These audit records are created by system calls which are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:
- The name of the system call
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit event class
- The mask for the event class
- The audit record structure
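
The record structure in each table below is given as a Format line of token names. The following Python checker is an added example, not part of the original reference: it compiles a Format line into a pattern and reports records whose token sequence does not fit, which is a useful sanity check before parsed audit data feeds detection logic. It assumes that bracketed tokens are conditional (as notes such as "(if privilege used or required)" indicate), that parenthesised text is annotation, and that "(0..n)" marks repetition; the function names and the sample records are constructed for illustration.

```python
import re

# Format strings copied from tables on this page. A list holds the variants the
# page gives for one event (for example the zero / non-zero path forms of acct(2)).
FORMATS = {
    "AUE_CHMOD": [
        'header-token argument-token (2, "new file mode", mode) path-token '
        '[attr-token] [slabel-token] (object) [priv-token] (if privilege used or '
        'required) subject-token slabel-token (subject) return-token',
    ],
    "AUE_ACCT": [
        'header-token argument-token (1, "accounting off", 0) [priv-token] '
        '(if privilege used or required) subject-token return-token',
        'header-token path-token [attr-token] subject-token return-token',
    ],
    "AUE_MODADDMAJ": [
        'header-token [text-token] (driver major number) [text-token] (driver name) '
        'text-token (root dir.|"no rootdir") text-token (driver major number|'
        '"no drvname") argument-token (5, "", number of aliases) (0..n)[text-token] '
        '(aliases) [priv-token] (if privilege used or required) subject-token '
        'return-token',
    ],
}

# Optional "*" (repetition), optional "[", the token name, "-token", optional "]".
TOKEN_RE = re.compile(r'(\*)?(\[)?([a-z_-]+?)-token(\])?')


def parse_format(fmt):
    """Return [(token_name, kind)] with kind 'required', 'optional' or 'repeat'."""
    fmt = fmt.replace("(0..n)", "*")         # keep the repetition marker
    fmt = re.sub(r'\([^()]*\)', ' ', fmt)    # drop parenthesised annotations
    spec = []
    for star, lbr, name, rbr in TOKEN_RE.findall(fmt):
        if bool(lbr) != bool(rbr):
            raise ValueError(f"unbalanced brackets around {name}-token")
        kind = "repeat" if star else "optional" if lbr else "required"
        spec.append((name, kind))
    return spec


def compile_format(fmt):
    """Turn a Format line into a regex over a space-terminated token sequence."""
    suffix = {"required": "", "optional": "?", "repeat": "*"}
    return re.compile("".join(f"(?:{re.escape(name)} ){suffix[kind]}"
                              for name, kind in parse_format(fmt)))


def conforms(event, tokens):
    """True if the token names match any Format variant known for the event.

    Events without a known format are treated as non-conforming.
    """
    line = "".join(t + " " for t in tokens)
    return any(compile_format(f).fullmatch(line) for f in FORMATS.get(event, []))


def nonconforming(records):
    """Return the (event, tokens) pairs that fit none of the event's formats."""
    return [(event, tokens) for event, tokens in records
            if not conforms(event, tokens)]


# Constructed sample records: event name plus the token names in record order.
SAMPLE_RECORDS = [
    ("AUE_CHMOD", ["header", "argument", "path", "attr", "subject", "slabel", "return"]),
    # Subject slabel-token missing: the single slabel cannot serve both roles.
    ("AUE_CHMOD", ["header", "argument", "path", "slabel", "subject", "return"]),
    ("AUE_ACCT", ["header", "argument", "subject", "return"]),
    ("AUE_ACCT", ["header", "path", "attr", "subject", "return"]),
    ("AUE_MODADDMAJ", ["header", "text", "text", "argument", "text", "text",
                       "subject", "return"]),
    # Only one text-token where two are required.
    ("AUE_MODADDMAJ", ["header", "text", "argument", "subject", "return"]),
]

if __name__ == "__main__":
    for event, tokens in nonconforming(SAMPLE_RECORDS):
        print("does not match any format:", event, tokens)
```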

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ACCESS | 14 | fa | 0x00000004 |
Format: header-token path-token[attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–6 acct(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ACCT | 18 | as | 0x00020000 |
Format (zero path): header-token argument-token (1, "accounting off", 0) [priv-token] (if privilege used or required) subject-token return-token |
Format (non-zero path): header-token path-token [attr-token] subject-token return-token |

Table B–7 adjtime(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ADJTIME | 50 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–8 audit(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDIT | 211 | no | 0x00000000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–9 auditon(2) — get current active root

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCAR | 224 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–10 auditon(2) — get event class

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCLASS | 231 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–11 auditon(2) — get audit state

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCOND | 229 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–12 auditon(2) — get current working directory

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCWD | 223 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–13 auditon(2) — get kernel mask

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETKMASK | 221 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–14 auditon(2) — get audit statistics

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETSTAT | 225 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–15 auditon(2) — GETPOLICY command

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GPOLICY | 114 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–16 auditon(2) — get audit queue control parameters

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GQCTRL | 145 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–17 auditon(2) — set event class

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETCLASS | 232 | aa | 0x00040000 |
Format: header-token [argument-token] (2, "setclass:ec_event", event number) [argument-token] (3, "setclass:ec_class", class mask) [priv-token] (if privilege used or required) subject-token return-token |

Table B–18 auditon(2) — set audit state

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETCOND | 230 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setcond", audit state) [priv-token] (if privilege used or required) subject-token return-token |

Table B–19 auditon(2) — set kernel mask

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETKMASK | 222 | aa | 0x00040000 |
Format: header-token [argument-token] (2, "setkmask:as_success", kernel mask) [argument-token] (2, "setkmask:as_failure", kernel mask) [priv-token] (if privilege used or required) subject-token return-token |

Table B–20 auditon(2) — set mask per session ID

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETSMASK | 228 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setsmask:as_success", session ID mask) [argument-token] (3, "setsmask:as_failure", session ID mask) [priv-token] (if privilege used or required) subject-token return-token |

Table B–21 auditon(2) — reset audit statistics

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETSTAT | 226 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–22 auditon(2) — set mask per uid

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETUMASK | 227 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setumask:as_success", audit ID mask) [argument-token] (3, "setumask:as_failure", audit ID mask) [priv-token] (if privilege used or required) subject-token return-token |

Table B–23 auditon(2) — SETPOLICY command

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SPOLICY | 147 | aa | 0x00040000 |
Format: header-token [argument-token] (1, "policy", audit policy flags) [priv-token] (if privilege used or required) subject-token return-token |

Table B–24 auditon(2) — set audit queue control parameters

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SQCTRL | 146 | aa | 0x00040000 |
Format: header-token [argument-token] (3,"setqctrl:aq_hiwater",queue control param.) [argument-token] (3,"setqctrl:aq_lowater",queue control param.) [argument-token] (3,"setqctrl:aq_bufsz",queue control param.) [argument-token] (3,"setqctrl:aq_delay",queue control param.) [priv-token] (if privilege used or required) subject-token return-token |

Table B–25 auditpsa(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITPSA | 529 | aa | 0x00040000 |
Format (valid file descriptor): header-token argument-token (1, "op", state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–26 auditstat(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITSTAT | 150 | aa | 0x00040000 |
Format: header-token [argument-token] [priv-token] (if privilege used or required) subject-token return-token |

Table B–27 auditsvc(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITSVC | 136 | aa | 0x00040000 |
Format (valid file descriptor): header-token [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Format (invalid file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |

Table B–28 chdir(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHDIR | 8 | pm | 0x00200000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–29 chmod(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHMOD | 10 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–30 chown(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHOWN | 11 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–31 chroot(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHROOT | 24 | pm | 0x00200000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–32 chstate(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHSTATE | 538 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–33 clock_settime(3R)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CLOCK_SETTIME | 513 | as | 0x00000800 |
Format: header-token slabel-token return-token |

Table B–34 close(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CLOSE | 112 | cl | 0x00000040 |
Format: <file system object> header-token argument-token (1, "fd", file descriptor) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Also for files closed on process termination. The argument-token is only present with the close() system call. It may be removed in future releases. The path-token is present only with valid file descriptors. |

Table B–35 creat(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CREAT | 4 | fc | 0x00000010 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–36 devpolicy(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_DRVPOLICY | 531 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–37 enter prom, exit prom

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ENTERPROM | 153 | na | 0x00000400 |
AUE_EXITPROM | 154 | na | 0x00000400 |
Format: header-token text-token (addr, "monitor PROM"|"kadb") [priv-token] (if privilege used or required) subject-token return-token |

Table B–38 exec(2), execve(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_EXEC | 7 | ps | 0x00100000 |
AUE_EXECVE | 23 | ps | 0x00100000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–39 exit(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_EXIT | 1 | pm | 0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–40 fauditpsa(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FAUDITPSA | 530 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–41 fchdir(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHDIR | 68 | pc | 0x00300000 |
Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–42 fchmod(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHMOD | 39 | fm | 0x00000008 |
Format (valid file descriptor): header-token argument-token (2, "new file mode", mode) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (invalid file descriptor): header-token argument-token (2, "new file mode", mode) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–43 fchown(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHOWN | 38 | fm | 0x00000008 |
Format (valid file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (non-file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–44 fchroot(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHROOT | 69 | pm | 0x00200000 |
Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–45 fcntl(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) | 30 | fn | 0x40000000 |
Format (file descriptor): header-token argument-token (2, "cmd", cmd) path-token attr-token [priv-token] (if privilege used or required) subject-token return-token |
Format (bad file descriptor): header-token argument-token (2, "cmd", cmd) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |

Table B–46 fgetsldname(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FGETSLDNAME | 532 | fc | 0x00000010 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–47 fork(2), fork1(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FORK | 2 | ps | 0x00100000 |
AUE_FORK1 | 241 | ps | 0x00100000 |
Format: header-token [argument-token] (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token The fork() and fork1() return values are undefined since each audit record is produced at the point that the child process is spawned. |

Table B–48 fsetcmwlabel(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSETCMWLABEL | 544 | fm | 0x00000008 |
Format: header-token argument-token (3, "flag", which parts of label to set) [slabel-token] (if slabel is being set) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–49 fsetfattrflag(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSETFATTRFLAG | 523 | fm | 0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–50 fstatfs(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSTATFS | 55 | fa | 0x00000004 |
Format (file descriptor): header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (non-file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–51 getaudit(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETAUDIT | 132 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–52 getaudit_addr(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETAUDIT_ADDR | 267 | aa | 0x00000800 |
Format: header-token subject-token return-token |

Table B–53 getauid(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETAUID | 130 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–54 getcmwfsrange(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETCMWFSRANGE | 545 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–55 getcmwlabel(2), fgetcmwlabel(2), lgetcmwlabel(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETCMWLABEL | 546 | fa | 0x00000004 |
AUE_FGETCMWLABEL | 118 | fa | 0x00000004 |
AUE_LGETCMWLABEL | 548 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–56 getdents(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETDENTS | 193 | no | 0x00000000 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |

Table B–57 getfpriv(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETFILEPRIV | 547 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–58 getmldadorn(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMLDADORN | 554 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–59 getmsg(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMSG | 217 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |

Table B–60 getmsg(2) — accept, receive

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SOCKACCEPT | 247 | nt | 0x00000100 |
AUE_SOCKRECEIVE | 250 | nt | 0x00000100 |
Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |

Table B–61 getmsgqcmwlabel(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMSGQCMWLABEL | 514 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–62 getpmsg(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETPMSG | 219 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |

Table B–63 getportaudit(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETPORTAUDIT | 149 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |

Table B–64 getsemcmwlabel(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSEMCMWLABEL | 515 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the sem ID is invalid. |

Table B–65 getshmcmwlabel(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSHMCMWLABEL | 516 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the shm ID is invalid. |

Table B–66 getsldname(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSLDNAME | 555 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–67 ioctl(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_IOCTL | 158 | io | 0x20000000 |
Format (good file descriptor): header-token path-token [attr-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token |
Format (socket): header-token [socket-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token |
Format (non-file file descriptor): header-token argument-token (1, "fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token |
Format (bad file name): header-token argument-token (1, "no path: fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token |

Table B–68 kill(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_KILL | 15 | pm | 0x00200000 |
Format (valid process): header-token argument-token (2, "signal", signo) [process-token] [slabel-token] (process) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (zero or negative process): header-token argument-token (2, "signal", signo) argument-token (1, "process", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–69 lchown(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LCHOWN | 237 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |

Table B–70 link(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LINK | 5 | fc | 0x00000010 |
Format: header-token path-token (from path) [attr-token] (from path) [slabel-token] (from path) path-token (to path) [attr-token] (to path) [slabel-token] (to path) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–71 lstat(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LSTAT | 17 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |

Table B–72 lxstat(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LXSTAT | 236 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–73 memcntl(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MEMCNTL | 238 | ot | 0x80000000 |
Format: header-token argument-token (1, "base", base address) argument-token (2, "len", length) argument-token (3, "cmd", command) argument-token (4, "arg", command args) argument-token (5, "attr", command attributes) argument-token (6, "mask", 0) [priv-token] (if privilege used or required) subject-token return-token |

Table B–74 mkdir(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MKDIR | 47 | fc | 0x00000010 |
Format: header-token argument-token (2, "mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–75 mknod(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MKNOD | 9 | fc | 0x00000010 |
Format: header-token argument-token (2, "mode", mode) argument-token (3, "dev", dev) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–76 mldsetfattrflag(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MLDSETFATTRFLAG | 524 | fm | 0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token |

Table B–77 mmap(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MMAP | 210 | no | 0x00000000 |
Format (valid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Format (invalid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |

Table B–78 modctl(2) — bind module

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODADDMAJ | 246 | as | 0x00000800 |
Format: header-token [text-token] (driver major number) [text-token] (driver name) text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") argument-token (5, "", number of aliases) (0..n)[text-token] (aliases) [priv-token] (if privilege used or required) subject-token return-token |

Table B–79 modctl(2) — configure module

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODCONFIG | 245 | as | 0x00000800 |
Format: header-token text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") [priv-token] (if privilege used or required) subject-token return-token |

Table B–80 modctl(2) — load module

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODLOAD | 243 | as | 0x00020000 |
Format: header-token [text-token] (default path) text-token (filename path) [priv-token] (if privilege used or required) subject-token return-token |

Table B–81 modctl(2) — unload module

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODUNLOAD | 244 | as | 0x00020000 |
Format: header-token argument-token (1, "id", module ID) [priv-token] (if privilege used or required) subject-token return-token |

Table B–82 mount(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MOUNT | 62 | ao | 0x00080000 |
Format (UNIX file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (NFS file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) text-token (host name) argument-token (3, "internal flags", flags) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–83 msgctl(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL | 84 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [ipc-token] subject-token return-token The ipc and ipc_perm tokens are not included if the msg ID is not valid. |

Table B–84 msgctl(2) — IPC_RMID command

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_RMID | 85 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–85 msgctl(2) — IPC_SET command

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_SET | 86 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–86 msgctl(2) — IPC_STAT command

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_STAT | 87 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–87 msgget(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGGET | 88 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–88 msggetl(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGGETL | 174 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) slabel-token (desired SL) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–89 msgrcv(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGRCV | 89 | ip | 0x00000200 |
AUE_MSGRCVL | 175 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–90 msgsnd(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGSND | 90 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |

Table B–91 munmap(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MUNMAP | 214 | cl | 0x00000040 |
Format: header-token argument-token (1, "addr", address of memory) argument-token (2, "len", memory segment size) [priv-token] (if privilege used or required) subject-token return-token |

Table B–92 old nice(2)

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_NICE | 203 | pc | 0x00300000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–93 open(2) — read

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_R | 72 | fr | 0x00000001 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–94 open(2) — read,creat

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RC | 73 | fc,fr | 0x00000011 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–95 open(2) — read,trunc,creat

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RTC | 75 | fc,fd,fr | 0x00000031 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |

Table B–96 open(2) — read,trunc

Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RT | 74 | fd,fr | 0x00000021 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–97 open(2) — read,write
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RW |
80 |
fr,fw |
0x00000003 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–98 open(2) — read,write,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWC |
81 |
fr,fw,fc |
0x00000013 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–99 open(2) — read,write,trunc,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWTC |
83 |
fr,fw,fc,fd |
0x00000033 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–100 open(2) — read,write,trunc
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_RWT |
82 |
fr,fw,fd |
0x00000023 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–101 open(2) — write
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_W |
76 |
fw |
0x00000002 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–102 open(2) — write,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WC |
77 |
fw,fc |
0x00000012 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–103 open(2) — write,trunc,creat
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WTC |
79 |
fw,fc,fd |
0x00000032 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–104 open(2) — write,trunc
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OPEN_WT |
78 |
fw,fd |
0x00000022 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–105 pathconf(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PATHCONF |
71 |
fa |
0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–106 pipe(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PIPE |
185 |
no |
0x00000000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–107 preadl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PREADL |
527 |
no |
0x00000000 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–108 priocntl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PRIOCNTLSYS |
212 |
pm |
0x00200000 |
Format: header-token argument-token (1, "pc_version", priocntl version num.) argument-token (3, "cmd", command) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–109 processor_bind(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PROCESSOR_BIND |
263 |
ao |
0x00080000 |
Format: header-token slabel-token return-token |
Table B–110 privilege enable
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PRIVENABLE |
533 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–111 process dumped core
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_CORE |
111 |
fc |
0x00000010 |
Format: header-token path-token [attr-token] argument-token (1, "signal", signal) [priv-token] (if privilege used or required) subject-token return-token |
Table B–112 putmsg(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PUTMSG |
216 |
nt |
0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B–113 putmsg(2) - connect, send
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKCONNECT |
248 |
nt |
0x00000100 |
AUE_SOCKSEND |
249 |
nt |
0x00000100 |
Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B–114 putpmsg(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PUTPMSG |
218 |
nt |
0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B–115 quotactl(7I)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_QUOTACTL |
60 |
ao |
0x00080000 |
Format: header-token subject-token return-token |
Table B–116 read(2), readl(2), readvl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_READ |
192 |
no |
0x00000000 |
AUE_READL |
558 |
|
|
AUE_READVL |
559 |
|
|
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–117 readlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_READLINK |
22 |
fr |
0x00000001 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–118 recvmsg(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RECVMSG |
190 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (3, "flags", message flags) sock-inet-token (from address) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–119 rename(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RENAME |
42 |
fc,fd |
0x00000030 |
Format: header-token path-token (from name) [attr-token] (from name) [slabel-token] (from name) [path-token] (to name) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–120 rmdir(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_RMDIR |
48 |
fd |
0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–121 semctl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL |
98 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [ipc-token] subject-token return-token The ipc and ipc_perm tokens are not included if the semaphore ID is not valid. |
Table B–122 semctl(2) — getall
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETALL |
105 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–123 semctl(2) — GETNCNT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETNCNT |
102 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–124 semctl(2) — GETPID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETPID |
103 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–125 semctl(2) — GETVAL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETVAL |
104 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–126 semctl(2) — GETZCNT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_GETZCNT |
106 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–127 semctl(2) — IPC_RMID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_RMID |
99 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–128 semctl(2) — IPC_SET command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SET |
100 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–129 semctl(2) — SETALL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SETALL |
108 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–130 semctl(2) — SETVAL command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_SETVAL |
107 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–131 semctl(2) — IPC_STAT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMCTL_STAT |
101 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–132 semget(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMGET |
109 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–133 semgetl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMGETL |
177 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) slabel-token [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the system call failed. |
Table B–134 semop(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SEMOP |
110 |
ip |
0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B–135 sendmsg(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SENDMSG |
188 |
nt |
0x00000100 |
Format: header-token sock-inet-token sock-inet-token (to address) argument-token (3, "flags", message flags) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–136 sendto(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SENDTO |
184 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (3, "len", message length) [argument-token] (4, "flags", flags) argument-token (6, "tolen", address length) sock-inet-token (to address) subject-token return-token The sock_inet token for a bad socket is reported as: argument-token (1, "fd", socket descriptor) |
Table B–137 setacl(1), setfacl(1)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_ACLSET |
251 |
fm |
0x00000008 |
AUE_FACLSET |
252 |
fm |
0x00000008 |
Format: header-token argument-token (2, "cmd", command) argument-token (3, "n_entries", number of acl entries) acl-token … (token repeated "n_entries" times) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–138 setaudit(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUDIT |
133 |
aa |
0x00040000 |
Format (valid program stack address): header-token argument-token (1, "setaudit:auid", audit user ID) argument-token (1, "setaudit:port", terminal ID) argument-token (1, "setaudit:machine", terminal ID) argument-token (1, "setaudit:as_success", preselection mask) argument-token (1, "setaudit:as_failure", preselection mask) argument-token (1, "setaudit:asid", audit session ID) [priv-token] (if privilege used or required) subject-token return-token Format (invalid program stack address): header-token subject-token return-token |
Table B–139 setaudit_addr(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUDIT_ADDR |
266 |
aa |
0x00000800 |
Format: header-token argument-token (1, "auid", audit user ID) argument-token (1, "port", terminal ID) argument-token (1, "type", machine address type) argument-token (1, "as_success", preselection mask) argument-token (1, "as_failure", preselection mask) argument-token (1, "asid", audit session ID) subject-token return-token |
Table B–140 setauid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETAUID |
131 |
aa |
0x00040000 |
Format: header-token argument-token (2, "setauid", audit user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–141 setclearance(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCLEARANCE |
542 |
fm |
0x00000008 |
Format: header-token clearance-token (specified) clearance-token (old) clearance-token (new) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–142 setcmwlabel(2), lsetcmwlabel(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCMWLABEL |
549 |
fm |
0x00000008 |
AUE_LSETCMWLABEL |
525 |
fm |
0x00000008 |
Format: header-token argument-token (3, “flag”, which parts of label to set) [slabel-token] (if slabel is being set) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–143 setcmwplabel(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETCMWPLABEL |
541 |
fm |
0x00000008 |
Format (setting flag == SETCL_ALL): header-token slabel-token (SL from input argument) slabel-token (original SL) argument-token (2, “flag”, value) slabel-token (new SL) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (setting flag == SETCL_SL): header-token slabel-token (SL from input argument) slabel-token (SL of subject before) argument-token (2, “flag”, value) slabel-token (SL of subject after) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (setting flag == SETCL_IL): header-token argument-token (2, “flag”, value) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–144 setegid(2), old setgid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETEGID |
214 |
pm |
0x00200000 |
AUE_SETGID |
205 |
pm |
0x00200000 |
Format: header-token argument-token (1, "gid", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–145 seteuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETEUID |
215 |
pm |
0x00200000 |
Format: header-token argument-token (1, "gid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–146 setfattrflag(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETFATTRFLAG |
522 |
fm |
0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–147 setfpriv(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETFILEPRIV |
550 |
fm |
0x00000008 |
Format: header-token argument-token (4, "privilege type", privilege set type) privilege-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–148 setgroups(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETGROUPS |
26 |
pm |
0x00200000 |
Format: header-token [argument-token] (1, "setgroups", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token One argument-token for each group set. |
Table B–149 setpattr(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPATTR |
526 |
ps |
0x00100000 |
Format: header-token argument-token (1, “type”, type of attribute to set) argument-token (2, “value”, value of attribute) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–150 setpgrp(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPGRP |
27 |
pm |
0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–151 setppriv(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETPROCPRIV |
127 |
fm |
0x00000008 |
Format: header-token argument-token (3, “type”, privilege set type) argument-token (4, “op”, operation to perform) privilege-token (specified) privilege-token (old) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–152 setregid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETREGID |
41 |
pm |
0x00200000 |
Format: header-token argument-token (1, "rgid", real group ID) argument-token (1, "egid", effective group ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–153 setreuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETREUID |
40 |
pm |
0x00200000 |
Format: header-token argument-token (1, "ruid", real user ID) argument-token (1, "euid", effective user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B–154 setrlimit(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETRLIMIT |
51 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–155 setsockopt(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SETSOCKOPT |
35 |
nt |
0x00000100 |
Format: header-token sock-inet-token argument-token (2, "level", protocol level) [argument-token] (3, "optname", option name) argument-token (4, "val", option value) argument-token (5, "optlen", option length) subject-token return-token The sock_inet token for a non-socket operation is reported as: argument-token (1, "fd", file descriptor) |
Table B–156 old setuid(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_OSETUID |
200 |
pm |
0x00200000 |
Format: header-token argument-token (1, "uid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–157 shmat(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMAT |
96 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (2, "shm adr", shared mem addr) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–158 shmctl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL |
91 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shmid", shared memory ID) [ipc-token] subject-token return-token The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid. |
Table B–159 shmctl(2) — IPC_RMID command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_RMID |
92 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–160 shmctl(2) — IPC_SET command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_SET |
93 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–161 shmctl(2) — IPC_STAT command
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMCTL_STAT |
94 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B–162 shmdt(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMDT |
97 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm adr", shared mem addr) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–163 shmget(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMGET |
95 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) [argument-token] [slabel-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B–164 shmgetl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHMGETL |
178 |
ip |
0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) slabel-token [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B–165 sockconfig()
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKCONFIG |
265 |
nt |
0x00000100 |
Format: header-token argument-token (1, "domain", socket domain) [argument-token] (2, "type", socket type) argument-token (3, "protocol", socket protocol) text-token subject-token return-token |
Table B–166 socket(3SOCKET)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SOCKET |
183 |
nt |
0x00000100 |
Format: header-token argument-token (1, "domain", socket domain) [argument-token] (2, "type", socket type) argument-token (3, "protocol", socket protocol) subject-token return-token |
Table B–167 stat(2), statfs(2), statvfs(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_STAT |
16 |
fa |
0x00000004 |
AUE_STATFS |
54 |
fa |
0x00000004 |
AUE_STATVFS |
234 |
fa |
0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–168 stime(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_STIME |
201 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B–169 symlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYMLINK |
21 |
fc |
0x00000010 |
Format: header-token text-token (symbolic link string) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–170 sysinfo(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYSINFO |
39 |
as |
0x00020000 |
Format: header-token argument-token (1, "cmd", command) text-token (name) [priv-token] (if privilege used or required) subject-token return-token |
Table B–171 system booted
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SYSTEMBOOT |
113 |
na |
0x00000400 |
Format: header-token text-token ("booting kernel") return-token |
Table B–172 tnif(2), tnrh(2), tnrhtp(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_TNIF |
534 |
nt |
0x00000100 |
AUE_TNRH |
535 |
|
|
AUE_TNRHTP |
536 |
|
|
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–173 tokmapper(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_TOKMAPPER |
537 |
nt |
0x00000100 |
Format: header-token argument-token (1, “op”, state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–174 uadmin(2) - system freeze
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_FREEZE |
539 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–175 uadmin(2) - system reboot
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_REBOOT |
561 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–176 uadmin(2) - system remount
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_REMOUNT |
540 |
as |
0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–177 uadmin(2) - system shutdown
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_SHUTDOWN |
560 |
ss |
0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–178 umount(2) — old version
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UMOUNT |
12 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–179 umount(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UMOUNT2 |
268 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–180 unlink(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UNLINK |
6 |
fd |
0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–181 old utime(2), utimes(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UTIME |
202 |
fm |
0x00000008 |
AUE_UTIMES |
49 |
fm |
0x00000008 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–182 utssys(2) — fusers
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_UTSSYS |
233 |
ao |
0x00080000 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B–183 vfork(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_VFORK |
25 |
ps |
0x00100000 |
Format: header-token argument-token (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token The fork return values are undefined since the audit record is produced at the point that the child process is spawned. |
Table B–184 vtrace(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_VTRACE |
36 |
pm |
0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B–185 write(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_WRITE |
195 |
no |
0x00000000 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–186 writel(2), pwritel(2), writevl(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_PWRITEL |
528 |
no |
0x00000000 |
AUE_WRITEL |
552 |
fm |
0x00000008 |
AUE_WRITEVL |
553 |
fm |
0x00000008 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B–187 xmknod(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_XMKNOD |
240 |
fc |
0x00000010 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B–188 xstat(2)
Event Name |
Event ID |
Event Class |
Mask |
---|---|---|---|
AUE_XSTAT |
235 |
fa |
0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |