1 # audit_record_attr.txt
2 # Lines beginning with two "#" are comments that are copied to audit_record_attr;
3 # all other comments are removed.
4 ##
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 ## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
7 ## Copyright 2019 Joyent, Inc.
8 ##
9 ## CDDL HEADER START
10 ##
11 ## The contents of this file are subject to the terms of the
12 ## Common Development and Distribution License (the "License").
13 ## You may not use this file except in compliance with the License.
14 ##
15 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
16 ## or http://www.opensolaris.org/os/licensing.
17 ## See the License for the specific language governing permissions
18 ## and limitations under the License.
19 ##
20 ## When distributing Covered Code, include this CDDL HEADER in each
21 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
22 ## If applicable, add the following below this CDDL HEADER, with the
23 ## fields enclosed by brackets "[]" replaced with your own identifying
24 ## information: Portions Copyright [yyyy] [name of copyright owner]
25 ##
26 ## CDDL HEADER END
27 ##
28 ##
29
30 # source file for describing audit records.
31
32 # This file is in two sections. The first is a list of attribute /
33 # value pairs used to provide shortcuts in annotating the audit
34 # records. The second holds the annotation for each audit record.
35
36 # first section: general attributes
37
38 # skipClass=<class name of items to skip if only in that class>
39 # skipClass=no # uncomment to filter unused events
40
41 # token name abbreviations
42 # token=alias:fullname -- short names for key tokens
43
44 token=arg:argument
45 token=attr:attribute
46 token=acl:acl_entry
47 token=cmd:command
48 token=data:data
49 token=exec_args:exec_arguments
50 token=exec_env:exec_environment
51 token=group:group
52 token=inaddr:ip_addr
53 token=inet:socket
54 token=ipc:ipc
55 token=ipc_perm:ipc_perm
56 token=newgroup:newgroups
57 token=path:path
58 token=path_attr:attribute_path
59 token=privset:privilege
60 token=proc:process
61 token=text:text
62 token=tid:terminal_adr
63 token=uauth:use_of_authorization
64 token=upriv:use_of_privilege
65 token=user:user_object
66 token=zone:zonename
67 token=fmri:service_instance
68 token=label:mandatory_label
69
70 token=head:header
71 token=subj:subject
72 token=ret:return
73 token=exit:exit
74
75 # note names -- certain notes show up repeatedly; collected here
76 #
77 # To keep every line shorter than 80 characters, a note name (message=)
78 # may be written across multiple lines; each line except the last ends
79 # with a backslash character.
80
81 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
82 the message ID is not valid.
83
84
85 # basic record pattern ("insert" is where event-specific tokens
86 # are listed.)
87
88 kernel=head:insert:subj:[upriv]:ret
89 user=head:subj:insert:ret
90
91 # Second Section
92 # Annotation Section
93 #
94 # Most audit records need annotation beyond what is provided by
95 # the files audit_event and audit_class. At a minimum, a record
96 # is represented by a label and a format.
97 #
98 # label=record_id like AUE_ACCEPT
99 # format=token_alias
100 #
101 # there is no end line; a new label= ends the preceding definition
102 # and starts the next.
103 #
104 # format values are a list of token names, separated by colons. The
105 # name is either one of the values described above (token=) or is
106 # a value to be taken literally. If a token name ends with a digit,
107 # the digit is an index into an array of comments. In the few cases
108 # where there are no tokens (other than header, subject, return/exit),
109 # use "format=kernel" or "format=user".
110 #
111 # comment is an array of strings separated by colons. If comments
112 # are listed on separate lines (recommended for better readability
113 # and maintainability of the file), the preceding comment must end
114 # with a colon. The array starts at 1. (If the comment contains
115 # a colon, use ":" without the quotes.)
116 #
117 # case is used to generate alternate descriptions for a given
118 # record.
119 #
120 # Constraints - string length; bear in mind that any annotation of the
121 # primitives below that is longer than specified will be silently truncated
122 # to the given number of characters at auditrecord(1M) runtime:
123 #
124 # primitive <= max (non-truncated) string length
125 # case <= unlimited; if necessary, text continues on a new line
126 # comment <= unlimited; if necessary, text continues on a new line
127 # label <= 43
128 # note <= unlimited; if necessary, text continues on a new line
129 # program <= 20
130 # see <= 39
131 # syscall <= 20
132 # title <= 46
133 # token <= 28 (full name)
134 #
135 # To keep every line shorter than 80 characters, the unlimited primitives
136 # may be written across multiple lines; each line except the last ends
137 # with a backslash character. In addition to those mentioned above, the
138 # "format=" record attribute follows the same rule.
139 #
140 #
141 # AUE_ACCEPT illustrates the use of all the above. Note that
142 # case is not nested; ellipsis (...) is used to give the effect
143 # of nesting.
144
145 label=AUE_ACCEPT
146 #accept(2) failure
147 case=Invalid socket file descriptor
148 format=arg1
149 comment=1, file descriptor, "so"
150 #accept(2) non SOCK_STREAM socket
151 case=If the socket address is not part of the AF_INET family
152 format=arg1:arg2:arg3
153 comment=1, "so", file descriptor:
154 comment="family", so_family:
155 comment="type", so_type
156 case=If the socket address is part of the AF_INET family
157 case=...If there is no vnode for this file descriptor
158 format=[arg]1
159 comment=1, file descriptor, "Bad so"
160 #accept(2) SOCK_STREAM socket-not bound
161 case=...or if the socket is not bound
162 format=[arg]1:[inet]2
163 comment=1, file descriptor, "so":
164 comment=local/foreign address (0.0.0.0)
165 case=...or if the socket address length = 0
166 format=[arg]1:[inet]2
167 comment=1, file descriptor, "so":
168 comment=local/foreign address (0.0.0.0)
169 case=...or for all other conditions
170 format=inet1:[inet]1
171 comment=socket address
172 #accept(2) failure
173 # header
174 # au_to_arg32 "so",file descriptor
175 # subject
176 # return <errno != 0>
177 #
178 #accept(2) non SOCK_STREAM socket
179 # header
180 # au_to_arg32 "so", file descriptor
181 # au_to_arg32 "family", so_family
182 # au_to_arg32 "type", so_type
183 # subject
184 # return success
185 #
186 #accept(2) SOCK_STREAM socket-not bound
187 # header
188 # au_to_arg32 "so", file descriptor
189 # au_to_socket_ex local/foreign address (0.0.0.0)
190 # subject
191 # return success
192 #
193 #accept(2) SOCK_STREAM socket-bound
194 # header
195 # au_to_arg32 "so", file descriptor
196 # au_to_socket_ex
197 # subject
198 # return success
199
200
201
202 label=AUE_ACCESS
203 format=path1:[attr]
204 comment=may be truncated in failure case
205 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
206 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
207 # attribute,100777,41416,staff,8388608,402255,0
208 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
209 # return,success,0
210 # trailer,163
211 #
212 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
213 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
214 # attribute,100000,root,other,8388608,402257,0
215 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
216 # return,failure: Permission denied,-1
217 # trailer,163
218 #
219 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
220 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
221 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
222 # return,failure: No such file or directory,-1
223 # trailer,135
224
225 label=AUE_ACCT
226 case=Zero path
227 format=arg1
228 comment=1, 0, "accounting off"
229 case=Non-zero path
230 format=path1:[attr]2
231 comment=may be truncated in failure case:
232 comment=omitted if failure
233
234 label=AUE_ACLSET
235 syscall=acl
236 format=arg1:arg2:(0..n)[acl]3
237 comment=2, SETACL, "cmd":
238 comment=3, number of ACL entries, "nentries":
239 comment=Access Control List entries
240
241 label=AUE_ADJTIME
242 format=kernel
243
244 label=AUE_ASYNC_DAEMON
245 skip=Not used
246
247 label=AUE_ASYNC_DAEMON_EXIT
248 skip=Not used
249
250 label=AUE_AUDIT
251 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
252
253 label=AUE_AUDITON
254 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
255
256 label=AUE_AUDITON_GESTATE
257 skip=Not used
258
259 label=AUE_AUDITON_GETAMASK
260 format=kernel
261 syscall=auditon: GETAMASK
262
263 label=AUE_AUDITON_GETCAR
264 format=kernel
265 syscall=auditon: GETCAR
266 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
267 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
268 # return,success,0
269 # trailer,68
270
271 label=AUE_AUDITON_GETCLASS
272 format=kernel
273 syscall=auditon: GETCLASS
274 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
275 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
276 # return,success,0
277 # trailer,68
278
279 label=AUE_AUDITON_GETCOND
280 format=kernel
281 syscall=auditon: GETCOND
282 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
283 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
284 # return,success,0
285 # trailer,68
286
287 label=AUE_AUDITON_GETCWD
288 format=kernel
289 syscall=auditon: GETCWD
290 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
291 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
292 # return,success,0
293 # trailer,68
294
295 label=AUE_AUDITON_GETKMASK
296 format=kernel
297 syscall=auditon: GETKMASK
298 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
299 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
300 # return,success,0
301 # trailer,68
302
303 label=AUE_AUDITON_GETSTAT
304 format=kernel
305 syscall=auditon: A_GETSTAT
306 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
307 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
308 # return,success,0
309 # trailer,68
310
311 label=AUE_AUDITON_GPOLICY
312 format=kernel
313 syscall=auditon: GPOLICY
314 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
315 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
316 # return,success,0
317 # trailer,68
318
319 label=AUE_AUDITON_GQCTRL
320 format=kernel
321 syscall=auditon: GQCTRL
322 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
323 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
324 # return,success,0
325 # trailer,68
326
327
328 label=AUE_AUDITON_GTERMID
329 skip=Not used.
330
331 label=AUE_AUDITON_SESTATE
332 skip=Not used.
