Appendix A Event-to-Class Mappings
This appendix lists audit events by audit class. See the file /etc/security/audit_event for a list of events by audit event number.
Audit Events Listed by Audit Class
The Trusted Solaris environment provides the audit classes listed alphabetically by Short Name in the following table. The classes are listed in the file /etc/security/audit_class.
Table A–1 Trusted Solaris Audit Classes (Default)|
Short Name |
Long Name |
Audit Mask |
List of Events per Class |
|---|---|---|---|
|
aa |
Audit administration | ||
|
ad |
Administrative | ||
|
ao |
Other administration | ||
|
all |
All classes | ||
|
ap |
Application | ||
|
as |
System-wide administration | ||
|
ax |
X server | ||
|
cl |
File close | ||
|
fa |
File attribute access | ||
|
fc |
File create | ||
|
fd |
File delete | ||
|
fm |
File attribute modify | ||
|
fn |
Fcntl | ||
|
fr |
File read | ||
|
fw |
File write | ||
|
il |
Internal label info |
0x00010000 |
Obsolete. |
|
io |
Ioctl | ||
|
ip |
Ipc | ||
|
lo |
Login or logout | ||
|
na |
Non-attribute | ||
|
no |
Invalid class | ||
|
nt |
Network | ||
|
ot |
Other | ||
|
pc |
Process |
No defined events. |
|
|
pm |
Process modify | ||
|
ps |
Process start/stop | ||
|
ss |
Change system state | ||
|
xa |
X - Allowed information flows | ||
|
xc |
X - Object create/destroy | ||
|
xl |
X - Client login/logout | ||
|
xp |
X - Privileged operations | ||
|
xs |
X - Operations that fail silently | ||
|
xx |
X - All X events |
See the individual X classes. |
For more information about the classes, see the audit_class(4) man page.
Events in Audit Class aa
The following table lists in alphabetical order the audit administration class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–2 Audit Administration Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
224 |
AUE_AUDITON_GETCAR | |
|
231 |
AUE_AUDITON_GETCLASS | |
|
229 |
AUE_AUDITON_GETCOND | |
|
223 |
AUE_AUDITON_GETCWD | |
|
221 |
AUE_AUDITON_GETKMASK | |
|
225 |
AUE_AUDITON_GETSTAT | |
|
141 |
AUE_AUDITON_GPOLICY | |
|
145 |
AUE_AUDITON_GQCTRL | |
|
139 |
AUE_AUDITON_GTERMID |
No longer supported. |
|
144 |
AUE_AUDITON_SESTATE |
No longer supported. |
|
232 |
AUE_AUDITON_SETCLASS | |
|
230 |
AUE_AUDITON_SETCOND | |
|
222 |
AUE_AUDITON_SETKMASK | |
|
228 |
AUE_AUDITON_SETSMASK | |
|
226 |
AUE_AUDITON_SETSTAT | |
|
227 |
AUE_AUDITON_SETUMASK | |
|
142 |
AUE_AUDITON_SPOLICY | |
|
146 |
AUE_AUDITON_SQCTRL | |
|
140 |
AUE_AUDITON_STERMID |
No longer supported. |
|
529 |
AUE_AUDITPSA | |
|
150 |
AUE_AUDITSTAT | |
|
136 |
AUE_AUDITSVC | |
|
530 |
AUE_FAUDITPSA | |
|
132 |
AUE_GETAUDIT | |
|
130 |
AUE_GETAUID | |
|
147 |
AUE_GETKERNSTATE |
No longer supported. |
|
149 |
AUE_GETPORTAUDIT | |
|
134 |
AUE_GETUSERAUDIT |
No longer supported. |
