NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
--- old/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ new/usr/src/cmd/auditrecord/audit_record_attr.txt
1 1 # audit_record_attr.txt
2 2 # Two "#" are comments that are copied to audit_record_attr
3 3 # other comments are removed.
4 4 ##
5 5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
6 +## Copyright 2018 Nexenta Systems, Inc. All rights reserved.
6 7 ##
7 8 ## CDDL HEADER START
8 9 ##
9 10 ## The contents of this file are subject to the terms of the
10 11 ## Common Development and Distribution License (the "License").
11 12 ## You may not use this file except in compliance with the License.
12 13 ##
13 14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
14 15 ## or http://www.opensolaris.org/os/licensing.
15 16 ## See the License for the specific language governing permissions
16 17 ## and limitations under the License.
17 18 ##
18 19 ## When distributing Covered Code, include this CDDL HEADER in each
19 20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
20 21 ## If applicable, add the following below this CDDL HEADER, with the
21 22 ## fields enclosed by brackets "[]" replaced with your own identifying
22 23 ## information: Portions Copyright [yyyy] [name of copyright owner]
23 24 ##
24 25 ## CDDL HEADER END
25 26 ##
26 27 ##
27 28
28 29 # source file for describing audit records.
29 30
30 31 # This file is in two sections. The first is a list of attribute /
31 32 # value pairs used to provide short cuts in annotating the audit
32 33 # records. The second is for annotation for each audit record.
33 34
34 35 # first section: general attributes
35 36
36 37 # skipClass=<class name of items to skip if only in that class>
37 38 # skipClass=no # uncomment to filter unused events
38 39
39 40 # token name abbreviations
40 41 # token=alias:fullname -- short names for key tokens
41 42
42 43 token=arg:argument
43 44 token=attr:attribute
44 45 token=acl:acl_entry
45 46 token=cmd:command
46 47 token=data:data
47 48 token=exec_args:exec_arguments
48 49 token=exec_env:exec_environment
49 50 token=group:group
50 51 token=inaddr:ip_addr
51 52 token=inet:socket
52 53 token=ipc:ipc
53 54 token=ipc_perm:ipc_perm
54 55 token=newgroup:newgroups
55 56 token=path:path
56 57 token=path_attr:attribute_path
57 58 token=privset:privilege
58 59 token=proc:process
59 60 token=text:text
60 61 token=tid:terminal_adr
61 62 token=uauth:use_of_authorization
62 63 token=upriv:use_of_privilege
63 64 token=user:user_object
64 65 token=zone:zonename
65 66 token=fmri:service_instance
66 67 token=label:mandatory_label
67 68
68 69 token=head:header
69 70 token=subj:subject
70 71 token=ret:return
71 72 token=exit:exit
72 73
73 74 # note names -- certain notes show up repeatedly; collected here
74 75 #
75 76 # To achieve the maximum line length to be less than 80 characters, the
76 77 # note names (message=) can be defined as a multi line, each line except the
77 78 # last one finished with the backslash character.
78 79
79 80 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
80 81 the message ID is not valid.
81 82
82 83
83 84 # basic record pattern ("insert" is where event-specific tokens
84 85 # are listed.)
85 86
86 87 kernel=head:insert:subj:[upriv]:ret
87 88 user=head:subj:insert:ret
88 89
89 90 # Second Section
90 91 # Annotation Section
91 92 #
92 93 # Most audit records need annotation beyond what is provided by
93 94 # the files audit_event and audit_class. At a minimum, a record
94 95 # is represented by a label and a format.
95 96 #
96 97 # label=record_id like AUE_ACCEPT
97 98 # format=token_alias
98 99 #
99 100 # there is no end line; a new label= end the preceding definition
100 101 # and starts the next.
101 102 #
102 103 # format values are a list of token names, separated by colons. The
103 104 # name is either one of the values described above (token=) or is
104 105 # a value to be taken literally. If a token name ends with a digit,
105 106 # the digit is an index into an array of comments. In the few cases
106 107 # where there are no tokens (other than header, subject, return/exit),
107 108 # use "format=kernel" or "format="user".
108 109 #
109 110 # comment is an array of strings separated by colons. If comments
110 111 # are listed on separate lines (recommended due to better
111 112 # readability/sustainability of the file), the preceding comment
112 113 # must end with a colon. The array starts at 1. (If the comment
113 114 # contains a colon, use ":" without the quotes.)
114 115 #
115 116 # case is used to generate alternate descriptions for a given
116 117 # record.
117 118 #
118 119 # Constraints - the string length; bear in mind, that any annotation of
119 120 # primitives below longer than is specified, will be silently truncated
120 121 # to given/defined amount of characters in the auditrecord(1M) runtime:
121 122 #
122 123 # primitive <= max (non-truncated) string length
123 124 # case <= unlimited; if necessary, text continues on a new line
124 125 # comment <= unlimited; if necessary, text continues on a new line
125 126 # label <= 43
126 127 # note <= unlimited; if necessary, text continues on a new line
127 128 # program <= 20
128 129 # see <= 39
129 130 # syscall <= 20
130 131 # title <= 46
131 132 # token <= 28 (full name)
132 133 #
133 134 # To achieve the maximum line length to be less than 80 characters, one can
134 135 # define the unlimited primitives as a multi line, each line except the
135 136 # last one finished with the backslash character. In addition to above
136 137 # mentioned, the "format=" record attribute follows the same rule.
137 138 #
138 139 #
139 140 # AUE_ACCEPT illustrates the use of all the above. Note that
140 141 # case is not nested; ellipsis (...) is used to give the effect
141 142 # of nesting.
142 143
143 144 label=AUE_ACCEPT
144 145 #accept(2) failure
145 146 case=Invalid socket file descriptor
146 147 format=arg1
147 148 comment=1, file descriptor, "so"
148 149 #accept(2) non SOCK_STREAM socket
149 150 case=If the socket address is not part of the AF_INET family
150 151 format=arg1:arg2:arg3
151 152 comment=1, "so", file descriptor:
152 153 comment="family", so_family:
153 154 comment="type", so_type
154 155 case=If the socket address is part of the AF_INET family
155 156 case=...If there is no vnode for this file descriptor
156 157 format=[arg]1
157 158 comment=1, file descriptor, "Bad so"
158 159 #accept(2) SOCK_STREAM socket-not bound
159 160 case=...or if the socket is not bound
160 161 format=[arg]1:[inet]2
161 162 comment=1, file descriptor, "so":
162 163 comment=local/foreign address (0.0.0.0)
163 164 case=...or if the socket address length = 0
164 165 format=[arg]1:[inet]2
165 166 comment=1, file descriptor, "so":
166 167 comment=local/foreign address (0.0.0.0)
167 168 case=...or for all other conditions
168 169 format=inet1:[inet]1
169 170 comment=socket address
170 171 #accept(2) failure
171 172 # header
172 173 # au_to_arg32 "so",file descriptor
173 174 # subject
174 175 # return <errno != 0>
175 176 #
176 177 #accept(2) non SOCK_STREAM socket
177 178 # header
178 179 # au_to_arg32 "so", file descriptor
179 180 # au_to_arg32 "family", so_family
180 181 # au_to_arg32 "type", so_type
181 182 # subject
182 183 # return success
183 184 #
184 185 #accept(2) SOCK_STREAM socket-not bound
185 186 # header
186 187 # au_to_arg32 "so", file descriptor
187 188 # au_to_socket_ex local/foreign address (0.0.0.0)
188 189 # subject
189 190 # return success
190 191 #
191 192 #accept(2) SOCK_STREAM socket-bound
192 193 # header
193 194 # au_to_arg32 "so", file descriptor
194 195 # au_to_socket_ex
195 196 # subject
196 197 # return success
197 198
198 199
199 200
200 201 label=AUE_ACCESS
201 202 format=path1:[attr]
202 203 comment=may be truncated in failure case
203 204 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
204 205 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
205 206 # attribute,100777,41416,staff,8388608,402255,0
206 207 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
207 208 # return,success,0
208 209 # trailer,163
209 210 #
210 211 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
211 212 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
212 213 # attribute,100000,root,other,8388608,402257,0
213 214 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
214 215 # return,failure: Permission denied,-1
215 216 # trailer,163
216 217 #
217 218 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
218 219 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
219 220 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
220 221 # return,failure: No such file or directory,-1
221 222 # trailer,135
222 223
223 224 label=AUE_ACCT
224 225 case=Zero path
225 226 format=arg1
226 227 comment=1, 0, "accounting off"
227 228 case=Non-zero path
228 229 format=path1:[attr]2
229 230 comment=may be truncated in failure case:
230 231 comment=omitted if failure
231 232
232 233 label=AUE_ACLSET
233 234 syscall=acl
234 235 format=arg1:arg2:(0..n)[acl]3
235 236 comment=2, SETACL, "cmd":
236 237 comment=3, number of ACL entries, "nentries":
237 238 comment=Access Control List entries
238 239
239 240 label=AUE_ADJTIME
240 241 format=kernel
241 242
242 243 label=AUE_ASYNC_DAEMON
243 244 skip=Not used
244 245
245 246 label=AUE_ASYNC_DAEMON_EXIT
246 247 skip=Not used
247 248
248 249 label=AUE_AUDIT
249 250 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
250 251
251 252 label=AUE_AUDITON
252 253 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
253 254
254 255 label=AUE_AUDITON_GESTATE
255 256 skip=Not used
256 257
257 258 label=AUE_AUDITON_GETAMASK
258 259 format=kernel
259 260 syscall=auditon: GETAMASK
260 261
261 262 label=AUE_AUDITON_GETCAR
262 263 format=kernel
263 264 syscall=auditon: GETCAR
264 265 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
265 266 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
266 267 # return,success,0
267 268 # trailer,68
268 269
269 270 label=AUE_AUDITON_GETCLASS
270 271 format=kernel
271 272 syscall=auditon: GETCLASS
272 273 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
273 274 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
274 275 # return,success,0
275 276 # trailer,68
276 277
277 278 label=AUE_AUDITON_GETCOND
278 279 format=kernel
279 280 syscall=auditon: GETCOND
280 281 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
281 282 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
282 283 # return,success,0
283 284 # trailer,68
284 285
285 286 label=AUE_AUDITON_GETCWD
286 287 format=kernel
287 288 syscall=auditon: GETCWD
288 289 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
289 290 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
290 291 # return,success,0
291 292 # trailer,68
292 293
293 294 label=AUE_AUDITON_GETKMASK
294 295 format=kernel
295 296 syscall=auditon: GETKMASK
296 297 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
297 298 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
298 299 # return,success,0
299 300 # trailer,68
300 301
301 302 label=AUE_AUDITON_GETSTAT
302 303 format=kernel
303 304 syscall=auditon: A_GETSTAT
304 305 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
305 306 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
306 307 # return,success,0
307 308 # trailer,68
308 309
309 310 label=AUE_AUDITON_GPOLICY
310 311 format=kernel
311 312 syscall=auditon: GPOLICY
312 313 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
313 314 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
314 315 # return,success,0
315 316 # trailer,68
316 317
317 318 label=AUE_AUDITON_GQCTRL
318 319 format=kernel
319 320 syscall=auditon: GQCTRL
320 321 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
321 322 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
322 323 # return,success,0
323 324 # trailer,68
324 325
325 326
326 327 label=AUE_AUDITON_GTERMID
327 328 skip=Not used.
328 329
329 330 label=AUE_AUDITON_SESTATE
330 331 skip=Not used.
331 332
332 333 label=AUE_AUDITON_SETAMASK
333 334 format=[arg]1:[arg]2
334 335 comment=2, "setamask as_success", user default audit preselection mask:
335 336 comment=2, "setamask as_failure", user default audit preselection mask
336 337 syscall=auditon: SETAMASK
337 338
338 339 label=AUE_AUDITON_SETCLASS
339 340 format=[arg]1:[arg]2
340 341 comment=2, "setclass:ec_event", event number:
341 342 comment=3, "setclass:ec_class", class mask
342 343 syscall=auditon: SETCLASS
343 344 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
344 345 # argument,2,0x0,setclass:ec_event
345 346 # argument,3,0x0,setclass:ec_class
346 347 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
347 348 # return,success,0
348 349 # trailer,120
349 350
350 351 label=AUE_AUDITON_SETCOND
351 352 format=[arg]1
352 353 comment=3, "setcond", audit state
353 354 syscall=auditon: SETCOND
354 355
355 356 label=AUE_AUDITON_SETKMASK
356 357 format=[arg]1:[arg]2
357 358 comment=2, "setkmask as_success", kernel non-attributable mask:
358 359 comment=2, "setkmask as_failure", kernel non-attributable mask
359 360 syscall=auditon: SETKMASK
360 361 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
361 362 # argument,2,0x0,setkmask:as_success
362 363 # argument,2,0x0,setkmask:as_failure
363 364 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
364 365 # return,success,0
365 366 # trailer,124
366 367 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
367 368 # argument,2,0x0,setkmask:as_success
368 369 # argument,2,0x0,setkmask:as_failure
369 370 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
370 371 # return,failure: Not owner,-1
371 372 # trailer,124
372 373
373 374 label=AUE_AUDITON_SETSMASK
374 375 format=[arg]1:[arg]2
375 376 comment=3, "setsmask:as_success", session ID mask:
376 377 comment=3, "setsmask:as_failure", session ID mask
377 378 syscall=auditon: SETSMASK
378 379 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
379 380 # argument,3,0x400,setsmask:as_success
380 381 # argument,3,0x400,setsmask:as_failure
381 382 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
382 383 # return,success,0
383 384 # trailer,124
384 385 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
385 386 # argument,3,0x400,setsmask:as_success
386 387 # argument,3,0x400,setsmask:as_failure
387 388 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
388 389 # return,failure: Not owner,-1
389 390 # trailer,124
390 391
391 392 label=AUE_AUDITON_SETSTAT
392 393 format=kernel
393 394 syscall=auditon: SETSTAT
394 395 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
395 396 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
396 397 # return,success,0
397 398 # trailer,68
398 399 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
399 400 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
400 401 # return,failure: Not owner,-1
401 402 # trailer,68
402 403
403 404 label=AUE_AUDITON_SETUMASK
404 405 format=[arg]1:[arg]2
405 406 comment=3, "setumask:as_success", audit ID mask:
406 407 comment=3, "setumask:as_failure", audit ID mask
407 408 syscall=auditon: SETUMASK
408 409 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
409 410 # argument,3,0x400,setumask:as_success
410 411 # argument,3,0x400,setumask:as_failure
411 412 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
412 413 # return,success,0
413 414 # trailer,124
414 415 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
415 416 # argument,3,0x400,setumask:as_success
416 417 # argument,3,0x400,setumask:as_failure
417 418 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
418 419 # return,failure: Not owner,-1
419 420 # trailer,124
420 421
421 422 label=AUE_AUDITON_SPOLICY
422 423 format=[arg]1
423 424 comment=1, audit policy flags, "setpolicy"
424 425 syscall=auditon: SPOLICY
425 426 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
426 427 # argument,3,0x200,setpolicy
427 428 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
428 429 # return,success,0
429 430 # trailer,86
430 431 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
431 432 # argument,3,0x200,setpolicy
432 433 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
433 434 # return,failure: Not owner,-1
434 435 # trailer,86
435 436
436 437 label=AUE_AUDITON_SQCTRL
437 438 format=[arg]1:[arg]2:[arg]3:[arg]4
438 439 comment=3, "setqctrl:aq_hiwater", queue control param.:
439 440 comment=3, "setqctrl:aq_lowater", queue control param.:
440 441 comment=3, "setqctrl:aq_bufsz", queue control param.:
441 442 comment=3, "setqctrl:aq_delay", queue control param.
442 443 syscall=auditon: SQCTRL
443 444 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
444 445 # argument,3,0x64,setqctrl:aq_hiwater
445 446 # argument,3,0xa,setqctrl:aq_lowater
446 447 # argument,3,0x400,setqctrl:aq_bufsz
447 448 # argument,3,0x14,setqctrl:aq_delay
448 449 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
449 450 # return,success,0
450 451 # trailer,176
451 452 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
452 453 # argument,3,0x64,setqctrl:aq_hiwater
453 454 # argument,3,0xa,setqctrl:aq_lowater
454 455 # argument,3,0x400,setqctrl:aq_bufsz
455 456 # argument,3,0x14,setqctrl:aq_delay
456 457 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
457 458 # return,failure: Not owner,-1
458 459 # trailer,176
459 460
460 461 label=AUE_AUDITON_STERMID
461 462 skip=Not used.
462 463
463 464 label=AUE_AUDITSTAT
464 465 skip=Not used.
465 466
466 467 label=AUE_AUDITSVC
467 468 skip=Not used.
468 469
469 470 label=AUE_AUDITSYS
470 471 skip=Not used. (Place holder for various auditing events.)
471 472
472 473 label=AUE_BIND
473 474 # differs from documented version.
474 475 # cases "no vnode" not fully confirmed
475 476 # family and type need argument number
476 477 case=Invalid socket handle
477 478 format=arg1
478 479 comment=1, file descriptor, "so"
479 480 case=If there is no vnode for this file descriptor
480 481 case=or if the socket is not of the AF_INET family
481 482 format=arg1:arg2:arg3
482 483 comment=1, file descriptor, "so":
483 484 comment=1, socket family, "family":
484 485 comment=1, socket type, "type"
485 486 case=or for all other conditions
486 487 format=arg1:inet2
487 488 comment=1, file descriptor, "so":
488 489 comment=socket address
489 490
490 491 label=AUE_BRANDSYS
491 492 # generic mechanism to allow user-space and kernel components of a brand
492 493 # to communicate. The interpretation of the arguments to the call is
493 494 # left entirely up to the brand.
494 495 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
495 496 comment=1, command, "cmd":
496 497 comment=2, command args, "arg":
497 498 comment=3, command args, "arg":
498 499 comment=4, command args, "arg":
499 500 comment=5, command args, "arg":
500 501 comment=6, command args, "arg":
501 502 comment=7, command args, "arg"
502 503
503 504 label=AUE_BSMSYS
504 505 skip=Not used.
505 506
506 507 label=AUE_CHDIR
507 508 format=path:[attr]
508 509 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
509 510 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
510 511 # attribute,40777,root,other,8388608,231558,0
511 512 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
512 513 # return,success,0
513 514 # trailer,151
514 515 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
515 516 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
516 517 # attribute,40000,root,other,8388608,237646,0
517 518 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
518 519 # return,failure: Permission denied,-1
519 520 # trailer,151
520 521
521 522 label=AUE_CHMOD
522 523 format=arg1:path:[attr]
523 524 comment=2, mode, "new file mode"
524 525 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
525 526 # argument,2,0x1f8,new file mode
526 527 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
527 528 # attribute,100770,tuser10,other,8388608,243608,0
528 529 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
529 530 # return,success,0
530 531 # trailer,173
531 532 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
532 533 # argument,2,0x1f8,new file mode
533 534 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
534 535 # attribute,100600,root,other,8388608,243609,0
535 536 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
536 537 # return,failure: Not owner,-1
537 538 # trailer,173
538 539
539 540 label=AUE_CHOWN
540 541 format=arg1:arg2
541 542 comment=2, uid, "new file uid":
542 543 comment=3, gid, "new file gid"
543 544 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
544 545 # argument,2,0x271a,new file uid
545 546 # argument,3,0xffffffff,new file gid
546 547 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
547 548 # attribute,100644,tuser10,other,8388608,268406,0
548 549 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
549 550 # return,success,0
550 551 # trailer,193
551 552 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
552 553 # argument,2,0x271a,new file uid
553 554 # argument,3,0xffffffff,new file gid
554 555 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
555 556 # attribute,100644,root,other,8388608,268407,0
556 557 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
557 558 # return,failure: Not owner,-1
558 559 # trailer,193
559 560
560 561 label=AUE_CHROOT
561 562 format=path:[attr]
562 563 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
563 564 # path,/
564 565 # attribute,40755,root,root,8388608,2,0
565 566 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
566 567 # return,success,0
567 568 # trailer,104
568 569 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
569 570 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
570 571 # attribute,40777,tuser10,other,8388608,335110,0
571 572 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
572 573 # return,failure: Not owner,-1
573 574 # trailer,152
574 575
575 576 label=AUE_CLOCK_SETTIME
576 577 format=kernel
577 578
578 579 label=AUE_CLOSE
579 580 format=arg1:[path]:[attr]
580 581 comment=1, file descriptor, "fd"
581 582
582 583 label=AUE_CONFIGKSSL
583 584 case=Adding KSSL entry.
584 585 format=text1:inaddr2:text3:text4
585 586 comment=opcode, KSSL_ADD_ENTRY:
586 587 comment=local IP address:
587 588 comment=SSL port number:
588 589 comment=proxy port number
589 590 case=Deleting KSSL entry.
590 591 format=text1:inaddr2:text3
591 592 comment=opcode, KSSL_DELETE_ENTRY:
592 593 comment=local IP address:
593 594 comment=SSL port number
594 595
595 596 label=AUE_CONNECT
596 597 # cases "no vnode" not fully confirmed
597 598 case=If there is no vnode for this file descriptor
598 599 case=If the socket address is not part of the AF_INET family
599 600 format=arg1:arg2:arg3
600 601 comment=1, file descriptor, "so":
601 602 comment=1, socket family, "family":
602 603 comment=1, socket type, "type"
603 604 case=If the socket address is part of the AF_INET family
604 605 format=arg1:inet2
605 606 comment=1, file descriptor, "so":
606 607 comment=socket address
607 608
608 609 label=AUE_CORE
609 610 syscall=none
610 611 title=process dumped core
611 612 see=none
612 613 format=path:[attr]:arg1
613 614 comment=1, signal, "signal"
614 615 # see uts/common/c2/audit.c
615 616
616 617 label=AUE_CREAT
617 618 # obsolete - see open(2)
618 619 format=path:[attr]
619 620 # does not match old BSM manual
620 621 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
621 622 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
622 623 # attribute,100644,tuser10,other,8388608,49679,0
623 624 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
624 625 # return,success,8
625 626 # trailer,151
626 627 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
627 628 # path,/devices/pseudo/mm@0:null
628 629 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
629 630 # return,success,8
630 631 # trailer,107
631 632 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
632 633 # path,/obj_fail
633 634 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
634 635 # return,failure: Permission denied,-1
635 636 # trailer,83
636 637
637 638 label=AUE_CRYPTOADM
638 639 title=kernel cryptographic framework
639 640 format=text1:(0..n)[text]2
640 641 comment=cryptoadm command/operation:
641 642 comment=mechanism list
642 643
643 644 label=AUE_DOORFS
644 645 skip=Not used. (Place holder for set of door audit events.)
645 646
646 647 label=AUE_DOORFS_DOOR_BIND
647 648 skip=Not used.
648 649 syscall=doorfs: DOOR_BIND
649 650
650 651 label=AUE_DOORFS_DOOR_CALL
651 652 format=arg1:proc2
652 653 comment=1, door ID, "door ID":
653 654 comment=for process that owns the door
654 655 syscall=doorfs: DOOR_CALL
655 656
656 657 label=AUE_DOORFS_DOOR_CREATE
657 658 format=arg1
658 659 comment=1, door attributes, "door attr"
659 660 syscall=doorfs: DOOR_CREATE
660 661
661 662 label=AUE_DOORFS_DOOR_CRED
662 663 skip=Not used.
663 664 syscall=doorfs: DOOR_CRED
664 665
665 666 label=AUE_DOORFS_DOOR_INFO
666 667 skip=Not used.
667 668 syscall=doorfs: DOOR_INFO
668 669
669 670 label=AUE_DOORFS_DOOR_RETURN
670 671 format=kernel
671 672 syscall=doorfs: DOOR_RETURN
672 673
673 674 label=AUE_DOORFS_DOOR_REVOKE
674 675 format=arg1
675 676 comment=1, door ID, "door ID"
676 677 syscall=doorfs: DOOR_REVOKE
677 678
678 679 label=AUE_DOORFS_DOOR_UNBIND
679 680 skip=Not used.
680 681 syscall=doorfs: DOOR_UNBIND
681 682
682 683 label=AUE_DUP2
683 684 skip=Not used.
684 685
685 686 label=AUE_ENTERPROM
686 687 title=enter prom
687 688 syscall=none
688 689 format=head:text1:ret
689 690 comment="kmdb"
690 691 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
691 692 # text,kmdb
692 693 # return,success,0
693 694
694 695 label=AUE_EXEC
695 696 # obsolete - see execve(2)
696 697 format=path:[attr]1:[exec_args]2:[exec_env]3
697 698 comment=omitted on error:
698 699 comment=output if argv policy is set:
699 700 comment=output if arge policy is set
700 701
701 702 label=AUE_EXECVE
702 703 format=path:[attr]1:[exec_args]2:[exec_env]3
703 704 comment=omitted on error:
704 705 comment=output if argv policy is set:
705 706 comment=output if arge policy is set
706 707 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
707 708 # path,/devices/pseudo/mm@0:null
708 709 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
709 710 # return,success,8
710 711 # trailer,107
711 712 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
712 713 # path,/usr/bin/pig
713 714 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
714 715 # return,failure: No such file or directory,-1
715 716 # trailer,86
716 717
717 718 label=AUE_PFEXEC
718 719 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
719 720 comment=pathname of the executable:
720 721 comment=pathname of working directory:
721 722 comment=privileges if the limit or inheritable set are changed:
722 723 comment=process if ruid, euid, rgid or egid is changed:
723 724 comment=output if arge policy is set
724 725
725 726 label=AUE_sudo
726 727 format=exec_args1:[text]2
727 728 comment=command args:
728 729 comment=error message (failure only)
729 730
730 731 label=AUE_EXIT
731 732 format=arg1:[text]2
732 733 comment=1, exit status, "exit status":
733 734 comment=event aborted
734 735
735 736 label=AUE_EXITPROM
736 737 title=exit prom
737 738 syscall=none
738 739 format=head:text1:ret
739 740 comment="kmdb"
740 741 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
741 742 # text,kmdb
742 743 # return,success,0
743 744
744 745 label=AUE_EXPORTFS
745 746 skip=Not used.
746 747
747 748 label=AUE_FACCESSAT
748 749 # obsolete
749 750 see=access(2)
750 751 format=path:[attr]
751 752
752 753 label=AUE_FACLSET
753 754 syscall=facl
754 755 case=Invalid file descriptor
755 756 format=arg1:arg2
756 757 comment=2, SETACL, "cmd":
757 758 comment=3, number of ACL entries, "nentries"
758 759 case=Zero path
759 760 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
760 761 comment=2, SETACL, "cmd":
761 762 comment=3, number of ACL entries, "nentries":
762 763 comment=1, file descriptor, "no path: fd":
763 764 comment=ACLs
764 765 case=Non-zero path
765 766 format=arg1:arg2:path:[attr]:(0..n)[acl]3
766 767 comment=2, SETACL, "cmd":
767 768 comment=3, number of ACL entries, "nentries":
768 769 comment=ACLs
769 770
770 771 label=AUE_FCHDIR
771 772 format=[path]:[attr]
772 773 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
773 774 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
774 775 # attribute,40777,tuser10,other,8388608,207662,0
775 776 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
776 777 # return,success,0
777 778 # trailer,150
778 779 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
779 780 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
780 781 # return,failure: Permission denied,-1
781 782 # trailer,68
782 783
783 784 label=AUE_FCHMOD
784 785 case=With a valid file descriptor and path
785 786 format=arg1:path:[attr]
786 787 comment=2, mode, "new file mode"
787 788 case=With a valid file descriptor and invalid path
788 789 format=arg1:[arg]2:[attr]
789 790 comment=2, mode, "new file mode":
790 791 comment=1, file descriptor, "no path: fd"
791 792 case=With an invalid file descriptor
792 793 format=arg1
793 794 comment=2, mode, "new file mode"
794 795 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
795 796 # argument,2,0x1a4,new file mode
796 797 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
797 798 # attribute,100644,tuser10,other,7602240,26092,0
798 799 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
799 800 # return,success,0
800 801 # trailer,168
801 802 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
802 803 # argument,2,0x1a4,new file mode
803 804 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
804 805 # return,failure: Bad file number,-1
805 806 # trailer,90
806 807 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
807 808 # argument,2,0x1a4,new file mode
808 809 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
809 810 # attribute,100644,root,other,7602240,26093,0
810 811 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
811 812 # return,failure: Not owner,-1
812 813 # trailer,168
813 814
814 815 label=AUE_FCHOWN
815 816 case=With a valid file descriptor
816 817 format=arg1:arg2:[path]:[attr]
817 818 comment=2, uid, "new file uid":
818 819 comment=3, gid, "new file gid"
819 820 case=With an invalid file descriptor
820 821 format=arg1:arg2:[arg]3:[attr]
821 822 comment=2, uid, "new file uid":
822 823 comment=3, gid, "new file gid":
823 824 comment=1, file descriptor, "no path fd"
824 825
825 826 label=AUE_FCHOWNAT
826 827 # obsolete
827 828 see=openat(2)
828 829 case=With a valid absolute/relative file path
829 830 format=path:[attr]
830 831 case=With an file path eq. NULL and valid file descriptor
831 832 format=kernel
832 833
833 834 label=AUE_FCHROOT
834 835 format=[path]:[attr]
835 836 # fchroot -> chdirec -> audit_chdirec
836 837
837 838 label=AUE_FCNTL
838 839 case=With a valid file descriptor
839 840 format=arg1:[arg]2:path:attr
840 841 comment=2, command, "cmd":
841 842 comment=3, flags, "flags"
842 843 case=With an invalid file descriptor
843 844 format=arg1:[arg]2:arg3
844 845 comment=2, command, "cmd":
845 846 comment=3, flags, "flags":
846 847 comment=1, file descriptor, "no path fd"
847 848 note=Flags are included only when cmd is F_SETFL.
848 849
849 850 label=AUE_FLOCK
850 851 skip=Not used.
851 852
852 853 label=AUE_FORKALL
853 854 format=[arg]1
854 855 comment=0, pid, "child PID"
855 856 note=The forkall(2) return values are undefined because the audit record
856 857 note=is produced at the point that the child process is spawned.
857 858 # see audit.c
858 859
859 860 label=AUE_FORK1
860 861 format=[arg]1
861 862 comment=0, pid, "child PID"
862 863 note=The fork1(2) return values are undefined because the audit record
863 864 note=is produced at the point that the child process is spawned.
864 865 # see audit.c
865 866
866 867 label=AUE_FSAT
867 868 # obsolete
868 869 skip=Not used. (Placeholder for AUE_*AT records)
869 870
870 871 label=AUE_FSTAT
871 872 skip=Not used.
872 873
873 874 label=AUE_FSTATAT
874 875 # obsolete
875 876 format=path:[attr]
876 877
877 878 label=AUE_FSTATFS
878 879 case=With a valid file descriptor
879 880 format=[path]:[attr]
880 881 case=With an invalid file descriptor
881 882 format=arg1
882 883 comment=1, file descriptor, "no path fd"
883 884
884 885 label=AUE_FTRUNCATE
885 886 skip=Not used.
886 887
887 888 label=AUE_FUSERS
888 889 syscall=utssys: UTS_FUSERS
889 890 format=path:attr
890 891
891 892 label=AUE_FUTIMESAT
892 893 # obsolete
893 894 format=[path]:[attr]
894 895
895 896 label=AUE_GETAUDIT
896 897 format=kernel
897 898 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
898 899 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
899 900 # return,success,0
900 901 # trailer,68
901 902 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
902 903 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
903 904 # return,success,0
904 905 # trailer,68
905 906
906 907 label=AUE_GETAUDIT_ADDR
907 908 format=kernel
908 909 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
909 910 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
910 911 # return,success,0
911 912
912 913 label=AUE_GETAUID
913 914 format=kernel
914 915 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
915 916 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
916 917 # return,success,0
917 918 # trailer,68
918 919 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
919 920 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
920 921 # return,failure: Not owner,-1
921 922 # trailer,68
922 923
923 924 label=AUE_GETDENTS
924 925 skip=Not used.
925 926 #Not security relevant
926 927
927 928 label=AUE_GETKERNSTATE
928 929 skip=Not used.
929 930
930 931 label=AUE_GETMSG
931 932 case=With a valid file descriptor
932 933 format=arg1:[path]:attr:arg2
933 934 comment=1, file descriptor, "fd":
934 935 comment=4, priority, "pri"
935 936 case=With an invalid file descriptor
936 937 format=arg1:arg2
937 938 comment=1, file descriptor, "fd":
938 939 comment=4, priority, "pri"
939 940
940 941 label=AUE_GETPMSG
941 942 case=With a valid file descriptor
942 943 format=arg1:[path]:attr
943 944 comment=1, file descriptor, "fd"
944 945 case=With an invalid file descriptor
945 946 format=arg1
946 947 comment=1, file descriptor, "fd"
947 948
948 949 label=AUE_GETPORTAUDIT
949 950 format=Not used.
950 951
951 952 label=AUE_GETUSERAUDIT
952 953 skip=Not used.
953 954
954 955 label=AUE_INST_SYNC
955 956 format=arg1
956 957 comment=2, flags value, "flags"
957 958
958 959 label=AUE_IOCTL
959 960 case=With an invalid file descriptor
960 961 format=arg1:arg2:arg3
961 962 comment=1, file descriptor, "fd":
962 963 comment=2, command, "cmd":
963 964 comment=3, arg, "arg"
964 965 case=With a valid file descriptor
965 966 format=path:[attr]:arg1:arg2
966 967 comment=2, ioctl cmd, "cmd":
967 968 comment=3, ioctl arg, "arg"
968 969 case=Non-file file descriptor
969 970 format=arg1:arg2:arg3
970 971 comment=1, file descriptor, "fd":
971 972 comment=2, ioctl cmd, "cmd":
972 973 comment=3, ioctl arg, "arg"
973 974 case=Bad file name
974 975 format=arg1:arg2:arg3
975 976 comment=1, file descriptor, "no path: fd":
976 977 comment=2, ioctl cmd, "cmd":
977 978 comment=3, ioctl arg, "arg"
978 979 # old BSM manual misses a case
979 980
980 981 label=AUE_JUNK
981 982 skip=Not used.
982 983
983 984 label=AUE_KILL
984 985 case=Valid process
985 986 format=arg1:[proc]
986 987 comment=2, signo, "signal"
987 988 case=Zero or negative process
988 989 format=arg1:arg2
989 990 comment=2, signo, "signal":
990 991 comment=1, pid, "process"
991 992
992 993 label=AUE_KILLPG
993 994 skip=Not used.
994 995
995 996 label=AUE_LCHOWN
996 997 format=arg1:arg2:path:[attr]
997 998 comment=2, uid, "new file uid":
998 999 comment=3, gid, "new file gid"
999 1000
1000 1001 label=AUE_LINK
1001 1002 format=path1:[attr]:path2
1002 1003 comment=from path:
1003 1004 comment=to path
1004 1005
1005 1006 label=AUE_LSEEK
1006 1007 skip=Not used.
1007 1008
1008 1009 label=AUE_LSTAT
1009 1010 format=path:[attr]
1010 1011
1011 1012 label=AUE_LXSTAT
1012 1013 # obsolete
1013 1014 skip=Not used.
1014 1015
1015 1016 label=AUE_MCTL
1016 1017 skip=Not used.
1017 1018
1018 1019 label=AUE_MEMCNTL
1019 1020 format=arg1:arg2:arg3:arg4:arg5:arg6
1020 1021 comment=1, base address, "base":
1021 1022 comment=2, length, "len":
1022 1023 comment=3, command, "cmd":
1023 1024 comment=4, command args, "arg":
1024 1025 comment=5, command attributes, "attr":
1025 1026 comment=6, 0, "mask"
1026 1027
1027 1028 label=AUE_MKDIR
1028 1029 format=arg1:path:[attr]
1029 1030 comment=2, mode, "mode"
1030 1031
1031 1032 label=AUE_MKNOD
1032 1033 format=arg1:arg2:path:[attr]
1033 1034 comment=2, mode, "mode":
1034 1035 comment=3, dev, "dev"
1035 1036
1036 1037 label=AUE_MMAP
1037 1038 case=With a valid file descriptor
1038 1039 format=arg1:arg2:[path]3:[attr]
1039 1040 comment=1, segment address, "addr":
1040 1041 comment=2, segment address, "len":
1041 1042 comment=if no path, then argument: \
1042 1043 1, "nopath: fd", file descriptor
1043 1044 case=With an invalid file descriptor
1044 1045 format=arg1:arg2:arg3
1045 1046 comment=1, segment address, "addr":
1046 1047 comment=2, segment address, "len":
1047 1048 comment=1, file descriptor, "no path: fd"
1048 1049
1049 1050 label=AUE_MODADDMAJ
1050 1051 title=modctl: bind module
1051 1052 syscall=modctl
1052 1053 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1053 1054 comment=driver major number:
1054 1055 comment=driver name:
1055 1056 comment=driver major number or "no drvname":
1056 1057 comment=5, number of aliases, "":
1057 1058 comment=aliases
1058 1059
1059 1060 label=AUE_MODADDPRIV
1060 1061 format=kernel
1061 1062
1062 1063 label=AUE_MODCONFIG
1063 1064 skip=Not used.
1064 1065
1065 1066 label=AUE_MODCTL
1066 1067 skip=Not used. (placeholder)
1067 1068
1068 1069 label=AUE_MODDEVPLCY
1069 1070 syscall=modctl
1070 1071 title=modctl: set device policy
1071 1072 case=If unknown minor name/pattern
1072 1073 format=arg1:arg2:arg3:arg4:arg5
1073 1074 comment=2, "major", major number:
1074 1075 comment=2, "lomin", low minor number, if known:
1075 1076 comment=2, "himin", hi minor number, if known:
1076 1077 comment=privileges required for reading:
1077 1078 comment=privileges required for writing
1078 1079 case=else
1079 1080 format=arg1:text2:arg3:arg4
1080 1081 comment=2, "major", major number:
1081 1082 comment=minor name/pattern:
1082 1083 comment=privileges required for reading:
1083 1084 comment=privileges required for writing
1084 1085
1085 1086 label=AUE_MODLOAD
1086 1087 syscall=modctl
1087 1088 title=modctl: load module
1088 1089 format=[text]1:text2
1089 1090 comment=default path:
1090 1091 comment=filename path
1091 1092
1092 1093 label=AUE_MODUNLOAD
1093 1094 syscall=modctl
1094 1095 title=modctl: unload module
1095 1096 format=arg1
1096 1097 comment=1, module ID, "id"
1097 1098
1098 1099 label=AUE_MOUNT
1099 1100 case=UNIX file system
1100 1101 format=arg1:text2:path:[attr]
1101 1102 comment=3, flags, "flags":
1102 1103 comment=filesystem type
1103 1104 case=NFS file system
1104 1105 format=arg1:text2:text3:arg4:path:[attr]
1105 1106 comment=3, flags, "flags":
1106 1107 comment=filesystem type:
1107 1108 comment=host name:
1108 1109 comment=3, flags, "internal flags"
1109 1110 # unix example:
1110 1111 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1111 1112 # argument,3,0x104,flags
1112 1113 # text,ufs
1113 1114 # path,/var2
1114 1115 # attribute,40755,root,root,32,12160,0
1115 1116 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1116 1117 # attribute,60640,root,sys,32,231268,137438953476
1117 1118 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1118 1119 # return,success,4290707268
1119 1120 # ^^^^^^^^^^ <- bugid 4333559
1120 1121
1121 1122 label=AUE_MSGCTL
1122 1123 format=arg1:[ipc]:[ipc_perm]
1123 1124 comment=1, message ID, "msg ID"
1124 1125 note=ipc_perm
1125 1126 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1126 1127
1127 1128 label=AUE_MSGCTL_RMID
1128 1129 format=arg1:[ipc]:[ipc_perm]
1129 1130 comment=1, message ID, "msg ID"
1130 1131 note=ipc_perm
1131 1132 syscall=msgctl: IPC_RMID
1132 1133 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1133 1134
1134 1135 label=AUE_MSGCTL_SET
1135 1136 format=arg1:[ipc]:[ipc_perm]
1136 1137 comment=1, message ID, "msg ID"
1137 1138 note=ipc_perm
1138 1139 syscall=msgctl: IPC_SET
1139 1140 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1140 1141
1141 1142 label=AUE_MSGCTL_STAT
1142 1143 format=arg1:[ipc]:[ipc_perm]
1143 1144 comment=1, message ID, "msg ID"
1144 1145 note=ipc_perm
1145 1146 syscall=msgctl: IPC_STAT
1146 1147 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1147 1148
1148 1149 label=AUE_MSGGET
1149 1150 format=arg1:ipc
1150 1151 comment=1, message key, "msg key"
1151 1152 note=ipc_perm
1152 1153 syscall=msgget
1153 1154
1154 1155 label=AUE_MSGGETL
1155 1156 skip=Not used.
1156 1157
1157 1158 label=AUE_MSGRCV
1158 1159 format=arg1:[ipc]:[ipc_perm]
1159 1160 comment=1, message ID, "msg ID"
1160 1161 note=ipc_perm
1161 1162 syscall=msgrcv
1162 1163 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1163 1164
1164 1165 label=AUE_MSGRCVL
1165 1166 skip=Not used.
1166 1167
1167 1168 label=AUE_MSGSND
1168 1169 format=arg1:[ipc]:[ipc_perm]
1169 1170 comment=1, message ID, "msg ID"
1170 1171 note=ipc_perm
1171 1172 syscall=msgsnd
1172 1173 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1173 1174
1174 1175 label=AUE_MSGSNDL
1175 1176 skip=Not used.
1176 1177
1177 1178 label=AUE_MSGSYS
1178 1179 skip=Not used. (Placeholder for AUE_MSG* events.)
1179 1180
1180 1181 label=AUE_MUNMAP
1181 1182 format=arg1:arg2
1182 1183 comment=1, address of memory, "addr":
1183 1184 comment=2, memory segment size, "len"
1184 1185
1185 1186 label=AUE_NFS
1186 1187 skip=Not used.
1187 1188
1188 1189 label=AUE_NFSSVC_EXIT
1189 1190 skip=Not used.
1190 1191
1191 1192 label=AUE_NFS_GETFH
1192 1193 skip=Not used.
1193 1194
1194 1195 label=AUE_NFS_SVC
1195 1196 skip=Not used.
1196 1197
1197 1198 label=AUE_NICE
1198 1199 format=kernel
1199 1200
1200 1201 label=AUE_NULL
1201 1202 skip=Not used. (placeholder)
1202 1203 # used internal to audit_event.c for minimal audit
1203 1204
1204 1205 label=AUE_NTP_ADJTIME
1205 1206 format=kernel
1206 1207
1207 1208 label=AUE_ONESIDE
1208 1209 skip=Not used.
1209 1210
1210 1211 label=AUE_OPEN
1211 1212 skip=Not used. (placeholder for AUE_OPEN_*).
1212 1213
1213 1214 label=AUE_OPEN_R
1214 1215 format=path:[path_attr]:[attr]
1215 1216 see=open(2) - read
1216 1217
1217 1218 label=AUE_OPENAT_R
1218 1219 # obsolete
1219 1220 format=path:[path_attr]:[attr]
1220 1221 see=openat(2)
1221 1222
1222 1223 label=AUE_OPEN_RC
1223 1224 format=path:[path_attr]:[attr]
1224 1225 see=open(2) - read,creat
1225 1226
1226 1227 label=AUE_OPENAT_RC
1227 1228 # obsolete
1228 1229 see=openat(2)
1229 1230 format=path:[path_attr]:[attr]
1230 1231
1231 1232 label=AUE_OPEN_RT
1232 1233 format=path:[path_attr]:[attr]
1233 1234 see=open(2) - read,trunc
1234 1235
1235 1236 label=AUE_OPENAT_RT
1236 1237 # obsolete
1237 1238 see=openat(2)
1238 1239 format=path:[path_attr]:[attr]
1239 1240
1240 1241 label=AUE_OPEN_RTC
1241 1242 format=path:[path_attr]:[attr]
1242 1243 see=open(2) - read,trunc,creat
1243 1244
1244 1245 label=AUE_OPENAT_RTC
1245 1246 # obsolete
1246 1247 see=openat(2)
1247 1248 format=path:[path_attr]:[attr]
1248 1249
1249 1250 label=AUE_OPEN_RW
1250 1251 format=path:[path_attr]:[attr]
1251 1252 see=open(2) - read,write
1252 1253
1253 1254 label=AUE_OPENAT_RW
1254 1255 # obsolete
1255 1256 see=openat(2)
1256 1257 format=path:[path_attr]:[attr]
1257 1258 # aui_fsat(): fm & O_RDWR
1258 1259
1259 1260 label=AUE_OPEN_RWC
1260 1261 format=path:[path_attr]:[attr]
1261 1262 see=open(2) - read,write,creat
1262 1263
1263 1264 label=AUE_OPENAT_RWC
1264 1265 # obsolete
1265 1266 see=openat(2)
1266 1267 format=path:[path_attr]:[attr]
1267 1268
1268 1269 label=AUE_OPEN_RWT
1269 1270 format=path:[path_attr]:[attr]
1270 1271 see=open(2) - read,write,trunc
1271 1272
1272 1273 label=AUE_OPENAT_RWT
1273 1274 # obsolete
1274 1275 see=openat(2)
1275 1276 format=path:[path_attr]:[attr]
1276 1277
1277 1278 label=AUE_OPEN_RWTC
1278 1279 format=path:[path_attr]:[attr]
1279 1280 see=open(2) - read,write,trunc,creat
1280 1281
1281 1282 label=AUE_OPENAT_RWTC
1282 1283 # obsolete
1283 1284 see=openat(2)
1284 1285 format=path:[path_attr]:[attr]
1285 1286
1286 1287 label=AUE_OPEN_W
1287 1288 format=path:[path_attr]:[attr]
1288 1289 see=open(2) - write
1289 1290
1290 1291 label=AUE_OPENAT_W
1291 1292 see=openat(2)
1292 1293 format=path:[path_attr]:[attr]
1293 1294
1294 1295 label=AUE_OPEN_WC
1295 1296 format=path:[path_attr]:[attr]
1296 1297 see=open(2) - write,creat
1297 1298
1298 1299 label=AUE_OPENAT_WC
1299 1300 see=openat(2)
1300 1301 format=path:[path_attr]:[attr]
1301 1302
1302 1303 label=AUE_OPEN_WT
1303 1304 format=path:[path_attr]:[attr]
1304 1305 see=open(2) - write,trunc
1305 1306
1306 1307 label=AUE_OPENAT_WT
1307 1308 see=openat(2)
1308 1309 format=path:[path_attr]:[attr]
1309 1310
1310 1311 label=AUE_OPEN_WTC
1311 1312 format=path:[path_attr]:[attr]
1312 1313 see=open(2) - write,trunc,creat
1313 1314
1314 1315 label=AUE_OPENAT_WTC
1315 1316 see=openat(2)
1316 1317 format=path:[path_attr]:[attr]
1317 1318
1318 1319 label=AUE_OPEN_S
1319 1320 format=path:[path_attr]:[attr]
1320 1321 see=open(2) - search
1321 1322
1322 1323 label=AUE_OPEN_E
1323 1324 format=path:[path_attr]:[attr]
1324 1325 see=open(2) - exec
1325 1326
1326 1327 label=AUE_OSETPGRP
1327 1328 skip=Not used.
1328 1329
1329 1330 label=AUE_OSTAT
1330 1331 # obsolete
1331 1332 skip=Not used.
1332 1333
1333 1334 label=AUE_PATHCONF
1334 1335 format=path:[attr]
1335 1336
1336 1337 label=AUE_PIPE
1337 1338 format=kernel
1338 1339 # class is no, not usually printed
1339 1340
1340 1341 label=AUE_PORTFS
1341 1342 skip=Not used (placeholder for AUE_PORTFS_*).
1342 1343
1343 1344 label=AUE_PORTFS
1344 1345 skip=Not used (placeholder for AUE_PORTFS_*).
1345 1346
1346 1347 label=AUE_PORTFS_ASSOCIATE
1347 1348 syscall=portfs
1348 1349 see=port_associate(3C)
1349 1350 case=Port association via PORT_SOURCE_FILE
1350 1351 format=[path]1:attr
1351 1352 comment=name of the file/directory to be watched
1352 1353
1353 1354 label=AUE_PORTFS_DISSOCIATE
1354 1355 syscall=portfs
1355 1356 see=port_dissociate(3C)
1356 1357 case=Port disassociation via PORT_SOURCE_FILE
1357 1358 format=kernel
1358 1359
1359 1360 label=AUE_PRIOCNTLSYS
1360 1361 syscall=priocntl
1361 1362 see=priocntl(2)
1362 1363 format=arg1:arg2
1363 1364 comment=1, priocntl version number, "pc_version":
1364 1365 comment=3, command, "cmd"
1365 1366
1366 1367 label=AUE_PROCESSOR_BIND
1367 1368 case=No LWP/thread bound to the processor
1368 1369 format=arg1:arg2:text3:[proc]
1369 1370 comment=1, type of ID, "ID type":
1370 1371 comment=2, ID value, "ID":
1371 1372 comment="PBIND_NONE"
1372 1373 case=With processor bound
1373 1374 format=arg1:arg2:arg3:[proc]
1374 1375 comment=1, type of ID, "ID type":
1375 1376 comment=2, ID value, "ID":
1376 1377 comment=3, processor ID, "processor_id"
1377 1378
1378 1379 label=AUE_PUTMSG
1379 1380 see=putmsg(2)
1380 1381 format=arg1:[path]:[attr]:arg2
1381 1382 comment=1, file descriptor, "fd":
1382 1383 comment=4, priority, "pri"
1383 1384
1384 1385 label=AUE_PUTPMSG
1385 1386 see=putpmsg(2)
1386 1387 format=arg1:[path]:[attr]:arg2:arg3
1387 1388 comment=1, file descriptor, "fd":
1388 1389 comment=4, priority, "pri":
1389 1390 comment=5, flags, "flags"
1390 1391
1391 1392 label=AUE_P_ONLINE
1392 1393 format=arg1:arg2:text3
1393 1394 comment=1, processor ID, "processor ID":
1394 1395 comment=2, flags value, "flags":
1395 1396 comment=text form of flags. Values: \
1396 1397 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
1397 1398
1398 1399 label=AUE_QUOTACTL
1399 1400 skip=Not used.
1400 1401
1401 1402 label=AUE_READ
1402 1403 skip=Not used. (Placeholder for AUE_READ_* events)
1403 1404
1404 1405 label=AUE_READL
1405 1406 skip=Not used. (Obsolete)
1406 1407
1407 1408 label=AUE_READLINK
1408 1409 format=path:[attr]
1409 1410
1410 1411 label=AUE_READV
1411 1412 skip=Not used (obsolete)
1412 1413 # detritus from CMS
1413 1414
1414 1415 label=AUE_READVL
1415 1416 skip=Not used (obsolete)
1416 1417 # detritus from CMS
1417 1418
1418 1419 label=AUE_REBOOT
1419 1420 skip=Not used.
1420 1421
1421 1422 label=AUE_RECV
1422 1423 case=If address family is AF_INET or AF_INET6
1423 1424 format=[arg]1:[inet]
1424 1425 comment=1, file descriptor, "so"
1425 1426 case=If address family is AF_UNIX and path is defined
1426 1427 format=[path]1:[attr]
1427 1428 comment=1, file descriptor, "so"
1428 1429 case=If address family is AF_UNIX and path is NULL
1429 1430 format=[path]1:[attr]
1430 1431 comment=1, file descriptor, "no path: fd"
1431 1432 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1432 1433 format=[arg]1:[arg]2:[arg]3
1433 1434 comment=1, file descriptor, "so":
1434 1435 comment=1, family, "family":
1435 1436 comment=1, type, "type"
1436 1437 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1437 1438
1438 1439 label=AUE_RECVFROM
1439 1440 format=inet:arg1:[arg]2:inet3:arg4
1440 1441 comment=3, message length, "len":
1441 1442 comment=4, flags, "flags":
1442 1443 comment=from address:
1443 1444 comment=6, address length, "tolen"
1444 1445 note=The socket token for a bad socket is reported as "argument
1445 1446 note=token (1, socket descriptor, "fd")"
1446 1447
1447 1448 label=AUE_RECVMSG
1448 1449 case=If invalid file descriptor
1449 1450 format=arg1:arg2
1450 1451 comment=1, file descriptor, "so":
1451 1452 comment=3, flags, "flags"
1452 1453 case=If valid file descriptor and socket is AF_UNIX and no path
1453 1454 format=arg1:[attr]
1454 1455 comment=1, file descriptor, "no path: fd"
1455 1456 case=If valid file descriptor and socket is AF_UNIX and path defined
1456 1457 format=path:attr
1457 1458 case=If valid file descriptor and socket is AF_INET or AF_INET6
1458 1459 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1459 1460 format=arg1:arg2:inet
1460 1461 comment=1, file descriptor, "so":
1461 1462 comment=2, flags, "flags"
1462 1463 case=.. if socket type is unknown
1463 1464 format=arg1:arg2:arg3:arg4
1464 1465 comment=1, file descriptor, "so":
1465 1466 comment=1, family, "family":
1466 1467 comment=1, type, "type":
1467 1468 comment=3, flags, "flags"
1468 1469
1469 1470 label=AUE_RENAME
1470 1471 format=path1:[attr]1:[path]2
1471 1472 comment=from name:
1472 1473 comment=to name
1473 1474
1474 1475 label=AUE_RENAMEAT
1475 1476 # obsolete
1476 1477 format=path1:[attr]1:[path]2
1477 1478 comment=from name:
1478 1479 comment=to name
1479 1480
1480 1481 label=AUE_RFSSYS
1481 1482 skip=Not used.
1482 1483 # apparently replaced
1483 1484
1484 1485 label=AUE_RMDIR
1485 1486 format=path:[attr]
1486 1487
1488 +label=AUE_SACL
1489 + title=File Access Audit
1490 + syscall=none
1491 + see=none
1492 + format=head:path:arg1:[text]2:subj
1493 + comment="access_mask":
1494 + comment="Windows SID"
1495 +
1487 1496 label=AUE_SEMCTL
1488 1497 format=arg1:[ipc]:[ipc_perm]
1489 1498 comment=1, semaphore ID, "sem ID"
1490 1499 note=ipc_perm
1491 1500 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1492 1501
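Review bot: the attribute lines of the new AUE_SACL record are indented with a leading space (` title=File Access Audit` through ` comment="Windows SID"`), while every other record in this file puts `title=`, `format=` and `comment=` at column 0; drop the indentation so the record is parsed like the rest. The format string `head:path:arg1:[text]2:subj` also departs from the file's convention: no other record names `head` or `subj` tokens, and the example records shown under AUE_FCHDIR carry header and subject lines for a plain `format=[path]:[attr]` entry (compare `format=path:[attr]` for AUE_RMDIR directly above), so either confirm the generator accepts these token names or reduce the format to `path:arg1:[text]2`. The comments should follow the `comment=N, description, "text"` form the file uses for argument tokens (e.g. `comment=2, mode, "mode"` under AUE_MKDIR), i.e. `comment=1, access mask, "access_mask":`, and `syscall=none` / `see=none` are better omitted than set to "none", as the other records without a syscall or man-page reference simply leave those attributes out.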
1493 1502 label=AUE_SEMCTL_GETALL
1494 1503 format=arg1:[ipc]:[ipc_perm]
1495 1504 comment=1, semaphore ID, "sem ID"
1496 1505 note=ipc_perm
1497 1506 syscall=semctl: GETALL
1498 1507 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1499 1508
1500 1509 label=AUE_SEMCTL_GETNCNT
1501 1510 format=arg1:[ipc]:[ipc_perm]
1502 1511 comment=1, semaphore ID, "sem ID"
1503 1512 note=ipc_perm
1504 1513 syscall=semctl: GETNCNT
1505 1514 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1506 1515
1507 1516 label=AUE_SEMCTL_GETPID
1508 1517 format=arg1:[ipc]:[ipc_perm]
1509 1518 comment=1, semaphore ID, "sem ID"
1510 1519 note=ipc_perm
1511 1520 syscall=semctl: GETPID
1512 1521 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1513 1522
1514 1523 label=AUE_SEMCTL_GETVAL
1515 1524 format=arg1:[ipc]:[ipc_perm]
1516 1525 comment=1, semaphore ID, "sem ID"
1517 1526 note=ipc_perm
1518 1527 syscall=semctl: GETVAL
1519 1528 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1520 1529
1521 1530 label=AUE_SEMCTL_GETZCNT
1522 1531 format=arg1:[ipc]:[ipc_perm]
1523 1532 comment=1, semaphore ID, "sem ID"
1524 1533 note=ipc_perm
1525 1534 syscall=semctl: GETZCNT
1526 1535 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1527 1536
1528 1537 label=AUE_SEMCTL_RMID
1529 1538 format=arg1:[ipc]:[ipc_perm]
1530 1539 comment=1, semaphore ID, "sem ID"
1531 1540 note=ipc_perm
1532 1541 syscall=semctl: IPC_RMID
1533 1542 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1534 1543
1535 1544 label=AUE_SEMCTL_SET
1536 1545 format=arg1:[ipc]:[ipc_perm]
1537 1546 comment=1, semaphore ID, "sem ID"
1538 1547 note=ipc_perm
1539 1548 syscall=semctl: IPC_SET
1540 1549 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1541 1550
1542 1551 label=AUE_SEMCTL_SETALL
1543 1552 format=arg1:[ipc]:[ipc_perm]
1544 1553 comment=1, semaphore ID, "sem ID"
1545 1554 note=ipc_perm
1546 1555 syscall=semctl: SETALL
1547 1556 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1548 1557
1549 1558 label=AUE_SEMCTL_SETVAL
1550 1559 format=arg1:[ipc]:[ipc_perm]
1551 1560 comment=1, semaphore ID, "sem ID"
1552 1561 note=ipc_perm
1553 1562 syscall=semctl: SETVAL
1554 1563 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1555 1564
1556 1565 label=AUE_SEMCTL_STAT
1557 1566 format=arg1:[ipc]:[ipc_perm]
1558 1567 comment=1, semaphore ID, "sem ID"
1559 1568 note=ipc_perm
1560 1569 syscall=semctl: IPC_STAT
1561 1570 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1562 1571
1563 1572 label=AUE_SEMGET
1564 1573 format=arg1:[ipc_perm]:ipc
1565 1574 comment=1, semaphore ID, "sem key"
1566 1575 note=ipc_perm
1567 1576 syscall=semctl: SETVAL
1568 1577 # ipc_perm token: semget -> audit_ipcget
1569 1578
1570 1579 label=AUE_SEMGETL
1571 1580 skip=Not used.
1572 1581
1573 1582 label=AUE_SEMOP
1574 1583 format=arg1:[ipc]:[ipc_perm]
1575 1584 comment=1, semaphore ID, "sem ID"
1576 1585 note=ipc_perm
1577 1586 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1578 1587
1579 1588 label=AUE_SEMSYS
1580 1589 skip=Not used. (place holder) -- defaults to a semget variant
1581 1590
1582 1591 label=AUE_SEND
1583 1592 case=If address family is AF_INET or AF_INET6
1584 1593 format=[arg]1:[inet]
1585 1594 comment=1, file descriptor, "so"
1586 1595 case=If address family is AF_UNIX and path is defined
1587 1596 format=[path]1:[attr]
1588 1597 comment=1, file descriptor, "so"
1589 1598 case=If address family is AF_UNIX and path is NULL
1590 1599 format=[path]1:[attr]
1591 1600 comment=1, file descriptor, "no path: fd"
1592 1601 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1593 1602 format=[arg]1:[arg]2:[arg]3
1594 1603 comment=1, file descriptor, "so":
1595 1604 comment=1, family, "family":
1596 1605 comment=1, type, "type"
1597 1606 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1598 1607
1599 1608 label=AUE_SENDMSG
1600 1609 case=If invalid file descriptor
1601 1610 format=arg1:arg2
1602 1611 comment=1, file descriptor, "so":
1603 1612 comment=3, flags, "flags"
1604 1613 case=If valid file descriptor
1605 1614 case=...and address family is AF_UNIX and path is defined
1606 1615 format=path:attr
1607 1616 case=...and address family is AF_UNIX and path is NULL
1608 1617 format=path1:attr
1609 1618 comment=1, file descriptor, "nopath: fd"
1610 1619 case=...and address family is AF_INET or AF_INET6, \
1611 1620 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1612 1621 format=arg1:arg2:inet
1613 1622 comment=1, file descriptor, "so":
1614 1623 comment=3, flags, "flags"
1615 1624 case=...and unknown address family or address family AF_INET or AF_INET6 \
1616 1625 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1617 1626 format=arg1:arg2:arg3:arg4
1618 1627 comment=1, file descriptor, "so":
1619 1628 comment=1, family, "family":
1620 1629 comment=1, type, "type":
1621 1630 comment=1, flags, "flags"
1622 1631
1623 1632 label=AUE_SENDTO
1624 1633 case=If invalid file descriptor
1625 1634 format=arg1:arg2
1626 1635 comment=1, file descriptor, "so":
1627 1636 comment=3, flags, "flags"
1628 1637 case=If valid file descriptor
1629 1638 case=...and socket is AF_UNIX and path is defined
1630 1639 format=path:attr
1631 1640 case=...and address family is AF_UNIX and path is NULL
1632 1641 format=path1:attr
1633 1642 comment=1, file descriptor, "nopath: fd"
1634 1643 case=...and address family is AF_INET or AF_INET6
1635 1644 format=arg1:arg2:inet
1636 1645 comment=1, file descriptor, "so":
1637 1646 comment=3, flags, "flags"
1638 1647 case=...and unknown address family
1639 1648 format=arg1:arg2:arg3:arg4
1640 1649 comment=1, file descriptor, "so":
1641 1650 comment=1, family, "family":
1642 1651 comment=1, type, "type":
1643 1652 comment=1, flags, "flags"
1644 1653
1645 1654 label=AUE_SETAUDIT
1646 1655 case=With a valid program stack address
1647 1656 format=arg1:arg2:arg3:arg4:arg5:arg6
1648 1657 comment=1, audit user ID, "setaudit:auid":
1649 1658 comment=1, terminal ID, "setaudit:port":
1650 1659 comment=1, terminal ID, "setaudit:machine":
1651 1660 comment=1, preselection mask, "setaudit:as_success":
1652 1661 comment=1, preselection mask, "setaudit:as_failure":
1653 1662 comment=1, audit session ID, "setaudit:asid"
1654 1663 case=With an invalid program stack address
1655 1664 format=kernel
1656 1665 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1657 1666 # argument,1,0x271a,setaudit:auid
1658 1667 # argument,1,0x3ff0201,setaudit:port
1659 1668 # argument,1,0x8192591e,setaudit:machine
1660 1669 # argument,1,0x400,setaudit:as_success
1661 1670 # argument,1,0x400,setaudit:as_failure
1662 1671 # argument,1,0x16f,setaudit:asid
1663 1672 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1664 1673 # return,success,0
1665 1674 # trailer,215
1666 1675 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1667 1676 # argument,1,0x271a,setaudit:auid
1668 1677 # argument,1,0x3ff0201,setaudit:port
1669 1678 # argument,1,0x8192591e,setaudit:machine
1670 1679 # argument,1,0x400,setaudit:as_success
1671 1680 # argument,1,0x400,setaudit:as_failure
1672 1681 # argument,1,0x16f,setaudit:asid
1673 1682 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1674 1683 # return,success,0
1675 1684 # trailer,215
1676 1685
1677 1686 label=AUE_SETAUDIT_ADDR
1678 1687 case=With a valid program stack address
1679 1688 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1680 1689 comment=1, audit user ID, "auid":
1681 1690 comment=1, terminal ID, "port":
1682 1691 comment=1, type, "type":
1683 1692 comment=1, terminal ID, "ip address":
1684 1693 comment=1, preselection mask, "as_success":
1685 1694 comment=1, preselection mask, "as_failure":
1686 1695 comment=1, audit session ID, "asid"
1687 1696 case=With an invalid program stack address
1688 1697 format=kernel
1689 1698 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1690 1699 # argument,1,0x15fa7,auid
1691 1700 # argument,1,0x0,port
1692 1701 # argument,1,0x4,type
1693 1702 # ip address,tmach2
1694 1703 # argument,1,0x9c00,as_success
1695 1704 # argument,1,0x9c00,as_failure
1696 1705 # argument,1,0x1f1,asid
1697 1706 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1698 1707 # return,success,0
1699 1708
1700 1709 label=AUE_SETAUID
1701 1710 format=arg1
1702 1711 comment=2, audit user ID, "setauid"
1703 1712
1704 1713 label=AUE_SETDOMAINNAME
1705 1714 skip=Not used. (See AUE_SYSINFO)
1706 1715 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1707 1716
1708 1717 label=AUE_SETEGID
1709 1718 format=arg1
1710 1719 comment=1, group ID, "gid"
1711 1720
1712 1721 label=AUE_SETEUID
1713 1722 format=arg1
1714 1723 comment=1, user ID, "euid"
1715 1724
1716 1725 label=AUE_SETGID
1717 1726 format=arg1
1718 1727 comment=1, group ID, "gid"
1719 1728
1720 1729 label=AUE_SETGROUPS
1721 1730 note=If more than NGROUPS_MAX_DEFAULT groups listed,
1722 1731 note=no tokens are generated.
1723 1732 case=If no groups in list
1724 1733 format=[arg]1
1725 1734 comment=1, 0, "setgroups"
1726 1735 case=If 1 or more groups in list
1727 1736 format=(1..n)arg1
1728 1737 comment=1, gid, "setgroups"
1729 1738
1730 1739 label=AUE_SETHOSTNAME
1731 1740 skip=Not used. (See AUE_SYSINFO)
1732 1741 # See sysinfo call with command SI_SET_HOSTNAME
1733 1742
1734 1743 label=AUE_SETKERNSTATE
1735 1744 skip=Not used.
1736 1745
1737 1746 label=AUE_SETPGID
1738 1747 format=[proc]:[arg]1
1739 1748 comment=2, pgid, "pgid"
1740 1749
1741 1750 label=AUE_SETPGRP
1742 1751 format=kernel
1743 1752
1744 1753 label=AUE_SETPRIORITY
1745 1754 skip=Not used.
1746 1755
1747 1756 label=AUE_SETPPRIV
1748 1757 case=operation privileges off
1749 1758 format=arg1:privset2
1750 1759 comment=setppriv operation:
1751 1760 comment=privileges actually switched off
1752 1761 case=operation privileges on
1753 1762 format=arg1:privset2
1754 1763 comment=setppriv operation:
1755 1764 comment=privileges actually switched on
1756 1765 case=operation privileges off
1757 1766 format=arg1:privset2:privset3
1758 1767 comment=setppriv operation:
1759 1768 comment=privileges before privset:
1760 1769 comment=privileges after privset
1761 1770 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1762 1771 #argument,2,0x2,op
1763 1772 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1764 1773 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 1774 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1766 1775 #return,success,0
1767 1776
1768 1777 label=AUE_SETREGID
1769 1778 format=arg1:arg2
1770 1779 comment=1, real group ID, "rgid":
1771 1780 comment=2, effective group ID, "egid"
1772 1781
1773 1782 label=AUE_SETREUID
1774 1783 format=arg1:arg2
1775 1784 comment=1, real user ID, "ruid":
1776 1785 comment=2, effective user ID, "euid"
1777 1786
1778 1787 label=AUE_SETRLIMIT
1779 1788 format=kernel
1780 1789 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1781 1790 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1782 1791 # return,success,0
1783 1792
1784 1793 label=AUE_SETSID
1785 1794 format=kernel
1786 1795
1787 1796 label=AUE_SETSOCKOPT
1788 1797 case=Invalid file descriptor
1789 1798 format=arg1:arg2
1790 1799 comment=1, file descriptor, "so":
1791 1800 comment=2, level, "level"
1792 1801 case=Valid file descriptor
1793 1802 case=...and socket is AF_UNIX
1794 1803 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1795 1804 comment=if no path, will be argument: 1, "nopath: fd", \
1796 1805 file descriptor:
1797 1806 comment=1, file descriptor, "so":
1798 1807 comment=1, family, "family":
1799 1808 comment=1, type, "type":
1800 1809 comment=2, protocol level, "level":
1801 1810 comment=3, option name, "optname":
1802 1811 comment=5, option length, "optlen":
1803 1812 comment=option data
1804 1813 case=...and socket is AF_INET or AF_INET6
1805 1814 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1806 1815 comment=1, file descriptor, "so":
1807 1816 comment=2, protocol level, "level":
1808 1817 comment=3, option name, "optname":
1809 1818 comment=5, option length, "optlen":
1810 1819 comment=option data
1811 1820 case=...and socket adddress family is unknown
1812 1821 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1813 1822 comment=1, file descriptor, "so":
1814 1823 comment=1, family, "family":
1815 1824 comment=1, type, "type":
1816 1825 comment=2, protocol level, "level":
1817 1826 comment=3, option name, "optname":
1818 1827 comment=5, option length, "optlen":
1819 1828 comment=option data
1820 1829
1821 1830 label=AUE_SETTIMEOFDAY
1822 1831 skip=Not used.
1823 1832
1824 1833 label=AUE_SETUID
1825 1834 syscall=setuid
1826 1835 format=arg1
1827 1836 comment=1, "uid" to be set
1828 1837
1829 1838 label=AUE_SETUSERAUDIT
1830 1839 skip=Not used.
1831 1840
1832 1841 label=AUE_SHMAT
1833 1842 format=arg1:arg2:[ipc]:[ipc_perm]
1834 1843 comment=1, shared memory ID, "shm ID":
1835 1844 comment=2, shared mem addr, "shm addr"
1836 1845 note=ipc_perm
1837 1846 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1838 1847
1839 1848 label=AUE_SHMCTL
1840 1849 format=arg1:[ipc]:[ipc_perm]
1841 1850 comment=1, shared memory ID, "shm ID"
1842 1851 note=ipc_perm
1843 1852 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1844 1853
1845 1854 label=AUE_SHMCTL_RMID
1846 1855 format=arg1:[ipc]:[ipc_perm]
1847 1856 comment=1, shared memory ID, "shm ID"
1848 1857 note=ipc_perm
1849 1858 syscall=semctl: IPC_RMID
1850 1859 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1851 1860
1852 1861 label=AUE_SHMCTL_SET
1853 1862 format=arg1:[ipc]:[ipc_perm]
1854 1863 comment=1, shared memory ID, "shm ID"
1855 1864 note=ipc_perm
1856 1865 syscall=semctl: IPC_SET
1857 1866 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1858 1867
1859 1868 label=AUE_SHMCTL_STAT
1860 1869 format=arg1:[ipc]:[ipc_perm]
1861 1870 comment=1, shared memory ID, "shm ID"
1862 1871 note=ipc_perm
1863 1872 syscall=semctl: IPC_STAT
1864 1873 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1865 1874
1866 1875 label=AUE_SHMDT
1867 1876 format=arg1
1868 1877 comment=1, shared memory address, "shm adr"
1869 1878
1870 1879 label=AUE_SHMGET
1871 1880 format=arg1:[ipc_perm]:[ipc]
1872 1881 comment=0, shared memory key, "shm key"
1873 1882 note=ipc_perm
1874 1883 # ipc_perm: shmget -> audit_ipcget
1875 1884
1876 1885 label=AUE_SHMGETL
1877 1886 skip=Not used.
1878 1887
1879 1888 label=AUE_SHMSYS
1880 1889 skip=Not used. (Placeholder for shmget and shmctl*)
1881 1890
1882 1891 label=AUE_SHUTDOWN
1883 1892 case=If the socket address is invalid
1884 1893 format=[arg]1:[text]2:[text]3
1885 1894 comment=1, file descriptor, "fd":
1886 1895 comment=bad socket address:
1887 1896 comment=bad peer address
1888 1897 case=If the socket address is part of the AF_INET family
1889 1898 case=..with zero file descriptor
1890 1899 format=arg1:[arg]2:[arg]3:[arg]4
1891 1900 comment=1, file descriptor, "so":
1892 1901 comment=1, family, "family":
1893 1902 comment=1, type, "type":
1894 1903 comment=2, how shutdown code, "how"
1895 1904 case=...with non-zero file descriptor
1896 1905 format=arg1:arg2:inet
1897 1906 comment=1, file descriptor, "so":
1898 1907 comment=2, how shutdown code, "how"
1899 1908 case=If the socket address is AF_UNIX
1900 1909 case=...with zero file descriptor
1901 1910 format=path1:arg2:[arg]3:[arg]4:[arg]5
1902 1911 comment=If error: argument: \
1903 1912 1, "no path: fd", file descriptor:
1904 1913 comment=1, file descriptor, "so":
1905 1914 comment=1, family, "family":
1906 1915 comment=1, type, "type":
1907 1916 comment=2, how shutdown code, "how"
1908 1917 case=...with non-zero file descriptor
1909 1918 format=path1:arg2:arg3:inet
1910 1919 comment=If error: argument: \
1911 1920 1, file descriptor, "no path: fd":
1912 1921 comment=1, file descriptor, "so":
1913 1922 comment=2, how shutdown code, "how"
1914 1923 #old BSM manual wrong; used audit_event.c
1915 1924
1916 1925 label=AUE_SOCKACCEPT
1917 1926 syscall=getmsg: socket accept
1918 1927 format=inet:arg1:[path]:attr:arg2
1919 1928 comment=1, file descriptor, "fd":
1920 1929 comment=4, priority, "pri"
1921 1930 # see putmsg and getmsg for record format
1922 1931 # See audit.c for inet token and audit_start.c for other reference
1923 1932
1924 1933 label=AUE_SOCKCONFIG
1925 1934 format=arg1:arg2:arg3:[path]4
1926 1935 comment=1, domain address, "domain":
1927 1936 comment=2, type, "type":
1928 1937 comment=3, protocol, "protocol":
1929 1938 comment=If no path:argument -- 3, 0, "devpath"
1930 1939
1931 1940 label=AUE_SOCKCONNECT
1932 1941 syscall=putmsg: socket connect
1933 1942 format=inet:arg1:[path]:attr:arg2
1934 1943 comment=1, file descriptor, "fd":
1935 1944 comment=4, priority, "pri"
1936 1945 # same as AUE_SOCKACCEPT
1937 1946
1938 1947 label=AUE_SOCKET
1939 1948 format=arg1:[arg]2:arg3
1940 1949 comment=1, socket domain, "domain":
1941 1950 comment=2, socket type, "type":
1942 1951 comment=3, socket protocol, "protocol"
1943 1952
1944 1953 label=AUE_SOCKETPAIR
1945 1954 skip=Not used.
1946 1955 # unreferenced
1947 1956
1948 1957 label=AUE_SOCKRECEIVE
1949 1958 syscall=getmsg
1950 1959 format=inet:arg1:[path]:attr:arg2
1951 1960 comment=1, file descriptor, "fd":
1952 1961 comment=4, priority, "pri"
1953 1962 # see AUE_SOCKACCEPT
1954 1963
1955 1964 label=AUE_SOCKSEND
1956 1965 syscall=putmsg
1957 1966 format=inet:arg1:[path]:attr:arg2
1958 1967 comment=1, file descriptor, "fd":
1959 1968 comment=4, priority, "pri"
1960 1969 # see AUE_SOCKACCEPT
1961 1970
1962 1971 label=AUE_STAT
1963 1972 format=path:[attr]
1964 1973
1965 1974 label=AUE_STATFS
1966 1975 format=path:[attr]
1967 1976
1968 1977 label=AUE_STATVFS
1969 1978 format=path:[attr]
1970 1979
1971 1980 label=AUE_STIME
1972 1981 format=kernel
1973 1982
1974 1983 label=AUE_SWAPON
1975 1984 skip=Not used.
1976 1985
1977 1986 label=AUE_SYMLINK
1978 1987 format=path:text1:[attr]
1979 1988 comment=symbolic link string
1980 1989
1981 1990 label=AUE_SYSINFO
1982 1991 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1983 1992 note=are currently audited.
1984 1993 format=arg1:[text]2
1985 1994 comment=1, command, "cmd":
1986 1995 comment=name
1987 1996
1988 1997 label=AUE_SYSTEMBOOT
1989 1998 title=system booted
1990 1999 syscall=none
1991 2000 format=head:text1
1992 2001 comment="booting kernel"
1993 2002 # see audit_start.c and audit_io.c
1994 2003 # no subject or return / exit token
1995 2004 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1996 2005 # text,booting kernel
1997 2006
1998 2007 label=AUE_TRUNCATE
1999 2008 skip=Not used.
2000 2009
2001 2010 label=AUE_UMOUNT
2002 2011 syscall=umount: old version
2003 2012 note=Implemented as call of the newer umount2(2).
2004 2013 format=path:arg1:[path]:[attr]
2005 2014 comment=2, mflag value = 0, "flags"
2006 2015
2007 2016 label=AUE_UMOUNT2
2008 2017 syscall=umount2
2009 2018 format=path:arg1:[path]:[attr]
2010 2019 comment=2, mflag value, "flags"
2011 2020
2012 2021 label=AUE_UNLINK
2013 2022 format=path:[attr]
2014 2023
2015 2024 label=AUE_UNLINKAT
2016 2025 # obsolete
2017 2026 see=openat(2)
2018 2027 format=path:[attr]
2019 2028
2020 2029 label=AUE_UNMOUNT
2021 2030 skip=Not used.
2022 2031
2023 2032 label=AUE_UTIME
2024 2033 # obsolete
2025 2034 format=path:[attr]
2026 2035
2027 2036 label=AUE_UTIMES
2028 2037 see=futimens(2)
2029 2038 format=path:[attr]
2030 2039
2031 2040 label=AUE_VFORK
2032 2041 format=arg1
2033 2042 comment=0, pid, "child PID"
2034 2043 note=The vfork(2) return values are undefined because the audit record is
2035 2044 note=produced at the point that the child process is spawned.
2036 2045
2037 2046 label=AUE_VPIXSYS
2038 2047 skip=Not used.
2039 2048
2040 2049 label=AUE_VTRACE
2041 2050 skip=Not used.
2042 2051
2043 2052 label=AUE_WRITE
2044 2053 format=path1:attr
2045 2054 comment=if no path, argument -- "1, file descriptor, "no path: fd"
2046 2055 note:An audit record is generated for write only once per file close.
2047 2056
2048 2057 label=AUE_WRITEV
2049 2058 skip=Not used. (obsolete)
2050 2059
2051 2060 label=AUE_XMKNOD
2052 2061 # obsolete
2053 2062 skip=Not used.
2054 2063
2055 2064 label=AUE_XSTAT
2056 2065 # obsolete
2057 2066 skip=Not Used.
2058 2067
2059 2068 label=AUE_PF_POLICY_ADDRULE
2060 2069 title=Add IPsec policy rule
2061 2070 see=
2062 2071 syscall=none
2063 2072 format=arg1:arg2:[zone]3:[text]4
2064 2073 comment=Operation applied to active policy (1 is active, 0 is inactive):
2065 2074 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2066 2075 comment=affected zone:
2067 2076 comment=Name of target tunnel
2068 2077
2069 2078 label=AUE_PF_POLICY_DELRULE
2070 2079 title=Delete IPsec policy rule
2071 2080 see=
2072 2081 syscall=none
2073 2082 format=arg1:arg2:[zone]3:[text]4
2074 2083 comment=Operation applied to active policy (1 is active, 0 is inactive):
2075 2084 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2076 2085 comment=affected zone:
2077 2086 comment=Name of target tunnel
2078 2087
2079 2088 label=AUE_PF_POLICY_CLONE
2080 2089 title=Clone IPsec policy
2081 2090 see=
2082 2091 syscall=none
2083 2092 format=arg1:arg2:[zone]3:[text]4
2084 2093 comment=Operation applied to active policy (1 is active, 0 is inactive):
2085 2094 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2086 2095 comment=affected zone:
2087 2096 comment=Name of target tunnel
2088 2097
2089 2098 label=AUE_PF_POLICY_FLIP
2090 2099 title=Flip IPsec policy
2091 2100 see=
2092 2101 syscall=none
2093 2102 format=arg1:arg2:[zone]3:[text]4
2094 2103 comment=Operation applied to active policy (1 is active, 0 is inactive):
2095 2104 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2096 2105 comment=affected zone:
2097 2106 comment=Name of target tunnel
2098 2107
2099 2108 label=AUE_PF_POLICY_FLUSH
2100 2109 title=Flip IPsec policy rules
2101 2110 see=
2102 2111 syscall=none
2103 2112 format=arg1:arg2:[zone]3:[text]4
2104 2113 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 2114 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 2115 comment=affected zone:
2107 2116 comment=Name of target tunnel
2108 2117
2109 2118 label=AUE_PF_POLICY_ALGS
2110 2119 title=Update IPsec algorithms
2111 2120 see=
2112 2121 syscall=none
2113 2122 format=arg1:arg2:[zone]3:[text]4
2114 2123 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 2124 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 2125 comment=affected zone:
2117 2126 comment=Name of target tunnel
2118 2127
2119 2128 label=AUE_allocate_fail
2120 2129 program=/usr/sbin/allocate
2121 2130 title=allocate: allocate-device failure
2122 2131 format=(0..n)[text]1
2123 2132 comment=command line arguments
2124 2133 # see audit_allocate.c
2125 2134
2126 2135 label=AUE_allocate_succ
2127 2136 program=/usr/sbin/allocate
2128 2137 title=allocate: allocate-device success
2129 2138 format=(0..n)[text]1
2130 2139 comment=command line arguments
2131 2140 # see audit_allocate.c
2132 2141
2133 2142 label=AUE_at_create
2134 2143 program=/usr/bin/at
2135 2144 title=at: at-create crontab
2136 2145 format=path
2137 2146
2138 2147 label=AUE_at_delete
2139 2148 program=/usr/bin/at
2140 2149 title=at: at-delete atjob (at or atrm)
2141 2150 format=text1:path
2142 2151 comment="ancillary file:" filename or "bad format of at-job name"
2143 2152
2144 2153 label=AUE_at_perm
2145 2154 skip=Not used.
2146 2155 # not referenced outside uevents.h
2147 2156
2148 2157 label=AUE_create_user
2149 2158 skip=Not used.
2150 2159
2151 2160 label=AUE_cron_invoke
2152 2161 program=/usr/sbin/cron
2153 2162 title=cron: cron-invoke at or cron
2154 2163 case=If issue with account find
2155 2164 format=text1
2156 2165 comment="bad user" name or "user <name> account expired"
2157 2166 case=else
2158 2167 format=text1:text2
2159 2168 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2160 2169 or "unknown job type (<job_type_id>)":
2161 2170 comment=command
2162 2171
2163 2172 label=AUE_crontab_create
2164 2173 program=/usr/bin/crontab
2165 2174 title=crontab: crontab created
2166 2175 format=path
2167 2176 # See audit_crontab.c
2168 2177
2169 2178 label=AUE_crontab_delete
2170 2179 program=/usr/bin/crontab
2171 2180 title=crontab: crontab delete
2172 2181 format=path
2173 2182 # See audit_crontab.c
2174 2183
2175 2184 label=AUE_crontab_mod
2176 2185 program=/usr/bin/crontab
2177 2186 title=crontab: crontab modify
2178 2187 format=path
2179 2188 # See audit_crontab.c
2180 2189
2181 2190 label=AUE_crontab_perm
2182 2191 skip=Not used.
2183 2192
2184 2193 label=AUE_deallocate_fail
2185 2194 program=/usr/sbin/deallocate
2186 2195 title=deallocate-device failure
2187 2196 format=(0..n)[text]1
2188 2197 comment=command line arguments
2189 2198 # See audit_allocate.c
2190 2199
2191 2200 label=AUE_deallocate_succ
2192 2201 program=/usr/sbin/deallocate
2193 2202 title=deallocate-device success
2194 2203 format=(0..n)[text]1
2195 2204 comment=command line arguments
2196 2205 # See audit_allocate.c
2197 2206
2198 2207 label=AUE_delete_user
2199 2208 skip=Not used.
2200 2209
2201 2210 label=AUE_disable_user
2202 2211 skip=Not used.
2203 2212
2204 2213 label=AUE_enable_user
2205 2214 skip=Not used.
2206 2215
2207 2216 label=AUE_ftpd
2208 2217 program=/usr/sbin/in.ftpd
2209 2218 title=in.ftpd
2210 2219 format=[text]1
2211 2220 comment=error message
2212 2221 # See audit_ftpd
2213 2222
2214 2223 label=AUE_ftpd_logout
2215 2224 program=/usr/sbin/in.ftpd
2216 2225 title=in.ftpd
2217 2226 format=user
2218 2227 # See audit_ftpd
2219 2228
2220 2229 label=AUE_halt_solaris
2221 2230 program=/usr/sbin/halt
2222 2231 title=halt
2223 2232 format=user
2224 2233 # See audit_halt.c
2225 2234
2226 2235 label=AUE_kadmind_auth
2227 2236 format=text1:text2:text3
2228 2237 comment=Op: <requested information>:
2229 2238 comment=Arg: <argument for Op>:
2230 2239 comment=Client: <client principal name>
2231 2240 # See audit_kadmin.c / common_audit()
2232 2241
2233 2242 label=AUE_kadmind_unauth
2234 2243 format=text1:text2:text3
2235 2244 comment=Op: <requested information>:
2236 2245 comment=Arg: <argument for Op>:
2237 2246 comment=Client: <client principal name>
2238 2247 # See audit_kadmin.c / common_audit()
2239 2248
2240 2249 label=AUE_krb5kdc_as_req
2241 2250 format=text1:text2
2242 2251 comment=Client: <client principal name>:
2243 2252 comment=Service: <requested service name>
2244 2253 # See audit_krb5kdc.c / common_audit()
2245 2254
2246 2255 label=AUE_krb5kdc_tgs_req
2247 2256 format=text1:text2
2248 2257 comment=Client: <client principal name>:
2249 2258 comment=Service: <requested service name>
2250 2259 # See audit_krb5kdc.c / common_audit()
2251 2260
2252 2261 label=AUE_krb5kdc_tgs_req_alt_tgt
2253 2262 format=text1:text2
2254 2263 comment=Client: <client principal name>:
2255 2264 comment=Service: <requested service name>
2256 2265 # See audit_krb5kdc.c / common_audit()
2257 2266
2258 2267 label=AUE_krb5kdc_tgs_req_2ndtktmm
2259 2268 format=text1:text2
2260 2269 comment=Client: <client principal name>:
2261 2270 comment=Service: <requested service name>
2262 2271 # See audit_krb5kdc.c / common_audit()
2263 2272
2264 2273 label=AUE_listdevice_fail
2265 2274 title=allocate-list devices failure
2266 2275 program=/usr/sbin/allocate
2267 2276 format=(0..n)[text]1
2268 2277 comment=command line arguments
2269 2278 # See audit_allocate.c
2270 2279
2271 2280 label=AUE_listdevice_succ
2272 2281 title=allocate-list devices success
2273 2282 program=/usr/sbin/allocate
2274 2283 format=(0..n)[text]1
2275 2284 comment=command line arguments
2276 2285 # See audit_allocate.c
2277 2286
2278 2287 label=AUE_modify_user
2279 2288 skip=Not used.
2280 2289
2281 2290 label=AUE_mountd_mount
2282 2291 title=mountd: NFS mount
2283 2292 program=/usr/lib/nfs/mountd
2284 2293 see=mountd(1M)
2285 2294 format=text1:path2
2286 2295 comment=remote client hostname:
2287 2296 comment=mount dir
2288 2297 # See audit_mountd.c
2289 2298
2290 2299 label=AUE_mountd_umount
2291 2300 title=mountd: NFS unmount
2292 2301 program=/usr/lib/nfs/mountd
2293 2302 format=text1:path2
2294 2303 comment=remote client hostname:
2295 2304 comment=mount dir
2296 2305 # See audit_mountd.c
2297 2306
2298 2307 label=AUE_poweroff_solaris
2299 2308 program=/usr/sbin/poweroff
2300 2309 title=poweroff
2301 2310 format=user
2302 2311 # See audit_halt.c
2303 2312
2304 2313 label=AUE_reboot_solaris
2305 2314 program=/usr/sbin/reboot
2306 2315 title=reboot
2307 2316 format=user
2308 2317 # See audit_reboot.c
2309 2318 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2310 2319 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2311 2320 # return,success,0
2312 2321
2313 2322 label=AUE_rexd
2314 2323 program=/usr/sbin/rpc.rexd
2315 2324 title=rpc.rexd
2316 2325 format=[text]1:text2:text3:[text]4:[text]5
2317 2326 comment=error message (failure only):
2318 2327 comment="Remote execution requested by:" hostname:
2319 2328 comment="Username:" username:
2320 2329 comment="User id:" user ID (failure only):
2321 2330 comment="Command line:" command attempted
2322 2331 # See audit_rexd.c
2323 2332
2324 2333 label=AUE_rexecd
2325 2334 program=/usr/sbin/rpc.rexecd
2326 2335 title=rpc.rexecd
2327 2336 format=[text]1:text2:text3:text4
2328 2337 comment=error message (failure only):
2329 2338 comment="Remote execution requested by:" hostname:
2330 2339 comment="Username:" username:
2331 2340 comment="Command line:" command attempted
2332 2341 # See audit_rexecd.c
2333 2342
2334 2343 label=AUE_rshd
2335 2344 program=/usr/sbin/in.rshd
2336 2345 title=in.rshd
2337 2346 format=text1:text2:[text]3:[text]4
2338 2347 comment="cmd" command:
2339 2348 comment="remote user" remote user:
2340 2349 comment="local user" local user:
2341 2350 comment=failure message
2342 2351 # See audit_rshd.c
2343 2352
2344 2353 label=AUE_shutdown_solaris
2345 2354 title=shutdown
2346 2355 program=/usr/ucb/shutdown
2347 2356 format=user
2348 2357 # See audit_shutdown.c
2349 2358
2350 2359 label=AUE_smserverd
2351 2360 program=/usr/lib/smedia/rpc.smserverd
2352 2361 format=[text]1:[text]2
2353 2362 comment=state change:
2354 2363 comment=vid, pid, major/minor device
2355 2364 # see usr/src/cmd/smserverd
2356 2365 # code shows a third token, path, but it isn't implemented.
2357 2366
2358 2367 label=AUE_uadmin_solaris
2359 2368 title=uadmin (obsolete)
2360 2369 program=
2361 2370 see=
2362 2371 format=text1:text2
2363 2372 comment=function code:
2364 2373 comment=argument code
2365 2374 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2366 2375
2367 2376 label=AUE_LABELSYS_TNRH
2368 2377 title=config Trusted Network remote host cache
2369 2378 see=tnrh(2)
2370 2379 syscall=labelsys: TSOL_TNRH
2371 2380 case=With the flush command (cmd=3)
2372 2381 format=arg1
2373 2382 comment=1, command, "cmd"
2374 2383 case=With the load (cmd=1) and delete (cmd=2) commands
2375 2384 format=arg1:inaddr2:arg3
2376 2385 comment=1, command, "cmd":
2377 2386 comment=ip address of host:
2378 2387 comment=2, prefix length, "prefix len"
2379 2388
2380 2389 label=AUE_LABELSYS_TNRHTP
2381 2390 title=config Trusted Network remote host template
2382 2391 see=tnrhtp(2)
2383 2392 syscall=labelsys: TSOL_TNRHTP
2384 2393 case=With the flush command (cmd=3)
2385 2394 format=arg1
2386 2395 comment=1, command, "cmd"
2387 2396 case=With the load (cmd=1) and delete (cmd=2) commands
2388 2397 format=arg1:text2
2389 2398 comment=1, command, "cmd":
2390 2399 comment=name of template
2391 2400
2392 2401 label=AUE_LABELSYS_TNMLP
2393 2402 title=config Trusted Network multi-level port entry
2394 2403 see=tnmlp(2)
2395 2404 syscall=labelsys: TSOL_TNMLP
2396 2405 case=With the flush command (cmd=3)
2397 2406 format=arg1:text2
2398 2407 comment=1, command, "cmd":
2399 2408 comment="shared", or name of zone
2400 2409 case=With the load (cmd=1) and delete (cmd=2) commands
2401 2410 format=arg1:text2:arg3:arg4:[arg]5
2402 2411 comment=1, command, "cmd":
2403 2412 comment="shared", or name of zone:
2404 2413 comment=2, protocol number, "proto num":
2405 2414 comment=2, starting mlp port number, "mlp_port":
2406 2415 comment=2, ending mlp port number, "mlp_port_upper"
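Review bot: several pre-existing defects in this unchanged context are worth a drive-by fix while the file is being edited, none of them introduced by this change. Under AUE_WRITE the line `note:An audit record is generated for write only once per file close.` uses a colon where every other attribute uses `=`, so it will not be picked up as a `note` attribute, and the preceding comment `comment=if no path, argument -- "1, file descriptor, "no path: fd"` has an unbalanced quote; the AUE_SHMCTL_RMID, AUE_SHMCTL_SET and AUE_SHMCTL_STAT entries carry `syscall=semctl: IPC_RMID` (and IPC_SET, IPC_STAT) although the labels and the trailing comments refer to shmctl; AUE_PF_POLICY_FLUSH is titled `Flip IPsec policy rules`, duplicating the AUE_PF_POLICY_FLIP title where "Flush" is evidently meant; and the AUE_SETSOCKOPT case line reads `socket adddress family is unknown`.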