333
334 label=AUE_AUDITON_SETAMASK
335 format=[arg]1:[arg]2
336 comment=2, "setamask as_success", user default audit preselection mask:
337 comment=2, "setamask as_failure", user default audit preselection mask
338 syscall=auditon: SETAMASK
339
340 label=AUE_AUDITON_SETCLASS
341 format=[arg]1:[arg]2
342 comment=2, "setclass:ec_event", event number:
343 comment=3, "setclass:ec_class", class mask
344 syscall=auditon: SETCLASS
345 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
346 # argument,2,0x0,setclass:ec_event
347 # argument,3,0x0,setclass:ec_class
348 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
349 # return,success,0
350 # trailer,120
351
352 label=AUE_AUDITON_SETCOND
353 format=[arg]1
354 comment=3, "setcond", audit state
355 syscall=auditon: SETCOND
356
357 label=AUE_AUDITON_SETKMASK
358 format=[arg]1:[arg]2
359 comment=2, "setkmask as_success", kernel non-attributable mask:
360 comment=2, "setkmask as_failure", kernel non-attributable mask
361 syscall=auditon: SETKMASK
362 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
363 # argument,2,0x0,setkmask:as_success
364 # argument,2,0x0,setkmask:as_failure
365 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
366 # return,success,0
367 # trailer,124
368 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
369 # argument,2,0x0,setkmask:as_success
370 # argument,2,0x0,setkmask:as_failure
371 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
372 # return,failure: Not owner,-1
373 # trailer,124
374
375 label=AUE_AUDITON_SETSMASK
376 format=[arg]1:[arg]2
377 comment=3, "setsmask:as_success", session ID mask:
378 comment=3, "setsmask:as_failure", session ID mask
379 syscall=auditon: SETSMASK
380 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
381 # argument,3,0x400,setsmask:as_success
382 # argument,3,0x400,setsmask:as_failure
383 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
384 # return,success,0
385 # trailer,124
386 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
387 # argument,3,0x400,setsmask:as_success
388 # argument,3,0x400,setsmask:as_failure
389 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
390 # return,failure: Not owner,-1
391 # trailer,124
392
393 label=AUE_AUDITON_SETSTAT
394 format=kernel
395 syscall=auditon: SETSTAT
396 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
397 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
398 # return,success,0
399 # trailer,68
400 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
401 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
402 # return,failure: Not owner,-1
403 # trailer,68
404
405 label=AUE_AUDITON_SETUMASK
406 format=[arg]1:[arg]2
407 comment=3, "setumask:as_success", audit ID mask:
408 comment=3, "setumask:as_failure", audit ID mask
409 syscall=auditon: SETUMASK
410 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
411 # argument,3,0x400,setumask:as_success
412 # argument,3,0x400,setumask:as_failure
413 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
414 # return,success,0
415 # trailer,124
416 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
417 # argument,3,0x400,setumask:as_success
418 # argument,3,0x400,setumask:as_failure
419 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
420 # return,failure: Not owner,-1
421 # trailer,124
422
423 label=AUE_AUDITON_SPOLICY
424 format=[arg]1
425 comment=1, audit policy flags, "setpolicy"
426 syscall=auditon: SPOLICY
427 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
428 # argument,3,0x200,setpolicy
429 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
430 # return,success,0
431 # trailer,86
432 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
433 # argument,3,0x200,setpolicy
434 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
435 # return,failure: Not owner,-1
436 # trailer,86
437
438 label=AUE_AUDITON_SQCTRL
439 format=[arg]1:[arg]2:[arg]3:[arg]4
440 comment=3, "setqctrl:aq_hiwater", queue control param.:
441 comment=3, "setqctrl:aq_lowater", queue control param.:
442 comment=3, "setqctrl:aq_bufsz", queue control param.:
443 comment=3, "setqctrl:aq_delay", queue control param.
444 syscall=auditon: SQCTRL
445 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
446 # argument,3,0x64,setqctrl:aq_hiwater
447 # argument,3,0xa,setqctrl:aq_lowater
448 # argument,3,0x400,setqctrl:aq_bufsz
449 # argument,3,0x14,setqctrl:aq_delay
450 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
451 # return,success,0
452 # trailer,176
453 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
454 # argument,3,0x64,setqctrl:aq_hiwater
455 # argument,3,0xa,setqctrl:aq_lowater
456 # argument,3,0x400,setqctrl:aq_bufsz
457 # argument,3,0x14,setqctrl:aq_delay
458 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
459 # return,failure: Not owner,-1
460 # trailer,176
461
462 label=AUE_AUDITON_SETPMASK
463 format=[arg]1:[arg]2
464 comment=3, "setpmask:pid", process
465 comment=3, "setpmask:as_success", audit ID mask:
466 comment=3, "setpmask:as_failure", audit ID mask
467 syscall=auditon: SETPMASK
468
469 label=AUE_AUDITON_SETKAUDIT
470 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
471 comment=1, audit user ID, "auid":
472 comment=1, terminal ID, "port":
473 comment=1, type, "type":
474 comment=1, terminal ID, "ip address":
475 comment=1, preselection mask, "as_success":
476 comment=1, preselection mask, "as_failure":
477 comment=1, audit session ID, "asid"
478 syscall=auditon: SETKAUDIT
479
480 label=AUE_AUDITON_GETPINFO
481 format=kernel
482 syscall=auditon: GETPINFO
483
484 label=AUE_AUDITON_GETKAUDIT
485 format=kernel
486 syscall=auditon: GETKAUDIT
487
488 label=AUE_AUDITON_OTHER
489 format=kernel
490 syscall=auditon: OTHER
491
492 label=AUE_AUDITON_STERMID
493 skip=Not used.
494
495 label=AUE_AUDITSTAT
496 skip=Not used.
497
498 label=AUE_AUDITSVC
499 skip=Not used.
500
501 label=AUE_AUDITSYS
502 skip=Not used. (Place holder for various auditing events.)
503
504 label=AUE_BIND
505 # differs from documented version.
506 # cases "no vnode" not fully confirmed
507 # family and type need argument number
508 case=Invalid socket handle
509 format=arg1
510 comment=1, file descriptor, "so"
511 case=If there is no vnode for this file descriptor
512 case=or if the socket is not of the AF_INET family
513 format=arg1:arg2:arg3
514 comment=1, file descriptor, "so":
515 comment=1, socket family, "family":
516 comment=1, socket type, "type"
517 case=or for all other conditions
518 format=arg1:inet2
519 comment=1, file descriptor, "so":
520 comment=socket address
521
522 label=AUE_BRANDSYS
523 # generic mechanism to allow user-space and kernel components of a brand
524 # to communicate. The interpretation of the arguments to the call is
525 # left entirely up to the brand.
526 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
527 comment=1, command, "cmd":
528 comment=2, command args, "arg":
529 comment=3, command args, "arg":
530 comment=4, command args, "arg":
531 comment=5, command args, "arg":
532 comment=6, command args, "arg":
533 comment=7, command args, "arg"
534
535 label=AUE_BSMSYS
536 skip=Not used.
537
538 label=AUE_CHDIR
539 format=path:[attr]
540 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
541 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
542 # attribute,40777,root,other,8388608,231558,0
543 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
544 # return,success,0
545 # trailer,151
546 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
547 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
548 # attribute,40000,root,other,8388608,237646,0
549 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
550 # return,failure: Permission denied,-1
551 # trailer,151
552
553 label=AUE_CHMOD
554 format=arg1:path:[attr]
555 comment=2, mode, "new file mode"
556 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
557 # argument,2,0x1f8,new file mode
558 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
559 # attribute,100770,tuser10,other,8388608,243608,0
560 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
561 # return,success,0
562 # trailer,173
563 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
564 # argument,2,0x1f8,new file mode
565 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
566 # attribute,100600,root,other,8388608,243609,0
567 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
568 # return,failure: Not owner,-1
569 # trailer,173
570
571 label=AUE_CHOWN
572 format=arg1:arg2
573 comment=2, uid, "new file uid":
574 comment=3, gid, "new file gid"
575 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
576 # argument,2,0x271a,new file uid
577 # argument,3,0xffffffff,new file gid
578 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
579 # attribute,100644,tuser10,other,8388608,268406,0
580 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
581 # return,success,0
582 # trailer,193
583 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
584 # argument,2,0x271a,new file uid
585 # argument,3,0xffffffff,new file gid
586 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
587 # attribute,100644,root,other,8388608,268407,0
588 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
589 # return,failure: Not owner,-1
590 # trailer,193
591
592 label=AUE_CHROOT
593 format=path:[attr]
594 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
595 # path,/
596 # attribute,40755,root,root,8388608,2,0
597 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
598 # return,success,0
599 # trailer,104
600 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
601 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
602 # attribute,40777,tuser10,other,8388608,335110,0
603 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
604 # return,failure: Not owner,-1
605 # trailer,152
606
607 label=AUE_CLOCK_SETTIME
608 format=kernel
609
610 label=AUE_CLOSE
611 format=arg1:[path]:[attr]
612 comment=1, file descriptor, "fd"
613
614 label=AUE_CONFIGKSSL
615 case=Adding KSSL entry.
616 format=text1:inaddr2:text3:text4
617 comment=opcode, KSSL_ADD_ENTRY:
618 comment=local IP address:
619 comment=SSL port number:
620 comment=proxy port number
621 case=Deleting KSSL entry.
