8309 libbsm should support AUE_sudo audit event

[unleashed.git] / usr / src / cmd / auditrecord / audit_record_attr.txt

# audit_record_attr.txt
# Two "#" are comments that are copied to audit_record_attr
# other comments are removed.
##
## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
##
## CDDL HEADER START
##
## The contents of this file are subject to the terms of the
## Common Development and Distribution License (the "License").
## You may not use this file except in compliance with the License.
##
## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
## or http://www.opensolaris.org/os/licensing.
## See the License for the specific language governing permissions
## and limitations under the License.
##
## When distributing Covered Code, include this CDDL HEADER in each
## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
## If applicable, add the following below this CDDL HEADER, with the
## fields enclosed by brackets "[]" replaced with your own identifying
## information: Portions Copyright [yyyy] [name of copyright owner]
##
## CDDL HEADER END
##
##

# source file for describing audit records.

# This file is in two sections.  The first is a list of attribute /
# value pairs used to provide short cuts in annotating the audit
# records.  The second is for annotation for each audit record.

# first section: general attributes

# skipClass=<class name of items to skip if only in that class>
# skipClass=no    # uncomment to filter unused events

# token name abbreviations
# token=alias:fullname  -- short names for key tokens

token=arg:argument
token=attr:attribute
token=acl:acl_entry
token=cmd:command
token=data:data
token=exec_args:exec_arguments
token=exec_env:exec_environment
token=group:group
token=inaddr:ip_addr
token=inet:socket
token=ipc:ipc
token=ipc_perm:ipc_perm
token=newgroup:newgroups
token=path:path
token=path_attr:attribute_path
token=privset:privilege
token=proc:process
token=text:text
token=tid:terminal_adr
token=uauth:use_of_authorization
token=upriv:use_of_privilege
token=user:user_object
token=zone:zonename
token=fmri:service_instance
token=label:mandatory_label

token=head:header
token=subj:subject
token=ret:return
token=exit:exit

# note names -- certain notes show up repeatedly; collected here
#
# To achieve the maximum line length to be less than 80 characters, the 
# note names (message=) can be defined as a multi line, each line except the
# last one finished with the backslash character. 

message=ipc_perm:The ipc and ipc_perm tokens are not included if \
  the message ID is not valid.


# basic record pattern ("insert" is where event-specific tokens
# are listed.)

kernel=head:insert:subj:[upriv]:ret
user=head:subj:insert:ret

# Second Section
# Annotation Section
#
# Most audit records need annotation beyond what is provided by
# the files audit_event and audit_class.  At a minimum, a record
# is represented by a label and a format.
#
# label=record_id             like AUE_ACCEPT
# format=token_alias
#
# there is no end line; a new label= end the preceding definition
# and starts the next.
#
# format values are a list of token names, separated by colons.  The
# name is either one of the values described above (token=) or is
# a value to be taken literally.  If a token name ends with a digit,
# the digit is an index into an array of comments.  In the few cases
# where there are no tokens (other than header, subject, return/exit),
# use "format=kernel" or "format="user".
#
# comment is an array of strings separated by colons.  If comments
# are listed on separate lines (recommended due to better
# readability/sustainability of the file), the preceding comment 
# must end with  a colon.  The array starts at 1. (If the comment 
# contains a colon, use "&colon;" without the quotes.)
#
# case is used to generate alternate descriptions for a given
# record.
#
# Constraints - the string length; bear in mind, that any annotation of
# primitives below longer than is specified, will be silently truncated 
# to given/defined amount of characters in the auditrecord(1M) runtime:
#
#     primitive <= max (non-truncated) string length
#       case    <= unlimited; if necessary, text continues on a new line
#       comment <= unlimited; if necessary, text continues on a new line
#       label   <= 43
#       note    <= unlimited; if necessary, text continues on a new line
#       program <= 20
#       see     <= 39
#       syscall <= 20
#       title   <= 46
#       token   <= 28 (full name)
#
# To achieve the maximum line length to be less than 80 characters, one can
# define the unlimited primitives as a multi line, each line except the
# last one finished with the backslash character. In addition to above
# mentioned, the "format=" record attribute follows the same rule.
#
#
# AUE_ACCEPT illustrates the use of all the above.  Note that
# case is not nested; ellipsis (...) is used to give the effect
# of nesting.

label=AUE_ACCEPT
#accept(2) failure
  case=Invalid socket file descriptor
    format=arg1
      comment=1, file descriptor, "so"
#accept(2) non SOCK_STREAM socket
  case=If the socket address is not part of the AF_INET family
    format=arg1:arg2:arg3
      comment=1, "so", file descriptor:
      comment="family", so_family:
      comment="type", so_type
  case=If the socket address is part of the AF_INET family
    case=...If there is no vnode for this file descriptor
      format=[arg]1
        comment=1, file descriptor, "Bad so"
#accept(2) SOCK_STREAM socket-not bound
    case=...or if the socket is not bound
      format=[arg]1:[inet]2
        comment=1, file descriptor, "so":
        comment=local/foreign address (0.0.0.0)
    case=...or if the socket address length = 0
      format=[arg]1:[inet]2
        comment=1, file descriptor, "so":
        comment=local/foreign address (0.0.0.0)
    case=...or for all other conditions
      format=inet1:[inet]1
        comment=socket address
#accept(2) failure
#       header
#       au_to_arg32     "so",file descriptor
#       subject
#       return  <errno != 0>
#
#accept(2) non SOCK_STREAM socket
#       header
#       au_to_arg32     "so", file descriptor
#       au_to_arg32     "family", so_family
#       au_to_arg32     "type", so_type
#       subject
#       return success
#
#accept(2) SOCK_STREAM socket-not bound
#       header
#       au_to_arg32     "so", file descriptor
#       au_to_socket_ex local/foreign address (0.0.0.0)
#       subject
#       return success
#
#accept(2) SOCK_STREAM socket-bound
#       header
#       au_to_arg32     "so", file descriptor
#       au_to_socket_ex
#       subject
#       return success



label=AUE_ACCESS
  format=path1:[attr]
    comment=may be truncated in failure case
#       header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
#       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
#       attribute,100777,41416,staff,8388608,402255,0
#       subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
#       return,success,0
#       trailer,163
#
#       header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
#       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
#       attribute,100000,root,other,8388608,402257,0
#       subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
#       return,failure: Permission denied,-1
#       trailer,163
#
#       header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
#       path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
#       subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
#       return,failure: No such file or directory,-1
#       trailer,135

label=AUE_ACCT
  case=Zero path
    format=arg1
      comment=1, 0, "accounting off"
  case=Non-zero path
    format=path1:[attr]2
      comment=may be truncated in failure case:
      comment=omitted if failure

label=AUE_ACLSET
  syscall=acl
  format=arg1:arg2:(0..n)[acl]3
    comment=2, SETACL, "cmd":
    comment=3, number of ACL entries, "nentries":
    comment=Access Control List entries

label=AUE_ADJTIME
  format=kernel

label=AUE_ASYNC_DAEMON
  skip=Not used

label=AUE_ASYNC_DAEMON_EXIT
  skip=Not used

label=AUE_AUDIT
  skip=Not used.  (Placeholder for the set AUE_AUDIT_*.)

label=AUE_AUDITON
  skip=Not used.  (Placeholder for the set AUE_AUDITON_*.)

label=AUE_AUDITON_GESTATE
  skip=Not used

label=AUE_AUDITON_GETAMASK
  format=kernel
  syscall=auditon: GETAMASK

label=AUE_AUDITON_GETCAR
  format=kernel
  syscall=auditon: GETCAR
#       header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
#       subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GETCLASS
  format=kernel
  syscall=auditon: GETCLASS
#       header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
#       subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GETCOND
  format=kernel
  syscall=auditon: GETCOND
#       header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
#       subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GETCWD
  format=kernel
  syscall=auditon: GETCWD
#       header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
#       subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GETKMASK
  format=kernel
  syscall=auditon: GETKMASK
#       header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
#       subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GETSTAT
  format=kernel
  syscall=auditon: A_GETSTAT
#       header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
#       subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GPOLICY
  format=kernel
  syscall=auditon: GPOLICY
#       header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
#       subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_AUDITON_GQCTRL
  format=kernel
  syscall=auditon: GQCTRL
#       header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
#       subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
#       return,success,0
#       trailer,68


label=AUE_AUDITON_GTERMID
  skip=Not used.

label=AUE_AUDITON_SESTATE
  skip=Not used.

label=AUE_AUDITON_SETAMASK
  format=[arg]1:[arg]2
    comment=2, "setamask as_success", user default audit preselection mask:
    comment=2, "setamask as_failure", user default audit preselection mask
  syscall=auditon: SETAMASK

label=AUE_AUDITON_SETCLASS
  format=[arg]1:[arg]2
    comment=2, "setclass&colon;ec_event", event number:
    comment=3, "setclass&colon;ec_class", class mask
  syscall=auditon: SETCLASS
#       header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
#       argument,2,0x0,setclass:ec_event
#       argument,3,0x0,setclass:ec_class
#       subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
#       return,success,0
#       trailer,120

label=AUE_AUDITON_SETCOND
  format=[arg]1
    comment=3, "setcond", audit state
  syscall=auditon: SETCOND

label=AUE_AUDITON_SETKMASK
  format=[arg]1:[arg]2
    comment=2, "setkmask as_success", kernel non-attributable mask:
    comment=2, "setkmask as_failure", kernel non-attributable mask
  syscall=auditon: SETKMASK
#       header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
#       argument,2,0x0,setkmask:as_success
#       argument,2,0x0,setkmask:as_failure
#       subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
#       return,success,0
#       trailer,124
#       header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
#       argument,2,0x0,setkmask:as_success
#       argument,2,0x0,setkmask:as_failure
#       subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,124

label=AUE_AUDITON_SETSMASK
  format=[arg]1:[arg]2
    comment=3, "setsmask&colon;as_success", session ID mask:
    comment=3, "setsmask&colon;as_failure", session ID mask
  syscall=auditon: SETSMASK
#       header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
#       argument,3,0x400,setsmask:as_success
#       argument,3,0x400,setsmask:as_failure
#       subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
#       return,success,0
#       trailer,124
#       header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
#       argument,3,0x400,setsmask:as_success
#       argument,3,0x400,setsmask:as_failure
#       subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,124

label=AUE_AUDITON_SETSTAT
  format=kernel
  syscall=auditon: SETSTAT
#       header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
#       subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
#       return,success,0
#       trailer,68
#       header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
#       subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,68

label=AUE_AUDITON_SETUMASK
  format=[arg]1:[arg]2
    comment=3, "setumask&colon;as_success", audit ID mask:
    comment=3, "setumask&colon;as_failure", audit ID mask
  syscall=auditon: SETUMASK
#       header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
#       argument,3,0x400,setumask:as_success
#       argument,3,0x400,setumask:as_failure
#       subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
#       return,success,0
#       trailer,124
#       header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
#       argument,3,0x400,setumask:as_success
#       argument,3,0x400,setumask:as_failure
#       subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,124

label=AUE_AUDITON_SPOLICY
  format=[arg]1
    comment=1, audit policy flags, "setpolicy"
  syscall=auditon: SPOLICY
#       header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
#       argument,3,0x200,setpolicy
#       subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
#       return,success,0
#       trailer,86
#       header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
#       argument,3,0x200,setpolicy
#       subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,86

label=AUE_AUDITON_SQCTRL
  format=[arg]1:[arg]2:[arg]3:[arg]4
    comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
    comment=3, "setqctrl&colon;aq_lowater", queue control param.:
    comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
    comment=3, "setqctrl&colon;aq_delay", queue control param.
  syscall=auditon: SQCTRL
#       header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
#       argument,3,0x64,setqctrl:aq_hiwater
#       argument,3,0xa,setqctrl:aq_lowater
#       argument,3,0x400,setqctrl:aq_bufsz
#       argument,3,0x14,setqctrl:aq_delay
#       subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
#       return,success,0
#       trailer,176
#       header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
#       argument,3,0x64,setqctrl:aq_hiwater
#       argument,3,0xa,setqctrl:aq_lowater
#       argument,3,0x400,setqctrl:aq_bufsz
#       argument,3,0x14,setqctrl:aq_delay
#       subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,176

label=AUE_AUDITON_STERMID
  skip=Not used.

label=AUE_AUDITSTAT
  skip=Not used.

label=AUE_AUDITSVC
  skip=Not used.

label=AUE_AUDITSYS
  skip=Not used. (Place holder for various auditing events.)

label=AUE_BIND
# differs from documented version.
# cases "no vnode" not fully confirmed
# family and type need argument number
  case=Invalid socket handle
    format=arg1
      comment=1, file descriptor, "so"
  case=If there is no vnode for this file descriptor
  case=or if the socket is not of the AF_INET family
    format=arg1:arg2:arg3
      comment=1, file descriptor, "so":
      comment=1, socket family, "family":
      comment=1, socket type, "type"
  case=or for all other conditions
    format=arg1:inet2
      comment=1, file descriptor, "so":
      comment=socket address

label=AUE_BRANDSYS
# generic mechanism to allow user-space and kernel components of a brand
# to communicate.  The interpretation of the arguments to the call is
# left entirely up to the brand.
  format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
    comment=1, command, "cmd":
    comment=2, command args, "arg":
    comment=3, command args, "arg":
    comment=4, command args, "arg":
    comment=5, command args, "arg":
    comment=6, command args, "arg":
    comment=7, command args, "arg"

label=AUE_BSMSYS
  skip=Not used.

label=AUE_CHDIR
  format=path:[attr]
#       header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
#       path,/export/home/CC_final/icenine/arv/chdir/obj_succ
#       attribute,40777,root,other,8388608,231558,0
#       subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
#       return,success,0
#       trailer,151
#       header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
#       path,/export/home/CC_final/icenine/arv/chdir/obj_fail
#       attribute,40000,root,other,8388608,237646,0
#       subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
#       return,failure: Permission denied,-1
#       trailer,151

label=AUE_CHMOD
  format=arg1:path:[attr]
    comment=2, mode, "new file mode"
#       header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
#       argument,2,0x1f8,new file mode
#       path,/export/home/CC_final/icenine/arv/chmod/obj_succ
#       attribute,100770,tuser10,other,8388608,243608,0
#       subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
#       return,success,0
#       trailer,173
#       header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
#       argument,2,0x1f8,new file mode
#       path,/export/home/CC_final/icenine/arv/chmod/obj_fail
#       attribute,100600,root,other,8388608,243609,0
#       subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,173

label=AUE_CHOWN
  format=arg1:arg2
    comment=2, uid, "new file uid":
    comment=3, gid, "new file gid"
#       header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
#       argument,2,0x271a,new file uid
#       argument,3,0xffffffff,new file gid
#       path,/export/home/CC_final/icenine/arv/chown/obj_succ
#       attribute,100644,tuser10,other,8388608,268406,0
#       subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
#       return,success,0
#       trailer,193
#       header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
#       argument,2,0x271a,new file uid
#       argument,3,0xffffffff,new file gid
#       path,/export/home/CC_final/icenine/arv/chown/obj_fail
#       attribute,100644,root,other,8388608,268407,0
#       subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,193

