1 # audit_record_attr.txt
2 # Lines beginning with two "#" are comments that are copied to audit_record_attr;
3 # all other comments are removed.
4 ##
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 ## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
7 ##
8 ## CDDL HEADER START
9 ##
10 ## The contents of this file are subject to the terms of the
11 ## Common Development and Distribution License (the "License").
12 ## You may not use this file except in compliance with the License.
13 ##
14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15 ## or http://www.opensolaris.org/os/licensing.
16 ## See the License for the specific language governing permissions
17 ## and limitations under the License.
18 ##
19 ## When distributing Covered Code, include this CDDL HEADER in each
20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21 ## If applicable, add the following below this CDDL HEADER, with the
22 ## fields enclosed by brackets "[]" replaced with your own identifying
23 ## information: Portions Copyright [yyyy] [name of copyright owner]
24 ##
25 ## CDDL HEADER END
26 ##
27 ##
28
29 # source file for describing audit records.
30
31 # This file is in two sections. The first is a list of attribute /
32 # value pairs used to provide short cuts in annotating the audit
33 # records. The second is for annotation for each audit record.
34
35 # first section: general attributes
36
37 # skipClass=<class name of items to skip if only in that class>
38 # skipClass=no # uncomment to filter unused events
39
40 # token name abbreviations
41 # token=alias:fullname -- short names for key tokens
42
43 token=arg:argument
44 token=attr:attribute
45 token=acl:acl_entry
46 token=cmd:command
47 token=data:data
48 token=exec_args:exec_arguments
49 token=exec_env:exec_environment
50 token=group:group
51 token=inaddr:ip_addr
52 token=inet:socket
53 token=ipc:ipc
54 token=ipc_perm:ipc_perm
55 token=newgroup:newgroups
56 token=path:path
57 token=path_attr:attribute_path
58 token=privset:privilege
59 token=proc:process
60 token=text:text
61 token=tid:terminal_adr
62 token=uauth:use_of_authorization
63 token=upriv:use_of_privilege
64 token=user:user_object
65 token=zone:zonename
66 token=fmri:service_instance
67 token=label:mandatory_label
68
69 token=head:header
70 token=subj:subject
71 token=ret:return
72 token=exit:exit
73
74 # note names -- certain notes show up repeatedly; collected here
75 #
76 # To keep the maximum line length under 80 characters, a note name
77 # (message=) may be defined across multiple lines, with every line except
78 # the last ending in a backslash character.
79
80 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
81 the message ID is not valid.
82
83
84 # basic record pattern ("insert" is where event-specific tokens
85 # are listed.)
86
87 kernel=head:insert:subj:[upriv]:ret
88 user=head:subj:insert:ret
89
90 # Second Section
91 # Annotation Section
92 #
93 # Most audit records need annotation beyond what is provided by
94 # the files audit_event and audit_class. At a minimum, a record
95 # is represented by a label and a format.
96 #
97 # label=record_id like AUE_ACCEPT
98 # format=token_alias
99 #
100 # there is no end line; a new label= ends the preceding definition
101 # and starts the next.
102 #
103 # format values are a list of token names, separated by colons. The
104 # name is either one of the values described above (token=) or is
105 # a value to be taken literally. If a token name ends with a digit,
106 # the digit is an index into an array of comments. In the few cases
107 # where there are no tokens (other than header, subject, return/exit),
108 # use "format=kernel" or "format=user".
109 #
110 # comment is an array of strings separated by colons. If comments
111 # are listed on separate lines (recommended due to better
112 # readability/sustainability of the file), the preceding comment
113 # must end with a colon. The array starts at 1. (If the comment
114 # contains a colon, use ":" without the quotes.)
115 #
116 # case is used to generate alternate descriptions for a given
117 # record.
118 #
119 # Constraints - string length; bear in mind that any annotation of the
120 # primitives below that is longer than specified will be silently truncated
121 # to the given/defined number of characters by the auditrecord(1M) runtime:
122 #
123 # primitive <= max (non-truncated) string length
124 # case <= unlimited; if necessary, text continues on a new line
125 # comment <= unlimited; if necessary, text continues on a new line
126 # label <= 43
127 # note <= unlimited; if necessary, text continues on a new line
128 # program <= 20
129 # see <= 39
130 # syscall <= 20
131 # title <= 46
132 # token <= 28 (full name)
133 #
134 # To keep the maximum line length under 80 characters, the unlimited
135 # primitives may be defined across multiple lines, with every line except
136 # the last ending in a backslash character. In addition to those mentioned
137 # above, the "format=" record attribute follows the same rule.
138 #
139 #
140 # AUE_ACCEPT illustrates the use of all the above. Note that
141 # case is not nested; ellipsis (...) is used to give the effect
142 # of nesting.
143
144 label=AUE_ACCEPT
145 #accept(2) failure
146 case=Invalid socket file descriptor
147 format=arg1
148 comment=1, file descriptor, "so"
149 #accept(2) non SOCK_STREAM socket
150 case=If the socket address is not part of the AF_INET family
151 format=arg1:arg2:arg3
152 comment=1, "so", file descriptor:
153 comment="family", so_family:
154 comment="type", so_type
155 case=If the socket address is part of the AF_INET family
156 case=...If there is no vnode for this file descriptor
157 format=[arg]1
158 comment=1, file descriptor, "Bad so"
159 #accept(2) SOCK_STREAM socket-not bound
160 case=...or if the socket is not bound
161 format=[arg]1:[inet]2
162 comment=1, file descriptor, "so":
163 comment=local/foreign address (0.0.0.0)
164 case=...or if the socket address length = 0
165 format=[arg]1:[inet]2
166 comment=1, file descriptor, "so":
167 comment=local/foreign address (0.0.0.0)
168 case=...or for all other conditions
169 format=inet1:[inet]1
170 comment=socket address
171 #accept(2) failure
172 # header
173 # au_to_arg32 "so",file descriptor
174 # subject
175 # return <errno != 0>
176 #
177 #accept(2) non SOCK_STREAM socket
178 # header
179 # au_to_arg32 "so", file descriptor
180 # au_to_arg32 "family", so_family
181 # au_to_arg32 "type", so_type
182 # subject
183 # return success
184 #
185 #accept(2) SOCK_STREAM socket-not bound
186 # header
187 # au_to_arg32 "so", file descriptor
188 # au_to_socket_ex local/foreign address (0.0.0.0)
189 # subject
190 # return success
191 #
192 #accept(2) SOCK_STREAM socket-bound
193 # header
194 # au_to_arg32 "so", file descriptor
195 # au_to_socket_ex
196 # subject
197 # return success
198
199
200
201 label=AUE_ACCESS
202 format=path1:[attr]
203 comment=may be truncated in failure case
204 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
205 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
206 # attribute,100777,41416,staff,8388608,402255,0
207 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
208 # return,success,0
209 # trailer,163
210 #
211 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
212 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
213 # attribute,100000,root,other,8388608,402257,0
214 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
215 # return,failure: Permission denied,-1
216 # trailer,163
217 #
218 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
219 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
220 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
221 # return,failure: No such file or directory,-1
222 # trailer,135
223
224 label=AUE_ACCT
225 case=Zero path
226 format=arg1
227 comment=1, 0, "accounting off"
228 case=Non-zero path
229 format=path1:[attr]2
230 comment=may be truncated in failure case:
231 comment=omitted if failure
232
233 label=AUE_ACLSET
234 syscall=acl
235 format=arg1:arg2:(0..n)[acl]3
236 comment=2, SETACL, "cmd":
237 comment=3, number of ACL entries, "nentries":
238 comment=Access Control List entries
239
240 label=AUE_ADJTIME
241 format=kernel
242
243 label=AUE_ASYNC_DAEMON
244 skip=Not used
245
246 label=AUE_ASYNC_DAEMON_EXIT
247 skip=Not used
248
249 label=AUE_AUDIT
250 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
251
252 label=AUE_AUDITON
253 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
254
255 label=AUE_AUDITON_GESTATE
256 skip=Not used
257
258 label=AUE_AUDITON_GETAMASK
259 format=kernel
260 syscall=auditon: GETAMASK
261
262 label=AUE_AUDITON_GETCAR
263 format=kernel
264 syscall=auditon: GETCAR
265 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
266 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
267 # return,success,0
268 # trailer,68
269
270 label=AUE_AUDITON_GETCLASS
271 format=kernel
272 syscall=auditon: GETCLASS
273 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
274 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
275 # return,success,0
276 # trailer,68
277
278 label=AUE_AUDITON_GETCOND
279 format=kernel
280 syscall=auditon: GETCOND
281 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
282 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
283 # return,success,0
284 # trailer,68
285
286 label=AUE_AUDITON_GETCWD
287 format=kernel
288 syscall=auditon: GETCWD
289 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
290 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
291 # return,success,0
292 # trailer,68
293
294 label=AUE_AUDITON_GETKMASK
295 format=kernel
296 syscall=auditon: GETKMASK
297 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
298 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
299 # return,success,0
300 # trailer,68
301
302 label=AUE_AUDITON_GETSTAT
303 format=kernel
304 syscall=auditon: A_GETSTAT
305 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
306 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
307 # return,success,0
308 # trailer,68
309
310 label=AUE_AUDITON_GPOLICY
311 format=kernel
312 syscall=auditon: GPOLICY
313 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
314 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
315 # return,success,0
316 # trailer,68
317
318 label=AUE_AUDITON_GQCTRL
319 format=kernel
320 syscall=auditon: GQCTRL
321 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
322 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
323 # return,success,0
324 # trailer,68
325
326
327 label=AUE_AUDITON_GTERMID
328 skip=Not used.
329
330 label=AUE_AUDITON_SESTATE
331 skip=Not used.
