1 # audit_record_attr.txt
2 # Two "#" are comments that are copied to audit_record_attr
3 # other comments are removed.
5 ## Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
9 ## The contents of this file are subject to the terms of the
10 ## Common Development and Distribution License (the "License").
11 ## You may not use this file except in compliance with the License.
13 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
14 ## or http://www.opensolaris.org/os/licensing.
15 ## See the License for the specific language governing permissions
16 ## and limitations under the License.
18 ## When distributing Covered Code, include this CDDL HEADER in each
19 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
20 ## If applicable, add the following below this CDDL HEADER, with the
21 ## fields enclosed by brackets "[]" replaced with your own identifying
22 ## information: Portions Copyright [yyyy] [name of copyright owner]
28 # source file for describing audit records.
30 # This file is in two sections. The first is a list of attribute /
31 # value pairs used to provide shortcuts in annotating the audit
32 # records. The second is the annotation for each audit record.
34 # first section: general attributes
36 # skipClass=<class name of items to skip if only in that class>
37 # skipClass=no # uncomment to filter unused events
39 # token name abbreviations
40 # token=alias:fullname -- short names for key tokens
47 token=exec_args:exec_arguments
48 token=exec_env:exec_environment
53 token=ipc_perm:ipc_perm
54 token=newgroup:newgroups
56 token=path_attr:attribute_path
57 token=privset:privilege
60 token=tid:terminal_adr
61 token=uauth:use_of_authorization
62 token=upriv:use_of_privilege
63 token=user:user_object
65 token=fmri:service_instance
66 token=label:mandatory_label
73 # note names -- certain notes show up repeatedly; collected here
75 # To keep the maximum line length under 80 characters, the
76 # note names (message=) can be defined across multiple lines, each line
77 # except the last one ending with the backslash character.
79 message=ipc_perm:The ipc and ipc_perm tokens are not included if \
80 the message ID is not valid.
83 # basic record pattern ("insert" is where event-specific tokens
86 kernel=head:insert:subj:[upriv]:ret
87 user=head:subj:insert:ret
92 # Most audit records need annotation beyond what is provided by
93 # the files audit_event and audit_class. At a minimum, a record
94 # is represented by a label and a format.
96 # label=record_id like AUE_ACCEPT
99 # there is no end line; a new label= ends the preceding definition
100 # and starts the next.
102 # format values are a list of token names, separated by colons. The
103 # name is either one of the values described above (token=) or is
104 # a value to be taken literally. If a token name ends with a digit,
105 # the digit is an index into an array of comments. In the few cases
106 # where there are no tokens (other than header, subject, return/exit),
107 # use "format=kernel" or "format=user".
109 # comment is an array of strings separated by colons. If comments
110 # are listed on separate lines (recommended for better
111 # readability/maintainability of the file), the preceding comment
112 # must end with a colon. The array starts at 1. (If the comment
113 # contains a colon, use ":" without the quotes.)
115 # case is used to generate alternate descriptions for a given
118 # Constraints - string lengths; bear in mind that any annotation of the
119 # primitives below that is longer than specified will be silently truncated
120 # to the given/defined number of characters by the auditrecord(1M) runtime:
122 # primitive <= max (non-truncated) string length
123 # case <= unlimited; if necessary, text continues on a new line
124 # comment <= unlimited; if necessary, text continues on a new line
126 # note <= unlimited; if necessary, text continues on a new line
131 # token <= 28 (full name)
133 # To keep the maximum line length under 80 characters, one can
134 # define the unlimited primitives across multiple lines, each line except
135 # the last one ending with the backslash character. In addition to the
136 # above, the "format=" record attribute follows the same rule.
139 # AUE_ACCEPT illustrates the use of all the above. Note that
140 # case is not nested; ellipsis (...) is used to give the effect
145 case=Invalid socket file descriptor
147 comment=1, file descriptor, "so"
148 #accept(2) non SOCK_STREAM socket
149 case=If the socket address is not part of the AF_INET family
150 format=arg1:arg2:arg3
151 comment=1, "so", file descriptor:
152 comment="family", so_family:
153 comment="type", so_type
154 case=If the socket address is part of the AF_INET family
155 case=...If there is no vnode for this file descriptor
157 comment=1, file descriptor, "Bad so"
158 #accept(2) SOCK_STREAM socket-not bound
159 case=...or if the socket is not bound
160 format=[arg]1:[inet]2
161 comment=1, file descriptor, "so":
162 comment=local/foreign address (0.0.0.0)
163 case=...or if the socket address length = 0
164 format=[arg]1:[inet]2
165 comment=1, file descriptor, "so":
166 comment=local/foreign address (0.0.0.0)
167 case=...or for all other conditions
169 comment=socket address
172 # au_to_arg32 "so",file descriptor
174 # return <errno != 0>
176 #accept(2) non SOCK_STREAM socket
178 # au_to_arg32 "so", file descriptor
179 # au_to_arg32 "family", so_family
180 # au_to_arg32 "type", so_type
184 #accept(2) SOCK_STREAM socket-not bound
186 # au_to_arg32 "so", file descriptor
187 # au_to_socket_ex local/foreign address (0.0.0.0)
191 #accept(2) SOCK_STREAM socket-bound
193 # au_to_arg32 "so", file descriptor
202 comment=may be truncated in failure case
203 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
204 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
205 # attribute,100777,41416,staff,8388608,402255,0
206 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
210 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
211 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
212 # attribute,100000,root,other,8388608,402257,0
213 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
214 # return,failure: Permission denied,-1
217 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
218 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
219 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
220 # return,failure: No such file or directory,-1
226 comment=1, 0, "accounting off"
229 comment=may be truncated in failure case:
230 comment=omitted if failure
234 format=arg1:arg2:(0..n)[acl]3
235 comment=2, SETACL, "cmd":
236 comment=3, number of ACL entries, "nentries":
237 comment=Access Control List entries
242 label=AUE_ASYNC_DAEMON
245 label=AUE_ASYNC_DAEMON_EXIT
249 skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
252 skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
254 label=AUE_AUDITON_GESTATE
257 label=AUE_AUDITON_GETAMASK
259 syscall=auditon: GETAMASK
261 label=AUE_AUDITON_GETCAR
263 syscall=auditon: GETCAR
264 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
265 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
269 label=AUE_AUDITON_GETCLASS
271 syscall=auditon: GETCLASS
272 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
273 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
277 label=AUE_AUDITON_GETCOND
279 syscall=auditon: GETCOND
280 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
281 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
285 label=AUE_AUDITON_GETCWD
287 syscall=auditon: GETCWD
288 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
289 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
293 label=AUE_AUDITON_GETKMASK
295 syscall=auditon: GETKMASK
296 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
297 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
301 label=AUE_AUDITON_GETSTAT
303 syscall=auditon: A_GETSTAT
304 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
305 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
309 label=AUE_AUDITON_GPOLICY
311 syscall=auditon: GPOLICY
312 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
