SunSHIELD Basic Security Module Guide

Kernel-Level Generated Audit Records

These audit records are created by system calls that are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:

The name of the system call
A man page reference (if appropriate)
The audit event number
The audit event name
The audit event class
The mask for the event class
The audit record structure

Table A-5 accept(2)

Event Name	Event ID	Event Class	Mask
`AUE_ACCEPT`	`33`	`nt`	0x00000100
Format (if the socket address is not part of the `AF_INET` family): `header-token` `arg-token` (1, "fd", file descriptor) `text-token` ("bad socket address") `text-token` ("bad peer address") `subject-token` `return-token` Format (if the socket address is part of the `AF_INET` family): `header-token` If there is no `vnode` for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not bound: [`arg-token` (1, "fd", file descriptor) `text-token`] ("socket not bound") or if the socket address length = 0: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") For all other conditions: [`socket-inet-token`] ("socket address") `socket-inet-token` ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_ACCEPT

33

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token                 (1, "fd", file descriptor)

  
text-token                 ("bad socket address")

  
text-token                 ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]               (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("socket not bound")

or if the socket address length = 0:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("bad socket address")

For all other conditions:

  [socket-inet-token]       ("socket address")

  
socket-inet-token         ("socket address")

  
subject-token

  
return-token

Table A-6 access(2)


Event Name	Event ID	Event Class	Mask
`AUE_ACCESS`	`14`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-7 acl(2) - SETACL command


Event Name	Event ID	Event Class	Mask
`AUE_ACLSET`	`251`	`fm`	0x00000008
Format: `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) (0..n)[`acl-token`] (ACLs) `subject-token` `return-token`

Table A-8 acct(2)


Event Name	Event ID	Event Class	Mask
`AUE_ACCT`	`18`	`ad`	0x00000800
Format (zero path): `header-token` `argument-token` (1, "accounting off", 0) `subject-token` `return-token` Format (non-zero path): `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-9 adjtime(2)


Event Name	Event ID	Event Class	Mask
`AUE_ADJTIME`	`50`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-10 audit(2)


Event Name	Event ID	Event Class	Mask
`AUE_AUDIT`	`211`	`no`	0x00000000
Format: `header-token` `subject-token` `return-token`

Table A-11 auditon(2) - get car


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCAR`	`224`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-12 auditon(2) - get event class


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCLASS`	`231`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-13 auditon(2) - get audit state


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCOND`	`229`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-14 auditon(2) - get cwd


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCWD`	`223`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-15 auditon(2) - get kernal mask


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETKMASK`	`221`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-16 auditon(2) - get audit statistics


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETSTAT`	`225`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-17 auditon(2) - GPOLICY command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GPOLICY`	`114`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-18 auditon(2) - GQCTRL command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GQCTRL`	`145`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-19 auditon(2) - set event class


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETCLASS`	`232`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (2, "setclass:ec_event", event number) [`argument-token`] (3, "setclass:ec_class", class mask) `subject-token` `return-token`

Table A-20 auditon(2) - set audit state


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETCOND`	`230`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setcond", audit state) `subject-token` `return-token`

Table A-21 auditon(2) - set kernal mask


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETKMASK`	`222`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (2, "setkmask:as_success", kernel mask) [`argument-token`] (2, "setkmask:as_failure", kernel mask) `return-token`

Table A-22 auditon(2) - set mask per session ID


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETSMASK`	`228`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setsmask:as_success", session ID mask) [`argument-token`] (3, "setsmask:as_failure", session ID mask) `subject-token` `return-token`

Table A-23 auditon(2) - reset audit statistics


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETSTAT`	`226`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-24 auditon(2) - set mask per uid


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETUMASK`	`227`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setumask:as_success", audit ID mask) [`argument-token`] (3, "setumask:as_failure", audit ID mask) `subject-token` `return-token`

Table A-25 auditon(2) - SPOLICY command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SPOLICY`	`147`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (1, "policy", audit policy flags) `subject-token` `return-token`

Table A-26 auditon(2) - SQCTRL command

Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SQCTRL`	`146`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3,"setqctrl:aq_hiwater", queue control param.) [`argument-token`] (3,"setqctrl:aq_lowater", queue control param.) [`argument-token`] (3,"setqctrl:aq_bufsz", queue control param.) [`argument-token`] (3,"setqctrl:aq_delay", queue control param.) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_AUDITON_SQCTRL

146

ad

0x00000800

Format:

	
header-token

	[argument-token]      (3,"setqctrl:aq_hiwater", queue control param.)