622 format=text1:inaddr2:text3
623 comment=opcode, KSSL_DELETE_ENTRY:
624 comment=local IP address:
625 comment=SSL port number
626
627 label=AUE_CONNECT
628 # cases "no vnode" not fully confirmed
629 case=If there is no vnode for this file descriptor
630 case=If the socket address is not part of the AF_INET family
631 format=arg1:arg2:arg3
632 comment=1, file descriptor, "so":
633 comment=1, socket family, "family":
634 comment=1, socket type, "type"
635 case=If the socket address is part of the AF_INET family
636 format=arg1:inet2
637 comment=1, file descriptor, "so":
638 comment=socket address
639
640 label=AUE_CORE
641 syscall=none
642 title=process dumped core
643 see=none
644 format=path:[attr]:arg1
645 comment=1, signal, "signal"
646 # see uts/common/c2/audit.c
647
648 label=AUE_CREAT
649 # obsolete - see open(2)
650 format=path:[attr]
651 # does not match old BSM manual
652 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
653 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
654 # attribute,100644,tuser10,other,8388608,49679,0
655 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
656 # return,success,8
657 # trailer,151
658 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
659 # path,/devices/pseudo/mm@0:null
660 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
661 # return,success,8
662 # trailer,107
663 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
664 # path,/obj_fail
665 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
666 # return,failure: Permission denied,-1
667 # trailer,83
668
669 label=AUE_CRYPTOADM
670 title=kernel cryptographic framework
671 format=text1:(0..n)[text]2
672 comment=cryptoadm command/operation:
673 comment=mechanism list
674
675 label=AUE_DOORFS
676 skip=Not used. (Place holder for set of door audit events.)
677
678 label=AUE_DOORFS_DOOR_BIND
679 skip=Not used.
680 syscall=doorfs: DOOR_BIND
681
682 label=AUE_DOORFS_DOOR_CALL
683 format=arg1:proc2
684 comment=1, door ID, "door ID":
685 comment=for process that owns the door
686 syscall=doorfs: DOOR_CALL
687
688 label=AUE_DOORFS_DOOR_CREATE
689 format=arg1
690 comment=1, door attributes, "door attr"
691 syscall=doorfs: DOOR_CREATE
692
693 label=AUE_DOORFS_DOOR_CRED
694 skip=Not used.
695 syscall=doorfs: DOOR_CRED
696
697 label=AUE_DOORFS_DOOR_INFO
698 skip=Not used.
699 syscall=doorfs: DOOR_INFO
700
701 label=AUE_DOORFS_DOOR_RETURN
702 format=kernel
703 syscall=doorfs: DOOR_RETURN
704
705 label=AUE_DOORFS_DOOR_REVOKE
706 format=arg1
707 comment=1, door ID, "door ID"
708 syscall=doorfs: DOOR_REVOKE
709
710 label=AUE_DOORFS_DOOR_UNBIND
711 skip=Not used.
712 syscall=doorfs: DOOR_UNBIND
713
714 label=AUE_DUP2
715 skip=Not used.
716
717 label=AUE_ENTERPROM
718 title=enter prom
719 syscall=none
720 format=head:text1:ret
721 comment="kmdb"
722 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
723 # text,kmdb
724 # return,success,0
725
726 label=AUE_EXEC
727 # obsolete - see execve(2)
728 format=path:[attr]1:[exec_args]2:[exec_env]3
729 comment=omitted on error:
730 comment=output if argv policy is set:
731 comment=output if arge policy is set
732
733 label=AUE_EXECVE
734 format=path:[attr]1:[exec_args]2:[exec_env]3
735 comment=omitted on error:
736 comment=output if argv policy is set:
737 comment=output if arge policy is set
738 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
739 # path,/devices/pseudo/mm@0:null
740 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
741 # return,success,8
742 # trailer,107
743 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
744 # path,/usr/bin/pig
745 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
746 # return,failure: No such file or directory,-1
747 # trailer,86
748
749 label=AUE_PFEXEC
750 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
751 comment=pathname of the executable:
752 comment=pathname of working directory:
753 comment=privileges if the limit or inheritable set are changed:
754 comment=process if ruid, euid, rgid or egid is changed:
755 comment=output if arge policy is set
756
757 label=AUE_sudo
758 format=exec_args1:[text]2
759 comment=command args:
760 comment=error message (failure only)
761
762 label=AUE_EXIT
763 format=arg1:[text]2
764 comment=1, exit status, "exit status":
765 comment=event aborted
766
767 label=AUE_EXITPROM
768 title=exit prom
769 syscall=none
770 format=head:text1:ret
771 comment="kmdb"
772 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
773 # text,kmdb
774 # return,success,0
775
776 label=AUE_EXPORTFS
777 skip=Not used.
778
779 label=AUE_FACCESSAT
780 # obsolete
781 see=access(2)
782 format=path:[attr]
783
784 label=AUE_FACLSET
785 syscall=facl
786 case=Invalid file descriptor
787 format=arg1:arg2
788 comment=2, SETACL, "cmd":
789 comment=3, number of ACL entries, "nentries"
790 case=Zero path
791 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
792 comment=2, SETACL, "cmd":
793 comment=3, number of ACL entries, "nentries":
794 comment=1, file descriptor, "no path: fd":
795 comment=ACLs
796 case=Non-zero path
797 format=arg1:arg2:path:[attr]:(0..n)[acl]3
798 comment=2, SETACL, "cmd":
799 comment=3, number of ACL entries, "nentries":
800 comment=ACLs
801
802 label=AUE_FCHDIR
803 format=[path]:[attr]
804 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
805 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
806 # attribute,40777,tuser10,other,8388608,207662,0
807 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
808 # return,success,0
809 # trailer,150
810 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
811 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
812 # return,failure: Permission denied,-1
813 # trailer,68
814
815 label=AUE_FCHMOD
816 case=With a valid file descriptor and path
817 format=arg1:path:[attr]
818 comment=2, mode, "new file mode"
819 case=With a valid file descriptor and invalid path
820 format=arg1:[arg]2:[attr]
821 comment=2, mode, "new file mode":
822 comment=1, file descriptor, "no path: fd"
823 case=With an invalid file descriptor
824 format=arg1
825 comment=2, mode, "new file mode"
826 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
827 # argument,2,0x1a4,new file mode
828 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
829 # attribute,100644,tuser10,other,7602240,26092,0
830 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
831 # return,success,0
832 # trailer,168
833 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
834 # argument,2,0x1a4,new file mode
835 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
836 # return,failure: Bad file number,-1
837 # trailer,90
838 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
839 # argument,2,0x1a4,new file mode
840 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
841 # attribute,100644,root,other,7602240,26093,0
842 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
843 # return,failure: Not owner,-1
844 # trailer,168
845
846 label=AUE_FCHOWN
847 case=With a valid file descriptor
848 format=arg1:arg2:[path]:[attr]
849 comment=2, uid, "new file uid":
850 comment=3, gid, "new file gid"
851 case=With an invalid file descriptor
852 format=arg1:arg2:[arg]3:[attr]
853 comment=2, uid, "new file uid":
854 comment=3, gid, "new file gid":
855 comment=1, file descriptor, "no path fd"
856
857 label=AUE_FCHOWNAT
858 # obsolete
859 see=openat(2)
860 case=With a valid absolute/relative file path
861 format=path:[attr]
862 case=With an file path eq. NULL and valid file descriptor
863 format=kernel
864
865 label=AUE_FCHROOT
866 format=[path]:[attr]
867 # fchroot -> chdirec -> audit_chdirec
868
869 label=AUE_FCNTL
870 case=With a valid file descriptor
871 format=arg1:[arg]2:path:attr
872 comment=2, command, "cmd":
873 comment=3, flags, "flags"
874 case=With an invalid file descriptor
875 format=arg1:[arg]2:arg3
876 comment=2, command, "cmd":
877 comment=3, flags, "flags":
878 comment=1, file descriptor, "no path fd"
879 note=Flags are included only when cmd is F_SETFL.
880
881 label=AUE_FLOCK
882 skip=Not used.
883
884 label=AUE_FORKALL
885 format=[arg]1
886 comment=0, pid, "child PID"
887 note=The forkall(2) return values are undefined because the audit record
888 note=is produced at the point that the child process is spawned.
889 # see audit.c
890
891 label=AUE_FORK1
892 format=[arg]1
893 comment=0, pid, "child PID"
894 note=The fork1(2) return values are undefined because the audit record
895 note=is produced at the point that the child process is spawned.
896 # see audit.c
897
898 label=AUE_FSAT
899 # obsolete
900 skip=Not used. (Placeholder for AUE_*AT records)
901
902 label=AUE_FSTAT
903 skip=Not used.
904
905 label=AUE_FSTATAT
906 # obsolete
907 format=path:[attr]
908
909 label=AUE_FSTATFS
910 case=With a valid file descriptor
911 format=[path]:[attr]
912 case=With an invalid file descriptor
913 format=arg1
914 comment=1, file descriptor, "no path fd"
915
916 label=AUE_FTRUNCATE
917 skip=Not used.
918
919 label=AUE_FUSERS
920 syscall=utssys: UTS_FUSERS
921 format=path:attr
922
923 label=AUE_FUTIMESAT
924 # obsolete
925 format=[path]:[attr]
926
927 label=AUE_GETAUDIT
928 format=kernel
929 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
930 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
931 # return,success,0
932 # trailer,68
933 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
934 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
935 # return,success,0
936 # trailer,68
937
938 label=AUE_GETAUDIT_ADDR
939 format=kernel
940 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
941 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
942 # return,success,0
943
944 label=AUE_GETAUID
945 format=kernel
946 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
947 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
948 # return,success,0
949 # trailer,68
950 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
951 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
952 # return,failure: Not owner,-1
953 # trailer,68
954
955 label=AUE_GETDENTS
956 skip=Not used.
957 #Not security relevant
958
959 label=AUE_GETKERNSTATE
960 skip=Not used.
961
962 label=AUE_GETMSG
963 case=With a valid file descriptor
964 format=arg1:[path]:attr:arg2
965 comment=1, file descriptor, "fd":
966 comment=4, priority, "pri"
967 case=With an invalid file descriptor
968 format=arg1:arg2
969 comment=1, file descriptor, "fd":
970 comment=4, priority, "pri"
971
972 label=AUE_GETPMSG
973 case=With a valid file descriptor
974 format=arg1:[path]:attr
975 comment=1, file descriptor, "fd"
976 case=With an invalid file descriptor
977 format=arg1
978 comment=1, file descriptor, "fd"
979
980 label=AUE_GETPORTAUDIT
981 format=Not used.