313 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
317 label=AUE_AUDITON_GQCTRL
319 syscall=auditon: GQCTRL
320 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
321 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
326 label=AUE_AUDITON_GTERMID
329 label=AUE_AUDITON_SESTATE
332 label=AUE_AUDITON_SETAMASK
334 comment=2, "setamask as_success", user default audit preselection mask:
335 comment=2, "setamask as_failure", user default audit preselection mask
336 syscall=auditon: SETAMASK
338 label=AUE_AUDITON_SETCLASS
340 comment=2, "setclass:ec_event", event number:
341 comment=3, "setclass:ec_class", class mask
342 syscall=auditon: SETCLASS
343 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
344 # argument,2,0x0,setclass:ec_event
345 # argument,3,0x0,setclass:ec_class
346 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
350 label=AUE_AUDITON_SETCOND
352 comment=3, "setcond", audit state
353 syscall=auditon: SETCOND
355 label=AUE_AUDITON_SETKMASK
357 comment=2, "setkmask as_success", kernel non-attributable mask:
358 comment=2, "setkmask as_failure", kernel non-attributable mask
359 syscall=auditon: SETKMASK
360 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
361 # argument,2,0x0,setkmask:as_success
362 # argument,2,0x0,setkmask:as_failure
363 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
366 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
367 # argument,2,0x0,setkmask:as_success
368 # argument,2,0x0,setkmask:as_failure
369 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
370 # return,failure: Not owner,-1
373 label=AUE_AUDITON_SETSMASK
375 comment=3, "setsmask:as_success", session ID mask:
376 comment=3, "setsmask:as_failure", session ID mask
377 syscall=auditon: SETSMASK
378 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
379 # argument,3,0x400,setsmask:as_success
380 # argument,3,0x400,setsmask:as_failure
381 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
384 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
385 # argument,3,0x400,setsmask:as_success
386 # argument,3,0x400,setsmask:as_failure
387 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
388 # return,failure: Not owner,-1
391 label=AUE_AUDITON_SETSTAT
393 syscall=auditon: SETSTAT
394 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
395 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
398 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
399 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
400 # return,failure: Not owner,-1
403 label=AUE_AUDITON_SETUMASK
405 comment=3, "setumask:as_success", audit ID mask:
406 comment=3, "setumask:as_failure", audit ID mask
407 syscall=auditon: SETUMASK
408 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
409 # argument,3,0x400,setumask:as_success
410 # argument,3,0x400,setumask:as_failure
411 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
414 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
415 # argument,3,0x400,setumask:as_success
416 # argument,3,0x400,setumask:as_failure
417 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
418 # return,failure: Not owner,-1
421 label=AUE_AUDITON_SPOLICY
423 comment=1, audit policy flags, "setpolicy"
424 syscall=auditon: SPOLICY
425 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
426 # argument,3,0x200,setpolicy
427 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
430 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
431 # argument,3,0x200,setpolicy
432 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
433 # return,failure: Not owner,-1
436 label=AUE_AUDITON_SQCTRL
437 format=[arg]1:[arg]2:[arg]3:[arg]4
438 comment=3, "setqctrl:aq_hiwater", queue control param.:
439 comment=3, "setqctrl:aq_lowater", queue control param.:
440 comment=3, "setqctrl:aq_bufsz", queue control param.:
441 comment=3, "setqctrl:aq_delay", queue control param.
442 syscall=auditon: SQCTRL
443 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
444 # argument,3,0x64,setqctrl:aq_hiwater
445 # argument,3,0xa,setqctrl:aq_lowater
446 # argument,3,0x400,setqctrl:aq_bufsz
447 # argument,3,0x14,setqctrl:aq_delay
448 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
451 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
452 # argument,3,0x64,setqctrl:aq_hiwater
453 # argument,3,0xa,setqctrl:aq_lowater
454 # argument,3,0x400,setqctrl:aq_bufsz
455 # argument,3,0x14,setqctrl:aq_delay
456 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
457 # return,failure: Not owner,-1
460 label=AUE_AUDITON_STERMID
470 skip=Not used. (Placeholder for various auditing events.)
473 # differs from documented version.
474 # cases "no vnode" not fully confirmed
475 # family and type need an argument number
476 case=Invalid socket handle
478 comment=1, file descriptor, "so"
479 case=If there is no vnode for this file descriptor
480 case=or if the socket is not of the AF_INET family
481 format=arg1:arg2:arg3
482 comment=1, file descriptor, "so":
483 comment=1, socket family, "family":
484 comment=1, socket type, "type"
485 case=or for all other conditions
487 comment=1, file descriptor, "so":
488 comment=socket address
491 # generic mechanism to allow user-space and kernel components of a brand
492 # to communicate. The interpretation of the arguments to the call is
493 # left entirely up to the brand.
494 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
495 comment=1, command, "cmd":
496 comment=2, command args, "arg":
497 comment=3, command args, "arg":
498 comment=4, command args, "arg":
499 comment=5, command args, "arg":
500 comment=6, command args, "arg":
501 comment=7, command args, "arg"
508 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
509 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ
510 # attribute,40777,root,other,8388608,231558,0
511 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
514 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
515 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail
516 # attribute,40000,root,other,8388608,237646,0
517 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
518 # return,failure: Permission denied,-1
522 format=arg1:path:[attr]
523 comment=2, mode, "new file mode"
524 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
525 # argument,2,0x1f8,new file mode
526 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ
527 # attribute,100770,tuser10,other,8388608,243608,0
528 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
531 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
532 # argument,2,0x1f8,new file mode
533 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail
534 # attribute,100600,root,other,8388608,243609,0
535 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
536 # return,failure: Not owner,-1
541 comment=2, uid, "new file uid":
542 comment=3, gid, "new file gid"
543 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
544 # argument,2,0x271a,new file uid
545 # argument,3,0xffffffff,new file gid
546 # path,/export/home/CC_final/icenine/arv/chown/obj_succ
547 # attribute,100644,tuser10,other,8388608,268406,0
548 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
551 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
552 # argument,2,0x271a,new file uid
553 # argument,3,0xffffffff,new file gid
554 # path,/export/home/CC_final/icenine/arv/chown/obj_fail
555 # attribute,100644,root,other,8388608,268407,0
556 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
557 # return,failure: Not owner,-1
562 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
564 # attribute,40755,root,root,8388608,2,0
565 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
568 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
569 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail
570 # attribute,40777,tuser10,other,8388608,335110,0
571 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
572 # return,failure: Not owner,-1
575 label=AUE_CLOCK_SETTIME
579 format=arg1:[path]:[attr]
580 comment=1, file descriptor, "fd"
583 case=Adding KSSL entry.
584 format=text1:inaddr2:text3:text4
585 comment=opcode, KSSL_ADD_ENTRY:
586 comment=local IP address:
587 comment=SSL port number:
588 comment=proxy port number
589 case=Deleting KSSL entry.