label=AUE_CHROOT
  format=path:[attr]
#       header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
#       path,/
#       attribute,40755,root,root,8388608,2,0
#       subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
#       return,success,0
#       trailer,104
#       header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
#       path,/export/home/CC_final/icenine/arv/chroot/obj_fail
#       attribute,40777,tuser10,other,8388608,335110,0
#       subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,152

label=AUE_CLOCK_SETTIME
  format=kernel

label=AUE_CLOSE
  format=arg1:[path]:[attr]
    comment=1, file descriptor, "fd"

label=AUE_CONFIGKSSL
  case=Adding KSSL entry.
    format=text1:inaddr2:text3:text4
      comment=opcode, KSSL_ADD_ENTRY:
      comment=local IP address:
      comment=SSL port number:
      comment=proxy port number
  case=Deleting KSSL entry.
    format=text1:inaddr2:text3
      comment=opcode, KSSL_DELETE_ENTRY:
      comment=local IP address:
      comment=SSL port number

label=AUE_CONNECT
# cases "no vnode" not fully confirmed
  case=If there is no vnode for this file descriptor
  case=If the socket address is not part of the AF_INET family
    format=arg1:arg2:arg3
      comment=1, file descriptor, "so":
      comment=1, socket family, "family":
      comment=1, socket type, "type"
  case=If the socket address is part of the AF_INET family
    format=arg1:inet2
      comment=1, file descriptor, "so":
      comment=socket address

label=AUE_CORE
  syscall=none
  title=process dumped core
  see=none
  format=path:[attr]:arg1
    comment=1, signal, "signal"
# see uts/common/c2/audit.c

label=AUE_CREAT
# obsolete - see open(2)
  format=path:[attr]
# does not match old BSM manual
#       header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
#       path,/export/home/CC_final/icenine/arv/creat/obj_succ
#       attribute,100644,tuser10,other,8388608,49679,0
#       subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
#       return,success,8
#       trailer,151
#       header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
#       path,/devices/pseudo/mm@0:null
#       subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
#       return,success,8
#       trailer,107
#       header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
#       path,/obj_fail
#       subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
#       return,failure: Permission denied,-1
#       trailer,83

label=AUE_CRYPTOADM
  title=kernel cryptographic framework
  format=text1:(0..n)[text]2
  comment=cryptoadm command/operation:
  comment=mechanism list

label=AUE_DOORFS
  skip=Not used.  (Place holder for set of door audit events.)

label=AUE_DOORFS_DOOR_BIND
  skip=Not used.
  syscall=doorfs:  DOOR_BIND

label=AUE_DOORFS_DOOR_CALL
  format=arg1:proc2
    comment=1, door ID, "door ID":
    comment=for process that owns the door
  syscall=doorfs:  DOOR_CALL

label=AUE_DOORFS_DOOR_CREATE
  format=arg1
    comment=1, door attributes, "door attr"
  syscall=doorfs:  DOOR_CREATE

label=AUE_DOORFS_DOOR_CRED
  skip=Not used.
  syscall=doorfs:  DOOR_CRED

label=AUE_DOORFS_DOOR_INFO
  skip=Not used.
  syscall=doorfs:  DOOR_INFO

label=AUE_DOORFS_DOOR_RETURN
  format=kernel
  syscall=doorfs:  DOOR_RETURN

label=AUE_DOORFS_DOOR_REVOKE
  format=arg1
    comment=1, door ID, "door ID"
  syscall=doorfs:  DOOR_REVOKE

label=AUE_DOORFS_DOOR_UNBIND
  skip=Not used.
  syscall=doorfs:  DOOR_UNBIND

label=AUE_DUP2
skip=Not used.

label=AUE_ENTERPROM
  title=enter prom
  syscall=none
  format=head:text1:ret
    comment="kmdb"
#       header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
#       text,kmdb
#       return,success,0

label=AUE_EXEC
# obsolete - see execve(2)
  format=path:[attr]1:[exec_args]2:[exec_env]3
    comment=omitted on error:
    comment=output if argv policy is set:
    comment=output if arge policy is set

label=AUE_EXECVE
  format=path:[attr]1:[exec_args]2:[exec_env]3
    comment=omitted on error:
    comment=output if argv policy is set:
    comment=output if arge policy is set
#       header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
#       path,/devices/pseudo/mm@0:null
#       subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
#       return,success,8
#       trailer,107
#       header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
#       path,/usr/bin/pig
#       subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
#       return,failure: No such file or directory,-1
#       trailer,86

label=AUE_PFEXEC
  format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
    comment=pathname of the executable:
    comment=pathname of working directory:
    comment=privileges if the limit or inheritable set are changed:
    comment=process if ruid, euid, rgid or egid is changed:
    comment=output if arge policy is set

label=AUE_sudo
  format=exec_args1:[text]2
    comment=command args:
    comment=error message (failure only)

label=AUE_EXIT
  format=arg1:[text]2
    comment=1, exit status, "exit status":
    comment=event aborted

label=AUE_EXITPROM
  title=exit prom
  syscall=none
  format=head:text1:ret
    comment="kmdb"
#       header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
#       text,kmdb
#       return,success,0

label=AUE_EXPORTFS
  skip=Not used.

label=AUE_FACCESSAT
# obsolete
  see=access(2)
  format=path:[attr]

label=AUE_FACLSET
  syscall=facl
  case=Invalid file descriptor
    format=arg1:arg2
      comment=2, SETACL, "cmd":
      comment=3, number of ACL entries, "nentries"
  case=Zero path
    format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
      comment=2, SETACL, "cmd":
      comment=3, number of ACL entries, "nentries":
      comment=1, file descriptor, "no path&colon; fd":
      comment=ACLs
  case=Non-zero path
    format=arg1:arg2:path:[attr]:(0..n)[acl]3
      comment=2, SETACL, "cmd":
      comment=3, number of ACL entries, "nentries":
      comment=ACLs

label=AUE_FCHDIR
  format=[path]:[attr]
#       header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
#       path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
#       attribute,40777,tuser10,other,8388608,207662,0
#       subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
#       return,success,0
#       trailer,150
#       header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
#       subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
#       return,failure: Permission denied,-1
#       trailer,68

label=AUE_FCHMOD
  case=With a valid file descriptor and path
    format=arg1:path:[attr]
      comment=2, mode, "new file mode"
  case=With a valid file descriptor and invalid path
    format=arg1:[arg]2:[attr]
      comment=2, mode, "new file mode":
      comment=1, file descriptor, "no path&colon; fd"
  case=With an invalid file descriptor
    format=arg1
      comment=2, mode, "new file mode"
#       header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
#       argument,2,0x1a4,new file mode
#       path,/export/home/CC/icenine/arv/fchmod/obj_succ
#       attribute,100644,tuser10,other,7602240,26092,0
#       subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
#       return,success,0
#       trailer,168
#       header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
#       argument,2,0x1a4,new file mode
#       subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
#       return,failure: Bad file number,-1
#       trailer,90
#       header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
#       argument,2,0x1a4,new file mode
#       path,/export/home/CC/icenine/arv/fchmod/obj_fail
#       attribute,100644,root,other,7602240,26093,0
#       subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
#       return,failure: Not owner,-1
#       trailer,168

label=AUE_FCHOWN
  case=With a valid file descriptor
    format=arg1:arg2:[path]:[attr]
      comment=2, uid, "new file uid":
      comment=3, gid, "new file gid"
  case=With an invalid file descriptor
    format=arg1:arg2:[arg]3:[attr]
       comment=2, uid, "new file uid":
       comment=3, gid, "new file gid":
       comment=1, file descriptor, "no path fd"

label=AUE_FCHOWNAT
# obsolete
  see=openat(2)
  case=With a valid absolute/relative file path 
    format=path:[attr]
  case=With an file path eq. NULL and valid file descriptor
    format=kernel

label=AUE_FCHROOT
  format=[path]:[attr]
# fchroot -> chdirec -> audit_chdirec

label=AUE_FCNTL
  case=With a valid file descriptor
    format=arg1:[arg]2:path:attr
      comment=2, command, "cmd":
      comment=3, flags, "flags"
  case=With an invalid file descriptor
    format=arg1:[arg]2:arg3
      comment=2, command, "cmd":
      comment=3, flags, "flags":
      comment=1, file descriptor, "no path fd"
  note=Flags are included only when cmd is F_SETFL.

