1 () () 2 3 4 5 <?xml version="1.0" encoding="UTF-8" ?> 6 7 <!-- 8 Copyright 2010 Sun Microsystems, Inc. All rights reserved. 9 Use is subject to license terms. 10 11 CDDL HEADER START 12 13 The contents of this file are subject to the terms of the 14 Common Development and Distribution License (the "License"). 15 You may not use this file except in compliance with the License. 16 17 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 18 or http://www.opensolaris.org/os/licensing. 19 See the License for the specific language governing permissions 20 and limitations under the License. 21 22 When distributing Covered Code, include this CDDL HEADER in each 23 file and include the License file at usr/src/OPENSOLARIS.LICENSE. 24 If applicable, add the following below this CDDL HEADER, with the 25 fields enclosed by brackets "[]" replaced with your own identifying 26 information: Portions Copyright [yyyy] [name of copyright owner] 27 28 CDDL HEADER END --> 29 30 31 <!--Entity Definitions--> 32 33 <!-- timeattr or iso8601 34 35 timeattr: the time/date to the second in strftime(3C) default format, 36 followed by milliseconds offset. 37 38 Example: time="Mon May 06 12:10:18 2002" msec="750" 39 40 iso8601: ISO 8601 standard format date time and timezone; YYYY-MM-DD 41 HH:MM:SS.sss +/-HH:MM; year, month, day 24 hour time with milliseconds + or 42 - offset from Universal Time (UTC, aka GMT) Example: 43 iso8601="2003-09-17 16:47:41.831 -07:00" 44 45 --> <!ENTITY % timeattr "time CDATA #IMPLIED msec 46 CDATA #IMPLIED"> 47 48 <!ENTITY % iso8601 "iso8601 CDATA #IMPLIED"> 49 50 <!-- xinfo Generic info for X related tokens. --> <!ENTITY % xinfo 51 "xid CDATA #REQUIRED xcreator-uid CDATA #REQUIRED"> 52 53 <!-- reserved_toks 54 55 This represents the set of "reserved" tokens whose placement is fixed. 56 57 --> <!ENTITY % reserved_toks "( file | 58 record | host | sequence 59 ) "> 60 61 <!-- normaltoks 62 63 This represents the set of all tokens other than the "reserved" tokens. 64 65 --> <!ENTITY % normaltoks "( acl | 66 arbitrary | argument | attribute | 67 cmd | exit | exec_args | 68 exec_env | fmri | group 69 | ip | ip_address | 70 IPC | IPC_perm | ip_port 71 | liaison | opaque | 72 path | path_attr | privilege | 73 process | return | 74 sensitivity_label | old_socket | socket 75 | subject | text | 76 user | use_of_authorization | 77 use_of_privilege | X_atom | X_client 78 | X_color_map | X_cursor | 79 X_font | X_graphic_context | X_pixmap 80 | X_property | X_selection | 81 X_window | zone ) "> 82 83 <!--Element Definitions--> 84 85 <!-- 86 87 The main element, "audit", consists of a sequence of file & record tokens. 88 89 --> <!ELEMENT audit (file | record)*> 90 91 <!-- file token --> <!ELEMENT file (#PCDATA)> <!ATTLIST file 92 %iso8601;> 93 94 95 <!-- record token 96 97 Audit records will have this general layout of tokens after the first token 98 (which is the record token): 99 (tokens),subject,group,(tokens),return,sequence,host 100 101 (all tokens after the record token are optional; the host token is unused.) 