1 # audit_record_attr.txt
2 # Lines beginning with two "#" are comments that are copied to audit_record_attr;
3 # all other comments are removed.
4 ##
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 ## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
7 ## Copyright 2019 Joyent, Inc.
8 ##
9 ## CDDL HEADER START
10 ##
11 ## The contents of this file are subject to the terms of the
12 ## Common Development and Distribution License (the "License").
13 ## You may not use this file except in compliance with the License.
14 ##
15 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
16 ## or http://www.opensolaris.org/os/licensing.
17 ## See the License for the specific language governing permissions
18 ## and limitations under the License.
19 ##
20 ## When distributing Covered Code, include this CDDL HEADER in each
21 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
22 ## If applicable, add the following below this CDDL HEADER, with the
23 ## fields enclosed by brackets "[]" replaced with your own identifying
24 ## information: Portions Copyright [yyyy] [name of copyright owner]
25 ##
26 ## CDDL HEADER END
27 ##
28 ##
29
30 # source file for describing audit records.
31
32 # This file is in two sections. The first is a list of attribute /
33 # value pairs used to provide short cuts in annotating the audit
34 # records. The second is for annotation for each audit record.
35
36 # first section: general attributes
37
38 # skipClass=<class name of items to skip if only in that class>
39 # skipClass=no # uncomment to filter unused events
40
41 # token name abbreviations
42 # token=alias:fullname -- short names for key tokens
43
44 token=arg:argument
45 token=attr:attribute
46 token=acl:acl_entry
47 token=cmd:command
48 token=data:data
49 token=exec_args:exec_arguments
50 token=exec_env:exec_environment
51 token=group:group
52 token=inaddr:ip_addr
53 token=inet:socket
54 token=ipc:ipc
55 token=ipc_perm:ipc_perm
56 token=newgroup:newgroups
57 token=path:path
58 token=path_attr:attribute_path
59 token=privset:privilege
60 token=proc:process
61 token=text:text
62 token=tid:terminal_adr
63 token=uauth:use_of_authorization
64 token=upriv:use_of_privilege
65 token=user:user_object
66 token=zone:zonename
67 token=fmri:service_instance
68 token=label:mandatory_label
69
70 token=head:header
71 token=subj:subject
72 token=ret:return
73 token=exit:exit
74
75 # note names -- certain notes show up repeatedly; collected here
76 #
77 # To keep the maximum line length below 80 characters, the note
78 # names (message=) can be defined as multi-line values, with each line
79 # except the last ending with a backslash character.
80
81 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
82 the message ID is not valid.
83
84
85 # basic record pattern ("insert" is where event-specific tokens
86 # are listed.)
87
88 kernel=head:insert:subj:[upriv]:ret
89 user=head:subj:insert:ret
90
91 # Second Section
92 # Annotation Section
93 #
94 # Most audit records need annotation beyond what is provided by
95 # the files audit_event and audit_class. At a minimum, a record
96 # is represented by a label and a format.
97 #
98 # label=record_id like AUE_ACCEPT
99 # format=token_alias
100 #
101 # there is no end line; a new label= ends the preceding definition
102 # and starts the next.
103 #
104 # format values are a list of token names, separated by colons. The
105 # name is either one of the values described above (token=) or is
106 # a value to be taken literally. If a token name ends with a digit,
107 # the digit is an index into an array of comments. In the few cases
108 # where there are no tokens (other than header, subject, return/exit),
109 # use "format=kernel" or "format=user".
110 #
111 # comment is an array of strings separated by colons. If comments
112 # are listed on separate lines (recommended for better
113 # readability and maintainability of the file), the preceding comment
114 # must end with a colon. The array starts at 1. (If the comment
115 # contains a colon, use ":" without the quotes.)
116 #
117 # case is used to generate alternate descriptions for a given
118 # record.
119 #
120 # Constraints - string lengths; bear in mind that any annotation of the
121 # primitives below that is longer than specified will be silently truncated
122 # to the given/defined number of characters by the auditrecord(1M) runtime:
123 #
124 # primitive <= max (non-truncated) string length
125 # case <= unlimited; if necessary, text continues on a new line
126 # comment <= unlimited; if necessary, text continues on a new line
127 # label <= 43
128 # note <= unlimited; if necessary, text continues on a new line
129 # program <= 20
130 # see <= 39
131 # syscall <= 20
132 # title <= 46
133 # token <= 28 (full name)
134 #
135 # To keep the maximum line length below 80 characters, the unlimited
136 # primitives can be defined as multi-line values, with each line except
137 # the last ending with a backslash character. In addition to the above,
138 # the "format=" record attribute follows the same rule.
139 #
140 #
141 # AUE_ACCEPT illustrates the use of all the above. Note that
142 # case is not nested; ellipsis (...) is used to give the effect
143 # of nesting.
144
145 label=AUE_ACCEPT
146 #accept(2) failure
147 case=Invalid socket file descriptor
148 format=arg1
149 comment=1, file descriptor, "so"
150 #accept(2) non SOCK_STREAM socket
151 case=If the socket address is not part of the AF_INET family
152 format=arg1:arg2:arg3
153 comment=1, "so", file descriptor:
154 comment="family", so_family:
155 comment="type", so_type
156 case=If the socket address is part of the AF_INET family
157 case=...If there is no vnode for this file descriptor
158 format=[arg]1
159 comment=1, file descriptor, "Bad so"
160 #accept(2) SOCK_STREAM socket-not bound
161 case=...or if the socket is not bound
162 format=[arg]1:[inet]2
163 comment=1, file descriptor, "so":
164 comment=local/foreign address (0.0.0.0)
165 case=...or if the socket address length = 0
166 format=[arg]1:[inet]2
167 comment=1, file descriptor, "so":
168 comment=local/foreign address (0.0.0.0)
169 case=...or for all other conditions
170 format=inet1:[inet]1
171 comment=socket address
172 #accept(2) failure
173 # header
174 # au_to_arg32 "so",file descriptor
175 # subject
176 # return <errno != 0>
177 #
178 #accept(2) non SOCK_STREAM socket
179 # header
180 # au_to_arg32 "so", file descriptor
181 # au_to_arg32 "family", so_family
182 # au_to_arg32 "type", so_type
183 # subject
184 # return success
185 #
186 #accept(2) SOCK_STREAM socket-not bound
187 # header
188 # au_to_arg32 "so", file descriptor
189 # au_to_socket_ex local/foreign address (0.0.0.0)
190 # subject
191 # return success
192 #
193 #accept(2) SOCK_STREAM socket-bound
194 # header
195 # au_to_arg32 "so", file descriptor
196 # au_to_socket_ex
197 # subject
198 # return success
199
200
201
202 label=AUE_ACCESS
203 format=path1:[attr]
204 comment=may be truncated in failure case
205 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
206 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
207 # attribute,100777,41416,staff,8388608,402255,0
208 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
209 # return,success,0
210 # trailer,163
211 #
212 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
213 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
214 # attribute,100000,root,other,8388608,402257,0
215 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
216 # return,failure: Permission denied,-1
217 # trailer,163
218 #
219 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
220 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
221 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
222 # return,failure: No such file or directory,-1
223 # trailer,135
224
225 label=AUE_ACCT
226 case=Zero path
227 format=arg1
228 comment=1, 0, "accounting off"
229 case=Non-zero path
230 format=path1:[attr]2
231 comment=may be truncated in failure case:
232 comment=omitted if failure
233
234 label=AUE_ACLSET
235 syscall=acl
236 format=arg1:arg2:(0..n)[acl]3
237 comment=2, SETACL, "cmd":
238 comment=3, number of ACL entries, "nentries":
239 comment=Access Control List entries
240
241 label=AUE_ADJTIME
242 format=kernel
243
244 label=AUE_ASYNC_DAEMON
245 skip=Not used
246
247 label=AUE_ASYNC_DAEMON_EXIT
248 skip=Not used
249
250 label=AUE_AUDIT
251 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
252
253 label=AUE_AUDITON
254 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
255
256 label=AUE_AUDITON_GESTATE
257 skip=Not used
258
259 label=AUE_AUDITON_GETAMASK
260 format=kernel
261 syscall=auditon: GETAMASK
262
263 label=AUE_AUDITON_GETCAR
264 format=kernel
265 syscall=auditon: GETCAR
266 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
267 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
268 # return,success,0
269 # trailer,68
270
271 label=AUE_AUDITON_GETCLASS
272 format=kernel
273 syscall=auditon: GETCLASS
274 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
275 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
276 # return,success,0
277 # trailer,68
278
279 label=AUE_AUDITON_GETCOND
280 format=kernel
281 syscall=auditon: GETCOND
282 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
283 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
284 # return,success,0
285 # trailer,68
286
287 label=AUE_AUDITON_GETCWD
288 format=kernel
289 syscall=auditon: GETCWD
290 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
291 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
292 # return,success,0
293 # trailer,68
294
295 label=AUE_AUDITON_GETKMASK
296 format=kernel
297 syscall=auditon: GETKMASK
298 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
299 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
300 # return,success,0
301 # trailer,68
302
303 label=AUE_AUDITON_GETSTAT
304 format=kernel
305 syscall=auditon: A_GETSTAT
306 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
307 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
308 # return,success,0
309 # trailer,68
310
311 label=AUE_AUDITON_GPOLICY
312 format=kernel
313 syscall=auditon: GPOLICY
314 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
315 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
316 # return,success,0
317 # trailer,68
318
319 label=AUE_AUDITON_GQCTRL
320 format=kernel
321 syscall=auditon: GQCTRL
322 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
323 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
324 # return,success,0
325 # trailer,68
326
327
328 label=AUE_AUDITON_GTERMID
329 skip=Not used.
330
331 label=AUE_AUDITON_SESTATE
332 skip=Not used.
