Each audit record produced by the Trusted Solaris auditing software is a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy. The group, sequence, and trailer tokens fall into this category. The administrator can determine whether these tokens are included in an audit record with the -getpolicy option of the auditconfig command.
These audit records are created by system calls which are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:

- The name of the system call
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit event class
- The mask for the event class
- The audit record structure

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ACCESS | 14 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–6 acct(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ACCT | 18 | as | 0x00020000 |

Format (zero path): header-token argument-token (1, "accounting off", 0) [priv-token] (if privilege used or required) subject-token return-token

Format (non-zero path): header-token path-token [attr-token] subject-token return-token

Table B–7 adjtime(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ADJTIME | 50 | as | 0x00000800 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–8 audit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDIT | 211 | no | 0x00000000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–9 auditon(2) — get current active root

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCAR | 224 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–10 auditon(2) — get event class

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCLASS | 231 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–11 auditon(2) — get audit state

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCOND | 229 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–12 auditon(2) — get current working directory

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCWD | 223 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–13 auditon(2) — get kernel mask

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETKMASK | 221 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–14 auditon(2) — get audit statistics

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETSTAT | 225 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–15 auditon(2) — GETPOLICY command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GPOLICY | 114 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–16 auditon(2) — get audit queue control parameters

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GQCTRL | 145 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–17 auditon(2) — set event class

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETCLASS | 232 | aa | 0x00040000 |

Format: header-token [argument-token] (2, "setclass:ec_event", event number) [argument-token] (3, "setclass:ec_class", class mask) [priv-token] (if privilege used or required) subject-token return-token

Table B–18 auditon(2) — set audit state

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETCOND | 230 | aa | 0x00040000 |

Format: header-token [argument-token] (3, "setcond", audit state) [priv-token] (if privilege used or required) subject-token return-token

Table B–19 auditon(2) — set kernel mask

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETKMASK | 222 | aa | 0x00040000 |

Format: header-token [argument-token] (2, "setkmask:as_success", kernel mask) [argument-token] (2, "setkmask:as_failure", kernel mask) [priv-token] (if privilege used or required) subject-token return-token

Table B–20 auditon(2) — set mask per session ID

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETSMASK | 228 | aa | 0x00040000 |

Format: header-token [argument-token] (3, "setsmask:as_success", session ID mask) [argument-token] (3, "setsmask:as_failure", session ID mask) [priv-token] (if privilege used or required) subject-token return-token

Table B–21 auditon(2) — reset audit statistics

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETSTAT | 226 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–22 auditon(2) — set mask per uid

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETUMASK | 227 | aa | 0x00040000 |

Format: header-token [argument-token] (3, "setumask:as_success", audit ID mask) [argument-token] (3, "setumask:as_failure", audit ID mask) [priv-token] (if privilege used or required) subject-token return-token

Table B–23 auditon(2) — SETPOLICY command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SPOLICY | 147 | aa | 0x00040000 |

Format: header-token [argument-token] (1, "policy", audit policy flags) [priv-token] (if privilege used or required) subject-token return-token

Table B–24 auditon(2) — set audit queue control parameters

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SQCTRL | 146 | aa | 0x00040000 |

Format: header-token [argument-token] (3, "setqctrl:aq_hiwater", queue control param.) [argument-token] (3, "setqctrl:aq_lowater", queue control param.) [argument-token] (3, "setqctrl:aq_bufsz", queue control param.) [argument-token] (3, "setqctrl:aq_delay", queue control param.) [priv-token] (if privilege used or required) subject-token return-token

Table B–25 auditpsa(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITPSA | 529 | aa | 0x00040000 |

Format (valid file descriptor): header-token argument-token (1, "op", state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–26 auditstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITSTAT | 150 | aa | 0x00040000 |

Format: header-token [argument-token] [priv-token] (if privilege used or required) subject-token return-token

Table B–27 auditsvc(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITSVC | 136 | aa | 0x00040000 |

Format (valid file descriptor): header-token [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token

Format (invalid file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token

Table B–28 chdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHDIR | 8 | pm | 0x00200000 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–29 chmod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHMOD | 10 | fm | 0x00000008 |

Format: header-token argument-token (2, "new file mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–30 chown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHOWN | 11 | fm | 0x00000008 |

Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–31 chroot(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHROOT | 24 | pm | 0x00200000 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–32 chstate(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHSTATE | 538 | as | 0x00000800 |

Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–33 clock_settime(3R)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CLOCK_SETTIME | 513 | as | 0x00000800 |

Format: header-token slabel-token return-token

Table B–34 close(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CLOSE | 112 | cl | 0x00000040 |

Format: <file system object> header-token argument-token (1, "fd", file descriptor) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Also for files closed on process termination. The argument-token is only present with the close() system call. It may be removed in future releases. The path-token is present only with valid file descriptors.

Table B–35 creat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CREAT | 4 | fc | 0x00000010 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–36 devpolicy(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_DRVPOLICY | 531 | as | 0x00000800 |

Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–37 enter prom, exit prom

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ENTERPROM | 153 | na | 0x00000400 |
| AUE_EXITPROM | 154 | na | 0x00000400 |

Format: header-token text-token (addr, "monitor PROM"|"kadb") [priv-token] (if privilege used or required) subject-token return-token

Table B–38 exec(2), execve(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXEC | 7 | ps | 0x00100000 |
| AUE_EXECVE | 23 | ps | 0x00100000 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–39 exit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXIT | 1 | pm | 0x00200000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–40 fauditpsa(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FAUDITPSA | 530 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–41 fchdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHDIR | 68 | pc | 0x00300000 |

Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–42 fchmod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHMOD | 39 | fm | 0x00000008 |

Format (valid file descriptor): header-token argument-token (2, "new file mode", mode) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Format (invalid file descriptor): header-token argument-token (2, "new file mode", mode) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–43 fchown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHOWN | 38 | fm | 0x00000008 |

Format (valid file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Format (non-file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–44 fchroot(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHROOT | 69 | pm | 0x00200000 |

Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–45 fcntl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) | 30 | fn | 0x40000000 |

Format (file descriptor): header-token argument-token (2, "cmd", cmd) path-token attr-token [priv-token] (if privilege used or required) subject-token return-token

Format (bad file descriptor): header-token argument-token (2, "cmd", cmd) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token

Table B–46 fgetsldname(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FGETSLDNAME | 532 | fc | 0x00000010 |

Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–47 fork(2), fork1(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FORK | 2 | ps | 0x00100000 |
| AUE_FORK1 | 241 | ps | 0x00100000 |

Format: header-token [argument-token] (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

The fork() and fork1() return values are undefined since each audit record is produced at the point that the child process is spawned.