label=AUE_FLOCK
  skip=Not used.

label=AUE_FORKALL
  format=[arg]1
    comment=0, pid, "child PID"
  note=The forkall(2) return values are undefined because the audit record 
  note=is produced at the point that the child process is spawned.
# see audit.c

label=AUE_FORK1
  format=[arg]1
    comment=0, pid, "child PID"
  note=The fork1(2) return values are undefined because the audit record 
  note=is produced at the point that the child process is spawned.
# see audit.c

label=AUE_FSAT
# obsolete
  skip=Not used.  (Placeholder for AUE_*AT records)

label=AUE_FSTAT
  skip=Not used.

label=AUE_FSTATAT
# obsolete
  format=path:[attr]

label=AUE_FSTATFS
  case=With a valid file descriptor
    format=[path]:[attr]
  case=With an invalid file descriptor
    format=arg1
      comment=1, file descriptor, "no path fd"

label=AUE_FTRUNCATE
  skip=Not used.

label=AUE_FUSERS
  syscall=utssys: UTS_FUSERS
  format=path:attr

label=AUE_FUTIMESAT
# obsolete
  format=[path]:[attr]

label=AUE_GETAUDIT
  format=kernel
#       header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
#       subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
#       return,success,0
#       trailer,68
#       header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
#       subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
#       return,success,0
#       trailer,68

label=AUE_GETAUDIT_ADDR
  format=kernel
#       header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
#       subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
#       return,success,0

label=AUE_GETAUID
  format=kernel
#       header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
#       subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
#       return,success,0
#       trailer,68
#       header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
#       subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
#       return,failure: Not owner,-1
#       trailer,68

label=AUE_GETDENTS
  skip=Not used.
#Not security relevant

label=AUE_GETKERNSTATE
  skip=Not used.

label=AUE_GETMSG
  case=With a valid file descriptor
  format=arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
  case=With an invalid file descriptor
  format=arg1:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"

label=AUE_GETPMSG
  case=With a valid file descriptor
  format=arg1:[path]:attr
    comment=1, file descriptor, "fd"
  case=With an invalid file descriptor
  format=arg1
    comment=1, file descriptor, "fd"

label=AUE_GETPORTAUDIT
  format=Not used.

label=AUE_GETUSERAUDIT
  skip=Not used.

label=AUE_INST_SYNC
  format=arg1
    comment=2, flags value, "flags"

label=AUE_IOCTL
  case=With an invalid file descriptor
    format=arg1:arg2:arg3
      comment=1, file descriptor, "fd":
      comment=2, command, "cmd":
      comment=3, arg, "arg"
  case=With a valid file descriptor
    format=path:[attr]:arg1:arg2
      comment=2, ioctl cmd, "cmd":
      comment=3, ioctl arg, "arg"
  case=Non-file file descriptor
    format=arg1:arg2:arg3
      comment=1, file descriptor, "fd":
      comment=2, ioctl cmd, "cmd":
      comment=3, ioctl arg, "arg"
  case=Bad file name
    format=arg1:arg2:arg3
      comment=1, file descriptor, "no path&colon; fd":
      comment=2, ioctl cmd, "cmd":
      comment=3, ioctl arg, "arg"
# old BSM manual misses a case

label=AUE_JUNK
  skip=Not used.

label=AUE_KILL
  case=Valid process
    format=arg1:[proc]
      comment=2, signo, "signal"
  case=Zero or negative process
    format=arg1:arg2
      comment=2, signo, "signal":
      comment=1, pid, "process"

label=AUE_KILLPG
  skip=Not used.

label=AUE_LCHOWN
  format=arg1:arg2:path:[attr]
    comment=2, uid, "new file uid":
    comment=3, gid, "new file gid"

label=AUE_LINK
  format=path1:[attr]:path2
     comment=from path:
     comment=to path

label=AUE_LSEEK
  skip=Not used.

label=AUE_LSTAT
  format=path:[attr]

label=AUE_LXSTAT
# obsolete
  skip=Not used.

label=AUE_MCTL
  skip=Not used.

label=AUE_MEMCNTL
  format=arg1:arg2:arg3:arg4:arg5:arg6
    comment=1, base address, "base":
    comment=2, length, "len":
    comment=3, command, "cmd":
    comment=4, command args, "arg":
    comment=5, command attributes, "attr":
    comment=6, 0, "mask"

label=AUE_MKDIR
  format=arg1:path:[attr]
    comment=2, mode, "mode"

label=AUE_MKNOD
  format=arg1:arg2:path:[attr]
    comment=2, mode, "mode":
    comment=3, dev, "dev"

label=AUE_MMAP
  case=With a valid file descriptor
    format=arg1:arg2:[path]3:[attr]
      comment=1, segment address, "addr":
      comment=2, segment address, "len":
      comment=if no path, then argument&colon; \
        1, "nopath&colon; fd", file descriptor
  case=With an invalid file descriptor
    format=arg1:arg2:arg3
      comment=1, segment address, "addr":
      comment=2, segment address, "len":
      comment=1, file descriptor, "no path&colon; fd"

label=AUE_MODADDMAJ
  title=modctl: bind module
  syscall=modctl
  format=[text]1:[text]2:text3:arg4:(0..n)[text]5
    comment=driver major number:
    comment=driver name:
    comment=driver major number or "no drvname":
    comment=5, number of aliases, "":
    comment=aliases

label=AUE_MODADDPRIV
  format=kernel

label=AUE_MODCONFIG
  skip=Not used.

label=AUE_MODCTL
  skip=Not used. (placeholder)

label=AUE_MODDEVPLCY
  syscall=modctl
  title=modctl: set device policy
  case=If unknown minor name/pattern
    format=arg1:arg2:arg3:arg4:arg5
      comment=2, "major", major number:
      comment=2, "lomin", low minor number, if known:
      comment=2, "himin", hi minor number, if known:
      comment=privileges required for reading:
      comment=privileges required for writing
  case=else
    format=arg1:text2:arg3:arg4
      comment=2, "major", major number:
      comment=minor name/pattern:
      comment=privileges required for reading:
      comment=privileges required for writing

label=AUE_MODLOAD
  syscall=modctl
  title=modctl: load module
  format=[text]1:text2
    comment=default path:
    comment=filename path

label=AUE_MODUNLOAD
  syscall=modctl
  title=modctl: unload module
  format=arg1
    comment=1, module ID, "id"

label=AUE_MOUNT
  case=UNIX file system
    format=arg1:text2:path:[attr]
      comment=3, flags, "flags":
      comment=filesystem type
  case=NFS file system
    format=arg1:text2:text3:arg4:path:[attr]
      comment=3, flags, "flags":
      comment=filesystem type:
      comment=host name:
      comment=3, flags, "internal flags"
# unix example:
#       header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
#       argument,3,0x104,flags
#       text,ufs
#       path,/var2
#       attribute,40755,root,root,32,12160,0
#       path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
#       attribute,60640,root,sys,32,231268,137438953476
#       subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
#       return,success,4290707268
#                      ^^^^^^^^^^         <- bugid 4333559

label=AUE_MSGCTL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc

label=AUE_MSGCTL_RMID
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
  syscall=msgctl: IPC_RMID
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc

label=AUE_MSGCTL_SET
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
  syscall=msgctl: IPC_SET
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc

label=AUE_MSGCTL_STAT
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
  syscall=msgctl: IPC_STAT
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc

label=AUE_MSGGET
  format=arg1:ipc
    comment=1, message key, "msg key"
  note=ipc_perm
  syscall=msgget

label=AUE_MSGGETL
  skip=Not used.