|
133 |
AUE_SETAUDIT | |
|
131 |
AUE_SETAUID | |
|
148 |
AUE_SETKERNSTATE |
No longer supported. |
|
135 |
AUE_SETUSERAUDIT |
No longer supported. |
|
9016 |
AUE_audit | |
|
9015 |
AUE_auditwrite | |
Events in Audit Class ad
The following table lists in alphabetical order the administrative class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–3 Administrative Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
267 |
AUE_GETAUDIT_ADDR | |
|
263 |
AUE_PROCESSOR_BIND | |
|
266 |
AUE_SETAUDIT_ADDR | |
|
268 |
AUE_UMOUNT2 | |
|
6166 |
AUE_init_solaris |
|
|
6167 |
AUE_uadmin_solaris |
|
|
6168 |
AUE_shutdown_solaris |
|
|
6169 |
AUE_poweroff_solaris |
|
|
6170 |
AUE_crontab_mod |
|
|
6207 |
AUE_create_user |
|
|
6208 |
AUE_modify_user |
|
|
6209 |
AUE_delete_user |
|
|
6210 |
AUE_disable_user |
|
|
6211 |
AUE_enable_user |
|
|
6220 |
AUE_smserverd |
|
|
6214 |
AUE_kadmind_auth |
|
|
6215 |
AUE_kadmind_unauth |
|
Events in Audit Class ao
The following table lists in alphabetical order the other administration class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–4 Administrative Other Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
61 |
AUE_EXPORTFS | |
|
62 |
AUE_MOUNT | |
|
115 |
AUE_NFSSVC_EXIT |
nfssvc(2) |
|
58 |
AUE_NFS_GETFH |
nfs_getfh(2) |
|
53 |
AUE_NFS_SVC |
nfs_svc(2) |
|
60 |
AUE_QUOTACTL | |
|
12 |
AUE_UMOUNT | |
|
56 |
AUE_UNMOUNT |
No longer supported. |
|
233 |
AUE_UTSSYS | |
|
6200 |
AUE_allocate_succ | |
|
6201 |
AUE_allocate_fail | |
|
6144 |
AUE_at_create | |
|
6145 |
AUE_at_delete | |
|
6146 |
AUE_at_perm | |
|
9034 |
AUE_automountd_mismatch | |
|
9033 |
AUE_automountd_mount | |
|
9029 |
AUE_chroot_cmd | |
|
6147 |
AUE_cron_invoke | |
|
6148 |
AUE_crontab_create | |
|
6149 |
AUE_crontab_delete | |
|
6150 |
AUE_crontab_perm | |
|
6202 |
AUE_deallocate_succ | |
|
6203 |
AUE_deallocate_fail | |
|
6181 |
AUE_filesystem_add | |
|
6182 |
AUE_filesystem_delete | |
|
6183 |
AUE_filesystem_modify | |
|
9031 |
AUE_fuser | |
|
6205 |
AUE_listdevice_succ | |
|
6206 |
AUE_listdevice_fail | |
|
9044 |
AUE_lp_cancel | |
|
9045 |
AUE_lp_status |
|
|
6184 |
AUE_network_add | |
|
6185 |
AUE_network_delete | |
|
6186 |
AUE_network_modify | |
|
6187 |
AUE_printer_add | |
|
6188 |
AUE_printer_delete | |
|
6189 |
AUE_printer_modify | |
|
6180 |
AUE_prof_cmd | |
|
6173 |
AUE_role_login | |
|
6190 |
AUE_scheduledjob_add | |
|
6191 |
AUE_scheduledjob_delete | |
|
6192 |
AUE_scheduledjob_modify | |
|
6193 |
AUE_serialport_add | |
|
6194 |
AUE_serialport_delete | |
|
6195 |
AUE_serialport_modify | |
|
9013 |
AUE_sendmail_deliver | |
|
9014 |
AUE_sendmail_defer | |
|
9012 |
AUE_sendmail_upgrade | |
|
9322 |
AUE_te_modsysfiles | |
|
6199 |
AUE_uauth | |
|
9024 |
AUE_uname_set | |
|
6196 |