590 format=text1:inaddr2:text3
591 comment=opcode, KSSL_DELETE_ENTRY:
592 comment=local IP address:
593 comment=SSL port number
596 # cases "no vnode" not fully confirmed
597 case=If there is no vnode for this file descriptor
598 case=If the socket address is not part of the AF_INET family
599 format=arg1:arg2:arg3
600 comment=1, file descriptor, "so":
601 comment=1, socket family, "family":
602 comment=1, socket type, "type"
603 case=If the socket address is part of the AF_INET family
605 comment=1, file descriptor, "so":
606 comment=socket address
610 title=process dumped core
612 format=path:[attr]:arg1
613 comment=1, signal, "signal"
614 # see uts/common/c2/audit.c
617 # obsolete - see open(2)
619 # does not match old BSM manual
620 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
621 # path,/export/home/CC_final/icenine/arv/creat/obj_succ
622 # attribute,100644,tuser10,other,8388608,49679,0
623 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
626 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
627 # path,/devices/pseudo/mm@0:null
628 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
631 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
633 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
634 # return,failure: Permission denied,-1
638 title=kernel cryptographic framework
639 format=text1:(0..n)[text]2
640 comment=cryptoadm command/operation:
641 comment=mechanism list
644 skip=Not used. (Placeholder for the set of door audit events.)
646 label=AUE_DOORFS_DOOR_BIND
648 syscall=doorfs: DOOR_BIND
650 label=AUE_DOORFS_DOOR_CALL
652 comment=1, door ID, "door ID":
653 comment=for process that owns the door
654 syscall=doorfs: DOOR_CALL
656 label=AUE_DOORFS_DOOR_CREATE
658 comment=1, door attributes, "door attr"
659 syscall=doorfs: DOOR_CREATE
661 label=AUE_DOORFS_DOOR_CRED
663 syscall=doorfs: DOOR_CRED
665 label=AUE_DOORFS_DOOR_INFO
667 syscall=doorfs: DOOR_INFO
669 label=AUE_DOORFS_DOOR_RETURN
671 syscall=doorfs: DOOR_RETURN
673 label=AUE_DOORFS_DOOR_REVOKE
675 comment=1, door ID, "door ID"
676 syscall=doorfs: DOOR_REVOKE
678 label=AUE_DOORFS_DOOR_UNBIND
680 syscall=doorfs: DOOR_UNBIND
688 format=head:text1:ret
690 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
695 # obsolete - see execve(2)
696 format=path:[attr]1:[exec_args]2:[exec_env]3
697 comment=omitted on error:
698 comment=output if argv policy is set:
699 comment=output if arge policy is set
702 format=path:[attr]1:[exec_args]2:[exec_env]3
703 comment=omitted on error:
704 comment=output if argv policy is set:
705 comment=output if arge policy is set
706 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
707 # path,/devices/pseudo/mm@0:null
708 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
711 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
713 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
714 # return,failure: No such file or directory,-1
718 format=path1:path2:[privileges]3:[privileges]3:[proc]4:exec_args:[exec_env]5
719 comment=pathname of the executable:
720 comment=pathname of working directory:
721 comment=privileges if the limit or inheritable set are changed:
722 comment=process if ruid, euid, rgid or egid is changed:
723 comment=output if arge policy is set
726 format=exec_args1:[text]2
727 comment=command args:
728 comment=error message (failure only)
732 comment=1, exit status, "exit status":
733 comment=event aborted
738 format=head:text1:ret
740 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
754 case=Invalid file descriptor
756 comment=2, SETACL, "cmd":
757 comment=3, number of ACL entries, "nentries"
759 format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
760 comment=2, SETACL, "cmd":
761 comment=3, number of ACL entries, "nentries":
762 comment=1, file descriptor, "no path: fd":
765 format=arg1:arg2:path:[attr]:(0..n)[acl]3
766 comment=2, SETACL, "cmd":
767 comment=3, number of ACL entries, "nentries":
772 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
773 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
774 # attribute,40777,tuser10,other,8388608,207662,0
775 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
778 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
779 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
780 # return,failure: Permission denied,-1
784 case=With a valid file descriptor and path
785 format=arg1:path:[attr]
786 comment=2, mode, "new file mode"
787 case=With a valid file descriptor and invalid path
788 format=arg1:[arg]2:[attr]
789 comment=2, mode, "new file mode":
790 comment=1, file descriptor, "no path: fd"
791 case=With an invalid file descriptor
793 comment=2, mode, "new file mode"
794 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
795 # argument,2,0x1a4,new file mode
796 # path,/export/home/CC/icenine/arv/fchmod/obj_succ
797 # attribute,100644,tuser10,other,7602240,26092,0
798 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
801 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
802 # argument,2,0x1a4,new file mode
803 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
804 # return,failure: Bad file number,-1
806 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
807 # argument,2,0x1a4,new file mode
808 # path,/export/home/CC/icenine/arv/fchmod/obj_fail
809 # attribute,100644,root,other,7602240,26093,0
810 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
811 # return,failure: Not owner,-1
815 case=With a valid file descriptor
816 format=arg1:arg2:[path]:[attr]
817 comment=2, uid, "new file uid":
818 comment=3, gid, "new file gid"
819 case=With an invalid file descriptor
820 format=arg1:arg2:[arg]3:[attr]
821 comment=2, uid, "new file uid":
822 comment=3, gid, "new file gid":
823 comment=1, file descriptor, "no path fd"
828 case=With a valid absolute/relative file path
830 case=With a file path equal to NULL and a valid file descriptor
835 # fchroot -> chdirec -> audit_chdirec
838 case=With a valid file descriptor
839 format=arg1:[arg]2:path:attr
840 comment=2, command, "cmd":
841 comment=3, flags, "flags"
842 case=With an invalid file descriptor
843 format=arg1:[arg]2:arg3
844 comment=2, command, "cmd":
845 comment=3, flags, "flags":
846 comment=1, file descriptor, "no path fd"
847 note=Flags are included only when cmd is F_SETFL.
854 comment=0, pid, "child PID"
855 note=The forkall(2) return values are undefined because the audit record
856 note=is produced at the point that the child process is spawned.
861 comment=0, pid, "child PID"
862 note=The fork1(2) return values are undefined because the audit record
863 note=is produced at the point that the child process is spawned.