	[argument-token]      (3,"setqctrl:aq_lowater", queue control param.)

	[argument-token]      (3,"setqctrl:aq_bufsz", queue control param.)

	[argument-token]      (3,"setqctrl:aq_delay", queue control param.)

	
subject-token

	return-token

Table A-27 auditsvc(2)


Event Name	Event ID	Event Class	Mask
`AUE_AUDITSVC`	`136`	`ad`	0x00000800
Format (valid file descriptor): `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token` Format (not valid file descriptor): `header-token` `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Table A-28 bind(2)

Event Name	Event ID	Event Class	Mask
`AUE_BIND`	`34`	`nt`	0x00000100
Format: `header-token` If there is no vnode for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not of the `AF_INET` family: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") for all other conditions: [`arg-token` (1, "fd", file descriptor) `socket-inet-token`] ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_BIND

34

nt

0x00000100

Format:

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]               (1, "Bad fd", file descriptor)

or if the socket is not of the AF_INET family:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("bad socket address")

for all other conditions:

  [arg-token               (1, "fd", file descriptor)

  
socket-inet-token]      ("socket address")

  
subject-token

  
return-token

Table A-29 chdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHDIR`	`8`	`pc`	0x00000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-30 chmod(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHMOD`	`10`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file mode", mode) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-31 chown(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHOWN`	`11`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-32 chroot(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHROOT`	`24`	`pc`	0x00000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-33 close(2)


Event Name	Event ID	Event Class	Mask
`AUE_CLOSE`	`112`	`cl`	0x00000040
Format: <file system object> `header-token` `argument-token` (1, "fd", file descriptor) [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-34 connect(2)

Event Name	Event ID	Event Class	Mask
`AUE_CONNECT`	`32`	`nt`	0x00000100
Format (if the socket address is not part of the `AF_INET` family): `header-token` `arg-token` (1, "fd", file descriptor) `text-token` ("bad socket address") `text-token` ("bad peer address") `subject-token` `return-token` Format (if the socket address is part of the `AF_INET` family): `header-token` If there is no `vnode` for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not bound: [`arg-token` (1, "fd", file descriptor) `text-token`] ("socket not bound") or if the socket address length = 0: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") for all other conditions: [`socket-inet-token`] ("socket address") `socket-inet-token` ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_CONNECT

32

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token            (1, "fd", file descriptor)

  
text-token           ("bad socket address")

  
text-token           ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]          (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token           (1, "fd", file descriptor)

  
text-token]           ("socket not bound")

or if the socket address length = 0:

  [arg-token           (1, "fd", file descriptor)

  
text-token]           ("bad socket address")

for all other conditions:

  [socket-inet-token]      ("socket address")

  
socket-inet-token        ("socket address")

  
subject-token

  
return-token

Table A-35 creat(2)


Event Name	Event ID	Event Class	Mask
`AUE_CREAT`	`4`	`fc`	0x00000010
Format `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-36 doorfs(2) - DOOR_BIND


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_BIND`	`260`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-37 doorfs(2) - DOOR_CALL


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CALL`	`254`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `process-token` (for process that owns the door) `subject-token` `return-token`

Table A-38 doorfs(2) - DOOR_CREATE


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CREATE`	`256`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door attr", door attributes) `subject-token` `return-token`

Table A-39 doorfs(2) - DOOR_CRED


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CRED`	`259`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-40 doorfs(2) - DOOR_INFO


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_INFO`	`258`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-41 doorfs(2) - DOOR_RETURN


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_RETURN`	`255`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-42 doorfs(2) - DOOR_REVOKE


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_REVOKE`	`257`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-43 doorfs(2) - DOOR_UNBIND


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_UNBIND`	`261`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-44 enter prom


Event Name	Event ID	Event Class	Mask
`AUE_ENTERPROM`	`153`	`na`	0x00000400
Format: `header-token` `text-token` (addr, "monitor PROM"\|"kadb") `subject-token` `return-token`

Table A-45 exec(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXEC`	`7`	`pc,ex`	0x40000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-46 execve(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXECVE`	`23`	`pc,ex`	0x40000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-47 exit prom


Event Name	Event ID	Event Class	Mask
`AUE_EXITPROM`	`154`	`na`	0x00000400
Format: `header-token` `text-token` (addr, "monitor PROM"\|"kadb") `subject-token` `return-token`

