These audit records are created by system calls which are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:
- The name of the system call
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit event class
- The mask for the event class
- The audit record structure
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ACCESS | 14 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-6 acct(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ACCT | 18 | as | 0x00020000 |
Format (zero path): header-token argument-token (1, "accounting off", 0) [priv-token] (if privilege used or required) subject-token return-token Format (non-zero path): header-token path-token [attr-token] subject-token return-token |
Table B-7 adjtime(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ADJTIME | 50 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-8 audit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDIT | 211 | no | 0x00000000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-9 auditon(2) -- get current active root
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCAR | 224 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-10 auditon(2) -- get event class
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCLASS | 231 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-11 auditon(2) -- get audit state
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCOND | 229 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-12 auditon(2) -- get current working directory
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETCWD | 223 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-13 auditon(2) -- get kernel mask
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETKMASK | 221 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-14 auditon(2) -- get audit statistics
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GETSTAT | 225 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-15 auditon(2) -- GETPOLICY command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GPOLICY | 114 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-16 auditon(2) -- get audit queue control parameters
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_GQCTRL | 145 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-17 auditon(2) -- set event class
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETCLASS | 232 | aa | 0x00040000 |
Format: header-token [argument-token] (2, "setclass:ec_event", event number) [argument-token] (3, "setclass:ec_class", class mask) [priv-token] (if privilege used or required) subject-token return-token |
Table B-18 auditon(2) -- set audit state
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETCOND | 230 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setcond", audit state) [priv-token] (if privilege used or required) subject-token return-token |
Table B-19 auditon(2) -- set kernel mask
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETKMASK | 222 | aa | 0x00040000 |
Format: header-token [argument-token] (2, "setkmask:as_success", kernel mask) [argument-token] (2, "setkmask:as_failure", kernel mask) [priv-token] (if privilege used or required) subject-token return-token |
Table B-20 auditon(2) -- set mask per session ID
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETSMASK | 228 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setsmask:as_success", session ID mask) [argument-token] (3, "setsmask:as_failure", session ID mask) [priv-token] (if privilege used or required) subject-token return-token |
Table B-21 auditon(2) -- reset audit statistics
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETSTAT | 226 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-22 auditon(2) -- set mask per uid
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SETUMASK | 227 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setumask:as_success", audit ID mask) [argument-token] (3, "setumask:as_failure", audit ID mask) [priv-token] (if privilege used or required) subject-token return-token |
Table B-23 auditon(2) -- SETPOLICY command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SPOLICY | 147 | aa | 0x00040000 |
Format: header-token [argument-token] (1, "policy", audit policy flags) [priv-token] (if privilege used or required) subject-token return-token |
Table B-24 auditon(2) -- set audit queue control parameters
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITON_SQCTRL | 146 | aa | 0x00040000 |
Format: header-token [argument-token] (3, "setqctrl:aq_hiwater", queue control param.) [argument-token] (3, "setqctrl:aq_lowater", queue control param.) [argument-token] (3, "setqctrl:aq_bufsz", queue control param.) [argument-token] (3, "setqctrl:aq_delay", queue control param.) [priv-token] (if privilege used or required) subject-token return-token |
Table B-25 auditpsa(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITPSA | 529 | aa | 0x00040000 |
Format (valid file descriptor): header-token argument-token (1, "op", state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-26 auditstat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITSTAT | 150 | aa | 0x00040000 |
Format: header-token [argument-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-27 auditsvc(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_AUDITSVC | 136 | aa | 0x00040000 |
Format (valid file descriptor): header-token [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token Format (invalid file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B-28 chdir(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHDIR | 8 | pc | 0x00300000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-29 chmod(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHMOD | 10 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-30 chown(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHOWN | 11 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-31 chroot(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHROOT | 24 | pm | 0x00200000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-32 chstate(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CHSTATE | 538 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-33 clock_settime(3R)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CLOCK_SETTIME | 513 | as | 0x00000800 |
Format: header-token slabel-token return-token |