AUE_usermgr_add | |
|
6197 |
AUE_usermgr_delete | |
|
6198 |
AUE_usermgr_modify | |
Table A–5 Administrative Other Audit Events (Obsolete)
|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9319 |
AUE_dm_add | |
|
9320 |
AUE_dm_del |
|
|
9321 |
AUE_dm_mod |
|
|
9307 |
AUE_gm_add_grp | |
|
9308 |
AUE_gm_del_grp |
|
|
9309 |
AUE_gm_mod_grp |
|
|
9310 |
AUE_hm_add_host | |
|
9311 |
AUE_hm_del_host |
|
|
9312 |
AUE_hm_mod_host |
|
|
9313 |
AUE_hm_set_def |
|
|
9009 |
AUE_pfsh_priv | |
|
9008 |
AUE_pfsh_trusted_nopriv |
|
|
9007 |
AUE_pfsh_trusted_priv |
|
|
9316 |
AUE_pm_add | |
|
9318 |
AUE_pm_del_prn |
|
|
9317 |
AUE_pm_mod_prn |
|
|
9306 |
AUE_pm_add_prof | |
|
9306 |
AUE_pm_del_prof | |
|
9305 |
AUE_pm_mod_prof | |
|
9315 |
AUE_sm_del_ser | |
|
9314 |
AUE_sm_mod_ser |
|
|
9302 |
AUE_um_add_user | |
|
9301 |
AUE_um_del_user |
|
|
9300 |
AUE_um_mod_user |
|
|
9303 |
AUE_um_set_def |
|
Events in Audit Class ap
The following table lists in alphabetical order the application class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–6 Application Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9010 |
AUE_pfsh_nopriv | |
|
9035 |
AUE_sl_change | |
Events in Audit Class cl
The following table lists in alphabetical order the file close class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–7 File Close Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
112 |
AUE_CLOSE | |
|
213 |
AUE_MUNMAP | |
Events in Audit Class fa
The following table lists in alphabetical order the file attribute access class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–8 File Attribute Access Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
14 |
AUE_ACCESS | |
|
220 |
AUE_AUDITSYS |
Placeholder |
|
66 |
AUE_BSMSYS |
Placeholder |
|
543 |
AUE_FGETCMWLABEL | |
|
55 |
AUE_FSTATFS | |
|
545 |
AUE_GETCMWFSRANGE | |
|
546 |
AUE_GETCMWLABEL | |
|
547 |
AUE_GETFILEPRIV | |
|
554 |
AUE_GETMLDADORN | |
|
555 |
AUE_GETSLDNAME | |
|
548 |
AUE_LGETCMWLABEL | |
|
17 |
AUE_LSTAT | |
|
236 |
AUE_LXSTAT | |
|
556 |
AUE_MLDLSTAT |
Obsolete. |
|
557 |
AUE_MLDSTAT |
|
|
64 |
AUE_MSGSYS |
Placeholder |
|
3 |
AUE_OPEN |
Placeholder |
|
199 |
AUE_OSTAT |
No longer supported. |
|
71 |
AUE_PATHCONF | |
|
67 |
AUE_RFSSYS |
Placeholder |
|
63 |
AUE_SEMSYS |
Placeholder |
|
65 |
AUE_SHMSYS |
Placeholder |
|
16 |
AUE_STAT | |
|
54 |
AUE_STATFS |
|
|
234 |
AUE_STATVFS |
|
|
70 |
AUE_VPIXSYS |
Placeholder |
|
235 |
AUE_XSTAT | |
Events in Audit Class fc
The following table lists in alphabetical order the file create class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–9 File Create Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
111 |
AUE_CORE | |
|
4 |
AUE_CREAT | |
|
532 |
AUE_FGETSLDNAME | |
|
5 |
AUE_LINK | |
|
47 |
AUE_MKDIR | |
|
9 |
AUE_MKNOD | |
