11037 SMB File access audit logging (reserve IDs)
--- old/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ new/usr/src/cmd/auditrecord/audit_record_attr.txt
1 1 # audit_record_attr.txt
2 2 # Two "#" are comments that are copied to audit_record_attr
3 3 # other comments are removed.
4 4 ##
5 5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 +## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
6 7 ## Copyright 2019 Joyent, Inc.
7 8 ##
8 9 ## CDDL HEADER START
9 10 ##
10 11 ## The contents of this file are subject to the terms of the
11 12 ## Common Development and Distribution License (the "License").
12 13 ## You may not use this file except in compliance with the License.
13 14 ##
14 15 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15 16 ## or http://www.opensolaris.org/os/licensing.
16 17 ## See the License for the specific language governing permissions
17 18 ## and limitations under the License.
18 19 ##
19 20 ## When distributing Covered Code, include this CDDL HEADER in each
20 21 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21 22 ## If applicable, add the following below this CDDL HEADER, with the
22 23 ## fields enclosed by brackets "[]" replaced with your own identifying
23 24 ## information: Portions Copyright [yyyy] [name of copyright owner]
24 25 ##
25 26 ## CDDL HEADER END
26 27 ##
27 28 ##
28 29
29 30 # source file for describing audit records.
30 31
31 32 # This file is in two sections. The first is a list of attribute /
32 33 # value pairs used to provide short cuts in annotating the audit
33 34 # records. The second is for annotation for each audit record.
34 35
35 36 # first section: general attributes
36 37
37 38 # skipClass=<class name of items to skip if only in that class>
38 39 # skipClass=no # uncomment to filter unused events
39 40
40 41 # token name abbreviations
41 42 # token=alias:fullname -- short names for key tokens
42 43
43 44 token=arg:argument
44 45 token=attr:attribute
45 46 token=acl:acl_entry
46 47 token=cmd:command
47 48 token=data:data
48 49 token=exec_args:exec_arguments
49 50 token=exec_env:exec_environment
50 51 token=group:group
51 52 token=inaddr:ip_addr
52 53 token=inet:socket
53 54 token=ipc:ipc
54 55 token=ipc_perm:ipc_perm
55 56 token=newgroup:newgroups
56 57 token=path:path
57 58 token=path_attr:attribute_path
58 59 token=privset:privilege
59 60 token=proc:process
60 61 token=text:text
61 62 token=tid:terminal_adr
62 63 token=uauth:use_of_authorization
63 64 token=upriv:use_of_privilege
64 65 token=user:user_object
65 66 token=zone:zonename
66 67 token=fmri:service_instance
67 68 token=label:mandatory_label
68 69
69 70 token=head:header
70 71 token=subj:subject
71 72 token=ret:return
72 73 token=exit:exit
73 74
74 75 # note names -- certain notes show up repeatedly; collected here
75 76 #
76 77 # To achieve the maximum line length to be less than 80 characters, the
77 78 # note names (message=) can be defined as a multi line, each line except the
78 79 # last one finished with the backslash character.
79 80
80 81 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
81 82 the message ID is not valid.
82 83
83 84
84 85 # basic record pattern ("insert" is where event-specific tokens
85 86 # are listed.)
86 87
87 88 kernel=head:insert:subj:[upriv]:ret
88 89 user=head:subj:insert:ret
89 90
90 91 # Second Section
91 92 # Annotation Section
92 93 #
93 94 # Most audit records need annotation beyond what is provided by
94 95 # the files audit_event and audit_class. At a minimum, a record
95 96 # is represented by a label and a format.
96 97 #
97 98 # label=record_id like AUE_ACCEPT
98 99 # format=token_alias
99 100 #
100 101 # there is no end line; a new label= end the preceding definition
101 102 # and starts the next.
102 103 #
103 104 # format values are a list of token names, separated by colons. The
104 105 # name is either one of the values described above (token=) or is
105 106 # a value to be taken literally. If a token name ends with a digit,
106 107 # the digit is an index into an array of comments. In the few cases
107 108 # where there are no tokens (other than header, subject, return/exit),
108 109 # use "format=kernel" or "format="user".
109 110 #
110 111 # comment is an array of strings separated by colons. If comments
111 112 # are listed on separate lines (recommended due to better
112 113 # readability/sustainability of the file), the preceding comment
113 114 # must end with a colon. The array starts at 1. (If the comment
114 115 # contains a colon, use ":" without the quotes.)
115 116 #
116 117 # case is used to generate alternate descriptions for a given
117 118 # record.
118 119 #
119 120 # Constraints - the string length; bear in mind, that any annotation of
120 121 # primitives below longer than is specified, will be silently truncated
121 122 # to given/defined amount of characters in the auditrecord(1M) runtime:
122 123 #
123 124 # primitive <= max (non-truncated) string length
124 125 # case <= unlimited; if necessary, text continues on a new line
125 126 # comment <= unlimited; if necessary, text continues on a new line
126 127 # label <= 43
127 128 # note <= unlimited; if necessary, text continues on a new line
128 129 # program <= 20
129 130 # see <= 39
130 131 # syscall <= 20
131 132 # title <= 46
132 133 # token <= 28 (full name)
133 134 #
134 135 # To achieve the maximum line length to be less than 80 characters, one can
135 136 # define the unlimited primitives as a multi line, each line except the
136 137 # last one finished with the backslash character. In addition to above
137 138 # mentioned, the "format=" record attribute follows the same rule.
138 139 #
139 140 #
140 141 # AUE_ACCEPT illustrates the use of all the above. Note that
141 142 # case is not nested; ellipsis (...) is used to give the effect
142 143 # of nesting.
143 144
144 145 label=AUE_ACCEPT
145 146 #accept(2) failure
146 147 case=Invalid socket file descriptor
147 148 format=arg1
148 149 comment=1, file descriptor, "so"
149 150 #accept(2) non SOCK_STREAM socket
150 151 case=If the socket address is not part of the AF_INET family
151 152 format=arg1:arg2:arg3
152 153 comment=1, "so", file descriptor:
153 154 comment="family", so_family:
154 155 comment="type", so_type
155 156 case=If the socket address is part of the AF_INET family
156 157 case=...If there is no vnode for this file descriptor
157 158 format=[arg]1
158 159 comment=1, file descriptor, "Bad so"
159 160 #accept(2) SOCK_STREAM socket-not bound
160 161 case=...or if the socket is not bound
161 162 format=[arg]1:[inet]2
162 163 comment=1, file descriptor, "so":
163 164 comment=local/foreign address (0.0.0.0)
164 165 case=...or if the socket address length = 0
165 166 format=[arg]1:[inet]2
166 167 comment=1, file descriptor, "so":
167 168 comment=local/foreign address (0.0.0.0)
168 169 case=...or for all other conditions
169 170 format=inet1:[inet]1
170 171 comment=socket address
171 172 #accept(2) failure
172 173 # header
173 174 # au_to_arg32 "so",file descriptor
174 175 # subject
175 176 # return <errno != 0>
176 177 #
177 178 #accept(2) non SOCK_STREAM socket
178 179 # header
179 180 # au_to_arg32 "so", file descriptor
180 181 # au_to_arg32 "family", so_family
181 182 # au_to_arg32 "type", so_type
182 183 # subject
183 184 # return success
184 185 #
185 186 #accept(2) SOCK_STREAM socket-not bound
186 187 # header
187 188 # au_to_arg32 "so", file descriptor
188 189 # au_to_socket_ex local/foreign address (0.0.0.0)
189 190 # subject
190 191 # return success
191 192 #
192 193 #accept(2) SOCK_STREAM socket-bound
193 194 # header
194 195 # au_to_arg32 "so", file descriptor
195 196 # au_to_socket_ex
196 197 # subject
197 198 # return success
198 199
199 200
200 201
201 202 label=AUE_ACCESS
202 203 format=path1:[attr]
203 204 comment=may be truncated in failure case
204 205 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
205 206 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
206 207 # attribute,100777,41416,staff,8388608,402255,0
207 208 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
208 209 # return,success,0
209 210 # trailer,163
210 211 #
211 212 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
212 213 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
213 214 # attribute,100000,root,other,8388608,402257,0
214 215 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
215 216 # return,failure: Permission denied,-1
216 217 # trailer,163
217 218 #
218 219 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
219 220 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
220 221 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
221 222 # return,failure: No such file or directory,-1
222 223 # trailer,135
223 224
224 225 label=AUE_ACCT
225 226 case=Zero path
226 227 format=arg1
227 228 comment=1, 0, "accounting off"
228 229 case=Non-zero path
229 230 format=path1:[attr]2
230 231 comment=may be truncated in failure case:
231 232 comment=omitted if failure
232 233
233 234 label=AUE_ACLSET
234 235 syscall=acl
235 236 format=arg1:arg2:(0..n)[acl]3
236 237 comment=2, SETACL, "cmd":
237 238 comment=3, number of ACL entries, "nentries":
238 239 comment=Access Control List entries
239 240
240 241 label=AUE_ADJTIME
241 242 format=kernel
242 243
243 244 label=AUE_ASYNC_DAEMON
244 245 skip=Not used
245 246
246 247 label=AUE_ASYNC_DAEMON_EXIT
247 248 skip=Not used
248 249
249 250 label=AUE_AUDIT
250 251 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
251 252
252 253 label=AUE_AUDITON
253 254 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
254 255
255 256 label=AUE_AUDITON_GESTATE
256 257 skip=Not used
257 258
258 259 label=AUE_AUDITON_GETAMASK
259 260 format=kernel
260 261 syscall=auditon: GETAMASK
261 262
262 263 label=AUE_AUDITON_GETCAR
263 264 format=kernel
264 265 syscall=auditon: GETCAR
265 266 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
266 267 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
267 268 # return,success,0
268 269 # trailer,68
269 270
270 271 label=AUE_AUDITON_GETCLASS
271 272 format=kernel
272 273 syscall=auditon: GETCLASS
273 274 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
274 275 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
275 276 # return,success,0
276 277 # trailer,68
277 278
278 279 label=AUE_AUDITON_GETCOND
279 280 format=kernel
280 281 syscall=auditon: GETCOND
281 282 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
282 283 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
283 284 # return,success,0
284 285 # trailer,68
285 286
286 287 label=AUE_AUDITON_GETCWD
287 288 format=kernel
288 289 syscall=auditon: GETCWD
289 290 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
290 291 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
291 292 # return,success,0
292 293 # trailer,68
293 294
294 295 label=AUE_AUDITON_GETKMASK
295 296 format=kernel
296 297 syscall=auditon: GETKMASK
297 298 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
298 299 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
299 300 # return,success,0
300 301 # trailer,68
301 302
302 303 label=AUE_AUDITON_GETSTAT
303 304 format=kernel
304 305 syscall=auditon: A_GETSTAT
305 306 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
306 307 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
307 308 # return,success,0
308 309 # trailer,68
309 310
310 311 label=AUE_AUDITON_GPOLICY
311 312 format=kernel
312 313 syscall=auditon: GPOLICY
313 314 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
314 315 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
315 316 # return,success,0
316 317 # trailer,68
317 318
318 319 label=AUE_AUDITON_GQCTRL
319 320 format=kernel
320 321 syscall=auditon: GQCTRL
321 322 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
322 323 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
323 324 # return,success,0
324 325 # trailer,68
325 326
326 327
327 328 label=AUE_AUDITON_GTERMID
328 329 skip=Not used.
329 330
330 331 label=AUE_AUDITON_SESTATE
331 332 skip=Not used.