Table A-48 exit(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXIT`	`1`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-49 facl(2) - SETACL command

Event Name	Event ID	Event Class	Mask
`AUE_FACLSET`	`252`	`fm`	0x00000008
Format (zero path): `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) `arg-token` (1, "no path: fd", file descriptor) (0..n)[`acl-token`] (ACLs) `subject-token` `return-token` Format (non-zero path): `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) `path-token` [`attr-token`] (0..n)[`acl-token`] (ACLs) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FACLSET

252

fm

0x00000008

Format (zero path):

  
header-token

  
arg-token              (2, "cmd", SETACL)

  
arg-token              (3, "nentries", number of ACL entries)

  
arg-token              (1, "no path: fd", file descriptor)

  (0..n)[acl-token]      (ACLs)

  
subject-token

  
return-token

Format (non-zero path):

  
header-token

  
arg-token              (2, "cmd", SETACL)

  
arg-token              (3, "nentries", number of ACL entries)

  
path-token

  [attr-token]

  (0..n)[acl-token]      (ACLs)

  
subject-token

  
return-token

Table A-50 fchdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_FCHDIR`	`68`	`pc`	0x00000080
Format: `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-51 fchmod(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCHMOD`	`39`	`fm`	0x00000008
Format (valid file descriptor): `header-token` `argument-token` (2, "new file mode", mode) [`path-token`] [`attr-token`] `subject-token` `return-token` Format (not valid file descriptor): `header-token` `argument-token` (2, "new file mode", mode) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCHMOD

39

fm

0x00000008

Format (valid file descriptor):

	
header-token

	
argument-token      (2, "new file mode", mode)

	[path-token]

	[attr-token]

	subject-token

	return-token

Format (not valid file descriptor):

	
header-token

	
argument-token      (2, "new file mode", mode)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-52 fchown(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCHOWN`	`38`	`fm`	0x00000008
Format (valid file descriptor): `header-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) [`path-token`] [`attr-token`] `subject-token` `return-token` Format (non-file descriptor): `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCHOWN

38

fm

0x00000008

Format (valid file descriptor):

	
header-token          (2, "new file uid", uid)

	
argument-token      (3, "new file gid", gid)

	[path-token]

	[attr-token]

	subject-token

	return-token

Format (non-file descriptor):

	
header-token

	
argument-token      (2, "new file uid", uid)

	
argument-token      (3, "new file gid", gid)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-53 fchroot(2)


Event Name	Event ID	Event Class	Mask
`AUE_FCHROOT`	`69`	`pc`	0x00000080
Format: `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-54 fcntl(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCNTL` (cmd=`F_GETLK`, `F_SETLK`, `F_SETLKW`)	`30`	`fm`	0x00000008
Format (file descriptor): `header-token` `argument-token` (2, "cmd", cmd) `path-token` `attr-token` `subject-token` `return-token` Format (bad file descriptor): `header-token` `argument-token` (2, "cmd", cmd) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW)

30

fm

0x00000008

Format (file descriptor):

	
header-token

	
argument-token      (2, "cmd", cmd)

	
path-token

	attr-token

	subject-token

	return-token

Format (bad file descriptor):

	
header-token

	
argument-token      (2, "cmd", cmd)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-55 fork(2)

Event Name

Event ID

Event Class

Mask

AUE_FORK

2

pc

0x00000080

Format:

	
header-token

	[argument-token]      (0, "child PID", pid)

	
subject-token

	return-token

The fork() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-56 fork1(2)

Event Name

Event ID

Event Class

Mask

AUE_FORK1

241

pc

0x00000080

Format:

	
header-token

	[argument-token]      (0, "child PID", pid)

	
subject-token

	return-token

The fork1() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-57 fstatfs(2)


Event Name	Event ID	Event Class	Mask
`AUE_FSTATFS`	`55`	`fa`	0x00000004
Format (file descriptor): `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token` Format (non-file descriptor): `header-token` `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Table A-58 getaudit(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETAUDIT`	`132`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-59 getauid(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETAUID`	`130`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-60 getmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETMSG`	`217`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-61 getmsg - accept


Event Name	Event ID	Event Class	Mask
`AUE_SOCKACCEPT`	`247`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-62 getmsg - receive