982
983 label=AUE_GETUSERAUDIT
984 skip=Not used.
985
986 label=AUE_INST_SYNC
987 format=arg1
988 comment=2, flags value, "flags"
989
990 label=AUE_IOCTL
991 case=With an invalid file descriptor
992 format=arg1:arg2:arg3
993 comment=1, file descriptor, "fd":
994 comment=2, command, "cmd":
995 comment=3, arg, "arg"
996 case=With a valid file descriptor
997 format=path:[attr]:arg1:arg2
998 comment=2, ioctl cmd, "cmd":
999 comment=3, ioctl arg, "arg"
1000 case=Non-file file descriptor
1001 format=arg1:arg2:arg3
1002 comment=1, file descriptor, "fd":
1003 comment=2, ioctl cmd, "cmd":
1004 comment=3, ioctl arg, "arg"
1005 case=Bad file name
1006 format=arg1:arg2:arg3
1007 comment=1, file descriptor, "no path: fd":
1008 comment=2, ioctl cmd, "cmd":
1009 comment=3, ioctl arg, "arg"
1010 # old BSM manual misses a case
1011
1012 label=AUE_JUNK
1013 skip=Not used.
1014
1015 label=AUE_KILL
1016 case=Valid process
1017 format=arg1:[proc]
1018 comment=2, signo, "signal"
1019 case=Zero or negative process
1020 format=arg1:arg2
1021 comment=2, signo, "signal":
1022 comment=1, pid, "process"
1023
1024 label=AUE_KILLPG
1025 skip=Not used.
1026
1027 label=AUE_LCHOWN
1028 format=arg1:arg2:path:[attr]
1029 comment=2, uid, "new file uid":
1030 comment=3, gid, "new file gid"
1031
1032 label=AUE_LINK
1033 format=path1:[attr]:path2
1034 comment=from path:
1035 comment=to path
1036
1037 label=AUE_LSEEK
1038 skip=Not used.
1039
1040 label=AUE_LSTAT
1041 format=path:[attr]
1042
1043 label=AUE_LXSTAT
1044 # obsolete
1045 skip=Not used.
1046
1047 label=AUE_MCTL
1048 skip=Not used.
1049
1050 label=AUE_MEMCNTL
1051 format=arg1:arg2:arg3:arg4:arg5:arg6
1052 comment=1, base address, "base":
1053 comment=2, length, "len":
1054 comment=3, command, "cmd":
1055 comment=4, command args, "arg":
1056 comment=5, command attributes, "attr":
1057 comment=6, 0, "mask"
1058
1059 label=AUE_MKDIR
1060 format=arg1:path:[attr]
1061 comment=2, mode, "mode"
1062
1063 label=AUE_MKNOD
1064 format=arg1:arg2:path:[attr]
1065 comment=2, mode, "mode":
1066 comment=3, dev, "dev"
1067
1068 label=AUE_MMAP
1069 case=With a valid file descriptor
1070 format=arg1:arg2:[path]3:[attr]
1071 comment=1, segment address, "addr":
1072 comment=2, segment length, "len":
1073 comment=if no path, then argument: \
1074 1, "nopath: fd", file descriptor
1075 case=With an invalid file descriptor
1076 format=arg1:arg2:arg3
1077 comment=1, segment address, "addr":
1078 comment=2, segment length, "len":
1079 comment=1, file descriptor, "no path: fd"
1080
1081 label=AUE_MODADDMAJ
1082 title=modctl: bind module
1083 syscall=modctl
1084 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1085 comment=driver major number:
1086 comment=driver name:
1087 comment=driver major number or "no drvname":
1088 comment=5, number of aliases, "":
1089 comment=aliases
1090
1091 label=AUE_MODADDPRIV
1092 format=kernel
1093
1094 label=AUE_MODCONFIG
1095 skip=Not used.
1096
1097 label=AUE_MODCTL
1098 skip=Not used. (placeholder)
1099
1100 label=AUE_MODDEVPLCY
1101 syscall=modctl
1102 title=modctl: set device policy
1103 case=If unknown minor name/pattern
1104 format=arg1:arg2:arg3:arg4:arg5
1105 comment=2, "major", major number:
1106 comment=2, "lomin", low minor number, if known:
1107 comment=2, "himin", hi minor number, if known:
1108 comment=privileges required for reading:
1109 comment=privileges required for writing
1110 case=else
1111 format=arg1:text2:arg3:arg4
1112 comment=2, "major", major number:
1113 comment=minor name/pattern:
1114 comment=privileges required for reading:
1115 comment=privileges required for writing
1116
1117 label=AUE_MODLOAD
1118 syscall=modctl
1119 title=modctl: load module
1120 format=[text]1:text2
1121 comment=default path:
1122 comment=filename path
1123
1124 label=AUE_MODUNLOAD
1125 syscall=modctl
1126 title=modctl: unload module
1127 format=arg1
1128 comment=1, module ID, "id"
1129
1130 label=AUE_MOUNT
1131 case=UNIX file system
1132 format=arg1:text2:path:[attr]
1133 comment=3, flags, "flags":
1134 comment=filesystem type
1135 case=NFS file system
1136 format=arg1:text2:text3:arg4:path:[attr]
1137 comment=3, flags, "flags":
1138 comment=filesystem type:
1139 comment=host name:
1140 comment=3, flags, "internal flags"
1141 # unix example:
1142 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1143 # argument,3,0x104,flags
1144 # text,ufs
1145 # path,/var2
1146 # attribute,40755,root,root,32,12160,0
1147 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1148 # attribute,60640,root,sys,32,231268,137438953476
1149 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1150 # return,success,4290707268
1151 # ^^^^^^^^^^ <- bugid 4333559
1152
1153 label=AUE_MSGCTL
1154 format=arg1:[ipc]:[ipc_perm]
1155 comment=1, message ID, "msg ID"
1156 note=ipc_perm
1157 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1158
1159 label=AUE_MSGCTL_RMID
1160 format=arg1:[ipc]:[ipc_perm]
1161 comment=1, message ID, "msg ID"
1162 note=ipc_perm
1163 syscall=msgctl: IPC_RMID
1164 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1165
1166 label=AUE_MSGCTL_SET
1167 format=arg1:[ipc]:[ipc_perm]
1168 comment=1, message ID, "msg ID"
1169 note=ipc_perm
1170 syscall=msgctl: IPC_SET
1171 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1172
1173 label=AUE_MSGCTL_STAT
1174 format=arg1:[ipc]:[ipc_perm]
1175 comment=1, message ID, "msg ID"
1176 note=ipc_perm
1177 syscall=msgctl: IPC_STAT
1178 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1179
1180 label=AUE_MSGGET
1181 format=arg1:ipc
1182 comment=1, message key, "msg key"
1183 note=ipc_perm
1184 syscall=msgget
1185
1186 label=AUE_MSGGETL
1187 skip=Not used.
1188
1189 label=AUE_MSGRCV
1190 format=arg1:[ipc]:[ipc_perm]
1191 comment=1, message ID, "msg ID"
1192 note=ipc_perm
1193 syscall=msgrcv
1194 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1195
1196 label=AUE_MSGRCVL
1197 skip=Not used.
1198
1199 label=AUE_MSGSND
1200 format=arg1:[ipc]:[ipc_perm]
1201 comment=1, message ID, "msg ID"
1202 note=ipc_perm
1203 syscall=msgsnd
1204 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1205
1206 label=AUE_MSGSNDL
1207 skip=Not used.
1208
1209 label=AUE_MSGSYS
1210 skip=Not used. (Placeholder for AUE_MSG* events.)
1211
1212 label=AUE_MUNMAP
1213 format=arg1:arg2
1214 comment=1, address of memory, "addr":
1215 comment=2, memory segment size, "len"
1216
1217 label=AUE_NFS
1218 skip=Not used.
1219
1220 label=AUE_NFSSVC_EXIT
1221 skip=Not used.
1222
1223 label=AUE_NFS_GETFH
1224 skip=Not used.
1225
1226 label=AUE_NFS_SVC
1227 skip=Not used.
1228
1229 label=AUE_NICE
1230 format=kernel
1231
1232 label=AUE_NULL
1233 skip=Not used. (placeholder)
1234 # used internal to audit_event.c for minimal audit
1235
1236 label=AUE_NTP_ADJTIME
1237 format=kernel
1238
1239 label=AUE_ONESIDE
1240 skip=Not used.
1241
1242 label=AUE_OPEN
1243 skip=Not used. (placeholder for AUE_OPEN_*).
