1 # audit_record_attr.txt
2 # Lines starting with two "#" are comments that are copied to audit_record_attr;
3 # all other comments are removed.
4 ##
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 ##
7 ## CDDL HEADER START
8 ##
9 ## The contents of this file are subject to the terms of the
10 ## Common Development and Distribution License (the "License").
11 ## You may not use this file except in compliance with the License.
12 ##
13 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
14 ## or http://www.opensolaris.org/os/licensing.
15 ## See the License for the specific language governing permissions
16 ## and limitations under the License.
17 ##
18 ## When distributing Covered Code, include this CDDL HEADER in each
19 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
20 ## If applicable, add the following below this CDDL HEADER, with the
21 ## fields enclosed by brackets "[]" replaced with your own identifying
22 ## information: Portions Copyright [yyyy] [name of copyright owner]
23 ##
24 ## CDDL HEADER END
25 ##
26 ##
27
28 # source file for describing audit records.
29
30 # This file is in two sections. The first is a list of attribute /
31 # value pairs used to provide short cuts in annotating the audit
32 # records. The second is for annotation for each audit record.
33
34 # first section: general attributes
35
36 # skipClass=<class name of items to skip if only in that class>
37 # skipClass=no # uncomment to filter unused events
38
39 # token name abbreviations
40 # token=alias:fullname -- short names for key tokens
41
42 token=arg:argument
43 token=attr:attribute
44 token=acl:acl_entry
45 token=cmd:command
46 token=data:data
47 token=exec_args:exec_arguments
48 token=exec_env:exec_environment
49 token=group:group
50 token=inaddr:ip_addr
51 token=inet:socket
52 token=ipc:ipc
53 token=ipc_perm:ipc_perm
54 token=newgroup:newgroups
55 token=path:path
56 token=path_attr:attribute_path
57 token=privset:privilege
58 token=proc:process
59 token=text:text
60 token=tid:terminal_adr
61 token=uauth:use_of_authorization
62 token=upriv:use_of_privilege
63 token=user:user_object
64 token=zone:zonename
65 token=fmri:service_instance
66 token=label:mandatory_label
67
68 token=head:header
69 token=subj:subject
70 token=ret:return
71 token=exit:exit
72
73 # note names -- certain notes show up repeatedly; collected here
74 #
75 # To keep the maximum line length under 80 characters, the note names
76 # (message=) can be defined across multiple lines, with each line except
77 # the last ending with a backslash character.
78
79 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
80 the message ID is not valid.
81
82
83 # basic record pattern ("insert" is where event-specific tokens
84 # are listed.)
85
86 kernel=head:insert:subj:[upriv]:ret
87 user=head:subj:insert:ret
88
89 # Second Section
90 # Annotation Section
91 #
92 # Most audit records need annotation beyond what is provided by
93 # the files audit_event and audit_class. At a minimum, a record
94 # is represented by a label and a format.
95 #
96 # label=record_id like AUE_ACCEPT
97 # format=token_alias
98 #
99 # there is no end line; a new label= ends the preceding definition
100 # and starts the next.
101 #
102 # format values are a list of token names, separated by colons. The
103 # name is either one of the values described above (token=) or is
104 # a value to be taken literally. If a token name ends with a digit,
105 # the digit is an index into an array of comments. In the few cases
106 # where there are no tokens (other than header, subject, return/exit),
107 # use "format=kernel" or "format=user".
108 #
109 # comment is an array of strings separated by colons. If comments
110 # are listed on separate lines (recommended for better readability
111 # and maintainability of the file), the preceding comment
112 # must end with a colon. The array starts at 1. (If the comment
113 # contains a colon, use ":" without the quotes.)
114 #
115 # case is used to generate alternate descriptions for a given
116 # record.
117 #
118 # Constraints - string length. Bear in mind that any annotation of the
119 # primitives below that is longer than specified will be silently truncated
120 # to the given/defined number of characters at auditrecord(1M) runtime:
121 #
122 # primitive <= max (non-truncated) string length
123 # case <= unlimited; if necessary, text continues on a new line
124 # comment <= unlimited; if necessary, text continues on a new line
125 # label <= 43
126 # note <= unlimited; if necessary, text continues on a new line
127 # program <= 20
128 # see <= 39
129 # syscall <= 20
130 # title <= 46
131 # token <= 28 (full name)
132 #
133 # To keep the maximum line length under 80 characters, the unlimited
134 # primitives can be defined across multiple lines, with each line except
135 # the last ending with a backslash character. In addition to those
136 # mentioned above, the "format=" record attribute follows the same rule.
137 #
138 #
139 # AUE_ACCEPT illustrates the use of all the above. Note that
140 # case is not nested; ellipsis (...) is used to give the effect
141 # of nesting.
142
143 label=AUE_ACCEPT
144 #accept(2) failure
145 case=Invalid socket file descriptor
146 format=arg1
147 comment=1, file descriptor, "so"
148 #accept(2) non SOCK_STREAM socket
149 case=If the socket address is not part of the AF_INET family
150 format=arg1:arg2:arg3
151 comment=1, "so", file descriptor:
152 comment="family", so_family:
153 comment="type", so_type
154 case=If the socket address is part of the AF_INET family
155 case=...If there is no vnode for this file descriptor
156 format=[arg]1
157 comment=1, file descriptor, "Bad so"
158 #accept(2) SOCK_STREAM socket-not bound
159 case=...or if the socket is not bound
160 format=[arg]1:[inet]2
161 comment=1, file descriptor, "so":
162 comment=local/foreign address (0.0.0.0)
163 case=...or if the socket address length = 0
164 format=[arg]1:[inet]2
165 comment=1, file descriptor, "so":
166 comment=local/foreign address (0.0.0.0)
167 case=...or for all other conditions
168 format=inet1:[inet]1
169 comment=socket address
170 #accept(2) failure
171 # header
172 # au_to_arg32 "so",file descriptor
173 # subject
174 # return <errno != 0>
175 #
176 #accept(2) non SOCK_STREAM socket
177 # header
178 # au_to_arg32 "so", file descriptor
179 # au_to_arg32 "family", so_family
180 # au_to_arg32 "type", so_type
181 # subject
182 # return success
183 #
184 #accept(2) SOCK_STREAM socket-not bound
185 # header
186 # au_to_arg32 "so", file descriptor
187 # au_to_socket_ex local/foreign address (0.0.0.0)
188 # subject
189 # return success
190 #
191 #accept(2) SOCK_STREAM socket-bound
192 # header
193 # au_to_arg32 "so", file descriptor
194 # au_to_socket_ex
195 # subject
196 # return success
197
198
199
200 label=AUE_ACCESS
201 format=path1:[attr]
202 comment=may be truncated in failure case
203 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
204 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
205 # attribute,100777,41416,staff,8388608,402255,0
206 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
207 # return,success,0
208 # trailer,163
209 #
210 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
211 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
212 # attribute,100000,root,other,8388608,402257,0
213 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
214 # return,failure: Permission denied,-1
215 # trailer,163
216 #
217 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
218 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
219 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
220 # return,failure: No such file or directory,-1
221 # trailer,135
222
223 label=AUE_ACCT
224 case=Zero path
225 format=arg1
226 comment=1, 0, "accounting off"
227 case=Non-zero path
228 format=path1:[attr]2
229 comment=may be truncated in failure case:
230 comment=omitted if failure
231
232 label=AUE_ACLSET
233 syscall=acl
234 format=arg1:arg2:(0..n)[acl]3
235 comment=2, SETACL, "cmd":
236 comment=3, number of ACL entries, "nentries":
237 comment=Access Control List entries
238
239 label=AUE_ADJTIME
240 format=kernel
241
242 label=AUE_ASYNC_DAEMON
243 skip=Not used
244
245 label=AUE_ASYNC_DAEMON_EXIT
246 skip=Not used
247
248 label=AUE_AUDIT
249 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
250
251 label=AUE_AUDITON
252 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
253
254 label=AUE_AUDITON_GESTATE
255 skip=Not used
256
257 label=AUE_AUDITON_GETAMASK
258 format=kernel
259 syscall=auditon: GETAMASK
260
261 label=AUE_AUDITON_GETCAR
262 format=kernel
263 syscall=auditon: GETCAR
264 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
265 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
266 # return,success,0
267 # trailer,68
268
269 label=AUE_AUDITON_GETCLASS
270 format=kernel
271 syscall=auditon: GETCLASS
272 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
273 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
274 # return,success,0
275 # trailer,68
276
277 label=AUE_AUDITON_GETCOND
278 format=kernel
279 syscall=auditon: GETCOND
280 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
281 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
282 # return,success,0
283 # trailer,68
284
285 label=AUE_AUDITON_GETCWD
286 format=kernel
287 syscall=auditon: GETCWD
288 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
289 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
290 # return,success,0
291 # trailer,68
292
293 label=AUE_AUDITON_GETKMASK
294 format=kernel
295 syscall=auditon: GETKMASK
296 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
297 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
298 # return,success,0
299 # trailer,68
300
301 label=AUE_AUDITON_GETSTAT
302 format=kernel
303 syscall=auditon: A_GETSTAT
304 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
305 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
306 # return,success,0
307 # trailer,68
308
309 label=AUE_AUDITON_GPOLICY
310 format=kernel
311 syscall=auditon: GPOLICY
312 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
313 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
314 # return,success,0
315 # trailer,68
316
317 label=AUE_AUDITON_GQCTRL
318 format=kernel
319 syscall=auditon: GQCTRL
320 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
321 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
322 # return,success,0
323 # trailer,68
324
325
326 label=AUE_AUDITON_GTERMID
327 skip=Not used.
328
329 label=AUE_AUDITON_SESTATE
330 skip=Not used.