Table B–48 fsetcmwlabel(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FSETCMWLABEL | 544 | fm | 0x00000008 |

Format: header-token argument-token (3, "flag", which parts of label to set) [slabel-token] (if slabel is being set) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–49 fsetfattrflag(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FSETFATTRFLAG | 523 | fm | 0x00000008 |

Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–50 fstatfs(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FSTATFS | 55 | fa | 0x00000004 |

Format (file descriptor): header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Format (non-file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–51 getaudit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETAUDIT | 132 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–52 getaudit_addr(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETAUDIT_ADDR | 267 | aa | 0x00000800 |

Format: header-token subject-token return-token

Table B–53 getauid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETAUID | 130 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–54 getcmwfsrange(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETCMWFSRANGE | 545 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–55 getcmwlabel(2), fgetcmwlabel(2), lgetcmwlabel(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETCMWLABEL | 546 | fa | 0x00000004 |
| AUE_FGETCMWLABEL | 118 | fa | 0x00000004 |
| AUE_LGETCMWLABEL | 548 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–56 getdents(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETDENTS | 193 | no | 0x00000000 |

Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token

Table B–57 getfpriv(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETFILEPRIV | 547 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–58 getmldadorn(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETMLDADORN | 554 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–59 getmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETMSG | 217 | nt | 0x00000100 |

Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token

Table B–60 getmsg(2) — accept, receive

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SOCKACCEPT | 247 | nt | 0x00000100 |
| AUE_SOCKRECEIVE | 250 | nt | 0x00000100 |

Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token

Table B–61 getmsgqcmwlabel(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETMSGQCMWLABEL | 514 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–62 getpmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETPMSG | 219 | nt | 0x00000100 |

Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token

Table B–63 getportaudit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETPORTAUDIT | 149 | aa | 0x00040000 |

Format: header-token [priv-token] (if privilege used or required) subject-token return-token

Table B–64 getsemcmwlabel(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETSEMCMWLABEL | 515 | ip | 0x00000200 |

Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the sem ID is invalid.

Table B–65 getshmcmwlabel(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETSHMCMWLABEL | 516 | ip | 0x00000200 |

Format: header-token argument-token (1, "shm ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the shm ID is invalid.

Table B–66 getsldname(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETSLDNAME | 555 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–67 ioctl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_IOCTL | 158 | io | 0x20000000 |

Format (good file descriptor): header-token path-token [attr-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token

Format (socket): header-token [socket-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token

Format (non-file file descriptor): header-token argument-token (1, "fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token

Format (bad file name): header-token argument-token (1, "no path: fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token

Table B–68 kill(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_KILL | 15 | pm | 0x00200000 |

Format (valid process): header-token argument-token (2, "signal", signo) [process-token] [slabel-token] (process) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Format (zero or negative process): header-token argument-token (2, "signal", signo) argument-token (1, "process", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–69 lchown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LCHOWN | 237 | fm | 0x00000008 |

Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token

Table B–70 link(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LINK | 5 | fc | 0x00000010 |

Format: header-token path-token (from path) [attr-token] (from path) [slabel-token] (from path) path-token (to path) [attr-token] (to path) [slabel-token] (to path) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–71 lstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LSTAT | 17 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token

Table B–72 lxstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LXSTAT | 236 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–73 memcntl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MEMCNTL | 238 | ot | 0x80000000 |

Format: header-token argument-token (1, "base", base address) argument-token (2, "len", length) argument-token (3, "cmd", command) argument-token (4, "arg", command args) argument-token (5, "attr", command attributes) argument-token (6, "mask", 0) [priv-token] (if privilege used or required) subject-token return-token

Table B–74 mkdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MKDIR | 47 | fc | 0x00000010 |

Format: header-token argument-token (2, "mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–75 mknod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MKNOD | 9 | fc | 0x00000010 |

Format: header-token argument-token (2, "mode", mode) argument-token (3, "dev", dev) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–76 mldsetfattrflag(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MLDSETFATTRFLAG | 524 | fm | 0x00000008 |

Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token

Table B–77 mmap(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MMAP | 210 | no | 0x00000000 |

Format (valid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token

Format (invalid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token

Table B–78 modctl(2) — bind module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODADDMAJ | 246 | as | 0x00000800 |

Format: header-token [text-token] (driver major number) [text-token] (driver name) text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") argument-token (5, "", number of aliases) (0..n)[text-token] (aliases) [priv-token] (if privilege used or required) subject-token return-token

Table B–79 modctl(2) — configure module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODCONFIG | 245 | as | 0x00000800 |

Format: header-token text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") [priv-token] (if privilege used or required) subject-token return-token

Table B–80 modctl(2) — load module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODLOAD | 243 | as | 0x00020000 |

Format: header-token [text-token] (default path) text-token (filename path) [priv-token] (if privilege used or required) subject-token return-token

Table B–81 modctl(2) — unload module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODUNLOAD | 244 | as | 0x00020000 |

Format: header-token argument-token (1, "id", module ID) [priv-token] (if privilege used or required) subject-token return-token

Table B–82 mount(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MOUNT | 62 | ao | 0x00080000 |

Format (UNIX file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Format (NFS file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) text-token (host name) argument-token (3, "internal flags", flags) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–83 msgctl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL | 84 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [ipc-token] subject-token return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table B–84 msgctl(2) — IPC_RMID command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_RMID | 85 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–85 msgctl(2) — IPC_SET command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_SET | 86 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–86 msgctl(2) — IPC_STAT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_STAT | 87 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–87 msgget(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGGET | 88 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–88 msggetl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGGETL | 174 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) slabel-token (desired SL) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–89 msgrcv(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGRCV | 89 | ip | 0x00000200 |
| AUE_MSGRCVL | 175 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–90 msgsnd(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGSND | 90 | ip | 0x00000200 |

Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token

The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid.

Table B–91 munmap(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MUNMAP | 214 | cl | 0x00000040 |

Format: header-token argument-token (1, "addr", address of memory) argument-token (2, "len", memory segment size) [priv-token] (if privilege used or required) subject-token return-token

Table B–92 old nice(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_NICE | 203 | pc | 0x00300000 |

Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–93 open(2) — read

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_R | 72 | fr | 0x00000001 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–94 open(2) — read,creat

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RC | 73 | fc,fr | 0x00000011 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token