1244
1245 label=AUE_OPEN_R
1246 format=path:[path_attr]:[attr]
1247 see=open(2) - read
1248
1249 label=AUE_OPENAT_R
1250 # obsolete
1251 format=path:[path_attr]:[attr]
1252 see=openat(2)
1253
1254 label=AUE_OPEN_RC
1255 format=path:[path_attr]:[attr]
1256 see=open(2) - read,creat
1257
1258 label=AUE_OPENAT_RC
1259 # obsolete
1260 see=openat(2)
1261 format=path:[path_attr]:[attr]
1262
1263 label=AUE_OPEN_RT
1264 format=path:[path_attr]:[attr]
1265 see=open(2) - read,trunc
1266
1267 label=AUE_OPENAT_RT
1268 # obsolete
1269 see=openat(2)
1270 format=path:[path_attr]:[attr]
1271
1272 label=AUE_OPEN_RTC
1273 format=path:[path_attr]:[attr]
1274 see=open(2) - read,trunc,creat
1275
1276 label=AUE_OPENAT_RTC
1277 # obsolete
1278 see=openat(2)
1279 format=path:[path_attr]:[attr]
1280
1281 label=AUE_OPEN_RW
1282 format=path:[path_attr]:[attr]
1283 see=open(2) - read,write
1284
1285 label=AUE_OPENAT_RW
1286 # obsolete
1287 see=openat(2)
1288 format=path:[path_attr]:[attr]
1289 # aui_fsat(): fm & O_RDWR
1290
1291 label=AUE_OPEN_RWC
1292 format=path:[path_attr]:[attr]
1293 see=open(2) - read,write,creat
1294
1295 label=AUE_OPENAT_RWC
1296 # obsolete
1297 see=openat(2)
1298 format=path:[path_attr]:[attr]
1299
1300 label=AUE_OPEN_RWT
1301 format=path:[path_attr]:[attr]
1302 see=open(2) - read,write,trunc
1303
1304 label=AUE_OPENAT_RWT
1305 # obsolete
1306 see=openat(2)
1307 format=path:[path_attr]:[attr]
1308
1309 label=AUE_OPEN_RWTC
1310 format=path:[path_attr]:[attr]
1311 see=open(2) - read,write,trunc,creat
1312
1313 label=AUE_OPENAT_RWTC
1314 # obsolete
1315 see=openat(2)
1316 format=path:[path_attr]:[attr]
1317
1318 label=AUE_OPEN_W
1319 format=path:[path_attr]:[attr]
1320 see=open(2) - write
1321
1322 label=AUE_OPENAT_W
1323 see=openat(2)
1324 format=path:[path_attr]:[attr]
1325
1326 label=AUE_OPEN_WC
1327 format=path:[path_attr]:[attr]
1328 see=open(2) - write,creat
1329
1330 label=AUE_OPENAT_WC
1331 see=openat(2)
1332 format=path:[path_attr]:[attr]
1333
1334 label=AUE_OPEN_WT
1335 format=path:[path_attr]:[attr]
1336 see=open(2) - write,trunc
1337
1338 label=AUE_OPENAT_WT
1339 see=openat(2)
1340 format=path:[path_attr]:[attr]
1341
1342 label=AUE_OPEN_WTC
1343 format=path:[path_attr]:[attr]
1344 see=open(2) - write,trunc,creat
1345
1346 label=AUE_OPENAT_WTC
1347 see=openat(2)
1348 format=path:[path_attr]:[attr]
1349
1350 label=AUE_OPEN_S
1351 format=path:[path_attr]:[attr]
1352 see=open(2) - search
1353
1354 label=AUE_OPEN_E
1355 format=path:[path_attr]:[attr]
1356 see=open(2) - exec
1357
1358 label=AUE_OSETPGRP
1359 skip=Not used.
1360
1361 label=AUE_OSTAT
1362 # obsolete
1363 skip=Not used.
1364
1365 label=AUE_PATHCONF
1366 format=path:[attr]
1367
1368 label=AUE_PIPE
1369 format=kernel
1370 # class is no, not usually printed
1371
1372 label=AUE_PORTFS
1373 skip=Not used (placeholder for AUE_PORTFS_*).
1377
1378 label=AUE_PORTFS_ASSOCIATE
1379 syscall=portfs
1380 see=port_associate(3C)
1381 case=Port association via PORT_SOURCE_FILE
1382 format=[path]1:attr
1383 comment=name of the file/directory to be watched
1384
1385 label=AUE_PORTFS_DISSOCIATE
1386 syscall=portfs
1387 see=port_dissociate(3C)
1388 case=Port disassociation via PORT_SOURCE_FILE
1389 format=kernel
1390
1391 label=AUE_PRIOCNTLSYS
1392 syscall=priocntl
1393 see=priocntl(2)
1394 format=arg1:arg2
1395 comment=1, priocntl version number, "pc_version":
1396 comment=3, command, "cmd"
1397
1398 label=AUE_PROCESSOR_BIND
1399 case=No LWP/thread bound to the processor
1400 format=arg1:arg2:text3:[proc]
1401 comment=1, type of ID, "ID type":
1402 comment=2, ID value, "ID":
1403 comment="PBIND_NONE"
1404 case=With processor bound
1405 format=arg1:arg2:arg3:[proc]
1406 comment=1, type of ID, "ID type":
1407 comment=2, ID value, "ID":
1408 comment=3, processor ID, "processor_id"
1409
1410 label=AUE_PUTMSG
1411 see=putmsg(2)
1412 format=arg1:[path]:[attr]:arg2
1413 comment=1, file descriptor, "fd":
1414 comment=4, priority, "pri"
1415
1416 label=AUE_PUTPMSG
1417 see=putpmsg(2)
1418 format=arg1:[path]:[attr]:arg2:arg3
1419 comment=1, file descriptor, "fd":
1420 comment=4, priority, "pri":
1421 comment=5, flags, "flags"
1422
1423 label=AUE_P_ONLINE
1424 format=arg1:arg2:text3
1425 comment=1, processor ID, "processor ID":
1426 comment=2, flags value, "flags":
1427 comment=text form of flags. Values: \
1428 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1429
1430 label=AUE_QUOTACTL
1431 skip=Not used.
1432
1433 label=AUE_READ
1434 skip=Not used. (Placeholder for AUE_READ_* events)
1435
1436 label=AUE_READL
1437 skip=Not used. (Obsolete)
1438
1439 label=AUE_READLINK
1440 format=path:[attr]
1441
1442 label=AUE_READV
1443 skip=Not used (obsolete)
1444 # detritus from CMS
1445
1446 label=AUE_READVL
1447 skip=Not used (obsolete)
1448 # detritus from CMS
1449
1450 label=AUE_REBOOT
1451 skip=Not used.
1452
1453 label=AUE_RECV
1454 case=If address family is AF_INET or AF_INET6
1455 format=[arg]1:[inet]
1456 comment=1, file descriptor, "so"
1457 case=If address family is AF_UNIX and path is defined
1458 format=[path]1:[attr]
1459 comment=1, file descriptor, "so"
1460 case=If address family is AF_UNIX and path is NULL
1461 format=[path]1:[attr]
1462 comment=1, file descriptor, "no path: fd"
1463 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1464 format=[arg]1:[arg]2:[arg]3
1465 comment=1, file descriptor, "so":
1466 comment=1, family, "family":
1467 comment=1, type, "type"
1468 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1469
1470 label=AUE_RECVFROM
1471 format=inet:arg1:[arg]2:inet3:arg4
1472 comment=3, message length, "len":
1473 comment=4, flags, "flags":
1474 comment=from address:
1475 comment=6, address length, "tolen"
1476 note=The socket token for a bad socket is reported as "argument
1477 note=token (1, socket descriptor, "fd")"
1478
1479 label=AUE_RECVMSG
1480 case=If invalid file descriptor
1481 format=arg1:arg2
1482 comment=1, file descriptor, "so":
1483 comment=3, flags, "flags"
1484 case=If valid file descriptor and socket is AF_UNIX and no path
1485 format=arg1:[attr]
1486 comment=1, file descriptor, "no path: fd"
1487 case=If valid file descriptor and socket is AF_UNIX and path defined
1488 format=path:attr
1489 case=If valid file descriptor and socket is AF_INET or AF_INET6
1490 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1491 format=arg1:arg2:inet
1492 comment=1, file descriptor, "so":
1493 comment=2, flags, "flags"
1494 case=.. if socket type is unknown
1495 format=arg1:arg2:arg3:arg4
1496 comment=1, file descriptor, "so":
1497 comment=1, family, "family":
1498 comment=1, type, "type":
1499 comment=3, flags, "flags"
1500
1501 label=AUE_RENAME
1502 format=path1:[attr]1:[path]2
1503 comment=from name:
1504 comment=to name
1505
1506 label=AUE_RENAMEAT
1507 # obsolete
1508 format=path1:[attr]1:[path]2
1509 comment=from name:
1510 comment=to name
1511
1512 label=AUE_RFSSYS
1513 skip=Not used.
1514 # apparently replaced
1515
1516 label=AUE_RMDIR
1517 format=path:[attr]
1518
1519 label=AUE_SACL
1520 title=File Access Audit
1521 syscall=none
1522 see=none
1523 format=head:path:arg1:[text]2:subj
1524 comment="access_mask":
1525 comment="Windows SID"
1526
1527 label=AUE_SEMCTL
1528 format=arg1:[ipc]:[ipc_perm]
1529 comment=1, semaphore ID, "sem ID"
1530 note=ipc_perm
1531 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1532
1533 label=AUE_SEMCTL_GETALL
1534 format=arg1:[ipc]:[ipc_perm]
1535 comment=1, semaphore ID, "sem ID"
1536 note=ipc_perm
1537 syscall=semctl: GETALL
1538 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1539
1540 label=AUE_SEMCTL_GETNCNT
1541 format=arg1:[ipc]:[ipc_perm]
1542 comment=1, semaphore ID, "sem ID"
1543 note=ipc_perm
1544 syscall=semctl: GETNCNT
1545 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1546
1547 label=AUE_SEMCTL_GETPID
1548 format=arg1:[ipc]:[ipc_perm]
1549 comment=1, semaphore ID, "sem ID"
1550 note=ipc_perm
1551 syscall=semctl: GETPID
1552 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1553
1554 label=AUE_SEMCTL_GETVAL
1555 format=arg1:[ipc]:[ipc_perm]
1556 comment=1, semaphore ID, "sem ID"
1557 note=ipc_perm
1558 syscall=semctl: GETVAL
1559 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1560
1561 label=AUE_SEMCTL_GETZCNT
1562 format=arg1:[ipc]:[ipc_perm]
1563 comment=1, semaphore ID, "sem ID"
1564 note=ipc_perm
1565 syscall=semctl: GETZCNT
1566 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1567
1568 label=AUE_SEMCTL_RMID
1569 format=arg1:[ipc]:[ipc_perm]
1570 comment=1, semaphore ID, "sem ID"
1571 note=ipc_perm
1572 syscall=semctl: IPC_RMID
1573 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1574
1575 label=AUE_SEMCTL_SET
1576 format=arg1:[ipc]:[ipc_perm]
1577 comment=1, semaphore ID, "sem ID"
1578 note=ipc_perm
1579 syscall=semctl: IPC_SET
1580 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1581
1582 label=AUE_SEMCTL_SETALL
1583 format=arg1:[ipc]:[ipc_perm]
1584 comment=1, semaphore ID, "sem ID"
1585 note=ipc_perm
1586 syscall=semctl: SETALL
1587 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1588
1589 label=AUE_SEMCTL_SETVAL
1590 format=arg1:[ipc]:[ipc_perm]
1591 comment=1, semaphore ID, "sem ID"
1592 note=ipc_perm
1593 syscall=semctl: SETVAL
1594 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1595
1596 label=AUE_SEMCTL_STAT
1597 format=arg1:[ipc]:[ipc_perm]
1598 comment=1, semaphore ID, "sem ID"
1599 note=ipc_perm
1600 syscall=semctl: IPC_STAT
1601 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1602
1603 label=AUE_SEMGET
1604 format=arg1:[ipc_perm]:ipc
1605 comment=1, semaphore key, "sem key"
1606 note=ipc_perm
1607 syscall=semget
1608 # ipc_perm token: semget -> audit_ipcget
1609
1610 label=AUE_SEMGETL
1611 skip=Not used.