331
332 label=AUE_AUDITON_SETAMASK
333 format=[arg]1:[arg]2
334 comment=2, "setamask as_success", user default audit preselection mask:
335 comment=2, "setamask as_failure", user default audit preselection mask
336 syscall=auditon: SETAMASK
337
338 label=AUE_AUDITON_SETCLASS
339 format=[arg]1:[arg]2
340 comment=2, "setclass:ec_event", event number:
341 comment=3, "setclass:ec_class", class mask
342 syscall=auditon: SETCLASS
343 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
344 # argument,2,0x0,setclass:ec_event
345 # argument,3,0x0,setclass:ec_class
346 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
347 # return,success,0
348 # trailer,120
349
350 label=AUE_AUDITON_SETCOND
351 format=[arg]1
352 comment=3, "setcond", audit state
353 syscall=auditon: SETCOND
354
355 label=AUE_AUDITON_SETKMASK
356 format=[arg]1:[arg]2
357 comment=2, "setkmask as_success", kernel non-attributable mask:
358 comment=2, "setkmask as_failure", kernel non-attributable mask
359 syscall=auditon: SETKMASK
360 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
361 # argument,2,0x0,setkmask:as_success
362 # argument,2,0x0,setkmask:as_failure
363 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
364 # return,success,0
365 # trailer,124
366 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
367 # argument,2,0x0,setkmask:as_success
368 # argument,2,0x0,setkmask:as_failure
369 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
370 # return,failure: Not owner,-1
371 # trailer,124
372
373 label=AUE_AUDITON_SETSMASK
374 format=[arg]1:[arg]2
375 comment=3, "setsmask:as_success", session ID mask:
376 comment=3, "setsmask:as_failure", session ID mask
377 syscall=auditon: SETSMASK
378 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
379 # argument,3,0x400,setsmask:as_success
380 # argument,3,0x400,setsmask:as_failure
381 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
382 # return,success,0
383 # trailer,124
384 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
385 # argument,3,0x400,setsmask:as_success
386 # argument,3,0x400,setsmask:as_failure
387 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
388 # return,failure: Not owner,-1
389 # trailer,124
390
391 label=AUE_AUDITON_SETSTAT
392 format=kernel
393 syscall=auditon: SETSTAT
394 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
395 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
396 # return,success,0
397 # trailer,68
398 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
399 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
400 # return,failure: Not owner,-1
401 # trailer,68
402
403 label=AUE_AUDITON_SETUMASK
404 format=[arg]1:[arg]2
405 comment=3, "setumask:as_success", audit ID mask:
406 comment=3, "setumask:as_failure", audit ID mask
407 syscall=auditon: SETUMASK
408 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
409 # argument,3,0x400,setumask:as_success
410 # argument,3,0x400,setumask:as_failure
411 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
412 # return,success,0
413 # trailer,124
414 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
415 # argument,3,0x400,setumask:as_success
416 # argument,3,0x400,setumask:as_failure
417 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
418 # return,failure: Not owner,-1
419 # trailer,124
420
421 label=AUE_AUDITON_SPOLICY
422 format=[arg]1
423 comment=1, audit policy flags, "setpolicy"
424 syscall=auditon: SPOLICY
425 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
426 # argument,3,0x200,setpolicy
427 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
428 # return,success,0
429 # trailer,86
430 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
431 # argument,3,0x200,setpolicy
432 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
433 # return,failure: Not owner,-1
434 # trailer,86
435
436 label=AUE_AUDITON_SQCTRL
437 format=[arg]1:[arg]2:[arg]3:[arg]4
438 comment=3, "setqctrl:aq_hiwater", queue control param.:
439 comment=3, "setqctrl:aq_lowater", queue control param.:
440 comment=3, "setqctrl:aq_bufsz", queue control param.:
441 comment=3, "setqctrl:aq_delay", queue control param.
442 syscall=auditon: SQCTRL
443 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
444 # argument,3,0x64,setqctrl:aq_hiwater
445 # argument,3,0xa,setqctrl:aq_lowater
446 # argument,3,0x400,setqctrl:aq_bufsz
447 # argument,3,0x14,setqctrl:aq_delay
448 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
449 # return,success,0
450 # trailer,176
451 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
452 # argument,3,0x64,setqctrl:aq_hiwater
453 # argument,3,0xa,setqctrl:aq_lowater
454 # argument,3,0x400,setqctrl:aq_bufsz
455 # argument,3,0x14,setqctrl:aq_delay
456 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
457 # return,failure: Not owner,-1
458 # trailer,176
459
460 label=AUE_AUDITON_STERMID
461 skip=Not used.
462
463 label=AUE_AUDITSTAT
464 skip=Not used.
465
466 label=AUE_AUDITSVC
467 skip=Not used.
468
469 label=AUE_AUDITSYS
470 skip=Not used. (Place holder for various auditing events.)
471
472 label=AUE_BIND
473 # differs from documented version.
474 # cases "no vnode" not fully confirmed
475 # family and type need argument number
476 case=Invalid socket handle
477 format=arg1
478 comment=1, file descriptor, "so"
479 case=If there is no vnode for this file descriptor
480 case=or if the socket is not of the AF_INET family
481 format=arg1:arg2:arg3
482 comment=1, file descriptor, "so":
483 comment=1, socket family, "family":
484 comment=1, socket type, "type"
485 case=or for all other conditions
486 format=arg1:inet2
487 comment=1, file descriptor, "so":
488 comment=socket address
489
490 label=AUE_BRANDSYS
491 # generic mechanism to allow user-space and kernel components of a brand
492 # to communicate. The interpretation of the arguments to the call is
493 # left entirely up to the brand.
494 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
495 comment=1, command, "cmd":
496 comment=2, command args, "arg":
497 comment=3, command args, "arg":
498 comment=4, command args, "arg":
499 comment=5, command args, "arg":
500 comment=6, command args, "arg":
501 comment=7, command args, "arg"
502
503 label=AUE_BSMSYS
504 skip=Not used.
505
506 label=AUE_CHDIR
507 format=path:[attr]
508 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
509 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
510 # attribute,40777,root,other,8388608,231558,0
511 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
512 # return,success,0
513 # trailer,151
514 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
515 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
516 # attribute,40000,root,other,8388608,237646,0
517 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
518 # return,failure: Permission denied,-1
519 # trailer,151
520
521 label=AUE_CHMOD
522 format=arg1:path:[attr]
523 comment=2, mode, "new file mode"
524 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
525 # argument,2,0x1f8,new file mode
526 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
527 # attribute,100770,tuser10,other,8388608,243608,0
528 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
529 # return,success,0
530 # trailer,173
531 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
532 # argument,2,0x1f8,new file mode
533 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
534 # attribute,100600,root,other,8388608,243609,0
535 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
536 # return,failure: Not owner,-1
537 # trailer,173
538
539 label=AUE_CHOWN
540 format=arg1:arg2
541 comment=2, uid, "new file uid":
542 comment=3, gid, "new file gid"
543 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
544 # argument,2,0x271a,new file uid
545 # argument,3,0xffffffff,new file gid
546 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
547 # attribute,100644,tuser10,other,8388608,268406,0
548 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
549 # return,success,0
550 # trailer,193
551 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
552 # argument,2,0x271a,new file uid
553 # argument,3,0xffffffff,new file gid
554 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
555 # attribute,100644,root,other,8388608,268407,0
556 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
557 # return,failure: Not owner,-1
558 # trailer,193
559
560 label=AUE_CHROOT
561 format=path:[attr]
562 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
563 # path,/
564 # attribute,40755,root,root,8388608,2,0
565 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
566 # return,success,0
567 # trailer,104
568 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
569 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
570 # attribute,40777,tuser10,other,8388608,335110,0
571 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
572 # return,failure: Not owner,-1
573 # trailer,152
574
575 label=AUE_CLOCK_SETTIME
576 format=kernel
577
578 label=AUE_CLOSE
579 format=arg1:[path]:[attr]
580 comment=1, file descriptor, "fd"
581
582 label=AUE_CONFIGKSSL
583 case=Adding KSSL entry.
584 format=text1:inaddr2:text3:text4
585 comment=opcode, KSSL_ADD_ENTRY:
586 comment=local IP address:
587 comment=SSL port number:
588 comment=proxy port number
589 case=Deleting KSSL entry.
590 format=text1:inaddr2:text3
591 comment=opcode, KSSL_DELETE_ENTRY:
592 comment=local IP address:
593 comment=SSL port number
594
595 label=AUE_CONNECT
596 # cases "no vnode" not fully confirmed
597 case=If there is no vnode for this file descriptor
598 case=If the socket address is not part of the AF_INET family
599 format=arg1:arg2:arg3
600 comment=1, file descriptor, "so":
601 comment=1, socket family, "family":
602 comment=1, socket type, "type"
603 case=If the socket address is part of the AF_INET family
604 format=arg1:inet2
605 comment=1, file descriptor, "so":
606 comment=socket address
607
608 label=AUE_CORE
609 syscall=none
610 title=process dumped core
611 see=none
612 format=path:[attr]:arg1
613 comment=1, signal, "signal"
614 # see uts/common/c2/audit.c
615
616 label=AUE_CREAT
617 # obsolete - see open(2)
618 format=path:[attr]
619 # does not match old BSM manual
620 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
621 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
622 # attribute,100644,tuser10,other,8388608,49679,0
623 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
624 # return,success,8
625 # trailer,151
626 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
627 # path,/devices/pseudo/mm@0:null
628 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
629 # return,success,8
630 # trailer,107
631 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
632 # path,/obj_fail
633 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
634 # return,failure: Permission denied,-1
635 # trailer,83
636
637 label=AUE_CRYPTOADM
638 title=kernel cryptographic framework
639 format=text1:(0..n)[text]2
640 comment=cryptoadm command/operation:
641 comment=mechanism list
642
643 label=AUE_DOORFS
644 skip=Not used. (Place holder for set of door audit events.)
