied to active policy (1 is active, 0 is inactive): 2086 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2087 comment=affected zone: 2088 comment=Name of target tunnel 2089 2090 label=AUE_PF_POLICY_FLIP 2091 title=Flip IPsec policy 2092 see= 2093 syscall=none 2094 format=arg1:arg2:[zone]3:[text]4 2095 comment=Operation applied to active policy (1 is active, 0 is inactive): 2096 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2097 comment=affected zone: 2098 comment=Name of target tunnel 2099 2100 label=AUE_PF_POLICY_FLUSH 2101 title=Flush IPsec policy rules 2102 see= 2103 syscall=none 2104 format=arg1:arg2:[zone]3:[text]4 2105 comment=Operation applied to active policy (1 is active, 0 is inactive): 2106 comment=Operation applied to global policy (1 is global, 0 is tunnel): 2107 comment=affected zone: 2108 comment=Name of target tunnel 2109 2110 label=AUE_PF_POLICY_ALGS 2111 title=Update IPsec algorithms 2112 see= 2113 syscall=none 2114 format=arg1:arg2:[zone]3:[text]4 2115 comment=Operation applied to active policy (1 is active, 0 is inactive): 2116 comment=Operation 
applied to global policy (1 is global, 0 is tunnel): 2117 comment=affected zone: 2118 comment=Name of target tunnel 2119 2120 label=AUE_allocate_fail 2121 program=/usr/sbin/allocate 2122 title=allocate: allocate-device failure 2123 format=(0..n)[text]1 2124 comment=command line arguments 2125 # see audit_allocate.c 2126 2127 label=AUE_allocate_succ 2128 program=/usr/sbin/allocate 2129 title=allocate: allocate-device success 2130 format=(0..n)[text]1 2131 comment=command line arguments 2132 # see audit_allocate.c 2133 2134 label=AUE_at_create 2135 program=/usr/bin/at 2136 title=at: at-create crontab 2137 format=path 2138 2139 label=AUE_at_delete 2140 program=/usr/bin/at 2141 title=at: at-delete atjob (at or atrm) 2142 format=text1:path 2143 comment="ancillary file:" filename or "bad format of at-job name" 2144 2145 label=AUE_at_perm 2146 skip=Not used. 2147 # not referenced outside uevents.h 2148 2149 label=AUE_create_user 2150 skip=Not used. 2151 2152 label=AUE_cron_invoke 2153 program=/usr/sbin/cron 2154 title=cron: cron-invoke at or cron 2155 case=If issue with account find 2156 format=text1 2157 comment="bad user" name or "user <name> account expired" 2158 case=else 2159 format=text1:text2 2160 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \ 2161 or "unknown job type (<job_type_id>)": 2162 comment=command 2163 2164 label=AUE_crontab_create 2165 program=/usr/bin/crontab 2166 title=crontab: crontab created 2167 format=path 2168 # See audit_crontab.c 2169 2170 label=AUE_crontab_delete 2171 program=/usr/bin/crontab 2172 title=crontab: crontab delete 2173 format=path 2174 # See audit_crontab.c 2175 2176 label=AUE_crontab_mod 2177 program=/usr/bin/crontab 2178 title=crontab: crontab modify 2179 format=path 2180 # See audit_crontab.c 2181 2182 label=AUE_crontab_perm 2183 skip=Not used. 
2184 2185 label=AUE_deallocate_fail 2186 program=/usr/sbin/deallocate 2187 title=deallocate-device failure 2188 format=(0..n)[text]1 2189 comment=command line arguments 2190 # See audit_allocate.c 2191 2192 label=AUE_deallocate_succ 2193 program=/usr/sbin/deallocate 2194 title=deallocate-device success 2195 format=(0..n)[text]1 2196 comment=command line arguments 2197 # See audit_allocate.c 2198 2199 label=AUE_delete_user 2200 skip=Not used. 2201 2202 label=AUE_disable_user 2203 skip=Not used. 2204 2205 label=AUE_enable_user 2206 skip=Not used. 2207 2208 label=AUE_ftpd 2209 program=/usr/sbin/in.ftpd 2210 title=in.ftpd 2211 format=[text]1 2212 comment=error message 2213 # See audit_ftpd 2214 2215 label=AUE_ftpd_logout 2216 program=/usr/sbin/in.ftpd 2217 title=in.ftpd 2218 format=user 2219 # See audit_ftpd 2220 2221 label=AUE_halt_solaris 2222 program=/usr/sbin/halt 2223 title=halt 2224 format=user 2225 # See audit_halt.c 2226 2227 label=AUE_kadmind_auth 2228 format=text1:text2:text3 2229 comment=Op: <requested information>: 2230 comment=Arg: <argument for Op>: 2231 comment=Client: <client principal name> 2232 # See audit_kadmin.c / common_audit() 2233 2234 label=AUE_kadmind_unauth 2235 format=text1:text2:text3 2236 comment=Op: <requested information>: 2237 comment=Arg: <argument for Op>: 2238 comment=Client: <client principal name> 2239 # See audit_kadmin.c / common_audit() 2240 2241 label=AUE_krb5kdc_as_req 2242 format=text1:text2 2243 comment=Client: <client principal name>: 2244 comment=Service: <requested service name> 2245 # See audit_krb5kdc.c / common_audit() 2246 2247 label=AUE_krb5kdc_tgs_req 2248 format=text1:text2 2249 comment=Client: <client principal name>: 2250 comment=Service: <requested service name> 2251 # See audit_krb5kdc.c / common_audit() 2252 2253 label=AUE_krb5kdc_tgs_req_alt_tgt 2254 format=text1:text2 2255 comment=Client: <client principal name>: 2256 comment=Service: <requested service name> 2257 # See audit_krb5kdc.c / common_audit() 2258 