102 103 --> <!ELEMENT record ( (%normaltoks;)*, sequence?, 104 host? ) > <!ATTLIST record version CDATA #REQUIRED 105 event CDATA #REQUIRED modifier CDATA #IMPLIED 106 host CDATA #IMPLIED %iso8601; > 107 108 <!-- text token --> <!ELEMENT text (#PCDATA)> 109 110 <!-- user token --> <!ELEMENT user EMPTY> <!ATTLIST user uid 111 CDATA #REQUIRED username CDATA #REQUIRED > 112 113 <!-- path token --> <!ELEMENT path (#PCDATA)> 114 115 <!-- path_attr token --> <!ELEMENT path_attr (xattr*)> <!ELEMENT xattr 116 (#PCDATA)> 117 118 <!-- host token --> <!ELEMENT host (#PCDATA)> 119 120 <!-- subject token --> <!ELEMENT subject EMPTY> <!ATTLIST subject 121 audit-uid CDATA #REQUIRED uid CDATA #REQUIRED gid 122 CDATA #REQUIRED ruid CDATA #REQUIRED rgid CDATA 123 #REQUIRED pid CDATA #REQUIRED sid CDATA 124 #REQUIRED tid CDATA #REQUIRED > 125 126 <!-- process token --> <!ELEMENT process EMPTY> <!ATTLIST process 127 audit-uid CDATA #REQUIRED uid CDATA #REQUIRED gid 128 CDATA #REQUIRED ruid CDATA #REQUIRED rgid CDATA 129 #REQUIRED pid CDATA #REQUIRED sid CDATA 130 #REQUIRED tid CDATA #REQUIRED > 131 132 <!-- return token --> <!ELEMENT return EMPTY> <!ATTLIST return 133 errval CDATA #REQUIRED retval CDATA #REQUIRED > 134 135 <!-- exit token --> <!ELEMENT exit EMPTY> <!ATTLIST exit 136 errval CDATA #REQUIRED retval CDATA #REQUIRED > 137 138 <!-- sequence token --> <!ELEMENT sequence EMPTY> <!ATTLIST sequence 139 seq-num CDATA #REQUIRED > 140 141 <!-- fmri token --> <!ELEMENT fmri (#PCDATA)> 142 143 <!-- group token --> <!ELEMENT group (gid)*> <!ELEMENT gid 144 (#PCDATA)> 145 146 <!-- opaque token --> <!ELEMENT opaque (#PCDATA)> 147 148 <!-- liaison token --> <!-- (NOTE: liaison is obsolete and is no longer 149 generated --> <!ELEMENT liaison (#PCDATA)> 150 151 <!-- argument token --> <!ELEMENT argument EMPTY> <!ATTLIST argument 152 arg-num CDATA #REQUIRED value CDATA #REQUIRED 153 desc CDATA #REQUIRED > 154 155 <!-- attribute token --> <!ELEMENT attribute EMPTY> <!ATTLIST attribute 156 mode CDATA #REQUIRED uid CDATA #REQUIRED gid 157 CDATA #REQUIRED fsid CDATA #REQUIRED nodeid 158 CDATA #REQUIRED device CDATA #REQUIRED > 159 160 <!-- cmd token --> <!ELEMENT cmd (argv*, arge*)> <!ELEMENT argv 161 (#PCDATA)> <!ELEMENT arge (#PCDATA)> 162 163 <!-- exec_args token --> <!ELEMENT exec_args (arg*)> <!ELEMENT arg 164 (#PCDATA)> 165 166 <!-- exec_env token --> <!ELEMENT exec_env (env*)> <!ELEMENT env 167 (#PCDATA)> 168 169 <!-- arbitrary token --> <!ELEMENT arbitrary (#PCDATA)> <!ATTLIST 170 arbitrary print CDATA #REQUIRED type CDATA 171 #REQUIRED count CDATA #REQUIRED > 172 173 <!-- privilege token --> <!ELEMENT privilege (#PCDATA)> <!ATTLIST 174 privilege set-type CDATA #REQUIRED > 175 176 <!-- secflags token --> <!ELEMENT secflags (#PCDATA)> <!ATTLIST 177 secflags set-type CDATA #REQUIRED > 178 179 180 <!-- use_of_privilege token --> <!ELEMENT use_of_privilege (#PCDATA)> 181 <!ATTLIST use_of_privilege result CDATA #REQUIRED > 182 183 <!-- sensitivity_label token --> <!ELEMENT sensitivity_label (#PCDATA)> 184 185 <!