645
646 label=AUE_DOORFS_DOOR_BIND
647 skip=Not used.
648 syscall=doorfs: DOOR_BIND
649
650 label=AUE_DOORFS_DOOR_CALL
651 format=arg1:proc2
652 comment=1, door ID, "door ID":
653 comment=for process that owns the door
654 syscall=doorfs: DOOR_CALL
655
656 label=AUE_DOORFS_DOOR_CREATE
657 format=arg1
658 comment=1, door attributes, "door attr"
659 syscall=doorfs: DOOR_CREATE
660
661 label=AUE_DOORFS_DOOR_CRED
662 skip=Not used.
663 syscall=doorfs: DOOR_CRED
664
665 label=AUE_DOORFS_DOOR_INFO
666 skip=Not used.
667 syscall=doorfs: DOOR_INFO
668
669 label=AUE_DOORFS_DOOR_RETURN
670 format=kernel
671 syscall=doorfs: DOOR_RETURN
672
673 label=AUE_DOORFS_DOOR_REVOKE
674 format=arg1
675 comment=1, door ID, "door ID"
676 syscall=doorfs: DOOR_REVOKE
677
678 label=AUE_DOORFS_DOOR_UNBIND
679 skip=Not used.
680 syscall=doorfs: DOOR_UNBIND
681
682 label=AUE_DUP2
683 skip=Not used.
684
685 label=AUE_ENTERPROM
686 title=enter prom
687 syscall=none
688 format=head:text1:ret
689 comment="kmdb"
690 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
691 # text,kmdb
692 # return,success,0
693
694 label=AUE_EXEC
695 # obsolete - see execve(2)
696 format=path:[attr]1:[exec_args]2:[exec_env]3
697 comment=omitted on error:
698 comment=output if argv policy is set:
699 comment=output if arge policy is set
700
701 label=AUE_EXECVE
702 format=path:[attr]1:[exec_args]2:[exec_env]3
703 comment=omitted on error:
704 comment=output if argv policy is set:
705 comment=output if arge policy is set
706 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
707 # path,/devices/pseudo/mm@0:null
708 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
709 # return,success,8
710 # trailer,107
711 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
712 # path,/usr/bin/pig
713 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
714 # return,failure: No such file or directory,-1
715 # trailer,86
716
717 label=AUE_PFEXEC
718 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
719 comment=pathname of the executable:
720 comment=pathname of working directory:
721 comment=privileges if the limit or inheritable set are changed:
722 comment=process if ruid, euid, rgid or egid is changed:
723 comment=output if arge policy is set
724
725 label=AUE_sudo
726 format=exec_args1:[text]2
727 comment=command args:
728 comment=error message (failure only)
729
730 label=AUE_EXIT
731 format=arg1:[text]2
732 comment=1, exit status, "exit status":
733 comment=event aborted
734
735 label=AUE_EXITPROM
736 title=exit prom
737 syscall=none
738 format=head:text1:ret
739 comment="kmdb"
740 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
741 # text,kmdb
742 # return,success,0
743
744 label=AUE_EXPORTFS
745 skip=Not used.
746
747 label=AUE_FACCESSAT
748 # obsolete
749 see=access(2)
750 format=path:[attr]
751
752 label=AUE_FACLSET
753 syscall=facl
754 case=Invalid file descriptor
755 format=arg1:arg2
756 comment=2, SETACL, "cmd":
757 comment=3, number of ACL entries, "nentries"
758 case=Zero path
759 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
760 comment=2, SETACL, "cmd":
761 comment=3, number of ACL entries, "nentries":
762 comment=1, file descriptor, "no path: fd":
763 comment=ACLs
764 case=Non-zero path
765 format=arg1:arg2:path:[attr]:(0..n)[acl]3
766 comment=2, SETACL, "cmd":
767 comment=3, number of ACL entries, "nentries":
768 comment=ACLs
769
770 label=AUE_FCHDIR
771 format=[path]:[attr]
772 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
773 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
774 # attribute,40777,tuser10,other,8388608,207662,0
775 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
776 # return,success,0
777 # trailer,150
778 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
779 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
780 # return,failure: Permission denied,-1
781 # trailer,68
782
783 label=AUE_FCHMOD
784 case=With a valid file descriptor and path
785 format=arg1:path:[attr]
786 comment=2, mode, "new file mode"
787 case=With a valid file descriptor and invalid path
788 format=arg1:[arg]2:[attr]
789 comment=2, mode, "new file mode":
790 comment=1, file descriptor, "no path: fd"
791 case=With an invalid file descriptor
792 format=arg1
793 comment=2, mode, "new file mode"
794 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
795 # argument,2,0x1a4,new file mode
796 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
797 # attribute,100644,tuser10,other,7602240,26092,0
798 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
799 # return,success,0
800 # trailer,168
801 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
802 # argument,2,0x1a4,new file mode
803 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
804 # return,failure: Bad file number,-1
805 # trailer,90
806 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
807 # argument,2,0x1a4,new file mode
808 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
809 # attribute,100644,root,other,7602240,26093,0
810 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
811 # return,failure: Not owner,-1
812 # trailer,168
813
814 label=AUE_FCHOWN
815 case=With a valid file descriptor
816 format=arg1:arg2:[path]:[attr]
817 comment=2, uid, "new file uid":
818 comment=3, gid, "new file gid"
819 case=With an invalid file descriptor
820 format=arg1:arg2:[arg]3:[attr]
821 comment=2, uid, "new file uid":
822 comment=3, gid, "new file gid":
823 comment=1, file descriptor, "no path fd"
824
825 label=AUE_FCHOWNAT
826 # obsolete
827 see=openat(2)
828 case=With a valid absolute/relative file path
829 format=path:[attr]
830 case=With an file path eq. NULL and valid file descriptor
831 format=kernel
832
833 label=AUE_FCHROOT
834 format=[path]:[attr]
835 # fchroot -> chdirec -> audit_chdirec
836
837 label=AUE_FCNTL
838 case=With a valid file descriptor
839 format=arg1:[arg]2:path:attr
840 comment=2, command, "cmd":
841 comment=3, flags, "flags"
842 case=With an invalid file descriptor
843 format=arg1:[arg]2:arg3
844 comment=2, command, "cmd":
845 comment=3, flags, "flags":
846 comment=1, file descriptor, "no path fd"
847 note=Flags are included only when cmd is F_SETFL.
848
849 label=AUE_FLOCK
850 skip=Not used.
851
852 label=AUE_FORKALL
853 format=[arg]1
854 comment=0, pid, "child PID"
855 note=The forkall(2) return values are undefined because the audit record
856 note=is produced at the point that the child process is spawned.
857 # see audit.c
858
859 label=AUE_FORK1
860 format=[arg]1
861 comment=0, pid, "child PID"
862 note=The fork1(2) return values are undefined because the audit record
863 note=is produced at the point that the child process is spawned.
864 # see audit.c
865
866 label=AUE_FSAT
867 # obsolete
868 skip=Not used. (Placeholder for AUE_*AT records)
869
870 label=AUE_FSTAT
871 skip=Not used.
872
873 label=AUE_FSTATAT
874 # obsolete
875 format=path:[attr]
876
877 label=AUE_FSTATFS
878 case=With a valid file descriptor
879 format=[path]:[attr]
880 case=With an invalid file descriptor
881 format=arg1
882 comment=1, file descriptor, "no path fd"
883
884 label=AUE_FTRUNCATE
885 skip=Not used.
886
887 label=AUE_FUSERS
888 syscall=utssys: UTS_FUSERS
889 format=path:attr
890
891 label=AUE_FUTIMESAT
892 # obsolete
893 format=[path]:[attr]
894
895 label=AUE_GETAUDIT
896 format=kernel
897 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
898 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
899 # return,success,0
900 # trailer,68
901 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
902 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
903 # return,success,0
904 # trailer,68
905
906 label=AUE_GETAUDIT_ADDR
907 format=kernel
908 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
909 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
910 # return,success,0
911
912 label=AUE_GETAUID
913 format=kernel
914 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
915 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
916 # return,success,0
917 # trailer,68
918 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
919 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
920 # return,failure: Not owner,-1
921 # trailer,68
922
923 label=AUE_GETDENTS
924 skip=Not used.
925 #Not security relevant
926
927 label=AUE_GETKERNSTATE
928 skip=Not used.
929
930 label=AUE_GETMSG
931 case=With a valid file descriptor
932 format=arg1:[path]:attr:arg2
933 comment=1, file descriptor, "fd":
934 comment=4, priority, "pri"
935 case=With an invalid file descriptor
936 format=arg1:arg2
937 comment=1, file descriptor, "fd":
938 comment=4, priority, "pri"
939
940 label=AUE_GETPMSG
941 case=With a valid file descriptor
942 format=arg1:[path]:attr
943 comment=1, file descriptor, "fd"
944 case=With an invalid file descriptor
945 format=arg1
946 comment=1, file descriptor, "fd"
947
948 label=AUE_GETPORTAUDIT
949 skip=Not used.
950
951 label=AUE_GETUSERAUDIT
952 skip=Not used.