333
334 label=AUE_AUDITON_SETAMASK
335 format=[arg]1:[arg]2
336 comment=2, "setamask as_success", user default audit preselection mask:
337 comment=2, "setamask as_failure", user default audit preselection mask
338 syscall=auditon: SETAMASK
339
340 label=AUE_AUDITON_SETCLASS
341 format=[arg]1:[arg]2
342 comment=2, "setclass:ec_event", event number:
343 comment=3, "setclass:ec_class", class mask
344 syscall=auditon: SETCLASS
345 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
346 # argument,2,0x0,setclass:ec_event
347 # argument,3,0x0,setclass:ec_class
348 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
349 # return,success,0
350 # trailer,120
351
352 label=AUE_AUDITON_SETCOND
353 format=[arg]1
354 comment=3, "setcond", audit state
355 syscall=auditon: SETCOND
356
357 label=AUE_AUDITON_SETKMASK
358 format=[arg]1:[arg]2
359 comment=2, "setkmask as_success", kernel non-attributable mask:
360 comment=2, "setkmask as_failure", kernel non-attributable mask
# NOTE(review): the sample records below print the argument text as
# setkmask:as_success / setkmask:as_failure (colon), and the sibling
# SETCLASS, SETSMASK and SETUMASK annotations use the colon form as well;
# the space form in the two comment= lines above (and in SETAMASK) may be a
# transcription error -- confirm against the kernel audit code before changing.
361 syscall=auditon: SETKMASK
362 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
363 # argument,2,0x0,setkmask:as_success
364 # argument,2,0x0,setkmask:as_failure
365 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
366 # return,success,0
367 # trailer,124
368 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
369 # argument,2,0x0,setkmask:as_success
370 # argument,2,0x0,setkmask:as_failure
371 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
372 # return,failure: Not owner,-1
373 # trailer,124
374
375 label=AUE_AUDITON_SETSMASK
376 format=[arg]1:[arg]2
377 comment=3, "setsmask:as_success", session ID mask:
378 comment=3, "setsmask:as_failure", session ID mask
379 syscall=auditon: SETSMASK
380 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
381 # argument,3,0x400,setsmask:as_success
382 # argument,3,0x400,setsmask:as_failure
383 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
384 # return,success,0
385 # trailer,124
386 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
387 # argument,3,0x400,setsmask:as_success
388 # argument,3,0x400,setsmask:as_failure
389 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
390 # return,failure: Not owner,-1
391 # trailer,124
392
393 label=AUE_AUDITON_SETSTAT
394 format=kernel
395 syscall=auditon: SETSTAT
396 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
397 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
398 # return,success,0
399 # trailer,68
400 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
401 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
402 # return,failure: Not owner,-1
403 # trailer,68
404
405 label=AUE_AUDITON_SETUMASK
406 format=[arg]1:[arg]2
407 comment=3, "setumask:as_success", audit ID mask:
408 comment=3, "setumask:as_failure", audit ID mask
409 syscall=auditon: SETUMASK
410 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
411 # argument,3,0x400,setumask:as_success
412 # argument,3,0x400,setumask:as_failure
413 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
414 # return,success,0
415 # trailer,124
416 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
417 # argument,3,0x400,setumask:as_success
418 # argument,3,0x400,setumask:as_failure
419 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
420 # return,failure: Not owner,-1
421 # trailer,124
422
423 label=AUE_AUDITON_SPOLICY
424 format=[arg]1
425 comment=1, audit policy flags, "setpolicy"
426 syscall=auditon: SPOLICY
427 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
428 # argument,3,0x200,setpolicy
429 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
430 # return,success,0
431 # trailer,86
432 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
433 # argument,3,0x200,setpolicy
434 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
435 # return,failure: Not owner,-1
436 # trailer,86
437
438 label=AUE_AUDITON_SQCTRL
439 format=[arg]1:[arg]2:[arg]3:[arg]4
440 comment=3, "setqctrl:aq_hiwater", queue control param.:
441 comment=3, "setqctrl:aq_lowater", queue control param.:
442 comment=3, "setqctrl:aq_bufsz", queue control param.:
443 comment=3, "setqctrl:aq_delay", queue control param.
444 syscall=auditon: SQCTRL
445 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
446 # argument,3,0x64,setqctrl:aq_hiwater
447 # argument,3,0xa,setqctrl:aq_lowater
448 # argument,3,0x400,setqctrl:aq_bufsz
449 # argument,3,0x14,setqctrl:aq_delay
450 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
451 # return,success,0
452 # trailer,176
453 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
454 # argument,3,0x64,setqctrl:aq_hiwater
455 # argument,3,0xa,setqctrl:aq_lowater
456 # argument,3,0x400,setqctrl:aq_bufsz
457 # argument,3,0x14,setqctrl:aq_delay
458 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
459 # return,failure: Not owner,-1
460 # trailer,176
461
462 label=AUE_AUDITON_STERMID
463 skip=Not used.
464
465 label=AUE_AUDITSTAT
466 skip=Not used.
467
468 label=AUE_AUDITSVC
469 skip=Not used.
470
471 label=AUE_AUDITSYS
472 skip=Not used. (Place holder for various auditing events.)
473
474 label=AUE_BIND
475 # differs from documented version.
476 # cases "no vnode" not fully confirmed
477 # family and type need argument number
478 case=Invalid socket handle
479 format=arg1
480 comment=1, file descriptor, "so"
481 case=If there is no vnode for this file descriptor
482 case=or if the socket is not of the AF_INET family
483 format=arg1:arg2:arg3
484 comment=1, file descriptor, "so":
485 comment=1, socket family, "family":
486 comment=1, socket type, "type"
487 case=or for all other conditions
488 format=arg1:inet2
489 comment=1, file descriptor, "so":
490 comment=socket address
491
492 label=AUE_BRANDSYS
493 # generic mechanism to allow user-space and kernel components of a brand
494 # to communicate. The interpretation of the arguments to the call is
495 # left entirely up to the brand.
496 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
497 comment=1, command, "cmd":
498 comment=2, command args, "arg":
499 comment=3, command args, "arg":
500 comment=4, command args, "arg":
501 comment=5, command args, "arg":
502 comment=6, command args, "arg":
503 comment=7, command args, "arg"
504
505 label=AUE_BSMSYS
506 skip=Not used.
507
508 label=AUE_CHDIR
509 format=path:[attr]
510 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
511 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
512 # attribute,40777,root,other,8388608,231558,0
513 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
514 # return,success,0
515 # trailer,151
516 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
517 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
518 # attribute,40000,root,other,8388608,237646,0
519 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
520 # return,failure: Permission denied,-1
521 # trailer,151
522
523 label=AUE_CHMOD
524 format=arg1:path:[attr]
525 comment=2, mode, "new file mode"
526 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
527 # argument,2,0x1f8,new file mode
528 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
529 # attribute,100770,tuser10,other,8388608,243608,0
530 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
531 # return,success,0
532 # trailer,173
533 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
534 # argument,2,0x1f8,new file mode
535 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
536 # attribute,100600,root,other,8388608,243609,0
537 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
538 # return,failure: Not owner,-1
539 # trailer,173
540
541 label=AUE_CHOWN
542 format=arg1:arg2
543 comment=2, uid, "new file uid":
544 comment=3, gid, "new file gid"
545 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
546 # argument,2,0x271a,new file uid
547 # argument,3,0xffffffff,new file gid
548 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
549 # attribute,100644,tuser10,other,8388608,268406,0
550 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
551 # return,success,0
552 # trailer,193
553 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
554 # argument,2,0x271a,new file uid
555 # argument,3,0xffffffff,new file gid
556 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
557 # attribute,100644,root,other,8388608,268407,0
558 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
559 # return,failure: Not owner,-1
560 # trailer,193
561
562 label=AUE_CHROOT
563 format=path:[attr]
564 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
565 # path,/
566 # attribute,40755,root,root,8388608,2,0
567 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
568 # return,success,0
569 # trailer,104
570 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
571 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
572 # attribute,40777,tuser10,other,8388608,335110,0
573 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
574 # return,failure: Not owner,-1
575 # trailer,152
576
577 label=AUE_CLOCK_SETTIME
578 format=kernel
579
580 label=AUE_CLOSE
581 format=arg1:[path]:[attr]
582 comment=1, file descriptor, "fd"
583
584 label=AUE_CONFIGKSSL
585 case=Adding KSSL entry.
586 format=text1:inaddr2:text3:text4
587 comment=opcode, KSSL_ADD_ENTRY:
588 comment=local IP address:
589 comment=SSL port number:
590 comment=proxy port number
591 case=Deleting KSSL entry.
592 format=text1:inaddr2:text3
593 comment=opcode, KSSL_DELETE_ENTRY:
594 comment=local IP address:
595 comment=SSL port number
596
597 label=AUE_CONNECT
598 # cases "no vnode" not fully confirmed
599 case=If there is no vnode for this file descriptor
600 case=If the socket address is not part of the AF_INET family
601 format=arg1:arg2:arg3
602 comment=1, file descriptor, "so":
603 comment=1, socket family, "family":
604 comment=1, socket type, "type"
605 case=If the socket address is part of the AF_INET family
606 format=arg1:inet2
607 comment=1, file descriptor, "so":
608 comment=socket address
609
610 label=AUE_CORE
611 syscall=none
612 title=process dumped core
613 see=none
614 format=path:[attr]:arg1
615 comment=1, signal, "signal"
616 # see uts/common/c2/audit.c
617
618 label=AUE_CREAT
619 # obsolete - see open(2)
620 format=path:[attr]
621 # does not match old BSM manual
622 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
623 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
624 # attribute,100644,tuser10,other,8388608,49679,0
625 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
626 # return,success,8
627 # trailer,151
628 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
629 # path,/devices/pseudo/mm@0:null
630 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
631 # return,success,8
632 # trailer,107
633 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
634 # path,/obj_fail
635 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
636 # return,failure: Permission denied,-1
637 # trailer,83
638
639 label=AUE_CRYPTOADM
640 title=kernel cryptographic framework
641 format=text1:(0..n)[text]2
642 comment=cryptoadm command/operation:
643 comment=mechanism list
644
645 label=AUE_DOORFS
646 skip=Not used. (Place holder for set of door audit events.)