332 333
333 334 label=AUE_AUDITON_SETAMASK
334 335 format=[arg]1:[arg]2
335 336 comment=2, "setamask as_success", user default audit preselection mask:
336 337 comment=2, "setamask as_failure", user default audit preselection mask
337 338 syscall=auditon: SETAMASK
338 339
339 340 label=AUE_AUDITON_SETCLASS
340 341 format=[arg]1:[arg]2
341 342 comment=2, "setclass:ec_event", event number:
342 343 comment=3, "setclass:ec_class", class mask
343 344 syscall=auditon: SETCLASS
344 345 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
345 346 # argument,2,0x0,setclass:ec_event
346 347 # argument,3,0x0,setclass:ec_class
347 348 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
348 349 # return,success,0
349 350 # trailer,120
350 351
351 352 label=AUE_AUDITON_SETCOND
352 353 format=[arg]1
353 354 comment=3, "setcond", audit state
354 355 syscall=auditon: SETCOND
355 356
356 357 label=AUE_AUDITON_SETKMASK
357 358 format=[arg]1:[arg]2
358 359 comment=2, "setkmask as_success", kernel non-attributable mask:
359 360 comment=2, "setkmask as_failure", kernel non-attributable mask
360 361 syscall=auditon: SETKMASK
361 362 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
362 363 # argument,2,0x0,setkmask:as_success
363 364 # argument,2,0x0,setkmask:as_failure
364 365 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
365 366 # return,success,0
366 367 # trailer,124
367 368 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
368 369 # argument,2,0x0,setkmask:as_success
369 370 # argument,2,0x0,setkmask:as_failure
370 371 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
371 372 # return,failure: Not owner,-1
372 373 # trailer,124
373 374
374 375 label=AUE_AUDITON_SETSMASK
375 376 format=[arg]1:[arg]2
376 377 comment=3, "setsmask:as_success", session ID mask:
377 378 comment=3, "setsmask:as_failure", session ID mask
378 379 syscall=auditon: SETSMASK
379 380 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
380 381 # argument,3,0x400,setsmask:as_success
381 382 # argument,3,0x400,setsmask:as_failure
382 383 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
383 384 # return,success,0
384 385 # trailer,124
385 386 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
386 387 # argument,3,0x400,setsmask:as_success
387 388 # argument,3,0x400,setsmask:as_failure
388 389 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
389 390 # return,failure: Not owner,-1
390 391 # trailer,124
391 392
392 393 label=AUE_AUDITON_SETSTAT
393 394 format=kernel
394 395 syscall=auditon: SETSTAT
395 396 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
396 397 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
397 398 # return,success,0
398 399 # trailer,68
399 400 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
400 401 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
401 402 # return,failure: Not owner,-1
402 403 # trailer,68
403 404
404 405 label=AUE_AUDITON_SETUMASK
405 406 format=[arg]1:[arg]2
406 407 comment=3, "setumask:as_success", audit ID mask:
407 408 comment=3, "setumask:as_failure", audit ID mask
408 409 syscall=auditon: SETUMASK
409 410 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
410 411 # argument,3,0x400,setumask:as_success
411 412 # argument,3,0x400,setumask:as_failure
412 413 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
413 414 # return,success,0
414 415 # trailer,124
415 416 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
416 417 # argument,3,0x400,setumask:as_success
417 418 # argument,3,0x400,setumask:as_failure
418 419 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
419 420 # return,failure: Not owner,-1
420 421 # trailer,124
421 422
422 423 label=AUE_AUDITON_SPOLICY
423 424 format=[arg]1
424 425 comment=1, audit policy flags, "setpolicy"
425 426 syscall=auditon: SPOLICY
426 427 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
427 428 # argument,3,0x200,setpolicy
428 429 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
429 430 # return,success,0
430 431 # trailer,86
431 432 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
432 433 # argument,3,0x200,setpolicy
433 434 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
434 435 # return,failure: Not owner,-1
435 436 # trailer,86
436 437
437 438 label=AUE_AUDITON_SQCTRL
438 439 format=[arg]1:[arg]2:[arg]3:[arg]4
439 440 comment=3, "setqctrl:aq_hiwater", queue control param.:
440 441 comment=3, "setqctrl:aq_lowater", queue control param.:
441 442 comment=3, "setqctrl:aq_bufsz", queue control param.:
442 443 comment=3, "setqctrl:aq_delay", queue control param.
443 444 syscall=auditon: SQCTRL
444 445 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
445 446 # argument,3,0x64,setqctrl:aq_hiwater
446 447 # argument,3,0xa,setqctrl:aq_lowater
447 448 # argument,3,0x400,setqctrl:aq_bufsz
448 449 # argument,3,0x14,setqctrl:aq_delay
449 450 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
450 451 # return,success,0
451 452 # trailer,176
452 453 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
453 454 # argument,3,0x64,setqctrl:aq_hiwater
454 455 # argument,3,0xa,setqctrl:aq_lowater
455 456 # argument,3,0x400,setqctrl:aq_bufsz
456 457 # argument,3,0x14,setqctrl:aq_delay
457 458 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
458 459 # return,failure: Not owner,-1
459 460 # trailer,176
460 461
461 462 label=AUE_AUDITON_STERMID
462 463 skip=Not used.
463 464
464 465 label=AUE_AUDITSTAT
465 466 skip=Not used.
466 467
467 468 label=AUE_AUDITSVC
468 469 skip=Not used.
469 470
470 471 label=AUE_AUDITSYS
471 472 skip=Not used. (Place holder for various auditing events.)
472 473
473 474 label=AUE_BIND
474 475 # differs from documented version.
475 476 # cases "no vnode" not fully confirmed
476 477 # family and type need argument number
477 478 case=Invalid socket handle
478 479 format=arg1
479 480 comment=1, file descriptor, "so"
480 481 case=If there is no vnode for this file descriptor
481 482 case=or if the socket is not of the AF_INET family
482 483 format=arg1:arg2:arg3
483 484 comment=1, file descriptor, "so":
484 485 comment=1, socket family, "family":
485 486 comment=1, socket type, "type"
486 487 case=or for all other conditions
487 488 format=arg1:inet2
488 489 comment=1, file descriptor, "so":
489 490 comment=socket address
490 491
491 492 label=AUE_BRANDSYS
492 493 # generic mechanism to allow user-space and kernel components of a brand
493 494 # to communicate. The interpretation of the arguments to the call is
494 495 # left entirely up to the brand.
495 496 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
496 497 comment=1, command, "cmd":
497 498 comment=2, command args, "arg":
498 499 comment=3, command args, "arg":
499 500 comment=4, command args, "arg":
500 501 comment=5, command args, "arg":
501 502 comment=6, command args, "arg":
502 503 comment=7, command args, "arg"
503 504
504 505 label=AUE_BSMSYS
505 506 skip=Not used.
506 507
507 508 label=AUE_CHDIR
508 509 format=path:[attr]
509 510 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
510 511 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
511 512 # attribute,40777,root,other,8388608,231558,0
512 513 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
513 514 # return,success,0
514 515 # trailer,151
515 516 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
516 517 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
517 518 # attribute,40000,root,other,8388608,237646,0
518 519 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
519 520 # return,failure: Permission denied,-1
520 521 # trailer,151
521 522
522 523 label=AUE_CHMOD
523 524 format=arg1:path:[attr]
524 525 comment=2, mode, "new file mode"
525 526 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
526 527 # argument,2,0x1f8,new file mode
527 528 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
528 529 # attribute,100770,tuser10,other,8388608,243608,0
529 530 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
530 531 # return,success,0
531 532 # trailer,173
532 533 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
533 534 # argument,2,0x1f8,new file mode
534 535 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
535 536 # attribute,100600,root,other,8388608,243609,0
536 537 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
537 538 # return,failure: Not owner,-1
538 539 # trailer,173
539 540
540 541 label=AUE_CHOWN
541 542 format=arg1:arg2
542 543 comment=2, uid, "new file uid":
543 544 comment=3, gid, "new file gid"
544 545 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
545 546 # argument,2,0x271a,new file uid
546 547 # argument,3,0xffffffff,new file gid
547 548 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
548 549 # attribute,100644,tuser10,other,8388608,268406,0
549 550 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
550 551 # return,success,0
551 552 # trailer,193
552 553 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
553 554 # argument,2,0x271a,new file uid
554 555 # argument,3,0xffffffff,new file gid
555 556 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
556 557 # attribute,100644,root,other,8388608,268407,0
557 558 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
558 559 # return,failure: Not owner,-1
559 560 # trailer,193
560 561
561 562 label=AUE_CHROOT
562 563 format=path:[attr]
563 564 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
564 565 # path,/
565 566 # attribute,40755,root,root,8388608,2,0
566 567 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
567 568 # return,success,0
568 569 # trailer,104
569 570 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
570 571 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
571 572 # attribute,40777,tuser10,other,8388608,335110,0
572 573 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
573 574 # return,failure: Not owner,-1
574 575 # trailer,152
575 576
576 577 label=AUE_CLOCK_SETTIME
577 578 format=kernel
578 579
579 580 label=AUE_CLOSE
580 581 format=arg1:[path]:[attr]
581 582 comment=1, file descriptor, "fd"
582 583
583 584 label=AUE_CONFIGKSSL
584 585 case=Adding KSSL entry.
585 586 format=text1:inaddr2:text3:text4
586 587 comment=opcode, KSSL_ADD_ENTRY:
587 588 comment=local IP address:
588 589 comment=SSL port number:
589 590 comment=proxy port number
590 591 case=Deleting KSSL entry.
591 592 format=text1:inaddr2:text3
592 593 comment=opcode, KSSL_DELETE_ENTRY:
593 594 comment=local IP address:
594 595 comment=SSL port number
595 596
596 597 label=AUE_CONNECT
597 598 # cases "no vnode" not fully confirmed
598 599 case=If there is no vnode for this file descriptor
599 600 case=If the socket address is not part of the AF_INET family
600 601 format=arg1:arg2:arg3
601 602 comment=1, file descriptor, "so":
602 603 comment=1, socket family, "family":
603 604 comment=1, socket type, "type"
604 605 case=If the socket address is part of the AF_INET family
605 606 format=arg1:inet2
606 607 comment=1, file descriptor, "so":
607 608 comment=socket address
608 609
609 610 label=AUE_CORE
610 611 syscall=none
611 612 title=process dumped core
612 613 see=none
613 614 format=path:[attr]:arg1
614 615 comment=1, signal, "signal"
615 616 # see uts/common/c2/audit.c
616 617
617 618 label=AUE_CREAT
618 619 # obsolete - see open(2)
619 620 format=path:[attr]
620 621 # does not match old BSM manual
621 622 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
622 623 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
623 624 # attribute,100644,tuser10,other,8388608,49679,0
624 625 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
625 626 # return,success,8
626 627 # trailer,151
627 628 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
628 629 # path,/devices/pseudo/mm@0:null
629 630 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
630 631 # return,success,8
631 632 # trailer,107
632 633 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
633 634 # path,/obj_fail
634 635 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
635 636 # return,failure: Permission denied,-1
636 637 # trailer,83
637 638
638 639 label=AUE_CRYPTOADM
639 640 title=kernel cryptographic framework
640 641 format=text1:(0..n)[text]2
641 642 comment=cryptoadm command/operation:
642 643 comment=mechanism list
643 644
644 645 label=AUE_DOORFS
645 646 skip=Not used. (Place holder for set of door audit events.)
646 647
647 648 label=AUE_DOORFS_DOOR_BIND
648 649 skip=Not used.