953
954 label=AUE_INST_SYNC
955 format=arg1
956 comment=2, flags value, "flags"
957
958 label=AUE_IOCTL
959 case=With an invalid file descriptor
960 format=arg1:arg2:arg3
961 comment=1, file descriptor, "fd":
962 comment=2, command, "cmd":
963 comment=3, arg, "arg"
964 case=With a valid file descriptor
965 format=path:[attr]:arg1:arg2
966 comment=2, ioctl cmd, "cmd":
967 comment=3, ioctl arg, "arg"
968 case=Non-file file descriptor
969 format=arg1:arg2:arg3
970 comment=1, file descriptor, "fd":
971 comment=2, ioctl cmd, "cmd":
972 comment=3, ioctl arg, "arg"
973 case=Bad file name
974 format=arg1:arg2:arg3
975 comment=1, file descriptor, "no path: fd":
976 comment=2, ioctl cmd, "cmd":
977 comment=3, ioctl arg, "arg"
978 # old BSM manual misses a case
979
980 label=AUE_JUNK
981 skip=Not used.
982
983 label=AUE_KILL
984 case=Valid process
985 format=arg1:[proc]
986 comment=2, signo, "signal"
987 case=Zero or negative process
988 format=arg1:arg2
989 comment=2, signo, "signal":
990 comment=1, pid, "process"
991
992 label=AUE_KILLPG
993 skip=Not used.
994
995 label=AUE_LCHOWN
996 format=arg1:arg2:path:[attr]
997 comment=2, uid, "new file uid":
998 comment=3, gid, "new file gid"
999
1000 label=AUE_LINK
1001 format=path1:[attr]:path2
1002 comment=from path:
1003 comment=to path
1004
1005 label=AUE_LSEEK
1006 skip=Not used.
1007
1008 label=AUE_LSTAT
1009 format=path:[attr]
1010
1011 label=AUE_LXSTAT
1012 # obsolete
1013 skip=Not used.
1014
1015 label=AUE_MCTL
1016 skip=Not used.
1017
1018 label=AUE_MEMCNTL
1019 format=arg1:arg2:arg3:arg4:arg5:arg6
1020 comment=1, base address, "base":
1021 comment=2, length, "len":
1022 comment=3, command, "cmd":
1023 comment=4, command args, "arg":
1024 comment=5, command attributes, "attr":
1025 comment=6, 0, "mask"
1026
1027 label=AUE_MKDIR
1028 format=arg1:path:[attr]
1029 comment=2, mode, "mode"
1030
1031 label=AUE_MKNOD
1032 format=arg1:arg2:path:[attr]
1033 comment=2, mode, "mode":
1034 comment=3, dev, "dev"
1035
1036 label=AUE_MMAP
1037 case=With a valid file descriptor
1038 format=arg1:arg2:[path]3:[attr]
1039 comment=1, segment address, "addr":
1040 comment=2, segment length, "len":
1041 comment=if no path, then argument: \
1042 1, "nopath: fd", file descriptor
1043 case=With an invalid file descriptor
1044 format=arg1:arg2:arg3
1045 comment=1, segment address, "addr":
1046 comment=2, segment length, "len":
1047 comment=1, file descriptor, "no path: fd"
1048
1049 label=AUE_MODADDMAJ
1050 title=modctl: bind module
1051 syscall=modctl
1052 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1053 comment=driver major number:
1054 comment=driver name:
1055 comment=driver major number or "no drvname":
1056 comment=5, number of aliases, "":
1057 comment=aliases
1058
1059 label=AUE_MODADDPRIV
1060 format=kernel
1061
1062 label=AUE_MODCONFIG
1063 skip=Not used.
1064
1065 label=AUE_MODCTL
1066 skip=Not used. (placeholder)
1067
1068 label=AUE_MODDEVPLCY
1069 syscall=modctl
1070 title=modctl: set device policy
1071 case=If unknown minor name/pattern
1072 format=arg1:arg2:arg3:arg4:arg5
1073 comment=2, "major", major number:
1074 comment=2, "lomin", low minor number, if known:
1075 comment=2, "himin", hi minor number, if known:
1076 comment=privileges required for reading:
1077 comment=privileges required for writing
1078 case=else
1079 format=arg1:text2:arg3:arg4
1080 comment=2, "major", major number:
1081 comment=minor name/pattern:
1082 comment=privileges required for reading:
1083 comment=privileges required for writing
1084
1085 label=AUE_MODLOAD
1086 syscall=modctl
1087 title=modctl: load module
1088 format=[text]1:text2
1089 comment=default path:
1090 comment=filename path
1091
1092 label=AUE_MODUNLOAD
1093 syscall=modctl
1094 title=modctl: unload module
1095 format=arg1
1096 comment=1, module ID, "id"
1097
1098 label=AUE_MOUNT
1099 case=UNIX file system
1100 format=arg1:text2:path:[attr]
1101 comment=3, flags, "flags":
1102 comment=filesystem type
1103 case=NFS file system
1104 format=arg1:text2:text3:arg4:path:[attr]
1105 comment=3, flags, "flags":
1106 comment=filesystem type:
1107 comment=host name:
1108 comment=3, flags, "internal flags"
1109 # unix example:
1110 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1111 # argument,3,0x104,flags
1112 # text,ufs
1113 # path,/var2
1114 # attribute,40755,root,root,32,12160,0
1115 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1116 # attribute,60640,root,sys,32,231268,137438953476
1117 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1118 # return,success,4290707268
1119 # ^^^^^^^^^^ <- bugid 4333559
1120
1121 label=AUE_MSGCTL
1122 format=arg1:[ipc]:[ipc_perm]
1123 comment=1, message ID, "msg ID"
1124 note=ipc_perm
1125 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1126
1127 label=AUE_MSGCTL_RMID
1128 format=arg1:[ipc]:[ipc_perm]
1129 comment=1, message ID, "msg ID"
1130 note=ipc_perm
1131 syscall=msgctl: IPC_RMID
1132 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1133
1134 label=AUE_MSGCTL_SET
1135 format=arg1:[ipc]:[ipc_perm]
1136 comment=1, message ID, "msg ID"
1137 note=ipc_perm
1138 syscall=msgctl: IPC_SET
1139 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1140
1141 label=AUE_MSGCTL_STAT
1142 format=arg1:[ipc]:[ipc_perm]
1143 comment=1, message ID, "msg ID"
1144 note=ipc_perm
1145 syscall=msgctl: IPC_STAT
1146 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1147
1148 label=AUE_MSGGET
1149 format=arg1:ipc
1150 comment=1, message key, "msg key"
1151 note=ipc_perm
1152 syscall=msgget
1153
1154 label=AUE_MSGGETL
1155 skip=Not used.
1156
1157 label=AUE_MSGRCV
1158 format=arg1:[ipc]:[ipc_perm]
1159 comment=1, message ID, "msg ID"
1160 note=ipc_perm
1161 syscall=msgrcv
1162 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1163
1164 label=AUE_MSGRCVL
1165 skip=Not used.
1166
1167 label=AUE_MSGSND
1168 format=arg1:[ipc]:[ipc_perm]
1169 comment=1, message ID, "msg ID"
1170 note=ipc_perm
1171 syscall=msgsnd
1172 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1173
1174 label=AUE_MSGSNDL
1175 skip=Not used.
1176
1177 label=AUE_MSGSYS
1178 skip=Not used. (Placeholder for AUE_MSG* events.)
1179
1180 label=AUE_MUNMAP
1181 format=arg1:arg2
1182 comment=1, address of memory, "addr":
1183 comment=2, memory segment size, "len"
1184
1185 label=AUE_NFS
1186 skip=Not used.
1187
1188 label=AUE_NFSSVC_EXIT
1189 skip=Not used.
1190
1191 label=AUE_NFS_GETFH
1192 skip=Not used.
1193
1194 label=AUE_NFS_SVC
1195 skip=Not used.
1196
1197 label=AUE_NICE
1198 format=kernel
1199
1200 label=AUE_NULL
1201 skip=Not used. (placeholder)
1202 # used internal to audit_event.c for minimal audit
1203
1204 label=AUE_NTP_ADJTIME
1205 format=kernel
1206
1207 label=AUE_ONESIDE
1208 skip=Not used.
1209
1210 label=AUE_OPEN
1211 skip=Not used. (placeholder for AUE_OPEN_*).