647
648 label=AUE_DOORFS_DOOR_BIND
649 skip=Not used.
650 syscall=doorfs: DOOR_BIND
651
652 label=AUE_DOORFS_DOOR_CALL
653 format=arg1:proc2
654 comment=1, door ID, "door ID":
655 comment=for process that owns the door
656 syscall=doorfs: DOOR_CALL
657
658 label=AUE_DOORFS_DOOR_CREATE
659 format=arg1
660 comment=1, door attributes, "door attr"
661 syscall=doorfs: DOOR_CREATE
662
663 label=AUE_DOORFS_DOOR_CRED
664 skip=Not used.
665 syscall=doorfs: DOOR_CRED
666
667 label=AUE_DOORFS_DOOR_INFO
668 skip=Not used.
669 syscall=doorfs: DOOR_INFO
670
671 label=AUE_DOORFS_DOOR_RETURN
672 format=kernel
673 syscall=doorfs: DOOR_RETURN
674
675 label=AUE_DOORFS_DOOR_REVOKE
676 format=arg1
677 comment=1, door ID, "door ID"
678 syscall=doorfs: DOOR_REVOKE
679
680 label=AUE_DOORFS_DOOR_UNBIND
681 skip=Not used.
682 syscall=doorfs: DOOR_UNBIND
683
684 label=AUE_DUP2
685 skip=Not used.
686
687 label=AUE_ENTERPROM
688 title=enter prom
689 syscall=none
690 format=head:text1:ret
691 comment="kmdb"
692 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
693 # text,kmdb
694 # return,success,0
695
696 label=AUE_EXEC
697 # obsolete - see execve(2)
698 format=path:[attr]1:[exec_args]2:[exec_env]3
699 comment=omitted on error:
700 comment=output if argv policy is set:
701 comment=output if arge policy is set
702
703 label=AUE_EXECVE
704 format=path:[attr]1:[exec_args]2:[exec_env]3
705 comment=omitted on error:
706 comment=output if argv policy is set:
707 comment=output if arge policy is set
708 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
709 # path,/devices/pseudo/mm@0:null
710 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
711 # return,success,8
712 # trailer,107
713 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
714 # path,/usr/bin/pig
715 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
716 # return,failure: No such file or directory,-1
717 # trailer,86
718
719 label=AUE_PFEXEC
720 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
721 comment=pathname of the executable:
722 comment=pathname of working directory:
723 comment=privileges if the limit or inheritable set are changed:
724 comment=process if ruid, euid, rgid or egid is changed:
725 comment=output if arge policy is set
726
727 label=AUE_sudo
728 format=exec_args1:[text]2
729 comment=command args:
730 comment=error message (failure only)
731
732 label=AUE_EXIT
733 format=arg1:[text]2
734 comment=1, exit status, "exit status":
735 comment=event aborted
736
737 label=AUE_EXITPROM
738 title=exit prom
739 syscall=none
740 format=head:text1:ret
741 comment="kmdb"
742 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
743 # text,kmdb
744 # return,success,0
745
746 label=AUE_EXPORTFS
747 skip=Not used.
748
749 label=AUE_FACCESSAT
750 # obsolete
751 see=access(2)
752 format=path:[attr]
753
754 label=AUE_FACLSET
755 syscall=facl
756 case=Invalid file descriptor
757 format=arg1:arg2
758 comment=2, SETACL, "cmd":
759 comment=3, number of ACL entries, "nentries"
760 case=Zero path
761 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
762 comment=2, SETACL, "cmd":
763 comment=3, number of ACL entries, "nentries":
764 comment=1, file descriptor, "no path: fd":
765 comment=ACLs
766 case=Non-zero path
767 format=arg1:arg2:path:[attr]:(0..n)[acl]3
768 comment=2, SETACL, "cmd":
769 comment=3, number of ACL entries, "nentries":
770 comment=ACLs
771
772 label=AUE_FCHDIR
773 format=[path]:[attr]
774 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
775 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
776 # attribute,40777,tuser10,other,8388608,207662,0
777 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
778 # return,success,0
779 # trailer,150
780 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
781 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
782 # return,failure: Permission denied,-1
783 # trailer,68
784
785 label=AUE_FCHMOD
786 case=With a valid file descriptor and path
787 format=arg1:path:[attr]
788 comment=2, mode, "new file mode"
789 case=With a valid file descriptor and invalid path
790 format=arg1:[arg]2:[attr]
791 comment=2, mode, "new file mode":
792 comment=1, file descriptor, "no path: fd"
793 case=With an invalid file descriptor
794 format=arg1
795 comment=2, mode, "new file mode"
796 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
797 # argument,2,0x1a4,new file mode
798 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
799 # attribute,100644,tuser10,other,7602240,26092,0
800 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
801 # return,success,0
802 # trailer,168
803 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
804 # argument,2,0x1a4,new file mode
805 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
806 # return,failure: Bad file number,-1
807 # trailer,90
808 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
809 # argument,2,0x1a4,new file mode
810 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
811 # attribute,100644,root,other,7602240,26093,0
812 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
813 # return,failure: Not owner,-1
814 # trailer,168
815
816 label=AUE_FCHOWN
817 case=With a valid file descriptor
818 format=arg1:arg2:[path]:[attr]
819 comment=2, uid, "new file uid":
820 comment=3, gid, "new file gid"
821 case=With an invalid file descriptor
822 format=arg1:arg2:[arg]3:[attr]
823 comment=2, uid, "new file uid":
824 comment=3, gid, "new file gid":
825 comment=1, file descriptor, "no path fd"
826
827 label=AUE_FCHOWNAT
828 # obsolete
829 see=openat(2)
830 case=With a valid absolute/relative file path
831 format=path:[attr]
832 case=With a file path eq. NULL and valid file descriptor
833 format=kernel
834
835 label=AUE_FCHROOT
836 format=[path]:[attr]
837 # fchroot -> chdirec -> audit_chdirec
838
839 label=AUE_FCNTL
840 case=With a valid file descriptor
841 format=arg1:[arg]2:path:attr
842 comment=2, command, "cmd":
843 comment=3, flags, "flags"
844 case=With an invalid file descriptor
845 format=arg1:[arg]2:arg3
846 comment=2, command, "cmd":
847 comment=3, flags, "flags":
848 comment=1, file descriptor, "no path fd"
849 note=Flags are included only when cmd is F_SETFL.
850
851 label=AUE_FLOCK
852 skip=Not used.
853
854 label=AUE_FORKALL
855 format=[arg]1
856 comment=0, pid, "child PID"
857 note=The forkall(2) return values are undefined because the audit record
858 note=is produced at the point that the child process is spawned.
859 # see audit.c
860
861 label=AUE_FORK1
862 format=[arg]1
863 comment=0, pid, "child PID"
864 note=The fork1(2) return values are undefined because the audit record
865 note=is produced at the point that the child process is spawned.
866 # see audit.c
867
868 label=AUE_FSAT
869 # obsolete
870 skip=Not used. (Placeholder for AUE_*AT records)
871
872 label=AUE_FSTAT
873 skip=Not used.
874
875 label=AUE_FSTATAT
876 # obsolete
877 format=path:[attr]
878
879 label=AUE_FSTATFS
880 case=With a valid file descriptor
881 format=[path]:[attr]
882 case=With an invalid file descriptor
883 format=arg1
884 comment=1, file descriptor, "no path fd"
885
886 label=AUE_FTRUNCATE
887 skip=Not used.
888
889 label=AUE_FUSERS
890 syscall=utssys: UTS_FUSERS
891 format=path:attr
892
893 label=AUE_FUTIMESAT
894 # obsolete
895 format=[path]:[attr]
896
897 label=AUE_GETAUDIT
898 format=kernel
899 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
900 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
901 # return,success,0
902 # trailer,68
903 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
904 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
905 # return,success,0
906 # trailer,68
907
908 label=AUE_GETAUDIT_ADDR
909 format=kernel
910 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
911 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
912 # return,success,0
913
914 label=AUE_GETAUID
915 format=kernel
916 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
917 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
918 # return,success,0
919 # trailer,68
920 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
921 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
922 # return,failure: Not owner,-1
923 # trailer,68
924
925 label=AUE_GETDENTS
926 skip=Not used.
927 #Not security relevant
928
929 label=AUE_GETKERNSTATE
930 skip=Not used.
931
932 label=AUE_GETMSG
933 case=With a valid file descriptor
934 format=arg1:[path]:attr:arg2
935 comment=1, file descriptor, "fd":
936 comment=4, priority, "pri"
937 case=With an invalid file descriptor
938 format=arg1:arg2
939 comment=1, file descriptor, "fd":
940 comment=4, priority, "pri"
941
942 label=AUE_GETPMSG
943 case=With a valid file descriptor
944 format=arg1:[path]:attr
945 comment=1, file descriptor, "fd"
946 case=With an invalid file descriptor
947 format=arg1
948 comment=1, file descriptor, "fd"
949
950 label=AUE_GETPORTAUDIT
951 skip=Not used.
952
953 label=AUE_GETUSERAUDIT
954 skip=Not used.