|
73 |
AUE_OPEN_RC | |
|
75 |
AUE_OPEN_RTC | |
|
81 |
AUE_OPEN_RWC | |
|
83 |
AUE_OPEN_RWTC | |
|
77 |
AUE_OPEN_WC | |
|
79 |
AUE_OPEN_WTC | |
|
42 |
AUE_RENAME | |
|
48 |
AUE_RMDIR | |
|
21 |
AUE_SYMLINK | |
|
240 |
AUE_XMKNOD | |
Events in Audit Class fd
The following table lists in alphabetical order the file delete class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–10 File Delete Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
44 |
AUE_FTRUNCATE |
No longer supported. |
|
74 |
AUE_OPEN_RT | |
|
75 |
AUE_OPEN_RTC | |
|
82 |
AUE_OPEN_RWT | |
|
83 |
AUE_OPEN_RWTC | |
|
78 |
AUE_OPEN_WT | |
|
79 |
AUE_OPEN_WTC | |
|
42 |
AUE_RENAME | |
|
6 |
AUE_UNLINK | |
Events in Audit Class fm
The following table lists in alphabetical order the file attribute modify class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–11 File Attribute Modify Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
251 |
AUE_ACLSET | |
|
11 |
AUE_CHOWN | |
|
252 |
AUE_FACLSET | |
|
39 |
AUE_FCHMOD | |
|
38 |
AUE_FCHOWN | |
|
45 |
AUE_FLOCK |
Placeholder |
|
544 |
AUE_FSETCMWLABEL | |
|
523 |
AUE_FSETFATTRFLAG | |
|
158 |
AUE_IOCTL | |
|
237 |
AUE_LCHOWN | |
|
525 |
AUE_LSETCMWLABEL | |
|
19 |
AUE_MCTL |
No longer supported. |
|
524 |
AUE_MLDSETFATTRFLAG | |
|
542 |
AUE_SETCLEARANCE | |
|
549 |
AUE_SETCMWLABEL | |
|
541 |
AUE_SETCMWPLABEL | |
|
522 |
AUE_SETFATTRFLAG | |
|
550 |
AUE_SETFILEPRIV | |
|
551 |
AUE_SETPROCPRIV | |
|
202 |
AUE_UTIME | |
|
49 |
AUE_UTIMES |
|
|
552 |
AUE_WRITEL | |
|
553 |
AUE_WRITEVL |
|
|
9037 |
AUE_dtfile_copy | |
|
9038 |
AUE_dtfile_move | |
Events in Audit Class fn
The following table lists in alphabetical order the fcntl class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–12 Fcntl Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
30 |
AUE_FCNTL | |
Events in Audit Class fr
The following table lists in alphabetical order the file read class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–13 File Read Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
72 |
AUE_OPEN_R | |
|
73 |
AUE_OPEN_RC | |
|
74 |
AUE_OPEN_RT | |
|
75 |
AUE_OPEN_RTC | |
|
80 |
AUE_OPEN_RW | |
|
81 |
AUE_OPEN_RWC | |
|
82 |
AUE_OPEN_RWT | |
|
83 |
AUE_OPEN_RWTC | |
|
22 |
AUE_READLINK | |
Events in Audit Class fw
The following table lists in alphabetical order the file read class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–14 File Write Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
80 |
AUE_OPEN_RW | |
|
81 |
AUE_OPEN_RWC | |
|
82 |
AUE_OPEN_RWT | |
|
83 |
AUE_OPEN_RWTC | |
|
76 |
AUE_OPEN_W | |
|
77 |
AUE_OPEN_WC | |
|
78 |
AUE_OPEN_WT | |
|
79 |
AUE_OPEN_WTC | |
Events in Audit Class io
The following table lists the audit event in the ioctl class provided in the Trusted Solaris 8 4/01 release.