332
333 label=AUE_AUDITON_SETAMASK
334 format=[arg]1:[arg]2
335 comment=2, "setamask as_success", user default audit preselection mask:
336 comment=2, "setamask as_failure", user default audit preselection mask
337 syscall=auditon: SETAMASK
338
339 label=AUE_AUDITON_SETCLASS
340 format=[arg]1:[arg]2
341 comment=2, "setclass:ec_event", event number:
342 comment=3, "setclass:ec_class", class mask
343 syscall=auditon: SETCLASS
344 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
345 # argument,2,0x0,setclass:ec_event
346 # argument,3,0x0,setclass:ec_class
347 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
348 # return,success,0
349 # trailer,120
350
351 label=AUE_AUDITON_SETCOND
352 format=[arg]1
353 comment=3, "setcond", audit state
354 syscall=auditon: SETCOND
355
356 label=AUE_AUDITON_SETKMASK
357 format=[arg]1:[arg]2
358 comment=2, "setkmask as_success", kernel non-attributable mask:
359 comment=2, "setkmask as_failure", kernel non-attributable mask
360 syscall=auditon: SETKMASK
361 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
362 # argument,2,0x0,setkmask:as_success
363 # argument,2,0x0,setkmask:as_failure
364 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
365 # return,success,0
366 # trailer,124
367 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
368 # argument,2,0x0,setkmask:as_success
369 # argument,2,0x0,setkmask:as_failure
370 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
371 # return,failure: Not owner,-1
372 # trailer,124
373
374 label=AUE_AUDITON_SETSMASK
375 format=[arg]1:[arg]2
376 comment=3, "setsmask:as_success", session ID mask:
377 comment=3, "setsmask:as_failure", session ID mask
378 syscall=auditon: SETSMASK
379 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
380 # argument,3,0x400,setsmask:as_success
381 # argument,3,0x400,setsmask:as_failure
382 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
383 # return,success,0
384 # trailer,124
385 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
386 # argument,3,0x400,setsmask:as_success
387 # argument,3,0x400,setsmask:as_failure
388 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
389 # return,failure: Not owner,-1
390 # trailer,124
391
392 label=AUE_AUDITON_SETSTAT
393 format=kernel
394 syscall=auditon: SETSTAT
395 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
396 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
397 # return,success,0
398 # trailer,68
399 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
400 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
401 # return,failure: Not owner,-1
402 # trailer,68
403
404 label=AUE_AUDITON_SETUMASK
405 format=[arg]1:[arg]2
406 comment=3, "setumask:as_success", audit ID mask:
407 comment=3, "setumask:as_failure", audit ID mask
408 syscall=auditon: SETUMASK
409 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
410 # argument,3,0x400,setumask:as_success
411 # argument,3,0x400,setumask:as_failure
412 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
413 # return,success,0
414 # trailer,124
415 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
416 # argument,3,0x400,setumask:as_success
417 # argument,3,0x400,setumask:as_failure
418 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
419 # return,failure: Not owner,-1
420 # trailer,124
421
422 label=AUE_AUDITON_SPOLICY
423 format=[arg]1
424 comment=1, audit policy flags, "setpolicy"
425 syscall=auditon: SPOLICY
426 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
427 # argument,3,0x200,setpolicy
428 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
429 # return,success,0
430 # trailer,86
431 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
432 # argument,3,0x200,setpolicy
433 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
434 # return,failure: Not owner,-1
435 # trailer,86
436
437 label=AUE_AUDITON_SQCTRL
438 format=[arg]1:[arg]2:[arg]3:[arg]4
439 comment=3, "setqctrl:aq_hiwater", queue control param.:
440 comment=3, "setqctrl:aq_lowater", queue control param.:
441 comment=3, "setqctrl:aq_bufsz", queue control param.:
442 comment=3, "setqctrl:aq_delay", queue control param.
443 syscall=auditon: SQCTRL
444 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
445 # argument,3,0x64,setqctrl:aq_hiwater
446 # argument,3,0xa,setqctrl:aq_lowater
447 # argument,3,0x400,setqctrl:aq_bufsz
448 # argument,3,0x14,setqctrl:aq_delay
449 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
450 # return,success,0
451 # trailer,176
452 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
453 # argument,3,0x64,setqctrl:aq_hiwater
454 # argument,3,0xa,setqctrl:aq_lowater
455 # argument,3,0x400,setqctrl:aq_bufsz
456 # argument,3,0x14,setqctrl:aq_delay
457 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
458 # return,failure: Not owner,-1
459 # trailer,176
460
461 label=AUE_AUDITON_STERMID
462 skip=Not used.
463
464 label=AUE_AUDITSTAT
465 skip=Not used.
466
467 label=AUE_AUDITSVC
468 skip=Not used.
469
470 label=AUE_AUDITSYS
471 skip=Not used. (Place holder for various auditing events.)
472
473 label=AUE_BIND
474 # differs from documented version.
475 # cases "no vnode" not fully confirmed
476 # family and type need argument number
477 case=Invalid socket handle
478 format=arg1
479 comment=1, file descriptor, "so"
480 case=If there is no vnode for this file descriptor
481 case=or if the socket is not of the AF_INET family
482 format=arg1:arg2:arg3
483 comment=1, file descriptor, "so":
484 comment=1, socket family, "family":
485 comment=1, socket type, "type"
486 case=or for all other conditions
487 format=arg1:inet2
488 comment=1, file descriptor, "so":
489 comment=socket address
490
491 label=AUE_BRANDSYS
492 # generic mechanism to allow user-space and kernel components of a brand
493 # to communicate. The interpretation of the arguments to the call is
494 # left entirely up to the brand.
495 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
496 comment=1, command, "cmd":
497 comment=2, command args, "arg":
498 comment=3, command args, "arg":
499 comment=4, command args, "arg":
500 comment=5, command args, "arg":
501 comment=6, command args, "arg":
502 comment=7, command args, "arg"
503
504 label=AUE_BSMSYS
505 skip=Not used.
506
507 label=AUE_CHDIR
508 format=path:[attr]
509 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
510 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
511 # attribute,40777,root,other,8388608,231558,0
512 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
513 # return,success,0
514 # trailer,151
515 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
516 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
517 # attribute,40000,root,other,8388608,237646,0
518 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
519 # return,failure: Permission denied,-1
520 # trailer,151
521
522 label=AUE_CHMOD
523 format=arg1:path:[attr]
524 comment=2, mode, "new file mode"
525 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
526 # argument,2,0x1f8,new file mode
527 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
528 # attribute,100770,tuser10,other,8388608,243608,0
529 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
530 # return,success,0
531 # trailer,173
532 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
533 # argument,2,0x1f8,new file mode
534 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
535 # attribute,100600,root,other,8388608,243609,0
536 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
537 # return,failure: Not owner,-1
538 # trailer,173
539
540 label=AUE_CHOWN
541 format=arg1:arg2
542 comment=2, uid, "new file uid":
543 comment=3, gid, "new file gid"
544 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
545 # argument,2,0x271a,new file uid
546 # argument,3,0xffffffff,new file gid
547 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
548 # attribute,100644,tuser10,other,8388608,268406,0
549 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
550 # return,success,0
551 # trailer,193
552 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
553 # argument,2,0x271a,new file uid
554 # argument,3,0xffffffff,new file gid
555 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
556 # attribute,100644,root,other,8388608,268407,0
557 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
558 # return,failure: Not owner,-1
559 # trailer,193
560
561 label=AUE_CHROOT
562 format=path:[attr]
563 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
564 # path,/
565 # attribute,40755,root,root,8388608,2,0
566 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
567 # return,success,0
568 # trailer,104
569 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
570 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
571 # attribute,40777,tuser10,other,8388608,335110,0
572 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
573 # return,failure: Not owner,-1
574 # trailer,152
575
576 label=AUE_CLOCK_SETTIME
577 format=kernel
578
579 label=AUE_CLOSE
580 format=arg1:[path]:[attr]
581 comment=1, file descriptor, "fd"
582
583 label=AUE_CONFIGKSSL
584 case=Adding KSSL entry.
585 format=text1:inaddr2:text3:text4
586 comment=opcode, KSSL_ADD_ENTRY:
587 comment=local IP address:
588 comment=SSL port number:
589 comment=proxy port number
590 case=Deleting KSSL entry.
591 format=text1:inaddr2:text3
592 comment=opcode, KSSL_DELETE_ENTRY:
593 comment=local IP address:
594 comment=SSL port number
595
596 label=AUE_CONNECT
597 # cases "no vnode" not fully confirmed
598 case=If there is no vnode for this file descriptor
599 case=If the socket address is not part of the AF_INET family
600 format=arg1:arg2:arg3
601 comment=1, file descriptor, "so":
602 comment=1, socket family, "family":
603 comment=1, socket type, "type"
604 case=If the socket address is part of the AF_INET family
605 format=arg1:inet2
606 comment=1, file descriptor, "so":
607 comment=socket address
608
609 label=AUE_CORE
610 syscall=none
611 title=process dumped core
612 see=none
613 format=path:[attr]:arg1
614 comment=1, signal, "signal"
615 # see uts/common/c2/audit.c
616
617 label=AUE_CREAT
618 # obsolete - see open(2)
619 format=path:[attr]
620 # does not match old BSM manual
621 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
622 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
623 # attribute,100644,tuser10,other,8388608,49679,0
624 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
625 # return,success,8
626 # trailer,151
627 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
628 # path,/devices/pseudo/mm@0:null
629 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
630 # return,success,8
631 # trailer,107
632 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
633 # path,/obj_fail
634 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
635 # return,failure: Permission denied,-1
636 # trailer,83
637
638 label=AUE_CRYPTOADM
639 title=kernel cryptographic framework
640 format=text1:(0..n)[text]2
641 comment=cryptoadm command/operation:
642 comment=mechanism list
643
644 label=AUE_DOORFS
645 skip=Not used. (Place holder for set of door audit events.)