649 650 syscall=doorfs: DOOR_BIND
650 651
651 652 label=AUE_DOORFS_DOOR_CALL
652 653 format=arg1:proc2
653 654 comment=1, door ID, "door ID":
654 655 comment=for process that owns the door
655 656 syscall=doorfs: DOOR_CALL
656 657
657 658 label=AUE_DOORFS_DOOR_CREATE
658 659 format=arg1
659 660 comment=1, door attributes, "door attr"
660 661 syscall=doorfs: DOOR_CREATE
661 662
662 663 label=AUE_DOORFS_DOOR_CRED
663 664 skip=Not used.
664 665 syscall=doorfs: DOOR_CRED
665 666
666 667 label=AUE_DOORFS_DOOR_INFO
667 668 skip=Not used.
668 669 syscall=doorfs: DOOR_INFO
669 670
670 671 label=AUE_DOORFS_DOOR_RETURN
671 672 format=kernel
672 673 syscall=doorfs: DOOR_RETURN
673 674
674 675 label=AUE_DOORFS_DOOR_REVOKE
675 676 format=arg1
676 677 comment=1, door ID, "door ID"
677 678 syscall=doorfs: DOOR_REVOKE
678 679
679 680 label=AUE_DOORFS_DOOR_UNBIND
680 681 skip=Not used.
681 682 syscall=doorfs: DOOR_UNBIND
682 683
683 684 label=AUE_DUP2
684 685 skip=Not used.
685 686
686 687 label=AUE_ENTERPROM
687 688 title=enter prom
688 689 syscall=none
689 690 format=head:text1:ret
690 691 comment="kmdb"
691 692 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
692 693 # text,kmdb
693 694 # return,success,0
694 695
695 696 label=AUE_EXEC
696 697 # obsolete - see execve(2)
697 698 format=path:[attr]1:[exec_args]2:[exec_env]3
698 699 comment=omitted on error:
699 700 comment=output if argv policy is set:
700 701 comment=output if arge policy is set
701 702
702 703 label=AUE_EXECVE
703 704 format=path:[attr]1:[exec_args]2:[exec_env]3
704 705 comment=omitted on error:
705 706 comment=output if argv policy is set:
706 707 comment=output if arge policy is set
707 708 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
708 709 # path,/devices/pseudo/mm@0:null
709 710 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
710 711 # return,success,8
711 712 # trailer,107
712 713 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
713 714 # path,/usr/bin/pig
714 715 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
715 716 # return,failure: No such file or directory,-1
716 717 # trailer,86
717 718
718 719 label=AUE_PFEXEC
719 720 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
720 721 comment=pathname of the executable:
721 722 comment=pathname of working directory:
722 723 comment=privileges if the limit or inheritable set are changed:
723 724 comment=process if ruid, euid, rgid or egid is changed:
724 725 comment=output if arge policy is set
725 726
726 727 label=AUE_sudo
727 728 format=exec_args1:[text]2
728 729 comment=command args:
729 730 comment=error message (failure only)
730 731
731 732 label=AUE_EXIT
732 733 format=arg1:[text]2
733 734 comment=1, exit status, "exit status":
734 735 comment=event aborted
735 736
736 737 label=AUE_EXITPROM
737 738 title=exit prom
738 739 syscall=none
739 740 format=head:text1:ret
740 741 comment="kmdb"
741 742 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
742 743 # text,kmdb
743 744 # return,success,0
744 745
745 746 label=AUE_EXPORTFS
746 747 skip=Not used.
747 748
748 749 label=AUE_FACCESSAT
749 750 # obsolete
750 751 see=access(2)
751 752 format=path:[attr]
752 753
753 754 label=AUE_FACLSET
754 755 syscall=facl
755 756 case=Invalid file descriptor
756 757 format=arg1:arg2
757 758 comment=2, SETACL, "cmd":
758 759 comment=3, number of ACL entries, "nentries"
759 760 case=Zero path
760 761 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
761 762 comment=2, SETACL, "cmd":
762 763 comment=3, number of ACL entries, "nentries":
763 764 comment=1, file descriptor, "no path: fd":
764 765 comment=ACLs
765 766 case=Non-zero path
766 767 format=arg1:arg2:path:[attr]:(0..n)[acl]3
767 768 comment=2, SETACL, "cmd":
768 769 comment=3, number of ACL entries, "nentries":
769 770 comment=ACLs
770 771
771 772 label=AUE_FCHDIR
772 773 format=[path]:[attr]
773 774 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
774 775 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
775 776 # attribute,40777,tuser10,other,8388608,207662,0
776 777 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
777 778 # return,success,0
778 779 # trailer,150
779 780 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
780 781 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
781 782 # return,failure: Permission denied,-1
782 783 # trailer,68
783 784
784 785 label=AUE_FCHMOD
785 786 case=With a valid file descriptor and path
786 787 format=arg1:path:[attr]
787 788 comment=2, mode, "new file mode"
788 789 case=With a valid file descriptor and invalid path
789 790 format=arg1:[arg]2:[attr]
790 791 comment=2, mode, "new file mode":
791 792 comment=1, file descriptor, "no path: fd"
792 793 case=With an invalid file descriptor
793 794 format=arg1
794 795 comment=2, mode, "new file mode"
795 796 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
796 797 # argument,2,0x1a4,new file mode
797 798 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
798 799 # attribute,100644,tuser10,other,7602240,26092,0
799 800 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
800 801 # return,success,0
801 802 # trailer,168
802 803 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
803 804 # argument,2,0x1a4,new file mode
804 805 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
805 806 # return,failure: Bad file number,-1
806 807 # trailer,90
807 808 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
808 809 # argument,2,0x1a4,new file mode
809 810 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
810 811 # attribute,100644,root,other,7602240,26093,0
811 812 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
812 813 # return,failure: Not owner,-1
813 814 # trailer,168
814 815
815 816 label=AUE_FCHOWN
816 817 case=With a valid file descriptor
817 818 format=arg1:arg2:[path]:[attr]
818 819 comment=2, uid, "new file uid":
819 820 comment=3, gid, "new file gid"
820 821 case=With an invalid file descriptor
821 822 format=arg1:arg2:[arg]3:[attr]
822 823 comment=2, uid, "new file uid":
823 824 comment=3, gid, "new file gid":
824 825 comment=1, file descriptor, "no path fd"
825 826
826 827 label=AUE_FCHOWNAT
827 828 # obsolete
828 829 see=openat(2)
829 830 case=With a valid absolute/relative file path
830 831 format=path:[attr]
831 832 case=With an file path eq. NULL and valid file descriptor
832 833 format=kernel
833 834
834 835 label=AUE_FCHROOT
835 836 format=[path]:[attr]
836 837 # fchroot -> chdirec -> audit_chdirec
837 838
838 839 label=AUE_FCNTL
839 840 case=With a valid file descriptor
840 841 format=arg1:[arg]2:path:attr
841 842 comment=2, command, "cmd":
842 843 comment=3, flags, "flags"
843 844 case=With an invalid file descriptor
844 845 format=arg1:[arg]2:arg3
845 846 comment=2, command, "cmd":
846 847 comment=3, flags, "flags":
847 848 comment=1, file descriptor, "no path fd"
848 849 note=Flags are included only when cmd is F_SETFL.
849 850
850 851 label=AUE_FLOCK
851 852 skip=Not used.
852 853
853 854 label=AUE_FORKALL
854 855 format=[arg]1
855 856 comment=0, pid, "child PID"
856 857 note=The forkall(2) return values are undefined because the audit record
857 858 note=is produced at the point that the child process is spawned.
858 859 # see audit.c
859 860
860 861 label=AUE_FORK1
861 862 format=[arg]1
862 863 comment=0, pid, "child PID"
863 864 note=The fork1(2) return values are undefined because the audit record
864 865 note=is produced at the point that the child process is spawned.
865 866 # see audit.c
866 867
867 868 label=AUE_FSAT
868 869 # obsolete
869 870 skip=Not used. (Placeholder for AUE_*AT records)
870 871
871 872 label=AUE_FSTAT
872 873 skip=Not used.
873 874
874 875 label=AUE_FSTATAT
875 876 # obsolete
876 877 format=path:[attr]
877 878
878 879 label=AUE_FSTATFS
879 880 case=With a valid file descriptor
880 881 format=[path]:[attr]
881 882 case=With an invalid file descriptor
882 883 format=arg1
883 884 comment=1, file descriptor, "no path fd"
884 885
885 886 label=AUE_FTRUNCATE
886 887 skip=Not used.
887 888
888 889 label=AUE_FUSERS
889 890 syscall=utssys: UTS_FUSERS
890 891 format=path:attr
891 892
892 893 label=AUE_FUTIMESAT
893 894 # obsolete
894 895 format=[path]:[attr]
895 896
896 897 label=AUE_GETAUDIT
897 898 format=kernel
898 899 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
899 900 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
900 901 # return,success,0
901 902 # trailer,68
902 903 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
903 904 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
904 905 # return,success,0
905 906 # trailer,68
906 907
907 908 label=AUE_GETAUDIT_ADDR
908 909 format=kernel
909 910 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
910 911 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
911 912 # return,success,0
912 913
913 914 label=AUE_GETAUID
914 915 format=kernel
915 916 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
916 917 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
917 918 # return,success,0
918 919 # trailer,68
919 920 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
920 921 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
921 922 # return,failure: Not owner,-1
922 923 # trailer,68
923 924
924 925 label=AUE_GETDENTS
925 926 skip=Not used.
926 927 #Not security relevant
927 928
928 929 label=AUE_GETKERNSTATE
929 930 skip=Not used.
930 931
931 932 label=AUE_GETMSG
932 933 case=With a valid file descriptor
933 934 format=arg1:[path]:attr:arg2
934 935 comment=1, file descriptor, "fd":
935 936 comment=4, priority, "pri"
936 937 case=With an invalid file descriptor
937 938 format=arg1:arg2
938 939 comment=1, file descriptor, "fd":
939 940 comment=4, priority, "pri"
940 941
941 942 label=AUE_GETPMSG
942 943 case=With a valid file descriptor
943 944 format=arg1:[path]:attr
944 945 comment=1, file descriptor, "fd"
945 946 case=With an invalid file descriptor
946 947 format=arg1
947 948 comment=1, file descriptor, "fd"
948 949
949 950 label=AUE_GETPORTAUDIT
950 951 format=Not used.
951 952
952 953 label=AUE_GETUSERAUDIT
953 954 skip=Not used.
954 955
955 956 label=AUE_INST_SYNC
956 957 format=arg1
957 958 comment=2, flags value, "flags"
958 959
959 960 label=AUE_IOCTL
960 961 case=With an invalid file descriptor
961 962 format=arg1:arg2:arg3
962 963 comment=1, file descriptor, "fd":
963 964 comment=2, command, "cmd":
964 965 comment=3, arg, "arg"
965 966 case=With a valid file descriptor
966 967 format=path:[attr]:arg1:arg2
967 968 comment=2, ioctl cmd, "cmd":
968 969 comment=3, ioctl arg, "arg"
969 970 case=Non-file file descriptor
970 971 format=arg1:arg2:arg3
971 972 comment=1, file descriptor, "fd":
972 973 comment=2, ioctl cmd, "cmd":
973 974 comment=3, ioctl arg, "arg"
974 975 case=Bad file name
975 976 format=arg1:arg2:arg3
976 977 comment=1, file descriptor, "no path: fd":
977 978 comment=2, ioctl cmd, "cmd":
978 979 comment=3, ioctl arg, "arg"
979 980 # old BSM manual misses a case
980 981
981 982 label=AUE_JUNK
982 983 skip=Not used.
983 984
984 985 label=AUE_KILL
985 986 case=Valid process
986 987 format=arg1:[proc]
987 988 comment=2, signo, "signal"
988 989 case=Zero or negative process
989 990 format=arg1:arg2
990 991 comment=2, signo, "signal":
991 992 comment=1, pid, "process"
992 993
993 994 label=AUE_KILLPG
994 995 skip=Not used.
