SunSHIELD Basic Security Module Guide

Audit Records

This section presents all of the audit records. The audit records generated by kernel events are described first (see "Kernel-Level Generated Audit Records"). The audit records generated by user-level eventes are described next (see "User-Level Generated Audit Records").

"Event-to-System Call Translation" includes two tables that include all possible audit events and identifies which kernel or user event created the audit event. Table A-205 maps audit events to system calls. Table A-206 maps audit events to an application or command.

General Audit Record Structure

The audit records produced by Basic Security Module have a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy. The group, sequence, and trailer tokens fall into this category. The administrator can determine if these are included in an audit record with the auditconfig command -getpolicy option.

Kernel-Level Generated Audit Records

These audit records are created by system calls that are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:

The name of the system call
A man page reference (if appropriate)
The audit event number
The audit event name
The audit event class
The mask for the event class
The audit record structure

Table A-5 accept(2)

Event Name	Event ID	Event Class	Mask
`AUE_ACCEPT`	`33`	`nt`	0x00000100
Format (if the socket address is not part of the `AF_INET` family): `header-token` `arg-token` (1, "fd", file descriptor) `text-token` ("bad socket address") `text-token` ("bad peer address") `subject-token` `return-token` Format (if the socket address is part of the `AF_INET` family): `header-token` If there is no `vnode` for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not bound: [`arg-token` (1, "fd", file descriptor) `text-token`] ("socket not bound") or if the socket address length = 0: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") For all other conditions: [`socket-inet-token`] ("socket address") `socket-inet-token` ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_ACCEPT

33

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token                 (1, "fd", file descriptor)

  
text-token                 ("bad socket address")

  
text-token                 ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]               (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("socket not bound")

or if the socket address length = 0:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("bad socket address")

For all other conditions:

  [socket-inet-token]       ("socket address")

  
socket-inet-token         ("socket address")

  
subject-token

  
return-token

Table A-6 access(2)


Event Name	Event ID	Event Class	Mask
`AUE_ACCESS`	`14`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-7 acl(2) - SETACL command


Event Name	Event ID	Event Class	Mask
`AUE_ACLSET`	`251`	`fm`	0x00000008
Format: `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) (0..n)[`acl-token`] (ACLs) `subject-token` `return-token`

Table A-8 acct(2)


Event Name	Event ID	Event Class	Mask
`AUE_ACCT`	`18`	`ad`	0x00000800
Format (zero path): `header-token` `argument-token` (1, "accounting off", 0) `subject-token` `return-token` Format (non-zero path): `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-9 adjtime(2)


Event Name	Event ID	Event Class	Mask
`AUE_ADJTIME`	`50`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-10 audit(2)


Event Name	Event ID	Event Class	Mask
`AUE_AUDIT`	`211`	`no`	0x00000000
Format: `header-token` `subject-token` `return-token`

Table A-11 auditon(2) - get car


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCAR`	`224`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-12 auditon(2) - get event class


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCLASS`	`231`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-13 auditon(2) - get audit state


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCOND`	`229`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-14 auditon(2) - get cwd


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETCWD`	`223`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-15 auditon(2) - get kernal mask


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETKMASK`	`221`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-16 auditon(2) - get audit statistics


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GETSTAT`	`225`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-17 auditon(2) - GPOLICY command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GPOLICY`	`114`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-18 auditon(2) - GQCTRL command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_GQCTRL`	`145`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-19 auditon(2) - set event class


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETCLASS`	`232`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (2, "setclass:ec_event", event number) [`argument-token`] (3, "setclass:ec_class", class mask) `subject-token` `return-token`

Table A-20 auditon(2) - set audit state


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETCOND`	`230`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setcond", audit state) `subject-token` `return-token`

Table A-21 auditon(2) - set kernal mask


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETKMASK`	`222`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (2, "setkmask:as_success", kernel mask) [`argument-token`] (2, "setkmask:as_failure", kernel mask) `return-token`

Table A-22 auditon(2) - set mask per session ID


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETSMASK`	`228`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setsmask:as_success", session ID mask) [`argument-token`] (3, "setsmask:as_failure", session ID mask) `subject-token` `return-token`

Table A-23 auditon(2) - reset audit statistics


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETSTAT`	`226`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-24 auditon(2) - set mask per uid


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SETUMASK`	`227`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3, "setumask:as_success", audit ID mask) [`argument-token`] (3, "setumask:as_failure", audit ID mask) `subject-token` `return-token`

Table A-25 auditon(2) - SPOLICY command


Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SPOLICY`	`147`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (1, "policy", audit policy flags) `subject-token` `return-token`

Table A-26 auditon(2) - SQCTRL command

Event Name	Event ID	Event Class	Mask
`AUE_AUDITON_SQCTRL`	`146`	`ad`	0x00000800
Format: `header-token` [`argument-token`] (3,"setqctrl:aq_hiwater", queue control param.) [`argument-token`] (3,"setqctrl:aq_lowater", queue control param.) [`argument-token`] (3,"setqctrl:aq_bufsz", queue control param.) [`argument-token`] (3,"setqctrl:aq_delay", queue control param.) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_AUDITON_SQCTRL

146

ad

0x00000800

Format:

	
header-token

	[argument-token]      (3,"setqctrl:aq_hiwater", queue control param.)

	[argument-token]      (3,"setqctrl:aq_lowater", queue control param.)

	[argument-token]      (3,"setqctrl:aq_bufsz", queue control param.)