1612
1613 label=AUE_SEMOP
1614 format=arg1:[ipc]:[ipc_perm]
1615 comment=1, semaphore ID, "sem ID"
1616 note=ipc_perm
1617 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1618
1619 label=AUE_SEMSYS
1620 skip=Not used. (placeholder) -- defaults to a semget variant
1621
1622 label=AUE_SEND
1623 case=If address family is AF_INET or AF_INET6
1624 format=[arg]1:[inet]
1625 comment=1, file descriptor, "so"
1626 case=If address family is AF_UNIX and path is defined
1627 format=[path]1:[attr]
1628 comment=1, file descriptor, "so"
1629 case=If address family is AF_UNIX and path is NULL
1630 format=[path]1:[attr]
1631 comment=1, file descriptor, "no path: fd"
1632 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1633 format=[arg]1:[arg]2:[arg]3
1634 comment=1, file descriptor, "so":
1635 comment=1, family, "family":
1636 comment=1, type, "type"
1637 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1638
1639 label=AUE_SENDMSG
1640 case=If invalid file descriptor
1641 format=arg1:arg2
1642 comment=1, file descriptor, "so":
1643 comment=3, flags, "flags"
1644 case=If valid file descriptor
1645 case=...and address family is AF_UNIX and path is defined
1646 format=path:attr
1647 case=...and address family is AF_UNIX and path is NULL
1648 format=path1:attr
1649 comment=1, file descriptor, "nopath: fd"
1650 case=...and address family is AF_INET or AF_INET6, \
1651 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1652 format=arg1:arg2:inet
1653 comment=1, file descriptor, "so":
1654 comment=3, flags, "flags"
1655 case=...and unknown address family or address family AF_INET or AF_INET6 \
1656 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1657 format=arg1:arg2:arg3:arg4
1658 comment=1, file descriptor, "so":
1659 comment=1, family, "family":
1660 comment=1, type, "type":
1661 comment=1, flags, "flags"
1662
1663 label=AUE_SENDTO
1664 case=If invalid file descriptor
1665 format=arg1:arg2
1666 comment=1, file descriptor, "so":
1667 comment=3, flags, "flags"
1668 case=If valid file descriptor
1669 case=...and socket is AF_UNIX and path is defined
1670 format=path:attr
1671 case=...and address family is AF_UNIX and path is NULL
1672 format=path1:attr
1673 comment=1, file descriptor, "nopath: fd"
1674 case=...and address family is AF_INET or AF_INET6
1675 format=arg1:arg2:inet
1676 comment=1, file descriptor, "so":
1677 comment=3, flags, "flags"
1678 case=...and unknown address family
1679 format=arg1:arg2:arg3:arg4
1680 comment=1, file descriptor, "so":
1681 comment=1, family, "family":
1682 comment=1, type, "type":
1683 comment=1, flags, "flags"
1684
1685 label=AUE_SETAUDIT
1686 case=With a valid program stack address
1687 format=arg1:arg2:arg3:arg4:arg5:arg6
1688 comment=1, audit user ID, "setaudit:auid":
1689 comment=1, terminal ID, "setaudit:port":
1690 comment=1, terminal ID, "setaudit:machine":
1691 comment=1, preselection mask, "setaudit:as_success":
1692 comment=1, preselection mask, "setaudit:as_failure":
1693 comment=1, audit session ID, "setaudit:asid"
1694 case=With an invalid program stack address
1695 format=kernel
1696 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1697 # argument,1,0x271a,setaudit:auid
1698 # argument,1,0x3ff0201,setaudit:port
1699 # argument,1,0x8192591e,setaudit:machine
1700 # argument,1,0x400,setaudit:as_success
1701 # argument,1,0x400,setaudit:as_failure
1702 # argument,1,0x16f,setaudit:asid
1703 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1704 # return,success,0
1705 # trailer,215
1706 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1707 # argument,1,0x271a,setaudit:auid
1708 # argument,1,0x3ff0201,setaudit:port
1709 # argument,1,0x8192591e,setaudit:machine
1710 # argument,1,0x400,setaudit:as_success
1711 # argument,1,0x400,setaudit:as_failure
1712 # argument,1,0x16f,setaudit:asid
1713 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1714 # return,success,0
1715 # trailer,215
1716
1717 label=AUE_SETAUDIT_ADDR
1718 case=With a valid program stack address
1719 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1720 comment=1, audit user ID, "auid":
1721 comment=1, terminal ID, "port":
1722 comment=1, type, "type":
1723 comment=1, terminal ID, "ip address":
1724 comment=1, preselection mask, "as_success":
1725 comment=1, preselection mask, "as_failure":
1726 comment=1, audit session ID, "asid"
1727 case=With an invalid program stack address
1728 format=kernel
1729 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1730 # argument,1,0x15fa7,auid
1731 # argument,1,0x0,port
1732 # argument,1,0x4,type
1733 # ip address,tmach2
1734 # argument,1,0x9c00,as_success
1735 # argument,1,0x9c00,as_failure
1736 # argument,1,0x1f1,asid
1737 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1738 # return,success,0
1739
1740 label=AUE_SETAUID
1741 format=arg1
1742 comment=2, audit user ID, "setauid"
1743
1744 label=AUE_SETDOMAINNAME
1745 skip=Not used. (See AUE_SYSINFO)
1746 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1747
1748 label=AUE_SETEGID
1749 format=arg1
1750 comment=1, group ID, "gid"
1751
1752 label=AUE_SETEUID
1753 format=arg1
1754 comment=1, user ID, "euid"
1755
1756 label=AUE_SETGID
1757 format=arg1
1758 comment=1, group ID, "gid"
1759
1760 label=AUE_SETGROUPS
1761 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1762 note=no tokens are generated.
1763 case=If no groups in list
1764 format=[arg]1
1765 comment=1, 0, "setgroups"
1766 case=If 1 or more groups in list
1767 format=(1..n)arg1
1768 comment=1, gid, "setgroups"
1769
1770 label=AUE_SETHOSTNAME
1771 skip=Not used. (See AUE_SYSINFO)
1772 # See sysinfo call with command SI_SET_HOSTNAME
1773
1774 label=AUE_SETKERNSTATE
1775 skip=Not used.
1776
1777 label=AUE_SETPGID
1778 format=[proc]:[arg]1
1779 comment=2, pgid, "pgid"
1780
1781 label=AUE_SETPGRP
1782 format=kernel
1783
1784 label=AUE_SETPRIORITY
1785 skip=Not used.
1786
1787 label=AUE_SETPPRIV
1788 case=operation privileges off
1789 format=arg1:privset2
1790 comment=setppriv operation:
1791 comment=privileges actually switched off
1792 case=operation privileges on
1793 format=arg1:privset2
1794 comment=setppriv operation:
1795 comment=privileges actually switched on
1796 case=operation privileges off
1797 format=arg1:privset2:privset3
1798 comment=setppriv operation:
1799 comment=privileges before privset:
1800 comment=privileges after privset
1801 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1802 #argument,2,0x2,op
1803 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1804 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1805 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1806 #return,success,0
1807
1808 label=AUE_SETREGID
1809 format=arg1:arg2
1810 comment=1, real group ID, "rgid":
1811 comment=2, effective group ID, "egid"
1812
1813 label=AUE_SETREUID
1814 format=arg1:arg2
1815 comment=1, real user ID, "ruid":
1816 comment=2, effective user ID, "euid"
1817
1818 label=AUE_SETRLIMIT
1819 format=kernel
1820 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1821 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1822 # return,success,0
1823
1824 label=AUE_SETSID
1825 format=kernel
1826
1827 label=AUE_SETSOCKOPT
1828 case=Invalid file descriptor
1829 format=arg1:arg2
1830 comment=1, file descriptor, "so":
1831 comment=2, level, "level"
1832 case=Valid file descriptor
1833 case=...and socket is AF_UNIX
1834 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1835 comment=if no path, will be argument: 1, "nopath: fd", \
1836 file descriptor:
1837 comment=1, file descriptor, "so":
1838 comment=1, family, "family":
1839 comment=1, type, "type":
1840 comment=2, protocol level, "level":
1841 comment=3, option name, "optname":
1842 comment=5, option length, "optlen":
1843 comment=option data
1844 case=...and socket is AF_INET or AF_INET6
1845 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1846 comment=1, file descriptor, "so":
1847 comment=2, protocol level, "level":
1848 comment=3, option name, "optname":
1849 comment=5, option length, "optlen":
1850 comment=option data
1851 case=...and socket address family is unknown
1852 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1853 comment=1, file descriptor, "so":
1854 comment=1, family, "family":
1855 comment=1, type, "type":
1856 comment=2, protocol level, "level":
1857 comment=3, option name, "optname":
1858 comment=5, option length, "optlen":
1859 comment=option data
1860
1861 label=AUE_SETTIMEOFDAY
1862 skip=Not used.
