These audit records are created by system calls that are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:

- The name of the system call
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit event class
- The mask for the event class
- The audit record structure

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_ACCESS | 14 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-6 acct(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_ACCT | 18 | ad | 0x00000800

Format (zero path):
header-token
argument-token (1, "accounting off", 0)
subject-token
return-token
Format (non-zero path):
header-token
path-token
[attr-token]
subject-token
return-token

Table A-7 adjtime(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_ADJTIME | 50 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-8 audit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDIT | 211 | no | 0x00000000

Format:
header-token
subject-token
return-token

Table A-9 auditon(2) - get car

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETCAR | 224 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-10 auditon(2) - get event class

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETCLASS | 231 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-11 auditon(2) - get audit state

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETCOND | 229 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-12 auditon(2) - get cwd

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETCWD | 223 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-13 auditon(2) - get kernel mask

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETKMASK | 221 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-14 auditon(2) - get audit statistics

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GETSTAT | 225 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-15 auditon(2) - GPOLICY command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GPOLICY | 114 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-16 auditon(2) - GQCTRL command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_GQCTRL | 145 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-17 auditon(2) - set event class

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETCLASS | 232 | ad | 0x00000800

Format:
header-token
[argument-token] (2, "setclass:ec_event", event number)
[argument-token] (3, "setclass:ec_class", class mask)
subject-token
return-token

Table A-18 auditon(2) - set audit state

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETCOND | 230 | ad | 0x00000800

Format:
header-token
[argument-token] (3, "setcond", audit state)
subject-token
return-token

Table A-19 auditon(2) - set kernel mask

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETKMASK | 222 | ad | 0x00000800

Format:
header-token
[argument-token] (2, "setkmask:as_success", kernel mask)
[argument-token] (2, "setkmask:as_failure", kernel mask)
return-token

Table A-20 auditon(2) - set mask per session ID

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETSMASK | 228 | ad | 0x00000800

Format:
header-token
[argument-token] (3, "setsmask:as_success", session ID mask)
[argument-token] (3, "setsmask:as_failure", session ID mask)
subject-token
return-token

Table A-21 auditon(2) - reset audit statistics

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETSTAT | 226 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-22 auditon(2) - set mask per uid

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SETUMASK | 227 | ad | 0x00000800

Format:
header-token
[argument-token] (3, "setumask:as_success", audit ID mask)
[argument-token] (3, "setumask:as_failure", audit ID mask)
subject-token
return-token

Table A-23 auditon(2) - SPOLICY command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SPOLICY | 147 | ad | 0x00000800

Format:
header-token
[argument-token] (1, "policy", audit policy flags)
subject-token
return-token

Table A-24 auditon(2) - SQCTRL command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITON_SQCTRL | 146 | ad | 0x00000800

Format:
header-token
[argument-token] (3,"setqctrl:aq_hiwater",queue control param.)
[argument-token] (3,"setqctrl:aq_lowater",queue control param.)
[argument-token] (3,"setqctrl:aq_bufsz",queue control param.)
[argument-token] (3,"setqctrl:aq_delay",queue control param.)
subject-token
return-token

Table A-25 auditsvc(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_AUDITSVC | 136 | ad | 0x00000800

Format (valid file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-26 chdir(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CHDIR | 8 | pc | 0x00000080

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-27 chmod(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CHMOD | 10 | fm | 0x00000008

Format:
header-token
argument-token (2, "new file mode", mode)
path-token
[attr-token]
subject-token
return-token

Table A-28 chown(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CHOWN | 11 | fm | 0x00000008

Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token

Table A-29 chroot(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CHROOT | 24 | pc | 0x00000080

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-30 close(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CLOSE | 112 | cl | 0x00000040

Format:
<file system object>
header-token
argument-token (1, "fd", file descriptor)
[path-token]
[attr-token]
subject-token
return-token

Table A-31 creat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CREAT | 4 | fc | 0x00000010

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-32 enter prom

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_ENTERPROM | 153 | na | 0x00000400

Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token

Table A-33 exec(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_EXEC | 7 | pc,ex | 0x40000080

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-34 execve(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_EXECVE | 23 | pc,ex | 0x40000080

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-35 exit prom

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_EXITPROM | 154 | na | 0x00000400

Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token

Table A-36 exit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_EXIT | 1 | pc | 0x00000080

Format:
header-token
subject-token
return-token

Table A-37 fchdir(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FCHDIR | 68 | pc | 0x00000080