Table B-34 close(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CLOSE | 112 | cl | 0x00000040 |
Format: <file system object> header-token argument-token (1, "fd", file descriptor) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Also for files closed on process termination. The argument-token is only present with the close() system call. It may be removed in future releases. The path-token is present only with valid file descriptors. |
Table B-35 creat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CREAT | 4 | fc | 0x00000010 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-36 devpolicy(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_DRVPOLICY | 531 | as | 0x00000800 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-37 enter prom, exit prom
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ENTERPROM | 153 | na | 0x00000400 |
AUE_EXITPROM | 154 | na | 0x00000400 |
Format: header-token text-token (addr, "monitor PROM"|"kadb") [priv-token] (if privilege used or required) subject-token return-token |
Table B-38 exec(2), execve(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_EXEC | 7 | ps | 0x00100000 |
AUE_EXECVE | 23 | ps | 0x00100000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-39 exit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_EXIT | 1 | pm | 0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-40 fauditpsa(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FAUDITPSA | 530 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-41 fchdir(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHDIR | 68 | pc | 0x00300000 |
Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-42 fchmod(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHMOD | 39 | fm | 0x00000008 |
Format (valid file descriptor): header-token argument-token (2, "new file mode", mode) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (invalid file descriptor): header-token argument-token (2, "new file mode", mode) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-43 fchown(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHOWN | 38 | fm | 0x00000008 |
Format (valid file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (non-file descriptor): header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-44 fchroot(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCHROOT | 69 | pm | 0x00200000 |
Format: header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-45 fcntl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) | 30 | fn | 0x40000000 |
Format (file descriptor): header-token argument-token (2, "cmd", cmd) path-token attr-token [priv-token] (if privilege used or required) subject-token return-token Format (bad file descriptor): header-token argument-token (2, "cmd", cmd) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B-46 fgetsldname(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FGETSLDNAME | 532 | fc | 0x00000010 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-47 fork(2), fork1(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FORK | 2 | ps | 0x00100000 |
AUE_FORK1 | 241 | ps | 0x00100000 |
Format: header-token [argument-token] (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token The fork() and fork1() return values are undefined since each audit record is produced at the point that the child process is spawned. |
Table B-48 fsetcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSETCMWLABEL | 544 | fm | 0x00000008 |
Format: header-token argument-token (3, "flag", which parts of label to set) [slabel-token] (if slabel is being set) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-49 fsetfattrflag(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSETFATTRFLAG | 523 | fm | 0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-50 fstatfs(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FSTATFS | 55 | fa | 0x00000004 |
Format (file descriptor): header-token [path-token] [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (non-file descriptor): header-token argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-51 getaudit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETAUDIT | 132 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-52 getauid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETAUID | 130 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-53 getcmwfsrange(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETCMWFSRANGE | 545 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-54 getcmwlabel(2), fgetcmwlabel(2), lgetcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETCMWLABEL | 546 | fa | 0x00000004 |
AUE_FGETCMWLABEL | 118 | fa | 0x00000004 |
AUE_LGETCMWLABEL | 548 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-55 getdents(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETDENTS | 193 | no | 0x00000000 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-56 getfpriv(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETFILEPRIV | 547 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-57 getmldadorn(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMLDADORN | 554 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-58 getmsg(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMSG | 217 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B-59 getmsg(2) -- accept, receive
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SOCKACCEPT | 247 | nt | 0x00000100 |
AUE_SOCKRECEIVE | 250 | nt | 0x00000100 |
Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B-60 getmsgqcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETMSGQCMWLABEL | 514 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-61 getpmsg(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETPMSG | 219 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B-62 getportaudit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETPORTAUDIT | 149 | aa | 0x00040000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-63 getsemcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSEMCMWLABEL | 515 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the sem ID is invalid. |
Table B-64 getshmcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSHMCMWLABEL | 516 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the shm ID is invalid. |