955
956 label=AUE_INST_SYNC
957 format=arg1
958 comment=2, flags value, "flags"
959
960 label=AUE_IOCTL
961 case=With an invalid file descriptor
962 format=arg1:arg2:arg3
963 comment=1, file descriptor, "fd":
964 comment=2, command, "cmd":
965 comment=3, arg, "arg"
966 case=With a valid file descriptor
967 format=path:[attr]:arg1:arg2
968 comment=2, ioctl cmd, "cmd":
969 comment=3, ioctl arg, "arg"
970 case=Non-file file descriptor
971 format=arg1:arg2:arg3
972 comment=1, file descriptor, "fd":
973 comment=2, ioctl cmd, "cmd":
974 comment=3, ioctl arg, "arg"
975 case=Bad file name
976 format=arg1:arg2:arg3
977 comment=1, file descriptor, "no path: fd":
978 comment=2, ioctl cmd, "cmd":
979 comment=3, ioctl arg, "arg"
980 # old BSM manual misses a case
981
982 label=AUE_JUNK
983 skip=Not used.
984
985 label=AUE_KILL
986 case=Valid process
987 format=arg1:[proc]
988 comment=2, signo, "signal"
989 case=Zero or negative process
990 format=arg1:arg2
991 comment=2, signo, "signal":
992 comment=1, pid, "process"
993
994 label=AUE_KILLPG
995 skip=Not used.
996
997 label=AUE_LCHOWN
998 format=arg1:arg2:path:[attr]
999 comment=2, uid, "new file uid":
1000 comment=3, gid, "new file gid"
1001
1002 label=AUE_LINK
1003 format=path1:[attr]:path2
1004 comment=from path:
1005 comment=to path
1006
1007 label=AUE_LSEEK
1008 skip=Not used.
1009
1010 label=AUE_LSTAT
1011 format=path:[attr]
1012
1013 label=AUE_LXSTAT
1014 # obsolete
1015 skip=Not used.
1016
1017 label=AUE_MCTL
1018 skip=Not used.
1019
1020 label=AUE_MEMCNTL
1021 format=arg1:arg2:arg3:arg4:arg5:arg6
1022 comment=1, base address, "base":
1023 comment=2, length, "len":
1024 comment=3, command, "cmd":
1025 comment=4, command args, "arg":
1026 comment=5, command attributes, "attr":
1027 comment=6, 0, "mask"
1028
1029 label=AUE_MKDIR
1030 format=arg1:path:[attr]
1031 comment=2, mode, "mode"
1032
1033 label=AUE_MKNOD
1034 format=arg1:arg2:path:[attr]
1035 comment=2, mode, "mode":
1036 comment=3, dev, "dev"
1037
1038 label=AUE_MMAP
1039 case=With a valid file descriptor
1040 format=arg1:arg2:[path]3:[attr]
1041 comment=1, segment address, "addr":
1042 comment=2, segment length, "len":
1043 comment=if no path, then argument: \
1044 1, "nopath: fd", file descriptor
1045 case=With an invalid file descriptor
1046 format=arg1:arg2:arg3
1047 comment=1, segment address, "addr":
1048 comment=2, segment length, "len":
1049 comment=1, file descriptor, "no path: fd"
1050
1051 label=AUE_MODADDMAJ
1052 title=modctl: bind module
1053 syscall=modctl
1054 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1055 comment=driver major number:
1056 comment=driver name:
1057 comment=driver major number or "no drvname":
1058 comment=5, number of aliases, "":
1059 comment=aliases
1060
1061 label=AUE_MODADDPRIV
1062 format=kernel
1063
1064 label=AUE_MODCONFIG
1065 skip=Not used.
1066
1067 label=AUE_MODCTL
1068 skip=Not used. (placeholder)
1069
1070 label=AUE_MODDEVPLCY
1071 syscall=modctl
1072 title=modctl: set device policy
1073 case=If unknown minor name/pattern
1074 format=arg1:arg2:arg3:arg4:arg5
1075 comment=2, "major", major number:
1076 comment=2, "lomin", low minor number, if known:
1077 comment=2, "himin", hi minor number, if known:
1078 comment=privileges required for reading:
1079 comment=privileges required for writing
1080 case=else
1081 format=arg1:text2:arg3:arg4
1082 comment=2, "major", major number:
1083 comment=minor name/pattern:
1084 comment=privileges required for reading:
1085 comment=privileges required for writing
1086
1087 label=AUE_MODLOAD
1088 syscall=modctl
1089 title=modctl: load module
1090 format=[text]1:text2
1091 comment=default path:
1092 comment=filename path
1093
1094 label=AUE_MODUNLOAD
1095 syscall=modctl
1096 title=modctl: unload module
1097 format=arg1
1098 comment=1, module ID, "id"
1099
1100 label=AUE_MOUNT
1101 case=UNIX file system
1102 format=arg1:text2:path:[attr]
1103 comment=3, flags, "flags":
1104 comment=filesystem type
1105 case=NFS file system
1106 format=arg1:text2:text3:arg4:path:[attr]
1107 comment=3, flags, "flags":
1108 comment=filesystem type:
1109 comment=host name:
1110 comment=3, flags, "internal flags"
1111 # unix example:
1112 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1113 # argument,3,0x104,flags
1114 # text,ufs
1115 # path,/var2
1116 # attribute,40755,root,root,32,12160,0
1117 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1118 # attribute,60640,root,sys,32,231268,137438953476
1119 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1120 # return,success,4290707268
1121 # ^^^^^^^^^^ <- bugid 4333559
1122
1123 label=AUE_MSGCTL
1124 format=arg1:[ipc]:[ipc_perm]
1125 comment=1, message ID, "msg ID"
1126 note=ipc_perm
1127 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1128
1129 label=AUE_MSGCTL_RMID
1130 format=arg1:[ipc]:[ipc_perm]
1131 comment=1, message ID, "msg ID"
1132 note=ipc_perm
1133 syscall=msgctl: IPC_RMID
1134 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1135
1136 label=AUE_MSGCTL_SET
1137 format=arg1:[ipc]:[ipc_perm]
1138 comment=1, message ID, "msg ID"
1139 note=ipc_perm
1140 syscall=msgctl: IPC_SET
1141 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1142
1143 label=AUE_MSGCTL_STAT
1144 format=arg1:[ipc]:[ipc_perm]
1145 comment=1, message ID, "msg ID"
1146 note=ipc_perm
1147 syscall=msgctl: IPC_STAT
1148 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1149
1150 label=AUE_MSGGET
1151 format=arg1:ipc
1152 comment=1, message key, "msg key"
1153 note=ipc_perm
1154 syscall=msgget
1155
1156 label=AUE_MSGGETL
1157 skip=Not used.
1158
1159 label=AUE_MSGRCV
1160 format=arg1:[ipc]:[ipc_perm]
1161 comment=1, message ID, "msg ID"
1162 note=ipc_perm
1163 syscall=msgrcv
1164 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1165
1166 label=AUE_MSGRCVL
1167 skip=Not used.
1168
1169 label=AUE_MSGSND
1170 format=arg1:[ipc]:[ipc_perm]
1171 comment=1, message ID, "msg ID"
1172 note=ipc_perm
1173 syscall=msgsnd
1174 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1175
1176 label=AUE_MSGSNDL
1177 skip=Not used.
1178
1179 label=AUE_MSGSYS
1180 skip=Not used. (Placeholder for AUE_MSG* events.)
1181
1182 label=AUE_MUNMAP
1183 format=arg1:arg2
1184 comment=1, address of memory, "addr":
1185 comment=2, memory segment size, "len"
1186
1187 label=AUE_NFS
1188 skip=Not used.
1189
1190 label=AUE_NFSSVC_EXIT
1191 skip=Not used.
1192
1193 label=AUE_NFS_GETFH
1194 skip=Not used.
1195
1196 label=AUE_NFS_SVC
1197 skip=Not used.
1198
1199 label=AUE_NICE
1200 format=kernel
1201
1202 label=AUE_NULL
1203 skip=Not used. (placeholder)
1204 # used internal to audit_event.c for minimal audit
1205
1206 label=AUE_NTP_ADJTIME
1207 format=kernel
1208
1209 label=AUE_ONESIDE
1210 skip=Not used.
1211
1212 label=AUE_OPEN
1213 skip=Not used. (placeholder for AUE_OPEN_*).