Table A–15 Ioctl Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
158 |
AUE_IOCTL | |
Events in Audit Class ip
The following table lists in alphabetical order the ipc class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–16 IPC Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
260 |
AUE_DOORFS_DOOR_BIND |
doorfs(2) - DOOR_BIND |
|
254 |
AUE_DOORFS_DOOR_CALL |
doorfs(2) - DOOR_CALL |
|
256 |
AUE_DOORFS_DOOR_CREATE |
doorfs(2) - DOOR_CREATE |
|
258 |
AUE_DOORFS_DOOR_INFO |
doorfs(2) - DOOR_INFO |
|
255 |
AUE_DOORFS_DOOR_RETURN |
doorfs(2) - DOOR_RETURN |
|
257 |
AUE_DOORFS_DOOR_REVOKE |
doorfs(2) - DOOR_REVOKE |
|
259 |
AUE_DOORFS_DOOR_CRED |
doorfs(2) - DOOR_CRED |
|
261 |
AUE_DOORFS_DOOR_UNBIND |
doorfs(2) - DOOR_UNBIND |
|
514 |
AUE_GETMSGQCMWLABEL | |
|
515 |
AUE_GETSEMCMWLABEL | |
|
516 |
AUE_GETSHMCMWLABEL | |
|
84 |
AUE_MSGCTL |
Illegal command |
|
85 |
AUE_MSGCTL_RMID | |
|
86 |
AUE_MSGCTL_SET | |
|
87 |
AUE_MSGCTL_STAT | |
|
88 |
AUE_MSGGET | |
|
174 |
AUE_MSGGETL | |
|
89 |
AUE_MSGRCV | |
|
175 |
AUE_MSGRCVL | |
|
90 |
AUE_MSGSND | |
|
176 |
AUE_MSGSNDL |
Obsolete. |
|
98 |
AUE_SEMCTL |
Illegal command |
|
105 |
AUE_SEMCTL_GETALL | |
|
102 |
AUE_SEMCTL_GETNCNT | |
|
103 |
AUE_SEMCTL_GETPID | |
|
104 |
AUE_SEMCTL_GETVAL | |
|
106 |
AUE_SEMCTL_GETZCNT | |
|
99 |
AUE_SEMCTL_RMID | |
|
100 |
AUE_SEMCTL_SET | |
|
108 |
AUE_SEMCTL_SETALL | |
|
107 |
AUE_SEMCTL_SETVAL | |
|
101 |
AUE_SEMCTL_STAT | |
|
109 |
AUE_SEMGET | |
|
177 |
AUE_SEMGETL | |
|
110 |
AUE_SEMOP | |
|
517 |
AUE_SEMOPL |
Obsolete. |
|
96 |
AUE_SHMAT | |
|
91 |
AUE_SHMCTL |
Placeholder |
|
92 |
AUE_SHMCTL_RMID | |
|
93 |
AUE_SHMCTL_SET | |
|
94 |
AUE_SHMCTL_STAT | |
|
97 |
AUE_SHMDT | |
|
95 |
AUE_SHMGET | |
|
178 |
AUE_SHMGETL | |
Events in Audit Class lo
The following table lists in alphabetical order the login or logout class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–17 Login or Logout Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
6123 |
AUE_admin_authenticate | |
|
6165 |
AUE_ftpd | |
|
6152 |
AUE_login | |
|
6153 |
AUE_logout | |
|
6163 |
AUE_passwd | |
|
6164 |
AUE_rexd | |
|
6162 |
AUE_rexecd | |
|
6155 |
AUE_rlogin | |
|
6173 |
AUE_role_login | |
|
6158 |
AUE_rshd | |
|
6159 |
AUE_su | |
|
6154 |
AUE_telnet | |
Events in Audit Class na
The following table lists in alphabetical order the non-attribute class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–18 Non-attribute Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
153 |
AUE_ENTERPROM | |
|
154 |
AUE_EXITPROM |
|
|
113 |
AUE_SYSTEMBOOT | |
|
6151 |
AUE_inetd_connect | |
|
6156 |
AUE_mountd_mount | |
|
6157 |
AUE_mountd_umount | |
Events in Audit Class no
The following table lists in alphabetical order the invalid class class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–19 Invalid Class Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
211 |
AUE_AUDIT | |
|
209 |
AUE_DUP2 |
No longer supported. |
|
208 |
AUE_FSTAT | |
|
193 |
AUE_GETDENTS | |
|
13 |
AUE_JUNK |
|
|
194 |
AUE_LSEEK |
Placeholder |
|
518 |
AUE_MAC |
No longer supported. |
|
210 |
AUE_MMAP | |
|
242 |
AUE_MODCTL |
Placeholder |
|
197 |
AUE_NFS |
Placeholder |
|
0 |
AUE_NULL |
Indirect system call |
|
185 |
AUE_PIPE | |