1212
1213 label=AUE_OPEN_R
1214 format=path:[path_attr]:[attr]
1215 see=open(2) - read
1216
1217 label=AUE_OPENAT_R
1218 # obsolete
1219 format=path:[path_attr]:[attr]
1220 see=openat(2)
1221
1222 label=AUE_OPEN_RC
1223 format=path:[path_attr]:[attr]
1224 see=open(2) - read,creat
1225
1226 label=AUE_OPENAT_RC
1227 # obsolete
1228 see=openat(2)
1229 format=path:[path_attr]:[attr]
1230
1231 label=AUE_OPEN_RT
1232 format=path:[path_attr]:[attr]
1233 see=open(2) - read,trunc
1234
1235 label=AUE_OPENAT_RT
1236 # obsolete
1237 see=openat(2)
1238 format=path:[path_attr]:[attr]
1239
1240 label=AUE_OPEN_RTC
1241 format=path:[path_attr]:[attr]
1242 see=open(2) - read,trunc,creat
1243
1244 label=AUE_OPENAT_RTC
1245 # obsolete
1246 see=openat(2)
1247 format=path:[path_attr]:[attr]
1248
1249 label=AUE_OPEN_RW
1250 format=path:[path_attr]:[attr]
1251 see=open(2) - read,write
1252
1253 label=AUE_OPENAT_RW
1254 # obsolete
1255 see=openat(2)
1256 format=path:[path_attr]:[attr]
1257 # aui_fsat(): fm & O_RDWR
1258
1259 label=AUE_OPEN_RWC
1260 format=path:[path_attr]:[attr]
1261 see=open(2) - read,write,creat
1262
1263 label=AUE_OPENAT_RWC
1264 # obsolete
1265 see=openat(2)
1266 format=path:[path_attr]:[attr]
1267
1268 label=AUE_OPEN_RWT
1269 format=path:[path_attr]:[attr]
1270 see=open(2) - read,write,trunc
1271
1272 label=AUE_OPENAT_RWT
1273 # obsolete
1274 see=openat(2)
1275 format=path:[path_attr]:[attr]
1276
1277 label=AUE_OPEN_RWTC
1278 format=path:[path_attr]:[attr]
1279 see=open(2) - read,write,trunc,creat
1280
1281 label=AUE_OPENAT_RWTC
1282 # obsolete
1283 see=openat(2)
1284 format=path:[path_attr]:[attr]
1285
1286 label=AUE_OPEN_W
1287 format=path:[path_attr]:[attr]
1288 see=open(2) - write
1289
1290 label=AUE_OPENAT_W
1291 see=openat(2)
1292 format=path:[path_attr]:[attr]
1293
1294 label=AUE_OPEN_WC
1295 format=path:[path_attr]:[attr]
1296 see=open(2) - write,creat
1297
1298 label=AUE_OPENAT_WC
1299 see=openat(2)
1300 format=path:[path_attr]:[attr]
1301
1302 label=AUE_OPEN_WT
1303 format=path:[path_attr]:[attr]
1304 see=open(2) - write,trunc
1305
1306 label=AUE_OPENAT_WT
1307 see=openat(2)
1308 format=path:[path_attr]:[attr]
1309
1310 label=AUE_OPEN_WTC
1311 format=path:[path_attr]:[attr]
1312 see=open(2) - write,trunc,creat
1313
1314 label=AUE_OPENAT_WTC
1315 see=openat(2)
1316 format=path:[path_attr]:[attr]
1317
1318 label=AUE_OPEN_S
1319 format=path:[path_attr]:[attr]
1320 see=open(2) - search
1321
1322 label=AUE_OPEN_E
1323 format=path:[path_attr]:[attr]
1324 see=open(2) - exec
1325
1326 label=AUE_OSETPGRP
1327 skip=Not used.
1328
1329 label=AUE_OSTAT
1330 # obsolete
1331 skip=Not used.
1332
1333 label=AUE_PATHCONF
1334 format=path:[attr]
1335
1336 label=AUE_PIPE
1337 format=kernel
1338 # class is no, not usually printed
1339
1340 label=AUE_PORTFS
1341 skip=Not used (placeholder for AUE_PORTFS_*).
1345
1346 label=AUE_PORTFS_ASSOCIATE
1347 syscall=portfs
1348 see=port_associate(3C)
1349 case=Port association via PORT_SOURCE_FILE
1350 format=[path]1:attr
1351 comment=name of the file/directory to be watched
1352
1353 label=AUE_PORTFS_DISSOCIATE
1354 syscall=portfs
1355 see=port_dissociate(3C)
1356 case=Port dissociation via PORT_SOURCE_FILE
1357 format=kernel
1358
1359 label=AUE_PRIOCNTLSYS
1360 syscall=priocntl
1361 see=priocntl(2)
1362 format=arg1:arg2
1363 comment=1, priocntl version number, "pc_version":
1364 comment=3, command, "cmd"
1365
1366 label=AUE_PROCESSOR_BIND
1367 case=No LWP/thread bound to the processor
1368 format=arg1:arg2:text3:[proc]
1369 comment=1, type of ID, "ID type":
1370 comment=2, ID value, "ID":
1371 comment="PBIND_NONE"
1372 case=With processor bound
1373 format=arg1:arg2:arg3:[proc]
1374 comment=1, type of ID, "ID type":
1375 comment=2, ID value, "ID":
1376 comment=3, processor ID, "processor_id"
1377
1378 label=AUE_PUTMSG
1379 see=putmsg(2)
1380 format=arg1:[path]:[attr]:arg2
1381 comment=1, file descriptor, "fd":
1382 comment=4, priority, "pri"
1383
1384 label=AUE_PUTPMSG
1385 see=putpmsg(2)
1386 format=arg1:[path]:[attr]:arg2:arg3
1387 comment=1, file descriptor, "fd":
1388 comment=4, priority, "pri":
1389 comment=5, flags, "flags"
1390
1391 label=AUE_P_ONLINE
1392 format=arg1:arg2:text3
1393 comment=1, processor ID, "processor ID":
1394 comment=2, flags value, "flags":
1395 comment=text form of flags. Values: \
1396 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
1397
1398 label=AUE_QUOTACTL
1399 skip=Not used.
1400
1401 label=AUE_READ
1402 skip=Not used. (Placeholder for AUE_READ_* events)
1403
1404 label=AUE_READL
1405 skip=Not used. (Obsolete)
1406
1407 label=AUE_READLINK
1408 format=path:[attr]
1409
1410 label=AUE_READV
1411 skip=Not used (obsolete)
1412 # detritus from CMS
1413
1414 label=AUE_READVL
1415 skip=Not used (obsolete)
1416 # detritus from CMS
1417
1418 label=AUE_REBOOT
1419 skip=Not used.
1420
1421 label=AUE_RECV
1422 case=If address family is AF_INET or AF_INET6
1423 format=[arg]1:[inet]
1424 comment=1, file descriptor, "so"
1425 case=If address family is AF_UNIX and path is defined
1426 format=[path]1:[attr]
1427 comment=1, file descriptor, "so"
1428 case=If address family is AF_UNIX and path is NULL
1429 format=[path]1:[attr]
1430 comment=1, file descriptor, "no path: fd"
1431 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1432 format=[arg]1:[arg]2:[arg]3
1433 comment=1, file descriptor, "so":
1434 comment=1, family, "family":
1435 comment=1, type, "type"
1436 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1437
1438 label=AUE_RECVFROM
1439 format=inet:arg1:[arg]2:inet3:arg4
1440 comment=3, message length, "len":
1441 comment=4, flags, "flags":
1442 comment=from address:
1443 comment=6, address length, "tolen"
1444 note=The socket token for a bad socket is reported as "argument
1445 note=token (1, socket descriptor, "fd")"
1446
1447 label=AUE_RECVMSG
1448 case=If invalid file descriptor
1449 format=arg1:arg2
1450 comment=1, file descriptor, "so":
1451 comment=3, flags, "flags"
1452 case=If valid file descriptor and socket is AF_UNIX and no path
1453 format=arg1:[attr]
1454 comment=1, file descriptor, "no path: fd"
1455 case=If valid file descriptor and socket is AF_UNIX and path defined
1456 format=path:attr
1457 case=If valid file descriptor and socket is AF_INET or AF_INET6
1458 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1459 format=arg1:arg2:inet
1460 comment=1, file descriptor, "so":
1461 comment=2, flags, "flags"
1462 case=.. if socket type is unknown
1463 format=arg1:arg2:arg3:arg4
1464 comment=1, file descriptor, "so":
1465 comment=1, family, "family":
1466 comment=1, type, "type":
1467 comment=3, flags, "flags"
1468
1469 label=AUE_RENAME
1470 format=path1:[attr]1:[path]2
1471 comment=from name:
1472 comment=to name
1473
1474 label=AUE_RENAMEAT
1475 # obsolete
1476 format=path1:[attr]1:[path]2
1477 comment=from name:
1478 comment=to name
1479
1480 label=AUE_RFSSYS
1481 skip=Not used.
1482 # apparently replaced
1483
1484 label=AUE_RMDIR
1485 format=path:[attr]
1486
1487 label=AUE_SEMCTL
1488 format=arg1:[ipc]:[ipc_perm]
1489 comment=1, semaphore ID, "sem ID"
1490 note=ipc_perm
1491 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1492
1493 label=AUE_SEMCTL_GETALL
1494 format=arg1:[ipc]:[ipc_perm]
1495 comment=1, semaphore ID, "sem ID"
1496 note=ipc_perm
1497 syscall=semctl: GETALL
1498 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1499
1500 label=AUE_SEMCTL_GETNCNT
1501 format=arg1:[ipc]:[ipc_perm]
1502 comment=1, semaphore ID, "sem ID"
1503 note=ipc_perm
1504 syscall=semctl: GETNCNT
1505 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1506
1507 label=AUE_SEMCTL_GETPID
1508 format=arg1:[ipc]:[ipc_perm]
1509 comment=1, semaphore ID, "sem ID"
1510 note=ipc_perm
1511 syscall=semctl: GETPID
1512 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1513
1514 label=AUE_SEMCTL_GETVAL
1515 format=arg1:[ipc]:[ipc_perm]
1516 comment=1, semaphore ID, "sem ID"
1517 note=ipc_perm
1518 syscall=semctl: GETVAL
1519 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1520
1521 label=AUE_SEMCTL_GETZCNT
1522 format=arg1:[ipc]:[ipc_perm]
1523 comment=1, semaphore ID, "sem ID"
1524 note=ipc_perm
1525 syscall=semctl: GETZCNT
1526 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1527
1528 label=AUE_SEMCTL_RMID
1529 format=arg1:[ipc]:[ipc_perm]
1530 comment=1, semaphore ID, "sem ID"
1531 note=ipc_perm
1532 syscall=semctl: IPC_RMID
1533 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1534
1535 label=AUE_SEMCTL_SET
1536 format=arg1:[ipc]:[ipc_perm]
1537 comment=1, semaphore ID, "sem ID"
1538 note=ipc_perm
1539 syscall=semctl: IPC_SET
1540 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1541
1542 label=AUE_SEMCTL_SETALL
1543 format=arg1:[ipc]:[ipc_perm]
1544 comment=1, semaphore ID, "sem ID"
1545 note=ipc_perm
1546 syscall=semctl: SETALL
1547 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1548
1549 label=AUE_SEMCTL_SETVAL
1550 format=arg1:[ipc]:[ipc_perm]
1551 comment=1, semaphore ID, "sem ID"
1552 note=ipc_perm
1553 syscall=semctl: SETVAL
1554 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1555
1556 label=AUE_SEMCTL_STAT
1557 format=arg1:[ipc]:[ipc_perm]
1558 comment=1, semaphore ID, "sem ID"
1559 note=ipc_perm
1560 syscall=semctl: IPC_STAT
1561 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1562
1563 label=AUE_SEMGET
1564 format=arg1:[ipc_perm]:ipc
1565 comment=1, semaphore key, "sem key"
1566 note=ipc_perm
1567 syscall=semget
1568 # ipc_perm token: semget -> audit_ipcget
1569
1570 label=AUE_SEMGETL
1571 skip=Not used.