Event Name	Event ID	Event Class	Mask
`AUE_SOCKRECEIVE`	`250`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-63 getpmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETPMSG`	`219`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `subject-token` `return-token`

Table A-64 getportaudit(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETPORTAUDIT`	`149`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-65 inst_sync(2)


Event Name	Event ID	Event Class	Mask
`AUE_INST_SYNC`	`264`	`ad`	0x00000800
Format: `header-token` `arg-token` (2, "flags", flags value) `subject-token` `return-token`

Table A-66 ioctl(2)

Event Name

Event ID

Event Class

Mask

AUE_IOCTL

158

io

0x20000000

Format (good file descriptor):

	
header-token

	
path-token

	[attr-token]

	
argument-token      (2, "cmd" ioctl cmd)

	
argument-token      (3, "arg" ioctl arg)

	
subject-token

	return-token

Format (socket):

	
header-token

	[socket-token]

	
argument-token      (2, "cmd" ioctl cmd)

	argument-token      (3, "arg" ioctl arg)

	
subject-token

	return-token

Format (non-file file descriptor):

	
header-token

	argument-token      (1, "fd", file descriptor)

	
argument-token      (2, "cmd", ioctl cmd)

	
argument-token      (3, "arg", ioctl arg)

	
subject-token

	return-token

Format (bad file name):

	
header-token

	argument-token      (1, "no path: fd", fd)

	
argument-token      (2, "cmd", ioctl cmd)

	
argument-token      (3, "arg", ioctl arg)

	
subject-token

	return-token

Table A-67 kill(2)

Event Name

Event ID

Event Class

Mask

AUE_KILL

15

pc

0x00000080

Format (valid process):

	
header-token

	argument-token      (2, "signal", signo)

	[process-token]

	
subject-token

	return-token

Format (zero or negative process):

	
header-token

	argument-token      (2, "signal", signo)

	
argument-token      (1, "process", pid))

	
subject-token

	return-token

Table A-68 lchown(2)


Event Name	Event ID	Event Class	Mask
`AUE_LCHOWN`	`237`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-69 link(2)


Event Name	Event ID	Event Class	Mask
`AUE_LINK`	`5`	`fc`	0x00000010
Format: `header-token` `path-token` (from path) [`attr-token`] (from path) `path-token` (to path) `subject-token` `return-token`

Table A-70 lstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_LSTAT`	`17`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-71 lxstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_LXSTAT`	`236`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-72 memcntl(2)

Event Name

Event ID

Event Class

Mask

AUE_MEMCNTL

238

ot

0x80000000

Format:

	
header-token

	argument-token      (1, "base", base address)

	
argument-token      (2, "len", length)

	
argument-token      (3, "cmd", command)

	
argument-token      (4, "arg", command args)

	
argument-token      (5, "attr", command attributes)

	
argument-token      (6, "mask", 0)

	
subject-token

	return-token

Table A-73 mkdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_MKDIR`	`47`	`fc`	0x00000010
Format: `header-token` `argument-token` (2, "mode", mode) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-74 mknod(2)


Event Name	Event ID	Event Class	Mask
`AUE_MKNOD`	`9`	`fc`	0x00000010
Format: `header-token` `argument-token` (2, "mode", mode) `argument-token` (3, "dev", dev) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-75 mmap(2)

Event Name

Event ID

Event Class

Mask

AUE_MMAP

210

no

0x00000000

Format (valid file descriptor):

	
header-token

	
argument-token      (1, "addr", segment address)

	
argument-token      (2, "len", segment length)

	[path-token]

	[attr-token]

	
subject-token

	return-token

Format (not valid file descriptor):

	
header-token

	argument-token      (1, "addr", segment address)

	
argument-token      (2, "len", segment length)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-76 modctl(2) - bind module

Event Name

Event ID

Event Class

Mask

AUE_MODADDMAJ

246

ad

0x00000800

Format:

	header-token

	[text-token]      driver major number)

	[text-token]      (driver name)

	
text-token        (root dir.|"no rootdir")

	
text-token        (driver major number|"no drvname")

	
argument-token        (5, "", number of aliases)

	(0..n)[text-token]      (aliases)

	
subject-token

	return-token

Table A-77 modctl(2) - configure module


Event Name	Event ID	Event Class	Mask
`AUE_MODCONFIG`	`245`	`ad`	0x00000800
Format: `header-token` `text-token` (root dir.\|"no rootdir") `text-token` (driver major number\|"no drvname") `subject-token` `return-token`

Table A-78 modctl(2) - load module


Event Name	Event ID	Event Class	Mask
`AUE_MODLOAD`	`243`	`ad`	0x00000800
Format: `header-token` [`text-token`] (default path) `text-token` (filename path) `subject-token` `return-token`

Table A-79 modctl(2) - unload module


Event Name	Event ID	Event Class	Mask
`AUE_MODUNLOAD`	`244`	`ad`	0x00000800
Format: `header-token` `argument-token` (1, "id", module ID) `subject-token` `return-token`

Table A-80 mount(2)

Event Name

Event ID

Event Class

Mask

AUE_MOUNT

62

ad

0x00000800

Format (UNIX file system):

	
header-token

	
argument-token      (3, "flags", flags)

	
text-token             (filesystem type)

	
path-token

	[attr-token]

	subject-token

	return-token

Format (NFS file system):

	
header-token

	
argument-token      (3, "flags", flags)

	
text-token             (filesystem type)

	
text-token             (host name)

	
argument-token      (3, "internal flags", flags)

Table A-81 msgctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_RMID`	`85`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-82 msgctl(2) - IPC_SET command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_SET`	`86`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-83 msgctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_STAT`	`87`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-84 msgget(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGGET`	`88`	`ip`	0x00000200
Format: `header-token` [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-85 msgrcv(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGRCV`	`89`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-86 msgsnd(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGSND`	`90`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-87 munmap(2)


Event Name	Event ID	Event Class	Mask
`AUE_MUNMAP`	`214`	`cl`	0x00000040
Format: `header-token` `argument-token` (1, "addr", address of memory) `argument-token` (2, "len", memory segment size) `subject-token` `return-token`

Table A-88 old nice(2)


Event Name	Event ID	Event Class	Mask
`AUE_NICE`	`203`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-89 open(2) - read


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_R`	`72`	`fr`	0x00000001
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-90 open(2) - read,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RC`	`73`	`fc,fr`	0x00000011
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-91 open(2) - read,creat,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RTC`	`75`	`fc,fd,fr`	0x00000031
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-92 open(2) - read,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RT`	`74`	`fd,fr`	0x00000021
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-93 open(2) - read,write


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RW`	`80`	`fr,fw`	0x00000003
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-94 open(2) - read,write,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWC`	`81`	`fr,fw,fc`	0x00000013
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-95 open(2) - read,write,create,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWTC`	`83`	`fr,fw,fc,fd`	0x00000033
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-96 open(2) - read,write,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWT`	`82`	`fr,fw,fd`	0x00000023
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-97 open(2) - write


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_W`	`76`	`fw`	0x00000002
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-98 open(2) - write,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WC`	`77`	`fw,fc`	0x00000012
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-99 open(2) - write,creat,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WTC`	`79`	`fw,fc,fd`	0x00000032
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-100 open(2) - write,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WT`	`78`	`fw,fd`	0x00000022
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-101 p_online(2)

Event Name

Event ID

Event Class

Mask

AUE_P_ONLINE

262

ad

0x00000800

  
header-token

  
arg-token           (1, "processor ID", processor ID)

  
arg-token           (2, "flags", flags value)

  
text-token           (text form of flags value: P_ONLINE, P_OFFLINE, P_STATUS)

  
subject-token

  
return-token

Table A-102 pathconf(2)


Event Name	Event ID	Event Class	Mask
`AUE_PATHCONF`	`71`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-103 pipe(2)


Event Name	Event ID	Event Class	Mask
`AUE_PIPE`	`185`	`no`	0x00000000
Format: `header-token` `subject-token` `return-token`

Table A-104 priocntlsys(2)


Event Name	Event ID	Event Class	Mask
`AUE_PRIOCNTLSYS`	`212`	`pc`	0x0000080
Format: `header-token` `argument-token` (1, "pc_version", `priocntl` version num.) `argument-token` (3,"cmd", command) `subject-token` `return-token`

Table A-105 process dumped core


Event Name	Event ID	Event Class	Mask
`AUE_CORE`	`111`	`fc`	0x0000010
Format: `header-token` `path-token` [`attr-token`] `argument-token` (1, "signal", signal) `subject-token` `return-token`

Table A-106 processor_bind(2)