1214
1215 label=AUE_OPEN_R
1216 format=path:[path_attr]:[attr]
1217 see=open(2) - read
1218
1219 label=AUE_OPENAT_R
1220 # obsolete
1221 format=path:[path_attr]:[attr]
1222 see=openat(2)
1223
1224 label=AUE_OPEN_RC
1225 format=path:[path_attr]:[attr]
1226 see=open(2) - read,creat
1227
1228 label=AUE_OPENAT_RC
1229 # obsolete
1230 see=openat(2)
1231 format=path:[path_attr]:[attr]
1232
1233 label=AUE_OPEN_RT
1234 format=path:[path_attr]:[attr]
1235 see=open(2) - read,trunc
1236
1237 label=AUE_OPENAT_RT
1238 # obsolete
1239 see=openat(2)
1240 format=path:[path_attr]:[attr]
1241
1242 label=AUE_OPEN_RTC
1243 format=path:[path_attr]:[attr]
1244 see=open(2) - read,trunc,creat
1245
1246 label=AUE_OPENAT_RTC
1247 # obsolete
1248 see=openat(2)
1249 format=path:[path_attr]:[attr]
1250
1251 label=AUE_OPEN_RW
1252 format=path:[path_attr]:[attr]
1253 see=open(2) - read,write
1254
1255 label=AUE_OPENAT_RW
1256 # obsolete
1257 see=openat(2)
1258 format=path:[path_attr]:[attr]
1259 # aui_fsat(): fm & O_RDWR
1260
1261 label=AUE_OPEN_RWC
1262 format=path:[path_attr]:[attr]
1263 see=open(2) - read,write,creat
1264
1265 label=AUE_OPENAT_RWC
1266 # obsolete
1267 see=openat(2)
1268 format=path:[path_attr]:[attr]
1269
1270 label=AUE_OPEN_RWT
1271 format=path:[path_attr]:[attr]
1272 see=open(2) - read,write,trunc
1273
1274 label=AUE_OPENAT_RWT
1275 # obsolete
1276 see=openat(2)
1277 format=path:[path_attr]:[attr]
1278
1279 label=AUE_OPEN_RWTC
1280 format=path:[path_attr]:[attr]
1281 see=open(2) - read,write,trunc,creat
1282
1283 label=AUE_OPENAT_RWTC
1284 # obsolete
1285 see=openat(2)
1286 format=path:[path_attr]:[attr]
1287
1288 label=AUE_OPEN_W
1289 format=path:[path_attr]:[attr]
1290 see=open(2) - write
1291
1292 label=AUE_OPENAT_W
1293 see=openat(2)
1294 format=path:[path_attr]:[attr]
1295
1296 label=AUE_OPEN_WC
1297 format=path:[path_attr]:[attr]
1298 see=open(2) - write,creat
1299
1300 label=AUE_OPENAT_WC
1301 see=openat(2)
1302 format=path:[path_attr]:[attr]
1303
1304 label=AUE_OPEN_WT
1305 format=path:[path_attr]:[attr]
1306 see=open(2) - write,trunc
1307
1308 label=AUE_OPENAT_WT
1309 see=openat(2)
1310 format=path:[path_attr]:[attr]
1311
1312 label=AUE_OPEN_WTC
1313 format=path:[path_attr]:[attr]
1314 see=open(2) - write,trunc,creat
1315
1316 label=AUE_OPENAT_WTC
1317 see=openat(2)
1318 format=path:[path_attr]:[attr]
1319
1320 label=AUE_OPEN_S
1321 format=path:[path_attr]:[attr]
1322 see=open(2) - search
1323
1324 label=AUE_OPEN_E
1325 format=path:[path_attr]:[attr]
1326 see=open(2) - exec
1327
1328 label=AUE_OSETPGRP
1329 skip=Not used.
1330
1331 label=AUE_OSTAT
1332 # obsolete
1333 skip=Not used.
1334
1335 label=AUE_PATHCONF
1336 format=path:[attr]
1337
1338 label=AUE_PIPE
1339 format=kernel
1340 # class is no, not usually printed
1341
1342 label=AUE_PORTFS
1343 skip=Not used (placeholder for AUE_PORTFS_*).
1344
1345 label=AUE_PORTFS
1346 skip=Not used (placeholder for AUE_PORTFS_*).
1347
1348 label=AUE_PORTFS_ASSOCIATE
1349 syscall=portfs
1350 see=port_associate(3C)
1351 case=Port association via PORT_SOURCE_FILE
1352 format=[path]1:attr
1353 comment=name of the file/directory to be watched
1354
1355 label=AUE_PORTFS_DISSOCIATE
1356 syscall=portfs
1357 see=port_dissociate(3C)
1358 case=Port disassociation via PORT_SOURCE_FILE
1359 format=kernel
1360
1361 label=AUE_PRIOCNTLSYS
1362 syscall=priocntl
1363 see=priocntl(2)
1364 format=arg1:arg2
1365 comment=1, priocntl version number, "pc_version":
1366 comment=3, command, "cmd"
1367
1368 label=AUE_PROCESSOR_BIND
1369 case=No LWP/thread bound to the processor
1370 format=arg1:arg2:text3:[proc]
1371 comment=1, type of ID, "ID type":
1372 comment=2, ID value, "ID":
1373 comment="PBIND_NONE"
1374 case=With processor bound
1375 format=arg1:arg2:arg3:[proc]
1376 comment=1, type of ID, "ID type":
1377 comment=2, ID value, "ID":
1378 comment=3, processor ID, "processor_id"
1379
1380 label=AUE_PUTMSG
1381 see=putmsg(2)
1382 format=arg1:[path]:[attr]:arg2
1383 comment=1, file descriptor, "fd":
1384 comment=4, priority, "pri"
1385
1386 label=AUE_PUTPMSG
1387 see=putpmsg(2)
1388 format=arg1:[path]:[attr]:arg2:arg3
1389 comment=1, file descriptor, "fd":
1390 comment=4, priority, "pri":
1391 comment=5, flags, "flags"
1392
1393 label=AUE_P_ONLINE
1394 format=arg1:arg2:text3
1395 comment=1, processor ID, "processor ID":
1396 comment=2, flags value, "flags":
1397 comment=text form of flags. Values: \
1398 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1399
1400 label=AUE_QUOTACTL
1401 skip=Not used.
1402
1403 label=AUE_READ
1404 skip=Not used. (Placeholder for AUE_READ_* events)
1405
1406 label=AUE_READL
1407 skip=Not used. (Obsolete)
1408
1409 label=AUE_READLINK
1410 format=path:[attr]
1411
1412 label=AUE_READV
1413 skip=Not used (obsolete)
1414 # detritus from CMS
1415
1416 label=AUE_READVL
1417 skip=Not used (obsolete)
1418 # detritus from CMS
1419
1420 label=AUE_REBOOT
1421 skip=Not used.
1422
1423 label=AUE_RECV
1424 case=If address family is AF_INET or AF_INET6
1425 format=[arg]1:[inet]
1426 comment=1, file descriptor, "so"
1427 case=If address family is AF_UNIX and path is defined
1428 format=[path]1:[attr]
1429 comment=1, file descriptor, "so"
1430 case=If address family is AF_UNIX and path is NULL
1431 format=[path]1:[attr]
1432 comment=1, file descriptor, "no path: fd"
1433 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1434 format=[arg]1:[arg]2:[arg]3
1435 comment=1, file descriptor, "so":
1436 comment=1, family, "family":
1437 comment=1, type, "type"
1438 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1439
1440 label=AUE_RECVFROM
1441 format=inet:arg1:[arg]2:inet3:arg4
1442 comment=3, message length, "len":
1443 comment=4, flags, "flags":
1444 comment=from address:
1445 comment=6, address length, "tolen"
1446 note=The socket token for a bad socket is reported as "argument
1447 note=token (1, socket descriptor, "fd")"
1448
1449 label=AUE_RECVMSG
1450 case=If invalid file descriptor
1451 format=arg1:arg2
1452 comment=1, file descriptor, "so":
1453 comment=3, flags, "flags"
1454 case=If valid file descriptor and socket is AF_UNIX and no path
1455 format=arg1:[attr]
1456 comment=1, file descriptor, "no path: fd"
1457 case=If valid file descriptor and socket is AF_UNIX and path defined
1458 format=path:attr
1459 case=If valid file descriptor and socket is AF_INET or AF_INET6
1460 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1461 format=arg1:arg2:inet
1462 comment=1, file descriptor, "so":
1463 comment=2, flags, "flags"
1464 case=.. if socket type is unknown
1465 format=arg1:arg2:arg3:arg4
1466 comment=1, file descriptor, "so":
1467 comment=1, family, "family":
1468 comment=1, type, "type":
1469 comment=3, flags, "flags"
1470
1471 label=AUE_RENAME
1472 format=path1:[attr]1:[path]2
1473 comment=from name:
1474 comment=to name
1475
1476 label=AUE_RENAMEAT
1477 # obsolete
1478 format=path1:[attr]1:[path]2
1479 comment=from name:
1480 comment=to name
1481
1482 label=AUE_RFSSYS
1483 skip=Not used.
1484 # apparently replaced
1485
1486 label=AUE_RMDIR
1487 format=path:[attr]
1488
1489 label=AUE_SACL
1490 title=File Access Audit
1491 syscall=none
1492 see=none
1493 format=head:path:arg1:[text]2:subj
1494 comment="access_mask":
1495 comment="Windows SID"
1496
1497 label=AUE_SEMCTL
1498 format=arg1:[ipc]:[ipc_perm]
1499 comment=1, semaphore ID, "sem ID"
1500 note=ipc_perm
1501 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1502
1503 label=AUE_SEMCTL_GETALL
1504 format=arg1:[ipc]:[ipc_perm]
1505 comment=1, semaphore ID, "sem ID"
1506 note=ipc_perm
1507 syscall=semctl: GETALL
1508 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1509
1510 label=AUE_SEMCTL_GETNCNT
1511 format=arg1:[ipc]:[ipc_perm]
1512 comment=1, semaphore ID, "sem ID"
1513 note=ipc_perm
1514 syscall=semctl: GETNCNT
1515 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1516
1517 label=AUE_SEMCTL_GETPID
1518 format=arg1:[ipc]:[ipc_perm]
1519 comment=1, semaphore ID, "sem ID"
1520 note=ipc_perm
1521 syscall=semctl: GETPID
1522 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1523
1524 label=AUE_SEMCTL_GETVAL
1525 format=arg1:[ipc]:[ipc_perm]
1526 comment=1, semaphore ID, "sem ID"
1527 note=ipc_perm
1528 syscall=semctl: GETVAL
1529 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1530
1531 label=AUE_SEMCTL_GETZCNT
1532 format=arg1:[ipc]:[ipc_perm]
1533 comment=1, semaphore ID, "sem ID"
1534 note=ipc_perm
1535 syscall=semctl: GETZCNT
1536 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1537
1538 label=AUE_SEMCTL_RMID
1539 format=arg1:[ipc]:[ipc_perm]
1540 comment=1, semaphore ID, "sem ID"
1541 note=ipc_perm
1542 syscall=semctl: IPC_RMID
1543 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1544
1545 label=AUE_SEMCTL_SET
1546 format=arg1:[ipc]:[ipc_perm]
1547 comment=1, semaphore ID, "sem ID"
1548 note=ipc_perm
1549 syscall=semctl: IPC_SET
1550 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1551
1552 label=AUE_SEMCTL_SETALL
1553 format=arg1:[ipc]:[ipc_perm]
1554 comment=1, semaphore ID, "sem ID"
1555 note=ipc_perm
1556 syscall=semctl: SETALL
1557 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1558
1559 label=AUE_SEMCTL_SETVAL
1560 format=arg1:[ipc]:[ipc_perm]
1561 comment=1, semaphore ID, "sem ID"
1562 note=ipc_perm
1563 syscall=semctl: SETVAL
1564 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1565
1566 label=AUE_SEMCTL_STAT
1567 format=arg1:[ipc]:[ipc_perm]
1568 comment=1, semaphore ID, "sem ID"
1569 note=ipc_perm
1570 syscall=semctl: IPC_STAT
1571 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1572
1573 label=AUE_SEMGET
1574 format=arg1:[ipc_perm]:ipc
1575 comment=1, semaphore key, "sem key"
1576 note=ipc_perm
1577 syscall=semget
1578 # ipc_perm token: semget -> audit_ipcget
1579
1580 label=AUE_SEMGETL
1581 skip=Not used.