646
647 label=AUE_DOORFS_DOOR_BIND
648 skip=Not used.
649 syscall=doorfs: DOOR_BIND
650
651 label=AUE_DOORFS_DOOR_CALL
652 format=arg1:proc2
653 comment=1, door ID, "door ID":
654 comment=for process that owns the door
655 syscall=doorfs: DOOR_CALL
656
657 label=AUE_DOORFS_DOOR_CREATE
658 format=arg1
659 comment=1, door attributes, "door attr"
660 syscall=doorfs: DOOR_CREATE
661
662 label=AUE_DOORFS_DOOR_CRED
663 skip=Not used.
664 syscall=doorfs: DOOR_CRED
665
666 label=AUE_DOORFS_DOOR_INFO
667 skip=Not used.
668 syscall=doorfs: DOOR_INFO
669
670 label=AUE_DOORFS_DOOR_RETURN
671 format=kernel
672 syscall=doorfs: DOOR_RETURN
673
674 label=AUE_DOORFS_DOOR_REVOKE
675 format=arg1
676 comment=1, door ID, "door ID"
677 syscall=doorfs: DOOR_REVOKE
678
679 label=AUE_DOORFS_DOOR_UNBIND
680 skip=Not used.
681 syscall=doorfs: DOOR_UNBIND
682
683 label=AUE_DUP2
684 skip=Not used.
685
686 label=AUE_ENTERPROM
687 title=enter prom
688 syscall=none
689 format=head:text1:ret
690 comment="kmdb"
691 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
692 # text,kmdb
693 # return,success,0
694
695 label=AUE_EXEC
696 # obsolete - see execve(2)
697 format=path:[attr]1:[exec_args]2:[exec_env]3
698 comment=omitted on error:
699 comment=output if argv policy is set:
700 comment=output if arge policy is set
701
702 label=AUE_EXECVE
703 format=path:[attr]1:[exec_args]2:[exec_env]3
704 comment=omitted on error:
705 comment=output if argv policy is set:
706 comment=output if arge policy is set
707 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
708 # path,/devices/pseudo/mm@0:null
709 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
710 # return,success,8
711 # trailer,107
712 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
713 # path,/usr/bin/pig
714 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
715 # return,failure: No such file or directory,-1
716 # trailer,86
717
718 label=AUE_PFEXEC
719 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
720 comment=pathname of the executable:
721 comment=pathname of working directory:
722 comment=privileges if the limit or inheritable set are changed:
723 comment=process if ruid, euid, rgid or egid is changed:
724 comment=output if arge policy is set
725
726 label=AUE_sudo
727 format=exec_args1:[text]2
728 comment=command args:
729 comment=error message (failure only)
730
731 label=AUE_EXIT
732 format=arg1:[text]2
733 comment=1, exit status, "exit status":
734 comment=event aborted
735
736 label=AUE_EXITPROM
737 title=exit prom
738 syscall=none
739 format=head:text1:ret
740 comment="kmdb"
741 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
742 # text,kmdb
743 # return,success,0
744
745 label=AUE_EXPORTFS
746 skip=Not used.
747
748 label=AUE_FACCESSAT
749 # obsolete
750 see=access(2)
751 format=path:[attr]
752
753 label=AUE_FACLSET
754 syscall=facl
755 case=Invalid file descriptor
756 format=arg1:arg2
757 comment=2, SETACL, "cmd":
758 comment=3, number of ACL entries, "nentries"
759 case=Zero path
760 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
761 comment=2, SETACL, "cmd":
762 comment=3, number of ACL entries, "nentries":
763 comment=1, file descriptor, "no path: fd":
764 comment=ACLs
765 case=Non-zero path
766 format=arg1:arg2:path:[attr]:(0..n)[acl]3
767 comment=2, SETACL, "cmd":
768 comment=3, number of ACL entries, "nentries":
769 comment=ACLs
770
771 label=AUE_FCHDIR
772 format=[path]:[attr]
773 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
774 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
775 # attribute,40777,tuser10,other,8388608,207662,0
776 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
777 # return,success,0
778 # trailer,150
779 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
780 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
781 # return,failure: Permission denied,-1
782 # trailer,68
783
784 label=AUE_FCHMOD
785 case=With a valid file descriptor and path
786 format=arg1:path:[attr]
787 comment=2, mode, "new file mode"
788 case=With a valid file descriptor and invalid path
789 format=arg1:[arg]2:[attr]
790 comment=2, mode, "new file mode":
791 comment=1, file descriptor, "no path: fd"
792 case=With an invalid file descriptor
793 format=arg1
794 comment=2, mode, "new file mode"
795 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
796 # argument,2,0x1a4,new file mode
797 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
798 # attribute,100644,tuser10,other,7602240,26092,0
799 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
800 # return,success,0
801 # trailer,168
802 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
803 # argument,2,0x1a4,new file mode
804 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
805 # return,failure: Bad file number,-1
806 # trailer,90
807 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
808 # argument,2,0x1a4,new file mode
809 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
810 # attribute,100644,root,other,7602240,26093,0
811 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
812 # return,failure: Not owner,-1
813 # trailer,168
814
815 label=AUE_FCHOWN
816 case=With a valid file descriptor
817 format=arg1:arg2:[path]:[attr]
818 comment=2, uid, "new file uid":
819 comment=3, gid, "new file gid"
820 case=With an invalid file descriptor
821 format=arg1:arg2:[arg]3:[attr]
822 comment=2, uid, "new file uid":
823 comment=3, gid, "new file gid":
824 comment=1, file descriptor, "no path fd"
825
826 label=AUE_FCHOWNAT
827 # obsolete
828 see=openat(2)
829 case=With a valid absolute/relative file path
830 format=path:[attr]
831 case=With a file path equal to NULL and a valid file descriptor
832 format=kernel
833
834 label=AUE_FCHROOT
835 format=[path]:[attr]
836 # fchroot -> chdirec -> audit_chdirec
837
838 label=AUE_FCNTL
839 case=With a valid file descriptor
840 format=arg1:[arg]2:path:attr
841 comment=2, command, "cmd":
842 comment=3, flags, "flags"
843 case=With an invalid file descriptor
844 format=arg1:[arg]2:arg3
845 comment=2, command, "cmd":
846 comment=3, flags, "flags":
847 comment=1, file descriptor, "no path fd"
848 note=Flags are included only when cmd is F_SETFL.
849
850 label=AUE_FLOCK
851 skip=Not used.
852
853 label=AUE_FORKALL
854 format=[arg]1
855 comment=0, pid, "child PID"
856 note=The forkall(2) return values are undefined because the audit record
857 note=is produced at the point that the child process is spawned.
858 # see audit.c
859
860 label=AUE_FORK1
861 format=[arg]1
862 comment=0, pid, "child PID"
863 note=The fork1(2) return values are undefined because the audit record
864 note=is produced at the point that the child process is spawned.
865 # see audit.c
866
867 label=AUE_FSAT
868 # obsolete
869 skip=Not used. (Placeholder for AUE_*AT records)
870
871 label=AUE_FSTAT
872 skip=Not used.
873
874 label=AUE_FSTATAT
875 # obsolete
876 format=path:[attr]
877
878 label=AUE_FSTATFS
879 case=With a valid file descriptor
880 format=[path]:[attr]
881 case=With an invalid file descriptor
882 format=arg1
883 comment=1, file descriptor, "no path fd"
884
885 label=AUE_FTRUNCATE
886 skip=Not used.
887
888 label=AUE_FUSERS
889 syscall=utssys: UTS_FUSERS
890 format=path:attr
891
892 label=AUE_FUTIMESAT
893 # obsolete
894 format=[path]:[attr]
895
896 label=AUE_GETAUDIT
897 format=kernel
898 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
899 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
900 # return,success,0
901 # trailer,68
902 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
903 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
904 # return,success,0
905 # trailer,68
906
907 label=AUE_GETAUDIT_ADDR
908 format=kernel
909 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
910 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
911 # return,success,0
912
913 label=AUE_GETAUID
914 format=kernel
915 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
916 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
917 # return,success,0
918 # trailer,68
919 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
920 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
921 # return,failure: Not owner,-1
922 # trailer,68
923
924 label=AUE_GETDENTS
925 skip=Not used.
926 #Not security relevant
927
928 label=AUE_GETKERNSTATE
929 skip=Not used.
930
931 label=AUE_GETMSG
932 case=With a valid file descriptor
933 format=arg1:[path]:attr:arg2
934 comment=1, file descriptor, "fd":
935 comment=4, priority, "pri"
936 case=With an invalid file descriptor
937 format=arg1:arg2
938 comment=1, file descriptor, "fd":
939 comment=4, priority, "pri"
940
941 label=AUE_GETPMSG
942 case=With a valid file descriptor
943 format=arg1:[path]:attr
944 comment=1, file descriptor, "fd"
945 case=With an invalid file descriptor
946 format=arg1
947 comment=1, file descriptor, "fd"
948
949 label=AUE_GETPORTAUDIT
950 skip=Not used.
951
952 label=AUE_GETUSERAUDIT
953 skip=Not used.
954
955 label=AUE_INST_SYNC
956 format=arg1
957 comment=2, flags value, "flags"
958
959 label=AUE_IOCTL
960 case=With an invalid file descriptor
961 format=arg1:arg2:arg3
962 comment=1, file descriptor, "fd":
963 comment=2, command, "cmd":
964 comment=3, arg, "arg"
965 case=With a valid file descriptor
966 format=path:[attr]:arg1:arg2
967 comment=2, ioctl cmd, "cmd":
968 comment=3, ioctl arg, "arg"
969 case=Non-file file descriptor
970 format=arg1:arg2:arg3
971 comment=1, file descriptor, "fd":
972 comment=2, ioctl cmd, "cmd":
973 comment=3, ioctl arg, "arg"
974 case=Bad file name
975 format=arg1:arg2:arg3
976 comment=1, file descriptor, "no path: fd":
977 comment=2, ioctl cmd, "cmd":
978 comment=3, ioctl arg, "arg"
979 # old BSM manual misses a case
980
981 label=AUE_JUNK
982 skip=Not used.