-- use_of_authorization token --> <!ELEMENT use_of_authorization 186 (#PCDATA)> 187 188 <!-- IPC token --> <!ELEMENT IPC EMPTY> <!ATTLIST IPC 189 ipc-type CDATA #REQUIRED ipc-id CDATA #REQUIRED > 190 191 <!-- IPC_perm token --> <!ELEMENT IPC_perm EMPTY> <!ATTLIST IPC_perm 192 uid CDATA #REQUIRED gid CDATA #REQUIRED creator- 193 uid CDATA #REQUIRED creator-gid CDATA #REQUIRED mode 194 CDATA #REQUIRED seq CDATA #REQUIRED key CDATA 195 #REQUIRED > 196 197 <!-- ip_address token --> <!ELEMENT ip_address (#PCDATA)> 198 199 <!-- ip_port token --> <!-- (NOTE: ip_port is obsolete and is no longer 200 generated --> <!ELEMENT ip_port (#PCDATA)> 201 202 <!-- ip token --> <!-- (NOTE: ip is obsolete and is no longer generated --> 203 <!ELEMENT ip EMPTY> <!ATTLIST ip version CDATA 204 #REQUIRED service_type CDATA #REQUIRED len CDATA 205 #REQUIRED id CDATA #REQUIRED offset CDATA 206 #REQUIRED time_to_live CDATA #REQUIRED protocol CDATA 207 #REQUIRED cksum CDATA #REQUIRED src_addr CDATA 208 #REQUIRED dest_addr CDATA #REQUIRED > 209 210 <!-- old_socket token --> <!ELEMENT old_socket EMPTY> <!ATTLIST 211 old_socket type CDATA #REQUIRED port CDATA 212 #REQUIRED addr CDATA #REQUIRED > 213 214 <!-- socket token --> <!ELEMENT socket EMPTY> <!ATTLIST socket 215 sock_domain CDATA #REQUIRED sock_type CDATA #REQUIRED 216 lport CDATA #REQUIRED laddr CDATA #REQUIRED 217 fport CDATA #REQUIRED faddr CDATA #REQUIRED > 218 219 <!-- acl token --> <!ELEMENT acl EMPTY> <!ATTLIST acl 220 type CDATA #IMPLIED value CDATA #IMPLIED 221 mode CDATA #IMPLIED flags CDATA #IMPLIED id 222 CDATA #IMPLIED access_mask CDATA #IMPLIED > 223 224 <!-- tid token --> <!-- future intent: contain one of ipadr | MTUadr | device 225 --> <!ELEMENT tid (ipadr*)> <!ATTLIST tid type CDATA 226 #REQUIRED > 227 228 <!-- ipadr content of tid token --> <!ELEMENT ipadr EMPTY> 229 <!ATTLIST ipadr local-port CDATA #REQUIRED remote-port 230 CDATA #REQUIRED host CDATA #REQUIRED > 231 232 <!-- X_atom token --> <!ELEMENT X_atom (#PCDATA)> 233 234 <!-- X_color_map token --> <!ELEMENT X_color_map EMPTY> <!ATTLIST 235 X_color_map %xinfo;> 236 237 <!-- X_cursor token --> <!ELEMENT X_cursor EMPTY> <!ATTLIST X_cursor 238 %xinfo;> 239 240 <!-- X_font token --> <!ELEMENT X_font EMPTY> <!ATTLIST X_font 241 %xinfo;> 242 243 <!-- X_graphic_context token --> <!ELEMENT X_graphic_context EMPTY> 244 <!ATTLIST X_graphic_context %xinfo;> 245 246 <!-- X_pixmap token --> <!ELEMENT X_pixmap EMPTY> <!ATTLIST X_pixmap 247 %xinfo;> 248 249 <!-- X_window token --> <!ELEMENT X_window EMPTY> <!ATTLIST X_window 250 %xinfo;> 251 252 <!-- X_property token --> <!ELEMENT X_property (#PCDATA)> <!ATTLIST 253 X_property %xinfo;> 254 255 <!-- X_client token --> <!ELEMENT X_client (#PCDATA)> 256 257 <!-- X_selection token --> <!ELEMENT X_selection (xsel_text, xsel_type, 258 xsel_data)> <!ELEMENT x_sel_text (#PCDATA)> <!ELEMENT x_sel_type 259 (#PCDATA)> <!ELEMENT x_sel_data (#PCDATA)> 260 261 <!-- zonename token --> <!ELEMENT zone EMPTY> <!ATTLIST zone 262 name CDATA #REQUIRED > 263 264 265 266 June 15, 2016 ()