1582
1583 label=AUE_SEMOP
1584 format=arg1:[ipc]:[ipc_perm]
1585 comment=1, semaphore ID, "sem ID"
1586 note=ipc_perm
1587 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1588
1589 label=AUE_SEMSYS
1590 skip=Not used. (placeholder) -- defaults to a semget variant
1591
1592 label=AUE_SEND
1593 case=If address family is AF_INET or AF_INET6
1594 format=[arg]1:[inet]
1595 comment=1, file descriptor, "so"
1596 case=If address family is AF_UNIX and path is defined
1597 format=[path]1:[attr]
1598 comment=1, file descriptor, "so"
1599 case=If address family is AF_UNIX and path is NULL
1600 format=[path]1:[attr]
1601 comment=1, file descriptor, "no path: fd"
1602 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1603 format=[arg]1:[arg]2:[arg]3
1604 comment=1, file descriptor, "so":
1605 comment=1, family, "family":
1606 comment=1, type, "type"
1607 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1608
1609 label=AUE_SENDMSG
1610 case=If invalid file descriptor
1611 format=arg1:arg2
1612 comment=1, file descriptor, "so":
1613 comment=3, flags, "flags"
1614 case=If valid file descriptor
1615 case=...and address family is AF_UNIX and path is defined
1616 format=path:attr
1617 case=...and address family is AF_UNIX and path is NULL
1618 format=path1:attr
1619 comment=1, file descriptor, "nopath: fd"
1620 case=...and address family is AF_INET or AF_INET6, \
1621 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1622 format=arg1:arg2:inet
1623 comment=1, file descriptor, "so":
1624 comment=3, flags, "flags"
1625 case=...and unknown address family or address family AF_INET or AF_INET6 \
1626 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1627 format=arg1:arg2:arg3:arg4
1628 comment=1, file descriptor, "so":
1629 comment=1, family, "family":
1630 comment=1, type, "type":
1631 comment=1, flags, "flags"
1632
1633 label=AUE_SENDTO
1634 case=If invalid file descriptor
1635 format=arg1:arg2
1636 comment=1, file descriptor, "so":
1637 comment=3, flags, "flags"
1638 case=If valid file descriptor
1639 case=...and socket is AF_UNIX and path is defined
1640 format=path:attr
1641 case=...and address family is AF_UNIX and path is NULL
1642 format=path1:attr
1643 comment=1, file descriptor, "nopath: fd"
1644 case=...and address family is AF_INET or AF_INET6
1645 format=arg1:arg2:inet
1646 comment=1, file descriptor, "so":
1647 comment=3, flags, "flags"
1648 case=...and unknown address family
1649 format=arg1:arg2:arg3:arg4
1650 comment=1, file descriptor, "so":
1651 comment=1, family, "family":
1652 comment=1, type, "type":
1653 comment=1, flags, "flags"
1654
1655 label=AUE_SETAUDIT
1656 case=With a valid program stack address
1657 format=arg1:arg2:arg3:arg4:arg5:arg6
1658 comment=1, audit user ID, "setaudit:auid":
1659 comment=1, terminal ID, "setaudit:port":
1660 comment=1, terminal ID, "setaudit:machine":
1661 comment=1, preselection mask, "setaudit:as_success":
1662 comment=1, preselection mask, "setaudit:as_failure":
1663 comment=1, audit session ID, "setaudit:asid"
1664 case=With an invalid program stack address
1665 format=kernel
1666 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1667 # argument,1,0x271a,setaudit:auid
1668 # argument,1,0x3ff0201,setaudit:port
1669 # argument,1,0x8192591e,setaudit:machine
1670 # argument,1,0x400,setaudit:as_success
1671 # argument,1,0x400,setaudit:as_failure
1672 # argument,1,0x16f,setaudit:asid
1673 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1674 # return,success,0
1675 # trailer,215
1676 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1677 # argument,1,0x271a,setaudit:auid
1678 # argument,1,0x3ff0201,setaudit:port
1679 # argument,1,0x8192591e,setaudit:machine
1680 # argument,1,0x400,setaudit:as_success
1681 # argument,1,0x400,setaudit:as_failure
1682 # argument,1,0x16f,setaudit:asid
1683 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1684 # return,success,0
1685 # trailer,215
1686
1687 label=AUE_SETAUDIT_ADDR
1688 case=With a valid program stack address
1689 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1690 comment=1, audit user ID, "auid":
1691 comment=1, terminal ID, "port":
1692 comment=1, type, "type":
1693 comment=1, terminal ID, "ip address":
1694 comment=1, preselection mask, "as_success":
1695 comment=1, preselection mask, "as_failure":
1696 comment=1, audit session ID, "asid"
1697 case=With an invalid program stack address
1698 format=kernel
1699 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1700 # argument,1,0x15fa7,auid
1701 # argument,1,0x0,port
1702 # argument,1,0x4,type
1703 # ip address,tmach2
1704 # argument,1,0x9c00,as_success
1705 # argument,1,0x9c00,as_failure
1706 # argument,1,0x1f1,asid
1707 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1708 # return,success,0
1709
1710 label=AUE_SETAUID
1711 format=arg1
1712 comment=2, audit user ID, "setauid"
1713
1714 label=AUE_SETDOMAINNAME
1715 skip=Not used. (See AUE_SYSINFO)
1716 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1717
1718 label=AUE_SETEGID
1719 format=arg1
1720 comment=1, group ID, "gid"
1721
1722 label=AUE_SETEUID
1723 format=arg1
1724 comment=1, user ID, "euid"
1725
1726 label=AUE_SETGID
1727 format=arg1
1728 comment=1, group ID, "gid"
1729
1730 label=AUE_SETGROUPS
1731 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1732 note=no tokens are generated.
1733 case=If no groups in list
1734 format=[arg]1
1735 comment=1, 0, "setgroups"
1736 case=If 1 or more groups in list
1737 format=(1..n)arg1
1738 comment=1, gid, "setgroups"
1739
1740 label=AUE_SETHOSTNAME
1741 skip=Not used. (See AUE_SYSINFO)
1742 # See sysinfo call with command SI_SET_HOSTNAME
1743
1744 label=AUE_SETKERNSTATE
1745 skip=Not used.
1746
1747 label=AUE_SETPGID
1748 format=[proc]:[arg]1
1749 comment=2, pgid, "pgid"
1750
1751 label=AUE_SETPGRP
1752 format=kernel
1753
1754 label=AUE_SETPRIORITY
1755 skip=Not used.
1756
1757 label=AUE_SETPPRIV
1758 case=operation privileges off
1759 format=arg1:privset2
1760 comment=setppriv operation:
1761 comment=privileges actually switched off
1762 case=operation privileges on
1763 format=arg1:privset2
1764 comment=setppriv operation:
1765 comment=privileges actually switched on
1766 case=operation privileges set
1767 format=arg1:privset2:privset3
1768 comment=setppriv operation:
1769 comment=privileges before privset:
1770 comment=privileges after privset
1771 #header,220,2,setppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1772 #argument,2,0x2,op
1773 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1774 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1775 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1776 #return,success,0
1777
1778 label=AUE_SETREGID
1779 format=arg1:arg2
1780 comment=1, real group ID, "rgid":
1781 comment=2, effective group ID, "egid"
1782
1783 label=AUE_SETREUID
1784 format=arg1:arg2
1785 comment=1, real user ID, "ruid":
1786 comment=2, effective user ID, "euid"
1787
1788 label=AUE_SETRLIMIT
1789 format=kernel
1790 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1791 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1792 # return,success,0
1793
1794 label=AUE_SETSID
1795 format=kernel
1796
1797 label=AUE_SETSOCKOPT
1798 case=Invalid file descriptor
1799 format=arg1:arg2
1800 comment=1, file descriptor, "so":
1801 comment=2, level, "level"
1802 case=Valid file descriptor
1803 case=...and socket is AF_UNIX
1804 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1805 comment=if no path, will be argument: 1, "nopath: fd", \
1806 file descriptor:
1807 comment=1, file descriptor, "so":
1808 comment=1, family, "family":
1809 comment=1, type, "type":
1810 comment=2, protocol level, "level":
1811 comment=3, option name, "optname":
1812 comment=5, option length, "optlen":
1813 comment=option data
1814 case=...and socket is AF_INET or AF_INET6
1815 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1816 comment=1, file descriptor, "so":
1817 comment=2, protocol level, "level":
1818 comment=3, option name, "optname":
1819 comment=5, option length, "optlen":
1820 comment=option data
1821 case=...and socket address family is unknown
1822 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1823 comment=1, file descriptor, "so":
1824 comment=1, family, "family":
1825 comment=1, type, "type":
1826 comment=2, protocol level, "level":
1827 comment=3, option name, "optname":
1828 comment=5, option length, "optlen":
1829 comment=option data
1830
1831 label=AUE_SETTIMEOFDAY
1832 skip=Not used.