	[argument-token]      (3,"setqctrl:aq_delay", queue control param.)

	
subject-token

	return-token

Table A-27 auditsvc(2)


Event Name	Event ID	Event Class	Mask
`AUE_AUDITSVC`	`136`	`ad`	0x00000800
Format (valid file descriptor): `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token` Format (not valid file descriptor): `header-token` `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Table A-28 bind(2)

Event Name	Event ID	Event Class	Mask
`AUE_BIND`	`34`	`nt`	0x00000100
Format: `header-token` If there is no vnode for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not of the `AF_INET` family: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") for all other conditions: [`arg-token` (1, "fd", file descriptor) `socket-inet-token`] ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_BIND

34

nt

0x00000100

Format:

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]               (1, "Bad fd", file descriptor)

or if the socket is not of the AF_INET family:

  [arg-token                (1, "fd", file descriptor)

  
text-token]               ("bad socket address")

for all other conditions:

  [arg-token               (1, "fd", file descriptor)

  
socket-inet-token]      ("socket address")

  
subject-token

  
return-token

Table A-29 chdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHDIR`	`8`	`pc`	0x00000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-30 chmod(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHMOD`	`10`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file mode", mode) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-31 chown(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHOWN`	`11`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-32 chroot(2)


Event Name	Event ID	Event Class	Mask
`AUE_CHROOT`	`24`	`pc`	0x00000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-33 close(2)


Event Name	Event ID	Event Class	Mask
`AUE_CLOSE`	`112`	`cl`	0x00000040
Format: <file system object> `header-token` `argument-token` (1, "fd", file descriptor) [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-34 connect(2)

Event Name	Event ID	Event Class	Mask
`AUE_CONNECT`	`32`	`nt`	0x00000100
Format (if the socket address is not part of the `AF_INET` family): `header-token` `arg-token` (1, "fd", file descriptor) `text-token` ("bad socket address") `text-token` ("bad peer address") `subject-token` `return-token` Format (if the socket address is part of the `AF_INET` family): `header-token` If there is no `vnode` for this file descriptor: [`arg-token`] (1, "Bad fd", file descriptor) or if the socket is not bound: [`arg-token` (1, "fd", file descriptor) `text-token`] ("socket not bound") or if the socket address length = 0: [`arg-token` (1, "fd", file descriptor) `text-token`] ("bad socket address") for all other conditions: [`socket-inet-token`] ("socket address") `socket-inet-token` ("socket address") `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_CONNECT

32

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token            (1, "fd", file descriptor)

  
text-token           ("bad socket address")

  
text-token           ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]          (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token           (1, "fd", file descriptor)

  
text-token]           ("socket not bound")

or if the socket address length = 0:

  [arg-token           (1, "fd", file descriptor)

  
text-token]           ("bad socket address")

for all other conditions:

  [socket-inet-token]      ("socket address")

  
socket-inet-token        ("socket address")

  
subject-token

  
return-token

Table A-35 creat(2)


Event Name	Event ID	Event Class	Mask
`AUE_CREAT`	`4`	`fc`	0x00000010
Format `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-36 doorfs(2) - DOOR_BIND


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_BIND`	`260`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-37 doorfs(2) - DOOR_CALL


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CALL`	`254`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `process-token` (for process that owns the door) `subject-token` `return-token`

Table A-38 doorfs(2) - DOOR_CREATE


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CREATE`	`256`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door attr", door attributes) `subject-token` `return-token`

Table A-39 doorfs(2) - DOOR_CRED


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_CRED`	`259`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-40 doorfs(2) - DOOR_INFO


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_INFO`	`258`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-41 doorfs(2) - DOOR_RETURN


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_RETURN`	`255`	`ip`	0x00000200
Format: `header-token` `subject-token` `return-token`

Table A-42 doorfs(2) - DOOR_REVOKE


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_REVOKE`	`257`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-43 doorfs(2) - DOOR_UNBIND


Event Name	Event ID	Event Class	Mask
`AUE_DOORFS_DOOR_UNBIND`	`261`	`ip`	0x00000200
Format: `header-token` `arg-token` (1, "door ID", door ID) `subject-token` `return-token`

Table A-44 enter prom


Event Name	Event ID	Event Class	Mask
`AUE_ENTERPROM`	`153`	`na`	0x00000400
Format: `header-token` `text-token` (addr, "monitor PROM"\|"kadb") `subject-token` `return-token`

Table A-45 exec(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXEC`	`7`	`pc,ex`	0x40000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-46 execve(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXECVE`	`23`	`pc,ex`	0x40000080
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-47 exit prom


Event Name	Event ID	Event Class	Mask
`AUE_EXITPROM`	`154`	`na`	0x00000400
Format: `header-token` `text-token` (addr, "monitor PROM"\|"kadb") `subject-token` `return-token`

Table A-48 exit(2)


Event Name	Event ID	Event Class	Mask
`AUE_EXIT`	`1`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-49 facl(2) - SETACL command

Event Name	Event ID	Event Class	Mask
`AUE_FACLSET`	`252`	`fm`	0x00000008
Format (zero path): `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) `arg-token` (1, "no path: fd", file descriptor) (0..n)[`acl-token`] (ACLs) `subject-token` `return-token` Format (non-zero path): `header-token` `arg-token` (2, "cmd", SETACL) `arg-token` (3, "nentries", number of ACL entries) `path-token` [`attr-token`] (0..n)[`acl-token`] (ACLs) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FACLSET

252

fm

0x00000008

Format (zero path):

  
header-token

  
arg-token              (2, "cmd", SETACL)

  
arg-token              (3, "nentries", number of ACL entries)

  
arg-token              (1, "no path: fd", file descriptor)

  (0..n)[acl-token]      (ACLs)

  
subject-token

  
return-token

Format (non-zero path):

  
header-token

  
arg-token              (2, "cmd", SETACL)

  
arg-token              (3, "nentries", number of ACL entries)

  
path-token

  [attr-token]

  (0..n)[acl-token]      (ACLs)

  
subject-token

  
return-token

Table A-50 fchdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_FCHDIR`	`68`	`pc`	0x00000080
Format: `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-51 fchmod(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCHMOD`	`39`	`fm`	0x00000008
Format (valid file descriptor): `header-token` `argument-token` (2, "new file mode", mode) [`path-token`] [`attr-token`] `subject-token` `return-token` Format (not valid file descriptor): `header-token` `argument-token` (2, "new file mode", mode) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCHMOD

39

fm

0x00000008

Format (valid file descriptor):

	
header-token

	
argument-token      (2, "new file mode", mode)

	[path-token]

	[attr-token]

	subject-token

	return-token

Format (not valid file descriptor):

	
header-token

	
argument-token      (2, "new file mode", mode)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-52 fchown(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCHOWN`	`38`	`fm`	0x00000008
Format (valid file descriptor): `header-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) [`path-token`] [`attr-token`] `subject-token` `return-token` Format (non-file descriptor): `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCHOWN

38

fm

0x00000008

Format (valid file descriptor):

	
header-token          (2, "new file uid", uid)

	
argument-token      (3, "new file gid", gid)

	[path-token]

	[attr-token]

	subject-token

	return-token

Format (non-file descriptor):

	
header-token

	
argument-token      (2, "new file uid", uid)

	
argument-token      (3, "new file gid", gid)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-53 fchroot(2)


Event Name	Event ID	Event Class	Mask
`AUE_FCHROOT`	`69`	`pc`	0x00000080
Format: `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token`

Table A-54 fcntl(2)

Event Name	Event ID	Event Class	Mask
`AUE_FCNTL` (cmd=`F_GETLK`, `F_SETLK`, `F_SETLKW`)	`30`	`fm`	0x00000008
Format (file descriptor): `header-token` `argument-token` (2, "cmd", cmd) `path-token` `attr-token` `subject-token` `return-token` Format (bad file descriptor): `header-token` `argument-token` (2, "cmd", cmd) `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Event Name

Event ID

Event Class

Mask

AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW)

30

fm

0x00000008

Format (file descriptor):

	
header-token

	
argument-token      (2, "cmd", cmd)

	
path-token

	attr-token

	subject-token

	return-token

Format (bad file descriptor):

	
header-token

	
argument-token      (2, "cmd", cmd)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-55 fork(2)

Event Name

Event ID

Event Class

Mask

AUE_FORK

2

pc

0x00000080

Format:

	
header-token

	[argument-token]      (0, "child PID", pid)

	
subject-token

	return-token

The fork() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-56 fork1(2)

Event Name

Event ID

Event Class

Mask

AUE_FORK1

241

pc

0x00000080

Format:

	
header-token

	[argument-token]      (0, "child PID", pid)

	
subject-token

	return-token

The fork1() return values are undefined because the audit record
is produced at the point that the child process is spawned.

Table A-57 fstatfs(2)


Event Name	Event ID	Event Class	Mask
`AUE_FSTATFS`	`55`	`fa`	0x00000004
Format (file descriptor): `header-token` [`path-token`] [`attr-token`] `subject-token` `return-token` Format (non-file descriptor): `header-token` `argument-token` (1, "no path: fd", fd) `subject-token` `return-token`

Table A-58 getaudit(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETAUDIT`	`132`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-59 getaudit_addr()


Event Name	Event ID	Event Class	Mask
`AUE_GETAUDIT_ADDR`	`267`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-60 getauid(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETAUID`	`130`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-61 getmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETMSG`	`217`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-62 getmsg - accept


Event Name	Event ID	Event Class	Mask
`AUE_SOCKACCEPT`	`247`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-63 getmsg - receive


Event Name	Event ID	Event Class	Mask
`AUE_SOCKRECEIVE`	`250`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-64 getpmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETPMSG`	`219`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `subject-token` `return-token`

Table A-65 getportaudit(2)


Event Name	Event ID	Event Class	Mask
`AUE_GETPORTAUDIT`	`149`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-66 inst_sync(2)


Event Name	Event ID	Event Class	Mask
`AUE_INST_SYNC`	`264`	`ad`	0x00000800
Format: `header-token` `arg-token` (2, "flags", flags value) `subject-token` `return-token`

Table A-67 ioctl(2)

Event Name

Event ID

Event Class

Mask

AUE_IOCTL

158

io

0x20000000

Format (good file descriptor):

	
header-token

	
path-token

	[attr-token]

	
argument-token      (2, "cmd" ioctl cmd)

	
argument-token      (3, "arg" ioctl arg)

	
subject-token

	return-token

Format (socket):

	
header-token

	[socket-token]

	
argument-token      (2, "cmd" ioctl cmd)

	argument-token      (3, "arg" ioctl arg)

	
subject-token

	return-token

Format (non-file file descriptor):

	
header-token

	argument-token      (1, "fd", file descriptor)

	
argument-token      (2, "cmd", ioctl cmd)

	
argument-token      (3, "arg", ioctl arg)

	
subject-token

	return-token

Format (bad file name):

	
header-token

	argument-token      (1, "no path: fd", fd)

	
argument-token      (2, "cmd", ioctl cmd)

	
argument-token      (3, "arg", ioctl arg)

	
subject-token

	return-token

Table A-68 kill(2)

Event Name

Event ID

Event Class

Mask

AUE_KILL

15

pc

0x00000080

Format (valid process):

	
header-token

	argument-token      (2, "signal", signo)

	[process-token]

	
subject-token

	return-token

Format (zero or negative process):

	
header-token

	argument-token      (2, "signal", signo)

	
argument-token      (1, "process", pid))

	
subject-token

	return-token

Table A-69 lchown(2)


Event Name	Event ID	Event Class	Mask
`AUE_LCHOWN`	`237`	`fm`	0x00000008
Format: `header-token` `argument-token` (2, "new file uid", uid) `argument-token` (3, "new file gid", gid) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-70 link(2)


Event Name	Event ID	Event Class	Mask
`AUE_LINK`	`5`	`fc`	0x00000010
Format: `header-token` `path-token` (from path) [`attr-token`] (from path) `path-token` (to path) `subject-token` `return-token`

Table A-71 lstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_LSTAT`	`17`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-72 lxstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_LXSTAT`	`236`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-73 memcntl(2)

Event Name

Event ID

Event Class

Mask

AUE_MEMCNTL

238

ot

0x80000000

Format:

	
header-token

	argument-token      (1, "base", base address)

	
argument-token      (2, "len", length)

	
argument-token      (3, "cmd", command)

	
argument-token      (4, "arg", command args)

	
argument-token      (5, "attr", command attributes)

	
argument-token      (6, "mask", 0)

	
subject-token

	return-token

Table A-74 mkdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_MKDIR`	`47`	`fc`	0x00000010
Format: `header-token` `argument-token` (2, "mode", mode) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-75 mknod(2)


Event Name	Event ID	Event Class	Mask
`AUE_MKNOD`	`9`	`fc`	0x00000010
Format: `header-token` `argument-token` (2, "mode", mode) `argument-token` (3, "dev", dev) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-76 mmap(2)

Event Name

Event ID

Event Class

Mask

AUE_MMAP

210

no

0x00000000

Format (valid file descriptor):

	
header-token

	
argument-token      (1, "addr", segment address)

	
argument-token      (2, "len", segment length)

	[path-token]

	[attr-token]

	
subject-token

	return-token

Format (not valid file descriptor):

	
header-token

	argument-token      (1, "addr", segment address)

	
argument-token      (2, "len", segment length)

	
argument-token      (1, "no path: fd", fd)

	
subject-token

	return-token

Table A-77 modctl(2) - bind module

Event Name

Event ID

Event Class

Mask

AUE_MODADDMAJ

246

ad

0x00000800

Format:

	header-token

	[text-token]      driver major number)

	[text-token]      (driver name)

	
text-token        (root dir.|"no rootdir")

	
text-token        (driver major number|"no drvname")

	
argument-token        (5, "", number of aliases)

	(0..n)[text-token]      (aliases)

	
subject-token

	return-token

Table A-78 modctl(2) - configure module


Event Name	Event ID	Event Class	Mask
`AUE_MODCONFIG`	`245`	`ad`	0x00000800
Format: `header-token` `text-token` (root dir.\|"no rootdir") `text-token` (driver major number\|"no drvname") `subject-token` `return-token`

Table A-79 modctl(2) - load module


Event Name	Event ID	Event Class	Mask
`AUE_MODLOAD`	`243`	`ad`	0x00000800
Format: `header-token` [`text-token`] (default path) `text-token` (filename path) `subject-token` `return-token`

Table A-80 modctl(2) - unload module


Event Name	Event ID	Event Class	Mask
`AUE_MODUNLOAD`	`244`	`ad`	0x00000800
Format: `header-token` `argument-token` (1, "id", module ID) `subject-token` `return-token`

Table A-81 mount(2)

Event Name

Event ID

Event Class

Mask

AUE_MOUNT

62

ad

0x00000800

Format (UNIX file system):

	
header-token

	
argument-token      (3, "flags", flags)

	
text-token             (filesystem type)

	
path-token

	[attr-token]

	subject-token

	return-token

Format (NFS file system):

	
header-token

	
argument-token      (3, "flags", flags)

	
text-token             (filesystem type)

	
text-token             (host name)

	
argument-token      (3, "internal flags", flags)

Table A-82 msgctl(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL`	`84`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-83 msgctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_RMID`	`85`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-84 msgctl(2) - IPC_SET command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_SET`	`86`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-85 msgctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_MSGCTL_STAT`	`87`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-86 msgget(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGGET`	`88`	`ip`	0x00000200
Format: `header-token` [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-87 msgrcv(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGRCV`	`89`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-88 msgsnd(2)


Event Name	Event ID	Event Class	Mask
`AUE_MSGSND`	`90`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "msg ID", message ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the msg ID is not valid.

Table A-89 munmap(2)


Event Name	Event ID	Event Class	Mask
`AUE_MUNMAP`	`214`	`cl`	0x00000040
Format: `header-token` `argument-token` (1, "addr", address of memory) `argument-token` (2, "len", memory segment size) `subject-token` `return-token`

Table A-90 old nice(2)


Event Name	Event ID	Event Class	Mask
`AUE_NICE`	`203`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-91 open(2) - read


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_R`	`72`	`fr`	0x00000001
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-92 open(2) - read,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RC`	`73`	`fc,fr`	0x00000011
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-93 open(2) - read,creat,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RTC`	`75`	`fc,fd,fr`	0x00000031
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-94 open(2) - read,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RT`	`74`	`fd,fr`	0x00000021
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-95 open(2) - read,write


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RW`	`80`	`fr,fw`	0x00000003
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-96 open(2) - read,write,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWC`	`81`	`fr,fw,fc`	0x00000013
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-97 open(2) - read,write,create,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWTC`	`83`	`fr,fw,fc,fd`	0x00000033
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-98 open(2) - read,write,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_RWT`	`82`	`fr,fw,fd`	0x00000023
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-99 open(2) - write


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_W`	`76`	`fw`	0x00000002
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-100 open(2) - write,creat


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WC`	`77`	`fw,fc`	0x00000012
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-101 open(2) - write,creat,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WTC`	`79`	`fw,fc,fd`	0x00000032
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-102 open(2) - write,trunc


Event Name	Event ID	Event Class	Mask
`AUE_OPEN_WT`	`78`	`fw,fd`	0x00000022
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-103 p_online(2)

Event Name

Event ID

Event Class

Mask

AUE_P_ONLINE

262

ad

0x00000800

  
header-token

  
arg-token           (1, "processor ID", processor ID)

  
arg-token           (2, "flags", flags value)

  
text-token           (text form of flags value: P_ONLINE, P_OFFLINE, P_STATUS)

  
subject-token

  
return-token

Table A-104 pathconf(2)


Event Name	Event ID	Event Class	Mask
`AUE_PATHCONF`	`71`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-105 pipe(2)


Event Name	Event ID	Event Class	Mask
`AUE_PIPE`	`185`	`no`	0x00000000
Format: `header-token` `subject-token` `return-token`

Table A-106 priocntlsys(2)


Event Name	Event ID	Event Class	Mask
`AUE_PRIOCNTLSYS`	`212`	`pc`	0x0000080
Format: `header-token` `argument-token` (1, "pc_version", `priocntl` version num.) `argument-token` (3,"cmd", command) `subject-token` `return-token`

Table A-107 process dumped core


Event Name	Event ID	Event Class	Mask
`AUE_CORE`	`111`	`fc`	0x0000010
Format: `header-token` `path-token` [`attr-token`] `argument-token` (1, "signal", signal) `subject-token` `return-token`

Table A-108 processor_bind(2)

Event Name

Event ID

Event Class

Mask

AUE_PROCESSOR_BIND

263

ad

0x00000800

Format (no processor bound):

  
header-token

  
arg-token             (1, "ID type", type of ID)

  
arg-token             (2, "ID", ID value)

  
text-token             ("PBIND_NONE")

  
process-token        (for process whose threads are bound to the processor)

  
subject-token

  
return-token

Format (with processor bound):

  
header-token

  
arg-token             (1, "ID type", type of ID)

  
arg-token             (2, "ID", ID value)

  
arg-token             (3, "processor ID", processor ID)

  
process-token        (for process whose threads are bound to the processor)

  
subject-token

  
return-token

Table A-109 putmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_PUTMSG`	`216`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-110 putmsg-connect


Event Name	Event ID	Event Class	Mask
`AUE_SOCKCONNECT`	`248`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-111 putmsg-send


Event Name	Event ID	EventClass	Mask
`AUE_SOCKSEND`	`249`	`nt`	0x00000100
Format: `header-token` `socket-inet-token` `argument-token` (1, "fd", file descriptor) `argument-token` (4, "pri", priority) `subject-token` `return-token`

Table A-112 putpmsg(2)


Event Name	Event ID	Event Class	Mask
`AUE_PUTPMSG`	`218`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "fd", file descriptor) `subject-token` `return-token`

Table A-113 readlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_READLINK`	`22`	`fr`	0x00000001
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-114 recvfrom(3SOCKET)

Event Name

Event ID

Event Class

Mask

AUE_RECVFROM

191

nt

0x00000100

Format:

  
header-token

  
sock-inet-token

  
argument-token           (3, "len", message length)

  [argument-token]         (4, "flags", flags)

  
sock-inet-token            (from address)

  
argument-token           (6, "tolen", address length)

  
subject-token

  
return-token

The sock_inet token for a bad socket is reported as:
    argument-token           (1, "fd", socket descriptor)

Table A-115 recvmsg(3SOCKET)

Event Name

Event ID

Event Class

Mask

AUE_RECVMSG

190

nt

0x00000100

Format:

  
header-token

  
sock-inet-token

  
argument-token           (3, "flags", message flags)

  
sock-inet-token            (from address)

  
subject-token

  
return-token

The sock_inet token for a bad socket is reported as:
    argument-token           (1, "fd", socket descriptor)

Table A-116 rename(2)


Event Name	Event ID	Event Class	Mask
`AUE_RENAME`	`42`	`fc,fd`	0x00000030
Format: `header-token` `path-token` (from name) [`attr-token`] (from name) [`path-token`] (to name) `subject-token` `return-token`

Table A-117 rmdir(2)


Event Name	Event ID	Event Class	Mask
`AUE_RMDIR`	`48`	`fd`	0x00000020
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-118 semctl(2)


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL`	`98`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-119 semctl(2) - getall


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETALL`	`105`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-120 semctl(2) - GETNCNT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETNCNT`	`102`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-121 semctl(2) - GETPID command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETPID`	`103`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-122 semctl(2) - GETVAL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETVAL`	`104`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-123 semctl(2) - GETZCNT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_GETZCNT`	`106`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-124 semctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_RMID`	`99`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-125 semctl(2) - IPC_SET command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SET`	`100`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-126 semctl(2) - SETALL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SETALL`	`108`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-127 semctl(2) - SETVAL command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_SETVAL`	`107`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-128 semctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_SEMCTL_STAT`	`101`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token`

Table A-129 semget(2)


Event Name	Event ID	Event Class	Mask
`AUE_SEMGET`	`109`	`ip`	0x00000200
Format: `header-token` [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the system call failed.

Table A-130 semop(2)


Event Name	Event ID	Event Class	Mask
`AUE_SEMOP`	`110`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "sem ID", semaphore ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the semaphore ID is not valid.

Table A-131 sendmsg(3N)

Event Name

Event ID

Event Class

Mask

AUE_SENDMSG

188

nt

0x00000100

Format:

  
header-token

  
sock-inet-token

  
sock-inet-token            (to address)

  
argument-token           (3, "flags", message flags)

  
subject-token

  
return-token

The sock_inet token for a bad socket is reported as:
    argument-token           (1, "fd", socket descriptor)

Table A-132 sendto(3N)

Event Name

Event ID

Event Class

Mask

AUE_SENDTO

184

nt

0x00000100

Format:

  
header-token

  
sock-inet-token

  
argument-token           (3, "len", message length)

  [argument-token]         (4, "flags", flags)

  
argument-token           (6, "tolen", address length)

  
sock-inet-token            (to address)

  
subject-token

  
return-token

The sock_inet token for a bad socket is reported as:
    argument-token           (1, "fd", socket descriptor)

Table A-133 setaudit(2)

Event Name

Event ID

Event Class

Mask

AUE_SETAUDIT

133

ad

0x00000800

Format (valid program stack address):

	
header-token

	
argument-token      (1, "setaudit:auid", audit user ID)

	
argument-token      (1, "setaudit:port", terminal ID)

	
argument-token      (1, "setaudit:machine", terminal ID)

	
argument-token      (1, "setaudit:as_success", preselection mask)

	
argument-token      (1, "setaudit:as_failure", preselection mask)

	
argument-token      (1, "setaudit:asid", audit session ID)

	
subject-token

	return-token

Format (not valid program stack address):

	
header-token

	subject-token

	return-token

Table A-134 setaudit_addr()

Event Name

Event ID

Event Class

Mask

AUE_SETAUDIT_ADDR

266

ad

0x00000800

Format:

	
header-token

	
argument-token      (1, "auid", audit user ID)

	
argument-token      (1, "port", terminal ID)

	
argument-token      (1, "type", machine address type)

	
argument-token      (1, "as_success", preselection mask)

	
argument-token      (1, "as_failure", preselection mask)

	
argument-token      (1, "asid", audit session ID)

	
subject-token

	return-token

Table A-135 setauid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETAUID`	`131`	`ad`	0x00000800
Format: `header-token` `argument-token` (2, "setauid", audit user ID) `subject-token` `return-token`

Table A-136 setegid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETEGID`	`214`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", group ID) `subject-token` `return-token`

Table A-137 seteuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETEUID`	`215`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", user ID) `subject-token` `return-token`

Table A-138 old setgid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETGID`	`205`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "gid", group ID) `subject-token` `return-token`

Table A-139 setgroups(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETGROUPS`	`26`	`pc`	0x00000080
Format: `header-token` [`argument-token`] (1, "setgroups", group ID) `subject-token` `return-token` One `argument-token` for each group set.

Table A-140 setpgrp(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETPGRP`	`27`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-141 setregid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETREGID`	`41`	`pc`	0x00000080
Format: `header-token` `arg-token` (1, "rgid", real group ID) `arg-token` (2, "egid", effective group ID) `subject-token` `return-token`

Table A-142 setreuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETREUID`	`40`	`pc`	0x00000080
Format: `header-token` `arg-token` (1, "ruid", real user ID) `arg-token` (2, "euid", effective user ID) `subject-token` `return-token`

Table A-143 setrlimit(2)


Event Name	Event ID	Event Class	Mask
`AUE_SETRLIMIT`	`51`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-144 setsockopt(3SOCKET)

Event Name

Event ID

Event Class

Mask

AUE_SETSOCKOPT

35

nt

0x00000100

Format:

  
header-token

  
sock-inet-token

  
argument-token           (2, "level", protocol level)

  [argument-token]         (3, "optname", option name)

  
argument-token           (4, "val", option value)

  
argument-token           (5, "optlen", option length)

  
subject-token

  
return-token

The sock_inet token for a non-socket operation is reported as:
    argument-token           (1, "fd", file descriptor)

Table A-145 old setuid(2)


Event Name	Event ID	Event Class	Mask
`AUE_OSETUID`	`200`	`pc`	0x00000080
Format: `header-token` `argument-token` (1, "uid", user ID) `subject-token` `return-token` Because of a current bug in the audit software, this token is reported as `AUE_OSETUID`.

Table A-146 shmat(2)

Event Name

Event ID

Event Class

Mask

AUE_SHMAT

96

ip

0x00000200

Format:

	
header-token

	
argument-token      (1, "shmid", shared memory ID)

	
argument-token      (2, "shmaddr", shared mem addr)

	[ipc-token]

	[ipc_perm-token]

	subject-token

	return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-147 shmctl(2)


Event Name	Event ID	Event Class	Mask
`AUE_SHMCTL`	`91`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmid", shared memory ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the shared memory segment ID is not valid.

Table A-148 shmctl(2) - IPC_RMID command


Event Name	Event ID	Event Class	Mask
`AUE_SHMCTL_RMID`	`92`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmid", shared memory ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the shared memory segment ID is not valid.

Table A-149 shmctl(2) - IPC_SET command

Event Name

Event ID

Event Class

Mask

AUE_SHMCTL_SET

93

ip

0x00000200

Format:

	
header-token

	
argument-token      (1, "shmid", shared memory ID)

	[ipc-token]

	[ipc_perm-token]

	subject-token

	return-token

The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

Table A-150 shmctl(2) - IPC_STAT command


Event Name	Event ID	Event Class	Mask
`AUE_SHMCTL_STAT`	`94`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmid", shared memory ID) [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included if the shared memory segment ID is not valid.

Table A-151 shmdt(2)


Event Name	Event ID	Event Class	Mask
`AUE_SHMDT`	`97`	`ip`	0x00000200
Format: `header-token` `argument-token` (1, "shmaddr", shared mem addr) `subject-token` `return-token`

Table A-152 shmget(2)


Event Name	Event ID	Event Class	Mask
`AUE_SHMGET`	`95`	`ip`	0x00000200
Format: `header-token` `arg-token` (0, "shmid", shared memory ID) [`ipc_perm-token`] [`ipc-token`] `subject-token` `return-token` The `ipc` and `ipc_perm` tokens are not included for failed events.

Table A-153 shutdown(2)

Event Name

Event ID

Event Class

Mask

AUE_SHUTDOWN

46

nt

0x00000100

Format (if the socket address is not part of the AF_INET family):

  
header-token

  
arg-token               (1, "fd", file descriptor)

  
text-token]             ("bad socket address")

  
text-token]             ("bad peer address")

  
subject-token

  
return-token

Format (if the socket address is part of the AF_INET family):

  
header-token

If there is no vnode for this file descriptor:

  [arg-token]             (1, "Bad fd", file descriptor)

or if the socket is not bound:

  [arg-token               (1, "fd", file descriptor)

  
text-token]              ("socket not bound")

or if the socket address length = 0:

  [arg-token               (1, "fd", file descriptor)

  
text-token]             ("bad socket address")

for all other conditions:

  [socket-inet-token]            ("socket address")

  
socket-inet-token              ("socket address")

  
subject-token

  
return-token

Table A-154 sockconfig()


Event Name	Event ID	Event Class	Mask
`AUE_SOCKCONFIG`	`183`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "domain", socket domain) [`argument-token`] (2, "type", socket type) `argument-token` (3, "protocol", socket protocol) `text-token` `subject-token` `return-token`

Table A-155 socket(3socket)


Event Name	Event ID	Event Class	Mask
`AUE_SOCKET`	`183`	`nt`	0x00000100
Format: `header-token` `argument-token` (1, "domain", socket domain) [`argument-token`] (2, "type", socket type) `argument-token` (3, "protocol", socket protocol) `subject-token` `return-token`

Table A-156 stat(2)


Event Name	Event ID	Event Class	Mask
`AUE_STAT`	`16`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-157 statfs(2)


Event Name	Event ID	EventClass	Mask
`AUE_STATFS`	`54`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-158 statvfs(2)


Event Name	Event ID	Event Class	Mask
`AUE_STATVFS`	`234`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-159 stime(2)


Event Name	Event ID	Event Class	Mask
`AUE_STIME`	`201`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-160 symlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_SYMLINK`	`21`	`fc`	0x00000010
Format: `header-token` `text-token` (symbolic link string) `path-token` [`attr-token`] `subject-token` `return-token`

Table A-161 sysinfo(2)


Event Name	Event ID	Event Class	Mask
`AUE_SYSINFO`	`39`	`ad`	0x00000800
Format: `header-token` `argument-token` (1, "cmd", command) `text-token` (name) `subject-token` `return-token`

Table A-162 system booted


Event Name	Event ID	Event Class	Mask
`AUE_SYSTEMBOOT`	`113`	`na`	0x00000400
Format: `header-token` `text-token` ("booting kernel") `return-token`

Table A-163 umount(2) - old version


Event Name	Event ID	Event Class	Mask
`AUE_UMOUNT`	`12`	`ad`	0x00000800
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-164 unlink(2)


Event Name	Event ID	Event Class	Mask
`AUE_UNLINK`	`6`	`fd`	0x00000020
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-165 old utime(2)


Event Name	Event ID	Event Class	Mask
`AUE_UTIME`	`202`	`fm`	0x00000008
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-166 utimes(2)


Event Name	Event ID	Event Class	Mask
`AUE_UTIMES`	`49`	`fm`	0x00000008
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-167 utssys(2) - fusers


Event Name	Event ID	Event Class	Mask
`AUE_UTSSYS`	`233`	`ad`	0x00000800
Format: `header-token` `path-token` `[attr-token]` `subject-token` `return-token`

Table A-168 vfork(2)

Event Name

Event ID

Event Class

Mask

AUE_VFORK

25

pc

0x00000080

Format:

	
header-token

	
argument-token      (0, "child PID", pid)

	
subject-token

	return-token

The fork return values are undefined because the audit record is
produced at the point that the child process is spawned.

Table A-169 vtrace(2)


Event Name	Event ID	Event Class	Mask
`AUE_VTRACE`	`36`	`pc`	0x00000080
Format: `header-token` `subject-token` `return-token`

Table A-170 xmknod(2)


Event Name	Event ID	Event Class	Mask
`AUE_XMKNOD`	`240`	`fc`	0x00000010
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

Table A-171 xstat(2)


Event Name	Event ID	Event Class	Mask
`AUE_XSTAT`	`235`	`fa`	0x00000004
Format: `header-token` `path-token` [`attr-token`] `subject-token` `return-token`

User-Level Generated Audit Records

These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:

The name of the program
A man page reference (if appropriate)
The audit event number
The audit event name
The audit record structure

Table A-172 allocate-device success


Event Name	Program	Event ID	Event Class	Mask
`AUE_allocate_succ`	`/usr/sbin/allocate`	`6200`	`ad`	0x00000800
Format: `header-token` `text-token` `path-token` `subject-token` `exit-token`

Table A-173 allocate-device failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_allocate_fail`	`/usr/sbin/allocate`	`6201`	`ad`	0x00000800
Format: `header-token` `text-token` `subject-token` `exit-token`

Table A-174 deallocate-device success


Event Name	Program	Event ID	Event Class	Mask
`AUE_deallocate_succ`	`/usr/sbin/deallocate`	`6202`	`ad`	0x00000800
Format: `header-token` `subject-token` `newgroups-token` `exit-token`

Table A-175 deallocate-device failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_deallocate_fail`	`/usr/sbin/deallocate`	`6203`	`ad`	0x00000800
Format: `header-token` `subject-token` `newgroups-token` `exit-token`

Table A-176 allocate-list devices success


Event Name	Program	Event ID	Event Class	Mask
`AUE_listdevice_succ`	`/usr/sbin/allocate`	`6205`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-177 allocate-list devices failure


Event Name	Program	Event ID	Event Class	Mask
`AUE_listdevice_fail`	`/usr/sbin/allocate`	`6206`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-178 at-create crontab


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_create`	`/usr/bin/at`	`6144`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-179 at-delete atjob (at or atrm)


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_delete`	`/usr/bin/at`	`6145`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-180 at-permission


Event Name	Program	Event ID	Event Class	Mask
`AUE_at_perm`	`/usr/bin/at`	`6146`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-181 crontab-crontab created


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_create`	`/usr/bin/crontab`	`6148`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-182 crontab-crontab deleted


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_delete`	`/usr/bin/crontab`	`6149`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-183 cron-invoke atjob or crontab


Event Name	Program	Event ID	Event Class	Mask
`AUE_cron_invoke`	`/usr/bin/crontab`	`6147`	`ad`	0x00000800
Format: `header-token` `text-token` (either: at-job; batch-job, crontab-job, queue-job #; or unknown job type #) `text-token` (cron command) `subject-token` [`group-token`] `exit-token`

Table A-184 crontab-modify


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_mod`	`/usr/bin/crontab`	`6170`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-185 crontab-permission


Event Name	Program	Event ID	Event Class	Mask
`AUE_crontab_perm`	`/usr/bin/crontab`	`6150`	`ad`	0x00000800
Format: `header-token` `subject-token` [`group-token`] `exit-token`

Table A-186 halt(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_halt_solaris`	`/usr/sbin/halt`	`6160`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-187 inetd


Event Name	Program	Event ID	Event Class	Mask
`AUE_inetd_connect`	`/usr/sbin/inetd`	`6151`	`na`	0x00000400
Format: `header-token` `subject-token` `text-token` (service name) `in_addr-token` `iport-token` `return-token`

Table A-188 init(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_init_solaris`	`/sbin/init`; `/usr/sbin/init`; `/usr/sbin/shutdown`	`6166`	`ad`	0x00000800
Format: `header-token` `subject-token` `text-token` (init level) `return-token`

Table A-189 ftp access


Event Name	Program	Event ID	Event Class	Mask
`AUE_ftpd`	`/usr/sbin/in.ftpd`	`6165`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `return-token`

Table A-190 login - local


Event Name	Program	Event ID	Event Class	Mask
`AUE_login`	`/usr/sbin/login`	`6152`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-191 login - rlogin