1863
1864 label=AUE_SETUID
1865 syscall=setuid
1866 format=arg1
1867 comment=1, "uid" to be set
1868
1869 label=AUE_SETUSERAUDIT
1870 skip=Not used.
1871
1872 label=AUE_SHMAT
1873 format=arg1:arg2:[ipc]:[ipc_perm]
1874 comment=1, shared memory ID, "shm ID":
1875 comment=2, shared mem addr, "shm addr"
1876 note=ipc_perm
1877 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1878
1879 label=AUE_SHMCTL
1880 format=arg1:[ipc]:[ipc_perm]
1881 comment=1, shared memory ID, "shm ID"
1882 note=ipc_perm
1883 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1884
1885 label=AUE_SHMCTL_RMID
1886 format=arg1:[ipc]:[ipc_perm]
1887 comment=1, shared memory ID, "shm ID"
1888 note=ipc_perm
1889 syscall=shmctl: IPC_RMID
1890 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1891
1892 label=AUE_SHMCTL_SET
1893 format=arg1:[ipc]:[ipc_perm]
1894 comment=1, shared memory ID, "shm ID"
1895 note=ipc_perm
1896 syscall=shmctl: IPC_SET
1897 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1898
1899 label=AUE_SHMCTL_STAT
1900 format=arg1:[ipc]:[ipc_perm]
1901 comment=1, shared memory ID, "shm ID"
1902 note=ipc_perm
1903 syscall=shmctl: IPC_STAT
1904 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1905
1906 label=AUE_SHMDT
1907 format=arg1
1908 comment=1, shared memory address, "shm adr"
1909
1910 label=AUE_SHMGET
1911 format=arg1:[ipc_perm]:[ipc]
1912 comment=0, shared memory key, "shm key"
1913 note=ipc_perm
1914 # ipc_perm: shmget -> audit_ipcget
1915
1916 label=AUE_SHMGETL
1917 skip=Not used.
1918
1919 label=AUE_SHMSYS
1920 skip=Not used. (Placeholder for shmget and shmctl*)
1921
1922 label=AUE_SHUTDOWN
1923 case=If the socket address is invalid
1924 format=[arg]1:[text]2:[text]3
1925 comment=1, file descriptor, "fd":
1926 comment=bad socket address:
1927 comment=bad peer address
1928 case=If the socket address is part of the AF_INET family
1929 case=...with zero file descriptor
1930 format=arg1:[arg]2:[arg]3:[arg]4
1931 comment=1, file descriptor, "so":
1932 comment=1, family, "family":
1933 comment=1, type, "type":
1934 comment=2, how shutdown code, "how"
1935 case=...with non-zero file descriptor
1936 format=arg1:arg2:inet
1937 comment=1, file descriptor, "so":
1938 comment=2, how shutdown code, "how"
1939 case=If the socket address is AF_UNIX
1940 case=...with zero file descriptor
1941 format=path1:arg2:[arg]3:[arg]4:[arg]5
1942 comment=If error: argument: \
1943 1, "no path: fd", file descriptor:
1944 comment=1, file descriptor, "so":
1945 comment=1, family, "family":
1946 comment=1, type, "type":
1947 comment=2, how shutdown code, "how"
1948 case=...with non-zero file descriptor
1949 format=path1:arg2:arg3:inet
1950 comment=If error: argument: \
1951 1, file descriptor, "no path: fd":
1952 comment=1, file descriptor, "so":
1953 comment=2, how shutdown code, "how"
1954 #old BSM manual wrong; used audit_event.c
1955
1956 label=AUE_SOCKACCEPT
1957 syscall=getmsg: socket accept
1958 format=inet:arg1:[path]:attr:arg2
1959 comment=1, file descriptor, "fd":
1960 comment=4, priority, "pri"
1961 # see putmsg and getmsg for record format
1962 # See audit.c for inet token and audit_start.c for other reference
1963
1964 label=AUE_SOCKCONFIG
1965 format=arg1:arg2:arg3:[path]4
1966 comment=1, domain address, "domain":
1967 comment=2, type, "type":
1968 comment=3, protocol, "protocol":
1969 comment=If no path:argument -- 3, 0, "devpath"
1970
1971 label=AUE_SOCKCONNECT
1972 syscall=putmsg: socket connect
1973 format=inet:arg1:[path]:attr:arg2
1974 comment=1, file descriptor, "fd":
1975 comment=4, priority, "pri"
1976 # same as AUE_SOCKACCEPT
1977
1978 label=AUE_SOCKET
1979 format=arg1:[arg]2:arg3
1980 comment=1, socket domain, "domain":
1981 comment=2, socket type, "type":
1982 comment=3, socket protocol, "protocol"
1983
1984 label=AUE_SOCKETPAIR
1985 skip=Not used.
1986 # unreferenced
1987
1988 label=AUE_SOCKRECEIVE
1989 syscall=getmsg
1990 format=inet:arg1:[path]:attr:arg2
1991 comment=1, file descriptor, "fd":
1992 comment=4, priority, "pri"
1993 # see AUE_SOCKACCEPT
1994
1995 label=AUE_SOCKSEND
1996 syscall=putmsg
1997 format=inet:arg1:[path]:attr:arg2
1998 comment=1, file descriptor, "fd":
1999 comment=4, priority, "pri"
2000 # see AUE_SOCKACCEPT
2001
2002 label=AUE_STAT
2003 format=path:[attr]
2004
2005 label=AUE_STATFS
2006 format=path:[attr]
2007
2008 label=AUE_STATVFS
2009 format=path:[attr]
2010
2011 label=AUE_STIME
2012 format=kernel
2013
2014 label=AUE_SWAPON
2015 skip=Not used.
2016
2017 label=AUE_SYMLINK
2018 format=path:text1:[attr]
2019 comment=symbolic link string
2020
2021 label=AUE_SYSINFO
2022 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
2023 note=are currently audited.
2024 format=arg1:[text]2
2025 comment=1, command, "cmd":
2026 comment=name
2027
2028 label=AUE_SYSTEMBOOT
2029 title=system booted
2030 syscall=none
2031 format=head:text1
2032 comment="booting kernel"
2033 # see audit_start.c and audit_io.c
2034 # no subject or return / exit token
2035 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
2036 # text,booting kernel
2037
2038 label=AUE_TRUNCATE
2039 skip=Not used.
2040
2041 label=AUE_UMOUNT
2042 syscall=umount: old version
2043 note=Implemented as a call to the newer umount2(2).
2044 format=path:arg1:[path]:[attr]
2045 comment=2, mflag value = 0, "flags"
2046
2047 label=AUE_UMOUNT2
2048 syscall=umount2
2049 format=path:arg1:[path]:[attr]
2050 comment=2, mflag value, "flags"
2051
2052 label=AUE_UNLINK
2053 format=path:[attr]
2054
2055 label=AUE_UNLINKAT
2056 # obsolete
2057 see=openat(2)
2058 format=path:[attr]
2059
2060 label=AUE_UNMOUNT
2061 skip=Not used.
2062
2063 label=AUE_UTIME
2064 # obsolete
2065 format=path:[attr]
2066
2067 label=AUE_UTIMES
2068 see=futimens(2)
2069 format=path:[attr]
2070
2071 label=AUE_VFORK
2072 format=arg1
2073 comment=0, pid, "child PID"
2074 note=The vfork(2) return values are undefined because the audit record is
2075 note=produced at the point that the child process is spawned.
2076
2077 label=AUE_VPIXSYS
2078 skip=Not used.
2079
2080 label=AUE_VTRACE
2081 skip=Not used.
2082
2083 label=AUE_WRITE
2084 format=path1:attr
2085 comment=if no path, argument -- 1, file descriptor, "no path: fd"
2086 note=An audit record is generated for write only once per file close.
2087
2088 label=AUE_WRITEV
2089 skip=Not used. (obsolete)
2090
2091 label=AUE_XMKNOD
2092 # obsolete
2093 skip=Not used.
2094
2095 label=AUE_XSTAT
2096 # obsolete
2097 skip=Not used.
2098
2099 label=AUE_PF_POLICY_ADDRULE
2100 title=Add IPsec policy rule
2101 see=
2102 syscall=none
2103 format=arg1:arg2:[zone]3:[text]4
2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 comment=affected zone:
2107 comment=Name of target tunnel
2108
2109 label=AUE_PF_POLICY_DELRULE
2110 title=Delete IPsec policy rule
2111 see=
2112 syscall=none
2113 format=arg1:arg2:[zone]3:[text]4
2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 comment=affected zone:
2117 comment=Name of target tunnel
2118
2119 label=AUE_PF_POLICY_CLONE
2120 title=Clone IPsec policy
2121 see=
2122 syscall=none
2123 format=arg1:arg2:[zone]3:[text]4
2124 comment=Operation applied to active policy (1 is active, 0 is inactive):
2125 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2126 comment=affected zone:
2127 comment=Name of target tunnel
2128
2129 label=AUE_PF_POLICY_FLIP
2130 title=Flip IPsec policy
2131 see=
2132 syscall=none
2133 format=arg1:arg2:[zone]3:[text]4
2134 comment=Operation applied to active policy (1 is active, 0 is inactive):
2135 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2136 comment=affected zone:
2137 comment=Name of target tunnel
2138
2139 label=AUE_PF_POLICY_FLUSH
2140 title=Flush IPsec policy rules
2141 see=
2142 syscall=none
2143 format=arg1:arg2:[zone]3:[text]4
2144 comment=Operation applied to active policy (1 is active, 0 is inactive):
2145 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2146 comment=affected zone:
2147 comment=Name of target tunnel
2148
2149 label=AUE_PF_POLICY_ALGS
2150 title=Update IPsec algorithms
2151 see=
2152 syscall=none
2153 format=arg1:arg2:[zone]3:[text]4
2154 comment=Operation applied to active policy (1 is active, 0 is inactive):
2155 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2156 comment=affected zone:
2157 comment=Name of target tunnel
2158
2159 label=AUE_allocate_fail
2160 program=/usr/sbin/allocate
2161 title=allocate: allocate-device failure
2162 format=(0..n)[text]1
2163 comment=command line arguments
2164 # see audit_allocate.c
2165
2166 label=AUE_allocate_succ
2167 program=/usr/sbin/allocate
2168 title=allocate: allocate-device success
2169 format=(0..n)[text]1
2170 comment=command line arguments
2171 # see audit_allocate.c
2172
2173 label=AUE_at_create
2174 program=/usr/bin/at
2175 title=at: at-create crontab
2176 format=path
2177
2178 label=AUE_at_delete
2179 program=/usr/bin/at
2180 title=at: at-delete atjob (at or atrm)
2181 format=text1:path
2182 comment="ancillary file:" filename or "bad format of at-job name"
2183
2184 label=AUE_at_perm
2185 skip=Not used.