868 skip=Not used. (Placeholder for AUE_*AT records)
878 case=With a valid file descriptor
880 case=With an invalid file descriptor
882 comment=1, file descriptor, "no path fd"
888 syscall=utssys: UTS_FUSERS
897 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
898 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
901 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
902 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
906 label=AUE_GETAUDIT_ADDR
908 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
909 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
914 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
915 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
918 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
919 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
920 # return,failure: Not owner,-1
925 #Not security relevant
927 label=AUE_GETKERNSTATE
931 case=With a valid file descriptor
932 format=arg1:[path]:attr:arg2
933 comment=1, file descriptor, "fd":
934 comment=4, priority, "pri"
935 case=With an invalid file descriptor
937 comment=1, file descriptor, "fd":
938 comment=4, priority, "pri"
941 case=With a valid file descriptor
942 format=arg1:[path]:attr
943 comment=1, file descriptor, "fd"
944 case=With an invalid file descriptor
946 comment=1, file descriptor, "fd"
948 label=AUE_GETPORTAUDIT
951 label=AUE_GETUSERAUDIT
956 comment=2, flags value, "flags"
959 case=With an invalid file descriptor
960 format=arg1:arg2:arg3
961 comment=1, file descriptor, "fd":
962 comment=2, command, "cmd":
963 comment=3, arg, "arg"
964 case=With a valid file descriptor
965 format=path:[attr]:arg1:arg2
966 comment=2, ioctl cmd, "cmd":
967 comment=3, ioctl arg, "arg"
968 case=Non-file file descriptor
969 format=arg1:arg2:arg3
970 comment=1, file descriptor, "fd":
971 comment=2, ioctl cmd, "cmd":
972 comment=3, ioctl arg, "arg"
974 format=arg1:arg2:arg3
975 comment=1, file descriptor, "no path: fd":
976 comment=2, ioctl cmd, "cmd":
977 comment=3, ioctl arg, "arg"
978 # old BSM manual is missing a case
986 comment=2, signo, "signal"
987 case=Zero or negative process
989 comment=2, signo, "signal":
990 comment=1, pid, "process"
996 format=arg1:arg2:path:[attr]
997 comment=2, uid, "new file uid":
998 comment=3, gid, "new file gid"
1001 format=path1:[attr]:path2
1019 format=arg1:arg2:arg3:arg4:arg5:arg6
1020 comment=1, base address, "base":
1021 comment=2, length, "len":
1022 comment=3, command, "cmd":
1023 comment=4, command args, "arg":
1024 comment=5, command attributes, "attr":
1025 comment=6, 0, "mask"
1028 format=arg1:path:[attr]
1029 comment=2, mode, "mode"
1032 format=arg1:arg2:path:[attr]
1033 comment=2, mode, "mode":
1034 comment=3, dev, "dev"
1037 case=With a valid file descriptor
1038 format=arg1:arg2:[path]3:[attr]
1039 comment=1, segment address, "addr":
1040 comment=2, segment address, "len":
1041 comment=if no path, then argument: \
1042 1, "nopath: fd", file descriptor
1043 case=With an invalid file descriptor
1044 format=arg1:arg2:arg3
1045 comment=1, segment address, "addr":
1046 comment=2, segment address, "len":
1047 comment=1, file descriptor, "no path: fd"
1050 title=modctl: bind module
1052 format=[text]1:[text]2:text3:arg4:(0..n)[text]5
1053 comment=driver major number:
1054 comment=driver name:
1055 comment=driver major number or "no drvname":
1056 comment=5, number of aliases, "":
1059 label=AUE_MODADDPRIV
1066 skip=Not used. (placeholder)
1068 label=AUE_MODDEVPLCY
1070 title=modctl: set device policy
1071 case=If unknown minor name/pattern
1072 format=arg1:arg2:arg3:arg4:arg5
1073 comment=2, "major", major number:
1074 comment=2, "lomin", low minor number, if known:
1075 comment=2, "himin", hi minor number, if known:
1076 comment=privileges required for reading:
1077 comment=privileges required for writing
1079 format=arg1:text2:arg3:arg4
1080 comment=2, "major", major number:
1081 comment=minor name/pattern:
1082 comment=privileges required for reading:
1083 comment=privileges required for writing
1087 title=modctl: load module
1088 format=[text]1:text2
1089 comment=default path:
1090 comment=filename path
1094 title=modctl: unload module
1096 comment=1, module ID, "id"
1099 case=UNIX file system
1100 format=arg1:text2:path:[attr]
1101 comment=3, flags, "flags":
1102 comment=filesystem type
1103 case=NFS file system
1104 format=arg1:text2:text3:arg4:path:[attr]
1105 comment=3, flags, "flags":
1106 comment=filesystem type:
1108 comment=3, flags, "internal flags"
1110 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
1111 # argument,3,0x104,flags
1114 # attribute,40755,root,root,32,12160,0
1115 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
1116 # attribute,60640,root,sys,32,231268,137438953476
1117 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
1118 # return,success,4290707268
1119 # ^^^^^^^^^^ <- bugid 4333559
1122 format=arg1:[ipc]:[ipc_perm]
1123 comment=1, message ID, "msg ID"
1125 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1127 label=AUE_MSGCTL_RMID
1128 format=arg1:[ipc]:[ipc_perm]
1129 comment=1, message ID, "msg ID"
1131 syscall=msgctl: IPC_RMID
1132 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1134 label=AUE_MSGCTL_SET
1135 format=arg1:[ipc]:[ipc_perm]
1136 comment=1, message ID, "msg ID"
1138 syscall=msgctl: IPC_SET
1139 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1141 label=AUE_MSGCTL_STAT
1142 format=arg1:[ipc]:[ipc_perm]
1143 comment=1, message ID, "msg ID"
1145 syscall=msgctl: IPC_STAT
1146 # ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
1150 comment=1, message key, "msg key"
1158 format=arg1:[ipc]:[ipc_perm]
1159 comment=1, message ID, "msg ID"
1162 # ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
1168 format=arg1:[ipc]:[ipc_perm]
1169 comment=1, message ID, "msg ID"
1172 # ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
1178 skip=Not used. (Placeholder for AUE_MSG* events.)
1182 comment=1, address of memory, "addr":
1183 comment=2, memory segment size, "len"
1188 label=AUE_NFSSVC_EXIT
1201 skip=Not used. (placeholder)
1202 # used internal to audit_event.c for minimal audit
1204 label=AUE_NTP_ADJTIME
1211 skip=Not used. (placeholder for AUE_OPEN_*).
1214 format=path:[path_attr]:[attr]
1219 format=path:[path_attr]:[attr]
1223 format=path:[path_attr]:[attr]
1224 see=open(2) - read,creat
1229 format=path:[path_attr]:[attr]
1232 format=path:[path_attr]:[attr]
1233 see=open(2) - read,trunc
1238 format=path:[path_attr]:[attr]
1241 format=path:[path_attr]:[attr]
1242 see=open(2) - read,trunc,creat
1244 label=AUE_OPENAT_RTC
1247 format=path:[path_attr]:[attr]
1250 format=path:[path_attr]:[attr]
1251 see=open(2) - read,write
1256 format=path:[path_attr]:[attr]
1257 # aui_fsat(): fm & O_RDWR
1260 format=path:[path_attr]:[attr]
1261 see=open(2) - read,write,creat
1263 label=AUE_OPENAT_RWC
1266 format=path:[path_attr]:[attr]
1269 format=path:[path_attr]:[attr]
1270 see=open(2) - read,write,trunc
1272 label=AUE_OPENAT_RWT
1275 format=path:[path_attr]:[attr]
1278 format=path:[path_attr]:[attr]
1279 see=open(2) - read,write,trunc,creat
1281 label=AUE_OPENAT_RWTC
1284 format=path:[path_attr]:[attr]
1287 format=path:[path_attr]:[attr]
1292 format=path:[path_attr]:[attr]
1295 format=path:[path_attr]:[attr]
1296 see=open(2) - write,creat
1300 format=path:[path_attr]:[attr]
1303 format=path:[path_attr]:[attr]
1304 see=open(2) - write,trunc
1308 format=path:[path_attr]:[attr]
1311 format=path:[path_attr]:[attr]
1312 see=open(2) - write,trunc,creat
1314 label=AUE_OPENAT_WTC
1316 format=path:[path_attr]:[attr]
1319 format=path:[path_attr]:[attr]
1320 see=open(2) - search
1323 format=path:[path_attr]:[attr]
1338 # class is no, not usually printed
1341 skip=Not used (placeholder for AUE_PORTFS_*).
