SunSHIELD Basic Security Module Guide

User-Level Generated Audit Records

These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:

The name of the program
A man page reference (if appropriate)
The audit event number
The audit event name
The audit record structure

Table A-160 allocate-device success


Event Name	Program	Event ID	Event Class	Mask
`AUE_allocate_succ`	`/usr/sbin/allocate`	`6200`	`ad`	0x00000800
Format: `header-token` `text-token` `path-token` `subject-token` `exit-token`

Table A-161 allocate-device failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_allocate_fail`	`/usr/sbin/allocate`	`6201`	`ad`	0x00000800
Format: `header-token` `text-token` `subject-token` `exit-token`

Table A-162 deallocate-device success


Event Name	Program	Event ID	Event Class	Mask
`AUE_deallocate_succ`	`/usr/sbin/deallocate`	`6202`	`ad`	0x00000800
Format: `header-token` `subject-token` `newgroups-token` `exit-token`

Table A-163 deallocate-device failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_deallocate_fail`	`/usr/sbin/deallocate`	`6203`	`ad`	0x00000800
Format: `header-token` `subject-token` `newgroups-token` `exit-token`

Table A-164 allocate-list devices success


Event Name	Program	Event ID	Event Class	Mask
`AUE_listdevice_succ`	`/usr/sbin/allocate`	`6205`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-165 allocate-list devices failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_listdevice_fail`	`/usr/sbin/allocate`	`6206`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-166 at-create crontab


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_create`	`/usr/bin/at`	`6144`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-167 at-delete atjob (at or atrm)


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_delete`	`/usr/bin/at`	`6145`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-168 at-permission


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_perm`	`/usr/bin/at`	`6146`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-169 crontab-crontab created


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_create`	`/usr/bin/crontab`	`6148`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-170 crontab-crontab deleted


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_delete`	`/usr/bin/crontab`	`6149`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-171 cron-invoke atjob or crontab


Event Name	Program	Event ID	Event Class	Mask
`AUE_cron_invoke`	`/usr/bin/crontab`	`6147`	`ad`	0x00000800
Format: `header-token` `subject-token` `text-token` (program) `text-token` (shell) `text-token` (cmd) `exit-token`

Table A-172 crontab-permission


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_perm`	`/usr/bin/crontab`	`6150`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-173 halt(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_halt_solaris`	`/usr/sbin/halt`	`6160`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-174 inetd


Event Name	Program	Event ID	Event Class	Mask
`AUE_inetd_connect`	`/usr/sbin/inetd`	`6151`	`na`	0x00000400
Format: `header-token` `subject-token` `text-token` (service name) `in_addr-token` `iport-token` `return-token`

Table A-175 init(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_init_solaris`	`/sbin/init`; `/usr/sbin/init`; `/usr/sbin/shutdown`	`6166`	`ad`	0x00000800
Format: `header-token` `subject-token` `text-token` (init level) `return-token`

Table A-176 ftp access


Event Name	Program	Event ID	Event Class	Mask
`AUE_ftpd`	`/usr/sbin/in.ftpd`	`6165`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `return-token`

Table A-177 login - local


Event Name	Program	Event ID	Event Class	Mask
`AUE_login`	`/usr/sbin/login`	`6152`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-178 login - rlogin


Event Name	Program	Event ID	Event Class	Mask
`AUE_rlogin`	`/usr/sbin/login`	`6155`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-179 login - telnet


Event Name	Program	Event ID	Event Class	Mask
`AUE_telnet`	`/usr/sbin/login`	`6154`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-180 logout


Event Name	Program	Event ID	Event Class	Mask
`AUE_logout`	`/usr/sbin/login`	`6153`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` `return-token`

Table A-181 mount


Event Name	Program	Event ID	Event Class	Mask
`AUE_mountd_mount`	`/usr/lib/nfs/mountd`	`6156`	`na`	0x00000400
Format: `header-token` `arg-token` `text-token` (remote client hostname) `path-token` (mount dir) `attribute-token` `path-token` `attribute-token` `subject-token` `return-token`

Table A-182 unmount


Event Name	Program	Event ID	Event Class	Mask
`AUE_mountd_umount`	`/usr/lib/nfs/mountd`	`6157`	`na`	0x00000400
Format: `header-token` `path-token` (mount dir) `attribute-token` `subject-token` `return-token`

Table A-183 passwd


Event Name	Program	Event ID	Event Class	Mask
`AUE_passwd`	`/usr/bin/passwd`	`6163`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-184 poweroff(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_poweroff_solaris`	`/usr/sbin/poweroff`	`6169`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-185 reboot(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_reboot_solaris`	`/usr/sbin/reboot`	`6161`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-186 rexd


Event Name	Program	Event ID	Event Class	Mask
`AUE_rexd`	`/usr/sbin/rpc.rexd`	`6164`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `text-token` (hostname) `text-token` (username) `text-token` (command to be executed) `exit-token`

Table A-187 rexecd


Event Name	Program	Event ID	Event Class	Mask
`AUE_rexecd`	`/usr/sbin/in.rexecd`	`6162`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `text-token` (hostname) `text-token` (username) `text-token` (command to be executed) `exit-token`

Table A-188 rsh access


Event Name	Program	Event ID	Event Class	Mask
`AUE_rshd`	`/usr/sbin/in.rshd`	`6158`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (command string) `text-token` (local user) `text-token` (remote user) `return-token`

Table A-189 shutdown(1b)


Event Name	Program	Event ID	Event Class	Mask
`AUE_shutdown_solaris`	`/usr/ucb/shutdown`	`6168`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-190 su


Event Name	Program	Event ID	Event Class	Mask
`AUE_su`	`/usr/bin/su`	`6159`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-191 admin(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_uadmin_solaris`	`/sbin/uadmin`; `/usr/sbin/uadmin`	`6167`	`ad`	0x00000800
Format: `header-token` `subject-token` `text-token` (function) `text-token` (argument) `return-token`