995 996
996 997 label=AUE_LCHOWN
997 998 format=arg1:arg2:path:[attr]
998 999 comment=2, uid, "new file uid":
999 1000 comment=3, gid, "new file gid"
1000 1001
1001 1002 label=AUE_LINK
1002 1003 format=path1:[attr]:path2
1003 1004 comment=from path:
1004 1005 comment=to path
1005 1006
1006 1007 label=AUE_LSEEK
1007 1008 skip=Not used.
1008 1009
1009 1010 label=AUE_LSTAT
1010 1011 format=path:[attr]
1011 1012
1012 1013 label=AUE_LXSTAT
1013 1014 # obsolete
1014 1015 skip=Not used.
1015 1016
1016 1017 label=AUE_MCTL
1017 1018 skip=Not used.
1018 1019
1019 1020 label=AUE_MEMCNTL
1020 1021 format=arg1:arg2:arg3:arg4:arg5:arg6
1021 1022 comment=1, base address, "base":
1022 1023 comment=2, length, "len":
1023 1024 comment=3, command, "cmd":
1024 1025 comment=4, command args, "arg":
1025 1026 comment=5, command attributes, "attr":
1026 1027 comment=6, 0, "mask"
1027 1028
1028 1029 label=AUE_MKDIR
1029 1030 format=arg1:path:[attr]
1030 1031 comment=2, mode, "mode"
1031 1032
1032 1033 label=AUE_MKNOD
1033 1034 format=arg1:arg2:path:[attr]
1034 1035 comment=2, mode, "mode":
1035 1036 comment=3, dev, "dev"
1036 1037
1037 1038 label=AUE_MMAP
1038 1039 case=With a valid file descriptor
1039 1040 format=arg1:arg2:[path]3:[attr]
1040 1041 comment=1, segment address, "addr":
1041 1042 comment=2, segment address, "len":
1042 1043 comment=if no path, then argument: \
1043 1044 1, "nopath: fd", file descriptor
1044 1045 case=With an invalid file descriptor
1045 1046 format=arg1:arg2:arg3
1046 1047 comment=1, segment address, "addr":
1047 1048 comment=2, segment address, "len":
1048 1049 comment=1, file descriptor, "no path: fd"
1049 1050
1050 1051 label=AUE_MODADDMAJ
1051 1052 title=modctl: bind module
1052 1053 syscall=modctl
1053 1054 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1054 1055 comment=driver major number:
1055 1056 comment=driver name:
1056 1057 comment=driver major number or "no drvname":
1057 1058 comment=5, number of aliases, "":
1058 1059 comment=aliases
1059 1060
1060 1061 label=AUE_MODADDPRIV
1061 1062 format=kernel
1062 1063
1063 1064 label=AUE_MODCONFIG
1064 1065 skip=Not used.
1065 1066
1066 1067 label=AUE_MODCTL
1067 1068 skip=Not used. (placeholder)
1068 1069
1069 1070 label=AUE_MODDEVPLCY
1070 1071 syscall=modctl
1071 1072 title=modctl: set device policy
1072 1073 case=If unknown minor name/pattern
1073 1074 format=arg1:arg2:arg3:arg4:arg5
1074 1075 comment=2, "major", major number:
1075 1076 comment=2, "lomin", low minor number, if known:
1076 1077 comment=2, "himin", hi minor number, if known:
1077 1078 comment=privileges required for reading:
1078 1079 comment=privileges required for writing
1079 1080 case=else
1080 1081 format=arg1:text2:arg3:arg4
1081 1082 comment=2, "major", major number:
1082 1083 comment=minor name/pattern:
1083 1084 comment=privileges required for reading:
1084 1085 comment=privileges required for writing
1085 1086
1086 1087 label=AUE_MODLOAD
1087 1088 syscall=modctl
1088 1089 title=modctl: load module
1089 1090 format=[text]1:text2
1090 1091 comment=default path:
1091 1092 comment=filename path
1092 1093
1093 1094 label=AUE_MODUNLOAD
1094 1095 syscall=modctl
1095 1096 title=modctl: unload module
1096 1097 format=arg1
1097 1098 comment=1, module ID, "id"
1098 1099
1099 1100 label=AUE_MOUNT
1100 1101 case=UNIX file system
1101 1102 format=arg1:text2:path:[attr]
1102 1103 comment=3, flags, "flags":
1103 1104 comment=filesystem type
1104 1105 case=NFS file system
1105 1106 format=arg1:text2:text3:arg4:path:[attr]
1106 1107 comment=3, flags, "flags":
1107 1108 comment=filesystem type:
1108 1109 comment=host name:
1109 1110 comment=3, flags, "internal flags"
1110 1111 # unix example:
1111 1112 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1112 1113 # argument,3,0x104,flags
1113 1114 # text,ufs
1114 1115 # path,/var2
1115 1116 # attribute,40755,root,root,32,12160,0
1116 1117 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1117 1118 # attribute,60640,root,sys,32,231268,137438953476
1118 1119 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1119 1120 # return,success,4290707268
1120 1121 # ^^^^^^^^^^ <- bugid 4333559
1121 1122
1122 1123 label=AUE_MSGCTL
1123 1124 format=arg1:[ipc]:[ipc_perm]
1124 1125 comment=1, message ID, "msg ID"
1125 1126 note=ipc_perm
1126 1127 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127 1128
1128 1129 label=AUE_MSGCTL_RMID
1129 1130 format=arg1:[ipc]:[ipc_perm]
1130 1131 comment=1, message ID, "msg ID"
1131 1132 note=ipc_perm
1132 1133 syscall=msgctl: IPC_RMID
1133 1134 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134 1135
1135 1136 label=AUE_MSGCTL_SET
1136 1137 format=arg1:[ipc]:[ipc_perm]
1137 1138 comment=1, message ID, "msg ID"
1138 1139 note=ipc_perm
1139 1140 syscall=msgctl: IPC_SET
1140 1141 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141 1142
1142 1143 label=AUE_MSGCTL_STAT
1143 1144 format=arg1:[ipc]:[ipc_perm]
1144 1145 comment=1, message ID, "msg ID"
1145 1146 note=ipc_perm
1146 1147 syscall=msgctl: IPC_STAT
1147 1148 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1148 1149
1149 1150 label=AUE_MSGGET
1150 1151 format=arg1:ipc
1151 1152 comment=1, message key, "msg key"
1152 1153 note=ipc_perm
1153 1154 syscall=msgget
1154 1155
1155 1156 label=AUE_MSGGETL
1156 1157 skip=Not used.
1157 1158
1158 1159 label=AUE_MSGRCV
1159 1160 format=arg1:[ipc]:[ipc_perm]
1160 1161 comment=1, message ID, "msg ID"
1161 1162 note=ipc_perm
1162 1163 syscall=msgrcv
1163 1164 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1164 1165
1165 1166 label=AUE_MSGRCVL
1166 1167 skip=Not used.
1167 1168
1168 1169 label=AUE_MSGSND
1169 1170 format=arg1:[ipc]:[ipc_perm]
1170 1171 comment=1, message ID, "msg ID"
1171 1172 note=ipc_perm
1172 1173 syscall=msgsnd
1173 1174 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1174 1175
1175 1176 label=AUE_MSGSNDL
1176 1177 skip=Not used.
1177 1178
1178 1179 label=AUE_MSGSYS
1179 1180 skip=Not used. (Placeholder for AUE_MSG* events.)
1180 1181
1181 1182 label=AUE_MUNMAP
1182 1183 format=arg1:arg2
1183 1184 comment=1, address of memory, "addr":
1184 1185 comment=2, memory segment size, "len"
1185 1186
1186 1187 label=AUE_NFS
1187 1188 skip=Not used.
1188 1189
1189 1190 label=AUE_NFSSVC_EXIT
1190 1191 skip=Not used.
1191 1192
1192 1193 label=AUE_NFS_GETFH
1193 1194 skip=Not used.
1194 1195
1195 1196 label=AUE_NFS_SVC
1196 1197 skip=Not used.
1197 1198
1198 1199 label=AUE_NICE
1199 1200 format=kernel
1200 1201
1201 1202 label=AUE_NULL
1202 1203 skip=Not used. (placeholder)
1203 1204 # used internal to audit_event.c for minimal audit
1204 1205
1205 1206 label=AUE_NTP_ADJTIME
1206 1207 format=kernel
1207 1208
1208 1209 label=AUE_ONESIDE
1209 1210 skip=Not used.
1210 1211
1211 1212 label=AUE_OPEN
1212 1213 skip=Not used. (placeholder for AUE_OPEN_*).
1213 1214
1214 1215 label=AUE_OPEN_R
1215 1216 format=path:[path_attr]:[attr]
1216 1217 see=open(2) - read
1217 1218
1218 1219 label=AUE_OPENAT_R
1219 1220 # obsolete
1220 1221 format=path:[path_attr]:[attr]
1221 1222 see=openat(2)
1222 1223
1223 1224 label=AUE_OPEN_RC
1224 1225 format=path:[path_attr]:[attr]
1225 1226 see=open(2) - read,creat
1226 1227
1227 1228 label=AUE_OPENAT_RC
1228 1229 # obsolete
1229 1230 see=openat(2)
1230 1231 format=path:[path_attr]:[attr]
1231 1232
1232 1233 label=AUE_OPEN_RT
1233 1234 format=path:[path_attr]:[attr]
1234 1235 see=open(2) - read,trunc
1235 1236
1236 1237 label=AUE_OPENAT_RT
1237 1238 # obsolete
1238 1239 see=openat(2)
1239 1240 format=path:[path_attr]:[attr]
1240 1241
1241 1242 label=AUE_OPEN_RTC
1242 1243 format=path:[path_attr]:[attr]
1243 1244 see=open(2) - read,trunc,creat
1244 1245
1245 1246 label=AUE_OPENAT_RTC
1246 1247 # obsolete
1247 1248 see=openat(2)
1248 1249 format=path:[path_attr]:[attr]
1249 1250
1250 1251 label=AUE_OPEN_RW
1251 1252 format=path:[path_attr]:[attr]
1252 1253 see=open(2) - read,write
1253 1254
1254 1255 label=AUE_OPENAT_RW
1255 1256 # obsolete
1256 1257 see=openat(2)
1257 1258 format=path:[path_attr]:[attr]
1258 1259 # aui_fsat(): fm & O_RDWR
1259 1260
1260 1261 label=AUE_OPEN_RWC
1261 1262 format=path:[path_attr]:[attr]
1262 1263 see=open(2) - read,write,creat
1263 1264
1264 1265 label=AUE_OPENAT_RWC
1265 1266 # obsolete
1266 1267 see=openat(2)
1267 1268 format=path:[path_attr]:[attr]
1268 1269
1269 1270 label=AUE_OPEN_RWT
1270 1271 format=path:[path_attr]:[attr]
1271 1272 see=open(2) - read,write,trunc
1272 1273
1273 1274 label=AUE_OPENAT_RWT
1274 1275 # obsolete
1275 1276 see=openat(2)
1276 1277 format=path:[path_attr]:[attr]
1277 1278
1278 1279 label=AUE_OPEN_RWTC
1279 1280 format=path:[path_attr]:[attr]
1280 1281 see=open(2) - read,write,trunc,creat
1281 1282
1282 1283 label=AUE_OPENAT_RWTC
1283 1284 # obsolete
1284 1285 see=openat(2)
1285 1286 format=path:[path_attr]:[attr]
1286 1287
1287 1288 label=AUE_OPEN_W
1288 1289 format=path:[path_attr]:[attr]
1289 1290 see=open(2) - write
1290 1291
1291 1292 label=AUE_OPENAT_W
1292 1293 see=openat(2)
1293 1294 format=path:[path_attr]:[attr]
1294 1295
1295 1296 label=AUE_OPEN_WC
1296 1297 format=path:[path_attr]:[attr]
1297 1298 see=open(2) - write,creat
1298 1299
1299 1300 label=AUE_OPENAT_WC
1300 1301 see=openat(2)
1301 1302 format=path:[path_attr]:[attr]
1302 1303
1303 1304 label=AUE_OPEN_WT
1304 1305 format=path:[path_attr]:[attr]
1305 1306 see=open(2) - write,trunc
1306 1307
1307 1308 label=AUE_OPENAT_WT
1308 1309 see=openat(2)
1309 1310 format=path:[path_attr]:[attr]
1310 1311
1311 1312 label=AUE_OPEN_WTC
1312 1313 format=path:[path_attr]:[attr]
1313 1314 see=open(2) - write,trunc,creat
1314 1315
1315 1316 label=AUE_OPENAT_WTC
1316 1317 see=openat(2)
1317 1318 format=path:[path_attr]:[attr]
1318 1319
1319 1320 label=AUE_OPEN_S
1320 1321 format=path:[path_attr]:[attr]
1321 1322 see=open(2) - search
1322 1323
1323 1324 label=AUE_OPEN_E
1324 1325 format=path:[path_attr]:[attr]
1325 1326 see=open(2) - exec
1326 1327
1327 1328 label=AUE_OSETPGRP
1328 1329 skip=Not used.