1344 skip=Not used (placeholder for AUE_PORTFS_*).
1346 label=AUE_PORTFS_ASSOCIATE
1348 see=port_associate(3C)
1349 case=Port association via PORT_SOURCE_FILE
1351 comment=name of the file/directory to be watched
1353 label=AUE_PORTFS_DISSOCIATE
1355 see=port_dissociate(3C)
1356 case=Port disassociation via PORT_SOURCE_FILE
1359 label=AUE_PRIOCNTLSYS
1363 comment=1, priocntl version number, "pc_version":
1364 comment=3, command, "cmd"
1366 label=AUE_PROCESSOR_BIND
1367 case=No LWP/thread bound to the processor
1368 format=arg1:arg2:text3:[proc]
1369 comment=1, type of ID, "ID type":
1370 comment=2, ID value, "ID":
1371 comment="PBIND_NONE"
1372 case=With processor bound
1373 format=arg1:arg2:arg3:[proc]
1374 comment=1, type of ID, "ID type":
1375 comment=2, ID value, "ID":
1376 comment=3, processor ID, "processor_id"
1380 format=arg1:[path]:[attr]:arg2
1381 comment=1, file descriptor, "fd":
1382 comment=4, priority, "pri"
1386 format=arg1:[path]:[attr]:arg2:arg3
1387 comment=1, file descriptor, "fd":
1388 comment=4, priority, "pri":
1389 comment=5, flags, "flags"
1392 format=arg1:arg2:text3
1393 comment=1, processor ID, "processor ID":
1394 comment=2, flags value, "flags":
1395 comment=text form of flags. Values: \
1396 P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
1402 skip=Not used. (Placeholder for AUE_READ_* events)
1405 skip=Not used. (Obsolete)
1411 skip=Not used (obsolete)
1415 skip=Not used (obsolete)
1422 case=If address family is AF_INET or AF_INET6
1423 format=[arg]1:[inet]
1424 comment=1, file descriptor, "so"
1425 case=If address family is AF_UNIX and path is defined
1426 format=[path]1:[attr]
1427 comment=1, file descriptor, "so"
1428 case=If address family is AF_UNIX and path is NULL
1429 format=[path]1:[attr]
1430 comment=1, file descriptor, "no path: fd"
1431 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1432 format=[arg]1:[arg]2:[arg]3
1433 comment=1, file descriptor, "so":
1434 comment=1, family, "family":
1435 comment=1, type, "type"
1436 # associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
1439 format=inet:arg1:[arg]2:inet3:arg4
1440 comment=3, message length, "len":
1441 comment=4, flags, "flags":
1442 comment=from address:
1443 comment=6, address length, "tolen"
1444 note=The socket token for a bad socket is reported as "argument
1445 note=token (1, socket descriptor, "fd")"
1448 case=If invalid file descriptor
1450 comment=1, file descriptor, "so":
1451 comment=3, flags, "flags"
1452 case=If valid file descriptor and socket is AF_UNIX and no path
1454 comment=1, file descriptor, "no path: fd"
1455 case=If valid file descriptor and socket is AF_UNIX and path defined
1457 case=If valid file descriptor and socket is AF_INET or AF_INET6
1458 case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
1459 format=arg1:arg2:inet
1460 comment=1, file descriptor, "so":
1461 comment=2, flags, "flags"
1462 case=.. if socket type is unknown
1463 format=arg1:arg2:arg3:arg4
1464 comment=1, file descriptor, "so":
1465 comment=1, family, "family":
1466 comment=1, type, "type":
1467 comment=3, flags, "flags"
1470 format=path1:[attr]1:[path]2
1476 format=path1:[attr]1:[path]2
1482 # apparently replaced
1488 format=arg1:[ipc]:[ipc_perm]
1489 comment=1, semaphore ID, "sem ID"
1491 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1493 label=AUE_SEMCTL_GETALL
1494 format=arg1:[ipc]:[ipc_perm]
1495 comment=1, semaphore ID, "sem ID"
1497 syscall=semctl: GETALL
1498 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1500 label=AUE_SEMCTL_GETNCNT
1501 format=arg1:[ipc]:[ipc_perm]
1502 comment=1, semaphore ID, "sem ID"
1504 syscall=semctl: GETNCNT
1505 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1507 label=AUE_SEMCTL_GETPID
1508 format=arg1:[ipc]:[ipc_perm]
1509 comment=1, semaphore ID, "sem ID"
1511 syscall=semctl: GETPID
1512 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1514 label=AUE_SEMCTL_GETVAL
1515 format=arg1:[ipc]:[ipc_perm]
1516 comment=1, semaphore ID, "sem ID"
1518 syscall=semctl: GETVAL
1519 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1521 label=AUE_SEMCTL_GETZCNT
1522 format=arg1:[ipc]:[ipc_perm]
1523 comment=1, semaphore ID, "sem ID"
1525 syscall=semctl: GETZCNT
1526 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1528 label=AUE_SEMCTL_RMID
1529 format=arg1:[ipc]:[ipc_perm]
1530 comment=1, semaphore ID, "sem ID"
1532 syscall=semctl: IPC_RMID
1533 # ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1535 label=AUE_SEMCTL_SET
1536 format=arg1:[ipc]:[ipc_perm]
1537 comment=1, semaphore ID, "sem ID"
1539 syscall=semctl: IPC_SET
1540 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1542 label=AUE_SEMCTL_SETALL
1543 format=arg1:[ipc]:[ipc_perm]
1544 comment=1, semaphore ID, "sem ID"
1546 syscall=semctl: SETALL
1547 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1549 label=AUE_SEMCTL_SETVAL
1550 format=arg1:[ipc]:[ipc_perm]
1551 comment=1, semaphore ID, "sem ID"
1553 syscall=semctl: SETVAL
1554 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1556 label=AUE_SEMCTL_STAT
1557 format=arg1:[ipc]:[ipc_perm]
1558 comment=1, semaphore ID, "sem ID"
1560 syscall=semctl: IPC_STAT
1561 # ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
1564 format=arg1:[ipc_perm]:ipc
1565 comment=1, semaphore key, "sem key"
1567 syscall=semget
1568 # ipc_perm token: semget -> audit_ipcget
1574 format=arg1:[ipc]:[ipc_perm]
1575 comment=1, semaphore ID, "sem ID"
1577 # ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
1580 skip=Not used. (placeholder) -- defaults to a semget variant
1583 case=If address family is AF_INET or AF_INET6
1584 format=[arg]1:[inet]
1585 comment=1, file descriptor, "so"
1586 case=If address family is AF_UNIX and path is defined
1587 format=[path]1:[attr]
1588 comment=1, file descriptor, "so"
1589 case=If address family is AF_UNIX and path is NULL
1590 format=[path]1:[attr]
1591 comment=1, file descriptor, "no path: fd"
1592 case=If address family is other than AF_UNIX, AF_INET, AF_INET6
1593 format=[arg]1:[arg]2:[arg]3
1594 comment=1, file descriptor, "so":
1595 comment=1, family, "family":
1596 comment=1, type, "type"
1597 # associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
1600 case=If invalid file descriptor
1602 comment=1, file descriptor, "so":
1603 comment=3, flags, "flags"
1604 case=If valid file descriptor
1605 case=...and address family is AF_UNIX and path is defined