Table B-65 getsldname(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_GETSLDNAME | 555 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-66 ioctl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_IOCTL | 158 | io | 0x20000000 |
Format (good file descriptor): header-token path-token [attr-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token Format (socket): header-token [socket-token] argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token Format (non-file file descriptor): header-token argument-token (1, "fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token Format (bad file name): header-token argument-token (1, "no path: fd", file descriptor) argument-token (2, "cmd" ioctl cmd) argument-token (3, "arg" ioctl arg) [priv-token] (if privilege used or required) subject-token return-token |
Table B-67 kill(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_KILL | 15 | pm | 0x00200000 |
Format (valid process): header-token argument-token (2, "signal", signo) [process-token] [slabel-token] (process) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (zero or negative process): header-token argument-token (2, "signal", signo) argument-token (1, "process", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-68 lchown(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LCHOWN | 237 | fm | 0x00000008 |
Format: header-token argument-token (2, "new file uid", uid) argument-token (3, "new file gid", gid) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-69 link(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LINK | 5 | fc | 0x00000010 |
Format: header-token path-token (from path) [attr-token] (from path) [slabel-token] (from path) path-token (to path) [attr-token] (to path) [slabel-token] (to path) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-70 lstat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LSTAT | 17 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-71 lxstat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_LXSTAT | 236 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-72 memcntl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MEMCNTL | 238 | ot | 0x80000000 |
Format: header-token argument-token (1, "base", base address) argument-token (2, "len", length) argument-token (3, "cmd", command) argument-token (4, "arg", command args) argument-token (5, "attr", command attributes) argument-token (6, "mask", 0) [priv-token] (if privilege used or required) subject-token return-token |
Table B-73 mkdir(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MKDIR | 47 | fc | 0x00000010 |
Format: header-token argument-token (2, "mode", mode) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-74 mknod(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MKNOD | 9 | fc | 0x00000010 |
Format: header-token argument-token (2, "mode", mode) argument-token (3, "dev", dev) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-75 mldsetfattrflag(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MLDSETFATTRFLAG | 524 | fm | 0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-76 mmap(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MMAP | 210 | no | 0x00000000 |
Format (valid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) [path-token] [attr-token] [priv-token] (if privilege used or required) subject-token return-token Format (invalid file descriptor): header-token argument-token (1, "addr", segment address) argument-token (2, "len", segment length) argument-token (1, "no path: fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B-77 modctl(2) -- bind module
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODADDMAJ | 246 | as | 0x00000800 |
Format: header-token [text-token] (driver major number) [text-token] (driver name) text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") argument-token (5, "", number of aliases) (0..n)[text-token] (aliases) [priv-token] (if privilege used or required) subject-token return-token |
Table B-78 modctl(2) -- configure module
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODCONFIG | 245 | as | 0x00000800 |
Format: header-token text-token (root dir.|"no rootdir") text-token (driver major number|"no drvname") [priv-token] (if privilege used or required) subject-token return-token |
Table B-79 modctl(2) -- load module
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODLOAD | 243 | as | 0x00020000 |
Format: header-token [text-token] (default path) text-token (filename path) [priv-token] (if privilege used or required) subject-token return-token |
Table B-80 modctl(2) -- unload module
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MODUNLOAD | 244 | as | 0x00020000 |
Format: header-token argument-token (1, "id", module ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B-81 mount(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MOUNT | 62 | ao | 0x00080000 |
Format (UNIX file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Format (NFS file system): header-token argument-token (3, "flags", flags) text-token (filesystem type) text-token (host name) argument-token (3, "internal flags", flags) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-82 msgctl(2) -- IPC_RMID command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_RMID | 85 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-83 msgctl(2) -- IPC_SET command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_SET | 86 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-84 msgctl(2) -- IPC_STAT command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGCTL_STAT | 87 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-85 msgget(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGGET | 88 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-86 msggetl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGGETL | 174 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg key", message key) argument-token (2, "msg flag", message flags) slabel-token (desired SL) [ipc_perm-token] (of the IPC object) [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-87 msgrcv(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGRCV | 89 | ip | 0x00000200 |
AUE_MSGRCVL | 175 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-88 msgsnd(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MSGSND | 90 | ip | 0x00000200 |
Format: header-token argument-token (1, "msg ID", message ID) [argument-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the msg ID is invalid. |