label=AUE_MSGRCV
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
  syscall=msgrcv
# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc

label=AUE_MSGRCVL
  skip=Not used.

label=AUE_MSGSND
  format=arg1:[ipc]:[ipc_perm]
    comment=1, message ID, "msg ID"
  note=ipc_perm
  syscall=msgsnd
# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc

label=AUE_MSGSNDL
  skip=Not used.

label=AUE_MSGSYS
skip=Not used.  (Placeholder for AUE_MSG* events.)

label=AUE_MUNMAP
  format=arg1:arg2
    comment=1, address of memory, "addr":
    comment=2, memory segment size, "len"

label=AUE_NFS
  skip=Not used.

label=AUE_NFSSVC_EXIT
  skip=Not used.

label=AUE_NFS_GETFH
  skip=Not used.

label=AUE_NFS_SVC
  skip=Not used.

label=AUE_NICE
  format=kernel

label=AUE_NULL
  skip=Not used.  (placeholder)
# used internal to audit_event.c for minimal audit

label=AUE_NTP_ADJTIME
  format=kernel

label=AUE_ONESIDE
  skip=Not used.

label=AUE_OPEN
  skip=Not used.  (placeholder for AUE_OPEN_*).

label=AUE_OPEN_R
  format=path:[path_attr]:[attr]
  see=open(2) - read

label=AUE_OPENAT_R
# obsolete
  format=path:[path_attr]:[attr]
  see=openat(2)

label=AUE_OPEN_RC
  format=path:[path_attr]:[attr]
  see=open(2) - read,creat

label=AUE_OPENAT_RC
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_RT
  format=path:[path_attr]:[attr]
  see=open(2) - read,trunc

label=AUE_OPENAT_RT
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_RTC
  format=path:[path_attr]:[attr]
  see=open(2) - read,trunc,creat

label=AUE_OPENAT_RTC
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_RW
  format=path:[path_attr]:[attr]
  see=open(2) - read,write

label=AUE_OPENAT_RW
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]
# aui_fsat(): fm & O_RDWR 

label=AUE_OPEN_RWC
  format=path:[path_attr]:[attr]
  see=open(2) - read,write,creat

label=AUE_OPENAT_RWC
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_RWT
  format=path:[path_attr]:[attr]
  see=open(2) - read,write,trunc

label=AUE_OPENAT_RWT
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_RWTC
  format=path:[path_attr]:[attr]
  see=open(2) - read,write,trunc,creat

label=AUE_OPENAT_RWTC
# obsolete
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_W
  format=path:[path_attr]:[attr]
  see=open(2) - write

label=AUE_OPENAT_W
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_WC
  format=path:[path_attr]:[attr]
  see=open(2) - write,creat

label=AUE_OPENAT_WC
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_WT
  format=path:[path_attr]:[attr]
  see=open(2) - write,trunc

label=AUE_OPENAT_WT
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_WTC
  format=path:[path_attr]:[attr]
  see=open(2) - write,trunc,creat

label=AUE_OPENAT_WTC
  see=openat(2)
  format=path:[path_attr]:[attr]

label=AUE_OPEN_S
  format=path:[path_attr]:[attr]
  see=open(2) - search

label=AUE_OPEN_E
  format=path:[path_attr]:[attr]
  see=open(2) - exec

label=AUE_OSETPGRP
  skip=Not used.

label=AUE_OSTAT
# obsolete
  skip=Not used.

label=AUE_PATHCONF
  format=path:[attr]

label=AUE_PIPE
format=kernel
# class is no, not usually printed

label=AUE_PORTFS
  skip=Not used (placeholder for AUE_PORTFS_*).

label=AUE_PORTFS
  skip=Not used (placeholder for AUE_PORTFS_*).

label=AUE_PORTFS_ASSOCIATE
  syscall=portfs
  see=port_associate(3C)
  case=Port association via PORT_SOURCE_FILE
  format=[path]1:attr
    comment=name of the file/directory to be watched

label=AUE_PORTFS_DISSOCIATE
  syscall=portfs
  see=port_dissociate(3C)
  case=Port disassociation via PORT_SOURCE_FILE
  format=kernel

label=AUE_PRIOCNTLSYS
  syscall=priocntl
  see=priocntl(2)
  format=arg1:arg2
    comment=1, priocntl version number, "pc_version":
    comment=3, command, "cmd"

label=AUE_PROCESSOR_BIND
  case=No LWP/thread bound to the processor
    format=arg1:arg2:text3:[proc]
      comment=1, type of ID, "ID type":
      comment=2, ID value, "ID":
      comment="PBIND_NONE"
  case=With processor bound
    format=arg1:arg2:arg3:[proc]
      comment=1, type of ID, "ID type":
      comment=2, ID value, "ID":
      comment=3, processor ID, "processor_id"

label=AUE_PUTMSG
  see=putmsg(2)
  format=arg1:[path]:[attr]:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"

label=AUE_PUTPMSG
  see=putpmsg(2)
  format=arg1:[path]:[attr]:arg2:arg3
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri":   
    comment=5, flags, "flags"

label=AUE_P_ONLINE
  format=arg1:arg2:text3
    comment=1, processor ID, "processor ID":
    comment=2, flags value, "flags":
    comment=text form of flags.  Values&colon;  \
      P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS

label=AUE_QUOTACTL
  skip=Not used.

label=AUE_READ
  skip=Not used.  (Placeholder for AUE_READ_* events)

label=AUE_READL
  skip=Not used. (Obsolete)

label=AUE_READLINK
  format=path:[attr]

label=AUE_READV
  skip=Not used (obsolete)
# detritus from CMS

label=AUE_READVL
  skip=Not used (obsolete)
# detritus from CMS

label=AUE_REBOOT
  skip=Not used.

label=AUE_RECV
  case=If address family is AF_INET or AF_INET6
    format=[arg]1:[inet]
      comment=1, file descriptor, "so"
  case=If address family is AF_UNIX and path is defined
    format=[path]1:[attr]
      comment=1, file descriptor, "so"
  case=If address family is AF_UNIX and path is NULL
    format=[path]1:[attr]
      comment=1, file descriptor, "no path&colon; fd"
  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
    format=[arg]1:[arg]2:[arg]3
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type"
# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])

label=AUE_RECVFROM
  format=inet:arg1:[arg]2:inet3:arg4
    comment=3, message length, "len":
    comment=4, flags, "flags":
    comment=from address:
    comment=6, address length, "tolen"
  note=The socket token for a bad socket is reported as "argument 
  note=token (1, socket descriptor, "fd")"

label=AUE_RECVMSG
  case=If invalid file descriptor
    format=arg1:arg2
      comment=1, file descriptor, "so":
      comment=3, flags, "flags"
  case=If valid file descriptor and socket is AF_UNIX and no path
  format=arg1:[attr]
    comment=1, file descriptor, "no path&colon; fd"
  case=If valid file descriptor and socket is AF_UNIX and path defined
  format=path:attr
  case=If valid file descriptor and socket is AF_INET or AF_INET6
  case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
  format=arg1:arg2:inet
    comment=1, file descriptor, "so":
    comment=2, flags, "flags"
  case=.. if socket type is unknown
  format=arg1:arg2:arg3:arg4
    comment=1, file descriptor, "so":
    comment=1, family, "family":
    comment=1, type, "type":
    comment=3, flags, "flags"

label=AUE_RENAME
  format=path1:[attr]1:[path]2
  comment=from name:
  comment=to name

label=AUE_RENAMEAT
# obsolete
  format=path1:[attr]1:[path]2
  comment=from name:
  comment=to name

label=AUE_RFSSYS
  skip=Not used.
# apparently replaced

label=AUE_RMDIR
  format=path:[attr]

label=AUE_SEMCTL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_GETALL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: GETALL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_GETNCNT
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: GETNCNT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_GETPID
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: GETPID
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_GETVAL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: GETVAL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_GETZCNT
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: GETZCNT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_RMID
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: IPC_RMID
# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_SET
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: IPC_SET
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_SETALL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: SETALL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_SETVAL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: SETVAL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMCTL_STAT
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
  syscall=semctl: IPC_STAT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc

label=AUE_SEMGET
  format=arg1:[ipc_perm]:ipc
    comment=1, semaphore ID, "sem key"
  note=ipc_perm
  syscall=semctl: SETVAL
# ipc_perm token: semget -> audit_ipcget

label=AUE_SEMGETL
  skip=Not used.