983
984 label=AUE_KILL
985 case=Valid process
986 format=arg1:[proc]
987 comment=2, signo, "signal"
988 case=Zero or negative process
989 format=arg1:arg2
990 comment=2, signo, "signal":
991 comment=1, pid, "process"
992
993 label=AUE_KILLPG
994 skip=Not used.
995
996 label=AUE_LCHOWN
997 format=arg1:arg2:path:[attr]
998 comment=2, uid, "new file uid":
999 comment=3, gid, "new file gid"
1000
1001 label=AUE_LINK
1002 format=path1:[attr]:path2
1003 comment=from path:
1004 comment=to path
1005
1006 label=AUE_LSEEK
1007 skip=Not used.
1008
1009 label=AUE_LSTAT
1010 format=path:[attr]
1011
1012 label=AUE_LXSTAT
1013 # obsolete
1014 skip=Not used.
1015
1016 label=AUE_MCTL
1017 skip=Not used.
1018
1019 label=AUE_MEMCNTL
1020 format=arg1:arg2:arg3:arg4:arg5:arg6
1021 comment=1, base address, "base":
1022 comment=2, length, "len":
1023 comment=3, command, "cmd":
1024 comment=4, command args, "arg":
1025 comment=5, command attributes, "attr":
1026 comment=6, 0, "mask"
1027
1028 label=AUE_MKDIR
1029 format=arg1:path:[attr]
1030 comment=2, mode, "mode"
1031
1032 label=AUE_MKNOD
1033 format=arg1:arg2:path:[attr]
1034 comment=2, mode, "mode":
1035 comment=3, dev, "dev"
1036
1037 label=AUE_MMAP
1038 case=With a valid file descriptor
1039 format=arg1:arg2:[path]3:[attr]
1040 comment=1, segment address, "addr":
1041 comment=2, segment length, "len":
1042 comment=if no path, then argument: \
1043 1, "nopath: fd", file descriptor
1044 case=With an invalid file descriptor
1045 format=arg1:arg2:arg3
1046 comment=1, segment address, "addr":
1047 comment=2, segment length, "len":
1048 comment=1, file descriptor, "no path: fd"
1049
1050 label=AUE_MODADDMAJ
1051 title=modctl: bind module
1052 syscall=modctl
1053 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1054 comment=driver major number:
1055 comment=driver name:
1056 comment=driver major number or "no drvname":
1057 comment=5, number of aliases, "":
1058 comment=aliases
1059
1060 label=AUE_MODADDPRIV
1061 format=kernel
1062
1063 label=AUE_MODCONFIG
1064 skip=Not used.
1065
1066 label=AUE_MODCTL
1067 skip=Not used. (placeholder)
1068
1069 label=AUE_MODDEVPLCY
1070 syscall=modctl
1071 title=modctl: set device policy
1072 case=If unknown minor name/pattern
1073 format=arg1:arg2:arg3:arg4:arg5
1074 comment=2, "major", major number:
1075 comment=2, "lomin", low minor number, if known:
1076 comment=2, "himin", hi minor number, if known:
1077 comment=privileges required for reading:
1078 comment=privileges required for writing
1079 case=else
1080 format=arg1:text2:arg3:arg4
1081 comment=2, "major", major number:
1082 comment=minor name/pattern:
1083 comment=privileges required for reading:
1084 comment=privileges required for writing
1085
1086 label=AUE_MODLOAD
1087 syscall=modctl
1088 title=modctl: load module
1089 format=[text]1:text2
1090 comment=default path:
1091 comment=filename path
1092
1093 label=AUE_MODUNLOAD
1094 syscall=modctl
1095 title=modctl: unload module
1096 format=arg1
1097 comment=1, module ID, "id"
1098
1099 label=AUE_MOUNT
1100 case=UNIX file system
1101 format=arg1:text2:path:[attr]
1102 comment=3, flags, "flags":
1103 comment=filesystem type
1104 case=NFS file system
1105 format=arg1:text2:text3:arg4:path:[attr]
1106 comment=3, flags, "flags":
1107 comment=filesystem type:
1108 comment=host name:
1109 comment=3, flags, "internal flags"
1110 # unix example:
1111 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1112 # argument,3,0x104,flags
1113 # text,ufs
1114 # path,/var2
1115 # attribute,40755,root,root,32,12160,0
1116 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1117 # attribute,60640,root,sys,32,231268,137438953476
1118 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1119 # return,success,4290707268
1120 # ^^^^^^^^^^ <- bugid 4333559
1121
1122 label=AUE_MSGCTL
1123 format=arg1:[ipc]:[ipc_perm]
1124 comment=1, message ID, "msg ID"
1125 note=ipc_perm
1126 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127
1128 label=AUE_MSGCTL_RMID
1129 format=arg1:[ipc]:[ipc_perm]
1130 comment=1, message ID, "msg ID"
1131 note=ipc_perm
1132 syscall=msgctl: IPC_RMID
1133 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134
1135 label=AUE_MSGCTL_SET
1136 format=arg1:[ipc]:[ipc_perm]
1137 comment=1, message ID, "msg ID"
1138 note=ipc_perm
1139 syscall=msgctl: IPC_SET
1140 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141
1142 label=AUE_MSGCTL_STAT
1143 format=arg1:[ipc]:[ipc_perm]
1144 comment=1, message ID, "msg ID"
1145 note=ipc_perm
1146 syscall=msgctl: IPC_STAT
1147 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1148
1149 label=AUE_MSGGET
1150 format=arg1:ipc
1151 comment=1, message key, "msg key"
1152 note=ipc_perm
1153 syscall=msgget
1154
1155 label=AUE_MSGGETL
1156 skip=Not used.
1157
1158 label=AUE_MSGRCV
1159 format=arg1:[ipc]:[ipc_perm]
1160 comment=1, message ID, "msg ID"
1161 note=ipc_perm
1162 syscall=msgrcv
1163 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1164
1165 label=AUE_MSGRCVL
1166 skip=Not used.
1167
1168 label=AUE_MSGSND
1169 format=arg1:[ipc]:[ipc_perm]
1170 comment=1, message ID, "msg ID"
1171 note=ipc_perm
1172 syscall=msgsnd
1173 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1174
1175 label=AUE_MSGSNDL
1176 skip=Not used.
1177
1178 label=AUE_MSGSYS
1179 skip=Not used. (Placeholder for AUE_MSG* events.)
1180
1181 label=AUE_MUNMAP
1182 format=arg1:arg2
1183 comment=1, address of memory, "addr":
1184 comment=2, memory segment size, "len"
1185
1186 label=AUE_NFS
1187 skip=Not used.
1188
1189 label=AUE_NFSSVC_EXIT
1190 skip=Not used.
1191
1192 label=AUE_NFS_GETFH
1193 skip=Not used.
1194
1195 label=AUE_NFS_SVC
1196 skip=Not used.
1197
1198 label=AUE_NICE
1199 format=kernel
1200
1201 label=AUE_NULL
1202 skip=Not used. (placeholder)
1203 # used internal to audit_event.c for minimal audit
1204
1205 label=AUE_NTP_ADJTIME
1206 format=kernel
1207
1208 label=AUE_ONESIDE
1209 skip=Not used.
1210
1211 label=AUE_OPEN
1212 skip=Not used. (placeholder for AUE_OPEN_*).
1213
1214 label=AUE_OPEN_R
1215 format=path:[path_attr]:[attr]
1216 see=open(2) - read
1217
1218 label=AUE_OPENAT_R
1219 # obsolete
1220 format=path:[path_attr]:[attr]
1221 see=openat(2)
1222
1223 label=AUE_OPEN_RC
1224 format=path:[path_attr]:[attr]
1225 see=open(2) - read,creat
1226
1227 label=AUE_OPENAT_RC
1228 # obsolete
1229 see=openat(2)
1230 format=path:[path_attr]:[attr]
1231
1232 label=AUE_OPEN_RT
1233 format=path:[path_attr]:[attr]
1234 see=open(2) - read,trunc
1235
1236 label=AUE_OPENAT_RT
1237 # obsolete
1238 see=openat(2)
1239 format=path:[path_attr]:[attr]
1240
1241 label=AUE_OPEN_RTC
1242 format=path:[path_attr]:[attr]
1243 see=open(2) - read,trunc,creat
1244
1245 label=AUE_OPENAT_RTC
1246 # obsolete
1247 see=openat(2)
1248 format=path:[path_attr]:[attr]
1249
1250 label=AUE_OPEN_RW
1251 format=path:[path_attr]:[attr]
1252 see=open(2) - read,write
1253
1254 label=AUE_OPENAT_RW
1255 # obsolete
1256 see=openat(2)
1257 format=path:[path_attr]:[attr]
1258 # aui_fsat(): fm & O_RDWR
1259
1260 label=AUE_OPEN_RWC
1261 format=path:[path_attr]:[attr]
1262 see=open(2) - read,write,creat
1263
1264 label=AUE_OPENAT_RWC
1265 # obsolete
1266 see=openat(2)
1267 format=path:[path_attr]:[attr]
1268
1269 label=AUE_OPEN_RWT
1270 format=path:[path_attr]:[attr]
1271 see=open(2) - read,write,trunc
1272
1273 label=AUE_OPENAT_RWT
1274 # obsolete
1275 see=openat(2)
1276 format=path:[path_attr]:[attr]
1277
1278 label=AUE_OPEN_RWTC
1279 format=path:[path_attr]:[attr]
1280 see=open(2) - read,write,trunc,creat
1281
1282 label=AUE_OPENAT_RWTC
1283 # obsolete
1284 see=openat(2)
1285 format=path:[path_attr]:[attr]
1286
1287 label=AUE_OPEN_W
1288 format=path:[path_attr]:[attr]
1289 see=open(2) - write
1290
1291 label=AUE_OPENAT_W
1292 see=openat(2)
1293 format=path:[path_attr]:[attr]
1294
1295 label=AUE_OPEN_WC
1296 format=path:[path_attr]:[attr]
1297 see=open(2) - write,creat
1298
1299 label=AUE_OPENAT_WC
1300 see=openat(2)
1301 format=path:[path_attr]:[attr]
1302
1303 label=AUE_OPEN_WT
1304 format=path:[path_attr]:[attr]
1305 see=open(2) - write,trunc
1306
1307 label=AUE_OPENAT_WT
1308 see=openat(2)
1309 format=path:[path_attr]:[attr]
1310
1311 label=AUE_OPEN_WTC
1312 format=path:[path_attr]:[attr]
1313 see=open(2) - write,trunc,creat
1314
1315 label=AUE_OPENAT_WTC
1316 see=openat(2)
1317 format=path:[path_attr]:[attr]
1318
1319 label=AUE_OPEN_S
1320 format=path:[path_attr]:[attr]
1321 see=open(2) - search
1322
1323 label=AUE_OPEN_E
1324 format=path:[path_attr]:[attr]
1325 see=open(2) - exec
1326
1327 label=AUE_OSETPGRP
1328 skip=Not used.