1329 1330
1330 1331 label=AUE_OSTAT
1331 1332 # obsolete
1332 1333 skip=Not used.
1333 1334
1334 1335 label=AUE_PATHCONF
1335 1336 format=path:[attr]
1336 1337
1337 1338 label=AUE_PIPE
1338 1339 format=kernel
1339 1340 # class is no, not usually printed
1340 1341
1341 1342 label=AUE_PORTFS
1342 1343 skip=Not used (placeholder for AUE_PORTFS_*).
1343 1344
1344 1345 label=AUE_PORTFS
1345 1346 skip=Not used (placeholder for AUE_PORTFS_*).
1346 1347
1347 1348 label=AUE_PORTFS_ASSOCIATE
1348 1349 syscall=portfs
1349 1350 see=port_associate(3C)
1350 1351 case=Port association via PORT_SOURCE_FILE
1351 1352 format=[path]1:attr
1352 1353 comment=name of the file/directory to be watched
1353 1354
1354 1355 label=AUE_PORTFS_DISSOCIATE
1355 1356 syscall=portfs
1356 1357 see=port_dissociate(3C)
1357 1358 case=Port disassociation via PORT_SOURCE_FILE
1358 1359 format=kernel
1359 1360
1360 1361 label=AUE_PRIOCNTLSYS
1361 1362 syscall=priocntl
1362 1363 see=priocntl(2)
1363 1364 format=arg1:arg2
1364 1365 comment=1, priocntl version number, "pc_version":
1365 1366 comment=3, command, "cmd"
1366 1367
1367 1368 label=AUE_PROCESSOR_BIND
1368 1369 case=No LWP/thread bound to the processor
1369 1370 format=arg1:arg2:text3:[proc]
1370 1371 comment=1, type of ID, "ID type":
1371 1372 comment=2, ID value, "ID":
1372 1373 comment="PBIND_NONE"
1373 1374 case=With processor bound
1374 1375 format=arg1:arg2:arg3:[proc]
1375 1376 comment=1, type of ID, "ID type":
1376 1377 comment=2, ID value, "ID":
1377 1378 comment=3, processor ID, "processor_id"
1378 1379
1379 1380 label=AUE_PUTMSG
1380 1381 see=putmsg(2)
1381 1382 format=arg1:[path]:[attr]:arg2
1382 1383 comment=1, file descriptor, "fd":
1383 1384 comment=4, priority, "pri"
1384 1385
1385 1386 label=AUE_PUTPMSG
1386 1387 see=putpmsg(2)
1387 1388 format=arg1:[path]:[attr]:arg2:arg3
1388 1389 comment=1, file descriptor, "fd":
1389 1390 comment=4, priority, "pri":
1390 1391 comment=5, flags, "flags"
1391 1392
1392 1393 label=AUE_P_ONLINE
1393 1394 format=arg1:arg2:text3
1394 1395 comment=1, processor ID, "processor ID":
1395 1396 comment=2, flags value, "flags":
1396 1397 comment=text form of flags. Values: \
1397 1398 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1398 1399
1399 1400 label=AUE_QUOTACTL
1400 1401 skip=Not used.
1401 1402
1402 1403 label=AUE_READ
1403 1404 skip=Not used. (Placeholder for AUE_READ_* events)
1404 1405
1405 1406 label=AUE_READL
1406 1407 skip=Not used. (Obsolete)
1407 1408
1408 1409 label=AUE_READLINK
1409 1410 format=path:[attr]
1410 1411
1411 1412 label=AUE_READV
1412 1413 skip=Not used (obsolete)
1413 1414 # detritus from CMS
1414 1415
1415 1416 label=AUE_READVL
1416 1417 skip=Not used (obsolete)
1417 1418 # detritus from CMS
1418 1419
1419 1420 label=AUE_REBOOT
1420 1421 skip=Not used.
1421 1422
1422 1423 label=AUE_RECV
1423 1424 case=If address family is AF_INET or AF_INET6
1424 1425 format=[arg]1:[inet]
1425 1426 comment=1, file descriptor, "so"
1426 1427 case=If address family is AF_UNIX and path is defined
1427 1428 format=[path]1:[attr]
1428 1429 comment=1, file descriptor, "so"
1429 1430 case=If address family is AF_UNIX and path is NULL
1430 1431 format=[path]1:[attr]
1431 1432 comment=1, file descriptor, "no path: fd"
1432 1433 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1433 1434 format=[arg]1:[arg]2:[arg]3
1434 1435 comment=1, file descriptor, "so":
1435 1436 comment=1, family, "family":
1436 1437 comment=1, type, "type"
1437 1438 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1438 1439
1439 1440 label=AUE_RECVFROM
1440 1441 format=inet:arg1:[arg]2:inet3:arg4
1441 1442 comment=3, message length, "len":
1442 1443 comment=4, flags, "flags":
1443 1444 comment=from address:
1444 1445 comment=6, address length, "tolen"
1445 1446 note=The socket token for a bad socket is reported as "argument
1446 1447 note=token (1, socket descriptor, "fd")"
1447 1448
1448 1449 label=AUE_RECVMSG
1449 1450 case=If invalid file descriptor
1450 1451 format=arg1:arg2
1451 1452 comment=1, file descriptor, "so":
1452 1453 comment=3, flags, "flags"
1453 1454 case=If valid file descriptor and socket is AF_UNIX and no path
1454 1455 format=arg1:[attr]
1455 1456 comment=1, file descriptor, "no path: fd"
1456 1457 case=If valid file descriptor and socket is AF_UNIX and path defined
1457 1458 format=path:attr
1458 1459 case=If valid file descriptor and socket is AF_INET or AF_INET6
1459 1460 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1460 1461 format=arg1:arg2:inet
1461 1462 comment=1, file descriptor, "so":
1462 1463 comment=2, flags, "flags"
1463 1464 case=.. if socket type is unknown
1464 1465 format=arg1:arg2:arg3:arg4
1465 1466 comment=1, file descriptor, "so":
1466 1467 comment=1, family, "family":
1467 1468 comment=1, type, "type":
1468 1469 comment=3, flags, "flags"
1469 1470
1470 1471 label=AUE_RENAME
1471 1472 format=path1:[attr]1:[path]2
1472 1473 comment=from name:
1473 1474 comment=to name
1474 1475
1475 1476 label=AUE_RENAMEAT
1476 1477 # obsolete
1477 1478 format=path1:[attr]1:[path]2
1478 1479 comment=from name:
1479 1480 comment=to name
1480 1481
1481 1482 label=AUE_RFSSYS
1482 1483 skip=Not used.
1483 1484 # apparently replaced
1484 1485
1485 1486 label=AUE_RMDIR
1486 1487 format=path:[attr]
1487 1488
1489 +label=AUE_SACL
1490 + title=File Access Audit
1491 + syscall=none
1492 + see=none
1493 + format=head:path:arg1:[text]2:subj
1494 + comment="access_mask":
1495 + comment="Windows SID"
1496 +
1488 1497 label=AUE_SEMCTL
1489 1498 format=arg1:[ipc]:[ipc_perm]
1490 1499 comment=1, semaphore ID, "sem ID"
1491 1500 note=ipc_perm
1492 1501 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1493 1502
1494 1503 label=AUE_SEMCTL_GETALL
1495 1504 format=arg1:[ipc]:[ipc_perm]
1496 1505 comment=1, semaphore ID, "sem ID"
1497 1506 note=ipc_perm
1498 1507 syscall=semctl: GETALL
1499 1508 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1500 1509
1501 1510 label=AUE_SEMCTL_GETNCNT
1502 1511 format=arg1:[ipc]:[ipc_perm]
1503 1512 comment=1, semaphore ID, "sem ID"
1504 1513 note=ipc_perm
1505 1514 syscall=semctl: GETNCNT
1506 1515 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1507 1516
1508 1517 label=AUE_SEMCTL_GETPID
1509 1518 format=arg1:[ipc]:[ipc_perm]
1510 1519 comment=1, semaphore ID, "sem ID"
1511 1520 note=ipc_perm
1512 1521 syscall=semctl: GETPID
1513 1522 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1514 1523
1515 1524 label=AUE_SEMCTL_GETVAL
1516 1525 format=arg1:[ipc]:[ipc_perm]
1517 1526 comment=1, semaphore ID, "sem ID"
1518 1527 note=ipc_perm
1519 1528 syscall=semctl: GETVAL
1520 1529 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1521 1530
1522 1531 label=AUE_SEMCTL_GETZCNT
1523 1532 format=arg1:[ipc]:[ipc_perm]
1524 1533 comment=1, semaphore ID, "sem ID"
1525 1534 note=ipc_perm
1526 1535 syscall=semctl: GETZCNT
1527 1536 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1528 1537
1529 1538 label=AUE_SEMCTL_RMID
1530 1539 format=arg1:[ipc]:[ipc_perm]
1531 1540 comment=1, semaphore ID, "sem ID"
1532 1541 note=ipc_perm
1533 1542 syscall=semctl: IPC_RMID
1534 1543 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1535 1544
1536 1545 label=AUE_SEMCTL_SET
1537 1546 format=arg1:[ipc]:[ipc_perm]
1538 1547 comment=1, semaphore ID, "sem ID"
1539 1548 note=ipc_perm
1540 1549 syscall=semctl: IPC_SET
1541 1550 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1542 1551
1543 1552 label=AUE_SEMCTL_SETALL
1544 1553 format=arg1:[ipc]:[ipc_perm]
1545 1554 comment=1, semaphore ID, "sem ID"
1546 1555 note=ipc_perm
1547 1556 syscall=semctl: SETALL
1548 1557 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1549 1558
1550 1559 label=AUE_SEMCTL_SETVAL
1551 1560 format=arg1:[ipc]:[ipc_perm]
1552 1561 comment=1, semaphore ID, "sem ID"
1553 1562 note=ipc_perm
1554 1563 syscall=semctl: SETVAL
1555 1564 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1556 1565
1557 1566 label=AUE_SEMCTL_STAT
1558 1567 format=arg1:[ipc]:[ipc_perm]
1559 1568 comment=1, semaphore ID, "sem ID"
1560 1569 note=ipc_perm
1561 1570 syscall=semctl: IPC_STAT
1562 1571 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1563 1572
1564 1573 label=AUE_SEMGET
1565 1574 format=arg1:[ipc_perm]:ipc
1566 1575 comment=1, semaphore ID, "sem key"
1567 1576 note=ipc_perm
1568 1577 syscall=semctl: SETVAL
1569 1578 # ipc_perm token: semget -> audit_ipcget
1570 1579
1571 1580 label=AUE_SEMGETL
1572 1581 skip=Not used.