label=AUE_SEMOP
  format=arg1:[ipc]:[ipc_perm]
    comment=1, semaphore ID, "sem ID"
  note=ipc_perm
# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc

label=AUE_SEMSYS
  skip=Not used.  (place holder) -- defaults to a semget variant

label=AUE_SEND
  case=If address family is AF_INET or AF_INET6
    format=[arg]1:[inet]
      comment=1, file descriptor, "so"
  case=If address family is AF_UNIX and path is defined
    format=[path]1:[attr]
      comment=1, file descriptor, "so"
  case=If address family is AF_UNIX and path is NULL
    format=[path]1:[attr]
      comment=1, file descriptor, "no path&colon; fd"
  case=If address family is other than AF_UNIX, AF_INET, AF_INET6
    format=[arg]1:[arg]2:[arg]3
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type"
# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])

label=AUE_SENDMSG
  case=If invalid file descriptor
    format=arg1:arg2
      comment=1, file descriptor, "so":
      comment=3, flags, "flags"
  case=If valid file descriptor
  case=...and address family is AF_UNIX and path is defined
    format=path:attr
  case=...and address family is AF_UNIX and path is NULL
    format=path1:attr
      comment=1, file descriptor, "nopath&colon; fd"
  case=...and address family is AF_INET or AF_INET6, \
    socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
    format=arg1:arg2:inet
      comment=1, file descriptor, "so":
      comment=3, flags, "flags"
  case=...and unknown address family or address family AF_INET or AF_INET6 \
    and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
    format=arg1:arg2:arg3:arg4
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type":
      comment=1, flags, "flags"

label=AUE_SENDTO
  case=If invalid file descriptor
    format=arg1:arg2
      comment=1, file descriptor, "so":
      comment=3, flags, "flags"
  case=If valid file descriptor
  case=...and socket is AF_UNIX and path is defined
    format=path:attr
  case=...and address family is AF_UNIX and path is NULL
    format=path1:attr
      comment=1, file descriptor, "nopath&colon; fd"
  case=...and address family is AF_INET or AF_INET6
    format=arg1:arg2:inet
      comment=1, file descriptor, "so":
      comment=3, flags, "flags"
  case=...and unknown address family
    format=arg1:arg2:arg3:arg4
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type":
      comment=1, flags, "flags"

label=AUE_SETAUDIT
  case=With a valid program stack address
    format=arg1:arg2:arg3:arg4:arg5:arg6
      comment=1, audit user ID, "setaudit&colon;auid":
      comment=1, terminal ID, "setaudit&colon;port":
      comment=1, terminal ID, "setaudit&colon;machine":
      comment=1, preselection mask, "setaudit&colon;as_success":
      comment=1, preselection mask, "setaudit&colon;as_failure":
      comment=1, audit session ID, "setaudit&colon;asid"
  case=With an invalid program stack address
    format=kernel
#       header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
#       argument,1,0x271a,setaudit:auid
#       argument,1,0x3ff0201,setaudit:port
#       argument,1,0x8192591e,setaudit:machine
#       argument,1,0x400,setaudit:as_success
#       argument,1,0x400,setaudit:as_failure
#       argument,1,0x16f,setaudit:asid
#       subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
#       return,success,0
#       trailer,215
#       header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
#       argument,1,0x271a,setaudit:auid
#       argument,1,0x3ff0201,setaudit:port
#       argument,1,0x8192591e,setaudit:machine
#       argument,1,0x400,setaudit:as_success
#       argument,1,0x400,setaudit:as_failure
#       argument,1,0x16f,setaudit:asid
#       subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
#       return,success,0
#       trailer,215

label=AUE_SETAUDIT_ADDR
  case=With a valid program stack address
    format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
      comment=1, audit user ID, "auid":
      comment=1, terminal ID, "port":
      comment=1, type, "type":
      comment=1, terminal ID, "ip address":
      comment=1, preselection mask, "as_success":
      comment=1, preselection mask, "as_failure":
      comment=1, audit session ID, "asid"
  case=With an invalid program stack address
    format=kernel
#       header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
#       argument,1,0x15fa7,auid
#       argument,1,0x0,port
#       argument,1,0x4,type
#       ip address,tmach2
#       argument,1,0x9c00,as_success
#       argument,1,0x9c00,as_failure
#       argument,1,0x1f1,asid
#       subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
#       return,success,0

label=AUE_SETAUID
  format=arg1
    comment=2, audit user ID, "setauid"

label=AUE_SETDOMAINNAME
  skip=Not used.  (See AUE_SYSINFO)
# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN

label=AUE_SETEGID
  format=arg1
    comment=1, group ID, "gid"

label=AUE_SETEUID
  format=arg1
    comment=1, user ID, "euid"

label=AUE_SETGID
  format=arg1
    comment=1, group ID, "gid"

label=AUE_SETGROUPS
  note=If more than NGROUPS_MAX_DEFAULT groups listed,
  note=no tokens are generated.
  case=If no groups in list
    format=[arg]1
      comment=1, 0, "setgroups"
  case=If 1 or more groups in list
    format=(1..n)arg1
      comment=1, gid, "setgroups"

label=AUE_SETHOSTNAME
  skip=Not used.  (See AUE_SYSINFO)
# See sysinfo call with command SI_SET_HOSTNAME

label=AUE_SETKERNSTATE
  skip=Not used.

label=AUE_SETPGID
  format=[proc]:[arg]1
  comment=2, pgid, "pgid"

label=AUE_SETPGRP
  format=kernel

label=AUE_SETPRIORITY
  skip=Not used.

label=AUE_SETPPRIV
  case=operation privileges off
  format=arg1:privset2
    comment=setppriv operation:
    comment=privileges actually switched off
  case=operation privileges on
  format=arg1:privset2
    comment=setppriv operation:
    comment=privileges actually switched on
  case=operation privileges off
  format=arg1:privset2:privset3
    comment=setppriv operation:
    comment=privileges before privset:
    comment=privileges after privset
#header,220,2,settppriv(2),,test1,Mon Oct  6 10:09:05 PDT 2003, + 753 msec
#argument,2,0x2,op
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
#return,success,0

label=AUE_SETREGID
  format=arg1:arg2
    comment=1, real group ID, "rgid":
    comment=2, effective group ID, "egid"

label=AUE_SETREUID
  format=arg1:arg2
    comment=1, real user ID, "ruid":
    comment=2, effective user ID, "euid"

label=AUE_SETRLIMIT
  format=kernel
#       header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
#       subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
#       return,success,0

label=AUE_SETSID
  format=kernel

label=AUE_SETSOCKOPT
  case=Invalid file descriptor
    format=arg1:arg2
      comment=1, file descriptor, "so":
      comment=2, level, "level"
  case=Valid file descriptor
  case=...and socket is AF_UNIX
    format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
      comment=if no path, will be argument&colon; 1, "nopath&colon; fd", \
        file descriptor:
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type":
      comment=2, protocol level, "level":
      comment=3, option name, "optname":
      comment=5, option length, "optlen":
      comment=option data
  case=...and socket is AF_INET or AF_INET6
    format=arg1:arg2:arg3:[arg]4:[data]5:inet
      comment=1, file descriptor, "so":
      comment=2, protocol level, "level":
      comment=3, option name, "optname":
      comment=5, option length, "optlen":
      comment=option data
  case=...and socket adddress family is unknown
    format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
      comment=1, file descriptor, "so":
      comment=1, family, "family":
      comment=1, type, "type":
      comment=2, protocol level, "level":
      comment=3, option name, "optname":
      comment=5, option length, "optlen":
      comment=option data

label=AUE_SETTIMEOFDAY
  skip=Not used.

label=AUE_SETUID
  syscall=setuid
  format=arg1
    comment=1, "uid" to be set

label=AUE_SETUSERAUDIT
  skip=Not used.

label=AUE_SHMAT
  format=arg1:arg2:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID":
    comment=2, shared mem addr, "shm addr"
  note=ipc_perm
# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc

label=AUE_SHMCTL
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc

label=AUE_SHMCTL_RMID
  format=arg1:[ipc]:[ipc_perm]
  comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=semctl:  IPC_RMID
# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc

label=AUE_SHMCTL_SET
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=semctl:  IPC_SET
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc

label=AUE_SHMCTL_STAT
  format=arg1:[ipc]:[ipc_perm]
    comment=1, shared memory ID, "shm ID"
  note=ipc_perm
  syscall=semctl:  IPC_STAT
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc

label=AUE_SHMDT
  format=arg1
    comment=1, shared memory address, "shm adr"

label=AUE_SHMGET
  format=arg1:[ipc_perm]:[ipc]
    comment=0, shared memory key, "shm key"
  note=ipc_perm
# ipc_perm: shmget -> audit_ipcget

label=AUE_SHMGETL
  skip=Not used.

label=AUE_SHMSYS
  skip=Not used.  (Placeholder for shmget and shmctl*)

label=AUE_SHUTDOWN
  case=If the socket address is invalid
    format=[arg]1:[text]2:[text]3
      comment=1, file descriptor, "fd":
      comment=bad socket address:
      comment=bad peer address
  case=If the socket address is part of the AF_INET family
    case=..with zero file descriptor
      format=arg1:[arg]2:[arg]3:[arg]4
        comment=1, file descriptor, "so":
        comment=1, family, "family":
        comment=1, type, "type":
        comment=2, how shutdown code, "how"
    case=...with non-zero file descriptor
      format=arg1:arg2:inet
        comment=1, file descriptor, "so":
        comment=2, how shutdown code, "how"
  case=If the socket address is AF_UNIX
    case=...with zero file descriptor
      format=path1:arg2:[arg]3:[arg]4:[arg]5
        comment=If error&colon; argument&colon; \
          1, "no path&colon; fd", file descriptor:
        comment=1, file descriptor, "so":
        comment=1, family, "family":
        comment=1, type, "type":
        comment=2, how shutdown code, "how"
    case=...with non-zero file descriptor
      format=path1:arg2:arg3:inet
        comment=If error&colon; argument&colon; \
          1, file descriptor, "no path&colon; fd":
        comment=1, file descriptor, "so":
        comment=2, how shutdown code, "how"
#old BSM manual wrong; used audit_event.c

label=AUE_SOCKACCEPT
  syscall=getmsg:  socket accept
  format=inet:arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
# see putmsg and getmsg for record format
# See audit.c for inet token and audit_start.c for other reference

label=AUE_SOCKCONFIG
  format=arg1:arg2:arg3:[path]4
    comment=1, domain address, "domain":
    comment=2, type, "type":
    comment=3, protocol, "protocol":
    comment=If no path&colon;argument -- 3, 0, "devpath"

label=AUE_SOCKCONNECT
  syscall=putmsg:  socket connect
  format=inet:arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
# same as AUE_SOCKACCEPT

label=AUE_SOCKET
  format=arg1:[arg]2:arg3
    comment=1, socket domain, "domain":
    comment=2, socket type, "type":
    comment=3, socket protocol, "protocol"

label=AUE_SOCKETPAIR
  skip=Not used.
# unreferenced

label=AUE_SOCKRECEIVE
  syscall=getmsg
  format=inet:arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
# see AUE_SOCKACCEPT

label=AUE_SOCKSEND
syscall=putmsg
  format=inet:arg1:[path]:attr:arg2
    comment=1, file descriptor, "fd":
    comment=4, priority, "pri"
# see AUE_SOCKACCEPT

label=AUE_STAT
  format=path:[attr]

label=AUE_STATFS
  format=path:[attr]

label=AUE_STATVFS
  format=path:[attr]

label=AUE_STIME
  format=kernel

label=AUE_SWAPON
  skip=Not used.

label=AUE_SYMLINK
  format=path:text1:[attr]
    comment=symbolic link string 

label=AUE_SYSINFO
  note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
  note=are currently audited.
  format=arg1:[text]2
    comment=1, command, "cmd":
    comment=name

label=AUE_SYSTEMBOOT
  title=system booted
  syscall=none
  format=head:text1
    comment="booting kernel"
# see audit_start.c and audit_io.c
# no subject or return / exit token
#       header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
#       text,booting kernel

label=AUE_TRUNCATE
  skip=Not used.

label=AUE_UMOUNT
  syscall=umount: old version
  note=Implemented as call of the newer umount2(2).
  format=path:arg1:[path]:[attr]
    comment=2, mflag value = 0, "flags"

label=AUE_UMOUNT2
  syscall=umount2
  format=path:arg1:[path]:[attr]
    comment=2, mflag value, "flags"

label=AUE_UNLINK
  format=path:[attr]

label=AUE_UNLINKAT
# obsolete
  see=openat(2)
  format=path:[attr]

label=AUE_UNMOUNT
  skip=Not used.

label=AUE_UTIME
# obsolete
  format=path:[attr]

label=AUE_UTIMES
  see=futimens(2)
  format=path:[attr]

label=AUE_VFORK
  format=arg1
    comment=0, pid, "child PID"
  note=The vfork(2) return values are undefined because the audit record is 
  note=produced at the point that the child process is spawned.

label=AUE_VPIXSYS
  skip=Not used.

label=AUE_VTRACE
  skip=Not used.

label=AUE_WRITE
  format=path1:attr
    comment=if no path, argument -- "1, file descriptor, "no path: fd"
  note:An audit record is generated for write only once per file close.

label=AUE_WRITEV
  skip=Not used. (obsolete)

label=AUE_XMKNOD
# obsolete
  skip=Not used.

label=AUE_XSTAT
# obsolete
  skip=Not Used.

label=AUE_PF_POLICY_ADDRULE
  title=Add IPsec policy rule
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_PF_POLICY_DELRULE
  title=Delete IPsec policy rule
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_PF_POLICY_CLONE
  title=Clone IPsec policy
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_PF_POLICY_FLIP
  title=Flip IPsec policy
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_PF_POLICY_FLUSH
  title=Flip IPsec policy rules
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_PF_POLICY_ALGS
  title=Update IPsec algorithms
  see=
  syscall=none
  format=arg1:arg2:[zone]3:[text]4
  comment=Operation applied to active policy (1 is active, 0 is inactive):
  comment=Operation applied to global policy (1 is global, 0 is tunnel):
  comment=affected zone:
  comment=Name of target tunnel

label=AUE_allocate_fail
  program=/usr/sbin/allocate
  title=allocate: allocate-device failure
  format=(0..n)[text]1
    comment=command line arguments
# see audit_allocate.c

label=AUE_allocate_succ
  program=/usr/sbin/allocate
  title=allocate: allocate-device success
  format=(0..n)[text]1
    comment=command line arguments
# see audit_allocate.c

label=AUE_at_create
  program=/usr/bin/at
  title=at: at-create crontab
  format=path

label=AUE_at_delete
  program=/usr/bin/at
  title=at: at-delete atjob (at or atrm)
  format=text1:path
  comment="ancillary file&colon;" filename or "bad format of at-job name"

label=AUE_at_perm
  skip=Not used.
# not referenced outside uevents.h

label=AUE_create_user
  skip=Not used.