Format:
header-token
[path-token]
[attr-token]
subject-token
return-token

Table A-38 fchmod(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FCHMOD | 39 | fm | 0x00000008

Format (valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-39 fchown(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FCHOWN | 38 | fm | 0x00000008

Format (valid file descriptor):
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
[path-token]
[attr-token]
subject-token
return-token
Format (non-file descriptor):
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-40 fchroot(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FCHROOT | 69 | pc | 0x00000080

Format:
header-token
[path-token]
[attr-token]
subject-token
return-token

Table A-41 fcntl(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) | 30 | fm | 0x00000008

Format (file descriptor):
header-token
argument-token (2, "cmd", cmd)
path-token
attr-token
subject-token
return-token
Format (bad file descriptor):
header-token
argument-token (2, "cmd", cmd)
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-42 fork(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FORK | 2 | pc | 0x00000080

Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token
The fork() return values are undefined because the audit record is produced at the point that the child process is spawned.

Table A-43 fork1(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FORK1 | 241 | pc | 0x00000080

Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token
The fork1() return values are undefined because the audit record is produced at the point that the child process is spawned.

Table A-44 fstatfs(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_FSTATFS | 55 | fa | 0x00000004

Format (file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token
Format (non-file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-45 getaudit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_GETAUDIT | 132 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-46 getauid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_GETAUID | 130 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-47 getmsg(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_GETMSG | 217 | nt | 0x00000100

Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-48 getmsg - accept

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SOCKACCEPT | 247 | nt | 0x00000100

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-49 getmsg - receive

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SOCKRECEIVE | 250 | nt | 0x00000100

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-50 getpmsg(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_GETPMSG | 219 | nt | 0x00000100

Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token

Table A-51 getportaudit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_GETPORTAUDIT | 149 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-52 ioctl(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_IOCTL | 158 | io | 0x20000000

Format (good file descriptor):
header-token
path-token
[attr-token]
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
Format (socket):
header-token
[socket-token]
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
Format (non-file file descriptor):
header-token
argument-token (1, "fd", file descriptor)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
Format (bad file name):
header-token
argument-token (1, "no path: fd", fd)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token

Table A-53 kill(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_KILL | 15 | pc | 0x00000080

Format (valid process):
header-token
argument-token (2, "signal", signo)
[process-token]
subject-token
return-token
Format (zero or negative process):
header-token
argument-token (2, "signal", signo)
argument-token (1, "process", pid)
subject-token
return-token

Table A-54 lchown(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_LCHOWN | 237 | fm | 0x00000008

Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token

Table A-55 link(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_LINK | 5 | fc | 0x00000010

Format:
header-token
path-token (from path)
[attr-token] (from path)
path-token (to path)
subject-token
return-token

Table A-56 lstat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_LSTAT | 17 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-57 lxstat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_LXSTAT | 236 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-58 memcntl(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MEMCNTL | 238 | ot | 0x80000000

Format:
header-token
argument-token (1, "base", base address)
argument-token (2, "len", length)
argument-token (3, "cmd", command)
argument-token (4, "arg", command args)
argument-token (5, "attr", command attributes)
argument-token (6, "mask", 0)
subject-token
return-token

Table A-59 mkdir(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MKDIR | 47 | fc | 0x00000010

Format:
header-token
argument-token (2, "mode", mode)
path-token
[attr-token]
subject-token
return-token

Table A-60 mknod(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MKNOD | 9 | fc | 0x00000010

Format:
header-token
argument-token (2, "mode", mode)
argument-token (3, "dev", dev)
path-token
[attr-token]
subject-token
return-token

Table A-61 mmap(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MMAP | 210 | no | 0x00000000

Format (valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
argument-token (1, "no path: fd", fd)
subject-token
return-token

Table A-62 modctl(2) - bind module

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MODADDMAJ | 246 | ad | 0x00000800

Format:
header-token
[text-token] (driver major number)
[text-token] (driver name)
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
argument-token (5, "", number of aliases)
(0..n)[text-token] (aliases)
subject-token
return-token

Table A-63 modctl(2) - configure module

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MODCONFIG | 245 | ad | 0x00000800

Format:
header-token
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
subject-token
return-token

Table A-64 modctl(2) - load module

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MODLOAD | 243 | ad | 0x00000800

Format:
header-token
[text-token] (default path)
text-token (filename path)
subject-token
return-token

Table A-65 modctl(2) - unload module

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MODUNLOAD | 244 | ad | 0x00000800

Format:
header-token
argument-token (1, "id", module ID)
subject-token
return-token