|
527 |
AUE_PREADL | |
|
528 |
AUE_PWRITEL | |
|
192 |
AUE_READ | |
|
558 |
AUE_READL |
|
|
198 |
AUE_READV |
Placeholder |
|
559 |
AUE_READVL | |
|
189 |
AUE_RECV |
Placeholder |
|
187 |
AUE_SEND |
Placeholder |
|
186 |
AUE_SOCKETPAIR |
Placeholder |
|
521 |
AUE_UPRIV | |
|
195 |
AUE_WRITE | |
|
196 |
AUE_WRITEV |
Placeholder |
Events in Audit Class nt
The following table lists in alphabetical order the network class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–20 Network Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
33 |
AUE_ACCEPT |
No longer supported. |
|
34 |
AUE_BIND |
No longer supported. |
|
32 |
AUE_CONNECT |
No longer supported. |
|
217 |
AUE_GETMSG | |
|
219 |
AUE_GETPMSG | |
|
173 |
AUE_ONESIDE |
No longer supported. |
|
216 |
AUE_PUTMSG | |
|
218 |
AUE_PUTPMSG | |
|
191 |
AUE_RECVFROM |
Format unavailable. |
|
190 |
AUE_RECVMSG | |
|
188 |
AUE_SENDMSG | |
|
184 |
AUE_SENDTO | |
|
35 |
AUE_SETSOCKOPT | |
|
247 |
AUE_SOCKACCEPT | |
|
248 |
AUE_SOCKCONNECT | |
|
183 |
AUE_SOCKET | |
|
250 |
AUE_SOCKRECEIVE | |
|
249 |
AUE_SOCKSEND | |
|
534 |
AUE_TNIF | |
|
535 |
AUE_TNRH |
|
|
536 |
AUE_TNRHTP |
|
|
537 |
AUE_TOKMAPPER | |
Events in Audit Class ot
The following table lists in alphabetical order the other class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–21 Other Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
238 |
AUE_MEMCNTL | |
Events in Audit Class pm
The following table lists in alphabetical order the process modify class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–22 Process Modify Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
8 |
AUE_CHDIR | |
|
24 |
AUE_CHROOT | |
|
1 |
AUE_EXIT | |
|
68 |
AUE_FCHDIR | |
|
69 |
AUE_FCHROOT | |
|
15 |
AUE_KILL | |
|
52 |
AUE_KILLPG |
No longer supported. |
|
203 |
AUE_NICE | |
|
204 |
AUE_OSETPGRP |
No information. |
|
200 |
AUE_OSETUID |
No longer supported. |
|
212 |
AUE_PRIOCNTLSYS | |
|
214 |
AUE_SETEGID | |
|
215 |
AUE_SETEUID | |
|
526 |
AUE_SETPATTR | |
|
205 |
AUE_SETGID | |
|
26 |
AUE_SETGROUPS | |
|
27 |
AUE_SETPGRP | |
|
31 |
AUE_SETPRIORITY |
No longer supported. |
|
41 |
AUE_SETREGID | |
|
40 |
AUE_SETREUID | |
|
200 |
AUE_SETUID - event name is AUE_OSETUID | |
|
36 |
AUE_VTRACE | |
Events in Audit Class ps
The following table lists in alphabetical order the process start/stop class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–23 Process Start/Stop Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
7 |
AUE_EXEC | |
|
23 |
AUE_EXECVE |
|
|
2 |
AUE_FORK | |
|
241 |
AUE_FORK1 |
|
|
526 |
AUE_SETPATTR | |
|
25 |
AUE_VFORK | |
|
9027 |
AUE_psradm | |
Events in Audit Class as
The following table lists in alphabetical order the system-wide administration class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–24 System-wide Administration Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
18 |
AUE_ACCT | |
|
50 |
AUE_ADJTIME | |
|
57 |
AUE_ASYNC_DAEMON |
|
|
114 |
AUE_ASYNC_DAEMON_EXIT |
|
|
538 |
AUE_CHSTATE | |
|
513 |
AUE_CLOCK_SETTIME | |
|
531 |
AUE_DRVPOLICY | |
|
264 |
AUE_INST_SYNC |
|
|
246 |
AUE_MODADDMAJ | |
|
245 |
AUE_MODCONFIG | |
|
243 |
AUE_MODLOAD | |
|
244 |
AUE_MODUNLOAD | |
|
533 |
AUE_PRIVENABLE | |
|
540 |
AUE_REMOUNT | |
