11842 Want audit events for auditon(A_SETPMASK) and friends
Reviewed by: John Levon <john.levon@joyent.com>
Reviewed by: Andy Fiddaman <andy@omniosce.org>
--- old/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ new/usr/src/cmd/auditrecord/audit_record_attr.txt
1 1 # audit_record_attr.txt
2 2 # Two "#" are comments that are copied to audit_record_attr
3 3 # other comments are removed.
4 4 ##
5 5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 6 ## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
7 7 ## Copyright 2019 Joyent, Inc.
8 8 ##
9 9 ## CDDL HEADER START
10 10 ##
11 11 ## The contents of this file are subject to the terms of the
12 12 ## Common Development and Distribution License (the "License").
13 13 ## You may not use this file except in compliance with the License.
14 14 ##
15 15 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
16 16 ## or http://www.opensolaris.org/os/licensing.
17 17 ## See the License for the specific language governing permissions
18 18 ## and limitations under the License.
19 19 ##
20 20 ## When distributing Covered Code, include this CDDL HEADER in each
21 21 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
22 22 ## If applicable, add the following below this CDDL HEADER, with the
23 23 ## fields enclosed by brackets "[]" replaced with your own identifying
24 24 ## information: Portions Copyright [yyyy] [name of copyright owner]
25 25 ##
26 26 ## CDDL HEADER END
27 27 ##
28 28 ##
29 29
30 30 # source file for describing audit records.
31 31
32 32 # This file is in two sections. The first is a list of attribute /
33 33 # value pairs used to provide short cuts in annotating the audit
34 34 # records. The second is for annotation for each audit record.
35 35
36 36 # first section: general attributes
37 37
38 38 # skipClass=<class name of items to skip if only in that class>
39 39 # skipClass=no # uncomment to filter unused events
40 40
41 41 # token name abbreviations
42 42 # token=alias:fullname -- short names for key tokens
43 43
44 44 token=arg:argument
45 45 token=attr:attribute
46 46 token=acl:acl_entry
47 47 token=cmd:command
48 48 token=data:data
49 49 token=exec_args:exec_arguments
50 50 token=exec_env:exec_environment
51 51 token=group:group
52 52 token=inaddr:ip_addr
53 53 token=inet:socket
54 54 token=ipc:ipc
55 55 token=ipc_perm:ipc_perm
56 56 token=newgroup:newgroups
57 57 token=path:path
58 58 token=path_attr:attribute_path
59 59 token=privset:privilege
60 60 token=proc:process
61 61 token=text:text
62 62 token=tid:terminal_adr
63 63 token=uauth:use_of_authorization
64 64 token=upriv:use_of_privilege
65 65 token=user:user_object
66 66 token=zone:zonename
67 67 token=fmri:service_instance
68 68 token=label:mandatory_label
69 69
70 70 token=head:header
71 71 token=subj:subject
72 72 token=ret:return
73 73 token=exit:exit
74 74
75 75 # note names -- certain notes show up repeatedly; collected here
76 76 #
77 77 # To achieve the maximum line length to be less than 80 characters, the
78 78 # note names (message=) can be defined as a multi line, each line except the
79 79 # last one finished with the backslash character.
80 80
81 81 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
82 82 the message ID is not valid.
83 83
84 84
85 85 # basic record pattern ("insert" is where event-specific tokens
86 86 # are listed.)
87 87
88 88 kernel=head:insert:subj:[upriv]:ret
89 89 user=head:subj:insert:ret
90 90
91 91 # Second Section
92 92 # Annotation Section
93 93 #
94 94 # Most audit records need annotation beyond what is provided by
95 95 # the files audit_event and audit_class. At a minimum, a record
96 96 # is represented by a label and a format.
97 97 #
98 98 # label=record_id like AUE_ACCEPT
99 99 # format=token_alias
100 100 #
101 101 # there is no end line; a new label= end the preceding definition
102 102 # and starts the next.
103 103 #
104 104 # format values are a list of token names, separated by colons. The
105 105 # name is either one of the values described above (token=) or is
106 106 # a value to be taken literally. If a token name ends with a digit,
107 107 # the digit is an index into an array of comments. In the few cases
108 108 # where there are no tokens (other than header, subject, return/exit),
109 109 # use "format=kernel" or "format="user".
110 110 #
111 111 # comment is an array of strings separated by colons. If comments
112 112 # are listed on separate lines (recommended due to better
113 113 # readability/sustainability of the file), the preceding comment
114 114 # must end with a colon. The array starts at 1. (If the comment
115 115 # contains a colon, use ":" without the quotes.)
116 116 #
117 117 # case is used to generate alternate descriptions for a given
118 118 # record.
119 119 #
120 120 # Constraints - the string length; bear in mind, that any annotation of
121 121 # primitives below longer than is specified, will be silently truncated
122 122 # to given/defined amount of characters in the auditrecord(1M) runtime:
123 123 #
124 124 # primitive <= max (non-truncated) string length
125 125 # case <= unlimited; if necessary, text continues on a new line
126 126 # comment <= unlimited; if necessary, text continues on a new line
127 127 # label <= 43
128 128 # note <= unlimited; if necessary, text continues on a new line
129 129 # program <= 20
130 130 # see <= 39
131 131 # syscall <= 20
132 132 # title <= 46
133 133 # token <= 28 (full name)
134 134 #
135 135 # To achieve the maximum line length to be less than 80 characters, one can
136 136 # define the unlimited primitives as a multi line, each line except the
137 137 # last one finished with the backslash character. In addition to above
138 138 # mentioned, the "format=" record attribute follows the same rule.
139 139 #
140 140 #
141 141 # AUE_ACCEPT illustrates the use of all the above. Note that
142 142 # case is not nested; ellipsis (...) is used to give the effect
143 143 # of nesting.
144 144
145 145 label=AUE_ACCEPT
146 146 #accept(2) failure
147 147 case=Invalid socket file descriptor
148 148 format=arg1
149 149 comment=1, file descriptor, "so"
150 150 #accept(2) non SOCK_STREAM socket
151 151 case=If the socket address is not part of the AF_INET family
152 152 format=arg1:arg2:arg3
153 153 comment=1, "so", file descriptor:
154 154 comment="family", so_family:
155 155 comment="type", so_type
156 156 case=If the socket address is part of the AF_INET family
157 157 case=...If there is no vnode for this file descriptor
158 158 format=[arg]1
159 159 comment=1, file descriptor, "Bad so"
160 160 #accept(2) SOCK_STREAM socket-not bound
161 161 case=...or if the socket is not bound
162 162 format=[arg]1:[inet]2
163 163 comment=1, file descriptor, "so":
164 164 comment=local/foreign address (0.0.0.0)
165 165 case=...or if the socket address length = 0
166 166 format=[arg]1:[inet]2
167 167 comment=1, file descriptor, "so":
168 168 comment=local/foreign address (0.0.0.0)
169 169 case=...or for all other conditions
170 170 format=inet1:[inet]1
171 171 comment=socket address
172 172 #accept(2) failure
173 173 # header
174 174 # au_to_arg32 "so",file descriptor
175 175 # subject
176 176 # return <errno != 0>
177 177 #
178 178 #accept(2) non SOCK_STREAM socket
179 179 # header
180 180 # au_to_arg32 "so", file descriptor
181 181 # au_to_arg32 "family", so_family
182 182 # au_to_arg32 "type", so_type
183 183 # subject
184 184 # return success
185 185 #
186 186 #accept(2) SOCK_STREAM socket-not bound
187 187 # header
188 188 # au_to_arg32 "so", file descriptor
189 189 # au_to_socket_ex local/foreign address (0.0.0.0)
190 190 # subject
191 191 # return success
192 192 #
193 193 #accept(2) SOCK_STREAM socket-bound
194 194 # header
195 195 # au_to_arg32 "so", file descriptor
196 196 # au_to_socket_ex
197 197 # subject
198 198 # return success
199 199
200 200
201 201
202 202 label=AUE_ACCESS
203 203 format=path1:[attr]
204 204 comment=may be truncated in failure case
205 205 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
206 206 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
207 207 # attribute,100777,41416,staff,8388608,402255,0
208 208 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
209 209 # return,success,0
210 210 # trailer,163
211 211 #
212 212 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
213 213 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
214 214 # attribute,100000,root,other,8388608,402257,0
215 215 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
216 216 # return,failure: Permission denied,-1
217 217 # trailer,163
218 218 #
219 219 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
220 220 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
221 221 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
222 222 # return,failure: No such file or directory,-1
223 223 # trailer,135
224 224
225 225 label=AUE_ACCT
226 226 case=Zero path
227 227 format=arg1
228 228 comment=1, 0, "accounting off"
229 229 case=Non-zero path
230 230 format=path1:[attr]2
231 231 comment=may be truncated in failure case:
232 232 comment=omitted if failure
233 233
234 234 label=AUE_ACLSET
235 235 syscall=acl
236 236 format=arg1:arg2:(0..n)[acl]3
237 237 comment=2, SETACL, "cmd":
238 238 comment=3, number of ACL entries, "nentries":
239 239 comment=Access Control List entries
240 240
241 241 label=AUE_ADJTIME
242 242 format=kernel
243 243
244 244 label=AUE_ASYNC_DAEMON
245 245 skip=Not used
246 246
247 247 label=AUE_ASYNC_DAEMON_EXIT
248 248 skip=Not used
249 249
250 250 label=AUE_AUDIT
251 251 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
252 252
253 253 label=AUE_AUDITON
254 254 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
255 255
256 256 label=AUE_AUDITON_GESTATE
257 257 skip=Not used
258 258
259 259 label=AUE_AUDITON_GETAMASK
260 260 format=kernel
261 261 syscall=auditon: GETAMASK
262 262
263 263 label=AUE_AUDITON_GETCAR
264 264 format=kernel
265 265 syscall=auditon: GETCAR
266 266 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
267 267 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
268 268 # return,success,0
269 269 # trailer,68
270 270
271 271 label=AUE_AUDITON_GETCLASS
272 272 format=kernel
273 273 syscall=auditon: GETCLASS
274 274 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
275 275 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
276 276 # return,success,0
277 277 # trailer,68
278 278
279 279 label=AUE_AUDITON_GETCOND
280 280 format=kernel
281 281 syscall=auditon: GETCOND
282 282 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
283 283 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
284 284 # return,success,0
285 285 # trailer,68
286 286
287 287 label=AUE_AUDITON_GETCWD
288 288 format=kernel
289 289 syscall=auditon: GETCWD
290 290 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
291 291 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
292 292 # return,success,0
293 293 # trailer,68
294 294
295 295 label=AUE_AUDITON_GETKMASK
296 296 format=kernel
297 297 syscall=auditon: GETKMASK
298 298 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
299 299 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
300 300 # return,success,0
301 301 # trailer,68
302 302
303 303 label=AUE_AUDITON_GETSTAT
304 304 format=kernel
305 305 syscall=auditon: A_GETSTAT
306 306 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
307 307 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
308 308 # return,success,0
309 309 # trailer,68
310 310
311 311 label=AUE_AUDITON_GPOLICY
312 312 format=kernel
313 313 syscall=auditon: GPOLICY
314 314 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
315 315 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
316 316 # return,success,0
317 317 # trailer,68
318 318
319 319 label=AUE_AUDITON_GQCTRL
320 320 format=kernel
321 321 syscall=auditon: GQCTRL
322 322 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
323 323 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
324 324 # return,success,0
325 325 # trailer,68
326 326
327 327
328 328 label=AUE_AUDITON_GTERMID
329 329 skip=Not used.
330 330
331 331 label=AUE_AUDITON_SESTATE
332 332 skip=Not used.
333 333
334 334 label=AUE_AUDITON_SETAMASK
335 335 format=[arg]1:[arg]2
336 336 comment=2, "setamask as_success", user default audit preselection mask:
337 337 comment=2, "setamask as_failure", user default audit preselection mask
338 338 syscall=auditon: SETAMASK
339 339
340 340 label=AUE_AUDITON_SETCLASS
341 341 format=[arg]1:[arg]2
342 342 comment=2, "setclass:ec_event", event number:
343 343 comment=3, "setclass:ec_class", class mask
344 344 syscall=auditon: SETCLASS
345 345 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
346 346 # argument,2,0x0,setclass:ec_event
347 347 # argument,3,0x0,setclass:ec_class
348 348 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
349 349 # return,success,0
350 350 # trailer,120
351 351
352 352 label=AUE_AUDITON_SETCOND
353 353 format=[arg]1
354 354 comment=3, "setcond", audit state
355 355 syscall=auditon: SETCOND
356 356
357 357 label=AUE_AUDITON_SETKMASK
358 358 format=[arg]1:[arg]2
359 359 comment=2, "setkmask as_success", kernel non-attributable mask:
360 360 comment=2, "setkmask as_failure", kernel non-attributable mask
361 361 syscall=auditon: SETKMASK
362 362 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
363 363 # argument,2,0x0,setkmask:as_success
364 364 # argument,2,0x0,setkmask:as_failure
365 365 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
366 366 # return,success,0
367 367 # trailer,124
368 368 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
369 369 # argument,2,0x0,setkmask:as_success
370 370 # argument,2,0x0,setkmask:as_failure
371 371 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
372 372 # return,failure: Not owner,-1
373 373 # trailer,124
374 374
375 375 label=AUE_AUDITON_SETSMASK
376 376 format=[arg]1:[arg]2
377 377 comment=3, "setsmask:as_success", session ID mask:
378 378 comment=3, "setsmask:as_failure", session ID mask
379 379 syscall=auditon: SETSMASK
380 380 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
381 381 # argument,3,0x400,setsmask:as_success
382 382 # argument,3,0x400,setsmask:as_failure
383 383 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
384 384 # return,success,0
385 385 # trailer,124
386 386 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
387 387 # argument,3,0x400,setsmask:as_success
388 388 # argument,3,0x400,setsmask:as_failure
389 389 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
390 390 # return,failure: Not owner,-1
391 391 # trailer,124
392 392
393 393 label=AUE_AUDITON_SETSTAT
394 394 format=kernel
395 395 syscall=auditon: SETSTAT
396 396 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
397 397 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
398 398 # return,success,0
399 399 # trailer,68
400 400 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
401 401 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
402 402 # return,failure: Not owner,-1
403 403 # trailer,68
404 404
405 405 label=AUE_AUDITON_SETUMASK
406 406 format=[arg]1:[arg]2
407 407 comment=3, "setumask:as_success", audit ID mask:
408 408 comment=3, "setumask:as_failure", audit ID mask
409 409 syscall=auditon: SETUMASK
410 410 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
411 411 # argument,3,0x400,setumask:as_success
412 412 # argument,3,0x400,setumask:as_failure
413 413 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
414 414 # return,success,0
415 415 # trailer,124
416 416 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
417 417 # argument,3,0x400,setumask:as_success
418 418 # argument,3,0x400,setumask:as_failure
419 419 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
420 420 # return,failure: Not owner,-1
421 421 # trailer,124
422 422
423 423 label=AUE_AUDITON_SPOLICY
424 424 format=[arg]1
425 425 comment=1, audit policy flags, "setpolicy"
426 426 syscall=auditon: SPOLICY
427 427 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
428 428 # argument,3,0x200,setpolicy
429 429 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
430 430 # return,success,0
431 431 # trailer,86
432 432 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
433 433 # argument,3,0x200,setpolicy
434 434 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
435 435 # return,failure: Not owner,-1
436 436 # trailer,86
437 437
438 438 label=AUE_AUDITON_SQCTRL
439 439 format=[arg]1:[arg]2:[arg]3:[arg]4
440 440 comment=3, "setqctrl:aq_hiwater", queue control param.:
441 441 comment=3, "setqctrl:aq_lowater", queue control param.:
442 442 comment=3, "setqctrl:aq_bufsz", queue control param.:
443 443 comment=3, "setqctrl:aq_delay", queue control param.
444 444 syscall=auditon: SQCTRL
445 445 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
446 446 # argument,3,0x64,setqctrl:aq_hiwater
447 447 # argument,3,0xa,setqctrl:aq_lowater
448 448 # argument,3,0x400,setqctrl:aq_bufsz
449 449 # argument,3,0x14,setqctrl:aq_delay
450 450 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
451 451 # return,success,0
452 452 # trailer,176
453 453 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
454 454 # argument,3,0x64,setqctrl:aq_hiwater
455 455 # argument,3,0xa,setqctrl:aq_lowater
456 456 # argument,3,0x400,setqctrl:aq_bufsz
457 457 # argument,3,0x14,setqctrl:aq_delay
458 458 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
459 459 # return,failure: Not owner,-1
460 460 # trailer,176
461 461
462 +label=AUE_AUDITON_SETPMASK
463 + format=[arg]1:[arg]2
464 + comment=3, "setpmask:pid", process
465 + comment=3, "setpmask:as_success", audit ID mask:
466 + comment=3, "setpmask:as_failure", audit ID mask
467 + syscall=auditon: SETPMASK
468 +
469 +label=AUE_AUDITON_SETKAUDIT
470 + format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
471 + comment=1, audit user ID, "auid":
472 + comment=1, terminal ID, "port":
473 + comment=1, type, "type":
474 + comment=1, terminal ID, "ip address":
475 + comment=1, preselection mask, "as_success":
476 + comment=1, preselection mask, "as_failure":
477 + comment=1, audit session ID, "asid"
478 + syscall=auditon: SETKAUDIT
479 +
480 +label=AUE_AUDITON_GETPINFO
481 + format=kernel
482 + syscall=auditon: GETPINFO
483 +
484 +label=AUE_AUDITON_GETKAUDIT
485 + format=kernel
486 + syscall=auditon: GETKAUDIT
487 +
488 +label=AUE_AUDITON_OTHER
489 + format=kernel
490 + syscall=auditon: OTHER
491 +
462 492 label=AUE_AUDITON_STERMID
463 493 skip=Not used.
464 494
465 495 label=AUE_AUDITSTAT
466 496 skip=Not used.
467 497
468 498 label=AUE_AUDITSVC
469 499 skip=Not used.
470 500
471 501 label=AUE_AUDITSYS
472 502 skip=Not used. (Place holder for various auditing events.)
473 503
474 504 label=AUE_BIND
475 505 # differs from documented version.
476 506 # cases "no vnode" not fully confirmed
477 507 # family and type need argument number
478 508 case=Invalid socket handle
479 509 format=arg1
480 510 comment=1, file descriptor, "so"
481 511 case=If there is no vnode for this file descriptor
482 512 case=or if the socket is not of the AF_INET family
483 513 format=arg1:arg2:arg3
484 514 comment=1, file descriptor, "so":
485 515 comment=1, socket family, "family":
486 516 comment=1, socket type, "type"
487 517 case=or for all other conditions
488 518 format=arg1:inet2
489 519 comment=1, file descriptor, "so":
490 520 comment=socket address
491 521
492 522 label=AUE_BRANDSYS
493 523 # generic mechanism to allow user-space and kernel components of a brand
494 524 # to communicate. The interpretation of the arguments to the call is
495 525 # left entirely up to the brand.
496 526 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
497 527 comment=1, command, "cmd":
498 528 comment=2, command args, "arg":
499 529 comment=3, command args, "arg":
500 530 comment=4, command args, "arg":
501 531 comment=5, command args, "arg":
502 532 comment=6, command args, "arg":
503 533 comment=7, command args, "arg"
504 534
505 535 label=AUE_BSMSYS
506 536 skip=Not used.
507 537
508 538 label=AUE_CHDIR
509 539 format=path:[attr]
510 540 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
511 541 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
512 542 # attribute,40777,root,other,8388608,231558,0
513 543 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
514 544 # return,success,0
515 545 # trailer,151
516 546 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
517 547 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
518 548 # attribute,40000,root,other,8388608,237646,0
519 549 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
520 550 # return,failure: Permission denied,-1
521 551 # trailer,151
522 552
523 553 label=AUE_CHMOD
524 554 format=arg1:path:[attr]
525 555 comment=2, mode, "new file mode"
526 556 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
527 557 # argument,2,0x1f8,new file mode
528 558 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
529 559 # attribute,100770,tuser10,other,8388608,243608,0
530 560 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
531 561 # return,success,0
532 562 # trailer,173
533 563 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
534 564 # argument,2,0x1f8,new file mode
535 565 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
536 566 # attribute,100600,root,other,8388608,243609,0
537 567 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
538 568 # return,failure: Not owner,-1
539 569 # trailer,173
540 570
541 571 label=AUE_CHOWN
542 572 format=arg1:arg2
543 573 comment=2, uid, "new file uid":
544 574 comment=3, gid, "new file gid"
545 575 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
546 576 # argument,2,0x271a,new file uid
547 577 # argument,3,0xffffffff,new file gid
548 578 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
549 579 # attribute,100644,tuser10,other,8388608,268406,0
550 580 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
551 581 # return,success,0
552 582 # trailer,193
553 583 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
554 584 # argument,2,0x271a,new file uid
555 585 # argument,3,0xffffffff,new file gid
556 586 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
557 587 # attribute,100644,root,other,8388608,268407,0
558 588 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
559 589 # return,failure: Not owner,-1
560 590 # trailer,193
561 591
562 592 label=AUE_CHROOT
563 593 format=path:[attr]
564 594 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
565 595 # path,/
566 596 # attribute,40755,root,root,8388608,2,0
567 597 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
568 598 # return,success,0
569 599 # trailer,104
570 600 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
571 601 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
572 602 # attribute,40777,tuser10,other,8388608,335110,0
573 603 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
574 604 # return,failure: Not owner,-1
575 605 # trailer,152
576 606
577 607 label=AUE_CLOCK_SETTIME
578 608 format=kernel
579 609
580 610 label=AUE_CLOSE
581 611 format=arg1:[path]:[attr]
582 612 comment=1, file descriptor, "fd"
583 613
584 614 label=AUE_CONFIGKSSL
585 615 case=Adding KSSL entry.
586 616 format=text1:inaddr2:text3:text4
587 617 comment=opcode, KSSL_ADD_ENTRY:
588 618 comment=local IP address:
589 619 comment=SSL port number:
590 620 comment=proxy port number
591 621 case=Deleting KSSL entry.
592 622 format=text1:inaddr2:text3
593 623 comment=opcode, KSSL_DELETE_ENTRY:
594 624 comment=local IP address:
595 625 comment=SSL port number
596 626
597 627 label=AUE_CONNECT
598 628 # cases "no vnode" not fully confirmed
599 629 case=If there is no vnode for this file descriptor
600 630 case=If the socket address is not part of the AF_INET family
601 631 format=arg1:arg2:arg3
602 632 comment=1, file descriptor, "so":
603 633 comment=1, socket family, "family":
604 634 comment=1, socket type, "type"
605 635 case=If the socket address is part of the AF_INET family
606 636 format=arg1:inet2
607 637 comment=1, file descriptor, "so":
608 638 comment=socket address
609 639
610 640 label=AUE_CORE
611 641 syscall=none
612 642 title=process dumped core
613 643 see=none
614 644 format=path:[attr]:arg1
615 645 comment=1, signal, "signal"
616 646 # see uts/common/c2/audit.c
617 647
618 648 label=AUE_CREAT
619 649 # obsolete - see open(2)
620 650 format=path:[attr]
621 651 # does not match old BSM manual
622 652 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
623 653 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
624 654 # attribute,100644,tuser10,other,8388608,49679,0
625 655 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
626 656 # return,success,8
627 657 # trailer,151
628 658 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
629 659 # path,/devices/pseudo/mm@0:null
630 660 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
631 661 # return,success,8
632 662 # trailer,107
633 663 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
634 664 # path,/obj_fail
635 665 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
636 666 # return,failure: Permission denied,-1
637 667 # trailer,83
638 668
639 669 label=AUE_CRYPTOADM
640 670 title=kernel cryptographic framework
641 671 format=text1:(0..n)[text]2
642 672 comment=cryptoadm command/operation:
643 673 comment=mechanism list
644 674
645 675 label=AUE_DOORFS
646 676 skip=Not used. (Place holder for set of door audit events.)
647 677
648 678 label=AUE_DOORFS_DOOR_BIND
649 679 skip=Not used.
650 680 syscall=doorfs: DOOR_BIND
651 681
652 682 label=AUE_DOORFS_DOOR_CALL
653 683 format=arg1:proc2
654 684 comment=1, door ID, "door ID":
655 685 comment=for process that owns the door
656 686 syscall=doorfs: DOOR_CALL
657 687
658 688 label=AUE_DOORFS_DOOR_CREATE
659 689 format=arg1
660 690 comment=1, door attributes, "door attr"
661 691 syscall=doorfs: DOOR_CREATE
662 692
663 693 label=AUE_DOORFS_DOOR_CRED
664 694 skip=Not used.
665 695 syscall=doorfs: DOOR_CRED
666 696
667 697 label=AUE_DOORFS_DOOR_INFO
668 698 skip=Not used.
669 699 syscall=doorfs: DOOR_INFO
670 700
671 701 label=AUE_DOORFS_DOOR_RETURN
672 702 format=kernel
673 703 syscall=doorfs: DOOR_RETURN
674 704
675 705 label=AUE_DOORFS_DOOR_REVOKE
676 706 format=arg1
677 707 comment=1, door ID, "door ID"
678 708 syscall=doorfs: DOOR_REVOKE
679 709
680 710 label=AUE_DOORFS_DOOR_UNBIND
681 711 skip=Not used.
682 712 syscall=doorfs: DOOR_UNBIND
683 713
684 714 label=AUE_DUP2
685 715 skip=Not used.
686 716
687 717 label=AUE_ENTERPROM
688 718 title=enter prom
689 719 syscall=none
690 720 format=head:text1:ret
691 721 comment="kmdb"
692 722 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
693 723 # text,kmdb
694 724 # return,success,0
695 725
696 726 label=AUE_EXEC
697 727 # obsolete - see execve(2)
698 728 format=path:[attr]1:[exec_args]2:[exec_env]3
699 729 comment=omitted on error:
700 730 comment=output if argv policy is set:
701 731 comment=output if arge policy is set
702 732
703 733 label=AUE_EXECVE
704 734 format=path:[attr]1:[exec_args]2:[exec_env]3
705 735 comment=omitted on error:
706 736 comment=output if argv policy is set:
707 737 comment=output if arge policy is set
708 738 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
709 739 # path,/devices/pseudo/mm@0:null
710 740 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
711 741 # return,success,8
712 742 # trailer,107
713 743 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
714 744 # path,/usr/bin/pig
715 745 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
716 746 # return,failure: No such file or directory,-1
717 747 # trailer,86
718 748
719 749 label=AUE_PFEXEC
720 750 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
721 751 comment=pathname of the executable:
722 752 comment=pathname of working directory:
723 753 comment=privileges if the limit or inheritable set are changed:
724 754 comment=process if ruid, euid, rgid or egid is changed:
725 755 comment=output if arge policy is set
726 756
727 757 label=AUE_sudo
728 758 format=exec_args1:[text]2
729 759 comment=command args:
730 760 comment=error message (failure only)
731 761
732 762 label=AUE_EXIT
733 763 format=arg1:[text]2
734 764 comment=1, exit status, "exit status":
735 765 comment=event aborted
736 766
737 767 label=AUE_EXITPROM
738 768 title=exit prom
739 769 syscall=none
740 770 format=head:text1:ret
741 771 comment="kmdb"
742 772 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
743 773 # text,kmdb
744 774 # return,success,0
745 775
746 776 label=AUE_EXPORTFS
747 777 skip=Not used.
748 778
749 779 label=AUE_FACCESSAT
750 780 # obsolete
751 781 see=access(2)
752 782 format=path:[attr]
753 783
754 784 label=AUE_FACLSET
755 785 syscall=facl
756 786 case=Invalid file descriptor
757 787 format=arg1:arg2
758 788 comment=2, SETACL, "cmd":
759 789 comment=3, number of ACL entries, "nentries"
760 790 case=Zero path
761 791 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
762 792 comment=2, SETACL, "cmd":
763 793 comment=3, number of ACL entries, "nentries":
764 794 comment=1, file descriptor, "no path: fd":
765 795 comment=ACLs
766 796 case=Non-zero path
767 797 format=arg1:arg2:path:[attr]:(0..n)[acl]3
768 798 comment=2, SETACL, "cmd":
769 799 comment=3, number of ACL entries, "nentries":
770 800 comment=ACLs
771 801
772 802 label=AUE_FCHDIR
773 803 format=[path]:[attr]
774 804 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
775 805 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
776 806 # attribute,40777,tuser10,other,8388608,207662,0
777 807 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
778 808 # return,success,0
779 809 # trailer,150
780 810 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
781 811 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
782 812 # return,failure: Permission denied,-1
783 813 # trailer,68
784 814
785 815 label=AUE_FCHMOD
786 816 case=With a valid file descriptor and path
787 817 format=arg1:path:[attr]
788 818 comment=2, mode, "new file mode"
789 819 case=With a valid file descriptor and invalid path
790 820 format=arg1:[arg]2:[attr]
791 821 comment=2, mode, "new file mode":
792 822 comment=1, file descriptor, "no path: fd"
793 823 case=With an invalid file descriptor
794 824 format=arg1
795 825 comment=2, mode, "new file mode"
796 826 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
797 827 # argument,2,0x1a4,new file mode
798 828 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
799 829 # attribute,100644,tuser10,other,7602240,26092,0
800 830 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
801 831 # return,success,0
802 832 # trailer,168
803 833 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
804 834 # argument,2,0x1a4,new file mode
805 835 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
806 836 # return,failure: Bad file number,-1
807 837 # trailer,90
808 838 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
809 839 # argument,2,0x1a4,new file mode
810 840 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
811 841 # attribute,100644,root,other,7602240,26093,0
812 842 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
813 843 # return,failure: Not owner,-1
814 844 # trailer,168
815 845
816 846 label=AUE_FCHOWN
817 847 case=With a valid file descriptor
818 848 format=arg1:arg2:[path]:[attr]
819 849 comment=2, uid, "new file uid":
820 850 comment=3, gid, "new file gid"
821 851 case=With an invalid file descriptor
822 852 format=arg1:arg2:[arg]3:[attr]
823 853 comment=2, uid, "new file uid":
824 854 comment=3, gid, "new file gid":
825 855 comment=1, file descriptor, "no path fd"
826 856
827 857 label=AUE_FCHOWNAT
828 858 # obsolete
829 859 see=openat(2)
830 860 case=With a valid absolute/relative file path
831 861 format=path:[attr]
832 862 case=With an file path eq. NULL and valid file descriptor
833 863 format=kernel
834 864
835 865 label=AUE_FCHROOT
836 866 format=[path]:[attr]
837 867 # fchroot -> chdirec -> audit_chdirec
838 868
839 869 label=AUE_FCNTL
840 870 case=With a valid file descriptor
841 871 format=arg1:[arg]2:path:attr
842 872 comment=2, command, "cmd":
843 873 comment=3, flags, "flags"
844 874 case=With an invalid file descriptor
845 875 format=arg1:[arg]2:arg3
846 876 comment=2, command, "cmd":
847 877 comment=3, flags, "flags":
848 878 comment=1, file descriptor, "no path fd"
849 879 note=Flags are included only when cmd is F_SETFL.
850 880
851 881 label=AUE_FLOCK
852 882 skip=Not used.
853 883
854 884 label=AUE_FORKALL
855 885 format=[arg]1
856 886 comment=0, pid, "child PID"
857 887 note=The forkall(2) return values are undefined because the audit record
858 888 note=is produced at the point that the child process is spawned.
859 889 # see audit.c
860 890
861 891 label=AUE_FORK1
862 892 format=[arg]1
863 893 comment=0, pid, "child PID"
864 894 note=The fork1(2) return values are undefined because the audit record
865 895 note=is produced at the point that the child process is spawned.
866 896 # see audit.c
867 897
868 898 label=AUE_FSAT
869 899 # obsolete
870 900 skip=Not used. (Placeholder for AUE_*AT records)
871 901
872 902 label=AUE_FSTAT
873 903 skip=Not used.
874 904
875 905 label=AUE_FSTATAT
876 906 # obsolete
877 907 format=path:[attr]
878 908
879 909 label=AUE_FSTATFS
880 910 case=With a valid file descriptor
881 911 format=[path]:[attr]
882 912 case=With an invalid file descriptor
883 913 format=arg1
884 914 comment=1, file descriptor, "no path fd"
885 915
886 916 label=AUE_FTRUNCATE
887 917 skip=Not used.
888 918
889 919 label=AUE_FUSERS
890 920 syscall=utssys: UTS_FUSERS
891 921 format=path:attr
892 922
893 923 label=AUE_FUTIMESAT
894 924 # obsolete
895 925 format=[path]:[attr]
896 926
897 927 label=AUE_GETAUDIT
898 928 format=kernel
899 929 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
900 930 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
901 931 # return,success,0
902 932 # trailer,68
903 933 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
904 934 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
905 935 # return,success,0
906 936 # trailer,68
907 937
908 938 label=AUE_GETAUDIT_ADDR
909 939 format=kernel
910 940 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
911 941 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
912 942 # return,success,0
913 943
914 944 label=AUE_GETAUID
915 945 format=kernel
916 946 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
917 947 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
918 948 # return,success,0
919 949 # trailer,68
920 950 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
921 951 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
922 952 # return,failure: Not owner,-1
923 953 # trailer,68
924 954
925 955 label=AUE_GETDENTS
926 956 skip=Not used.
927 957 #Not security relevant
928 958
929 959 label=AUE_GETKERNSTATE
930 960 skip=Not used.
931 961
932 962 label=AUE_GETMSG
933 963 case=With a valid file descriptor
934 964 format=arg1:[path]:attr:arg2
935 965 comment=1, file descriptor, "fd":
936 966 comment=4, priority, "pri"
937 967 case=With an invalid file descriptor
938 968 format=arg1:arg2
939 969 comment=1, file descriptor, "fd":
940 970 comment=4, priority, "pri"
941 971
942 972 label=AUE_GETPMSG
943 973 case=With a valid file descriptor
944 974 format=arg1:[path]:attr
945 975 comment=1, file descriptor, "fd"
946 976 case=With an invalid file descriptor
947 977 format=arg1
948 978 comment=1, file descriptor, "fd"
949 979
950 980 label=AUE_GETPORTAUDIT
951 981 format=Not used.
952 982
953 983 label=AUE_GETUSERAUDIT
954 984 skip=Not used.
955 985
956 986 label=AUE_INST_SYNC
957 987 format=arg1
958 988 comment=2, flags value, "flags"
959 989
960 990 label=AUE_IOCTL
961 991 case=With an invalid file descriptor
962 992 format=arg1:arg2:arg3
963 993 comment=1, file descriptor, "fd":
964 994 comment=2, command, "cmd":
965 995 comment=3, arg, "arg"
966 996 case=With a valid file descriptor
967 997 format=path:[attr]:arg1:arg2
968 998 comment=2, ioctl cmd, "cmd":
969 999 comment=3, ioctl arg, "arg"
970 1000 case=Non-file file descriptor
971 1001 format=arg1:arg2:arg3
972 1002 comment=1, file descriptor, "fd":
973 1003 comment=2, ioctl cmd, "cmd":
974 1004 comment=3, ioctl arg, "arg"
975 1005 case=Bad file name
976 1006 format=arg1:arg2:arg3
977 1007 comment=1, file descriptor, "no path: fd":
978 1008 comment=2, ioctl cmd, "cmd":
979 1009 comment=3, ioctl arg, "arg"
980 1010 # old BSM manual misses a case
981 1011
982 1012 label=AUE_JUNK
983 1013 skip=Not used.
984 1014
985 1015 label=AUE_KILL
986 1016 case=Valid process
987 1017 format=arg1:[proc]
988 1018 comment=2, signo, "signal"
989 1019 case=Zero or negative process
990 1020 format=arg1:arg2
991 1021 comment=2, signo, "signal":
992 1022 comment=1, pid, "process"
993 1023
994 1024 label=AUE_KILLPG
995 1025 skip=Not used.
996 1026
997 1027 label=AUE_LCHOWN
998 1028 format=arg1:arg2:path:[attr]
999 1029 comment=2, uid, "new file uid":
1000 1030 comment=3, gid, "new file gid"
1001 1031
1002 1032 label=AUE_LINK
1003 1033 format=path1:[attr]:path2
1004 1034 comment=from path:
1005 1035 comment=to path
1006 1036
1007 1037 label=AUE_LSEEK
1008 1038 skip=Not used.
1009 1039
1010 1040 label=AUE_LSTAT
1011 1041 format=path:[attr]
1012 1042
1013 1043 label=AUE_LXSTAT
1014 1044 # obsolete
1015 1045 skip=Not used.
1016 1046
1017 1047 label=AUE_MCTL
1018 1048 skip=Not used.
1019 1049
1020 1050 label=AUE_MEMCNTL
1021 1051 format=arg1:arg2:arg3:arg4:arg5:arg6
1022 1052 comment=1, base address, "base":
1023 1053 comment=2, length, "len":
1024 1054 comment=3, command, "cmd":
1025 1055 comment=4, command args, "arg":
1026 1056 comment=5, command attributes, "attr":
1027 1057 comment=6, 0, "mask"
1028 1058
1029 1059 label=AUE_MKDIR
1030 1060 format=arg1:path:[attr]
1031 1061 comment=2, mode, "mode"
1032 1062
1033 1063 label=AUE_MKNOD
1034 1064 format=arg1:arg2:path:[attr]
1035 1065 comment=2, mode, "mode":
1036 1066 comment=3, dev, "dev"
1037 1067
1038 1068 label=AUE_MMAP
1039 1069 case=With a valid file descriptor
1040 1070 format=arg1:arg2:[path]3:[attr]
1041 1071 comment=1, segment address, "addr":
1042 1072 comment=2, segment address, "len":
1043 1073 comment=if no path, then argument: \
1044 1074 1, "nopath: fd", file descriptor
1045 1075 case=With an invalid file descriptor
1046 1076 format=arg1:arg2:arg3
1047 1077 comment=1, segment address, "addr":
1048 1078 comment=2, segment address, "len":
1049 1079 comment=1, file descriptor, "no path: fd"
1050 1080
1051 1081 label=AUE_MODADDMAJ
1052 1082 title=modctl: bind module
1053 1083 syscall=modctl
1054 1084 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1055 1085 comment=driver major number:
1056 1086 comment=driver name:
1057 1087 comment=driver major number or "no drvname":
1058 1088 comment=5, number of aliases, "":
1059 1089 comment=aliases
1060 1090
1061 1091 label=AUE_MODADDPRIV
1062 1092 format=kernel
1063 1093
1064 1094 label=AUE_MODCONFIG
1065 1095 skip=Not used.
1066 1096
1067 1097 label=AUE_MODCTL
1068 1098 skip=Not used. (placeholder)
1069 1099
1070 1100 label=AUE_MODDEVPLCY
1071 1101 syscall=modctl
1072 1102 title=modctl: set device policy
1073 1103 case=If unknown minor name/pattern
1074 1104 format=arg1:arg2:arg3:arg4:arg5
1075 1105 comment=2, "major", major number:
1076 1106 comment=2, "lomin", low minor number, if known:
1077 1107 comment=2, "himin", hi minor number, if known:
1078 1108 comment=privileges required for reading:
1079 1109 comment=privileges required for writing
1080 1110 case=else
1081 1111 format=arg1:text2:arg3:arg4
1082 1112 comment=2, "major", major number:
1083 1113 comment=minor name/pattern:
1084 1114 comment=privileges required for reading:
1085 1115 comment=privileges required for writing
1086 1116
1087 1117 label=AUE_MODLOAD
1088 1118 syscall=modctl
1089 1119 title=modctl: load module
1090 1120 format=[text]1:text2
1091 1121 comment=default path:
1092 1122 comment=filename path
1093 1123
1094 1124 label=AUE_MODUNLOAD
1095 1125 syscall=modctl
1096 1126 title=modctl: unload module
1097 1127 format=arg1
1098 1128 comment=1, module ID, "id"
1099 1129
1100 1130 label=AUE_MOUNT
1101 1131 case=UNIX file system
1102 1132 format=arg1:text2:path:[attr]
1103 1133 comment=3, flags, "flags":
1104 1134 comment=filesystem type
1105 1135 case=NFS file system
1106 1136 format=arg1:text2:text3:arg4:path:[attr]
1107 1137 comment=3, flags, "flags":
1108 1138 comment=filesystem type:
1109 1139 comment=host name:
1110 1140 comment=3, flags, "internal flags"
1111 1141 # unix example:
1112 1142 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1113 1143 # argument,3,0x104,flags
1114 1144 # text,ufs
1115 1145 # path,/var2
1116 1146 # attribute,40755,root,root,32,12160,0
1117 1147 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1118 1148 # attribute,60640,root,sys,32,231268,137438953476
1119 1149 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1120 1150 # return,success,4290707268
1121 1151 # ^^^^^^^^^^ <- bugid 4333559
1122 1152
1123 1153 label=AUE_MSGCTL
1124 1154 format=arg1:[ipc]:[ipc_perm]
1125 1155 comment=1, message ID, "msg ID"
1126 1156 note=ipc_perm
1127 1157 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1128 1158
1129 1159 label=AUE_MSGCTL_RMID
1130 1160 format=arg1:[ipc]:[ipc_perm]
1131 1161 comment=1, message ID, "msg ID"
1132 1162 note=ipc_perm
1133 1163 syscall=msgctl: IPC_RMID
1134 1164 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1135 1165
1136 1166 label=AUE_MSGCTL_SET
1137 1167 format=arg1:[ipc]:[ipc_perm]
1138 1168 comment=1, message ID, "msg ID"
1139 1169 note=ipc_perm
1140 1170 syscall=msgctl: IPC_SET
1141 1171 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1142 1172
1143 1173 label=AUE_MSGCTL_STAT
1144 1174 format=arg1:[ipc]:[ipc_perm]
1145 1175 comment=1, message ID, "msg ID"
1146 1176 note=ipc_perm
1147 1177 syscall=msgctl: IPC_STAT
1148 1178 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1149 1179
1150 1180 label=AUE_MSGGET
1151 1181 format=arg1:ipc
1152 1182 comment=1, message key, "msg key"
1153 1183 note=ipc_perm
1154 1184 syscall=msgget
1155 1185
1156 1186 label=AUE_MSGGETL
1157 1187 skip=Not used.
1158 1188
1159 1189 label=AUE_MSGRCV
1160 1190 format=arg1:[ipc]:[ipc_perm]
1161 1191 comment=1, message ID, "msg ID"
1162 1192 note=ipc_perm
1163 1193 syscall=msgrcv
1164 1194 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1165 1195
1166 1196 label=AUE_MSGRCVL
1167 1197 skip=Not used.
1168 1198
1169 1199 label=AUE_MSGSND
1170 1200 format=arg1:[ipc]:[ipc_perm]
1171 1201 comment=1, message ID, "msg ID"
1172 1202 note=ipc_perm
1173 1203 syscall=msgsnd
1174 1204 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1175 1205
1176 1206 label=AUE_MSGSNDL
1177 1207 skip=Not used.
1178 1208
1179 1209 label=AUE_MSGSYS
1180 1210 skip=Not used. (Placeholder for AUE_MSG* events.)
1181 1211
1182 1212 label=AUE_MUNMAP
1183 1213 format=arg1:arg2
1184 1214 comment=1, address of memory, "addr":
1185 1215 comment=2, memory segment size, "len"
1186 1216
1187 1217 label=AUE_NFS
1188 1218 skip=Not used.
1189 1219
1190 1220 label=AUE_NFSSVC_EXIT
1191 1221 skip=Not used.
1192 1222
1193 1223 label=AUE_NFS_GETFH
1194 1224 skip=Not used.
1195 1225
1196 1226 label=AUE_NFS_SVC
1197 1227 skip=Not used.
1198 1228
1199 1229 label=AUE_NICE
1200 1230 format=kernel
1201 1231
1202 1232 label=AUE_NULL
1203 1233 skip=Not used. (placeholder)
1204 1234 # used internal to audit_event.c for minimal audit
1205 1235
1206 1236 label=AUE_NTP_ADJTIME
1207 1237 format=kernel
1208 1238
1209 1239 label=AUE_ONESIDE
1210 1240 skip=Not used.
1211 1241
1212 1242 label=AUE_OPEN
1213 1243 skip=Not used. (placeholder for AUE_OPEN_*).
1214 1244
1215 1245 label=AUE_OPEN_R
1216 1246 format=path:[path_attr]:[attr]
1217 1247 see=open(2) - read
1218 1248
1219 1249 label=AUE_OPENAT_R
1220 1250 # obsolete
1221 1251 format=path:[path_attr]:[attr]
1222 1252 see=openat(2)
1223 1253
1224 1254 label=AUE_OPEN_RC
1225 1255 format=path:[path_attr]:[attr]
1226 1256 see=open(2) - read,creat
1227 1257
1228 1258 label=AUE_OPENAT_RC
1229 1259 # obsolete
1230 1260 see=openat(2)
1231 1261 format=path:[path_attr]:[attr]
1232 1262
1233 1263 label=AUE_OPEN_RT
1234 1264 format=path:[path_attr]:[attr]
1235 1265 see=open(2) - read,trunc
1236 1266
1237 1267 label=AUE_OPENAT_RT
1238 1268 # obsolete
1239 1269 see=openat(2)
1240 1270 format=path:[path_attr]:[attr]
1241 1271
1242 1272 label=AUE_OPEN_RTC
1243 1273 format=path:[path_attr]:[attr]
1244 1274 see=open(2) - read,trunc,creat
1245 1275
1246 1276 label=AUE_OPENAT_RTC
1247 1277 # obsolete
1248 1278 see=openat(2)
1249 1279 format=path:[path_attr]:[attr]
1250 1280
1251 1281 label=AUE_OPEN_RW
1252 1282 format=path:[path_attr]:[attr]
1253 1283 see=open(2) - read,write
1254 1284
1255 1285 label=AUE_OPENAT_RW
1256 1286 # obsolete
1257 1287 see=openat(2)
1258 1288 format=path:[path_attr]:[attr]
1259 1289 # aui_fsat(): fm & O_RDWR
1260 1290
1261 1291 label=AUE_OPEN_RWC
1262 1292 format=path:[path_attr]:[attr]
1263 1293 see=open(2) - read,write,creat
1264 1294
1265 1295 label=AUE_OPENAT_RWC
1266 1296 # obsolete
1267 1297 see=openat(2)
1268 1298 format=path:[path_attr]:[attr]
1269 1299
1270 1300 label=AUE_OPEN_RWT
1271 1301 format=path:[path_attr]:[attr]
1272 1302 see=open(2) - read,write,trunc
1273 1303
1274 1304 label=AUE_OPENAT_RWT
1275 1305 # obsolete
1276 1306 see=openat(2)
1277 1307 format=path:[path_attr]:[attr]
1278 1308
1279 1309 label=AUE_OPEN_RWTC
1280 1310 format=path:[path_attr]:[attr]
1281 1311 see=open(2) - read,write,trunc,creat
1282 1312
1283 1313 label=AUE_OPENAT_RWTC
1284 1314 # obsolete
1285 1315 see=openat(2)
1286 1316 format=path:[path_attr]:[attr]
1287 1317
1288 1318 label=AUE_OPEN_W
1289 1319 format=path:[path_attr]:[attr]
1290 1320 see=open(2) - write
1291 1321
1292 1322 label=AUE_OPENAT_W
1293 1323 see=openat(2)
1294 1324 format=path:[path_attr]:[attr]
1295 1325
1296 1326 label=AUE_OPEN_WC
1297 1327 format=path:[path_attr]:[attr]
1298 1328 see=open(2) - write,creat
1299 1329
1300 1330 label=AUE_OPENAT_WC
1301 1331 see=openat(2)
1302 1332 format=path:[path_attr]:[attr]
1303 1333
1304 1334 label=AUE_OPEN_WT
1305 1335 format=path:[path_attr]:[attr]
1306 1336 see=open(2) - write,trunc
1307 1337
1308 1338 label=AUE_OPENAT_WT
1309 1339 see=openat(2)
1310 1340 format=path:[path_attr]:[attr]
1311 1341
1312 1342 label=AUE_OPEN_WTC
1313 1343 format=path:[path_attr]:[attr]
1314 1344 see=open(2) - write,trunc,creat
1315 1345
1316 1346 label=AUE_OPENAT_WTC
1317 1347 see=openat(2)
1318 1348 format=path:[path_attr]:[attr]
1319 1349
1320 1350 label=AUE_OPEN_S
1321 1351 format=path:[path_attr]:[attr]
1322 1352 see=open(2) - search
1323 1353
1324 1354 label=AUE_OPEN_E
1325 1355 format=path:[path_attr]:[attr]
1326 1356 see=open(2) - exec
1327 1357
1328 1358 label=AUE_OSETPGRP
1329 1359 skip=Not used.
1330 1360
1331 1361 label=AUE_OSTAT
1332 1362 # obsolete
1333 1363 skip=Not used.
1334 1364
1335 1365 label=AUE_PATHCONF
1336 1366 format=path:[attr]
1337 1367
1338 1368 label=AUE_PIPE
1339 1369 format=kernel
1340 1370 # class is no, not usually printed
1341 1371
1342 1372 label=AUE_PORTFS
1343 1373 skip=Not used (placeholder for AUE_PORTFS_*).
1344 1374
1345 1375 label=AUE_PORTFS
1346 1376 skip=Not used (placeholder for AUE_PORTFS_*).
1347 1377
1348 1378 label=AUE_PORTFS_ASSOCIATE
1349 1379 syscall=portfs
1350 1380 see=port_associate(3C)
1351 1381 case=Port association via PORT_SOURCE_FILE
1352 1382 format=[path]1:attr
1353 1383 comment=name of the file/directory to be watched
1354 1384
1355 1385 label=AUE_PORTFS_DISSOCIATE
1356 1386 syscall=portfs
1357 1387 see=port_dissociate(3C)
1358 1388 case=Port disassociation via PORT_SOURCE_FILE
1359 1389 format=kernel
1360 1390
1361 1391 label=AUE_PRIOCNTLSYS
1362 1392 syscall=priocntl
1363 1393 see=priocntl(2)
1364 1394 format=arg1:arg2
1365 1395 comment=1, priocntl version number, "pc_version":
1366 1396 comment=3, command, "cmd"
1367 1397
1368 1398 label=AUE_PROCESSOR_BIND
1369 1399 case=No LWP/thread bound to the processor
1370 1400 format=arg1:arg2:text3:[proc]
1371 1401 comment=1, type of ID, "ID type":
1372 1402 comment=2, ID value, "ID":
1373 1403 comment="PBIND_NONE"
1374 1404 case=With processor bound
1375 1405 format=arg1:arg2:arg3:[proc]
1376 1406 comment=1, type of ID, "ID type":
1377 1407 comment=2, ID value, "ID":
1378 1408 comment=3, processor ID, "processor_id"
1379 1409
1380 1410 label=AUE_PUTMSG
1381 1411 see=putmsg(2)
1382 1412 format=arg1:[path]:[attr]:arg2
1383 1413 comment=1, file descriptor, "fd":
1384 1414 comment=4, priority, "pri"
1385 1415
1386 1416 label=AUE_PUTPMSG
1387 1417 see=putpmsg(2)
1388 1418 format=arg1:[path]:[attr]:arg2:arg3
1389 1419 comment=1, file descriptor, "fd":
1390 1420 comment=4, priority, "pri":
1391 1421 comment=5, flags, "flags"
1392 1422
1393 1423 label=AUE_P_ONLINE
1394 1424 format=arg1:arg2:text3
1395 1425 comment=1, processor ID, "processor ID":
1396 1426 comment=2, flags value, "flags":
1397 1427 comment=text form of flags. Values: \
1398 1428 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS, P_DISABLED
1399 1429
1400 1430 label=AUE_QUOTACTL
1401 1431 skip=Not used.
1402 1432
1403 1433 label=AUE_READ
1404 1434 skip=Not used. (Placeholder for AUE_READ_* events)
1405 1435
1406 1436 label=AUE_READL
1407 1437 skip=Not used. (Obsolete)
1408 1438
1409 1439 label=AUE_READLINK
1410 1440 format=path:[attr]
1411 1441
1412 1442 label=AUE_READV
1413 1443 skip=Not used (obsolete)
1414 1444 # detritus from CMS
1415 1445
1416 1446 label=AUE_READVL
1417 1447 skip=Not used (obsolete)
1418 1448 # detritus from CMS
1419 1449
1420 1450 label=AUE_REBOOT
1421 1451 skip=Not used.
1422 1452
1423 1453 label=AUE_RECV
1424 1454 case=If address family is AF_INET or AF_INET6
1425 1455 format=[arg]1:[inet]
1426 1456 comment=1, file descriptor, "so"
1427 1457 case=If address family is AF_UNIX and path is defined
1428 1458 format=[path]1:[attr]
1429 1459 comment=1, file descriptor, "so"
1430 1460 case=If address family is AF_UNIX and path is NULL
1431 1461 format=[path]1:[attr]
1432 1462 comment=1, file descriptor, "no path: fd"
1433 1463 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1434 1464 format=[arg]1:[arg]2:[arg]3
1435 1465 comment=1, file descriptor, "so":
1436 1466 comment=1, family, "family":
1437 1467 comment=1, type, "type"
1438 1468 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1439 1469
1440 1470 label=AUE_RECVFROM
1441 1471 format=inet:arg1:[arg]2:inet3:arg4
1442 1472 comment=3, message length, "len":
1443 1473 comment=4, flags, "flags":
1444 1474 comment=from address:
1445 1475 comment=6, address length, "tolen"
1446 1476 note=The socket token for a bad socket is reported as "argument
1447 1477 note=token (1, socket descriptor, "fd")"
1448 1478
1449 1479 label=AUE_RECVMSG
1450 1480 case=If invalid file descriptor
1451 1481 format=arg1:arg2
1452 1482 comment=1, file descriptor, "so":
1453 1483 comment=3, flags, "flags"
1454 1484 case=If valid file descriptor and socket is AF_UNIX and no path
1455 1485 format=arg1:[attr]
1456 1486 comment=1, file descriptor, "no path: fd"
1457 1487 case=If valid file descriptor and socket is AF_UNIX and path defined
1458 1488 format=path:attr
1459 1489 case=If valid file descriptor and socket is AF_INET or AF_INET6
1460 1490 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1461 1491 format=arg1:arg2:inet
1462 1492 comment=1, file descriptor, "so":
1463 1493 comment=2, flags, "flags"
1464 1494 case=.. if socket type is unknown
1465 1495 format=arg1:arg2:arg3:arg4
1466 1496 comment=1, file descriptor, "so":
1467 1497 comment=1, family, "family":
1468 1498 comment=1, type, "type":
1469 1499 comment=3, flags, "flags"
1470 1500
1471 1501 label=AUE_RENAME
1472 1502 format=path1:[attr]1:[path]2
1473 1503 comment=from name:
1474 1504 comment=to name
1475 1505
1476 1506 label=AUE_RENAMEAT
1477 1507 # obsolete
1478 1508 format=path1:[attr]1:[path]2
1479 1509 comment=from name:
1480 1510 comment=to name
1481 1511
1482 1512 label=AUE_RFSSYS
1483 1513 skip=Not used.
1484 1514 # apparently replaced
1485 1515
1486 1516 label=AUE_RMDIR
1487 1517 format=path:[attr]
1488 1518
1489 1519 label=AUE_SACL
1490 1520 title=File Access Audit
1491 1521 syscall=none
1492 1522 see=none
1493 1523 format=head:path:arg1:[text]2:subj
1494 1524 comment="access_mask":
1495 1525 comment="Windows SID"
1496 1526
1497 1527 label=AUE_SEMCTL
1498 1528 format=arg1:[ipc]:[ipc_perm]
1499 1529 comment=1, semaphore ID, "sem ID"
1500 1530 note=ipc_perm
1501 1531 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1502 1532
1503 1533 label=AUE_SEMCTL_GETALL
1504 1534 format=arg1:[ipc]:[ipc_perm]
1505 1535 comment=1, semaphore ID, "sem ID"
1506 1536 note=ipc_perm
1507 1537 syscall=semctl: GETALL
1508 1538 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1509 1539
1510 1540 label=AUE_SEMCTL_GETNCNT
1511 1541 format=arg1:[ipc]:[ipc_perm]
1512 1542 comment=1, semaphore ID, "sem ID"
1513 1543 note=ipc_perm
1514 1544 syscall=semctl: GETNCNT
1515 1545 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1516 1546
1517 1547 label=AUE_SEMCTL_GETPID
1518 1548 format=arg1:[ipc]:[ipc_perm]
1519 1549 comment=1, semaphore ID, "sem ID"
1520 1550 note=ipc_perm
1521 1551 syscall=semctl: GETPID
1522 1552 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1523 1553
1524 1554 label=AUE_SEMCTL_GETVAL
1525 1555 format=arg1:[ipc]:[ipc_perm]
1526 1556 comment=1, semaphore ID, "sem ID"
1527 1557 note=ipc_perm
1528 1558 syscall=semctl: GETVAL
1529 1559 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1530 1560
1531 1561 label=AUE_SEMCTL_GETZCNT
1532 1562 format=arg1:[ipc]:[ipc_perm]
1533 1563 comment=1, semaphore ID, "sem ID"
1534 1564 note=ipc_perm
1535 1565 syscall=semctl: GETZCNT
1536 1566 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1537 1567
1538 1568 label=AUE_SEMCTL_RMID
1539 1569 format=arg1:[ipc]:[ipc_perm]
1540 1570 comment=1, semaphore ID, "sem ID"
1541 1571 note=ipc_perm
1542 1572 syscall=semctl: IPC_RMID
1543 1573 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1544 1574
1545 1575 label=AUE_SEMCTL_SET
1546 1576 format=arg1:[ipc]:[ipc_perm]
1547 1577 comment=1, semaphore ID, "sem ID"
1548 1578 note=ipc_perm
1549 1579 syscall=semctl: IPC_SET
1550 1580 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1551 1581
1552 1582 label=AUE_SEMCTL_SETALL
1553 1583 format=arg1:[ipc]:[ipc_perm]
1554 1584 comment=1, semaphore ID, "sem ID"
1555 1585 note=ipc_perm
1556 1586 syscall=semctl: SETALL
1557 1587 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1558 1588
1559 1589 label=AUE_SEMCTL_SETVAL
1560 1590 format=arg1:[ipc]:[ipc_perm]
1561 1591 comment=1, semaphore ID, "sem ID"
1562 1592 note=ipc_perm
1563 1593 syscall=semctl: SETVAL
1564 1594 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1565 1595
1566 1596 label=AUE_SEMCTL_STAT
1567 1597 format=arg1:[ipc]:[ipc_perm]
1568 1598 comment=1, semaphore ID, "sem ID"
1569 1599 note=ipc_perm
1570 1600 syscall=semctl: IPC_STAT
1571 1601 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1572 1602
1573 1603 label=AUE_SEMGET
1574 1604 format=arg1:[ipc_perm]:ipc
1575 1605 comment=1, semaphore ID, "sem key"
1576 1606 note=ipc_perm
1577 1607 syscall=semctl: SETVAL
1578 1608 # ipc_perm token: semget -> audit_ipcget
1579 1609
1580 1610 label=AUE_SEMGETL
1581 1611 skip=Not used.
1582 1612
1583 1613 label=AUE_SEMOP
1584 1614 format=arg1:[ipc]:[ipc_perm]
1585 1615 comment=1, semaphore ID, "sem ID"
1586 1616 note=ipc_perm
1587 1617 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1588 1618
1589 1619 label=AUE_SEMSYS
1590 1620 skip=Not used. (place holder) -- defaults to a semget variant
1591 1621
1592 1622 label=AUE_SEND
1593 1623 case=If address family is AF_INET or AF_INET6
1594 1624 format=[arg]1:[inet]
1595 1625 comment=1, file descriptor, "so"
1596 1626 case=If address family is AF_UNIX and path is defined
1597 1627 format=[path]1:[attr]
1598 1628 comment=1, file descriptor, "so"
1599 1629 case=If address family is AF_UNIX and path is NULL
1600 1630 format=[path]1:[attr]
1601 1631 comment=1, file descriptor, "no path: fd"
1602 1632 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1603 1633 format=[arg]1:[arg]2:[arg]3
1604 1634 comment=1, file descriptor, "so":
1605 1635 comment=1, family, "family":
1606 1636 comment=1, type, "type"
1607 1637 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1608 1638
1609 1639 label=AUE_SENDMSG
1610 1640 case=If invalid file descriptor
1611 1641 format=arg1:arg2
1612 1642 comment=1, file descriptor, "so":
1613 1643 comment=3, flags, "flags"
1614 1644 case=If valid file descriptor
1615 1645 case=...and address family is AF_UNIX and path is defined
1616 1646 format=path:attr
1617 1647 case=...and address family is AF_UNIX and path is NULL
1618 1648 format=path1:attr
1619 1649 comment=1, file descriptor, "nopath: fd"
1620 1650 case=...and address family is AF_INET or AF_INET6, \
1621 1651 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1622 1652 format=arg1:arg2:inet
1623 1653 comment=1, file descriptor, "so":
1624 1654 comment=3, flags, "flags"
1625 1655 case=...and unknown address family or address family AF_INET or AF_INET6 \
1626 1656 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1627 1657 format=arg1:arg2:arg3:arg4
1628 1658 comment=1, file descriptor, "so":
1629 1659 comment=1, family, "family":
1630 1660 comment=1, type, "type":
1631 1661 comment=1, flags, "flags"
1632 1662
1633 1663 label=AUE_SENDTO
1634 1664 case=If invalid file descriptor
1635 1665 format=arg1:arg2
1636 1666 comment=1, file descriptor, "so":
1637 1667 comment=3, flags, "flags"
1638 1668 case=If valid file descriptor
1639 1669 case=...and socket is AF_UNIX and path is defined
1640 1670 format=path:attr
1641 1671 case=...and address family is AF_UNIX and path is NULL
1642 1672 format=path1:attr
1643 1673 comment=1, file descriptor, "nopath: fd"
1644 1674 case=...and address family is AF_INET or AF_INET6
1645 1675 format=arg1:arg2:inet
1646 1676 comment=1, file descriptor, "so":
1647 1677 comment=3, flags, "flags"
1648 1678 case=...and unknown address family
1649 1679 format=arg1:arg2:arg3:arg4
1650 1680 comment=1, file descriptor, "so":
1651 1681 comment=1, family, "family":
1652 1682 comment=1, type, "type":
1653 1683 comment=1, flags, "flags"
1654 1684
1655 1685 label=AUE_SETAUDIT
1656 1686 case=With a valid program stack address
1657 1687 format=arg1:arg2:arg3:arg4:arg5:arg6
1658 1688 comment=1, audit user ID, "setaudit:auid":
1659 1689 comment=1, terminal ID, "setaudit:port":
1660 1690 comment=1, terminal ID, "setaudit:machine":
1661 1691 comment=1, preselection mask, "setaudit:as_success":
1662 1692 comment=1, preselection mask, "setaudit:as_failure":
1663 1693 comment=1, audit session ID, "setaudit:asid"
1664 1694 case=With an invalid program stack address
1665 1695 format=kernel
1666 1696 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1667 1697 # argument,1,0x271a,setaudit:auid
1668 1698 # argument,1,0x3ff0201,setaudit:port
1669 1699 # argument,1,0x8192591e,setaudit:machine
1670 1700 # argument,1,0x400,setaudit:as_success
1671 1701 # argument,1,0x400,setaudit:as_failure
1672 1702 # argument,1,0x16f,setaudit:asid
1673 1703 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1674 1704 # return,success,0
1675 1705 # trailer,215
1676 1706 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1677 1707 # argument,1,0x271a,setaudit:auid
1678 1708 # argument,1,0x3ff0201,setaudit:port
1679 1709 # argument,1,0x8192591e,setaudit:machine
1680 1710 # argument,1,0x400,setaudit:as_success
1681 1711 # argument,1,0x400,setaudit:as_failure
1682 1712 # argument,1,0x16f,setaudit:asid
1683 1713 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1684 1714 # return,success,0
1685 1715 # trailer,215
1686 1716
1687 1717 label=AUE_SETAUDIT_ADDR
1688 1718 case=With a valid program stack address
1689 1719 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1690 1720 comment=1, audit user ID, "auid":
1691 1721 comment=1, terminal ID, "port":
1692 1722 comment=1, type, "type":
1693 1723 comment=1, terminal ID, "ip address":
1694 1724 comment=1, preselection mask, "as_success":
1695 1725 comment=1, preselection mask, "as_failure":
1696 1726 comment=1, audit session ID, "asid"
1697 1727 case=With an invalid program stack address
1698 1728 format=kernel
1699 1729 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1700 1730 # argument,1,0x15fa7,auid
1701 1731 # argument,1,0x0,port
1702 1732 # argument,1,0x4,type
1703 1733 # ip address,tmach2
1704 1734 # argument,1,0x9c00,as_success
1705 1735 # argument,1,0x9c00,as_failure
1706 1736 # argument,1,0x1f1,asid
1707 1737 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1708 1738 # return,success,0
1709 1739
1710 1740 label=AUE_SETAUID
1711 1741 format=arg1
1712 1742 comment=2, audit user ID, "setauid"
1713 1743
1714 1744 label=AUE_SETDOMAINNAME
1715 1745 skip=Not used. (See AUE_SYSINFO)
1716 1746 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1717 1747
1718 1748 label=AUE_SETEGID
1719 1749 format=arg1
1720 1750 comment=1, group ID, "gid"
1721 1751
1722 1752 label=AUE_SETEUID
1723 1753 format=arg1
1724 1754 comment=1, user ID, "euid"
1725 1755
1726 1756 label=AUE_SETGID
1727 1757 format=arg1
1728 1758 comment=1, group ID, "gid"
1729 1759
1730 1760 label=AUE_SETGROUPS
1731 1761 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1732 1762 note=no tokens are generated.
1733 1763 case=If no groups in list
1734 1764 format=[arg]1
1735 1765 comment=1, 0, "setgroups"
1736 1766 case=If 1 or more groups in list
1737 1767 format=(1..n)arg1
1738 1768 comment=1, gid, "setgroups"
1739 1769
1740 1770 label=AUE_SETHOSTNAME
1741 1771 skip=Not used. (See AUE_SYSINFO)
1742 1772 # See sysinfo call with command SI_SET_HOSTNAME
1743 1773
1744 1774 label=AUE_SETKERNSTATE
1745 1775 skip=Not used.
1746 1776
1747 1777 label=AUE_SETPGID
1748 1778 format=[proc]:[arg]1
1749 1779 comment=2, pgid, "pgid"
1750 1780
1751 1781 label=AUE_SETPGRP
1752 1782 format=kernel
1753 1783
1754 1784 label=AUE_SETPRIORITY
1755 1785 skip=Not used.
1756 1786
1757 1787 label=AUE_SETPPRIV
1758 1788 case=operation privileges off
1759 1789 format=arg1:privset2
1760 1790 comment=setppriv operation:
1761 1791 comment=privileges actually switched off
1762 1792 case=operation privileges on
1763 1793 format=arg1:privset2
1764 1794 comment=setppriv operation:
1765 1795 comment=privileges actually switched on
1766 1796 case=operation privileges off
1767 1797 format=arg1:privset2:privset3
1768 1798 comment=setppriv operation:
1769 1799 comment=privileges before privset:
1770 1800 comment=privileges after privset
1771 1801 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1772 1802 #argument,2,0x2,op
1773 1803 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1774 1804 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1775 1805 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1776 1806 #return,success,0
1777 1807
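Review bot: the third case of the AUE_SETPPRIV record repeats the heading of the first, `case=operation privileges off`, yet its `format=arg1:privset2:privset3` and the comments `privileges before privset:` / `privileges after privset` describe a different operation from the two-token cases above it; give this case a heading that matches the before/after comments so the generated attribute file does not show two identical case headings with different token layouts.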
1778 1808 label=AUE_SETREGID
1779 1809 format=arg1:arg2
1780 1810 comment=1, real group ID, "rgid":
1781 1811 comment=2, effective group ID, "egid"
1782 1812
1783 1813 label=AUE_SETREUID
1784 1814 format=arg1:arg2
1785 1815 comment=1, real user ID, "ruid":
1786 1816 comment=2, effective user ID, "euid"
1787 1817
1788 1818 label=AUE_SETRLIMIT
1789 1819 format=kernel
1790 1820 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1791 1821 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1792 1822 # return,success,0
1793 1823
1794 1824 label=AUE_SETSID
1795 1825 format=kernel
1796 1826
1797 1827 label=AUE_SETSOCKOPT
1798 1828 case=Invalid file descriptor
1799 1829 format=arg1:arg2
1800 1830 comment=1, file descriptor, "so":
1801 1831 comment=2, level, "level"
1802 1832 case=Valid file descriptor
1803 1833 case=...and socket is AF_UNIX
1804 1834 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1805 1835 comment=if no path, will be argument: 1, "nopath: fd", \
1806 1836 file descriptor:
1807 1837 comment=1, file descriptor, "so":
1808 1838 comment=1, family, "family":
1809 1839 comment=1, type, "type":
1810 1840 comment=2, protocol level, "level":
1811 1841 comment=3, option name, "optname":
1812 1842 comment=5, option length, "optlen":
1813 1843 comment=option data
1814 1844 case=...and socket is AF_INET or AF_INET6
1815 1845 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1816 1846 comment=1, file descriptor, "so":
1817 1847 comment=2, protocol level, "level":
1818 1848 comment=3, option name, "optname":
1819 1849 comment=5, option length, "optlen":
1820 1850 comment=option data
1821 1851 case=...and socket adddress family is unknown
1822 1852 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1823 1853 comment=1, file descriptor, "so":
1824 1854 comment=1, family, "family":
1825 1855 comment=1, type, "type":
1826 1856 comment=2, protocol level, "level":
1827 1857 comment=3, option name, "optname":
1828 1858 comment=5, option length, "optlen":
1829 1859 comment=option data
1830 1860
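Review bot: typo in the AUE_SETSOCKOPT record, `case=...and socket adddress family is unknown` should read `address`.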
1831 1861 label=AUE_SETTIMEOFDAY
1832 1862 skip=Not used.
1833 1863
1834 1864 label=AUE_SETUID
1835 1865 syscall=setuid
1836 1866 format=arg1
1837 1867 comment=1, "uid" to be set
1838 1868
1839 1869 label=AUE_SETUSERAUDIT
1840 1870 skip=Not used.
1841 1871
1842 1872 label=AUE_SHMAT
1843 1873 format=arg1:arg2:[ipc]:[ipc_perm]
1844 1874 comment=1, shared memory ID, "shm ID":
1845 1875 comment=2, shared mem addr, "shm addr"
1846 1876 note=ipc_perm
1847 1877 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1848 1878
1849 1879 label=AUE_SHMCTL
1850 1880 format=arg1:[ipc]:[ipc_perm]
1851 1881 comment=1, shared memory ID, "shm ID"
1852 1882 note=ipc_perm
1853 1883 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1854 1884
1855 1885 label=AUE_SHMCTL_RMID
1856 1886 format=arg1:[ipc]:[ipc_perm]
1857 1887 comment=1, shared memory ID, "shm ID"
1858 1888 note=ipc_perm
1859 1889 syscall=semctl: IPC_RMID
1860 1890 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1861 1891
1862 1892 label=AUE_SHMCTL_SET
1863 1893 format=arg1:[ipc]:[ipc_perm]
1864 1894 comment=1, shared memory ID, "shm ID"
1865 1895 note=ipc_perm
1866 1896 syscall=semctl: IPC_SET
1867 1897 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1868 1898
1869 1899 label=AUE_SHMCTL_STAT
1870 1900 format=arg1:[ipc]:[ipc_perm]
1871 1901 comment=1, shared memory ID, "shm ID"
1872 1902 note=ipc_perm
1873 1903 syscall=semctl: IPC_STAT
1874 1904 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1875 1905
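Review bot: the AUE_SHMCTL_RMID, AUE_SHMCTL_SET and AUE_SHMCTL_STAT records carry `syscall=semctl: IPC_RMID`, `syscall=semctl: IPC_SET` and `syscall=semctl: IPC_STAT`, but the labels and the trailing comments (`shmctl -> ipc_lookup -> audit_ipc`) are about shmctl(2), not semctl(2); change the syscall attribute to `shmctl: IPC_RMID` and so on in all three so the record documentation names the right system call.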
1876 1906 label=AUE_SHMDT
1877 1907 format=arg1
1878 1908 comment=1, shared memory address, "shm adr"
1879 1909
1880 1910 label=AUE_SHMGET
1881 1911 format=arg1:[ipc_perm]:[ipc]
1882 1912 comment=0, shared memory key, "shm key"
1883 1913 note=ipc_perm
1884 1914 # ipc_perm: shmget -> audit_ipcget
1885 1915
1886 1916 label=AUE_SHMGETL
1887 1917 skip=Not used.
1888 1918
1889 1919 label=AUE_SHMSYS
1890 1920 skip=Not used. (Placeholder for shmget and shmctl*)
1891 1921
1892 1922 label=AUE_SHUTDOWN
1893 1923 case=If the socket address is invalid
1894 1924 format=[arg]1:[text]2:[text]3
1895 1925 comment=1, file descriptor, "fd":
1896 1926 comment=bad socket address:
1897 1927 comment=bad peer address
1898 1928 case=If the socket address is part of the AF_INET family
1899 1929 case=..with zero file descriptor
1900 1930 format=arg1:[arg]2:[arg]3:[arg]4
1901 1931 comment=1, file descriptor, "so":
1902 1932 comment=1, family, "family":
1903 1933 comment=1, type, "type":
1904 1934 comment=2, how shutdown code, "how"
1905 1935 case=...with non-zero file descriptor
1906 1936 format=arg1:arg2:inet
1907 1937 comment=1, file descriptor, "so":
1908 1938 comment=2, how shutdown code, "how"
1909 1939 case=If the socket address is AF_UNIX
1910 1940 case=...with zero file descriptor
1911 1941 format=path1:arg2:[arg]3:[arg]4:[arg]5
1912 1942 comment=If error: argument: \
1913 1943 1, "no path: fd", file descriptor:
1914 1944 comment=1, file descriptor, "so":
1915 1945 comment=1, family, "family":
1916 1946 comment=1, type, "type":
1917 1947 comment=2, how shutdown code, "how"
1918 1948 case=...with non-zero file descriptor
1919 1949 format=path1:arg2:arg3:inet
1920 1950 comment=If error: argument: \
1921 1951 1, file descriptor, "no path: fd":
1922 1952 comment=1, file descriptor, "so":
1923 1953 comment=2, how shutdown code, "how"
1924 1954 #old BSM manual wrong; used audit_event.c
1925 1955
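Review bot: in the AUE_SHUTDOWN record the first sub-case under AF_INET is written `case=..with zero file descriptor` with two dots, while the sibling sub-cases use three (`case=...with non-zero file descriptor`); make the prefix consistent so the cases render the same way.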
1926 1956 label=AUE_SOCKACCEPT
1927 1957 syscall=getmsg: socket accept
1928 1958 format=inet:arg1:[path]:attr:arg2
1929 1959 comment=1, file descriptor, "fd":
1930 1960 comment=4, priority, "pri"
1931 1961 # see putmsg and getmsg for record format
1932 1962 # See audit.c for inet token and audit_start.c for other reference
1933 1963
1934 1964 label=AUE_SOCKCONFIG
1935 1965 format=arg1:arg2:arg3:[path]4
1936 1966 comment=1, domain address, "domain":
1937 1967 comment=2, type, "type":
1938 1968 comment=3, protocol, "protocol":
1939 1969 comment=If no path:argument -- 3, 0, "devpath"
1940 1970
1941 1971 label=AUE_SOCKCONNECT
1942 1972 syscall=putmsg: socket connect
1943 1973 format=inet:arg1:[path]:attr:arg2
1944 1974 comment=1, file descriptor, "fd":
1945 1975 comment=4, priority, "pri"
1946 1976 # same as AUE_SOCKACCEPT
1947 1977
1948 1978 label=AUE_SOCKET
1949 1979 format=arg1:[arg]2:arg3
1950 1980 comment=1, socket domain, "domain":
1951 1981 comment=2, socket type, "type":
1952 1982 comment=3, socket protocol, "protocol"
1953 1983
1954 1984 label=AUE_SOCKETPAIR
1955 1985 skip=Not used.
1956 1986 # unreferenced
1957 1987
1958 1988 label=AUE_SOCKRECEIVE
1959 1989 syscall=getmsg
1960 1990 format=inet:arg1:[path]:attr:arg2
1961 1991 comment=1, file descriptor, "fd":
1962 1992 comment=4, priority, "pri"
1963 1993 # see AUE_SOCKACCEPT
1964 1994
1965 1995 label=AUE_SOCKSEND
1966 1996 syscall=putmsg
1967 1997 format=inet:arg1:[path]:attr:arg2
1968 1998 comment=1, file descriptor, "fd":
1969 1999 comment=4, priority, "pri"
1970 2000 # see AUE_SOCKACCEPT
1971 2001
1972 2002 label=AUE_STAT
1973 2003 format=path:[attr]
1974 2004
1975 2005 label=AUE_STATFS
1976 2006 format=path:[attr]
1977 2007
1978 2008 label=AUE_STATVFS
1979 2009 format=path:[attr]
1980 2010
1981 2011 label=AUE_STIME
1982 2012 format=kernel
1983 2013
1984 2014 label=AUE_SWAPON
1985 2015 skip=Not used.
1986 2016
1987 2017 label=AUE_SYMLINK
1988 2018 format=path:text1:[attr]
1989 2019 comment=symbolic link string
1990 2020
1991 2021 label=AUE_SYSINFO
1992 2022 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1993 2023 note=are currently audited.
1994 2024 format=arg1:[text]2
1995 2025 comment=1, command, "cmd":
1996 2026 comment=name
1997 2027
1998 2028 label=AUE_SYSTEMBOOT
1999 2029 title=system booted
2000 2030 syscall=none
2001 2031 format=head:text1
2002 2032 comment="booting kernel"
2003 2033 # see audit_start.c and audit_io.c
2004 2034 # no subject or return / exit token
2005 2035 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
2006 2036 # text,booting kernel
2007 2037
2008 2038 label=AUE_TRUNCATE
2009 2039 skip=Not used.
2010 2040
2011 2041 label=AUE_UMOUNT
2012 2042 syscall=umount: old version
2013 2043 note=Implemented as call of the newer umount2(2).
2014 2044 format=path:arg1:[path]:[attr]
2015 2045 comment=2, mflag value = 0, "flags"
2016 2046
2017 2047 label=AUE_UMOUNT2
2018 2048 syscall=umount2
2019 2049 format=path:arg1:[path]:[attr]
2020 2050 comment=2, mflag value, "flags"
2021 2051
2022 2052 label=AUE_UNLINK
2023 2053 format=path:[attr]
2024 2054
2025 2055 label=AUE_UNLINKAT
2026 2056 # obsolete
2027 2057 see=openat(2)
2028 2058 format=path:[attr]
2029 2059
2030 2060 label=AUE_UNMOUNT
2031 2061 skip=Not used.
2032 2062
2033 2063 label=AUE_UTIME
2034 2064 # obsolete
2035 2065 format=path:[attr]
2036 2066
2037 2067 label=AUE_UTIMES
2038 2068 see=futimens(2)
2039 2069 format=path:[attr]
2040 2070
2041 2071 label=AUE_VFORK
2042 2072 format=arg1
2043 2073 comment=0, pid, "child PID"
2044 2074 note=The vfork(2) return values are undefined because the audit record is
2045 2075 note=produced at the point that the child process is spawned.
2046 2076
2047 2077 label=AUE_VPIXSYS
2048 2078 skip=Not used.
2049 2079
2050 2080 label=AUE_VTRACE
2051 2081 skip=Not used.
2052 2082
2053 2083 label=AUE_WRITE
2054 2084 format=path1:attr
2055 2085 comment=if no path, argument -- "1, file descriptor, "no path: fd"
2056 2086 note:An audit record is generated for write only once per file close.
2057 2087
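Review bot: the AUE_WRITE record has two malformed attribute lines. `note:An audit record is generated for write only once per file close.` uses a colon where every other attribute in this file uses `=`, so it is unlikely to be recognised as a note; and `comment=if no path, argument -- "1, file descriptor, "no path: fd"` has an unbalanced double quote before `1, file descriptor`. Suggest `note=An audit record is generated for write only once per file close.` and `comment=if no path, argument -- 1, file descriptor, "no path: fd"`.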
2058 2088 label=AUE_WRITEV
2059 2089 skip=Not used. (obsolete)
2060 2090
2061 2091 label=AUE_XMKNOD
2062 2092 # obsolete
2063 2093 skip=Not used.
2064 2094
2065 2095 label=AUE_XSTAT
2066 2096 # obsolete
2067 2097 skip=Not Used.
2068 2098
2069 2099 label=AUE_PF_POLICY_ADDRULE
2070 2100 title=Add IPsec policy rule
2071 2101 see=
2072 2102 syscall=none
2073 2103 format=arg1:arg2:[zone]3:[text]4
2074 2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2075 2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2076 2106 comment=affected zone:
2077 2107 comment=Name of target tunnel
2078 2108
2079 2109 label=AUE_PF_POLICY_DELRULE
2080 2110 title=Delete IPsec policy rule
2081 2111 see=
2082 2112 syscall=none
2083 2113 format=arg1:arg2:[zone]3:[text]4
2084 2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2085 2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2086 2116 comment=affected zone:
2087 2117 comment=Name of target tunnel
2088 2118
2089 2119 label=AUE_PF_POLICY_CLONE
2090 2120 title=Clone IPsec policy
2091 2121 see=
2092 2122 syscall=none
2093 2123 format=arg1:arg2:[zone]3:[text]4
2094 2124 comment=Operation applied to active policy (1 is active, 0 is inactive):
2095 2125 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2096 2126 comment=affected zone:
2097 2127 comment=Name of target tunnel
2098 2128
2099 2129 label=AUE_PF_POLICY_FLIP
2100 2130 title=Flip IPsec policy
2101 2131 see=
2102 2132 syscall=none
2103 2133 format=arg1:arg2:[zone]3:[text]4
2104 2134 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 2135 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 2136 comment=affected zone:
2107 2137 comment=Name of target tunnel
2108 2138
2109 2139 label=AUE_PF_POLICY_FLUSH
2110 2140 title=Flip IPsec policy rules
2111 2141 see=
2112 2142 syscall=none
2113 2143 format=arg1:arg2:[zone]3:[text]4
2114 2144 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 2145 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 2146 comment=affected zone:
2117 2147 comment=Name of target tunnel
2118 2148
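Review bot: the AUE_PF_POLICY_FLUSH record has `title=Flip IPsec policy rules`, which duplicates the wording of the AUE_PF_POLICY_FLIP title above it; the label is FLUSH, so this should read `title=Flush IPsec policy rules`.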
2119 2149 label=AUE_PF_POLICY_ALGS
2120 2150 title=Update IPsec algorithms
2121 2151 see=
2122 2152 syscall=none
2123 2153 format=arg1:arg2:[zone]3:[text]4
2124 2154 comment=Operation applied to active policy (1 is active, 0 is inactive):
2125 2155 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2126 2156 comment=affected zone:
2127 2157 comment=Name of target tunnel
2128 2158
2129 2159 label=AUE_allocate_fail
2130 2160 program=/usr/sbin/allocate
2131 2161 title=allocate: allocate-device failure
2132 2162 format=(0..n)[text]1
2133 2163 comment=command line arguments
2134 2164 # see audit_allocate.c
2135 2165
2136 2166 label=AUE_allocate_succ
2137 2167 program=/usr/sbin/allocate
2138 2168 title=allocate: allocate-device success
2139 2169 format=(0..n)[text]1
2140 2170 comment=command line arguments
2141 2171 # see audit_allocate.c
2142 2172
2143 2173 label=AUE_at_create
2144 2174 program=/usr/bin/at
2145 2175 title=at: at-create crontab
2146 2176 format=path
2147 2177
2148 2178 label=AUE_at_delete
2149 2179 program=/usr/bin/at
2150 2180 title=at: at-delete atjob (at or atrm)
2151 2181 format=text1:path
2152 2182 comment="ancillary file:" filename or "bad format of at-job name"
2153 2183
2154 2184 label=AUE_at_perm
2155 2185 skip=Not used.
2156 2186 # not referenced outside uevents.h
2157 2187
2158 2188 label=AUE_create_user
2159 2189 skip=Not used.
2160 2190
2161 2191 label=AUE_cron_invoke
2162 2192 program=/usr/sbin/cron
2163 2193 title=cron: cron-invoke at or cron
2164 2194 case=If issue with account find
2165 2195 format=text1
2166 2196 comment="bad user" name or "user <name> account expired"
2167 2197 case=else
2168 2198 format=text1:text2
2169 2199 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2170 2200 or "unknown job type (<job_type_id>)":
2171 2201 comment=command
2172 2202
2173 2203 label=AUE_crontab_create
2174 2204 program=/usr/bin/crontab
2175 2205 title=crontab: crontab created
2176 2206 format=path
2177 2207 # See audit_crontab.c
2178 2208
2179 2209 label=AUE_crontab_delete
2180 2210 program=/usr/bin/crontab
2181 2211 title=crontab: crontab delete
2182 2212 format=path
2183 2213 # See audit_crontab.c
2184 2214
2185 2215 label=AUE_crontab_mod
2186 2216 program=/usr/bin/crontab
2187 2217 title=crontab: crontab modify
2188 2218 format=path
2189 2219 # See audit_crontab.c
2190 2220
2191 2221 label=AUE_crontab_perm
2192 2222 skip=Not used.
2193 2223
2194 2224 label=AUE_deallocate_fail
2195 2225 program=/usr/sbin/deallocate
2196 2226 title=deallocate-device failure
2197 2227 format=(0..n)[text]1
2198 2228 comment=command line arguments
2199 2229 # See audit_allocate.c
2200 2230
2201 2231 label=AUE_deallocate_succ
2202 2232 program=/usr/sbin/deallocate
2203 2233 title=deallocate-device success
2204 2234 format=(0..n)[text]1
2205 2235 comment=command line arguments
2206 2236 # See audit_allocate.c
2207 2237
2208 2238 label=AUE_delete_user
2209 2239 skip=Not used.
2210 2240
2211 2241 label=AUE_disable_user
2212 2242 skip=Not used.
2213 2243
2214 2244 label=AUE_enable_user
2215 2245 skip=Not used.
2216 2246
2217 2247 label=AUE_ftpd
2218 2248 program=/usr/sbin/in.ftpd
2219 2249 title=in.ftpd
2220 2250 format=[text]1
2221 2251 comment=error message
2222 2252 # See audit_ftpd
2223 2253
2224 2254 label=AUE_ftpd_logout
2225 2255 program=/usr/sbin/in.ftpd
2226 2256 title=in.ftpd
2227 2257 format=user
2228 2258 # See audit_ftpd
2229 2259
2230 2260 label=AUE_halt_solaris
2231 2261 program=/usr/sbin/halt
2232 2262 title=halt
2233 2263 format=user
2234 2264 # See audit_halt.c
2235 2265
2236 2266 label=AUE_kadmind_auth
2237 2267 format=text1:text2:text3
2238 2268 comment=Op: <requested information>:
2239 2269 comment=Arg: <argument for Op>:
2240 2270 comment=Client: <client principal name>
2241 2271 # See audit_kadmin.c / common_audit()
2242 2272
2243 2273 label=AUE_kadmind_unauth
2244 2274 format=text1:text2:text3
2245 2275 comment=Op: <requested information>:
2246 2276 comment=Arg: <argument for Op>:
2247 2277 comment=Client: <client principal name>
2248 2278 # See audit_kadmin.c / common_audit()
2249 2279
2250 2280 label=AUE_krb5kdc_as_req
2251 2281 format=text1:text2
2252 2282 comment=Client: <client principal name>:
2253 2283 comment=Service: <requested service name>
2254 2284 # See audit_krb5kdc.c / common_audit()
2255 2285
2256 2286 label=AUE_krb5kdc_tgs_req
2257 2287 format=text1:text2
2258 2288 comment=Client: <client principal name>:
2259 2289 comment=Service: <requested service name>
2260 2290 # See audit_krb5kdc.c / common_audit()
2261 2291
2262 2292 label=AUE_krb5kdc_tgs_req_alt_tgt
2263 2293 format=text1:text2
2264 2294 comment=Client: <client principal name>:
2265 2295 comment=Service: <requested service name>
2266 2296 # See audit_krb5kdc.c / common_audit()
2267 2297
2268 2298 label=AUE_krb5kdc_tgs_req_2ndtktmm
2269 2299 format=text1:text2
2270 2300 comment=Client: <client principal name>:
2271 2301 comment=Service: <requested service name>
2272 2302 # See audit_krb5kdc.c / common_audit()
2273 2303
2274 2304 label=AUE_listdevice_fail
2275 2305 title=allocate-list devices failure
2276 2306 program=/usr/sbin/allocate
2277 2307 format=(0..n)[text]1
2278 2308 comment=command line arguments
2279 2309 # See audit_allocate.c
2280 2310
2281 2311 label=AUE_listdevice_succ
2282 2312 title=allocate-list devices success
2283 2313 program=/usr/sbin/allocate
2284 2314 format=(0..n)[text]1
2285 2315 comment=command line arguments
2286 2316 # See audit_allocate.c
2287 2317
2288 2318 label=AUE_modify_user
2289 2319 skip=Not used.
2290 2320
2291 2321 label=AUE_mountd_mount
2292 2322 title=mountd: NFS mount
2293 2323 program=/usr/lib/nfs/mountd
2294 2324 see=mountd(1M)
2295 2325 format=text1:path2
2296 2326 comment=remote client hostname:
2297 2327 comment=mount dir
2298 2328 # See audit_mountd.c
2299 2329
2300 2330 label=AUE_mountd_umount
2301 2331 title=mountd: NFS unmount
2302 2332 program=/usr/lib/nfs/mountd
2303 2333 format=text1:path2
2304 2334 comment=remote client hostname:
2305 2335 comment=mount dir
2306 2336 # See audit_mountd.c
2307 2337
2308 2338 label=AUE_poweroff_solaris
2309 2339 program=/usr/sbin/poweroff
2310 2340 title=poweroff
2311 2341 format=user
2312 2342 # See audit_halt.c
2313 2343
2314 2344 label=AUE_reboot_solaris
2315 2345 program=/usr/sbin/reboot
2316 2346 title=reboot
2317 2347 format=user
2318 2348 # See audit_reboot.c
2319 2349 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2320 2350 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2321 2351 # return,success,0
2322 2352
2323 2353 label=AUE_rexd
2324 2354 program=/usr/sbin/rpc.rexd
2325 2355 title=rpc.rexd
2326 2356 format=[text]1:text2:text3:[text]4:[text]5
2327 2357 comment=error message (failure only):
2328 2358 comment="Remote execution requested by:" hostname:
2329 2359 comment="Username:" username:
2330 2360 comment="User id:" user ID (failure only):
2331 2361 comment="Command line:" command attempted
2332 2362 # See audit_rexd.c
2333 2363
2334 2364 label=AUE_rexecd
2335 2365 program=/usr/sbin/rpc.rexecd
2336 2366 title=rpc.rexecd
2337 2367 format=[text]1:text2:text3:text4
2338 2368 comment=error message (failure only):
2339 2369 comment="Remote execution requested by:" hostname:
2340 2370 comment="Username:" username:
2341 2371 comment="Command line:" command attempted
2342 2372 # See audit_rexecd.c
2343 2373
2344 2374 label=AUE_rshd
2345 2375 program=/usr/sbin/in.rshd
2346 2376 title=in.rshd
2347 2377 format=text1:text2:[text]3:[text]4
2348 2378 comment="cmd" command:
2349 2379 comment="remote user" remote user:
2350 2380 comment="local user" local user:
2351 2381 comment=failure message
2352 2382 # See audit_rshd.c
2353 2383
2354 2384 label=AUE_shutdown_solaris
2355 2385 title=shutdown
2356 2386 program=/usr/ucb/shutdown
2357 2387 format=user
2358 2388 # See audit_shutdown.c
2359 2389
2360 2390 label=AUE_smserverd
2361 2391 program=/usr/lib/smedia/rpc.smserverd
2362 2392 format=[text]1:[text]2
2363 2393 comment=state change:
2364 2394 comment=vid, pid, major/minor device
2365 2395 # see usr/src/cmd/smserverd
2366 2396 # code shows a third token, path, but it isn't implemented.
2367 2397
2368 2398 label=AUE_uadmin_solaris
2369 2399 title=uadmin (obsolete)
2370 2400 program=
2371 2401 see=
2372 2402 format=text1:text2
2373 2403 comment=function code:
2374 2404 comment=argument code
2375 2405 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2376 2406
2377 2407 label=AUE_LABELSYS_TNRH
2378 2408 title=config Trusted Network remote host cache
2379 2409 see=tnrh(2)
2380 2410 syscall=labelsys: TSOL_TNRH
2381 2411 case=With the flush command (cmd=3)
2382 2412 format=arg1
2383 2413 comment=1, command, "cmd"
2384 2414 case=With the load (cmd=1) and delete (cmd=2) commands
2385 2415 format=arg1:inaddr2:arg3
2386 2416 comment=1, command, "cmd":
2387 2417 comment=ip address of host:
2388 2418 comment=2, prefix length, "prefix len"
2389 2419
2390 2420 label=AUE_LABELSYS_TNRHTP
2391 2421 title=config Trusted Network remote host template
2392 2422 see=tnrhtp(2)
2393 2423 syscall=labelsys: TSOL_TNRHTP
2394 2424 case=With the flush command (cmd=3)
2395 2425 format=arg1
2396 2426 comment=1, command, "cmd"
2397 2427 case=With the load (cmd=1) and delete (cmd=2) commands
2398 2428 format=arg1:text2
2399 2429 comment=1, command, "cmd":
2400 2430 comment=name of template
2401 2431
2402 2432 label=AUE_LABELSYS_TNMLP
2403 2433 title=config Trusted Network multi-level port entry
2404 2434 see=tnmlp(2)
2405 2435 syscall=labelsys: TSOL_TNMLP
2406 2436 case=With the flush command (cmd=3)
2407 2437 format=arg1:text2
2408 2438 comment=1, command, "cmd":
2409 2439 comment="shared", or name of zone
2410 2440 case=With the load (cmd=1) and delete (cmd=2) commands
2411 2441 format=arg1:text2:arg3:arg4:[arg]5
2412 2442 comment=1, command, "cmd":
2413 2443 comment="shared", or name of zone:
2414 2444 comment=2, protocol number, "proto num":
2415 2445 comment=2, starting mlp port number, "mlp_port":
2416 2446 comment=2, ending mlp port number, "mlp_port_upper"