Table B–95 open(2) — read,trunc,creat

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RTC | 75 | fc,fd,fr | 0x00000031 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token
Table B–96 open(2) — read,trunc
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RT |
74 |
fd,fr |
0x00000021 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–97 open(2) — read,write
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RW |
80 |
fr,fw |
0x00000003 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–98 open(2) — read,write,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWC |
81 |
fr,fw,fc |
0x00000013 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–99 open(2) — read,write,trunc,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWTC |
83 |
fr,fw,fc,fd |
0x00000033 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–100 open(2) — read,write,trunc
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWT |
82 |
fr,fw,fd |
0x00000023 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–101 open(2) — write
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_W |
76 |
fw |
0x00000002 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–102 open(2) — write,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WC |
77 |
fw,fc |
0x00000012 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–103 open(2) — write,trunc,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WTC |
79 |
fw,fc,fd |
0x00000032 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–104 open(2) — write,trunc
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WT |
78 |
fw,fd |
0x00000022 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–105 pathconf(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PATHCONF |
71 |
fa |
0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–106 pipe(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PIPE |
185 |
no |
0x00000000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–107 preadl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PREADL |
527 |
no |
0x00000000 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–108 priocntl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PRIOCNTLSYS |
212 |
pm |
0x00200000 |
Format: header-token argument-token (1, "pc_version", priocntl version num.) argument-token (3, "cmd", command) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–109 processor_bind(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PROCESSOR_BIND |
263 |
ao |
0x00080000 |
Format: header-token slabel-token return-token |
Table B–110 privilege enable
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PRIVENABLE |
533 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–111 process dumped core
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_CORE |
111 |
fc |
0x00000010 |
Format: header-token path-token [attr-token] argument-token (1, "signal", signal) [priv-token] (if privilege used or required) subject-token return-token |
Table B–112 putmsg(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PUTMSG |
216 |
nt |
0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B–113 putmsg(2) - connect, send
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKCONNECT |
248 |
nt |
0x00000100 |
AUE_SOCKSEND |
249 |
nt |
0x00000100 |
Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B–114 putpmsg(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PUTPMSG |
218 |
nt |
0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B–115 quotactl(7I)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_QUOTACTL |
60 |
ao |
0x00080000 |
Format: header-token subject-token return-token |
Table B–116 read(2), readl(2), readvl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_READ |
192 |
no |
0x00000000 |
AUE_READL |
558 |
|
|
AUE_READVL |
559 |
|
|
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–117 readlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_READLINK |
22 |
fr |
0x00000001 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–118 recvmsg(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RECVMSG |
190 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (3, "flags", message flags) sock-inet-token (from address) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–119 rename(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RENAME |
42 |
fc,fd |
0x00000030 |
Format: header-token path-token (from name) [attr-token] (from name) [slabel-token] (from name) [path-token] (to name) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–120 rmdir(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RMDIR |
48 |
fd |
0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–121 semctl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL |
98 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [ipc-token] subject-token return-token The ipc and ipc_perm tokens are not included if the semaphore ID is not valid. |
Table B–122 semctl(2) — getall
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETALL |
105 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–123 semctl(2) — GETNCNT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETNCNT |
102 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–124 semctl(2) — GETPID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETPID |
103 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–125 semctl(2) — GETVAL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETVAL |
104 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–126 semctl(2) — GETZCNT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETZCNT |
106 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–127 semctl(2) — IPC_RMID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_RMID |
99 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–128 semctl(2) — IPC_SET command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SET |
100 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–129 semctl(2) — SETALL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SETALL |
108 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–130 semctl(2) — SETVAL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SETVAL |
107 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–131 semctl(2) — IPC_STAT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_STAT |
101 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–132 semget(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMGET |
109 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–133 semgetl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMGETL |
177 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) slabel-token [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the system call failed. |
Table B–134 semop(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMOP |
110 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–135 sendmsg(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SENDMSG |
188 |
nt |
0x00000100 |
Format: header-token sock-inet-token sock-inet-token (to address) argument-token (3, "flags", message flags) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–136 sendto(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SENDTO |
184 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (3, "len", message length) [argument-token] (4, "flags", flags) argument-token (6, "tolen", address length) sock-inet-token (to address) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–137 setacl(1), setfacl(1)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_ACLSET |
251 |
fm |
0x00000008 |
AUE_FACLSET |
252 |
fm |
0x00000008 |
Format: header-token argument-token (2, "cmd", command) argument-token (3, "n_entries", number of acl entries) acl-token … (token repeated "n_entries" times) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–138 setaudit(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUDIT |
133 |
aa |
0x00040000 |
Format (valid program stack address): header-token argument-token (1, "setaudit:auid", audit user ID) argument-token (1, "setaudit:port", terminal ID) argument-token (1, "setaudit:machine", terminal ID) argument-token (1, "setaudit:as_success", preselection mask) argument-token (1, "setaudit:as_failure", preselection mask) argument-token (1, "setaudit:asid", audit session ID) [priv-token] (if privilege used or required) subject-token return-token Format (invalid program stack address): header-token subject-token return-token |
Table B–139 setaudit_addr(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUDIT_ADDR |
266 |
aa |
0x00000800 |
Format: header-token argument-token (1, "auid", audit user ID) argument-token (1, "port", terminal ID) argument-token (1, "type", machine address type) argument-token (1, "as_success", preselection mask) argument-token (1, "as_failure", preselection mask) argument-token (1, "asid", audit session ID) subject-token return-token |
Table B–140 setauid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUID |
131 |
aa |
0x00040000 |
Format: header-token argument-token (2, "setauid", audit user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–141 setclearance(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCLEARANCE |
542 |
fm |
0x00000008 |
Format: header-token clearance-token (specified) clearance-token (old) clearance-token (new) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–142 setcmwlabel(2), lsetcmwlabel(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCMWLABEL |
549 |
fm |
0x00000008 |
AUE_LSETCMWLABEL |
525 |
fm |
0x00000008 |
Format: header-token argument-token (3, “flag”, which parts of label to set) [slabel-token] (if slabel is being set) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–143 setcmwplabel(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCMWPLABEL |
541 |
fm |
0x00000008 |
Format (setting flag == SETCL_ALL): header-token slabel-token (SL from input argument) slabel-token (original SL) argument-token (2, “flag”, value) slabel-token (new SL) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (setting flag == SETCL_SL): header-token slabel-token (SL from input argument) slabel-token (SL of subject before) argument-token (2, “flag”, value) slabel-token (SL of subject after) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (setting flag == SETCL_IL): header-token argument-token (2, “flag”, value) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–144 setegid(2), old setgid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETEGID |
214 |
pm |
0x00200000 |
AUE_SETGID |
205 |
pm |
0x00200000 |
Format: header-token argument-token (1, "gid", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–145 seteuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETEUID |
215 |
pm |
0x00200000 |
Format: header-token argument-token (1, "gid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–146 setfattrflag(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETFATTRFLAG |
522 |
fm |
0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–147 setfpriv(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETFILEPRIV |
550 |
fm |
0x00000008 |
Format: header-token argument-token (4, "privilege type", privilege set type) privilege-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–148 setgroups(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETGROUPS |
26 |
pm |
0x00200000 |
Format: header-token [argument-token] (1, "setgroups", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token One argument-token for each group set. |
Table B–149 setpattr(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPATTR |
526 |
ps |
0x00100000 |
Format: header-token argument-token (1, “type”, type of attribute to set) argument-token (2, “value”, value of attribute) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–150 setpgrp(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPGRP |
27 |
pm |
0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–151 setppriv(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPROCPRIV |
127 |
fm |
0x00000008 |
Format: header-token argument-token (3, “type”, privilege set type) argument-token (4, “op”, operation to perform) privilege-token (specified) privilege-token (old) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–152 setregid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETREGID |
41 |
pm |
0x00200000 |
Format: header-token argument-token (1, "rgid", real group ID) argument-token (1, "egid", effective group ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–153 setreuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETREUID |
40 |
pm |
0x00200000 |
Format: header-token argument-token (1, "ruid", real user ID) argument-token (1, "euid", effective user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–154 setrlimit(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETRLIMIT |
51 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–155 setsockopt(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETSOCKOPT |
35 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (2, "level", protocol level) [argument-token] (3, "optname", option name) argument-token (4, "val", option value) argument-token (5, "optlen", option length) subject-token return-token The sock_inet token for a non-socket operation is reported as: argument-token (1, "fd", file descriptor) |
Table B–156 old setuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OSETUID |
200 |
pm |
0x00200000 |
Format: header-token argument-token (1, "uid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–157 shmat(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMAT |
96 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (2, "shm adr", shared mem addr) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–158 shmctl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL |
91 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shmid", shared memory ID) [ipc-token] subject-token return-token The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid. |
Table B–159 shmctl(2) — IPC_RMID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_RMID |
92 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–160 shmctl(2) — IPC_SET command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_SET |
93 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–161 shmctl(2) — IPC_STAT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_STAT |
94 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–162 shmdt(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMDT |
97 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm adr", shared mem addr) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–163 shmget(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMGET |
95 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) [argument-token] [slabel-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B–164 shmgetl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMGETL |
178 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) slabel-token [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B–165 sockconfig()
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKCONFIG |
265 |
nt |
0x00000100 |
Format: header-token argument-token (1, "domain", socket domain) [argument-token] (2, "type", socket type) argument-token (3, "protocol", socket protocol) text-token subject-token return-token |
Table B–166 socket(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKET |
183 |
nt |
0x00000100 |
Format: header-token argument-token (1, "domain", socket domain) [argument-token] (2, "type", socket type) argument-token (3, "protocol", socket protocol) subject-token return-token |
Table B–167 stat(2), statfs(2), statvfs(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_STAT |
16 |
fa |
0x00000004 |
AUE_STATFS |
54 |
fa |
0x00000004 |
AUE_STATVFS |
234 |
fa |
0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–168 stime(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_STIME |
201 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B–169 symlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYMLINK |
21 |
fc |
0x00000010 |
Format: header-token text-token (symbolic link string) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–170 sysinfo(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYSINFO |
39 |
as |
0x00020000 |
Format: header-token argument-token (1, "cmd", command) text-token (name) [priv-token] (if privilege used or required) subject-token return-token |
Table B–171 system booted
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYSTEMBOOT |
113 |
na |
0x00000400 |
Format: header-token text-token ("booting kernel") return-token |
Table B–172 tnif(2), tnrh(2), tnrhtp(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_TNIF |
534 |
nt |
0x00000100 |
AUE_TNRH |
535 |
|
|
AUE_TNRHTP |
536 |
|
|
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–173 tokmapper(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_TOKMAPPER |
537 |
nt |
0x00000100 |
Format: header-token argument-token (1, “op”, state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–174 uadmin(2) - system freeze
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_FREEZE |
539 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–175 uadmin(2) - system reboot
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_REBOOT |
561 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–176 uadmin(2) - system remount
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_REMOUNT |
540 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–177 uadmin(2) - system shutdown
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHUTDOWN |
560 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–178 umount(2) — old version
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UMOUNT |
12 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–179 umount(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UMOUNT2 |
268 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–180 unlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UNLINK |
6 |
fd |
0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–181 old utime(2), utimes(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UTIME |
202 |
fm |
0x00000008 |
AUE_UTIMES |
49 |
fm |
0x00000008 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–182 utssys(2) — fusers
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UTSSYS |
233 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–183 vfork(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_VFORK |
25 |
ps |
0x00100000 |
Format: header-token argument-token (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token The fork return values are undefined since the audit record is produced at the point that the child process is spawned. |
Table B–184 vtrace(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_VTRACE |
36 |
pm |
0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B–185 write(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_WRITE |
195 |
no |
0x00000000 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–186 writel(2), pwritel(2), writevl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PWRITEL |
528 |
no |
0x00000000 |
AUE_WRITEL |
552 |
fm |
0x00000008 |
AUE_WRITEVL |
553 |
fm |
0x00000008 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–187 xmknod(2)
| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_XMKNOD | 240 | fc | 0x00000010 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token
Table B–188 xstat(2)
| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_XSTAT | 235 | fa | 0x00000004 |

Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token
Pseudo-events do have their own audit record structure. They create audit records for the event that uses privilege. When the pseudo-event AUE_UPRIV is in a class that is being audited, any use of privilege will be audited, including uses of privilege for events that are otherwise not being audited.
Table B–189 Use of privilege
| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UPRIV | 521 | no | 0x00000000 |
These audit records are created by X windows calls and use of the X server. The records are sorted alphabetically by protocol; where possible, records with identical structure are listed together. The description of each record includes:
The name of the protocol
The audit event number
The audit event name
The audit record structure
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ClientConnect | Client connection to Xserver | 9101 | xl | 0x08000000 |

Format: header-token subject-token newgroups-token slabel-token xclient-token inaddr-token (IP address of client) iport-token (port on server) return-token
Table B–191 XClientDisconnect
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ClientDisconnect | Client logout from Xserver | 9102 | xl | 0x08000000 |

Format: header-token subject-token newgroups-token slabel-token xclient-token return-token
Table B–192 X Server Protocols - window operations
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ChangeSaveSet | Change the saved set | 9108 | xp | 0x10000000 |
| AUE_ChangeWindowAttributes | Change window attributes | 9104 | | |
| AUE_CirculateWindow | Circulate the window | 9115 | | |
| AUE_ConfigureWindow | Configure the window | 9114 | | |
| AUE_CreateWindow | Create window | 9103 | | |
| AUE_DestroySubwindows | Destroy subwindows | 9107 | | |
| AUE_DestroyWindow | Destroy window | 9106 | | |
| AUE_GetGeometry | Get window geometry | 9116 | | |
| AUE_GetWindowAttributes | Get window attributes | 9105 | | |
| AUE_MapSubwindows | Map the subwindows | 9111 | | |
| AUE_MapWindow | Map the window | 9110 | | |
| AUE_QueryTree | Query window tree | 9117 | | |
| AUE_ReparentWindow | Reparent the window | 9109 | | |
| AUE_UnmapSubwindows | Unmap the subwindows | 9113 | | |
| AUE_UnmapWindow | Unmap the window | 9112 | | |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–193 X Server Protocols - window properties
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ChangeProperty | Change window property | 9120 | xc | 0x20000000 |
| AUE_DeleteProperty | Delete window property | 9121 | xc | 0x20000000 |
| AUE_GetProperty | Get window property | 9122 | xp | 0x10000000 |
| AUE_ListProperties | List window properties | 9123 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token xproperty-token return-token
Table B–194 XGetAtomName, XInternAtom
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GetAtomName | Get atom name | 9119 | xs | 0x80000000 |
| AUE_InternAtom | Fetch atom | 9118 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xatom-token (atom string) return-token
Table B–195 XConvertSelection, XGetSelectionOwner, XSetSelectionOwner
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ConvertSelection | Convert selection | 9126 | xs | 0x80000000 |
| AUE_GetSelectionOwner | Get selection owner | 9125 | xs | 0x80000000 |
| AUE_SetSelectionOwner | Set selection owner | 9124 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–196 XGrabButton
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GrabButton | Grab window button | 9130 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token (grabbing window id) [xwindow-token] (current device focus) xcursor-token return-token
Table B–197 XGrabPointer, XUngrabPointer, XUngrabButton
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GrabPointer | Grab pointer | 9128 | xs | 0x80000000 |
| AUE_UngrabButton | Release window button | 9131 | xs | 0x80000000 |
| AUE_UngrabPointer | Release pointer | 9129 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token (grabbing window id) [xwindow-token] (current device focus) xcursor-token return-token
Table B–198 XChangeActivePointerGrab
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ChangeActivePointerGrab | Change active pointer grab | 9132 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xcursor-token return-token
Table B–199 XGrabKey, XUngrabKeyboard
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GrabKey | Grab key | 9135 | xs | 0x80000000 |
| AUE_UngrabKeyboard | Release keyboard | 9134 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–200 XGrabKeyboard, XUngrabKey
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GrabKeyboard | Grab keyboard | 9133 | xp | 0x10000000 |
| AUE_UngrabKey | Release key | 9135 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–201 XGrabServer, XUngrabServer
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GrabServer | Grab the server | 9137 | xa | 0x40000000 |
| AUE_UngrabServer | Release the server | 9138 | xa | 0x40000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–202 XQueryPointer
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_QueryPointer | Query pointer | 9139 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token (querying window id) [xwindow-token] (pointer's window id) return-token
Table B–203 XGetMotionEvents, XSendEvent
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GetMotionEvents | Get motion events | 9140 | xp | 0x10000000 |
| AUE_SendEvent | Send window event | 9127 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–204 XTranslateCoords, XWarpPointer
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_TranslateCoords | Translate coordinates | 9141 | xp | 0x10000000 |
| AUE_WarpPointer | Warp the pointer | 9142 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token (source window id) [xwindow-token] (destination window id) return-token
Table B–205 XGetInputFocus, XSetInputFocus
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GetInputFocus | Get input focus | 9144 | xs | 0x80000000 |
| AUE_SetInputFocus | Set input focus | 9143 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–206 XQueryKeymap
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_QueryKeymap | Query keymap | 9145 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–207 XSetFontPath
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_SetFontPath | Set font path | 9146 | xa | 0x40000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) [xwindow-token] xfont-token return-token
Table B–208 XChangeGC
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ChangeGC | Change graphical context | 9148 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xfont-token xpixmap-token xgc-token return-token
Table B–209 XCopyGC
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CopyGC | Copy graphical context | 9149 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xgc-token (source gc ID) [xgc-token] (destination gc ID) return-token
Table B–210 XFreeGC, XSetClipRectangles, XSetDashes
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_FreeGC | Free graphical context | 9152 | xc | 0x20000000 |
| AUE_SetClipRectangles | Set clip rectangles | 9151 | xp | 0x10000000 |
| AUE_SetDashes | Set dashes | 9150 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) [xpixmap-token] [xfont-token] [xgc-token] return-token
Table B–211 XClearArea
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ClearArea | Clear area | 9153 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–212 XCopyArea, XCopyPlane
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CopyArea | Copy area | 9154 | xs | 0x80000000 |
| AUE_CopyPlane | Copy plane | 9155 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xpixmap-token (source pixmap ID) xpixmap-token (destination pixmap ID) xgc-token return-token
Table B–213 XFillPolygon, XPolyArc, XPolyFillArc, XPolyFillRectangle, XPolyLine, XPolyPoint, XPolyRectangle, XPolySegment
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_FillPolygon | Fill polygon | 9161 | xp | 0x10000000 |
| AUE_PolyArc | Polyarc | 9160 | xp | 0x10000000 |
| AUE_PolyFillArc | Fill polyarc | 9163 | xp | 0x10000000 |
| AUE_PolyFillRectangle | Fill polyrectangle | 9162 | xp | 0x10000000 |
| AUE_PolyLine | Polyline | 9157 | xp | 0x10000000 |
| AUE_PolyPoint | Polypoint | 9156 | xp | 0x10000000 |
| AUE_PolyRectangle | Polyrectangle | 9159 | xs | 0x80000000 |
| AUE_PolySegment | Polysegment | 9158 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token xpixmap-token xgc-token return-token
Table B–214 XGetImage, XImageText8, XImageText16, XPolyText8, XPolyText16, XPutImage
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_GetImage | Get image | 9165 | xs | 0x80000000 |
| AUE_ImageText8 | Imagetext (8-bit) | 9168 | xp | 0x10000000 |
| AUE_ImageText16 | Imagetext (16-bit) | 9169 | xp | 0x10000000 |
| AUE_PolyText8 | Polytext (8-bit) | 9166 | xp | 0x10000000 |
| AUE_PolyText16 | Polytext (16-bit) | 9167 | xp | 0x10000000 |
| AUE_PutImage | Put image | 9164 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token xpixmap-token xgc-token return-token
Table B–215 XCreateColormap
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CreateColormap | Create colormap | 9170 | xc | 0x20000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token return-token
Table B–216 XAllocColor, XAllocColorCells, XAllocColorPlanes, XAllocNamedColor, XFreeColors
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_AllocColor | Allocate color | 9176 | xc | 0x20000000 |
| AUE_AllocColorCells | Allocate color cells | 9178 | | |
| AUE_AllocColorPlanes | Allocate color planes | 9179 | | |
| AUE_AllocNamedColor | Allocate named color | 9177 | | |
| AUE_FreeColors | Free colors | 9180 | | |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xcolormap-token return-token
Table B–217 XCopyColormapAndFree, XFreeColormap, XInstallColormap, XListInstalledColormap, XUninstallColormap
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CopyColormapAndFree | Copy and free colormap | 9172 | xp | 0x10000000 |
| AUE_FreeColormap | Free colormap | 9171 | xp | 0x10000000 |
| AUE_InstallColormap | Install colormap | 9173 | xa | 0x40000000 |
| AUE_ListInstalledColormap | List installed colormap | 9175 | xs | 0x80000000 |
| AUE_UninstallColormap | Uninstall colormap | 9174 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xcolormap-token return-token
Table B–218 XLookupColor, XQueryColors, XStoreColors, XStoreNamedColor
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_LookupColor | Look up colors | 9184 | xp | 0x10000000 |
| AUE_QueryColors | Query colors | 9183 | xp | 0x10000000 |
| AUE_StoreColors | Store colors | 9181 | xp | 0x10000000 |
| AUE_StoreNamedColor | Store named colors | 9182 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xcolormap-token return-token
Table B–219 XCreateCursor
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CreateCursor | Create cursor | 9185 | xc | 0x20000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xpixmap-token (source pixmap ID) xpixmap-token (mask pixmap ID) xcursor-token return-token
Table B–220 XCreateGlyphCursor
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_CreateGlyphCursor | Create glyph cursor | 9186 | xc | 0x20000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xfont-token (source font ID) xfont-token (mask font ID) xcursor-token return-token
Table B–221 XFreeCursor, XRecolorCursor
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_FreeCursor | Free cursor | 9187 | xc | 0x20000000 |
| AUE_RecolorCursor | Recolor cursor | 9188 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xcursor-token return-token
Table B–222 XFreePixmap
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_FreePixmap | Free pixmap | 9147 | xc | 0x20000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xpixmap-token return-token
Table B–223 XBell, XChangeKeyboardControl, XChangeKeyboardMapping, XChangePointerControl
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_Bell | Bell | 9193 | xs | 0x80000000 |
| AUE_ChangeKeyboardControl | Change keyboard control | 9190 | | |
| AUE_ChangeKeyboardMapping | Change keyboard mapping | 9189 | | |
| AUE_ChangePointerControl | Change pointer control | 9192 | | |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–224 XForceScreenSaver, XSetScreenSaver
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ForceScreenSaver | Cover screen | 9199 | xp | 0x10000000 |
| AUE_SetScreenSaver | Set screensaver | 9193 | | |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–225 XSetCloseDownMode
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_SetCloseDownMode | Set closedown mode | 9196 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–226 XChangeHosts, XKillClient, XSetAccessControl
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ChangeHosts | Change hosts | 9194 | xa | 0x40000000 |
| AUE_KillClient | Kill client | 9197 | xc | 0x20000000 |
| AUE_SetAccessControl | Set access control | 9195 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–227 XRotateProperties
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_RotateProperties | Rotate properties | 9198 | xp | 0x10000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xwindow-token xproperty-token return-token
Table B–228 XSetModifierMapping, XSetPointerMapping
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_SetModifierMapping | Set modifier mapping | 9201 | xs | 0x80000000 |
| AUE_SetPointerMapping | Set pointer mapping | 9200 | xs | 0x80000000 |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
Table B–229 X Server Extensions
| Event Name | Message | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_XExtensions | X extension protocols | 9202 | xp | |