Table B-89 munmap(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_MUNMAP | 214 | cl | 0x00000040 |
Format: header-token argument-token (1, "addr", address of memory) argument-token (2, "len", memory segment size) [priv-token] (if privilege used or required) subject-token return-token |
Table B-90 old nice(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_NICE | 203 | pc | 0x00300000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-91 open(2) -- read
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_R | 72 | fr | 0x00000001 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-92 open(2) -- read,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RC | 73 | fc,fr | 0x00000011 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-93 open(2) -- read,trunc,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RTC | 75 | fc,fd,fr | 0x00000031 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-94 open(2) -- read,trunc
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RT | 74 | fd,fr | 0x00000021 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-95 open(2) -- read,write
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RW | 80 | fr,fw | 0x00000003 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-96 open(2) -- read,write,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RWC | 81 | fr,fw,fc | 0x00000013 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-97 open(2) -- read,write,trunc,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RWTC | 83 | fr,fw,fc,fd | 0x00000033 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-98 open(2) -- read,write,trunc
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_RWT | 82 | fr,fw,fd | 0x00000023 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-99 open(2) -- write
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_W | 76 | fw | 0x00000002 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-100 open(2) -- write,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_WC | 77 | fw,fc | 0x00000012 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-101 open(2) -- write,trunc,creat
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_WTC | 79 | fw,fc,fd | 0x00000032 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-102 open(2) -- write,trunc
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OPEN_WT | 78 | fw,fd | 0x00000022 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-103 pathconf(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PATHCONF | 71 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-104 pipe(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PIPE | 185 | no | 0x00000000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-105 preadl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PREADL | 527 | no | 0x00000000 |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-106 priocntl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PRIOCNTLSYS | 212 | pm | 0x00200000 |
Format: header-token argument-token (1, "pc_version", priocntl version num.) argument-token (3,"cmd", command) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-107 privilege enable
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PRIVENABLE | 533 | as | 0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-108 process dumped core
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_CORE | 111 | fc | 0x00000010 |
Format: header-token path-token [attr-token] argument-token (1, "signal", signal) [priv-token] (if privilege used or required) subject-token return-token |
Table B-109 putmsg(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PUTMSG | 216 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B-110 putmsg(2) - connect, send
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SOCKCONNECT | 248 | nt | 0x00000100 |
AUE_SOCKSEND | 249 | nt | 0x00000100 |
Format: header-token socket-inet-token argument-token (1, "fd", file descriptor) argument-token (4, "pri", priority) [priv-token] (if privilege used or required) subject-token return-token |
Table B-111 putpmsg(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PUTPMSG | 218 | nt | 0x00000100 |
Format: header-token argument-token (1, "fd", file descriptor) [priv-token] (if privilege used or required) subject-token return-token |
Table B-112 read(2), readl(2), readvl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_READ | 192 | no | 0x00000000 |
AUE_READL | 558 | | |
AUE_READVL | 559 | | |
Format: header-token path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-113 readlink(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_READLINK | 22 | fr | 0x00000001 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-114 rename(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_RENAME | 42 | fc,fd | 0x00000030 |
Format: header-token path-token (from name) [attr-token] (from name) [slabel-token] (from name) [path-token] (to name) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-115 rmdir(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_RMDIR | 48 | fd | 0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-116 semctl(2) -- getall
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_GETALL | 105 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-117 semctl(2) -- GETNCNT command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_GETNCNT | 102 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-118 semctl(2) -- GETPID command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_GETPID | 103 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-119 semctl(2) -- GETVAL command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_GETVAL | 104 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-120 semctl(2) -- GETZCNT command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_GETZCNT | 106 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-121 semctl(2) -- IPC_RMID command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_RMID | 99 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-122 semctl(2) -- IPC_SET command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_SET | 100 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-123 semctl(2) -- SETALL command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_SETALL | 108 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-124 semctl(2) -- SETVAL command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_SETVAL | 107 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-125 semctl(2) -- IPC_STAT command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMCTL_STAT | 101 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-126 semget(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMGET | 109 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-127 semgetl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMGETL | 177 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem key", semaphore key) argument-token (3, "sem flags", semaphore flags) slabel-token [ipc_perm-token] [slabel-token] [argument-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the system call failed. |
Table B-128 semop(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SEMOP | 110 | ip | 0x00000200 |
Format: header-token argument-token (1, "sem ID", semaphore ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and the slabel of the ipc tokens are not included if the semaphore ID is invalid. |
Table B-129 setacl(1), setfacl(1)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_ACLSET | 251 | fm | 0x00000008 |
AUE_FACLSET | 252 | fm | 0x00000008 |
Format: header-token argument-token (2,"cmd", command) argument-token (3,"n_entries", number of acl entries) acl-token ... (token repeated "n_entries" times) path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-130 setaudit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETAUDIT | 133 | aa | 0x00040000 |
Format (valid program stack address): header-token argument-token (1, "setaudit:auid", audit user ID) argument-token (1, "setaudit:port", terminal ID) argument-token (1, "setaudit:machine", terminal ID) argument-token (1, "setaudit:as_success", preselection mask) argument-token (1, "setaudit:as_failure", preselection mask) argument-token (1, "setaudit:asid", audit session ID) [priv-token] (if privilege used or required) subject-token return-token |
Format (invalid program stack address): header-token subject-token return-token |
Table B-131 setauid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETAUID | 131 | aa | 0x00040000 |
Format: header-token argument-token (2, "setauid", audit user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B-132 setclearance(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETCLEARANCE | 542 | fm | 0x00000008 |
Format: header-token clearance-token (specified) clearance-token (old) clearance-token (new) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-133 setcmwlabel(2), lsetcmwlabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETCMWLABEL | 549 | fm | 0x00000008 |
AUE_LSETCMWLABEL | 525 | fm | 0x00000008 |
Format: header-token argument-token (3, "flag", which parts of label to set) [slabel-token] (if slabel is being set) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-134 setcmwplabel(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETCMWPLABEL | 541 | fm | 0x00000008 |
Format (setting flag == SETCL_ALL): header-token slabel-token (SL from input argument) slabel-token (original SL) argument-token (2, "flag", value) slabel-token (new SL) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (setting flag == SETCL_SL): header-token slabel-token (SL from input argument) slabel-token (SL of subject before) argument-token (2, "flag", value) slabel-token (SL of subject after) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Format (setting flag == SETCL_IL): header-token argument-token (2, "flag", value) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-135 setegid(2), old setgid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETEGID | 214 | pm | 0x00200000 |
AUE_SETGID | 205 | pm | 0x00200000 |
Format: header-token argument-token (1, "gid", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-136 seteuid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETEUID | 215 | pm | 0x00200000 |
Format: header-token argument-token (1, "gid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-137 setfattrflag(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETFATTRFLAG | 522 | fm | 0x00000008 |
Format: header-token argument-token (2, "which", which flags to set) argument-token (3, "attrs", flag values) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-138 setfpriv(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETFILEPRIV | 550 | fm | 0x00000008 |
Format: header-token argument-token (4, "privilege type", privilege set type) privilege-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-139 setgroups(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETGROUPS | 26 | pm | 0x00200000 |
Format: header-token [argument-token] (1, "setgroups", group ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token One argument-token for each group set. |
Table B-140 setpattr(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETPATTR | 526 | ps | 0x00100000 |
Format: header-token argument-token (1, "type", type of attribute to set) argument-token (2, "value", value of attribute) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-141 setpgrp(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETPGRP | 27 | pm | 0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-142 setppriv(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETPROCPRIV | 127 | fm | 0x00000008 |
Format: header-token argument-token (3, "type", privilege set type) argument-token (4, "op", operation to perform) privilege-token (specified) privilege-token (old) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-143 setregid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETREGID | 41 | pm | 0x00200000 |
Format: header-token argument-token (1, "rgid", real group ID) argument-token (1, "egid", effective group ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B-144 setreuid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETREUID | 40 | pm | 0x00200000 |
Format: header-token argument-token (1, "ruid", real user ID) argument-token (1, "euid", effective user ID) [priv-token] (if privilege used or required) subject-token return-token |
Table B-145 setrlimit(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SETRLIMIT | 51 | as | 0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-146 old setuid(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_OSETUID | 200 | pm | 0x00200000 |