1572
1573 label=AUE_SEMOP
1574 format=arg1:[ipc]:[ipc_perm]
1575 comment=1, semaphore ID, "sem ID"
1576 note=ipc_perm
1577 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1578
1579 label=AUE_SEMSYS
1580 skip=Not used. (place holder) -- defaults to a semget variant
1581
1582 label=AUE_SEND
1583 case=If address family is AF_INET or AF_INET6
1584 format=[arg]1:[inet]
1585 comment=1, file descriptor, "so"
1586 case=If address family is AF_UNIX and path is defined
1587 format=[path]1:[attr]
1588 comment=1, file descriptor, "so"
1589 case=If address family is AF_UNIX and path is NULL
1590 format=[path]1:[attr]
1591 comment=1, file descriptor, "no path: fd"
1592 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1593 format=[arg]1:[arg]2:[arg]3
1594 comment=1, file descriptor, "so":
1595 comment=1, family, "family":
1596 comment=1, type, "type"
1597 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1598
1599 label=AUE_SENDMSG
1600 case=If invalid file descriptor
1601 format=arg1:arg2
1602 comment=1, file descriptor, "so":
1603 comment=3, flags, "flags"
1604 case=If valid file descriptor
1605 case=...and address family is AF_UNIX and path is defined
1606 format=path:attr
1607 case=...and address family is AF_UNIX and path is NULL
1608 format=path1:attr
1609 comment=1, file descriptor, "nopath: fd"
1610 case=...and address family is AF_INET or AF_INET6, \
1611 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1612 format=arg1:arg2:inet
1613 comment=1, file descriptor, "so":
1614 comment=3, flags, "flags"
1615 case=...and unknown address family or address family AF_INET or AF_INET6 \
1616 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1617 format=arg1:arg2:arg3:arg4
1618 comment=1, file descriptor, "so":
1619 comment=1, family, "family":
1620 comment=1, type, "type":
1621 comment=1, flags, "flags"
1622
1623 label=AUE_SENDTO
1624 case=If invalid file descriptor
1625 format=arg1:arg2
1626 comment=1, file descriptor, "so":
1627 comment=3, flags, "flags"
1628 case=If valid file descriptor
1629 case=...and socket is AF_UNIX and path is defined
1630 format=path:attr
1631 case=...and address family is AF_UNIX and path is NULL
1632 format=path1:attr
1633 comment=1, file descriptor, "nopath: fd"
1634 case=...and address family is AF_INET or AF_INET6
1635 format=arg1:arg2:inet
1636 comment=1, file descriptor, "so":
1637 comment=3, flags, "flags"
1638 case=...and unknown address family
1639 format=arg1:arg2:arg3:arg4
1640 comment=1, file descriptor, "so":
1641 comment=1, family, "family":
1642 comment=1, type, "type":
1643 comment=1, flags, "flags"
1644
1645 label=AUE_SETAUDIT
1646 case=With a valid program stack address
1647 format=arg1:arg2:arg3:arg4:arg5:arg6
1648 comment=1, audit user ID, "setaudit:auid":
1649 comment=1, terminal ID, "setaudit:port":
1650 comment=1, terminal ID, "setaudit:machine":
1651 comment=1, preselection mask, "setaudit:as_success":
1652 comment=1, preselection mask, "setaudit:as_failure":
1653 comment=1, audit session ID, "setaudit:asid"
1654 case=With an invalid program stack address
1655 format=kernel
1656 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1657 # argument,1,0x271a,setaudit:auid
1658 # argument,1,0x3ff0201,setaudit:port
1659 # argument,1,0x8192591e,setaudit:machine
1660 # argument,1,0x400,setaudit:as_success
1661 # argument,1,0x400,setaudit:as_failure
1662 # argument,1,0x16f,setaudit:asid
1663 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1664 # return,success,0
1665 # trailer,215
1666 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1667 # argument,1,0x271a,setaudit:auid
1668 # argument,1,0x3ff0201,setaudit:port
1669 # argument,1,0x8192591e,setaudit:machine
1670 # argument,1,0x400,setaudit:as_success
1671 # argument,1,0x400,setaudit:as_failure
1672 # argument,1,0x16f,setaudit:asid
1673 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1674 # return,success,0
1675 # trailer,215
1676
1677 label=AUE_SETAUDIT_ADDR
1678 case=With a valid program stack address
1679 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1680 comment=1, audit user ID, "auid":
1681 comment=1, terminal ID, "port":
1682 comment=1, type, "type":
1683 comment=1, terminal ID, "ip address":
1684 comment=1, preselection mask, "as_success":
1685 comment=1, preselection mask, "as_failure":
1686 comment=1, audit session ID, "asid"
1687 case=With an invalid program stack address
1688 format=kernel
1689 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1690 # argument,1,0x15fa7,auid
1691 # argument,1,0x0,port
1692 # argument,1,0x4,type
1693 # ip address,tmach2
1694 # argument,1,0x9c00,as_success
1695 # argument,1,0x9c00,as_failure
1696 # argument,1,0x1f1,asid
1697 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1698 # return,success,0
1699
1700 label=AUE_SETAUID
1701 format=arg1
1702 comment=2, audit user ID, "setauid"
1703
1704 label=AUE_SETDOMAINNAME
1705 skip=Not used. (See AUE_SYSINFO)
1706 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1707
1708 label=AUE_SETEGID
1709 format=arg1
1710 comment=1, group ID, "gid"
1711
1712 label=AUE_SETEUID
1713 format=arg1
1714 comment=1, user ID, "euid"
1715
1716 label=AUE_SETGID
1717 format=arg1
1718 comment=1, group ID, "gid"
1719
1720 label=AUE_SETGROUPS
1721 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1722 note=no tokens are generated.
1723 case=If no groups in list
1724 format=[arg]1
1725 comment=1, 0, "setgroups"
1726 case=If 1 or more groups in list
1727 format=(1..n)arg1
1728 comment=1, gid, "setgroups"
1729
1730 label=AUE_SETHOSTNAME
1731 skip=Not used. (See AUE_SYSINFO)
1732 # See sysinfo call with command SI_SET_HOSTNAME
1733
1734 label=AUE_SETKERNSTATE
1735 skip=Not used.
1736
1737 label=AUE_SETPGID
1738 format=[proc]:[arg]1
1739 comment=2, pgid, "pgid"
1740
1741 label=AUE_SETPGRP
1742 format=kernel
1743
1744 label=AUE_SETPRIORITY
1745 skip=Not used.
1746
1747 label=AUE_SETPPRIV
1748 case=operation privileges off
1749 format=arg1:privset2
1750 comment=setppriv operation:
1751 comment=privileges actually switched off
1752 case=operation privileges on
1753 format=arg1:privset2
1754 comment=setppriv operation:
1755 comment=privileges actually switched on
1756 case=operation privileges set
1757 format=arg1:privset2:privset3
1758 comment=setppriv operation:
1759 comment=privileges before privset:
1760 comment=privileges after privset
1761 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1762 #argument,2,0x2,op
1763 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1764 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1766 #return,success,0
1767
1768 label=AUE_SETREGID
1769 format=arg1:arg2
1770 comment=1, real group ID, "rgid":
1771 comment=2, effective group ID, "egid"
1772
1773 label=AUE_SETREUID
1774 format=arg1:arg2
1775 comment=1, real user ID, "ruid":
1776 comment=2, effective user ID, "euid"
1777
1778 label=AUE_SETRLIMIT
1779 format=kernel
1780 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1781 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1782 # return,success,0
1783
1784 label=AUE_SETSID
1785 format=kernel
1786
1787 label=AUE_SETSOCKOPT
1788 case=Invalid file descriptor
1789 format=arg1:arg2
1790 comment=1, file descriptor, "so":
1791 comment=2, level, "level"
1792 case=Valid file descriptor
1793 case=...and socket is AF_UNIX
1794 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1795 comment=if no path, will be argument: 1, "nopath: fd", \
1796 file descriptor:
1797 comment=1, file descriptor, "so":
1798 comment=1, family, "family":
1799 comment=1, type, "type":
1800 comment=2, protocol level, "level":
1801 comment=3, option name, "optname":
1802 comment=5, option length, "optlen":
1803 comment=option data
1804 case=...and socket is AF_INET or AF_INET6
1805 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1806 comment=1, file descriptor, "so":
1807 comment=2, protocol level, "level":
1808 comment=3, option name, "optname":
1809 comment=5, option length, "optlen":
1810 comment=option data
1811 case=...and socket address family is unknown
1812 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1813 comment=1, file descriptor, "so":
1814 comment=1, family, "family":
1815 comment=1, type, "type":
1816 comment=2, protocol level, "level":
1817 comment=3, option name, "optname":
1818 comment=5, option length, "optlen":
1819 comment=option data
1820
1821 label=AUE_SETTIMEOFDAY
1822 skip=Not used.
1823
1824 label=AUE_SETUID
1825 syscall=setuid
1826 format=arg1
1827 comment=1, "uid" to be set
1828
1829 label=AUE_SETUSERAUDIT
1830 skip=Not used.