Format: header-token subject-token newgroups-token slabel-token [priv-token] (if privilege used or required) xclient-token return-token
The AUE_XExtensions audit record format is used when auditing extensions to the X11 library, such as XTSOLMakeTPWindow.
These audit records are created by programs that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:
The name of the program
A man page reference (if appropriate)
The audit event number
The audit event name
The audit record structure
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_add_drv | /usr/sbin/add_drv | 9018 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (driver name) text-token (base directory) text-token (class name) text-token (aliases)
Table B–231 Admin Editor Action - Modify System Files
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_te_modsysfiles | trusted editor | 9322 | ao | 0x00080000 |

Format: header-token path-token (filename) text-token (changes) host-token return-token subject-token slabel-token
Table B–232 allocate(1) - device success
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_succ | /usr/sbin/allocate | 6200 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–233 allocate(1) - device failure
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_fail | /usr/sbin/allocate | 6201 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–234 allocate(1) - list devices success
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_succ | /usr/sbin/allocate | 6205 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–235 allocate(1) - list devices failure
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_fail | /usr/sbin/allocate | 6206 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–236 at(1) - create atjob
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_create | /usr/bin/at | 6144 | ao | 0x00080000 |

Format: header-token subject-token return-token exec_args-token text-token (user name) text-token (job queue)
Table B–237 at(1) - delete atjob file (at or atrm)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_delete | /usr/bin/at /usr/bin/atrm | 6145 | ao | 0x00080000 |

Format: header-token subject-token return-token exec_args-token text-token (user name) text-token (job queue)
Table B–238 at(1) - permission
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_perm | /usr/bin/at | 6146 | ao | 0x00080000 |

Format: header-token subject-token [group-token] exit-token
Table B–239 auditd(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_audit | /usr/sbin/audit | 9016 | aa | 0x00040000 |

Format: header-token text-token (“new audit file” | “reread audit_control” | “terminate auditd” | “unknown option”) return-token subject-token slabel-token
Table B–240 auditwrite(3TSOL)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_auditwrite | auditwrite() | 9015 | aa | 0x00040000 |

Format: header-token text-token (error description) subject-token return-token
Table B–241 automountd(1M) – mismatch
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_automountd_mismatch | /usr/lib/fs/autofs/automount | 9034 | ao | 0x00080000 |

Format: header-token path-token (mount dir) slabel-token (auto* file slabel) slabel-token (remote host template slabel) text-token (remote host server) return-token
Table B–242 automountd(1M) – mount
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_automountd_mount | /usr/lib/fs/autofs/automount | 9033 | ao | 0x00080000 |

Format: header-token subject-token slabel-token (subject slabel) path-token (mount dir) return-token host-token (machine name)
Table B–243 chroot(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_chroot | /usr/sbin/chroot | 9029 | ao | 0x00080000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) path-token (new root directory) path-token (command to execute)
Table B–244 crontab(1) - crontab created
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_create | /usr/bin/crontab | 6148 | ao | 0x00080000 |

Format: header-token subject-token return-token exec_args-token text-token (user name)
Table B–245 crontab(1) - crontab deleted
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_delete | /usr/bin/crontab | 6149 | ao | 0x00080000 |

Format: header-token subject-token return-token exec_args-token text-token (user name)
Table B–246 crontab(1) - invoke atjob or crontab
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_cron_invoke | /usr/bin/crontab | 6147 | ao | 0x00080000 |

Format: header-token subject-token return-token exec_args-token text-token (user name) text-token (one of: at-job; batch-job, crontab-job, queue-job #; or unknown job type #) text-token (cron command or at job name)
Table B–247 crontab(1) - modify
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_mod | /usr/bin/crontab | 6170 | ad | 0x00000800 |

Format: header-token subject-token [group-token] exit-token
Table B–248 crontab(1) - permission
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_perm | /usr/bin/crontab | 6150 | ao | 0x00080000 |

Format: header-token subject-token [group-token] exit-token
Table B–249 dbmgr (Obsolete)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_dm_add | | 9319 | ao | 0x00080000 |
| AUE_dm_del | | 9320 | | |
| AUE_dm_mod | | 9321 | | |

Format: header-token text-token (database info) text-token (database type) text-token (error message) return-token subject-token slabel-token
Table B–250 deallocate(1) - device success
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_succ | /usr/sbin/deallocate | 6202 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–251 deallocate(1) — device failure
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_fail | /usr/sbin/deallocate | 6203 | ao | 0x00080000 |

Format: header-token subject-token [slabel-token] (subject) newgroups-token exit-token
Table B–252 dispadmin(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_dispadmin | /usr/sbin/dispadmin | 9025 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (scheduler class) path-token (input file)
Table B–253 dtfile(1) - copy and move
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_dtfile_copy | /usr/dt/bin/dtfile | 9037 | fm | 0x00000008 |
| AUE_dtfile_move | | 9038 | | |

Format: header-token return-token path-token (target path) slabel-token (slabel of target) path-token (source path) slabel-token (slabel of source) host-token
Table B–254 eeprom(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_eeprom | /usr/sbin/eeprom | 9032 | as | 0x00020000 |