1833
1834 label=AUE_SETUID
1835 syscall=setuid
1836 format=arg1
1837 comment=1, "uid" to be set
1838
1839 label=AUE_SETUSERAUDIT
1840 skip=Not used.
1841
1842 label=AUE_SHMAT
1843 format=arg1:arg2:[ipc]:[ipc_perm]
1844 comment=1, shared memory ID, "shm ID":
1845 comment=2, shared mem addr, "shm addr"
1846 note=ipc_perm
1847 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1848
1849 label=AUE_SHMCTL
1850 format=arg1:[ipc]:[ipc_perm]
1851 comment=1, shared memory ID, "shm ID"
1852 note=ipc_perm
1853 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1854
1855 label=AUE_SHMCTL_RMID
1856 format=arg1:[ipc]:[ipc_perm]
1857 comment=1, shared memory ID, "shm ID"
1858 note=ipc_perm
1859 syscall=shmctl: IPC_RMID
1860 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1861
1862 label=AUE_SHMCTL_SET
1863 format=arg1:[ipc]:[ipc_perm]
1864 comment=1, shared memory ID, "shm ID"
1865 note=ipc_perm
1866 syscall=shmctl: IPC_SET
1867 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1868
1869 label=AUE_SHMCTL_STAT
1870 format=arg1:[ipc]:[ipc_perm]
1871 comment=1, shared memory ID, "shm ID"
1872 note=ipc_perm
1873 syscall=shmctl: IPC_STAT
1874 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1875
1876 label=AUE_SHMDT
1877 format=arg1
1878 comment=1, shared memory address, "shm adr"
1879
1880 label=AUE_SHMGET
1881 format=arg1:[ipc_perm]:[ipc]
1882 comment=0, shared memory key, "shm key"
1883 note=ipc_perm
1884 # ipc_perm: shmget -> audit_ipcget
1885
1886 label=AUE_SHMGETL
1887 skip=Not used.
1888
1889 label=AUE_SHMSYS
1890 skip=Not used. (Placeholder for shmget and shmctl*)
1891
1892 label=AUE_SHUTDOWN
1893 case=If the socket address is invalid
1894 format=[arg]1:[text]2:[text]3
1895 comment=1, file descriptor, "fd":
1896 comment=bad socket address:
1897 comment=bad peer address
1898 case=If the socket address is part of the AF_INET family
1899 case=..with zero file descriptor
1900 format=arg1:[arg]2:[arg]3:[arg]4
1901 comment=1, file descriptor, "so":
1902 comment=1, family, "family":
1903 comment=1, type, "type":
1904 comment=2, how shutdown code, "how"
1905 case=...with non-zero file descriptor
1906 format=arg1:arg2:inet
1907 comment=1, file descriptor, "so":
1908 comment=2, how shutdown code, "how"
1909 case=If the socket address is AF_UNIX
1910 case=...with zero file descriptor
1911 format=path1:arg2:[arg]3:[arg]4:[arg]5
1912 comment=If error: argument: \
1913 1, "no path: fd", file descriptor:
1914 comment=1, file descriptor, "so":
1915 comment=1, family, "family":
1916 comment=1, type, "type":
1917 comment=2, how shutdown code, "how"
1918 case=...with non-zero file descriptor
1919 format=path1:arg2:arg3:inet
1920 comment=If error: argument: \
1921 1, file descriptor, "no path: fd":
1922 comment=1, file descriptor, "so":
1923 comment=2, how shutdown code, "how"
1924 #old BSM manual wrong; used audit_event.c
1925
1926 label=AUE_SOCKACCEPT
1927 syscall=getmsg: socket accept
1928 format=inet:arg1:[path]:attr:arg2
1929 comment=1, file descriptor, "fd":
1930 comment=4, priority, "pri"
1931 # see putmsg and getmsg for record format
1932 # See audit.c for inet token and audit_start.c for other reference
1933
1934 label=AUE_SOCKCONFIG
1935 format=arg1:arg2:arg3:[path]4
1936 comment=1, domain address, "domain":
1937 comment=2, type, "type":
1938 comment=3, protocol, "protocol":
1939 comment=If no path:argument -- 3, 0, "devpath"
1940
1941 label=AUE_SOCKCONNECT
1942 syscall=putmsg: socket connect
1943 format=inet:arg1:[path]:attr:arg2
1944 comment=1, file descriptor, "fd":
1945 comment=4, priority, "pri"
1946 # same as AUE_SOCKACCEPT
1947
1948 label=AUE_SOCKET
1949 format=arg1:[arg]2:arg3
1950 comment=1, socket domain, "domain":
1951 comment=2, socket type, "type":
1952 comment=3, socket protocol, "protocol"
1953
1954 label=AUE_SOCKETPAIR
1955 skip=Not used.
1956 # unreferenced
1957
1958 label=AUE_SOCKRECEIVE
1959 syscall=getmsg
1960 format=inet:arg1:[path]:attr:arg2
1961 comment=1, file descriptor, "fd":
1962 comment=4, priority, "pri"
1963 # see AUE_SOCKACCEPT
1964
1965 label=AUE_SOCKSEND
1966 syscall=putmsg
1967 format=inet:arg1:[path]:attr:arg2
1968 comment=1, file descriptor, "fd":
1969 comment=4, priority, "pri"
1970 # see AUE_SOCKACCEPT
1971
1972 label=AUE_STAT
1973 format=path:[attr]
1974
1975 label=AUE_STATFS
1976 format=path:[attr]
1977
1978 label=AUE_STATVFS
1979 format=path:[attr]
1980
1981 label=AUE_STIME
1982 format=kernel
1983
1984 label=AUE_SWAPON
1985 skip=Not used.
1986
1987 label=AUE_SYMLINK
1988 format=path:text1:[attr]
1989 comment=symbolic link string
1990
1991 label=AUE_SYSINFO
1992 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1993 note=are currently audited.
1994 format=arg1:[text]2
1995 comment=1, command, "cmd":
1996 comment=name
1997
1998 label=AUE_SYSTEMBOOT
1999 title=system booted
2000 syscall=none
2001 format=head:text1
2002 comment="booting kernel"
2003 # see audit_start.c and audit_io.c
2004 # no subject or return / exit token
2005 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
2006 # text,booting kernel
2007
2008 label=AUE_TRUNCATE
2009 skip=Not used.
2010
2011 label=AUE_UMOUNT
2012 syscall=umount: old version
2013 note=Implemented as call of the newer umount2(2).
2014 format=path:arg1:[path]:[attr]
2015 comment=2, mflag value = 0, "flags"
2016
2017 label=AUE_UMOUNT2
2018 syscall=umount2
2019 format=path:arg1:[path]:[attr]
2020 comment=2, mflag value, "flags"
2021
2022 label=AUE_UNLINK
2023 format=path:[attr]
2024
2025 label=AUE_UNLINKAT
2026 # obsolete
2027 see=unlinkat(2)
2028 format=path:[attr]
2029
2030 label=AUE_UNMOUNT
2031 skip=Not used.
2032
2033 label=AUE_UTIME
2034 # obsolete
2035 format=path:[attr]
2036
2037 label=AUE_UTIMES
2038 see=futimens(2)
2039 format=path:[attr]
2040
2041 label=AUE_VFORK
2042 format=arg1
2043 comment=0, pid, "child PID"
2044 note=The vfork(2) return values are undefined because the audit record is
2045 note=produced at the point that the child process is spawned.
2046
2047 label=AUE_VPIXSYS
2048 skip=Not used.
2049
2050 label=AUE_VTRACE
2051 skip=Not used.
2052
2053 label=AUE_WRITE
2054 format=path1:attr
2055 comment=if no path, argument -- 1, file descriptor, "no path: fd"
2056 note=An audit record is generated for write only once per file close.
2057
2058 label=AUE_WRITEV
2059 skip=Not used. (obsolete)
2060
2061 label=AUE_XMKNOD
2062 # obsolete
2063 skip=Not used.
2064
2065 label=AUE_XSTAT
2066 # obsolete
skip=Not used.
2068
2069 label=AUE_PF_POLICY_ADDRULE
2070 title=Add IPsec policy rule
2071 see=
2072 syscall=none
2073 format=arg1:arg2:[zone]3:[text]4
2074 comment=Operation applied to active policy (1 is active, 0 is inactive):
2075 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2076 comment=affected zone:
2077 comment=Name of target tunnel
2078
2079 label=AUE_PF_POLICY_DELRULE
2080 title=Delete IPsec policy rule
2081 see=
2082 syscall=none
2083 format=arg1:arg2:[zone]3:[text]4
2084 comment=Operation applied to active policy (1 is active, 0 is inactive):
2085 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2086 comment=affected zone:
2087 comment=Name of target tunnel
2088
2089 label=AUE_PF_POLICY_CLONE
2090 title=Clone IPsec policy
2091 see=
2092 syscall=none
2093 format=arg1:arg2:[zone]3:[text]4
2094 comment=Operation applied to active policy (1 is active, 0 is inactive):
2095 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2096 comment=affected zone:
2097 comment=Name of target tunnel
2098
2099 label=AUE_PF_POLICY_FLIP
2100 title=Flip IPsec policy
2101 see=
2102 syscall=none
2103 format=arg1:arg2:[zone]3:[text]4
2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 comment=affected zone:
2107 comment=Name of target tunnel
2108
2109 label=AUE_PF_POLICY_FLUSH
title=Flush IPsec policy rules
2111 see=
2112 syscall=none
2113 format=arg1:arg2:[zone]3:[text]4
2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 comment=affected zone:
2117 comment=Name of target tunnel
2118
2119 label=AUE_PF_POLICY_ALGS
2120 title=Update IPsec algorithms
2121 see=
2122 syscall=none
2123 format=arg1:arg2:[zone]3:[text]4
2124 comment=Operation applied to active policy (1 is active, 0 is inactive):
2125 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2126 comment=affected zone:
2127 comment=Name of target tunnel
2128
2129 label=AUE_allocate_fail
2130 program=/usr/sbin/allocate
2131 title=allocate: allocate-device failure
2132 format=(0..n)[text]1
2133 comment=command line arguments
2134 # see audit_allocate.c
2135
2136 label=AUE_allocate_succ
2137 program=/usr/sbin/allocate
2138 title=allocate: allocate-device success
2139 format=(0..n)[text]1
2140 comment=command line arguments
2141 # see audit_allocate.c
2142
2143 label=AUE_at_create
2144 program=/usr/bin/at
title=at: at-create atjob
2146 format=path
2147
2148 label=AUE_at_delete
2149 program=/usr/bin/at
2150 title=at: at-delete atjob (at or atrm)
2151 format=text1:path
2152 comment="ancillary file:" filename or "bad format of at-job name"
2153
2154 label=AUE_at_perm
2155 skip=Not used.