|
59 |
AUE_SETDOMAINNAME |
|
|
29 |
AUE_SETHOSTNAME |
|
|
51 |
AUE_SETRLIMIT | |
|
37 |
AUE_SETTIMEOFDAY |
|
|
201 |
AUE_STIME | |
|
28 |
AUE_SWAPON |
swapon(2) |
|
239 |
AUE_SYSINFO | |
|
9018 |
AUE_add_drv | |
|
9025 |
AUE_dispadmin | |
|
9032 |
AUE_eeprom | |
|
9042 |
AUE_installf | |
|
9020 |
AUE_modload | |
|
9021 |
AUE_modunload | |
|
9026 |
AUE_pbind | |
|
9040 |
AUE_pkginstall | |
|
9041 |
AUE_pkgremove | |
|
9027 |
AUE_psradm | |
|
9019 |
AUE_rem_drv | |
|
9043 |
AUE_removef | |
|
9022 |
AUE_setuname | |
|
9030 |
AUE_swap | |
|
9024 |
AUE_uname_set | |
Events in Audit Class ss
The following table lists in alphabetical order the change system state class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–25 Change System State Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
539 |
AUE_FREEZE | |
|
561 |
AUE_REBOOT | |
|
560 |
AUE_SHUTDOWN | |
|
6160 |
AUE_halt_solaris | |
|
6161 |
AUE_reboot_solaris | |
|
9028 |
AUE_run_level_change | |
|
9023 |
AUE_uadmin_cmd | |
Events in Audit Class ax
The following table lists in alphabetical order the ax class of audit events provided in the Trusted Solaris 8 4/01 release.
Table A–26 X Server Audit Events - Remainder (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9039 |
AUE_sel_mgr_xfer | |
Events in Audit Class xa
The following table lists in alphabetical order the xa class of audit events provided in the Trusted Solaris 8 4/01 release. This class contains X protocols that use "default" client privileges to succeed. These privileges are listed in the file /usr/openwin/server/tsol/config.privs. The security administrator can remove privileges from this file.
Table A–27 X - Allowed Information Flows Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9194 |
AUE_ChangeHosts | |
|
9137 |
AUE_GrabServer | |
|
9183 |
AUE_InstallColormap | |
|
9146 |
AUE_SetFontPath | |
|
9138 |
AUE_UngrabServer | |
Events in Audit Class xc
The following table lists lists in alphabetical order the xc class of audit events provided in the Trusted Solaris 8 4/01 release. This class contains audit events about the creation and destruction of X server object.
Table A–28 X - Object Create/Destroy Operations Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9176 |
AUE_AllocColor | |
|
9178 |
AUE_AllocColorCells |
|
|
9179 |
AUE_AllocColorPlanes |
|
|
9177 |
AUE_AllocNamedColor |
|
|
9120 |
AUE_ChangeProperty | |
|
9170 |
AUE_CreateColormap | |
|
9185 |
AUE_CreateCursor | |
|
9186 |
AUE_CreateGlyphCursor | |
|
9103 |
AUE_CreateWindow | |
|
9121 |
AUE_DeleteProperty | |
|
9107 |
AUE_DestroySubwindows | |
|
9106 |
AUE_DestroyWindow |
|
|
9171 |
AUE_FreeColormap | |
|
9180 |
AUE_FreeColors | |
|
9187 |
AUE_FreeCursor | |
|
9152 |
AUE_FreeGC | |
|
9147 |
AUE_FreePixmap | |
|
9197 |
AUE_KillClient | |
Events in Audit Class xl
The following table lists in alphabetical order the xl audit events provided in the Trusted Solaris 8 4/01 release.
Table A–29 X - Client Login/Logout Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9101 |
AUE_ClientConnect | |
|
9102 |
AUE_ClientDisConnect | |
Events in Audit Class xp
The following table lists in alphabetical order the xp audit events provided in the Trusted Solaris 8 4/01 release.