Table A-66 mount(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MOUNT | 62 | ad | 0x00000800

Format (UNIX file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
path-token
[attr-token]
subject-token
return-token
Format (NFS file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
text-token (host name)
argument-token (3, "internal flags", flags)

Table A-67 msgctl(2) - IPC_RMID command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGCTL_RMID | 85 | ip | 0x00000200

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-68 msgctl(2) - IPC_SET command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGCTL_SET | 86 | ip | 0x00000200

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-69 msgctl(2) - IPC_STAT command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGCTL_STAT | 87 | ip | 0x00000200

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-70 msgget(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGGET | 88 | ip | 0x00000200

Format:
header-token
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-71 msgrcv(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGRCV | 89 | ip | 0x00000200

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-72 msgsnd(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MSGSND | 90 | ip | 0x00000200

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.

Table A-73 munmap(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_MUNMAP | 214 | cl | 0x00000040

Format:
header-token
argument-token (1, "addr", address of memory)
argument-token (2, "len", memory segment size)
subject-token
return-token

Table A-74 old nice(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_NICE | 203 | pc | 0x00000080

Format:
header-token
subject-token
return-token

Table A-75 open(2) - read

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_R | 72 | fr | 0x00000001

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-76 open(2) - read,creat

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RC | 73 | fc,fr | 0x00000011

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-77 open(2) - read,creat,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RTC | 75 | fc,fd,fr | 0x00000031

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-78 open(2) - read,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RT | 74 | fd,fr | 0x00000021

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-79 open(2) - read,write

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RW | 80 | fr,fw | 0x00000003

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-80 open(2) - read,write,creat

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RWC | 81 | fr,fw,fc | 0x00000013

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-81 open(2) - read,write,create,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RWTC | 83 | fr,fw,fc,fd | 0x00000033

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-82 open(2) - read,write,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_RWT | 82 | fr,fw,fd | 0x00000023

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-83 open(2) - write

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_W | 76 | fw | 0x00000002

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-84 open(2) - write,creat

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_WC | 77 | fw,fc | 0x00000012

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-85 open(2) - write,creat,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_WTC | 79 | fw,fc,fd | 0x00000032

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-86 open(2) - write,trunc

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OPEN_WT | 78 | fw,fd | 0x00000022

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-87 pathconf(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_PATHCONF | 71 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-88 pipe(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_PIPE | 185 | no | 0x00000000

Format:
header-token
subject-token
return-token

Table A-89 priocntlsys(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_PRIOCNTLSYS | 212 | pc | 0x00000080

Format:
header-token
argument-token (1, "pc_version", priocntl version num.)
argument-token (3,"cmd", command)
subject-token
return-token

Table A-90 process dumped core

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_CORE | 111 | fc | 0x00000010

Format:
header-token
path-token
[attr-token]
argument-token (1, "signal", signal)
subject-token
return-token

Table A-91 putmsg(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_PUTMSG | 216 | nt | 0x00000100

Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-92 putmsg-connect

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SOCKCONNECT | 248 | nt | 0x00000100

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-93 putmsg-send

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SOCKSEND | 249 | nt | 0x00000100

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token

Table A-94 putpmsg(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_PUTPMSG | 218 | nt | 0x00000100

Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token

Table A-95 readlink(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_READLINK | 22 | fr | 0x00000001

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-96 rename(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_RENAME | 42 | fc,fd | 0x00000030

Format:
header-token
path-token (from name)
[attr-token] (from name)
[path-token] (to name)
subject-token
return-token

Table A-97 rmdir(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_RMDIR | 48 | fd | 0x00000020

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-98 semctl(2) - getall

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_GETALL | 105 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-99 semctl(2) - GETNCNT command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_GETNCNT | 102 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-100 semctl(2) - GETPID command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_GETPID | 103 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-101 semctl(2) - GETVAL command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_GETVAL | 104 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-102 semctl(2) - GETZCNT command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_GETZCNT | 106 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-103 semctl(2) - IPC_RMID command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_RMID | 99 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-104 semctl(2) - IPC_SET command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_SET | 100 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-105 semctl(2) - SETALL command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_SETALL | 108 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-106 semctl(2) - SETVAL command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_SETVAL | 107 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-107 semctl(2) - IPC_STAT command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMCTL_STAT | 101 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

Table A-108 semget(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMGET | 109 | ip | 0x00000200

Format:
header-token
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the system call failed.

Table A-109 semop(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SEMOP | 110 | ip | 0x00000200

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.