1607 case=...and address family is AF_UNIX and path is NULL
1609 comment=1, file descriptor, "nopath: fd"
1610 case=...and address family is AF_INET or AF_INET6, \
1611 socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1612 format=arg1:arg2:inet
1613 comment=1, file descriptor, "so":
1614 comment=3, flags, "flags"
1615 case=...and unknown address family or address family AF_INET or AF_INET6 \
1616 and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
1617 format=arg1:arg2:arg3:arg4
1618 comment=1, file descriptor, "so":
1619 comment=1, family, "family":
1620 comment=1, type, "type":
1621 comment=1, flags, "flags"
1624 case=If invalid file descriptor
1626 comment=1, file descriptor, "so":
1627 comment=3, flags, "flags"
1628 case=If valid file descriptor
1629 case=...and socket is AF_UNIX and path is defined
1631 case=...and address family is AF_UNIX and path is NULL
1633 comment=1, file descriptor, "nopath: fd"
1634 case=...and address family is AF_INET or AF_INET6
1635 format=arg1:arg2:inet
1636 comment=1, file descriptor, "so":
1637 comment=3, flags, "flags"
1638 case=...and unknown address family
1639 format=arg1:arg2:arg3:arg4
1640 comment=1, file descriptor, "so":
1641 comment=1, family, "family":
1642 comment=1, type, "type":
1643 comment=1, flags, "flags"
1646 case=With a valid program stack address
1647 format=arg1:arg2:arg3:arg4:arg5:arg6
1648 comment=1, audit user ID, "setaudit:auid":
1649 comment=1, terminal ID, "setaudit:port":
1650 comment=1, terminal ID, "setaudit:machine":
1651 comment=1, preselection mask, "setaudit:as_success":
1652 comment=1, preselection mask, "setaudit:as_failure":
1653 comment=1, audit session ID, "setaudit:asid"
1654 case=With an invalid program stack address
1656 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
1657 # argument,1,0x271a,setaudit:auid
1658 # argument,1,0x3ff0201,setaudit:port
1659 # argument,1,0x8192591e,setaudit:machine
1660 # argument,1,0x400,setaudit:as_success
1661 # argument,1,0x400,setaudit:as_failure
1662 # argument,1,0x16f,setaudit:asid
1663 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
1666 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
1667 # argument,1,0x271a,setaudit:auid
1668 # argument,1,0x3ff0201,setaudit:port
1669 # argument,1,0x8192591e,setaudit:machine
1670 # argument,1,0x400,setaudit:as_success
1671 # argument,1,0x400,setaudit:as_failure
1672 # argument,1,0x16f,setaudit:asid
1673 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
1677 label=AUE_SETAUDIT_ADDR
1678 case=With a valid program stack address
1679 format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
1680 comment=1, audit user ID, "auid":
1681 comment=1, terminal ID, "port":
1682 comment=1, type, "type":
1683 comment=1, terminal ID, "ip address":
1684 comment=1, preselection mask, "as_success":
1685 comment=1, preselection mask, "as_failure":
1686 comment=1, audit session ID, "asid"
1687 case=With an invalid program stack address
1689 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
1690 # argument,1,0x15fa7,auid
1691 # argument,1,0x0,port
1692 # argument,1,0x4,type
1694 # argument,1,0x9c00,as_success
1695 # argument,1,0x9c00,as_failure
1696 # argument,1,0x1f1,asid
1697 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
1702 comment=2, audit user ID, "setauid"
1704 label=AUE_SETDOMAINNAME
1705 skip=Not used. (See AUE_SYSINFO)
1706 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
1710 comment=1, group ID, "gid"
1714 comment=1, user ID, "euid"
1718 comment=1, group ID, "gid"
1721 note=If more than NGROUPS_MAX_DEFAULT groups are listed,
1722 note=no group tokens are generated.
1723 case=If no groups in list
1725 comment=1, 0, "setgroups"
1726 case=If 1 or more groups in list
1728 comment=1, gid, "setgroups"
1730 label=AUE_SETHOSTNAME
1731 skip=Not used. (See AUE_SYSINFO)
1732 # See sysinfo call with command SI_SET_HOSTNAME
1734 label=AUE_SETKERNSTATE
1738 format=[proc]:[arg]1
1739 comment=2, pgid, "pgid"
1744 label=AUE_SETPRIORITY
1748 case=operation privileges off
1749 format=arg1:privset2
1750 comment=setppriv operation:
1751 comment=privileges actually switched off
1752 case=operation privileges on
1753 format=arg1:privset2
1754 comment=setppriv operation:
1755 comment=privileges actually switched on
1756 case=operation privileges off
1757 format=arg1:privset2:privset3
1758 comment=setppriv operation:
1759 comment=privileges before privset:
1760 comment=privileges after privset
1761 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
1763 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1764 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
1765 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
1770 comment=1, real group ID, "rgid":
1771 comment=2, effective group ID, "egid"
1775 comment=1, real user ID, "ruid":
1776 comment=2, effective user ID, "euid"
1780 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
1781 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
1787 label=AUE_SETSOCKOPT
1788 case=Invalid file descriptor
1790 comment=1, file descriptor, "so":
1791 comment=2, level, "level"
1792 case=Valid file descriptor
1793 case=...and socket is AF_UNIX
1794 format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
1795 comment=if no path, will be argument: 1, "nopath: fd", \
1797 comment=1, file descriptor, "so":
1798 comment=1, family, "family":
1799 comment=1, type, "type":
1800 comment=2, protocol level, "level":
1801 comment=3, option name, "optname":
1802 comment=5, option length, "optlen":
1804 case=...and socket is AF_INET or AF_INET6
1805 format=arg1:arg2:arg3:[arg]4:[data]5:inet
1806 comment=1, file descriptor, "so":
1807 comment=2, protocol level, "level":
1808 comment=3, option name, "optname":
1809 comment=5, option length, "optlen":
1811 case=...and socket address family is unknown
1812 format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
1813 comment=1, file descriptor, "so":
1814 comment=1, family, "family":
1815 comment=1, type, "type":
1816 comment=2, protocol level, "level":
1817 comment=3, option name, "optname":
1818 comment=5, option length, "optlen":
1821 label=AUE_SETTIMEOFDAY
1827 comment=1, "uid" to be set
1829 label=AUE_SETUSERAUDIT
1833 format=arg1:arg2:[ipc]:[ipc_perm]
1834 comment=1, shared memory ID, "shm ID":
1835 comment=2, shared mem addr, "shm addr"
1837 # ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
1840 format=arg1:[ipc]:[ipc_perm]
1841 comment=1, shared memory ID, "shm ID"