1329
1330 label=AUE_OSTAT
1331 # obsolete
1332 skip=Not used.
1333
1334 label=AUE_PATHCONF
1335 format=path:[attr]
1336
1337 label=AUE_PIPE
1338 format=kernel
1339 # class is no, not usually printed
1340
1341 label=AUE_PORTFS
1342 skip=Not used (placeholder for AUE_PORTFS_*).
1343 
1347 label=AUE_PORTFS_ASSOCIATE
1348 syscall=portfs
1349 see=port_associate(3C)
1350 case=Port association via PORT_SOURCE_FILE
1351 format=[path]1:attr
1352 comment=name of the file/directory to be watched
1353
1354 label=AUE_PORTFS_DISSOCIATE
1355 syscall=portfs
1356 see=port_dissociate(3C)
1357 case=Port disassociation via PORT_SOURCE_FILE
1358 format=kernel
1359
1360 label=AUE_PRIOCNTLSYS
1361 syscall=priocntl
1362 see=priocntl(2)
1363 format=arg1:arg2
1364 comment=1, priocntl version number, "pc_version":
1365 comment=3, command, "cmd"
1366
1367 label=AUE_PROCESSOR_BIND
1368 case=No LWP/thread bound to the processor
1369 format=arg1:arg2:text3:[proc]
1370 comment=1, type of ID, "ID type":
1371 comment=2, ID value, "ID":
1372 comment="PBIND_NONE"
1373 case=With processor bound
1374 format=arg1:arg2:arg3:[proc]
1375 comment=1, type of ID, "ID type":
1376 comment=2, ID value, "ID":
1377 comment=3, processor ID, "processor_id"
1378
1379 label=AUE_PUTMSG
1380 see=putmsg(2)
1381 format=arg1:[path]:[attr]:arg2
1382 comment=1, file descriptor, "fd":
1383 comment=4, priority, "pri"
1384
1385 label=AUE_PUTPMSG
1386 see=putpmsg(2)
1387 format=arg1:[path]:[attr]:arg2:arg3
1388 comment=1, file descriptor, "fd":
1389 comment=4, priority, "pri":
1390 comment=5, flags, "flags"
1391
1392 label=AUE_P_ONLINE
1393 format=arg1:arg2:text3
1394 comment=1, processor ID, "processor ID":
1395 comment=2, flags value, "flags":
1396 comment=text form of flags. Values: \
1397 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
1398
1399 label=AUE_QUOTACTL
1400 skip=Not used.
1401
1402 label=AUE_READ
1403 skip=Not used. (Placeholder for AUE_READ_* events)
1404
1405 label=AUE_READL
1406 skip=Not used. (Obsolete)
1407
1408 label=AUE_READLINK
1409 format=path:[attr]
1410
1411 label=AUE_READV
1412 skip=Not used (obsolete)
1413 # detritus from CMS
1414
1415 label=AUE_READVL
1416 skip=Not used (obsolete)
1417 # detritus from CMS
1418
1419 label=AUE_REBOOT
1420 skip=Not used.
1421
1422 label=AUE_RECV
1423 case=If address family is AF_INET or AF_INET6
1424 format=[arg]1:[inet]
1425 comment=1, file descriptor, "so"
1426 case=If address family is AF_UNIX and path is defined
1427 format=[path]1:[attr]
1428 comment=1, file descriptor, "so"
1429 case=If address family is AF_UNIX and path is NULL
1430 format=[path]1:[attr]
1431 comment=1, file descriptor, "no path: fd"
1432 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1433 format=[arg]1:[arg]2:[arg]3
1434 comment=1, file descriptor, "so":
1435 comment=1, family, "family":
1436 comment=1, type, "type"
1437 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1438
1439 label=AUE_RECVFROM
1440 format=inet:arg1:[arg]2:inet3:arg4
1441 comment=3, message length, "len":
1442 comment=4, flags, "flags":
1443 comment=from address:
1444 comment=6, address length, "tolen"
1445 note=The socket token for a bad socket is reported as "argument
1446 note=token (1, socket descriptor, "fd")"
1447
1448 label=AUE_RECVMSG
1449 case=If invalid file descriptor
1450 format=arg1:arg2
1451 comment=1, file descriptor, "so":
1452 comment=3, flags, "flags"
1453 case=If valid file descriptor and socket is AF_UNIX and no path
1454 format=arg1:[attr]
1455 comment=1, file descriptor, "no path: fd"
1456 case=If valid file descriptor and socket is AF_UNIX and path defined
1457 format=path:attr
1458 case=If valid file descriptor and socket is AF_INET or AF_INET6
1459 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1460 format=arg1:arg2:inet
1461 comment=1, file descriptor, "so":
1462 comment=2, flags, "flags"
1463 case=.. if socket type is unknown
1464 format=arg1:arg2:arg3:arg4
1465 comment=1, file descriptor, "so":
1466 comment=1, family, "family":
1467 comment=1, type, "type":
1468 comment=3, flags, "flags"
1469
1470 label=AUE_RENAME
1471 format=path1:[attr]1:[path]2
1472 comment=from name:
1473 comment=to name
1474
1475 label=AUE_RENAMEAT
1476 # obsolete
1477 format=path1:[attr]1:[path]2
1478 comment=from name:
1479 comment=to name
1480
1481 label=AUE_RFSSYS
1482 skip=Not used.
1483 # apparently replaced
1484
1485 label=AUE_RMDIR
1486 format=path:[attr]
1487
1488 label=AUE_SACL
1489 title=File Access Audit
1490 syscall=none
1491 see=none
1492 format=head:path:arg1:[text]2:subj
1493 comment="access_mask":
1494 comment="Windows SID"
1495
1496 label=AUE_SEMCTL
1497 format=arg1:[ipc]:[ipc_perm]
1498 comment=1, semaphore ID, "sem ID"
1499 note=ipc_perm
1500 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1501
1502 label=AUE_SEMCTL_GETALL
1503 format=arg1:[ipc]:[ipc_perm]
1504 comment=1, semaphore ID, "sem ID"
1505 note=ipc_perm
1506 syscall=semctl: GETALL
1507 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1508
1509 label=AUE_SEMCTL_GETNCNT
1510 format=arg1:[ipc]:[ipc_perm]
1511 comment=1, semaphore ID, "sem ID"
1512 note=ipc_perm
1513 syscall=semctl: GETNCNT
1514 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1515
1516 label=AUE_SEMCTL_GETPID
1517 format=arg1:[ipc]:[ipc_perm]
1518 comment=1, semaphore ID, "sem ID"
1519 note=ipc_perm
1520 syscall=semctl: GETPID
1521 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1522
1523 label=AUE_SEMCTL_GETVAL
1524 format=arg1:[ipc]:[ipc_perm]
1525 comment=1, semaphore ID, "sem ID"
1526 note=ipc_perm
1527 syscall=semctl: GETVAL
1528 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1529
1530 label=AUE_SEMCTL_GETZCNT
1531 format=arg1:[ipc]:[ipc_perm]
1532 comment=1, semaphore ID, "sem ID"
1533 note=ipc_perm
1534 syscall=semctl: GETZCNT
1535 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1536
1537 label=AUE_SEMCTL_RMID
1538 format=arg1:[ipc]:[ipc_perm]
1539 comment=1, semaphore ID, "sem ID"
1540 note=ipc_perm
1541 syscall=semctl: IPC_RMID
1542 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1543
1544 label=AUE_SEMCTL_SET
1545 format=arg1:[ipc]:[ipc_perm]
1546 comment=1, semaphore ID, "sem ID"
1547 note=ipc_perm
1548 syscall=semctl: IPC_SET
1549 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1550
1551 label=AUE_SEMCTL_SETALL
1552 format=arg1:[ipc]:[ipc_perm]
1553 comment=1, semaphore ID, "sem ID"
1554 note=ipc_perm
1555 syscall=semctl: SETALL
1556 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1557
1558 label=AUE_SEMCTL_SETVAL
1559 format=arg1:[ipc]:[ipc_perm]
1560 comment=1, semaphore ID, "sem ID"
1561 note=ipc_perm
1562 syscall=semctl: SETVAL
1563 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1564
1565 label=AUE_SEMCTL_STAT
1566 format=arg1:[ipc]:[ipc_perm]
1567 comment=1, semaphore ID, "sem ID"
1568 note=ipc_perm
1569 syscall=semctl: IPC_STAT
1570 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1571
1572 label=AUE_SEMGET
1573 format=arg1:[ipc_perm]:ipc
1574 comment=1, semaphore key, "sem key"
1575 note=ipc_perm
1576 syscall=semget
1577 # ipc_perm token: semget -> audit_ipcget
1578
1579 label=AUE_SEMGETL
1580 skip=Not used.