Format: header-token return-token path-token (prom device) text-token (variable=old value) text-token (variable=new value)
Table B–255 fuser(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_fuser | /usr/sbin/fuser | 9031 | ao | 0x00080000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) path-token (file name) arg-token (1, “PID”, process-id)
Table B–256 groupmgr (Obsolete)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_gm_add_grp | | 9307 | ao | 0x00080000 |
| AUE_gm_del_grp | | 9308 | ao | 0x00080000 |
| AUE_gm_mod_grp | | 9309 | ao | 0x00080000 |

Format: header-token text-token (group info) text-token (error message) return-token subject-token slabel-token
Table B–257 halt(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_halt_solaris | /usr/sbin/halt | 6160 | ss | 0x00010000 |

Format: header-token subject-token slabel-token return-token
Table B–258 hostmgr (Obsolete)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_hm_add_host | | 9310 | ao | 0x00080000 |
| AUE_hm_del_host | | 9311 | | |
| AUE_hm_mod_host | | 9312 | | |
| AUE_hm_set_def | | 9313 | | |

Format: header-token text-token (host info) text-token (error message) return-token subject-token slabel-token
Table B–259 inetd(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_inetd_connect | /usr/sbin/inetd | 6151 | na | 0x00000400 |

Format: header-token subject-token text-token (service name) ip-address-token ip-port-token return-token
Table B–260 in.ftpd(1M) - ftp access
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ftpd | /usr/sbin/in.ftpd | 6165 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message, failure only) return-token
Table B–261 installf(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_installf | /usr/sbin/installf | 9042 | as | 0x00020000 |

Format: header-token return-token argument-token (package name) subject-token slabel-token
Table B–262 login(1) — local
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_login | /usr/bin/login | 6152 | lo | 0x00001000 |

Format: header-token text-token text-token (message - success or failure) subject-token return-token
Table B–263 login(1) — rlogin
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rlogin | /usr/bin/login | 6155 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message) return-token
Table B–264 login(1) — telnet
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_telnet | /usr/bin/login | 6154 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message) return-token
Table B–265 logout(1)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_logout | /usr/bin/login | 6153 | lo | 0x00001000 |

Format: header-token subject-token text-token return-token
Table B–266 lpadmin(1M) - authorization
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uauth | /usr/lib/lpadmin | 6196 | ao | 0x00000800 |

Format: header-token text-token (authorization used) return-token text-token (admin command line) subject-token slabel-token host-token
Table B–267 lpsched(1M) - authorization
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uauth | /usr/lib/lpsched | 6196 | ad | 0x00000800 |

Format: header-token text-token (“print without banners | print without labels | print a PostScript file”) return-token text-token (hostname/jobnumber-filenumber) slabel-token (label of print job) subject-token slabel-token host-token
Table B–268 lpsched(1M) - privilege
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_lp_cancel | /usr/lib/lpsched | 9044 | ao | 0x00080000 |
| AUE_lp_status | | 9045 | | |

Format: header-token return-token privilege-token text-token (hostname/jobnumber-filenumber) slabel-token (print job label) subject-token slabel-token host-token (error message)
Table B–269 modload(1M), modunload(1M)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_modload | /usr/sbin/modload | 9020 | as | 0x00020000 |
| AUE_modunload | /usr/sbin/modunload | 9021 | | |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (module pathname)
Table B–270 mountd(1M) – NFS mount
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_mount | /usr/lib/nfs/mountd | 6156 | na | 0x00000400 |

Format: header-token argument-token slabel-token (subject slabel) text-token (remote client hostname) path-token (mount dir) slabel-token (slabel of the directory) text-token (error message, failure only) attribute-token subject-token return-token
Table B–271 mountd(1M) – NFS unmount
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_umount | /usr/lib/nfs/mountd | 6157 | na | 0x00000400 |

Format: header-token slabel-token (subject slabel) text-token (remote client hostname) path-token (mount dir) slabel-token (slabel of the directory) text-token (error message, failure only) attribute-token subject-token return-token
Table B–272 passwd(1)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_passwd | /usr/bin/passwd | 6163 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message) return-token
Table B–273 pfexec(1)
| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_prof_cmd | /usr/bin/pfexec | 6180 | ao | 0x00080000 |

Format: header-token subject-token slabel-token clearance-token path-token (for pfexec) path-token (for invoking command) cmd-token process-token clearance-token slabel-token privilege-token return-token
Table B–274 pbind(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pbind | /usr/sbin/pbind | 9026 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (action: “BIND” | “UNBIND”) arg-token (1, “CPU”, processor id) arg-token (2, “PID”, process-id)

Table B–275 pfsh — Obsolete

| Event Names | Program | Event IDs | Event Class | Mask |
|---|---|---|---|---|
| AUE_pfsh_trusted_priv | /usr/bin/pfsh | 9007 | ao | 0x00080000 |
| AUE_pfsh_trusted_nopriv | | 9008 | | |
| AUE_pfsh_priv | | 9009 | | |
| AUE_pfsh_nopriv | | 9010 | ap | 0x00004000 |

Format: header-token path-token (of the executable) exec_args-token path-token (of current directory) privilege-token return-token exec_env-token (if AUDIT_ARGE is on) subject-token slabel-token

Table B–276 pkgadd(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pkginstall | /usr/sbin/pkgadd | 9040 | as | 0x00020000 |

Format: header-token return-token argument-token (package name) subject-token slabel-token

Table B–277 pkgrm(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pkgremove | /usr/sbin/pkgrm | 9041 | as | 0x00020000 |

Format: header-token return-token argument-token (package name) subject-token slabel-token

Table B–278 Print Manager

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_printer_add | | 6187 | ad | 0x00000800 |
| AUE_printer_delete | | 6188 | | |
| AUE_printer_delete | | 6189 | | |

Format: header-token text-token (printer info) text-token (error message) return-token subject-token slabel-token

Table B–279 printmgr (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pm_add_prn | | 9316 | ao | 0x00080000 |
| AUE_pm_del_prn | | 9318 | ao | 0x00080000 |
| AUE_pm_mod_prn | | 9317 | ao | 0x00080000 |

Format: header-token text-token (printer info) text-token (error message) return-token subject-token slabel-token

Table B–280 profmgr - add profile (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pm_add_prof | | 9306 | ao | 0x00080000 |

Format: header-token text-token (new profile info) text-token (error message) return-token subject-token slabel-token

See Table B–303 for the current Rights profile audit records.

Table B–281 profmgr - delete profile (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pm_del_prof | | 9304 | ao | 0x00080000 |

Format: header-token text-token (profile info) text-token (error message) return-token subject-token slabel-token

See Table B–303 for the current Rights profile audit records.

Table B–282 profmgr - modify profile (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_pm_mod_prof | | 9305 | ao | 0x00080000 |

Format: header-token text-token (old profile info) text-token (new profile info) text-token (error message) return-token subject-token slabel-token

See Table B–303 for the current Rights profile audit records.