2259 label=AUE_krb5kdc_tgs_req_2ndtktmm 2260 format=text1:text2 2261 comment=Client: <client principal name>: 2262 comment=Service: <requested service name> 2263 # See audit_krb5kdc.c / common_audit() 2264 2265 label=AUE_listdevice_fail 2266 title=allocate-list devices failure 2267 program=/usr/sbin/allocate 2268 format=(0..n)[text]1 2269 comment=command line arguments 2270 # See audit_allocate.c 2271 2272 label=AUE_listdevice_succ 2273 title=allocate-list devices success 2274 program=/usr/sbin/allocate 2275 format=(0..n)[text]1 2276 comment=command line arguments 2277 # See audit_allocate.c 2278 2279 label=AUE_modify_user 2280 skip=Not used. 2281 2282 label=AUE_mountd_mount 2283 title=mountd: NFS mount 2284 program=/usr/lib/nfs/mountd 2285 see=mountd(1M) 2286 format=text1:path2 2287 comment=remote client hostname: 2288 comment=mount dir 2289 # See audit_mountd.c 2290 2291 label=AUE_mountd_umount 2292 title=mountd: NFS unmount 2293 program=/usr/lib/nfs/mountd 2294 format=text1:path2 2295 comment=remote client hostname: 2296 comment=mount dir 2297 # See audit_mountd.c 2298 2299 label=AUE_poweroff_solaris 2300 program=/usr/sbin/poweroff 2301 title=poweroff 2302 format=user 2303 # See audit_halt.c 2304 2305 label=AUE_reboot_solaris 2306 program=/usr/sbin/reboot 2307 title=reboot 2308 format=user 2309 # See audit_reboot.c 2310 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec 2311 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2 2312 # return,success,0 2313 2314 label=AUE_rexd 2315 program=/usr/sbin/rpc.rexd 2316 title=rpc.rexd 2317 format=[text]1:text2:text3:[text]4:[text]5 2318 comment=error message (failure only): 2319 comment="Remote execution requested by:" hostname: 2320 comment="Username:" username: 2321 comment="User id:" user ID (failure only): 2322 comment="Command line:" command attempted 2323 # See audit_rexd.c 2324 2325 label=AUE_rexecd 2326 program=/usr/sbin/rpc.rexecd 2327 title=rpc.rexecd 2328 format=[text]1:text2:text3:text4 
2329 comment=error message (failure only): 2330 comment="Remote execution requested by:" hostname: 2331 comment="Username:" username: 2332 comment="Command line:" command attempted 2333 # See audit_rexecd.c 2334 2335 label=AUE_rshd 2336 program=/usr/sbin/in.rshd 2337 title=in.rshd 2338 format=text1:text2:[text]3:[text]4 2339 comment="cmd" command: 2340 comment="remote user" remote user: 2341 comment="local user" local user: 2342 comment=failure message 2343 # See audit_rshd.c 2344 2345 label=AUE_shutdown_solaris 2346 title=shutdown 2347 program=/usr/ucb/shutdown 2348 format=user 2349 # See audit_shutdown.c 2350 2351 label=AUE_smserverd 2352 program=/usr/lib/smedia/rpc.smserverd 2353 format=[text]1:[text]2 2354 comment=state change: 2355 comment=vid, pid, major/minor device 2356 # see usr/src/cmd/smserverd 2357 # code shows a third token, path, but it isn't implemented. 2358 2359 label=AUE_uadmin_solaris 2360 title=uadmin (obsolete) 2361 program= 2362 see= 2363 format=text1:text2 2364 comment=function code: 2365 comment=argument code 2366 # not used. 
Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml 2367 2368 label=AUE_LABELSYS_TNRH 2369 title=config Trusted Network remote host cache 2370 see=tnrh(2) 2371 syscall=labelsys: TSOL_TNRH 2372 case=With the flush command (cmd=3) 2373 format=arg1 2374 comment=1, command, "cmd" 2375 case=With the load (cmd=1) and delete (cmd=2) commands 2376 format=arg1:inaddr2:arg3 2377 comment=1, command, "cmd": 2378 comment=ip address of host: 2379 comment=2, prefix length, "prefix len" 2380 2381 label=AUE_LABELSYS_TNRHTP 2382 title=config Trusted Network remote host template 2383 see=tnrhtp(2) 2384 syscall=labelsys: TSOL_TNRHTP 2385 case=With the flush command (cmd=3) 2386 format=arg1 2387 comment=1, command, "cmd" 2388 case=With the load (cmd=1) and delete (cmd=2) commands 2389 format=arg1:text2 2390 comment=1, command, "cmd": 2391 comment=name of template 2392 2393 label=AUE_LABELSYS_TNMLP 2394 title=config Trusted Network multi-level port entry 2395 see=tnmlp(2) 2396 syscall=labelsys: TSOL_TNMLP 2397 case=With the flush command (cmd=3) 2398 format=arg1:text2 2399 comment=1, command, "cmd": 2400 comment="shared", or name of zone 2401 case=With the load (cmd=1) and delete (cmd=2) commands 2402 format=arg1:text2:arg3:arg4:[arg]5 2403 comment=1, command, "cmd": 2404 comment="shared", or name of zone: 2405 comment=2, protocol number, "proto num": 2406 comment=2, starting mlp port number, "mlp_port": 2407 comment=2, ending mlp port number, "mlp_port_upper"