1581
1582 label=AUE_SEMOP
1583 format=arg1:[ipc]:[ipc_perm]
1584 comment=1, semaphore ID, "sem ID"
1585 note=ipc_perm
1586 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1587
1588 label=AUE_SEMSYS
1589 skip=Not used. (place holder) -- defaults to a semget variant
1590
1591 label=AUE_SEND
1592 case=If address family is AF_INET or AF_INET6
1593 format=[arg]1:[inet]
1594 comment=1, file descriptor, "so"
1595 case=If address family is AF_UNIX and path is defined
1596 format=[path]1:[attr]
1597 comment=1, file descriptor, "so"
1598 case=If address family is AF_UNIX and path is NULL
1599 format=[path]1:[attr]
1600 comment=1, file descriptor, "no path: fd"
1601 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1602 format=[arg]1:[arg]2:[arg]3
1603 comment=1, file descriptor, "so":
1604 comment=1, family, "family":
1605 comment=1, type, "type"
1606 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1607
1608 label=AUE_SENDMSG
1609 case=If invalid file descriptor
1610 format=arg1:arg2
1611 comment=1, file descriptor, "so":
1612 comment=3, flags, "flags"
1613 case=If valid file descriptor
1614 case=...and address family is AF_UNIX and path is defined
1615 format=path:attr
1616 case=...and address family is AF_UNIX and path is NULL
1617 format=path1:attr
1618 comment=1, file descriptor, "nopath: fd"
1619 case=...and address family is AF_INET or AF_INET6, \
1620 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1621 format=arg1:arg2:inet
1622 comment=1, file descriptor, "so":
1623 comment=3, flags, "flags"
1624 case=...and unknown address family or address family AF_INET or AF_INET6 \
1625 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1626 format=arg1:arg2:arg3:arg4
1627 comment=1, file descriptor, "so":
1628 comment=1, family, "family":
1629 comment=1, type, "type":
1630 comment=1, flags, "flags"
1631
1632 label=AUE_SENDTO
1633 case=If invalid file descriptor
1634 format=arg1:arg2
1635 comment=1, file descriptor, "so":
1636 comment=3, flags, "flags"
1637 case=If valid file descriptor
1638 case=...and socket is AF_UNIX and path is defined
1639 format=path:attr
1640 case=...and address family is AF_UNIX and path is NULL
1641 format=path1:attr
1642 comment=1, file descriptor, "nopath: fd"
1643 case=...and address family is AF_INET or AF_INET6
1644 format=arg1:arg2:inet
1645 comment=1, file descriptor, "so":
1646 comment=3, flags, "flags"
1647 case=...and unknown address family
1648 format=arg1:arg2:arg3:arg4
1649 comment=1, file descriptor, "so":
1650 comment=1, family, "family":
1651 comment=1, type, "type":
1652 comment=1, flags, "flags"
1653
1654 label=AUE_SETAUDIT
1655 case=With a valid program stack address
1656 format=arg1:arg2:arg3:arg4:arg5:arg6
1657 comment=1, audit user ID, "setaudit:auid":
1658 comment=1, terminal ID, "setaudit:port":
1659 comment=1, terminal ID, "setaudit:machine":
1660 comment=1, preselection mask, "setaudit:as_success":
1661 comment=1, preselection mask, "setaudit:as_failure":
1662 comment=1, audit session ID, "setaudit:asid"
1663 case=With an invalid program stack address
1664 format=kernel
1665 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1666 # argument,1,0x271a,setaudit:auid
1667 # argument,1,0x3ff0201,setaudit:port
1668 # argument,1,0x8192591e,setaudit:machine
1669 # argument,1,0x400,setaudit:as_success
1670 # argument,1,0x400,setaudit:as_failure
1671 # argument,1,0x16f,setaudit:asid
1672 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1673 # return,success,0
1674 # trailer,215
1675 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1676 # argument,1,0x271a,setaudit:auid
1677 # argument,1,0x3ff0201,setaudit:port
1678 # argument,1,0x8192591e,setaudit:machine
1679 # argument,1,0x400,setaudit:as_success
1680 # argument,1,0x400,setaudit:as_failure
1681 # argument,1,0x16f,setaudit:asid
1682 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1683 # return,success,0
1684 # trailer,215
1685
1686 label=AUE_SETAUDIT_ADDR
1687 case=With a valid program stack address
1688 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1689 comment=1, audit user ID, "auid":
1690 comment=1, terminal ID, "port":
1691 comment=1, type, "type":
1692 comment=1, terminal ID, "ip address":
1693 comment=1, preselection mask, "as_success":
1694 comment=1, preselection mask, "as_failure":
1695 comment=1, audit session ID, "asid"
1696 case=With an invalid program stack address
1697 format=kernel
1698 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1699 # argument,1,0x15fa7,auid
1700 # argument,1,0x0,port
1701 # argument,1,0x4,type
1702 # ip address,tmach2
1703 # argument,1,0x9c00,as_success
1704 # argument,1,0x9c00,as_failure
1705 # argument,1,0x1f1,asid
1706 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1707 # return,success,0
1708
1709 label=AUE_SETAUID
1710 format=arg1
1711 comment=2, audit user ID, "setauid"
1712
1713 label=AUE_SETDOMAINNAME
1714 skip=Not used. (See AUE_SYSINFO)
1715 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1716
1717 label=AUE_SETEGID
1718 format=arg1
1719 comment=1, group ID, "gid"
1720
1721 label=AUE_SETEUID
1722 format=arg1
1723 comment=1, user ID, "euid"
1724
1725 label=AUE_SETGID
1726 format=arg1
1727 comment=1, group ID, "gid"
1728
1729 label=AUE_SETGROUPS
1730 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1731 note=no tokens are generated.
1732 case=If no groups in list
1733 format=[arg]1
1734 comment=1, 0, "setgroups"
1735 case=If 1 or more groups in list
1736 format=(1..n)arg1
1737 comment=1, gid, "setgroups"
1738
1739 label=AUE_SETHOSTNAME
1740 skip=Not used. (See AUE_SYSINFO)
1741 # See sysinfo call with command SI_SET_HOSTNAME
1742
1743 label=AUE_SETKERNSTATE
1744 skip=Not used.
1745
1746 label=AUE_SETPGID
1747 format=[proc]:[arg]1
1748 comment=2, pgid, "pgid"
1749
1750 label=AUE_SETPGRP
1751 format=kernel
1752
1753 label=AUE_SETPRIORITY
1754 skip=Not used.
1755
1756 label=AUE_SETPPRIV
1757 case=operation privileges off
1758 format=arg1:privset2
1759 comment=setppriv operation:
1760 comment=privileges actually switched off
1761 case=operation privileges on
1762 format=arg1:privset2
1763 comment=setppriv operation:
1764 comment=privileges actually switched on
1765 case=operation privileges set
1766 format=arg1:privset2:privset3
1767 comment=setppriv operation:
1768 comment=privileges before privset:
1769 comment=privileges after privset
1770 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1771 #argument,2,0x2,op
1772 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1773 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1774 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1775 #return,success,0
1776
1777 label=AUE_SETREGID
1778 format=arg1:arg2
1779 comment=1, real group ID, "rgid":
1780 comment=2, effective group ID, "egid"
1781
1782 label=AUE_SETREUID
1783 format=arg1:arg2
1784 comment=1, real user ID, "ruid":
1785 comment=2, effective user ID, "euid"
1786
1787 label=AUE_SETRLIMIT
1788 format=kernel
1789 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1790 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1791 # return,success,0
1792
1793 label=AUE_SETSID
1794 format=kernel
1795
1796 label=AUE_SETSOCKOPT
1797 case=Invalid file descriptor
1798 format=arg1:arg2
1799 comment=1, file descriptor, "so":
1800 comment=2, level, "level"
1801 case=Valid file descriptor
1802 case=...and socket is AF_UNIX
1803 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1804 comment=if no path, will be argument: 1, "nopath: fd", \
1805 file descriptor:
1806 comment=1, file descriptor, "so":
1807 comment=1, family, "family":
1808 comment=1, type, "type":
1809 comment=2, protocol level, "level":
1810 comment=3, option name, "optname":
1811 comment=5, option length, "optlen":
1812 comment=option data
1813 case=...and socket is AF_INET or AF_INET6
1814 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1815 comment=1, file descriptor, "so":
1816 comment=2, protocol level, "level":
1817 comment=3, option name, "optname":
1818 comment=5, option length, "optlen":
1819 comment=option data
1820 case=...and socket address family is unknown
1821 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1822 comment=1, file descriptor, "so":
1823 comment=1, family, "family":
1824 comment=1, type, "type":
1825 comment=2, protocol level, "level":
1826 comment=3, option name, "optname":
1827 comment=5, option length, "optlen":
1828 comment=option data
1829
1830 label=AUE_SETTIMEOFDAY
1831 skip=Not used.
1832
1833 label=AUE_SETUID
1834 syscall=setuid
1835 format=arg1
1836 comment=1, "uid" to be set
1837
1838 label=AUE_SETUSERAUDIT
1839 skip=Not used.