Table B–283 psradm(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_psradm | /usr/sbin/psradm | 9027 | ps | 0x00100000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (action: “ON” | “OFF”) arg-token (1, “PID”, processor id)

Table B–284 reboot(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_reboot_solaris | /usr/sbin/reboot | 6161 | ss | 0x00010000 |

Format: header-token subject-token return-token

Table B–285 removef(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_removef | /usr/sbin/removef | 9043 | as | 0x00020000 |

Format: header-token return-token argument-token (package name) subject-token slabel-token

Table B–286 rpc.rexd(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexd | /usr/sbin/rpc.rexd | 6164 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message, failure only) text-token (hostname) text-token (username) text-token (command to be executed) exit-token

Table B–287 in.rexecd(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexecd | /usr/sbin/in.rexecd | 6162 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message, failure only) text-token (hostname) text-token (username) text-token (command to be executed) exit-token

Table B–288 in.rshd(1M) - rsh access

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rshd | /usr/sbin/in.rshd | 6158 | lo | 0x00001000 |

Format: header-token subject-token text-token (command string) text-token (local user) text-token (remote user) return-token

Table B–289 rem_drv(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rem_drv | /usr/sbin/rem_drv | 9019 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (driver name) [text-token] (base directory)

Table B–290 init(1M) - run level change

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_run_level_change | /usr/sbin/init | 9024 | ss | 0x00010000 |

Format: header-token text-token (new run level) subject-token slabel-token (if slabel policy on) return-token

Table B–291 role login

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_role_login | | 6173 | lo | 0x00001000 |

Format: header-token subject-token slabel-token (if slabel policy on) return-token host-token

Table B–292 Selection Manager Transfer

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_sel_mgr_xfer | | 9039 | ax | 0x00002000 |

Format: header-token subject-token slabel-token return-token

Table B–293 sendmail(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_sendmail_deliver AUE_sendmail_defer | /usr/lib/sendmail | 9013 9014 | ao | 0x00080000 |

Format: header-token text-token (message about status) text-token (to) text-token (message ID) text-token (from) text-token (from host) text-token (to user) text-token (to host) return-token slabel-token

Table B–294 sendmail(1M) - upgrade

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_sendmail_upgrade | /usr/lib/sendmail | 9012 | ao | 0x00080000 |

Format: header-token text-token (message ID) slabel-token (old label) slabel-token (new label) subject-token slabel-token

Table B–295 serialmgr (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_sm_del_ser | | 9315 | ao | 0x00080000 |
| AUE_sm_mod_ser | | 9314 | | |

Format: header-token text-token (port info) text-token (error message) return-token subject-token slabel-token

Table B–296 setuname(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_setuname | /usr/bin/setuname | 9022 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (action: “ADD” | “DELETE”) path-token (swapname)

Table B–297 share(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_EXPORTFS | /usr/lib/fs.d/nfs/share | 61 | ao | 0x00080000 |

Format: header-token subject-token slabel-token (subject slabel) path-token (export directory) slabel-token (slabel of the directory) text-token (export options) return-token

Table B–298 Solaris Management Console - authentication

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_admin_authenticate | SMC — authentication | 6123 | ao | 0x00080000 |

Format: header-token subject-token slabel-token return-token host-token

Table B–299 Solaris Management Console - Computers and Networks

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_network_add | SMC Computers and Networks | 6184 | ao | 0x00080000 |
| AUE_network_delete | | 6185 | | |
| AUE_network_modify | | 6186 | | |

Format: header-token subject-token slabel-token text-token (a file, such as: hosts, tnrhtp, tnrhdb, networks, tnidb) text-token (name service) uauth-token text-token (attributes in key-value pair format) return-token host-token

Table B–300 Solaris Management Console - Mounts and Shares

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_filesystem_add | SMC Mounts and Shares | 6181 | ao | 0x00080000 |
| AUE_filesystem_delete | | 6182 | | |
| AUE_filesystem_modify | | 6183 | | |

Format: header-token subject-token slabel-token text-token (SMC object) text-token (name service) uauth-token text-token (attributes in key-value pair format) return-token host-token

Table B–301 Solaris Management Console - Serial Ports

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_serialport_add | SMC Serial Ports | 6193 | ao | 0x00080000 |
| AUE_serialport_delete | | 6194 | | |
| AUE_serialport_modify | | 6195 | | |

Format: header-token subject-token slabel-token text-token (SMC object) text-token (name service) uauth-token text-token (attributes in key-value pair format) return-token host-token

Table B–302 Solaris Management Console - Scheduled Jobs

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_scheduledjob_add | SMC Scheduled Jobs | 6190 | ao | 0x00080000 |
| AUE_scheduledjob_delete | | 6191 | | |
| AUE_scheduledjob_modify | | 6192 | | |

Format: header-token subject-token slabel-token text-token (SMC object) text-token (name service) [uauth-token] (when required) text-token (attributes in key-value pair format) return-token host-token

Table B–303 Solaris Management Console - User Accounts and Rights

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_usermgr_add | SMC User Accounts | 6196 | ad | 0x00000800 |
| AUE_usermgr_delete | | 6197 | | |
| AUE_usermgr_modify | | 6198 | | |

Format: header-token subject-token slabel-token text-token (SMC object) [text-token] (domain name) text-token (name service) uauth-token text-token (attributes in key-value pair format) return-token host-token

Adding a user generates three records, one for each SMC object.

Table B–304 Workspace Label Change

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_sl_change | | 9035 | ap | 0x00004000 |

Format: header-token subject-token slabel-token (original SL) slabel-token (new SL) return-token host-token

Table B–305 su(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_su | /usr/bin/su | 6159 | lo | 0x00001000 |

Format: header-token subject-token text-token (error message) return-token

Table B–306 swap(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_swap | /usr/sbin/swap | 9030 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token text-token (new node name | “*none*”) text-token (new systemname | “*none*”)

Table B–307 uadmin(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uadmin_cmd | /usr/sbin/uadmin | 9023 | ss | 0x00010000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) argument-token (1, “cmd”, command code) argument-token (2, “fcn”, function code)

Table B–308 uauth - Use of Authorization

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uauth | use of authorization | 6199 | ao | 0x00080000 |

(See Table B–267 for use of authorization with printing)

Format: header-token subject-token slabel-token uauth-token text-token (SMC object) return-token host-token

Table B–309 uautho (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uauth | use of authorization | 9017 | ao | 0x00080000 |

Format: header-token text-token (user name) text-token (authorization) subject-token return-token

Table B–310 usermgr (Obsolete)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_um_add_user | | 9302 | ao | 0x00080000 |
| AUE_um_del_user | | 9301 | | |
| AUE_um_mod_user | | 9300 | | |
| AUE_um_set_def | | 9303 | | |

Format: header-token text-token (user info) text-token (error message) return-token subject-token slabel-token

Table B–311 uname(1)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uname_set | /usr/bin/uname | 9024 | as | 0x00020000 |

Format: header-token subject-token groups-token slabel-token return-token exec_args-token (command-line arguments) text-token (new node name)

Table B–312 unshare(1M)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_exportfs | /usr/lib/fs.d/nfs/share | | na | 0x00000400 |

Format: header-token subject-token slabel-token (subject slabel) path-token (export directory) return-token