1831
1832 label=AUE_SHMAT
1833 format=arg1:arg2:[ipc]:[ipc_perm]
1834 comment=1, shared memory ID, "shm ID":
1835 comment=2, shared mem addr, "shm addr"
1836 note=ipc_perm
1837 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1838
1839 label=AUE_SHMCTL
1840 format=arg1:[ipc]:[ipc_perm]
1841 comment=1, shared memory ID, "shm ID"
1842 note=ipc_perm
1843 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1844
1845 label=AUE_SHMCTL_RMID
1846 format=arg1:[ipc]:[ipc_perm]
1847 comment=1, shared memory ID, "shm ID"
1848 note=ipc_perm
1849 syscall=shmctl: IPC_RMID
1850 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1851
1852 label=AUE_SHMCTL_SET
1853 format=arg1:[ipc]:[ipc_perm]
1854 comment=1, shared memory ID, "shm ID"
1855 note=ipc_perm
1856 syscall=shmctl: IPC_SET
1857 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1858
1859 label=AUE_SHMCTL_STAT
1860 format=arg1:[ipc]:[ipc_perm]
1861 comment=1, shared memory ID, "shm ID"
1862 note=ipc_perm
1863 syscall=shmctl: IPC_STAT
1864 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1865
1866 label=AUE_SHMDT
1867 format=arg1
1868 comment=1, shared memory address, "shm adr"
1869
1870 label=AUE_SHMGET
1871 format=arg1:[ipc_perm]:[ipc]
1872 comment=0, shared memory key, "shm key"
1873 note=ipc_perm
1874 # ipc_perm: shmget -> audit_ipcget
1875
1876 label=AUE_SHMGETL
1877 skip=Not used.
1878
1879 label=AUE_SHMSYS
1880 skip=Not used. (Placeholder for shmget and shmctl*)
1881
1882 label=AUE_SHUTDOWN
1883 case=If the socket address is invalid
1884 format=[arg]1:[text]2:[text]3
1885 comment=1, file descriptor, "fd":
1886 comment=bad socket address:
1887 comment=bad peer address
1888 case=If the socket address is part of the AF_INET family
1889 case=..with zero file descriptor
1890 format=arg1:[arg]2:[arg]3:[arg]4
1891 comment=1, file descriptor, "so":
1892 comment=1, family, "family":
1893 comment=1, type, "type":
1894 comment=2, how shutdown code, "how"
1895 case=...with non-zero file descriptor
1896 format=arg1:arg2:inet
1897 comment=1, file descriptor, "so":
1898 comment=2, how shutdown code, "how"
1899 case=If the socket address is AF_UNIX
1900 case=...with zero file descriptor
1901 format=path1:arg2:[arg]3:[arg]4:[arg]5
1902 comment=If error: argument: \
1903 1, "no path: fd", file descriptor:
1904 comment=1, file descriptor, "so":
1905 comment=1, family, "family":
1906 comment=1, type, "type":
1907 comment=2, how shutdown code, "how"
1908 case=...with non-zero file descriptor
1909 format=path1:arg2:arg3:inet
1910 comment=If error: argument: \
1911 1, file descriptor, "no path: fd":
1912 comment=1, file descriptor, "so":
1913 comment=2, how shutdown code, "how"
1914 #old BSM manual wrong; used audit_event.c
1915
1916 label=AUE_SOCKACCEPT
1917 syscall=getmsg: socket accept
1918 format=inet:arg1:[path]:attr:arg2
1919 comment=1, file descriptor, "fd":
1920 comment=4, priority, "pri"
1921 # see putmsg and getmsg for record format
1922 # See audit.c for inet token and audit_start.c for other reference
1923
1924 label=AUE_SOCKCONFIG
1925 format=arg1:arg2:arg3:[path]4
1926 comment=1, domain address, "domain":
1927 comment=2, type, "type":
1928 comment=3, protocol, "protocol":
1929 comment=If no path:argument -- 3, 0, "devpath"
1930
1931 label=AUE_SOCKCONNECT
1932 syscall=putmsg: socket connect
1933 format=inet:arg1:[path]:attr:arg2
1934 comment=1, file descriptor, "fd":
1935 comment=4, priority, "pri"
1936 # same as AUE_SOCKACCEPT
1937
1938 label=AUE_SOCKET
1939 format=arg1:[arg]2:arg3
1940 comment=1, socket domain, "domain":
1941 comment=2, socket type, "type":
1942 comment=3, socket protocol, "protocol"
1943
1944 label=AUE_SOCKETPAIR
1945 skip=Not used.
1946 # unreferenced
1947
1948 label=AUE_SOCKRECEIVE
1949 syscall=getmsg
1950 format=inet:arg1:[path]:attr:arg2
1951 comment=1, file descriptor, "fd":
1952 comment=4, priority, "pri"
1953 # see AUE_SOCKACCEPT
1954
1955 label=AUE_SOCKSEND
1956 syscall=putmsg
1957 format=inet:arg1:[path]:attr:arg2
1958 comment=1, file descriptor, "fd":
1959 comment=4, priority, "pri"
1960 # see AUE_SOCKACCEPT
1961
1962 label=AUE_STAT
1963 format=path:[attr]
1964
1965 label=AUE_STATFS
1966 format=path:[attr]
1967
1968 label=AUE_STATVFS
1969 format=path:[attr]
1970
1971 label=AUE_STIME
1972 format=kernel
1973
1974 label=AUE_SWAPON
1975 skip=Not used.
1976
1977 label=AUE_SYMLINK
1978 format=path:text1:[attr]
1979 comment=symbolic link string
1980
1981 label=AUE_SYSINFO
1982 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1983 note=are currently audited.
1984 format=arg1:[text]2
1985 comment=1, command, "cmd":
1986 comment=name
1987
1988 label=AUE_SYSTEMBOOT
1989 title=system booted
1990 syscall=none
1991 format=head:text1
1992 comment="booting kernel"
1993 # see audit_start.c and audit_io.c
1994 # no subject or return / exit token
1995 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1996 # text,booting kernel
1997
1998 label=AUE_TRUNCATE
1999 skip=Not used.
2000
2001 label=AUE_UMOUNT
2002 syscall=umount: old version
2003 note=Implemented as call of the newer umount2(2).
2004 format=path:arg1:[path]:[attr]
2005 comment=2, mflag value = 0, "flags"
2006
2007 label=AUE_UMOUNT2
2008 syscall=umount2
2009 format=path:arg1:[path]:[attr]
2010 comment=2, mflag value, "flags"
2011
2012 label=AUE_UNLINK
2013 format=path:[attr]
2014
2015 label=AUE_UNLINKAT
2016 # obsolete
2017 see=unlinkat(2)
2018 format=path:[attr]
2019
2020 label=AUE_UNMOUNT
2021 skip=Not used.
2022
2023 label=AUE_UTIME
2024 # obsolete
2025 format=path:[attr]
2026
2027 label=AUE_UTIMES
2028 see=futimens(2)
2029 format=path:[attr]
2030
2031 label=AUE_VFORK
2032 format=arg1
2033 comment=0, pid, "child PID"
2034 note=The vfork(2) return values are undefined because the audit record is
2035 note=produced at the point that the child process is spawned.
2036
2037 label=AUE_VPIXSYS
2038 skip=Not used.
2039
2040 label=AUE_VTRACE
2041 skip=Not used.
2042
2043 label=AUE_WRITE
2044 format=path1:attr
2045 comment=if no path, argument -- 1, file descriptor, "no path: fd"
2046 note=An audit record is generated for write only once per file close.
2047
2048 label=AUE_WRITEV
2049 skip=Not used. (obsolete)
2050
2051 label=AUE_XMKNOD
2052 # obsolete
2053 skip=Not used.
2054
2055 label=AUE_XSTAT
2056 # obsolete
2057 skip=Not used.
2058
2059 label=AUE_PF_POLICY_ADDRULE
2060 title=Add IPsec policy rule
2061 see=
2062 syscall=none
2063 format=arg1:arg2:[zone]3:[text]4
2064 comment=Operation applied to active policy (1 is active, 0 is inactive):
2065 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2066 comment=affected zone:
2067 comment=Name of target tunnel
2068
2069 label=AUE_PF_POLICY_DELRULE
2070 title=Delete IPsec policy rule
2071 see=
2072 syscall=none
2073 format=arg1:arg2:[zone]3:[text]4
2074 comment=Operation applied to active policy (1 is active, 0 is inactive):
2075 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2076 comment=affected zone:
2077 comment=Name of target tunnel
2078
2079 label=AUE_PF_POLICY_CLONE
2080 title=Clone IPsec policy
2081 see=
2082 syscall=none
2083 format=arg1:arg2:[zone]3:[text]4
2084 comment=Operation applied to active policy (1 is active, 0 is inactive):
2085 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2086 comment=affected zone:
2087 comment=Name of target tunnel
2088
2089 label=AUE_PF_POLICY_FLIP
2090 title=Flip IPsec policy
2091 see=
2092 syscall=none
2093 format=arg1:arg2:[zone]3:[text]4
2094 comment=Operation applied to active policy (1 is active, 0 is inactive):
2095 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2096 comment=affected zone:
2097 comment=Name of target tunnel
2098
2099 label=AUE_PF_POLICY_FLUSH
2100 title=Flush IPsec policy rules
2101 see=
2102 syscall=none
2103 format=arg1:arg2:[zone]3:[text]4
2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 comment=affected zone:
2107 comment=Name of target tunnel
2108
2109 label=AUE_PF_POLICY_ALGS
2110 title=Update IPsec algorithms
2111 see=
2112 syscall=none
2113 format=arg1:arg2:[zone]3:[text]4
2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 comment=affected zone:
2117 comment=Name of target tunnel
2118
2119 label=AUE_allocate_fail
2120 program=/usr/sbin/allocate
2121 title=allocate: allocate-device failure
2122 format=(0..n)[text]1
2123 comment=command line arguments
2124 # see audit_allocate.c
2125
2126 label=AUE_allocate_succ
2127 program=/usr/sbin/allocate
2128 title=allocate: allocate-device success
2129 format=(0..n)[text]1
2130 comment=command line arguments
2131 # see audit_allocate.c
2132
2133 label=AUE_at_create
2134 program=/usr/bin/at
2135 title=at: at-create crontab
2136 format=path
2137
2138 label=AUE_at_delete
2139 program=/usr/bin/at
2140 title=at: at-delete atjob (at or atrm)
2141 format=text1:path
2142 comment="ancillary file:" filename or "bad format of at-job name"
2143
2144 label=AUE_at_perm
2145 skip=Not used.