1840
1841 label=AUE_SHMAT
1842 format=arg1:arg2:[ipc]:[ipc_perm]
1843 comment=1, shared memory ID, "shm ID":
1844 comment=2, shared mem addr, "shm addr"
1845 note=ipc_perm
1846 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1847
1848 label=AUE_SHMCTL
1849 format=arg1:[ipc]:[ipc_perm]
1850 comment=1, shared memory ID, "shm ID"
1851 note=ipc_perm
1852 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1853
1854 label=AUE_SHMCTL_RMID
1855 format=arg1:[ipc]:[ipc_perm]
1856 comment=1, shared memory ID, "shm ID"
1857 note=ipc_perm
1858 syscall=shmctl: IPC_RMID
1859 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1860
1861 label=AUE_SHMCTL_SET
1862 format=arg1:[ipc]:[ipc_perm]
1863 comment=1, shared memory ID, "shm ID"
1864 note=ipc_perm
1865 syscall=shmctl: IPC_SET
1866 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1867
1868 label=AUE_SHMCTL_STAT
1869 format=arg1:[ipc]:[ipc_perm]
1870 comment=1, shared memory ID, "shm ID"
1871 note=ipc_perm
1872 syscall=shmctl: IPC_STAT
1873 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1874
1875 label=AUE_SHMDT
1876 format=arg1
1877 comment=1, shared memory address, "shm adr"
1878
1879 label=AUE_SHMGET
1880 format=arg1:[ipc_perm]:[ipc]
1881 comment=0, shared memory key, "shm key"
1882 note=ipc_perm
1883 # ipc_perm: shmget -> audit_ipcget
1884
1885 label=AUE_SHMGETL
1886 skip=Not used.
1887
1888 label=AUE_SHMSYS
1889 skip=Not used. (Placeholder for shmget and shmctl*)
1890
1891 label=AUE_SHUTDOWN
1892 case=If the socket address is invalid
1893 format=[arg]1:[text]2:[text]3
1894 comment=1, file descriptor, "fd":
1895 comment=bad socket address:
1896 comment=bad peer address
1897 case=If the socket address is part of the AF_INET family
1898 case=...with zero file descriptor
1899 format=arg1:[arg]2:[arg]3:[arg]4
1900 comment=1, file descriptor, "so":
1901 comment=1, family, "family":
1902 comment=1, type, "type":
1903 comment=2, how shutdown code, "how"
1904 case=...with non-zero file descriptor
1905 format=arg1:arg2:inet
1906 comment=1, file descriptor, "so":
1907 comment=2, how shutdown code, "how"
1908 case=If the socket address is AF_UNIX
1909 case=...with zero file descriptor
1910 format=path1:arg2:[arg]3:[arg]4:[arg]5
1911 comment=If error: argument: \
1912 1, "no path: fd", file descriptor:
1913 comment=1, file descriptor, "so":
1914 comment=1, family, "family":
1915 comment=1, type, "type":
1916 comment=2, how shutdown code, "how"
1917 case=...with non-zero file descriptor
1918 format=path1:arg2:arg3:inet
1919 comment=If error: argument: \
1920 1, file descriptor, "no path: fd":
1921 comment=1, file descriptor, "so":
1922 comment=2, how shutdown code, "how"
1923 #old BSM manual wrong; used audit_event.c
1924
1925 label=AUE_SOCKACCEPT
1926 syscall=getmsg: socket accept
1927 format=inet:arg1:[path]:attr:arg2
1928 comment=1, file descriptor, "fd":
1929 comment=4, priority, "pri"
1930 # see putmsg and getmsg for record format
1931 # See audit.c for inet token and audit_start.c for other reference
1932
1933 label=AUE_SOCKCONFIG
1934 format=arg1:arg2:arg3:[path]4
1935 comment=1, domain address, "domain":
1936 comment=2, type, "type":
1937 comment=3, protocol, "protocol":
1938 comment=If no path:argument -- 3, 0, "devpath"
1939
1940 label=AUE_SOCKCONNECT
1941 syscall=putmsg: socket connect
1942 format=inet:arg1:[path]:attr:arg2
1943 comment=1, file descriptor, "fd":
1944 comment=4, priority, "pri"
1945 # same as AUE_SOCKACCEPT
1946
1947 label=AUE_SOCKET
1948 format=arg1:[arg]2:arg3
1949 comment=1, socket domain, "domain":
1950 comment=2, socket type, "type":
1951 comment=3, socket protocol, "protocol"
1952
1953 label=AUE_SOCKETPAIR
1954 skip=Not used.
1955 # unreferenced
1956
1957 label=AUE_SOCKRECEIVE
1958 syscall=getmsg
1959 format=inet:arg1:[path]:attr:arg2
1960 comment=1, file descriptor, "fd":
1961 comment=4, priority, "pri"
1962 # see AUE_SOCKACCEPT
1963
1964 label=AUE_SOCKSEND
1965 syscall=putmsg
1966 format=inet:arg1:[path]:attr:arg2
1967 comment=1, file descriptor, "fd":
1968 comment=4, priority, "pri"
1969 # see AUE_SOCKACCEPT
1970
1971 label=AUE_STAT
1972 format=path:[attr]
1973
1974 label=AUE_STATFS
1975 format=path:[attr]
1976
1977 label=AUE_STATVFS
1978 format=path:[attr]
1979
1980 label=AUE_STIME
1981 format=kernel
1982
1983 label=AUE_SWAPON
1984 skip=Not used.
1985
1986 label=AUE_SYMLINK
1987 format=path:text1:[attr]
1988 comment=symbolic link string
1989
1990 label=AUE_SYSINFO
1991 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1992 note=are currently audited.
1993 format=arg1:[text]2
1994 comment=1, command, "cmd":
1995 comment=name
1996
1997 label=AUE_SYSTEMBOOT
1998 title=system booted
1999 syscall=none
2000 format=head:text1
2001 comment="booting kernel"
2002 # see audit_start.c and audit_io.c
2003 # no subject or return / exit token
2004 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
2005 # text,booting kernel
2006
2007 label=AUE_TRUNCATE
2008 skip=Not used.
2009
2010 label=AUE_UMOUNT
2011 syscall=umount: old version
2012 note=Implemented as call of the newer umount2(2).
2013 format=path:arg1:[path]:[attr]
2014 comment=2, mflag value = 0, "flags"
2015
2016 label=AUE_UMOUNT2
2017 syscall=umount2
2018 format=path:arg1:[path]:[attr]
2019 comment=2, mflag value, "flags"
2020
2021 label=AUE_UNLINK
2022 format=path:[attr]
2023
2024 label=AUE_UNLINKAT
2025 # obsolete
2026 see=openat(2)
2027 format=path:[attr]
2028
2029 label=AUE_UNMOUNT
2030 skip=Not used.
2031
2032 label=AUE_UTIME
2033 # obsolete
2034 format=path:[attr]
2035
2036 label=AUE_UTIMES
2037 see=futimens(2)
2038 format=path:[attr]
2039
2040 label=AUE_VFORK
2041 format=arg1
2042 comment=0, pid, "child PID"
2043 note=The vfork(2) return values are undefined because the audit record is
2044 note=produced at the point that the child process is spawned.
2045
2046 label=AUE_VPIXSYS
2047 skip=Not used.
2048
2049 label=AUE_VTRACE
2050 skip=Not used.
2051
2052 label=AUE_WRITE
2053 format=path1:attr
2054 comment=if no path, argument -- "1, file descriptor, "no path: fd"
2055 note=An audit record is generated for write only once per file close.
2056
2057 label=AUE_WRITEV
2058 skip=Not used. (obsolete)
2059
2060 label=AUE_XMKNOD
2061 # obsolete
2062 skip=Not used.
2063
2064 label=AUE_XSTAT
2065 # obsolete
2066 skip=Not used.
2067
2068 label=AUE_PF_POLICY_ADDRULE
2069 title=Add IPsec policy rule
2070 see=
2071 syscall=none
2072 format=arg1:arg2:[zone]3:[text]4
2073 comment=Operation applied to active policy (1 is active, 0 is inactive):
2074 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2075 comment=affected zone:
2076 comment=Name of target tunnel
2077
2078 label=AUE_PF_POLICY_DELRULE
2079 title=Delete IPsec policy rule
2080 see=
2081 syscall=none
2082 format=arg1:arg2:[zone]3:[text]4
2083 comment=Operation applied to active policy (1 is active, 0 is inactive):
2084 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2085 comment=affected zone:
2086 comment=Name of target tunnel
2087
2088 label=AUE_PF_POLICY_CLONE
2089 title=Clone IPsec policy
2090 see=
2091 syscall=none
2092 format=arg1:arg2:[zone]3:[text]4
2093 comment=Operation applied to active policy (1 is active, 0 is inactive):
2094 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2095 comment=affected zone:
2096 comment=Name of target tunnel
2097
2098 label=AUE_PF_POLICY_FLIP
2099 title=Flip IPsec policy
2100 see=
2101 syscall=none
2102 format=arg1:arg2:[zone]3:[text]4
2103 comment=Operation applied to active policy (1 is active, 0 is inactive):
2104 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2105 comment=affected zone:
2106 comment=Name of target tunnel
2107
2108 label=AUE_PF_POLICY_FLUSH
2109 title=Flush IPsec policy rules
2110 see=
2111 syscall=none
2112 format=arg1:arg2:[zone]3:[text]4
2113 comment=Operation applied to active policy (1 is active, 0 is inactive):
2114 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2115 comment=affected zone:
2116 comment=Name of target tunnel
2117
2118 label=AUE_PF_POLICY_ALGS
2119 title=Update IPsec algorithms
2120 see=
2121 syscall=none
2122 format=arg1:arg2:[zone]3:[text]4
2123 comment=Operation applied to active policy (1 is active, 0 is inactive):
2124 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2125 comment=affected zone:
2126 comment=Name of target tunnel
2127
2128 label=AUE_allocate_fail
2129 program=/usr/sbin/allocate
2130 title=allocate: allocate-device failure
2131 format=(0..n)[text]1
2132 comment=command line arguments
2133 # see audit_allocate.c
2134
2135 label=AUE_allocate_succ
2136 program=/usr/sbin/allocate
2137 title=allocate: allocate-device success
2138 format=(0..n)[text]1
2139 comment=command line arguments
2140 # see audit_allocate.c
2141
2142 label=AUE_at_create
2143 program=/usr/bin/at
2144 title=at: at-create crontab
2145 format=path
2146
2147 label=AUE_at_delete
2148 program=/usr/bin/at
2149 title=at: at-delete atjob (at or atrm)
2150 format=text1:path
2151 comment="ancillary file:" filename or "bad format of at-job name"
2152
2153 label=AUE_at_perm
2154 skip=Not used.