Event Name

Event ID

Event Class

Mask

AUE_PROCESSOR_BIND

263

ad

0x00000800

Format (no processor bound):

  
header-token

  
arg-token             (1, "ID type", type of ID)

  
arg-token             (2, "ID", ID value)

  
text-token             ("PBIND_NONE")

  
process-token        (for process whose threads are bound to the processor)

  
subject-token

  
return-token

Format (with processor bound):

  
header-token

  
arg-token             (1, "ID type", type of ID)

  
arg-token             (2, "ID", ID value)

  
arg-token             (3, "processor ID", processor ID)

  
process-token        (for process whose threads are bound to the processor)

  
subject-token

  
return-token

Table A-107 putmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_PUTMSG`	`216`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-108 putmsg-connect


Event Name	Event ID	Event Class	Mask
`AUE_SOCKCONNECT`	`248`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-109 putmsg-send


Event Name	Event ID	EventClass	Mask
`AUE_SOCKSEND`	`249`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-110 putpmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_PUTPMSG`	`218`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `subject-token` `return-token`

Table A-111 readlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_READLINK`	`22`	`fr`	0x00000001
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-112 rename(2)


Event Name	Event ID	Event Class	Mask
`AUE_RENAME`	`42`	`fc,fd`	0x00000030
Format: `header-token` `path-token` (from name) [`attr-token`] (from name) [`path-token`] (to name) `subject-token` `return-token`

Table A-113 rmdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_RMDIR`	`48`	`fd`	0x00000020
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-114 semctl(2) - getall


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETALL`	`105`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-115 semctl(2) - GETNCNT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETNCNT`	`102`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-116 semctl(2) - GETPID command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETPID`	`103`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-117 semctl(2) - GETVAL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETVAL`	`104`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-118 semctl(2) - GETZCNT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETZCNT`	`106`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-119 semctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_RMID`	`99`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-120 semctl(2) - IPC_SET command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SET`	`100`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-121 semctl(2) - SETALL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SETALL`	`108`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-122 semctl(2) - SETVAL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SETVAL`	`107`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-123 semctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_STAT`	`101`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token`

Table A-124 semget(2)


Event Name	Event ID	Event Class	Mask
`AUE_SEMGET`	`109`	`ip`	0x00000200
Format: `header-token` [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the system call failed.

Table A-125 semop(2)


Event Name	Event ID	Event Class	Mask
`AUE_SEMOP`	`110`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-126 setaudit(2)

Event Name

Event ID

Event Class

Mask

AUE_SETAUDIT

133

ad

0x00000800

Format (valid program stack address):

	
header-token

	
argument-token      (1, "setaudit:auid", audit user ID)

	
argument-token      (1, "setaudit:port", terminal ID)

	
argument-token      (1, "setaudit:machine", terminal ID)

	
argument-token      (1, "setaudit:as_success", preselection mask)

	
argument-token      (1, "setaudit:as_failure", preselection mask)

	
argument-token      (1, "setaudit:asid", audit session ID)

	
subject-token

	return-token

Format (not valid program stack address):

	
header-token

	subject-token

	return-token

Table A-127 setauid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETAUID`	`131`	`ad`	0x00000800
Format: `header-token` `argument-token` (2, "setauid", audit user ID) `subject-token` `return-token`

Table A-128 setegid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETEGID`	`214`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", group ID) `subject-token` `return-token`

Table A-129 seteuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETEUID`	`215`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", user ID) `subject-token` `return-token`

Table A-130 old setgid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETGID`	`205`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", group ID) `subject-token` `return-token`

Table A-131 setgroups(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETGROUPS`	`26`	`pc`	0x00000080
Format: `header-token` [`argument-token`] (1, "setgroups", group ID) `subject-token` `return-token` One `argument-token` for each group set.

Table A-132 setpgrp(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETPGRP`	`27`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-133 setregid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETREGID`	`41`	`pc`	0x00000080
Format: `header-token` `arg-token` (1, "rgid", real group ID) `arg-token` (2, "egid", effective group ID) `subject-token` `return-token`

Table A-134 setreuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETREUID`	`40`	`pc`	0x00000080
Format: `header-token` `arg-token` (1, "ruid", real user ID) `arg-token` (2, "euid", effective user ID) `subject-token` `return-token`

Table A-135 setrlimit(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETRLIMIT`	`51`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-136 old setuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_OSETUID`	`200`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "uid", user ID) `subject-token` `return-token` Because of a current bug in the audit software, this token is reported as `AUE_OSETUID`.