Table A-110 setaudit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETAUDIT | 133 | ad | 0x00000800

Format (valid program stack address):
header-token
argument-token (1, "setaudit:auid", audit user ID)
argument-token (1, "setaudit:port", terminal ID)
argument-token (1, "setaudit:machine", terminal ID)
argument-token (1, "setaudit:as_success", preselection mask)
argument-token (1, "setaudit:as_failure", preselection mask)
argument-token (1, "setaudit:asid", audit session ID)
subject-token
return-token
Format (not valid program stack address):
header-token
subject-token
return-token

Table A-111 setauid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETAUID | 131 | ad | 0x00000800

Format:
header-token
argument-token (2, "setauid", audit user ID)
subject-token
return-token

Table A-112 setegid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETEGID | 214 | pc | 0x00000080

Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token

Table A-113 seteuid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETEUID | 215 | pc | 0x00000080

Format:
header-token
argument-token (1, "gid", user ID)
subject-token
return-token

Table A-114 old setgid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETGID | 205 | pc | 0x00000080

Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token

Table A-115 setgroups(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETGROUPS | 26 | pc | 0x00000080

Format:
header-token
[argument-token] (1, "setgroups", group ID)
subject-token
return-token
One argument-token for each group set.

Table A-116 setpgrp(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETPGRP | 27 | pc | 0x00000080

Format:
header-token
subject-token
return-token

Table A-117 setrlimit(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SETRLIMIT | 51 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-118 old setuid(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_OSETUID | 200 | pc | 0x00000080

Format:
header-token
argument-token (1, "uid", user ID)
subject-token
return-token
Because of a current bug in the audit software, this token is reported as AUE_OSETUID.

Table A-119 shmat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMAT | 96 | ip | 0x00000200

Format:
header-token
argument-token (1, "shmid", shared memory ID)
argument-token (2, "shmaddr", shared mem addr)
[ipc-token]
[ipc_perm-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-120 shmctl(2) - IPC_RMID command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMCTL_RMID | 92 | ip | 0x00000200

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-121 shmctl(2) - IPC_SET command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMCTL_SET | 93 | ip | 0x00000200

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
[ipc_perm-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-122 shmctl(2) - IPC_STAT command

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMCTL_STAT | 94 | ip | 0x00000200

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-123 shmdt(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMDT | 97 | ip | 0x00000200

Format:
header-token
argument-token (1, "shmaddr", shared mem addr)
subject-token
return-token

Table A-124 shmget(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SHMGET | 95 | ip | 0x00000200

Format:
header-token
argument-token (0, "shmid", shared memory ID)
[ipc-token]
[ipc_perm-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included for failed events.

Table A-125 stat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_STAT | 16 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-126 statfs(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_STATFS | 54 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-127 statvfs(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_STATVFS | 234 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-128 stime(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_STIME | 201 | ad | 0x00000800

Format:
header-token
subject-token
return-token

Table A-129 symlink(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SYMLINK | 21 | fc | 0x00000010

Format:
header-token
text-token (symbolic link string)
path-token
[attr-token]
subject-token
return-token

Table A-130 sysinfo(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SYSINFO | 39 | ad | 0x00000800

Format:
header-token
argument-token (1, "cmd", command)
text-token (name)
subject-token
return-token

Table A-131 system booted

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_SYSTEMBOOT | 113 | na | 0x00000400

Format:
header-token
text-token ("booting kernel")
return-token

Table A-132 umount(2) - old version

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_UMOUNT | 12 | ad | 0x00000800

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-133 unlink(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_UNLINK | 6 | fd | 0x00000020

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-134 old utime(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_UTIME | 202 | fm | 0x00000008

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-135 utimes(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_UTIMES | 49 | fm | 0x00000008

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-136 utssys(2) - fusers

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_UTSSYS | 233 | ad | 0x00000800

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-137 vfork(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_VFORK | 25 | pc | 0x00000080

Format:
header-token
argument-token (0, "child PID", pid)
subject-token
return-token
The fork return values are undefined because the audit record is produced at the point that the child process is spawned.

Table A-138 vtrace(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_VTRACE | 36 | pc | 0x00000080

Format:
header-token
subject-token
return-token

Table A-139 xmknod(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_XMKNOD | 240 | fc | 0x00000010

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-140 xstat(2)

Event Name | Event ID | Event Class | Mask
---|---|---|---
AUE_XSTAT | 235 | fa | 0x00000004

Format:
header-token
path-token
[attr-token]
subject-token
return-token