1843 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1845 label=AUE_SHMCTL_RMID
1846 format=arg1:[ipc]:[ipc_perm]
1847 comment=1, shared memory ID, "shm ID"
1849 syscall=shmctl: IPC_RMID
1850 # ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
1852 label=AUE_SHMCTL_SET
1853 format=arg1:[ipc]:[ipc_perm]
1854 comment=1, shared memory ID, "shm ID"
1856 syscall=shmctl: IPC_SET
1857 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1859 label=AUE_SHMCTL_STAT
1860 format=arg1:[ipc]:[ipc_perm]
1861 comment=1, shared memory ID, "shm ID"
1863 syscall=shmctl: IPC_STAT
1864 # ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
1868 comment=1, shared memory address, "shm adr"
1871 format=arg1:[ipc_perm]:[ipc]
1872 comment=0, shared memory key, "shm key"
1874 # ipc_perm: shmget -> audit_ipcget
1880 skip=Not used. (Placeholder for shmget and shmctl*)
1883 case=If the socket address is invalid
1884 format=[arg]1:[text]2:[text]3
1885 comment=1, file descriptor, "fd":
1886 comment=bad socket address:
1887 comment=bad peer address
1888 case=If the socket address is part of the AF_INET family
1889 case=...with zero file descriptor
1890 format=arg1:[arg]2:[arg]3:[arg]4
1891 comment=1, file descriptor, "so":
1892 comment=1, family, "family":
1893 comment=1, type, "type":
1894 comment=2, how shutdown code, "how"
1895 case=...with non-zero file descriptor
1896 format=arg1:arg2:inet
1897 comment=1, file descriptor, "so":
1898 comment=2, how shutdown code, "how"
1899 case=If the socket address is AF_UNIX
1900 case=...with zero file descriptor
1901 format=path1:arg2:[arg]3:[arg]4:[arg]5
1902 comment=If error: argument: \
1903 1, file descriptor, "no path: fd":
1904 comment=1, file descriptor, "so":
1905 comment=1, family, "family":
1906 comment=1, type, "type":
1907 comment=2, how shutdown code, "how"
1908 case=...with non-zero file descriptor
1909 format=path1:arg2:arg3:inet
1910 comment=If error: argument: \
1911 1, file descriptor, "no path: fd":
1912 comment=1, file descriptor, "so":
1913 comment=2, how shutdown code, "how"
1914 #old BSM manual wrong; used audit_event.c
1916 label=AUE_SOCKACCEPT
1917 syscall=getmsg: socket accept
1918 format=inet:arg1:[path]:attr:arg2
1919 comment=1, file descriptor, "fd":
1920 comment=4, priority, "pri"
1921 # see putmsg and getmsg for record format
1922 # See audit.c for inet token and audit_start.c for other reference
1924 label=AUE_SOCKCONFIG
1925 format=arg1:arg2:arg3:[path]4
1926 comment=1, domain address, "domain":
1927 comment=2, type, "type":
1928 comment=3, protocol, "protocol":
1929 comment=If no path: argument -- 3, 0, "devpath"
1931 label=AUE_SOCKCONNECT
1932 syscall=putmsg: socket connect
1933 format=inet:arg1:[path]:attr:arg2
1934 comment=1, file descriptor, "fd":
1935 comment=4, priority, "pri"
1936 # same as AUE_SOCKACCEPT
1939 format=arg1:[arg]2:arg3
1940 comment=1, socket domain, "domain":
1941 comment=2, socket type, "type":
1942 comment=3, socket protocol, "protocol"
1944 label=AUE_SOCKETPAIR
1948 label=AUE_SOCKRECEIVE
1950 format=inet:arg1:[path]:attr:arg2
1951 comment=1, file descriptor, "fd":
1952 comment=4, priority, "pri"
1953 # see AUE_SOCKACCEPT
1957 format=inet:arg1:[path]:attr:arg2
1958 comment=1, file descriptor, "fd":
1959 comment=4, priority, "pri"
1960 # see AUE_SOCKACCEPT
1978 format=path:text1:[attr]
1979 comment=symbolic link string
1982 note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
1983 note=are currently audited.
1985 comment=1, command, "cmd":
1988 label=AUE_SYSTEMBOOT
1992 comment="booting kernel"
1993 # see audit_start.c and audit_io.c
1994 # no subject or return / exit token
1995 # header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
1996 # text,booting kernel
2002 syscall=umount: old version
2003 note=Implemented as a call to the newer umount2(2).
2004 format=path:arg1:[path]:[attr]
2005 comment=2, mflag value = 0, "flags"
2009 format=path:arg1:[path]:[attr]
2010 comment=2, mflag value, "flags"
2033 comment=0, pid, "child PID"
2034 note=The vfork(2) return values are undefined because the audit record is
2035 note=produced at the point that the child process is spawned.
2045 comment=if no path, argument -- 1, file descriptor, "no path: fd"
2046 note=An audit record is generated for write only once per open descriptor; later writes are not audited until the file is closed.
2049 skip=Not used. (obsolete)
2059 label=AUE_PF_POLICY_ADDRULE
2060 title=Add IPsec policy rule
2063 format=arg1:arg2:[zone]3:[text]4
2064 comment=Operation applied to active policy (1 is active, 0 is inactive):
2065 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2066 comment=affected zone:
2067 comment=Name of target tunnel
2069 label=AUE_PF_POLICY_DELRULE
2070 title=Delete IPsec policy rule
2073 format=arg1:arg2:[zone]3:[text]4
2074 comment=Operation applied to active policy (1 is active, 0 is inactive):
2075 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2076 comment=affected zone:
2077 comment=Name of target tunnel
2079 label=AUE_PF_POLICY_CLONE
2080 title=Clone IPsec policy
2083 format=arg1:arg2:[zone]3:[text]4
2084 comment=Operation applied to active policy (1 is active, 0 is inactive):
2085 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2086 comment=affected zone:
2087 comment=Name of target tunnel
2089 label=AUE_PF_POLICY_FLIP
2090 title=Flip IPsec policy
2093 format=arg1:arg2:[zone]3:[text]4
2094 comment=Operation applied to active policy (1 is active, 0 is inactive):
2095 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2096 comment=affected zone:
2097 comment=Name of target tunnel
2099 label=AUE_PF_POLICY_FLUSH
2100 title=Flush IPsec policy rules
2103 format=arg1:arg2:[zone]3:[text]4
2104 comment=Operation applied to active policy (1 is active, 0 is inactive):
2105 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2106 comment=affected zone:
2107 comment=Name of target tunnel
2109 label=AUE_PF_POLICY_ALGS
2110 title=Update IPsec algorithms
2113 format=arg1:arg2:[zone]3:[text]4
2114 comment=Operation applied to active policy (1 is active, 0 is inactive):
2115 comment=Operation applied to global policy (1 is global, 0 is tunnel):
2116 comment=affected zone:
2117 comment=Name of target tunnel
2119 label=AUE_allocate_fail
2120 program=/usr/sbin/allocate
2121 title=allocate: allocate-device failure
2122 format=(0..n)[text]1
2123 comment=command line arguments
2124 # see audit_allocate.c
2126 label=AUE_allocate_succ
2127 program=/usr/sbin/allocate
2128 title=allocate: allocate-device success
2129 format=(0..n)[text]1
2130 comment=command line arguments
2131 # see audit_allocate.c
2135 title=at: at-create atjob
2140 title=at: at-delete atjob (at or atrm)
2142 comment="ancillary file:" filename or "bad format of at-job name"
2146 # not referenced outside uevents.h
2148 label=AUE_create_user
2151 label=AUE_cron_invoke
2152 program=/usr/sbin/cron
2153 title=cron: cron-invoke at or cron
2154 case=If the account lookup fails
2156 comment="bad user" name or "user <name> account expired"
2159 comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
2160 or "unknown job type (<job_type_id>)":
2163 label=AUE_crontab_create
2164 program=/usr/bin/crontab
2165 title=crontab: crontab created
2167 # See audit_crontab.c
2169 label=AUE_crontab_delete
2170 program=/usr/bin/crontab
2171 title=crontab: crontab delete
2173 # See audit_crontab.c
2175 label=AUE_crontab_mod
2176 program=/usr/bin/crontab
2177 title=crontab: crontab modify
2179 # See audit_crontab.c
2181 label=AUE_crontab_perm
2184 label=AUE_deallocate_fail
2185 program=/usr/sbin/deallocate
2186 title=deallocate-device failure
2187 format=(0..n)[text]1
2188 comment=command line arguments
2189 # See audit_allocate.c
2191 label=AUE_deallocate_succ
2192 program=/usr/sbin/deallocate
2193 title=deallocate-device success
2194 format=(0..n)[text]1
2195 comment=command line arguments
2196 # See audit_allocate.c
2198 label=AUE_delete_user
2201 label=AUE_disable_user
2204 label=AUE_enable_user
2208 program=/usr/sbin/in.ftpd
2211 comment=error message
2214 label=AUE_ftpd_logout
2215 program=/usr/sbin/in.ftpd
2220 label=AUE_halt_solaris
2221 program=/usr/sbin/halt
2226 label=AUE_kadmind_auth
2227 format=text1:text2:text3
2228 comment=Op: <requested information>:
2229 comment=Arg: <argument for Op>:
2230 comment=Client: <client principal name>
2231 # See audit_kadmin.c / common_audit()
2233 label=AUE_kadmind_unauth
2234 format=text1:text2:text3
2235 comment=Op: <requested information>:
2236 comment=Arg: <argument for Op>:
2237 comment=Client: <client principal name>
2238 # See audit_kadmin.c / common_audit()
2240 label=AUE_krb5kdc_as_req
2242 comment=Client: <client principal name>:
2243 comment=Service: <requested service name>
2244 # See audit_krb5kdc.c / common_audit()
2246 label=AUE_krb5kdc_tgs_req
2248 comment=Client: <client principal name>:
2249 comment=Service: <requested service name>
2250 # See audit_krb5kdc.c / common_audit()
2252 label=AUE_krb5kdc_tgs_req_alt_tgt
2254 comment=Client: <client principal name>:
2255 comment=Service: <requested service name>
2256 # See audit_krb5kdc.c / common_audit()
2258 label=AUE_krb5kdc_tgs_req_2ndtktmm
2260 comment=Client: <client principal name>:
2261 comment=Service: <requested service name>
2262 # See audit_krb5kdc.c / common_audit()
2264 label=AUE_listdevice_fail
2265 title=allocate-list devices failure
2266 program=/usr/sbin/allocate
2267 format=(0..n)[text]1
2268 comment=command line arguments
2269 # See audit_allocate.c
2271 label=AUE_listdevice_succ
2272 title=allocate-list devices success
2273 program=/usr/sbin/allocate
2274 format=(0..n)[text]1
2275 comment=command line arguments
2276 # See audit_allocate.c
2278 label=AUE_modify_user
2281 label=AUE_mountd_mount
2282 title=mountd: NFS mount
2283 program=/usr/lib/nfs/mountd
2286 comment=remote client hostname:
2288 # See audit_mountd.c
2290 label=AUE_mountd_umount
2291 title=mountd: NFS unmount
2292 program=/usr/lib/nfs/mountd
2294 comment=remote client hostname:
2296 # See audit_mountd.c
2298 label=AUE_poweroff_solaris
2299 program=/usr/sbin/poweroff
2304 label=AUE_reboot_solaris
2305 program=/usr/sbin/reboot
2308 # See audit_reboot.c
2309 # header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
2310 # subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
2314 program=/usr/sbin/rpc.rexd
2316 format=[text]1:text2:text3:[text]4:[text]5
2317 comment=error message (failure only):
2318 comment="Remote execution requested by:" hostname:
2319 comment="Username:" username:
2320 comment="User id:" user ID (failure only):
2321 comment="Command line:" command attempted
2325 program=/usr/sbin/rpc.rexecd
2327 format=[text]1:text2:text3:text4
2328 comment=error message (failure only):
2329 comment="Remote execution requested by:" hostname:
2330 comment="Username:" username:
2331 comment="Command line:" command attempted
2332 # See audit_rexecd.c
2335 program=/usr/sbin/in.rshd
2337 format=text1:text2:[text]3:[text]4
2338 comment="cmd" command:
2339 comment="remote user" remote user:
2340 comment="local user" local user:
2341 comment=failure message
2344 label=AUE_shutdown_solaris
2346 program=/usr/ucb/shutdown
2348 # See audit_shutdown.c
2351 program=/usr/lib/smedia/rpc.smserverd
2352 format=[text]1:[text]2
2353 comment=state change:
2354 comment=vid, pid, major/minor device
2355 # see usr/src/cmd/smserverd
2356 # code shows a third token, path, but it isn't implemented.
2358 label=AUE_uadmin_solaris
2359 title=uadmin (obsolete)
2363 comment=function code:
2364 comment=argument code
2365 # not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
2367 label=AUE_LABELSYS_TNRH
2368 title=config Trusted Network remote host cache
2370 syscall=labelsys: TSOL_TNRH
2371 case=With the flush command (cmd=3)
2373 comment=1, command, "cmd"
2374 case=With the load (cmd=1) and delete (cmd=2) commands
2375 format=arg1:inaddr2:arg3
2376 comment=1, command, "cmd":
2377 comment=ip address of host:
2378 comment=2, prefix length, "prefix len"
2380 label=AUE_LABELSYS_TNRHTP
2381 title=config Trusted Network remote host template
2383 syscall=labelsys: TSOL_TNRHTP
2384 case=With the flush command (cmd=3)
2386 comment=1, command, "cmd"
2387 case=With the load (cmd=1) and delete (cmd=2) commands
2389 comment=1, command, "cmd":
2390 comment=name of template
2392 label=AUE_LABELSYS_TNMLP
2393 title=config Trusted Network multi-level port entry
2395 syscall=labelsys: TSOL_TNMLP
2396 case=With the flush command (cmd=3)
2398 comment=1, command, "cmd":
2399 comment="shared", or name of zone
2400 case=With the load (cmd=1) and delete (cmd=2) commands
2401 format=arg1:text2:arg3:arg4:[arg]5
2402 comment=1, command, "cmd":
2403 comment="shared", or name of zone:
2404 comment=2, protocol number, "proto num":
2405 comment=2, starting mlp port number, "mlp_port":
2406 comment=2, ending mlp port number, "mlp_port_upper"