1573 1582
1574 1583 label=AUE_SEMOP
1575 1584 format=arg1:[ipc]:[ipc_perm]
1576 1585 comment=1, semaphore ID, "sem ID"
1577 1586 note=ipc_perm
1578 1587 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1579 1588
1580 1589 label=AUE_SEMSYS
1581 1590 skip=Not used. (place holder) -- defaults to a semget variant
1582 1591
1583 1592 label=AUE_SEND
1584 1593 case=If address family is AF_INET or AF_INET6
1585 1594 format=[arg]1:[inet]
1586 1595 comment=1, file descriptor, "so"
1587 1596 case=If address family is AF_UNIX and path is defined
1588 1597 format=[path]1:[attr]
1589 1598 comment=1, file descriptor, "so"
1590 1599 case=If address family is AF_UNIX and path is NULL
1591 1600 format=[path]1:[attr]
1592 1601 comment=1, file descriptor, "no path: fd"
1593 1602 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1594 1603 format=[arg]1:[arg]2:[arg]3
1595 1604 comment=1, file descriptor, "so":
1596 1605 comment=1, family, "family":
1597 1606 comment=1, type, "type"
1598 1607 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1599 1608
1600 1609 label=AUE_SENDMSG
1601 1610 case=If invalid file descriptor
1602 1611 format=arg1:arg2
1603 1612 comment=1, file descriptor, "so":
1604 1613 comment=3, flags, "flags"
1605 1614 case=If valid file descriptor
1606 1615 case=...and address family is AF_UNIX and path is defined
1607 1616 format=path:attr
1608 1617 case=...and address family is AF_UNIX and path is NULL
1609 1618 format=path1:attr
1610 1619 comment=1, file descriptor, "nopath: fd"
1611 1620 case=...and address family is AF_INET or AF_INET6, \
1612 1621 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1613 1622 format=arg1:arg2:inet
1614 1623 comment=1, file descriptor, "so":
1615 1624 comment=3, flags, "flags"
1616 1625 case=...and unknown address family or address family AF_INET or AF_INET6 \
1617 1626 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1618 1627 format=arg1:arg2:arg3:arg4
1619 1628 comment=1, file descriptor, "so":
1620 1629 comment=1, family, "family":
1621 1630 comment=1, type, "type":
1622 1631 comment=1, flags, "flags"
1623 1632
1624 1633 label=AUE_SENDTO
1625 1634 case=If invalid file descriptor
1626 1635 format=arg1:arg2
1627 1636 comment=1, file descriptor, "so":
1628 1637 comment=3, flags, "flags"
1629 1638 case=If valid file descriptor
1630 1639 case=...and socket is AF_UNIX and path is defined
1631 1640 format=path:attr
1632 1641 case=...and address family is AF_UNIX and path is NULL
1633 1642 format=path1:attr
1634 1643 comment=1, file descriptor, "nopath: fd"
1635 1644 case=...and address family is AF_INET or AF_INET6
1636 1645 format=arg1:arg2:inet
1637 1646 comment=1, file descriptor, "so":
1638 1647 comment=3, flags, "flags"
1639 1648 case=...and unknown address family
1640 1649 format=arg1:arg2:arg3:arg4
1641 1650 comment=1, file descriptor, "so":
1642 1651 comment=1, family, "family":
1643 1652 comment=1, type, "type":
1644 1653 comment=1, flags, "flags"
1645 1654
1646 1655 label=AUE_SETAUDIT
1647 1656 case=With a valid program stack address
1648 1657 format=arg1:arg2:arg3:arg4:arg5:arg6
1649 1658 comment=1, audit user ID, "setaudit:auid":
1650 1659 comment=1, terminal ID, "setaudit:port":
1651 1660 comment=1, terminal ID, "setaudit:machine":
1652 1661 comment=1, preselection mask, "setaudit:as_success":
1653 1662 comment=1, preselection mask, "setaudit:as_failure":
1654 1663 comment=1, audit session ID, "setaudit:asid"
1655 1664 case=With an invalid program stack address
1656 1665 format=kernel
1657 1666 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1658 1667 # argument,1,0x271a,setaudit:auid
1659 1668 # argument,1,0x3ff0201,setaudit:port
1660 1669 # argument,1,0x8192591e,setaudit:machine
1661 1670 # argument,1,0x400,setaudit:as_success
1662 1671 # argument,1,0x400,setaudit:as_failure
1663 1672 # argument,1,0x16f,setaudit:asid
1664 1673 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1665 1674 # return,success,0
1666 1675 # trailer,215
1667 1676 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1668 1677 # argument,1,0x271a,setaudit:auid
1669 1678 # argument,1,0x3ff0201,setaudit:port
1670 1679 # argument,1,0x8192591e,setaudit:machine
1671 1680 # argument,1,0x400,setaudit:as_success
1672 1681 # argument,1,0x400,setaudit:as_failure
1673 1682 # argument,1,0x16f,setaudit:asid
1674 1683 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1675 1684 # return,success,0
1676 1685 # trailer,215
1677 1686
1678 1687 label=AUE_SETAUDIT_ADDR
1679 1688 case=With a valid program stack address
1680 1689 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1681 1690 comment=1, audit user ID, "auid":
1682 1691 comment=1, terminal ID, "port":
1683 1692 comment=1, type, "type":
1684 1693 comment=1, terminal ID, "ip address":
1685 1694 comment=1, preselection mask, "as_success":
1686 1695 comment=1, preselection mask, "as_failure":
1687 1696 comment=1, audit session ID, "asid"
1688 1697 case=With an invalid program stack address
1689 1698 format=kernel
1690 1699 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1691 1700 # argument,1,0x15fa7,auid
1692 1701 # argument,1,0x0,port
1693 1702 # argument,1,0x4,type
1694 1703 # ip address,tmach2
1695 1704 # argument,1,0x9c00,as_success
1696 1705 # argument,1,0x9c00,as_failure
1697 1706 # argument,1,0x1f1,asid
1698 1707 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1699 1708 # return,success,0
1700 1709
1701 1710 label=AUE_SETAUID
1702 1711 format=arg1
1703 1712 comment=2, audit user ID, "setauid"
1704 1713
1705 1714 label=AUE_SETDOMAINNAME
1706 1715 skip=Not used. (See AUE_SYSINFO)
1707 1716 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1708 1717
1709 1718 label=AUE_SETEGID
1710 1719 format=arg1
1711 1720 comment=1, group ID, "gid"
1712 1721
1713 1722 label=AUE_SETEUID
1714 1723 format=arg1
1715 1724 comment=1, user ID, "euid"
1716 1725
1717 1726 label=AUE_SETGID
1718 1727 format=arg1
1719 1728 comment=1, group ID, "gid"
1720 1729
1721 1730 label=AUE_SETGROUPS
1722 1731 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1723 1732 note=no tokens are generated.
1724 1733 case=If no groups in list
1725 1734 format=[arg]1
1726 1735 comment=1, 0, "setgroups"
1727 1736 case=If 1 or more groups in list
1728 1737 format=(1..n)arg1
1729 1738 comment=1, gid, "setgroups"
1730 1739
1731 1740 label=AUE_SETHOSTNAME
1732 1741 skip=Not used. (See AUE_SYSINFO)
1733 1742 # See sysinfo call with command SI_SET_HOSTNAME
1734 1743
1735 1744 label=AUE_SETKERNSTATE
1736 1745 skip=Not used.
1737 1746
1738 1747 label=AUE_SETPGID
1739 1748 format=[proc]:[arg]1
1740 1749 comment=2, pgid, "pgid"
1741 1750
1742 1751 label=AUE_SETPGRP
1743 1752 format=kernel
1744 1753
1745 1754 label=AUE_SETPRIORITY
1746 1755 skip=Not used.
1747 1756
1748 1757 label=AUE_SETPPRIV
1749 1758 case=operation privileges off
1750 1759 format=arg1:privset2
1751 1760 comment=setppriv operation:
1752 1761 comment=privileges actually switched off
1753 1762 case=operation privileges on
1754 1763 format=arg1:privset2
1755 1764 comment=setppriv operation:
1756 1765 comment=privileges actually switched on
1757 1766 case=operation privileges off
1758 1767 format=arg1:privset2:privset3
1759 1768 comment=setppriv operation:
1760 1769 comment=privileges before privset:
1761 1770 comment=privileges after privset
1762 1771 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1763 1772 #argument,2,0x2,op
1764 1773 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 1774 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1766 1775 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1767 1776 #return,success,0
1768 1777
1769 1778 label=AUE_SETREGID
1770 1779 format=arg1:arg2
1771 1780 comment=1, real group ID, "rgid":
1772 1781 comment=2, effective group ID, "egid"
1773 1782
1774 1783 label=AUE_SETREUID
1775 1784 format=arg1:arg2
1776 1785 comment=1, real user ID, "ruid":
1777 1786 comment=2, effective user ID, "euid"
1778 1787
1779 1788 label=AUE_SETRLIMIT
1780 1789 format=kernel
1781 1790 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1782 1791 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1783 1792 # return,success,0
1784 1793
1785 1794 label=AUE_SETSID
1786 1795 format=kernel
1787 1796
1788 1797 label=AUE_SETSOCKOPT
1789 1798 case=Invalid file descriptor
1790 1799 format=arg1:arg2
1791 1800 comment=1, file descriptor, "so":
1792 1801 comment=2, level, "level"
1793 1802 case=Valid file descriptor
1794 1803 case=...and socket is AF_UNIX
1795 1804 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1796 1805 comment=if no path, will be argument: 1, "nopath: fd", \
1797 1806 file descriptor:
1798 1807 comment=1, file descriptor, "so":
1799 1808 comment=1, family, "family":
1800 1809 comment=1, type, "type":
1801 1810 comment=2, protocol level, "level":
1802 1811 comment=3, option name, "optname":
1803 1812 comment=5, option length, "optlen":
1804 1813 comment=option data
1805 1814 case=...and socket is AF_INET or AF_INET6
1806 1815 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1807 1816 comment=1, file descriptor, "so":
1808 1817 comment=2, protocol level, "level":
1809 1818 comment=3, option name, "optname":
1810 1819 comment=5, option length, "optlen":
1811 1820 comment=option data
1812 1821 case=...and socket adddress family is unknown
1813 1822 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1814 1823 comment=1, file descriptor, "so":
1815 1824 comment=1, family, "family":
1816 1825 comment=1, type, "type":
1817 1826 comment=2, protocol level, "level":
1818 1827 comment=3, option name, "optname":
1819 1828 comment=5, option length, "optlen":
1820 1829 comment=option data
1821 1830
1822 1831 label=AUE_SETTIMEOFDAY
1823 1832 skip=Not used.
1824 1833
1825 1834 label=AUE_SETUID
1826 1835 syscall=setuid
1827 1836 format=arg1
1828 1837 comment=1, "uid" to be set
1829 1838
1830 1839 label=AUE_SETUSERAUDIT
1831 1840 skip=Not used.