Table A–30 X - Privileged Audit Events (Default)|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9148 |
AUE_ChangeGc | |
|
9120 |
AUE_ChangeProperty | |
|
9108 |
AUE_ChangeSaveSet | |
|
9104 |
AUE_ChangeWindowAttributes |
|
|
9115 |
AUE_CirculateWindow |
|
|
9114 |
AUE_ConfigureWindow |
|
|
9172 |
AUE_CopyColormapAndFree | |
|
9149 |
AUE_CopyGC | |
|
9161 |
AUE_FillPolygon | |
|
9199 |
AUE_ForceScreenSaver | |
|
9116 |
AUE_GetGeometry | |
|
9140 |
AUE_GetMotionEvents | |
|
9122 |
AUE_GetProperty | |
|
9105 |
AUE_GetWindowAttributes | |
|
9130 |
AUE_GrabButton | |
|
9135 |
AUE_GrabKey | |
|
9133 |
AUE_GrabKeyboard | |
|
9128 |
AUE_GrabPointer | |
|
9168 |
AUE_ImageText8 | |
|
9169 |
AUE_ImageText16 |
|
|
9173 |
AUE_InstallColormap | |
|
9123 |
AUE_ListProperties | |
|
9184 |
AUE_LookupColor | |
|
9111 |
AUE_MapSubwindows | |
|
9110 |
AUE_MapWindow |
|
|
9160 |
AUE_PolyArc | |
|
9163 |
AUE_PolyFillArc |
|
|
9162 |
AUE_PolyFillRectangle |
|
|
9157 |
AUE_PolyLine |
|
|
9156 |
AUE_PolyPoint |
|
|
9158 |
AUE_PolySegment |
|
|
9166 |
AUE_PolyText8 | |
|
9167 |
AUE_PolyText16 |
|
|
9164 |
AUE_PutImage |
|
|
9183 |
AUE_QueryColors | |
|
9145 |
AUE_QueryKeymap | |
|
9139 |
AUE_QueryPointer | |
|
9117 |
AUE_QueryTree | |
|
9188 |
AUE_RecolorCursor | |
|
9109 |
AUE_ReparentWindow | |
|
9198 |
AUE_RotateProperties | |
|
9195 |
AUE_SetAccessControl | |
|
9151 |
AUE_SetClipRectangles | |
|
9150 |
AUE_SetDashes |
|
|
9193 |
AUE_SetScreenSaver | |
|
9124 |
AUE_SetSelectionOwner | |
|
9181 |
AUE_StoreColors | |
|
9182 |
AUE_StoreNamedColor |
|
|
9141 |
AUE_TranslateCoords | |
|
9136 |
AUE_UngrabKey | |
|
9174 |
AUE_UninstallColormap | |
|
9113 |
AUE_UnmapSubwindows | |
|
9112 |
AUE_UnmapWindow |
|
|
9202 |
AUE_XExtensions | |
Events in Audit Class xs
The following table lists in alphabetical order the xs audit events provided in the Trusted Solaris 8 4/01 release.
Note –
These events should be audited for success only, not for failure.
Table A–31 X - Fail Silently Audit Events (Default)
|
Audit Event Number and Event |
Where Described |
|
|---|---|---|
|
9193 |
AUE_Bell | |
|
9132 |
AUE_ChangeActivePointerGrab | |
|
9190 |
AUE_ChangeKeyboardControl | |
|
9189 |
AUE_ChangeKeyboardMapping |
|
|
9192 |
AUE_ChangePointerControl |
|
|
9126 |
AUE_ConvertSelection | |
|
9154 |
AUE_CopyArea | |
|
9155 |
AUE_CopyPlane |
|
|
9119 |
AUE_GetAtomName | |
|
9165 |
AUE_GetImage | |
|
9144 |
AUE_GetInputFocus | |
|
9125 |
AUE_GetSelectionOwner | |
|
9128 |
AUE_GrabPointer | |
|
9118 |
AUE_InternAtom | |
|
9175 |
AUE_ListInstalledColormap | |
|
9159 |
AUE_PolyRectangle | |
|
9127 |
AUE_SendEvent | |
|
9196 |
AUE_SetCloseDownMode | |
|
9143 |
AUE_SetInputFocus | |
|
9201 |
AUE_SetModifierMapping | |
|
9200 |
AUE_SetPointerMapping |
|
|
9124 |
AUE_SetSelectionOwner | |
|
9134 |
AUE_UngrabKeyboard | |
|
9129 |
AUE_UngrabPointer | |
|
9131 |
AUE_UngrabButton |
|
|
9142 |
AUE_WarpPointer | |
- © 2010, Oracle Corporation and/or its affiliates