Table A-137 shmat(2)

Event Name

Event ID

Event Class

Mask

AUE_SHMAT

96

ip

0x00000200

Format:

	
header-token

	
argument-token      (1, "shmid", shared memory ID)

	
argument-token      (2, "shmaddr", shared mem addr)

	[ipc-token]

	[ipc_perm-token]

	subject-token

	return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-138 shmctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_SHMCTL_RMID`	`92`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmid", shared memory ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the shared memory segment ID is not valid.

Table A-139 shmctl(2) - IPC_SET command

Event Name

Event ID

Event Class

Mask

AUE_SHMCTL_SET

93

ip

0x00000200

Format:

	
header-token

	
argument-token      (1, "shmid", shared memory ID)

	[ipc-token]

	[ipc_perm-token]

	subject-token

	return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-140 shmctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_SHMCTL_STAT`	`94`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmid", shared memory ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the shared memory segment ID is not valid.

Table A-141 shmdt(2)


Event Name	Event ID	Event Class	Mask
`AUE_SHMDT`	`97`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmaddr", shared mem addr) `subject-token` `return-token`

Table A-142 shmget(2)


Event Name	Event ID	Event Class	Mask
`AUE_SHMGET`	`95`	`ip`	0x00000200
Format: `header-token` `arg-token` (0, "shmid", shared memory ID) [`ipc_perm-token`] [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included for failed events.

Table A-143 shutdown(2)

Event Name

Event ID

Event Class

Mask

AUE_SHUTDOWN

46

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token               (1, "fd", file descriptor)

  
text-token]             ("bad socket address")

  
text-token]             ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]             (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token               (1, "fd", file descriptor)

  
text-token]              ("socket not bound")

or if the socket address length = 0:

  [arg-token               (1, "fd", file descriptor)

  
text-token]             ("bad socket address")

for all other conditions:

  [socket-inet-token]            ("socket address")

  
socket-inet-token              ("socket address")

  
subject-token

  
return-token

Table A-144 stat(2)


Event Name	Event ID	Event Class	Mask
`AUE_STAT`	`16`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-145 statfs(2)


Event Name	Event ID	EventClass	Mask
`AUE_STATFS`	`54`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-146 statvfs(2)


Event Name	Event ID	Event Class	Mask
`AUE_STATVFS`	`234`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-147 stime(2)


Event Name	Event ID	Event Class	Mask
`AUE_STIME`	`201`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-148 symlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_SYMLINK`	`21`	`fc`	0x00000010
Format: `header-token` `text-token` (symbolic link string) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-149 sysinfo(2)


Event Name	Event ID	Event Class	Mask
`AUE_SYSINFO`	`39`	`ad`	0x00000800
Format: `header-token` `argument-token` (1, "cmd", command) `text-token` (name) `subject-token` `return-token`

Table A-150 system booted


Event Name	Event ID	Event Class	Mask
`AUE_SYSTEMBOOT`	`113`	`na`	0x00000400
Format: `header-token` `text-token` ("booting kernel") `return-token`

Table A-151 umount(2) - old version


Event Name	Event ID	Event Class	Mask
`AUE_UMOUNT`	`12`	`ad`	0x00000800
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-152 unlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_UNLINK`	`6`	`fd`	0x00000020
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-153 old utime(2)


Event Name	Event ID	Event Class	Mask
`AUE_UTIME`	`202`	`fm`	0x00000008
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-154 utimes(2)


Event Name	Event ID	Event Class	Mask
`AUE_UTIMES`	`49`	`fm`	0x00000008
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-155 utssys(2) - fusers


Event Name	Event ID	Event Class	Mask
`AUE_UTSSYS`	`233`	`ad`	0x00000800
Format: `header-token` `path-token` `[attr-token]` `subject-token` `return-token`

Table A-156 vfork(2)

Event Name

Event ID

Event Class

Mask

AUE_VFORK

25

pc

0x00000080

Format:

	
header-token

	
argument-token      (0, "child PID", pid)

	
subject-token

	return-token

The fork return values are undefined because the audit record is
produced at the point that the child process is spawned.

Table A-157 vtrace(2)


Event Name	Event ID	Event Class	Mask
`AUE_VTRACE`	`36`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-158 xmknod(2)


Event Name	Event ID	Event Class	Mask
`AUE_XMKNOD`	`240`	`fc`	0x00000010
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-159 xstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_XSTAT`	`235`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`