2156 # not referenced outside uevents.h
2157
2158 label=AUE_create_user
2159 skip=Not used.
2160
2161 label=AUE_cron_invoke
2162 program=/usr/sbin/cron
2163 title=cron: cron-invoke at or cron
case=If the user account lookup fails or the account has expired
2165 format=text1
2166 comment="bad user" name or "user <name> account expired"
2167 case=else
2168 format=text1:text2
2169 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2170 or "unknown job type (<job_type_id>)":
2171 comment=command
2172
2173 label=AUE_crontab_create
2174 program=/usr/bin/crontab
2175 title=crontab: crontab created
2176 format=path
2177 # See audit_crontab.c
2178
2179 label=AUE_crontab_delete
2180 program=/usr/bin/crontab
2181 title=crontab: crontab delete
2182 format=path
2183 # See audit_crontab.c
2184
2185 label=AUE_crontab_mod
2186 program=/usr/bin/crontab
2187 title=crontab: crontab modify
2188 format=path
2189 # See audit_crontab.c
2190
2191 label=AUE_crontab_perm
2192 skip=Not used.
2193
2194 label=AUE_deallocate_fail
2195 program=/usr/sbin/deallocate
2196 title=deallocate-device failure
2197 format=(0..n)[text]1
2198 comment=command line arguments
2199 # See audit_allocate.c
2200
2201 label=AUE_deallocate_succ
2202 program=/usr/sbin/deallocate
2203 title=deallocate-device success
2204 format=(0..n)[text]1
2205 comment=command line arguments
2206 # See audit_allocate.c
2207
2208 label=AUE_delete_user
2209 skip=Not used.
2210
2211 label=AUE_disable_user
2212 skip=Not used.
2213
2214 label=AUE_enable_user
2215 skip=Not used.
2216
2217 label=AUE_ftpd
2218 program=/usr/sbin/in.ftpd
2219 title=in.ftpd
2220 format=[text]1
2221 comment=error message
2222 # See audit_ftpd
2223
2224 label=AUE_ftpd_logout
2225 program=/usr/sbin/in.ftpd
2226 title=in.ftpd
2227 format=user
2228 # See audit_ftpd
2229
2230 label=AUE_halt_solaris
2231 program=/usr/sbin/halt
2232 title=halt
2233 format=user
2234 # See audit_halt.c
2235
2236 label=AUE_kadmind_auth
2237 format=text1:text2:text3
2238 comment=Op: <requested information>:
2239 comment=Arg: <argument for Op>:
2240 comment=Client: <client principal name>
2241 # See audit_kadmin.c / common_audit()
2242
2243 label=AUE_kadmind_unauth
2244 format=text1:text2:text3
2245 comment=Op: <requested information>:
2246 comment=Arg: <argument for Op>:
2247 comment=Client: <client principal name>
2248 # See audit_kadmin.c / common_audit()
2249
2250 label=AUE_krb5kdc_as_req
2251 format=text1:text2
2252 comment=Client: <client principal name>:
2253 comment=Service: <requested service name>
2254 # See audit_krb5kdc.c / common_audit()
2255
2256 label=AUE_krb5kdc_tgs_req
2257 format=text1:text2
2258 comment=Client: <client principal name>:
2259 comment=Service: <requested service name>
2260 # See audit_krb5kdc.c / common_audit()
2261
2262 label=AUE_krb5kdc_tgs_req_alt_tgt
2263 format=text1:text2
2264 comment=Client: <client principal name>:
2265 comment=Service: <requested service name>
2266 # See audit_krb5kdc.c / common_audit()
2267
2268 label=AUE_krb5kdc_tgs_req_2ndtktmm
2269 format=text1:text2
2270 comment=Client: <client principal name>:
2271 comment=Service: <requested service name>
2272 # See audit_krb5kdc.c / common_audit()
2273
2274 label=AUE_listdevice_fail
2275 title=allocate-list devices failure
2276 program=/usr/sbin/allocate
2277 format=(0..n)[text]1
2278 comment=command line arguments
2279 # See audit_allocate.c
2280
2281 label=AUE_listdevice_succ
2282 title=allocate-list devices success
2283 program=/usr/sbin/allocate
2284 format=(0..n)[text]1
2285 comment=command line arguments
2286 # See audit_allocate.c
2287
2288 label=AUE_modify_user
2289 skip=Not used.
2290
2291 label=AUE_mountd_mount
2292 title=mountd: NFS mount
2293 program=/usr/lib/nfs/mountd
2294 see=mountd(1M)
2295 format=text1:path2
2296 comment=remote client hostname:
2297 comment=mount dir
2298 # See audit_mountd.c
2299
2300 label=AUE_mountd_umount
2301 title=mountd: NFS unmount
2302 program=/usr/lib/nfs/mountd
2303 format=text1:path2
2304 comment=remote client hostname:
2305 comment=mount dir
2306 # See audit_mountd.c
2307
2308 label=AUE_poweroff_solaris
2309 program=/usr/sbin/poweroff
2310 title=poweroff
2311 format=user
2312 # See audit_halt.c
2313
2314 label=AUE_reboot_solaris
2315 program=/usr/sbin/reboot
2316 title=reboot
2317 format=user
2318 # See audit_reboot.c
2319 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2320 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2321 # return,success,0
2322
2323 label=AUE_rexd
2324 program=/usr/sbin/rpc.rexd
2325 title=rpc.rexd
2326 format=[text]1:text2:text3:[text]4:[text]5
2327 comment=error message (failure only):
2328 comment="Remote execution requested by:" hostname:
2329 comment="Username:" username:
2330 comment="User id:" user ID (failure only):
2331 comment="Command line:" command attempted
2332 # See audit_rexd.c
2333
2334 label=AUE_rexecd
2335 program=/usr/sbin/rpc.rexecd
2336 title=rpc.rexecd
2337 format=[text]1:text2:text3:text4
2338 comment=error message (failure only):
2339 comment="Remote execution requested by:" hostname:
2340 comment="Username:" username:
2341 comment="Command line:" command attempted
2342 # See audit_rexecd.c
2343
2344 label=AUE_rshd
2345 program=/usr/sbin/in.rshd
2346 title=in.rshd
2347 format=text1:text2:[text]3:[text]4
2348 comment="cmd" command:
2349 comment="remote user" remote user:
2350 comment="local user" local user:
2351 comment=failure message
2352 # See audit_rshd.c
2353
2354 label=AUE_shutdown_solaris
2355 title=shutdown
2356 program=/usr/ucb/shutdown
2357 format=user
2358 # See audit_shutdown.c
2359
2360 label=AUE_smserverd
2361 program=/usr/lib/smedia/rpc.smserverd
2362 format=[text]1:[text]2
2363 comment=state change:
2364 comment=vid, pid, major/minor device
2365 # see usr/src/cmd/smserverd
2366 # code shows a third token, path, but it isn't implemented.
2367
2368 label=AUE_uadmin_solaris
2369 title=uadmin (obsolete)
2370 program=
2371 see=
2372 format=text1:text2
2373 comment=function code:
2374 comment=argument code
2375 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2376
2377 label=AUE_LABELSYS_TNRH
2378 title=config Trusted Network remote host cache
2379 see=tnrh(2)
2380 syscall=labelsys: TSOL_TNRH
2381 case=With the flush command (cmd=3)
2382 format=arg1
2383 comment=1, command, "cmd"
2384 case=With the load (cmd=1) and delete (cmd=2) commands
2385 format=arg1:inaddr2:arg3
2386 comment=1, command, "cmd":
2387 comment=ip address of host:
2388 comment=2, prefix length, "prefix len"
2389
2390 label=AUE_LABELSYS_TNRHTP
2391 title=config Trusted Network remote host template
2392 see=tnrhtp(2)
2393 syscall=labelsys: TSOL_TNRHTP
2394 case=With the flush command (cmd=3)
2395 format=arg1
2396 comment=1, command, "cmd"
2397 case=With the load (cmd=1) and delete (cmd=2) commands
2398 format=arg1:text2
2399 comment=1, command, "cmd":
2400 comment=name of template
2401
2402 label=AUE_LABELSYS_TNMLP
2403 title=config Trusted Network multi-level port entry
2404 see=tnmlp(2)
2405 syscall=labelsys: TSOL_TNMLP
2406 case=With the flush command (cmd=3)
2407 format=arg1:text2
2408 comment=1, command, "cmd":
2409 comment="shared", or name of zone
2410 case=With the load (cmd=1) and delete (cmd=2) commands
2411 format=arg1:text2:arg3:arg4:[arg]5
2412 comment=1, command, "cmd":
2413 comment="shared", or name of zone:
2414 comment=2, protocol number, "proto num":
2415 comment=2, starting mlp port number, "mlp_port":
2416 comment=2, ending mlp port number, "mlp_port_upper"