2155 # not referenced outside uevents.h
2156
2157 label=AUE_create_user
2158 skip=Not used.
2159
2160 label=AUE_cron_invoke
2161 program=/usr/sbin/cron
2162 title=cron: cron-invoke at or cron
2163 case=If there is a problem finding the account
2164 format=text1
2165 comment="bad user" name or "user <name> account expired"
2166 case=else
2167 format=text1:text2
2168 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2169 or "unknown job type (<job_type_id>)":
2170 comment=command
2171
2172 label=AUE_crontab_create
2173 program=/usr/bin/crontab
2174 title=crontab: crontab created
2175 format=path
2176 # See audit_crontab.c
2177
2178 label=AUE_crontab_delete
2179 program=/usr/bin/crontab
2180 title=crontab: crontab delete
2181 format=path
2182 # See audit_crontab.c
2183
2184 label=AUE_crontab_mod
2185 program=/usr/bin/crontab
2186 title=crontab: crontab modify
2187 format=path
2188 # See audit_crontab.c
2189
2190 label=AUE_crontab_perm
2191 skip=Not used.
2192
2193 label=AUE_deallocate_fail
2194 program=/usr/sbin/deallocate
2195 title=deallocate-device failure
2196 format=(0..n)[text]1
2197 comment=command line arguments
2198 # See audit_allocate.c
2199
2200 label=AUE_deallocate_succ
2201 program=/usr/sbin/deallocate
2202 title=deallocate-device success
2203 format=(0..n)[text]1
2204 comment=command line arguments
2205 # See audit_allocate.c
2206
2207 label=AUE_delete_user
2208 skip=Not used.
2209
2210 label=AUE_disable_user
2211 skip=Not used.
2212
2213 label=AUE_enable_user
2214 skip=Not used.
2215
2216 label=AUE_ftpd
2217 program=/usr/sbin/in.ftpd
2218 title=in.ftpd
2219 format=[text]1
2220 comment=error message
2221 # See audit_ftpd
2222
2223 label=AUE_ftpd_logout
2224 program=/usr/sbin/in.ftpd
2225 title=in.ftpd
2226 format=user
2227 # See audit_ftpd
2228
2229 label=AUE_halt_solaris
2230 program=/usr/sbin/halt
2231 title=halt
2232 format=user
2233 # See audit_halt.c
2234
2235 label=AUE_kadmind_auth
2236 format=text1:text2:text3
2237 comment=Op: <requested information>:
2238 comment=Arg: <argument for Op>:
2239 comment=Client: <client principal name>
2240 # See audit_kadmin.c / common_audit()
2241
2242 label=AUE_kadmind_unauth
2243 format=text1:text2:text3
2244 comment=Op: <requested information>:
2245 comment=Arg: <argument for Op>:
2246 comment=Client: <client principal name>
2247 # See audit_kadmin.c / common_audit()
2248
2249 label=AUE_krb5kdc_as_req
2250 format=text1:text2
2251 comment=Client: <client principal name>:
2252 comment=Service: <requested service name>
2253 # See audit_krb5kdc.c / common_audit()
2254
2255 label=AUE_krb5kdc_tgs_req
2256 format=text1:text2
2257 comment=Client: <client principal name>:
2258 comment=Service: <requested service name>
2259 # See audit_krb5kdc.c / common_audit()
2260
2261 label=AUE_krb5kdc_tgs_req_alt_tgt
2262 format=text1:text2
2263 comment=Client: <client principal name>:
2264 comment=Service: <requested service name>
2265 # See audit_krb5kdc.c / common_audit()
2266
2267 label=AUE_krb5kdc_tgs_req_2ndtktmm
2268 format=text1:text2
2269 comment=Client: <client principal name>:
2270 comment=Service: <requested service name>
2271 # See audit_krb5kdc.c / common_audit()
2272
2273 label=AUE_listdevice_fail
2274 title=allocate-list devices failure
2275 program=/usr/sbin/allocate
2276 format=(0..n)[text]1
2277 comment=command line arguments
2278 # See audit_allocate.c
2279
2280 label=AUE_listdevice_succ
2281 title=allocate-list devices success
2282 program=/usr/sbin/allocate
2283 format=(0..n)[text]1
2284 comment=command line arguments
2285 # See audit_allocate.c
2286
2287 label=AUE_modify_user
2288 skip=Not used.
2289
2290 label=AUE_mountd_mount
2291 title=mountd: NFS mount
2292 program=/usr/lib/nfs/mountd
2293 see=mountd(1M)
2294 format=text1:path2
2295 comment=remote client hostname:
2296 comment=mount dir
2297 # See audit_mountd.c
2298
2299 label=AUE_mountd_umount
2300 title=mountd: NFS unmount
2301 program=/usr/lib/nfs/mountd
2302 format=text1:path2
2303 comment=remote client hostname:
2304 comment=mount dir
2305 # See audit_mountd.c
2306
2307 label=AUE_poweroff_solaris
2308 program=/usr/sbin/poweroff
2309 title=poweroff
2310 format=user
2311 # See audit_halt.c
2312
2313 label=AUE_reboot_solaris
2314 program=/usr/sbin/reboot
2315 title=reboot
2316 format=user
2317 # See audit_reboot.c
2318 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2319 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2320 # return,success,0
2321
2322 label=AUE_rexd
2323 program=/usr/sbin/rpc.rexd
2324 title=rpc.rexd
2325 format=[text]1:text2:text3:[text]4:[text]5
2326 comment=error message (failure only):
2327 comment="Remote execution requested by:" hostname:
2328 comment="Username:" username:
2329 comment="User id:" user ID (failure only):
2330 comment="Command line:" command attempted
2331 # See audit_rexd.c
2332
2333 label=AUE_rexecd
2334 program=/usr/sbin/rpc.rexecd
2335 title=rpc.rexecd
2336 format=[text]1:text2:text3:text4
2337 comment=error message (failure only):
2338 comment="Remote execution requested by:" hostname:
2339 comment="Username:" username:
2340 comment="Command line:" command attempted
2341 # See audit_rexecd.c
2342
2343 label=AUE_rshd
2344 program=/usr/sbin/in.rshd
2345 title=in.rshd
2346 format=text1:text2:[text]3:[text]4
2347 comment="cmd" command:
2348 comment="remote user" remote user:
2349 comment="local user" local user:
2350 comment=failure message
2351 # See audit_rshd.c
2352
2353 label=AUE_shutdown_solaris
2354 title=shutdown
2355 program=/usr/ucb/shutdown
2356 format=user
2357 # See audit_shutdown.c
2358
2359 label=AUE_smserverd
2360 program=/usr/lib/smedia/rpc.smserverd
2361 format=[text]1:[text]2
2362 comment=state change:
2363 comment=vid, pid, major/minor device
2364 # see usr/src/cmd/smserverd
2365 # code shows a third token, path, but it isn't implemented.
2366
2367 label=AUE_uadmin_solaris
2368 title=uadmin (obsolete)
2369 program=
2370 see=
2371 format=text1:text2
2372 comment=function code:
2373 comment=argument code
2374 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2375
2376 label=AUE_LABELSYS_TNRH
2377 title=config Trusted Network remote host cache
2378 see=tnrh(2)
2379 syscall=labelsys: TSOL_TNRH
2380 case=With the flush command (cmd=3)
2381 format=arg1
2382 comment=1, command, "cmd"
2383 case=With the load (cmd=1) and delete (cmd=2) commands
2384 format=arg1:inaddr2:arg3
2385 comment=1, command, "cmd":
2386 comment=ip address of host:
2387 comment=2, prefix length, "prefix len"
2388
2389 label=AUE_LABELSYS_TNRHTP
2390 title=config Trusted Network remote host template
2391 see=tnrhtp(2)
2392 syscall=labelsys: TSOL_TNRHTP
2393 case=With the flush command (cmd=3)
2394 format=arg1
2395 comment=1, command, "cmd"
2396 case=With the load (cmd=1) and delete (cmd=2) commands
2397 format=arg1:text2
2398 comment=1, command, "cmd":
2399 comment=name of template
2400
2401 label=AUE_LABELSYS_TNMLP
2402 title=config Trusted Network multi-level port entry
2403 see=tnmlp(2)
2404 syscall=labelsys: TSOL_TNMLP
2405 case=With the flush command (cmd=3)
2406 format=arg1:text2
2407 comment=1, command, "cmd":
2408 comment="shared", or name of zone
2409 case=With the load (cmd=1) and delete (cmd=2) commands
2410 format=arg1:text2:arg3:arg4:[arg]5
2411 comment=1, command, "cmd":
2412 comment="shared", or name of zone:
2413 comment=2, protocol number, "proto num":
2414 comment=2, starting mlp port number, "mlp_port":
2415 comment=2, ending mlp port number, "mlp_port_upper"