1832 1841
1833 1842 label=AUE_SHMAT
1834 1843 format=arg1:arg2:[ipc]:[ipc_perm]
1835 1844 comment=1, shared memory ID, "shm ID":
1836 1845 comment=2, shared mem addr, "shm addr"
1837 1846 note=ipc_perm
1838 1847 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1839 1848
1840 1849 label=AUE_SHMCTL
1841 1850 format=arg1:[ipc]:[ipc_perm]
1842 1851 comment=1, shared memory ID, "shm ID"
1843 1852 note=ipc_perm
1844 1853 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1845 1854
1846 1855 label=AUE_SHMCTL_RMID
1847 1856 format=arg1:[ipc]:[ipc_perm]
1848 1857 comment=1, shared memory ID, "shm ID"
1849 1858 note=ipc_perm
1850 1859 syscall=semctl: IPC_RMID
1851 1860 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1852 1861
1853 1862 label=AUE_SHMCTL_SET
1854 1863 format=arg1:[ipc]:[ipc_perm]
1855 1864 comment=1, shared memory ID, "shm ID"
1856 1865 note=ipc_perm
1857 1866 syscall=semctl: IPC_SET
1858 1867 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1859 1868
1860 1869 label=AUE_SHMCTL_STAT
1861 1870 format=arg1:[ipc]:[ipc_perm]
1862 1871 comment=1, shared memory ID, "shm ID"
1863 1872 note=ipc_perm
1864 1873 syscall=semctl: IPC_STAT
1865 1874 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1866 1875
1867 1876 label=AUE_SHMDT
1868 1877 format=arg1
1869 1878 comment=1, shared memory address, "shm adr"
1870 1879
1871 1880 label=AUE_SHMGET
1872 1881 format=arg1:[ipc_perm]:[ipc]
1873 1882 comment=0, shared memory key, "shm key"
1874 1883 note=ipc_perm
1875 1884 # ipc_perm: shmget -> audit_ipcget
1876 1885
1877 1886 label=AUE_SHMGETL
1878 1887 skip=Not used.
1879 1888
1880 1889 label=AUE_SHMSYS
1881 1890 skip=Not used. (Placeholder for shmget and shmctl*)
1882 1891
1883 1892 label=AUE_SHUTDOWN
1884 1893 case=If the socket address is invalid
1885 1894 format=[arg]1:[text]2:[text]3
1886 1895 comment=1, file descriptor, "fd":
1887 1896 comment=bad socket address:
1888 1897 comment=bad peer address
1889 1898 case=If the socket address is part of the AF_INET family
1890 1899 case=..with zero file descriptor
1891 1900 format=arg1:[arg]2:[arg]3:[arg]4
1892 1901 comment=1, file descriptor, "so":
1893 1902 comment=1, family, "family":
1894 1903 comment=1, type, "type":
1895 1904 comment=2, how shutdown code, "how"
1896 1905 case=...with non-zero file descriptor
1897 1906 format=arg1:arg2:inet
1898 1907 comment=1, file descriptor, "so":
1899 1908 comment=2, how shutdown code, "how"
1900 1909 case=If the socket address is AF_UNIX
1901 1910 case=...with zero file descriptor
1902 1911 format=path1:arg2:[arg]3:[arg]4:[arg]5
1903 1912 comment=If error: argument: \
1904 1913 1, "no path: fd", file descriptor:
1905 1914 comment=1, file descriptor, "so":
1906 1915 comment=1, family, "family":
1907 1916 comment=1, type, "type":
1908 1917 comment=2, how shutdown code, "how"
1909 1918 case=...with non-zero file descriptor
1910 1919 format=path1:arg2:arg3:inet
1911 1920 comment=If error: argument: \
1912 1921 1, file descriptor, "no path: fd":
1913 1922 comment=1, file descriptor, "so":
1914 1923 comment=2, how shutdown code, "how"
1915 1924 #old BSM manual wrong; used audit_event.c
1916 1925
1917 1926 label=AUE_SOCKACCEPT
1918 1927 syscall=getmsg: socket accept
1919 1928 format=inet:arg1:[path]:attr:arg2
1920 1929 comment=1, file descriptor, "fd":
1921 1930 comment=4, priority, "pri"
1922 1931 # see putmsg and getmsg for record format
1923 1932 # See audit.c for inet token and audit_start.c for other reference
1924 1933
1925 1934 label=AUE_SOCKCONFIG
1926 1935 format=arg1:arg2:arg3:[path]4
1927 1936 comment=1, domain address, "domain":
1928 1937 comment=2, type, "type":
1929 1938 comment=3, protocol, "protocol":
1930 1939 comment=If no path:argument -- 3, 0, "devpath"
1931 1940
1932 1941 label=AUE_SOCKCONNECT
1933 1942 syscall=putmsg: socket connect
1934 1943 format=inet:arg1:[path]:attr:arg2
1935 1944 comment=1, file descriptor, "fd":
1936 1945 comment=4, priority, "pri"
1937 1946 # same as AUE_SOCKACCEPT
1938 1947
1939 1948 label=AUE_SOCKET
1940 1949 format=arg1:[arg]2:arg3
1941 1950 comment=1, socket domain, "domain":
1942 1951 comment=2, socket type, "type":
1943 1952 comment=3, socket protocol, "protocol"
1944 1953
1945 1954 label=AUE_SOCKETPAIR
1946 1955 skip=Not used.
1947 1956 # unreferenced
1948 1957
1949 1958 label=AUE_SOCKRECEIVE
1950 1959 syscall=getmsg
1951 1960 format=inet:arg1:[path]:attr:arg2
1952 1961 comment=1, file descriptor, "fd":
1953 1962 comment=4, priority, "pri"
1954 1963 # see AUE_SOCKACCEPT
1955 1964
1956 1965 label=AUE_SOCKSEND
1957 1966 syscall=putmsg
1958 1967 format=inet:arg1:[path]:attr:arg2
1959 1968 comment=1, file descriptor, "fd":
1960 1969 comment=4, priority, "pri"
1961 1970 # see AUE_SOCKACCEPT
1962 1971
1963 1972 label=AUE_STAT
1964 1973 format=path:[attr]
1965 1974
1966 1975 label=AUE_STATFS
1967 1976 format=path:[attr]
1968 1977
1969 1978 label=AUE_STATVFS
1970 1979 format=path:[attr]
1971 1980
1972 1981 label=AUE_STIME
1973 1982 format=kernel
1974 1983
1975 1984 label=AUE_SWAPON
1976 1985 skip=Not used.
1977 1986
1978 1987 label=AUE_SYMLINK
1979 1988 format=path:text1:[attr]
1980 1989 comment=symbolic link string
1981 1990
1982 1991 label=AUE_SYSINFO
1983 1992 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1984 1993 note=are currently audited.
1985 1994 format=arg1:[text]2
1986 1995 comment=1, command, "cmd":
1987 1996 comment=name
1988 1997
1989 1998 label=AUE_SYSTEMBOOT
1990 1999 title=system booted
1991 2000 syscall=none
1992 2001 format=head:text1
1993 2002 comment="booting kernel"
1994 2003 # see audit_start.c and audit_io.c
1995 2004 # no subject or return / exit token
1996 2005 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1997 2006 # text,booting kernel
1998 2007
1999 2008 label=AUE_TRUNCATE
2000 2009 skip=Not used.
2001 2010
2002 2011 label=AUE_UMOUNT
2003 2012 syscall=umount: old version
2004 2013 note=Implemented as call of the newer umount2(2).
2005 2014 format=path:arg1:[path]:[attr]
2006 2015 comment=2, mflag value = 0, "flags"
2007 2016
2008 2017 label=AUE_UMOUNT2
2009 2018 syscall=umount2
2010 2019 format=path:arg1:[path]:[attr]
2011 2020 comment=2, mflag value, "flags"
2012 2021
2013 2022 label=AUE_UNLINK
2014 2023 format=path:[attr]
2015 2024
2016 2025 label=AUE_UNLINKAT
2017 2026 # obsolete
2018 2027 see=openat(2)
2019 2028 format=path:[attr]
2020 2029
2021 2030 label=AUE_UNMOUNT
2022 2031 skip=Not used.
2023 2032
2024 2033 label=AUE_UTIME
2025 2034 # obsolete
2026 2035 format=path:[attr]
2027 2036
2028 2037 label=AUE_UTIMES
2029 2038 see=futimens(2)
2030 2039 format=path:[attr]
2031 2040
2032 2041 label=AUE_VFORK
2033 2042 format=arg1
2034 2043 comment=0, pid, "child PID"
2035 2044 note=The vfork(2) return values are undefined because the audit record is
2036 2045 note=produced at the point that the child process is spawned.
2037 2046
2038 2047 label=AUE_VPIXSYS
2039 2048 skip=Not used.
2040 2049
2041 2050 label=AUE_VTRACE
2042 2051 skip=Not used.
2043 2052
2044 2053 label=AUE_WRITE
2045 2054 format=path1:attr
2046 2055 comment=if no path, argument -- "1, file descriptor, "no path: fd"
2047 2056 note:An audit record is generated for write only once per file close.
2048 2057
2049 2058 label=AUE_WRITEV
2050 2059 skip=Not used. (obsolete)
2051 2060
2052 2061 label=AUE_XMKNOD
2053 2062 # obsolete
2054 2063 skip=Not used.
2055 2064
2056 2065 label=AUE_XSTAT
2057 2066 # obsolete
2058 2067 skip=Not Used.
2059 2068
2060 2069 label=AUE_PF_POLICY_ADDRULE
2061 2070 title=Add IPsec policy rule
2062 2071 see=
2063 2072 syscall=none
2064 2073 format=arg1:arg2:[zone]3:[text]4
2065 2074 comment=Operation applied to active policy (1 is active, 0 is inactive):
2066 2075 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2067 2076 comment=affected zone:
2068 2077 comment=Name of target tunnel
2069 2078
2070 2079 label=AUE_PF_POLICY_DELRULE
2071 2080 title=Delete IPsec policy rule
2072 2081 see=
2073 2082 syscall=none
2074 2083 format=arg1:arg2:[zone]3:[text]4
2075 2084 comment=Operation applied to active policy (1 is active, 0 is inactive):
2076 2085 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2077 2086 comment=affected zone:
2078 2087 comment=Name of target tunnel
2079 2088
2080 2089 label=AUE_PF_POLICY_CLONE
2081 2090 title=Clone IPsec policy
2082 2091 see=
2083 2092 syscall=none
2084 2093 format=arg1:arg2:[zone]3:[text]4
2085 2094 comment=Operation applied to active policy (1 is active, 0 is inactive):
2086 2095 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2087 2096 comment=affected zone:
2088 2097 comment=Name of target tunnel
2089 2098
2090 2099 label=AUE_PF_POLICY_FLIP
2091 2100 title=Flip IPsec policy
2092 2101 see=
2093 2102 syscall=none
2094 2103 format=arg1:arg2:[zone]3:[text]4
2095 2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2096 2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2097 2106 comment=affected zone:
2098 2107 comment=Name of target tunnel
2099 2108
2100 2109 label=AUE_PF_POLICY_FLUSH
2101 2110 title=Flip IPsec policy rules
2102 2111 see=
2103 2112 syscall=none
2104 2113 format=arg1:arg2:[zone]3:[text]4
2105 2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2106 2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2107 2116 comment=affected zone:
2108 2117 comment=Name of target tunnel
2109 2118
2110 2119 label=AUE_PF_POLICY_ALGS
2111 2120 title=Update IPsec algorithms
2112 2121 see=
2113 2122 syscall=none
2114 2123 format=arg1:arg2:[zone]3:[text]4
2115 2124 comment=Operation applied to active policy (1 is active, 0 is inactive):
2116 2125 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2117 2126 comment=affected zone:
2118 2127 comment=Name of target tunnel
2119 2128
2120 2129 label=AUE_allocate_fail
2121 2130 program=/usr/sbin/allocate
2122 2131 title=allocate: allocate-device failure
2123 2132 format=(0..n)[text]1
2124 2133 comment=command line arguments
2125 2134 # see audit_allocate.c
2126 2135
2127 2136 label=AUE_allocate_succ
2128 2137 program=/usr/sbin/allocate
2129 2138 title=allocate: allocate-device success
2130 2139 format=(0..n)[text]1
2131 2140 comment=command line arguments
2132 2141 # see audit_allocate.c
2133 2142
2134 2143 label=AUE_at_create
2135 2144 program=/usr/bin/at
2136 2145 title=at: at-create crontab
2137 2146 format=path
2138 2147
2139 2148 label=AUE_at_delete
2140 2149 program=/usr/bin/at
2141 2150 title=at: at-delete atjob (at or atrm)
2142 2151 format=text1:path
2143 2152 comment="ancillary file:" filename or "bad format of at-job name"
2144 2153
2145 2154 label=AUE_at_perm
2146 2155 skip=Not used.