Format: header-token argument-token (1, "uid", user ID) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token Due to a current bug in the audit software, this token is reported as AUE_OSETUID. |
Table B-147 shmat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMAT | 96 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (2, "shm adr", shared mem addr) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B-148 shmctl(2) -- IPC_RMID command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMCTL_RMID | 92 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B-149 shmctl(2) -- IPC_SET command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMCTL_SET | 93 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B-150 shmctl(2) -- IPC_STAT command
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMCTL_STAT | 94 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) [argument-token] [ipc_perm-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token The ipc, ipc_perm, and slabel tokens are not included if the shared memory segment ID is invalid. |
Table B-151 shmdt(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMDT | 97 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm adr", shared mem addr) [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-152 shmget(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMGET | 95 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) [argument-token] [slabel-token] [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B-153 shmgetl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHMGETL | 178 | ip | 0x00000200 |
Format: header-token argument-token (1, "shm ID", shared memory ID) argument-token (3, "shm flag", shared memory flags) slabel-token [ipc_perm-token] (of the IPC's old values) [slabel-token] [ipc_perm-token] (of the IPC's new values) [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token subject-token The ipc, ipc_perm, and slabel tokens are not included for failed events. |
Table B-154 stat(2), statfs(2), statvfs(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_STAT | 16 | fa | 0x00000004 |
AUE_STATFS | 54 | fa | 0x00000004 |
AUE_STATVFS | 234 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-155 stime(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_STIME | 201 | as | 0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-156 symlink(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SYMLINK | 21 | fc | 0x00000010 |
Format: header-token text-token (symbolic link string) path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-157 sysinfo(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SYSINFO | 39 | as | 0x00020000 |
Format: header-token argument-token (1, "cmd", command) text-token (name) [priv-token] (if privilege used or required) subject-token return-token |
Table B-158 system booted
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SYSTEMBOOT | 113 | na | 0x00000400 |
Format: header-token text-token ("booting kernel") return-token |
Table B-159 tnif(2), tnrh(2), tnrhtp(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_TNIF | 534 | nt | 0x00000100 |
AUE_TNRH | 535 | | |
AUE_TNRHTP | 536 | | |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-160 tokmapper(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_TOKMAPPER | 537 | nt | 0x00000100 |
Format: header-token argument-token (1, "op", state) in_addr-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-161 uadmin(2) - system freeze
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_FREEZE | 539 | ss | 0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-162 uadmin(2) - system reboot
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_REBOOT | 561 | ss | 0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-163 uadmin(2) - system remount
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_REMOUNT | 540 | as | 0x00020000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-164 uadmin(2) - system shutdown
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_SHUTDOWN | 560 | ss | 0x00010000 |
Format: header-token [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-165 umount(2) -- old version
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_UMOUNT | 12 | ao | 0x00080000 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-166 unlink(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_UNLINK | 6 | fd | 0x00000020 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-167 old utime(2), utimes(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_UTIME | 202 | fm | 0x00000008 |
AUE_UTIMES | 49 | fm | 0x00000008 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-168 utssys(2) -- fusers
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_UTSSYS | 233 | ao | 0x00080000 |
Format: header-token path-token [attr-token] [priv-token] (if privilege used or required) subject-token return-token |
Table B-169 vfork(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_VFORK | 25 | ps | 0x00100000 |
Format: header-token argument-token (0, "child PID", pid) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token The fork return values are undefined since the audit record is produced at the point that the child process is spawned. |
Table B-170 vtrace(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_VTRACE | 36 | pm | 0x00200000 |
Format: header-token [priv-token] (if privilege used or required) subject-token return-token |
Table B-171 write(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_WRITE | 195 | no | 0x00000000 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-172 writel(2), pwritel(2), writevl(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_PWRITEL | 528 | no | 0x00000000 |
AUE_WRITEL | 552 | fm | 0x00000008 |
AUE_WRITEVL | 553 | fm | 0x00000008 |
Format: header-token slabel-token (from label specified in syscall args) path-token [attr-token] [slabel-token] [priv-token] (if privilege used or required) subject-token slabel-token return-token |
Table B-173 xmknod(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_XMKNOD | 240 | fc | 0x00000010 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |
Table B-174 xstat(2)
Event Name | Event ID | Event Class | Mask |
---|---|---|---|
AUE_XSTAT | 235 | fa | 0x00000004 |
Format: header-token path-token [attr-token] [slabel-token] (object) [priv-token] (if privilege used or required) subject-token slabel-token (subject) return-token |