label=AUE_cron_invoke
  program=/usr/sbin/cron
  title=cron: cron-invoke at or cron
  case=If issue with account find
  format=text1
    comment="bad user" name or "user <name> account expired"
  case=else
  format=text1:text2
    comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
      or "unknown job type (<job_type_id>)":
    comment=command

label=AUE_crontab_create
  program=/usr/bin/crontab
  title=crontab: crontab created
  format=path
# See audit_crontab.c

label=AUE_crontab_delete
  program=/usr/bin/crontab
  title=crontab: crontab delete
  format=path
# See audit_crontab.c

label=AUE_crontab_mod
  program=/usr/bin/crontab
  title=crontab:  crontab modify
  format=path
# See audit_crontab.c

label=AUE_crontab_perm
  skip=Not used.

label=AUE_deallocate_fail
  program=/usr/sbin/deallocate
  title=deallocate-device failure
  format=(0..n)[text]1
    comment=command line arguments
# See audit_allocate.c

label=AUE_deallocate_succ
  program=/usr/sbin/deallocate
  title=deallocate-device success
  format=(0..n)[text]1
    comment=command line arguments
# See audit_allocate.c

label=AUE_delete_user
  skip=Not used.

label=AUE_disable_user
  skip=Not used.

label=AUE_enable_user
  skip=Not used.

label=AUE_ftpd
  program=/usr/sbin/in.ftpd
  title=in.ftpd
  format=[text]1
    comment=error message
# See audit_ftpd

label=AUE_ftpd_logout
  program=/usr/sbin/in.ftpd
  title=in.ftpd
  format=user
# See audit_ftpd

label=AUE_halt_solaris
  program=/usr/sbin/halt
  title=halt
  format=user
# See audit_halt.c

label=AUE_kadmind_auth
  format=text1:text2:text3
    comment=Op&colon; <requested information>:
    comment=Arg&colon; <argument for Op>:
    comment=Client&colon; <client principal name>
# See audit_kadmin.c / common_audit()

label=AUE_kadmind_unauth
  format=text1:text2:text3
    comment=Op&colon; <requested information>:
    comment=Arg&colon; <argument for Op>:
    comment=Client&colon; <client principal name>
# See audit_kadmin.c / common_audit()

label=AUE_krb5kdc_as_req
  format=text1:text2
    comment=Client&colon; <client principal name>:
    comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_krb5kdc_tgs_req
  format=text1:text2
    comment=Client&colon; <client principal name>:
    comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_krb5kdc_tgs_req_alt_tgt
  format=text1:text2
    comment=Client&colon; <client principal name>:
    comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_krb5kdc_tgs_req_2ndtktmm
  format=text1:text2
    comment=Client&colon; <client principal name>:
    comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()

label=AUE_listdevice_fail
  title=allocate-list devices failure
  program=/usr/sbin/allocate
  format=(0..n)[text]1
    comment=command line arguments
# See audit_allocate.c

label=AUE_listdevice_succ
  title=allocate-list devices success
  program=/usr/sbin/allocate
  format=(0..n)[text]1
    comment=command line arguments
# See audit_allocate.c

label=AUE_modify_user
  skip=Not used.

label=AUE_mountd_mount
  title=mountd: NFS mount
  program=/usr/lib/nfs/mountd
  see=mountd(1M)
  format=text1:path2
    comment=remote client hostname:
    comment=mount dir
# See audit_mountd.c

label=AUE_mountd_umount
  title=mountd: NFS unmount
  program=/usr/lib/nfs/mountd
  format=text1:path2
  comment=remote client hostname:
  comment=mount dir
# See audit_mountd.c

label=AUE_poweroff_solaris
  program=/usr/sbin/poweroff
  title=poweroff
  format=user
# See audit_halt.c

label=AUE_reboot_solaris
  program=/usr/sbin/reboot
  title=reboot
  format=user
# See audit_reboot.c
#       header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
#       subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
#       return,success,0

label=AUE_rexd
  program=/usr/sbin/rpc.rexd
  title=rpc.rexd
  format=[text]1:text2:text3:[text]4:[text]5
    comment=error message (failure only):
    comment="Remote execution requested by&colon;" hostname:
    comment="Username&colon;" username:
    comment="User id&colon;" user ID (failure only):
    comment="Command line&colon;" command attempted
# See audit_rexd.c

label=AUE_rexecd
  program=/usr/sbin/rpc.rexecd
  title=rpc.rexecd
  format=[text]1:text2:text3:text4
    comment=error message (failure only):
    comment="Remote execution requested by&colon;" hostname:
    comment="Username&colon;" username:
    comment="Command line&colon;" command attempted
# See audit_rexecd.c

label=AUE_rshd
  program=/usr/sbin/in.rshd
  title=in.rshd
  format=text1:text2:[text]3:[text]4
    comment="cmd" command:
    comment="remote user" remote user:
    comment="local user" local user:
    comment=failure message
# See audit_rshd.c

label=AUE_shutdown_solaris
  title=shutdown
  program=/usr/ucb/shutdown
  format=user
# See audit_shutdown.c

label=AUE_smserverd
  program=/usr/lib/smedia/rpc.smserverd
  format=[text]1:[text]2
    comment=state change:
    comment=vid, pid, major/minor device
# see usr/src/cmd/smserverd
# code shows a third token, path, but it isn't implemented.

label=AUE_uadmin_solaris
  title=uadmin (obsolete)
  program=
  see=
  format=text1:text2
  comment=function code:
  comment=argument code
# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml

label=AUE_LABELSYS_TNRH
  title=config Trusted Network remote host cache
  see=tnrh(2)
  syscall=labelsys: TSOL_TNRH
  case=With the flush command (cmd=3)
    format=arg1
      comment=1, command, "cmd"
  case=With the load (cmd=1) and delete (cmd=2) commands
    format=arg1:inaddr2:arg3
      comment=1, command, "cmd":
      comment=ip address of host:
      comment=2, prefix length, "prefix len"

label=AUE_LABELSYS_TNRHTP
  title=config Trusted Network remote host template
  see=tnrhtp(2)
  syscall=labelsys: TSOL_TNRHTP
  case=With the flush command (cmd=3)
    format=arg1
      comment=1, command, "cmd"
  case=With the load (cmd=1) and delete (cmd=2) commands
    format=arg1:text2
      comment=1, command, "cmd":
      comment=name of template

label=AUE_LABELSYS_TNMLP
  title=config Trusted Network multi-level port entry
  see=tnmlp(2)
  syscall=labelsys: TSOL_TNMLP
  case=With the flush command (cmd=3)
    format=arg1:text2
      comment=1, command, "cmd":
      comment="shared", or name of zone
  case=With the load (cmd=1) and delete (cmd=2) commands
    format=arg1:text2:arg3:arg4:[arg]5
      comment=1, command, "cmd":
      comment="shared", or name of zone:
      comment=2, protocol number, "proto num":
      comment=2, starting mlp port number, "mlp_port":
      comment=2, ending mlp port number, "mlp_port_upper"