2147 2156 # not referenced outside uevents.h
2148 2157
2149 2158 label=AUE_create_user
2150 2159 skip=Not used.
2151 2160
2152 2161 label=AUE_cron_invoke
2153 2162 program=/usr/sbin/cron
2154 2163 title=cron: cron-invoke at or cron
2155 2164 case=If issue with account find
2156 2165 format=text1
2157 2166 comment="bad user" name or "user <name> account expired"
2158 2167 case=else
2159 2168 format=text1:text2
2160 2169 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2161 2170 or "unknown job type (<job_type_id>)":
2162 2171 comment=command
2163 2172
2164 2173 label=AUE_crontab_create
2165 2174 program=/usr/bin/crontab
2166 2175 title=crontab: crontab created
2167 2176 format=path
2168 2177 # See audit_crontab.c
2169 2178
2170 2179 label=AUE_crontab_delete
2171 2180 program=/usr/bin/crontab
2172 2181 title=crontab: crontab delete
2173 2182 format=path
2174 2183 # See audit_crontab.c
2175 2184
2176 2185 label=AUE_crontab_mod
2177 2186 program=/usr/bin/crontab
2178 2187 title=crontab: crontab modify
2179 2188 format=path
2180 2189 # See audit_crontab.c
2181 2190
2182 2191 label=AUE_crontab_perm
2183 2192 skip=Not used.
2184 2193
2185 2194 label=AUE_deallocate_fail
2186 2195 program=/usr/sbin/deallocate
2187 2196 title=deallocate-device failure
2188 2197 format=(0..n)[text]1
2189 2198 comment=command line arguments
2190 2199 # See audit_allocate.c
2191 2200
2192 2201 label=AUE_deallocate_succ
2193 2202 program=/usr/sbin/deallocate
2194 2203 title=deallocate-device success
2195 2204 format=(0..n)[text]1
2196 2205 comment=command line arguments
2197 2206 # See audit_allocate.c
2198 2207
2199 2208 label=AUE_delete_user
2200 2209 skip=Not used.
2201 2210
2202 2211 label=AUE_disable_user
2203 2212 skip=Not used.
2204 2213
2205 2214 label=AUE_enable_user
2206 2215 skip=Not used.
2207 2216
2208 2217 label=AUE_ftpd
2209 2218 program=/usr/sbin/in.ftpd
2210 2219 title=in.ftpd
2211 2220 format=[text]1
2212 2221 comment=error message
2213 2222 # See audit_ftpd
2214 2223
2215 2224 label=AUE_ftpd_logout
2216 2225 program=/usr/sbin/in.ftpd
2217 2226 title=in.ftpd
2218 2227 format=user
2219 2228 # See audit_ftpd
2220 2229
2221 2230 label=AUE_halt_solaris
2222 2231 program=/usr/sbin/halt
2223 2232 title=halt
2224 2233 format=user
2225 2234 # See audit_halt.c
2226 2235
2227 2236 label=AUE_kadmind_auth
2228 2237 format=text1:text2:text3
2229 2238 comment=Op: <requested information>:
2230 2239 comment=Arg: <argument for Op>:
2231 2240 comment=Client: <client principal name>
2232 2241 # See audit_kadmin.c / common_audit()
2233 2242
2234 2243 label=AUE_kadmind_unauth
2235 2244 format=text1:text2:text3
2236 2245 comment=Op: <requested information>:
2237 2246 comment=Arg: <argument for Op>:
2238 2247 comment=Client: <client principal name>
2239 2248 # See audit_kadmin.c / common_audit()
2240 2249
2241 2250 label=AUE_krb5kdc_as_req
2242 2251 format=text1:text2
2243 2252 comment=Client: <client principal name>:
2244 2253 comment=Service: <requested service name>
2245 2254 # See audit_krb5kdc.c / common_audit()
2246 2255
2247 2256 label=AUE_krb5kdc_tgs_req
2248 2257 format=text1:text2
2249 2258 comment=Client: <client principal name>:
2250 2259 comment=Service: <requested service name>
2251 2260 # See audit_krb5kdc.c / common_audit()
2252 2261
2253 2262 label=AUE_krb5kdc_tgs_req_alt_tgt
2254 2263 format=text1:text2
2255 2264 comment=Client: <client principal name>:
2256 2265 comment=Service: <requested service name>
2257 2266 # See audit_krb5kdc.c / common_audit()
2258 2267
2259 2268 label=AUE_krb5kdc_tgs_req_2ndtktmm
2260 2269 format=text1:text2
2261 2270 comment=Client: <client principal name>:
2262 2271 comment=Service: <requested service name>
2263 2272 # See audit_krb5kdc.c / common_audit()
2264 2273
2265 2274 label=AUE_listdevice_fail
2266 2275 title=allocate-list devices failure
2267 2276 program=/usr/sbin/allocate
2268 2277 format=(0..n)[text]1
2269 2278 comment=command line arguments
2270 2279 # See audit_allocate.c
2271 2280
2272 2281 label=AUE_listdevice_succ
2273 2282 title=allocate-list devices success
2274 2283 program=/usr/sbin/allocate
2275 2284 format=(0..n)[text]1
2276 2285 comment=command line arguments
2277 2286 # See audit_allocate.c
2278 2287
2279 2288 label=AUE_modify_user
2280 2289 skip=Not used.
2281 2290
2282 2291 label=AUE_mountd_mount
2283 2292 title=mountd: NFS mount
2284 2293 program=/usr/lib/nfs/mountd
2285 2294 see=mountd(1M)
2286 2295 format=text1:path2
2287 2296 comment=remote client hostname:
2288 2297 comment=mount dir
2289 2298 # See audit_mountd.c
2290 2299
2291 2300 label=AUE_mountd_umount
2292 2301 title=mountd: NFS unmount
2293 2302 program=/usr/lib/nfs/mountd
2294 2303 format=text1:path2
2295 2304 comment=remote client hostname:
2296 2305 comment=mount dir
2297 2306 # See audit_mountd.c
2298 2307
2299 2308 label=AUE_poweroff_solaris
2300 2309 program=/usr/sbin/poweroff
2301 2310 title=poweroff
2302 2311 format=user
2303 2312 # See audit_halt.c
2304 2313
2305 2314 label=AUE_reboot_solaris
2306 2315 program=/usr/sbin/reboot
2307 2316 title=reboot
2308 2317 format=user
2309 2318 # See audit_reboot.c
2310 2319 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2311 2320 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2312 2321 # return,success,0
2313 2322
2314 2323 label=AUE_rexd
2315 2324 program=/usr/sbin/rpc.rexd
2316 2325 title=rpc.rexd
2317 2326 format=[text]1:text2:text3:[text]4:[text]5
2318 2327 comment=error message (failure only):
2319 2328 comment="Remote execution requested by:" hostname:
2320 2329 comment="Username:" username:
2321 2330 comment="User id:" user ID (failure only):
2322 2331 comment="Command line:" command attempted
2323 2332 # See audit_rexd.c
2324 2333
2325 2334 label=AUE_rexecd
2326 2335 program=/usr/sbin/rpc.rexecd
2327 2336 title=rpc.rexecd
2328 2337 format=[text]1:text2:text3:text4
2329 2338 comment=error message (failure only):
2330 2339 comment="Remote execution requested by:" hostname:
2331 2340 comment="Username:" username:
2332 2341 comment="Command line:" command attempted
2333 2342 # See audit_rexecd.c
2334 2343
2335 2344 label=AUE_rshd
2336 2345 program=/usr/sbin/in.rshd
2337 2346 title=in.rshd
2338 2347 format=text1:text2:[text]3:[text]4
2339 2348 comment="cmd" command:
2340 2349 comment="remote user" remote user:
2341 2350 comment="local user" local user:
2342 2351 comment=failure message
2343 2352 # See audit_rshd.c
2344 2353
2345 2354 label=AUE_shutdown_solaris
2346 2355 title=shutdown
2347 2356 program=/usr/ucb/shutdown
2348 2357 format=user
2349 2358 # See audit_shutdown.c
2350 2359
2351 2360 label=AUE_smserverd
2352 2361 program=/usr/lib/smedia/rpc.smserverd
2353 2362 format=[text]1:[text]2
2354 2363 comment=state change:
2355 2364 comment=vid, pid, major/minor device
2356 2365 # see usr/src/cmd/smserverd
2357 2366 # code shows a third token, path, but it isn't implemented.
2358 2367
2359 2368 label=AUE_uadmin_solaris
2360 2369 title=uadmin (obsolete)
2361 2370 program=
2362 2371 see=
2363 2372 format=text1:text2
2364 2373 comment=function code:
2365 2374 comment=argument code
2366 2375 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2367 2376
2368 2377 label=AUE_LABELSYS_TNRH
2369 2378 title=config Trusted Network remote host cache
2370 2379 see=tnrh(2)
2371 2380 syscall=labelsys: TSOL_TNRH
2372 2381 case=With the flush command (cmd=3)
2373 2382 format=arg1
2374 2383 comment=1, command, "cmd"
2375 2384 case=With the load (cmd=1) and delete (cmd=2) commands
2376 2385 format=arg1:inaddr2:arg3
2377 2386 comment=1, command, "cmd":
2378 2387 comment=ip address of host:
2379 2388 comment=2, prefix length, "prefix len"
2380 2389
2381 2390 label=AUE_LABELSYS_TNRHTP
2382 2391 title=config Trusted Network remote host template
2383 2392 see=tnrhtp(2)
2384 2393 syscall=labelsys: TSOL_TNRHTP
2385 2394 case=With the flush command (cmd=3)
2386 2395 format=arg1
2387 2396 comment=1, command, "cmd"
2388 2397 case=With the load (cmd=1) and delete (cmd=2) commands
2389 2398 format=arg1:text2
2390 2399 comment=1, command, "cmd":
2391 2400 comment=name of template
2392 2401
2393 2402 label=AUE_LABELSYS_TNMLP
2394 2403 title=config Trusted Network multi-level port entry
2395 2404 see=tnmlp(2)
2396 2405 syscall=labelsys: TSOL_TNMLP
2397 2406 case=With the flush command (cmd=3)
2398 2407 format=arg1:text2
2399 2408 comment=1, command, "cmd":
2400 2409 comment="shared", or name of zone
2401 2410 case=With the load (cmd=1) and delete (cmd=2) commands
2402 2411 format=arg1:text2:arg3:arg4:[arg]5
2403 2412 comment=1, command, "cmd":
2404 2413 comment="shared", or name of zone:
2405 2414 comment=2, protocol number, "proto num":
2406 2415 comment=2, starting mlp port number, "mlp_port":
2407 2416 comment=2, ending mlp port number, "mlp_port_upper"