2186 # not referenced outside uevents.h
2187
2188 label=AUE_create_user
2189 skip=Not used.
2190
2191 label=AUE_cron_invoke
2192 program=/usr/sbin/cron
2193 title=cron: cron-invoke at or cron
2194 case=If there is a problem finding the account
2195 format=text1
2196 comment="bad user" name or "user <name> account expired"
2197 case=else
2198 format=text1:text2
2199 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2200 or "unknown job type (<job_type_id>)":
2201 comment=command
2202
2203 label=AUE_crontab_create
2204 program=/usr/bin/crontab
2205 title=crontab: crontab created
2206 format=path
2207 # See audit_crontab.c
2208
2209 label=AUE_crontab_delete
2210 program=/usr/bin/crontab
2211 title=crontab: crontab delete
2212 format=path
2213 # See audit_crontab.c
2214
2215 label=AUE_crontab_mod
2216 program=/usr/bin/crontab
2217 title=crontab: crontab modify
2218 format=path
2219 # See audit_crontab.c
2220
2221 label=AUE_crontab_perm
2222 skip=Not used.
2223
2224 label=AUE_deallocate_fail
2225 program=/usr/sbin/deallocate
2226 title=deallocate-device failure
2227 format=(0..n)[text]1
2228 comment=command line arguments
2229 # See audit_allocate.c
2230
2231 label=AUE_deallocate_succ
2232 program=/usr/sbin/deallocate
2233 title=deallocate-device success
2234 format=(0..n)[text]1
2235 comment=command line arguments
2236 # See audit_allocate.c
2237
2238 label=AUE_delete_user
2239 skip=Not used.
2240
2241 label=AUE_disable_user
2242 skip=Not used.
2243
2244 label=AUE_enable_user
2245 skip=Not used.
2246
2247 label=AUE_ftpd
2248 program=/usr/sbin/in.ftpd
2249 title=in.ftpd
2250 format=[text]1
2251 comment=error message
2252 # See audit_ftpd
2253
2254 label=AUE_ftpd_logout
2255 program=/usr/sbin/in.ftpd
2256 title=in.ftpd
2257 format=user
2258 # See audit_ftpd
2259
2260 label=AUE_halt_solaris
2261 program=/usr/sbin/halt
2262 title=halt
2263 format=user
2264 # See audit_halt.c
2265
2266 label=AUE_kadmind_auth
2267 format=text1:text2:text3
2268 comment=Op: <requested information>:
2269 comment=Arg: <argument for Op>:
2270 comment=Client: <client principal name>
2271 # See audit_kadmin.c / common_audit()
2272
2273 label=AUE_kadmind_unauth
2274 format=text1:text2:text3
2275 comment=Op: <requested information>:
2276 comment=Arg: <argument for Op>:
2277 comment=Client: <client principal name>
2278 # See audit_kadmin.c / common_audit()
2279
2280 label=AUE_krb5kdc_as_req
2281 format=text1:text2
2282 comment=Client: <client principal name>:
2283 comment=Service: <requested service name>
2284 # See audit_krb5kdc.c / common_audit()
2285
2286 label=AUE_krb5kdc_tgs_req
2287 format=text1:text2
2288 comment=Client: <client principal name>:
2289 comment=Service: <requested service name>
2290 # See audit_krb5kdc.c / common_audit()
2291
2292 label=AUE_krb5kdc_tgs_req_alt_tgt
2293 format=text1:text2
2294 comment=Client: <client principal name>:
2295 comment=Service: <requested service name>
2296 # See audit_krb5kdc.c / common_audit()
2297
2298 label=AUE_krb5kdc_tgs_req_2ndtktmm
2299 format=text1:text2
2300 comment=Client: <client principal name>:
2301 comment=Service: <requested service name>
2302 # See audit_krb5kdc.c / common_audit()
2303
2304 label=AUE_listdevice_fail
2305 title=allocate-list devices failure
2306 program=/usr/sbin/allocate
2307 format=(0..n)[text]1
2308 comment=command line arguments
2309 # See audit_allocate.c
2310
2311 label=AUE_listdevice_succ
2312 title=allocate-list devices success
2313 program=/usr/sbin/allocate
2314 format=(0..n)[text]1
2315 comment=command line arguments
2316 # See audit_allocate.c
2317
2318 label=AUE_modify_user
2319 skip=Not used.
2320
2321 label=AUE_mountd_mount
2322 title=mountd: NFS mount
2323 program=/usr/lib/nfs/mountd
2324 see=mountd(1M)
2325 format=text1:path2
2326 comment=remote client hostname:
2327 comment=mount dir
2328 # See audit_mountd.c
2329
2330 label=AUE_mountd_umount
2331 title=mountd: NFS unmount
2332 program=/usr/lib/nfs/mountd
2333 format=text1:path2
2334 comment=remote client hostname:
2335 comment=mount dir
2336 # See audit_mountd.c
2337
2338 label=AUE_poweroff_solaris
2339 program=/usr/sbin/poweroff
2340 title=poweroff
2341 format=user
2342 # See audit_halt.c
2343
2344 label=AUE_reboot_solaris
2345 program=/usr/sbin/reboot
2346 title=reboot
2347 format=user
2348 # See audit_reboot.c
2349 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2350 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2351 # return,success,0
2352
2353 label=AUE_rexd
2354 program=/usr/sbin/rpc.rexd
2355 title=rpc.rexd
2356 format=[text]1:text2:text3:[text]4:[text]5
2357 comment=error message (failure only):
2358 comment="Remote execution requested by:" hostname:
2359 comment="Username:" username:
2360 comment="User id:" user ID (failure only):
2361 comment="Command line:" command attempted
2362 # See audit_rexd.c
2363
2364 label=AUE_rexecd
2365 program=/usr/sbin/rpc.rexecd
2366 title=rpc.rexecd
2367 format=[text]1:text2:text3:text4
2368 comment=error message (failure only):
2369 comment="Remote execution requested by:" hostname:
2370 comment="Username:" username:
2371 comment="Command line:" command attempted
2372 # See audit_rexecd.c
2373
2374 label=AUE_rshd
2375 program=/usr/sbin/in.rshd
2376 title=in.rshd
2377 format=text1:text2:[text]3:[text]4
2378 comment="cmd" command:
2379 comment="remote user" remote user:
2380 comment="local user" local user:
2381 comment=failure message
2382 # See audit_rshd.c
2383
2384 label=AUE_shutdown_solaris
2385 title=shutdown
2386 program=/usr/ucb/shutdown
2387 format=user
2388 # See audit_shutdown.c
2389
2390 label=AUE_smserverd
2391 program=/usr/lib/smedia/rpc.smserverd
2392 format=[text]1:[text]2
2393 comment=state change:
2394 comment=vid, pid, major/minor device
2395 # see usr/src/cmd/smserverd
2396 # the code shows a third token, path, but it is not implemented.
2397
2398 label=AUE_uadmin_solaris
2399 title=uadmin (obsolete)
2400 program=
2401 see=
2402 format=text1:text2
2403 comment=function code:
2404 comment=argument code
2405 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2406
2407 label=AUE_LABELSYS_TNRH
2408 title=config Trusted Network remote host cache
2409 see=tnrh(2)
2410 syscall=labelsys: TSOL_TNRH
2411 case=With the flush command (cmd=3)
2412 format=arg1
2413 comment=1, command, "cmd"
2414 case=With the load (cmd=1) and delete (cmd=2) commands
2415 format=arg1:inaddr2:arg3
2416 comment=1, command, "cmd":
2417 comment=ip address of host:
2418 comment=2, prefix length, "prefix len"
2419
2420 label=AUE_LABELSYS_TNRHTP
2421 title=config Trusted Network remote host template
2422 see=tnrhtp(2)
2423 syscall=labelsys: TSOL_TNRHTP
2424 case=With the flush command (cmd=3)
2425 format=arg1
2426 comment=1, command, "cmd"
2427 case=With the load (cmd=1) and delete (cmd=2) commands
2428 format=arg1:text2
2429 comment=1, command, "cmd":
2430 comment=name of template
2431
2432 label=AUE_LABELSYS_TNMLP
2433 title=config Trusted Network multi-level port entry
2434 see=tnmlp(2)
2435 syscall=labelsys: TSOL_TNMLP
2436 case=With the flush command (cmd=3)
2437 format=arg1:text2
2438 comment=1, command, "cmd":
2439 comment="shared", or name of zone
2440 case=With the load (cmd=1) and delete (cmd=2) commands
2441 format=arg1:text2:arg3:arg4:[arg]5
2442 comment=1, command, "cmd":
2443 comment="shared", or name of zone:
2444 comment=2, protocol number, "proto num":
2445 comment=2, starting mlp port number, "mlp_port":
2446 comment=2, ending mlp port number, "mlp_port_upper"