2146 # not referenced outside uevents.h
2147
2148 label=AUE_create_user
2149 skip=Not used.
2150
2151 label=AUE_cron_invoke
2152 program=/usr/sbin/cron
2153 title=cron: cron-invoke at or cron
2154 case=If there is a problem looking up the account
2155 format=text1
2156 comment="bad user" name or "user <name> account expired"
2157 case=else
2158 format=text1:text2
2159 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2160 or "unknown job type (<job_type_id>)":
2161 comment=command
2162
2163 label=AUE_crontab_create
2164 program=/usr/bin/crontab
2165 title=crontab: crontab created
2166 format=path
2167 # See audit_crontab.c
2168
2169 label=AUE_crontab_delete
2170 program=/usr/bin/crontab
2171 title=crontab: crontab delete
2172 format=path
2173 # See audit_crontab.c
2174
2175 label=AUE_crontab_mod
2176 program=/usr/bin/crontab
2177 title=crontab: crontab modify
2178 format=path
2179 # See audit_crontab.c
2180
2181 label=AUE_crontab_perm
2182 skip=Not used.
2183
2184 label=AUE_deallocate_fail
2185 program=/usr/sbin/deallocate
2186 title=deallocate-device failure
2187 format=(0..n)[text]1
2188 comment=command line arguments
2189 # See audit_allocate.c
2190
2191 label=AUE_deallocate_succ
2192 program=/usr/sbin/deallocate
2193 title=deallocate-device success
2194 format=(0..n)[text]1
2195 comment=command line arguments
2196 # See audit_allocate.c
2197
2198 label=AUE_delete_user
2199 skip=Not used.
2200
2201 label=AUE_disable_user
2202 skip=Not used.
2203
2204 label=AUE_enable_user
2205 skip=Not used.
2206
2207 label=AUE_ftpd
2208 program=/usr/sbin/in.ftpd
2209 title=in.ftpd
2210 format=[text]1
2211 comment=error message
2212 # See audit_ftpd
2213
2214 label=AUE_ftpd_logout
2215 program=/usr/sbin/in.ftpd
2216 title=in.ftpd
2217 format=user
2218 # See audit_ftpd
2219
2220 label=AUE_halt_solaris
2221 program=/usr/sbin/halt
2222 title=halt
2223 format=user
2224 # See audit_halt.c
2225
2226 label=AUE_kadmind_auth
2227 format=text1:text2:text3
2228 comment=Op: <requested information>:
2229 comment=Arg: <argument for Op>:
2230 comment=Client: <client principal name>
2231 # See audit_kadmin.c / common_audit()
2232
2233 label=AUE_kadmind_unauth
2234 format=text1:text2:text3
2235 comment=Op: <requested information>:
2236 comment=Arg: <argument for Op>:
2237 comment=Client: <client principal name>
2238 # See audit_kadmin.c / common_audit()
2239
2240 label=AUE_krb5kdc_as_req
2241 format=text1:text2
2242 comment=Client: <client principal name>:
2243 comment=Service: <requested service name>
2244 # See audit_krb5kdc.c / common_audit()
2245
2246 label=AUE_krb5kdc_tgs_req
2247 format=text1:text2
2248 comment=Client: <client principal name>:
2249 comment=Service: <requested service name>
2250 # See audit_krb5kdc.c / common_audit()
2251
2252 label=AUE_krb5kdc_tgs_req_alt_tgt
2253 format=text1:text2
2254 comment=Client: <client principal name>:
2255 comment=Service: <requested service name>
2256 # See audit_krb5kdc.c / common_audit()
2257
2258 label=AUE_krb5kdc_tgs_req_2ndtktmm
2259 format=text1:text2
2260 comment=Client: <client principal name>:
2261 comment=Service: <requested service name>
2262 # See audit_krb5kdc.c / common_audit()
2263
2264 label=AUE_listdevice_fail
2265 title=allocate-list devices failure
2266 program=/usr/sbin/allocate
2267 format=(0..n)[text]1
2268 comment=command line arguments
2269 # See audit_allocate.c
2270
2271 label=AUE_listdevice_succ
2272 title=allocate-list devices success
2273 program=/usr/sbin/allocate
2274 format=(0..n)[text]1
2275 comment=command line arguments
2276 # See audit_allocate.c
2277
2278 label=AUE_modify_user
2279 skip=Not used.
2280
2281 label=AUE_mountd_mount
2282 title=mountd: NFS mount
2283 program=/usr/lib/nfs/mountd
2284 see=mountd(1M)
2285 format=text1:path2
2286 comment=remote client hostname:
2287 comment=mount dir
2288 # See audit_mountd.c
2289
2290 label=AUE_mountd_umount
2291 title=mountd: NFS unmount
2292 program=/usr/lib/nfs/mountd
2293 format=text1:path2
2294 comment=remote client hostname:
2295 comment=mount dir
2296 # See audit_mountd.c
2297
2298 label=AUE_poweroff_solaris
2299 program=/usr/sbin/poweroff
2300 title=poweroff
2301 format=user
2302 # See audit_halt.c
2303
2304 label=AUE_reboot_solaris
2305 program=/usr/sbin/reboot
2306 title=reboot
2307 format=user
2308 # See audit_reboot.c
2309 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2310 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2311 # return,success,0
2312
2313 label=AUE_rexd
2314 program=/usr/sbin/rpc.rexd
2315 title=rpc.rexd
2316 format=[text]1:text2:text3:[text]4:[text]5
2317 comment=error message (failure only):
2318 comment="Remote execution requested by:" hostname:
2319 comment="Username:" username:
2320 comment="User id:" user ID (failure only):
2321 comment="Command line:" command attempted
2322 # See audit_rexd.c
2323
2324 label=AUE_rexecd
2325 program=/usr/sbin/rpc.rexecd
2326 title=rpc.rexecd
2327 format=[text]1:text2:text3:text4
2328 comment=error message (failure only):
2329 comment="Remote execution requested by:" hostname:
2330 comment="Username:" username:
2331 comment="Command line:" command attempted
2332 # See audit_rexecd.c
2333
2334 label=AUE_rshd
2335 program=/usr/sbin/in.rshd
2336 title=in.rshd
2337 format=text1:text2:[text]3:[text]4
2338 comment="cmd" command:
2339 comment="remote user" remote user:
2340 comment="local user" local user:
2341 comment=failure message
2342 # See audit_rshd.c
2343
2344 label=AUE_shutdown_solaris
2345 title=shutdown
2346 program=/usr/ucb/shutdown
2347 format=user
2348 # See audit_shutdown.c
2349
2350 label=AUE_smserverd
2351 program=/usr/lib/smedia/rpc.smserverd
2352 format=[text]1:[text]2
2353 comment=state change:
2354 comment=vid, pid, major/minor device
2355 # see usr/src/cmd/smserverd
2356 # code shows a third token, path, but it isn't implemented.
2357
2358 label=AUE_uadmin_solaris
2359 title=uadmin (obsolete)
2360 program=
2361 see=
2362 format=text1:text2
2363 comment=function code:
2364 comment=argument code
2365 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2366
2367 label=AUE_LABELSYS_TNRH
2368 title=config Trusted Network remote host cache
2369 see=tnrh(2)
2370 syscall=labelsys: TSOL_TNRH
2371 case=With the flush command (cmd=3)
2372 format=arg1
2373 comment=1, command, "cmd"
2374 case=With the load (cmd=1) and delete (cmd=2) commands
2375 format=arg1:inaddr2:arg3
2376 comment=1, command, "cmd":
2377 comment=ip address of host:
2378 comment=2, prefix length, "prefix len"
2379
2380 label=AUE_LABELSYS_TNRHTP
2381 title=config Trusted Network remote host template
2382 see=tnrhtp(2)
2383 syscall=labelsys: TSOL_TNRHTP
2384 case=With the flush command (cmd=3)
2385 format=arg1
2386 comment=1, command, "cmd"
2387 case=With the load (cmd=1) and delete (cmd=2) commands
2388 format=arg1:text2
2389 comment=1, command, "cmd":
2390 comment=name of template
2391
2392 label=AUE_LABELSYS_TNMLP
2393 title=config Trusted Network multi-level port entry
2394 see=tnmlp(2)
2395 syscall=labelsys: TSOL_TNMLP
2396 case=With the flush command (cmd=3)
2397 format=arg1:text2
2398 comment=1, command, "cmd":
2399 comment="shared", or name of zone
2400 case=With the load (cmd=1) and delete (cmd=2) commands
2401 format=arg1:text2:arg3:arg4:[arg]5
2402 comment=1, command, "cmd":
2403 comment="shared", or name of zone:
2404 comment=2, protocol number, "proto num":
2405 comment=2, starting mlp port number, "mlp_port":
2406 comment=2, ending mlp port number, "mlp_port_upper"