Event Name	Program	Event ID	Event Class	Mask
`AUE_rlogin`	`/usr/sbin/login`	`6155`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-192 login - telnet


Event Name	Program	Event ID	Event Class	Mask
`AUE_telnet`	`/usr/sbin/login`	`6154`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-193 logout


Event Name	Program	Event ID	Event Class	Mask
`AUE_logout`	`/usr/sbin/login`	`6153`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` `return-token`

Table A-194 mount


Event Name	Program	Event ID	Event Class	Mask
`AUE_mountd_mount`	`/usr/lib/nfs/mountd`	`6156`	`na`	0x00000400
Format: `header-token` `arg-token` `text-token` (remote client hostname) `path-token` (mount dir) `attribute-token` `path-token` `attribute-token` `subject-token` `return-token`

Table A-195 unmount


Event Name	Program	Event ID	Event Class	Mask
`AUE_mountd_umount`	`/usr/lib/nfs/mountd`	`6157`	`na`	0x00000400
Format: `header-token` `path-token` (mount dir) `attribute-token` `subject-token` `return-token`

Table A-196 passwd


Event Name	Program	Event ID	Event Class	Mask
`AUE_passwd`	`/usr/bin/passwd`	`6163`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-197 poweroff(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_poweroff_solaris`	`/usr/sbin/poweroff`	`6169`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-198 reboot(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_reboot_solaris`	`/usr/sbin/reboot`	`6161`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-199 rexd


Event Name	Program	Event ID	Event Class	Mask
`AUE_rexd`	`/usr/sbin/rpc.rexd`	`6164`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `text-token` (hostname) `text-token` (username) `text-token` (command to be executed) `exit-token`

Table A-200 rexecd


Event Name	Program	Event ID	Event Class	Mask
`AUE_rexecd`	`/usr/sbin/in.rexecd`	`6162`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message, failure only) `text-token` (hostname) `text-token` (username) `text-token` (command to be executed) `exit-token`

Table A-201 rsh access


Event Name	Program	Event ID	Event Class	Mask
`AUE_rshd`	`/usr/sbin/in.rshd`	`6158`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (command string) `text-token` (local user) `text-token` (remote user) `return-token`

Table A-202 shutdown(1b)


Event Name	Program	Event ID	Event Class	Mask
`AUE_shutdown_solaris`	`/usr/ucb/shutdown`	`6168`	`ad`	0x00000800
Format: `header-token` `subject-token` `return-token`

Table A-203 su


Event Name	Program	Event ID	Event Class	Mask
`AUE_su`	`/usr/bin/su`	`6159`	`lo`	0x00001000
Format: `header-token` `subject-token` `text-token` (error message) `return-token`

Table A-204 admin(1m)


Event Name	Program	Event ID	Event Class	Mask
`AUE_uadmin_solaris`	`/sbin/uadmin`; `/usr/sbin/uadmin`	`6167`	`ad`	0x00000800
Format: `header-token` `subject-token` `text-token` (function) `text-token` (argument) `return-token`

Event-to-System Call Translation

Table A-205 associates an audit event name with the system call or kernel event that created it. Table A-206 associates an audit event with the application or command that generated it.

Table A-205 Event-to-System Call Translation


Audit Event	System Call
`AUE_ACCEPT`	Table A-5
`AUE_ACCESS`	Table A-6
`AUE_ACLSET`	Table A-7
`AUE_ACCT`	Table A-8
`AUE_ADJTIME`	Table A-9
`AUE_AUDIT`	Table A-10
`AUE_AUDITON_GETCAR`	Table A-11
`AUE_AUDITON_GETCLASS`	Table A-12
`AUE_AUDITON_GETCOND`	Table A-13
`AUE_AUDITON_GETCWD`	Table A-14
`AUE_AUDITON_GETKMASK`	Table A-15
`AUE_AUDITON_GETSTAT`	Table A-16
`AUE_AUDITON_GPOLICY`	Table A-17
`AUE_AUDITON_GQCTRL`	Table A-18
`AUE_AUDITON_SETCLASS`	Table A-19
`AUE_AUDITON_SETCOND`	Table A-20
`AUE_AUDITON_SETKMASK`	Table A-21
`AUE_AUDITON_SETSMASK`	Table A-22
`AUE_AUDITON_SETSTAT`	Table A-23
`AUE_AUDITON_SETUMASK`	Table A-24
`AUE_AUDITON_SPOLICY`	Table A-25
`AUE_AUDITON_SQCTRL`	Table A-26
`AUE_AUDITSVC`	Table A-27
`AUE_BIND`	Table A-28
`AUE_CHDIR`	Table A-29
`AUE_CHMOD`	Table A-30
`AUE_CHOWN`	Table A-31
`AUE_CHROOT`	Table A-32
`AUE_CLOSE`	Table A-33
`AUE_CONNECT`	Table A-34
`AUE_CORE`	Table A-107
`AUE_CREAT`	Table A-35
`AUE_DOORFS_DOOR_BIND`	Table A-36
`AUE_DOORFS_DOOR_CALL`	Table A-37
`AUE_DOORFS_DOOR_CREATE`	Table A-38
`AUE_DOORFS_DOOR_CRED`	Table A-39
`AUE_DOORFS_DOOR_INFO`	Table A-40
`AUE_DOORFS_DOOR_RETURN`	Table A-41
`AUE_DOORFS_DOOR_REVOKE`	Table A-42
`AUE_DOORFS_DOOR_UNBIND`	Table A-43
`AUE_ENTERPROM`	Table A-44
`AUE_EXEC`	Table A-45
`AUE_EXECVE`	Table A-46
`AUE_EXIT`	Table A-48
`AUE_EXITPROM`	Table A-47
`AUE_FACLSET`	Table A-49
`AUE_FCHDIR`	Table A-50
`AUE_FCHMOD`	Table A-51
`AUE_FCHOWN`	Table A-52
`AUE_FCHROOT`	Table A-53
`AUE_FCNTL`	Table A-54
`AUE_FORK`	Table A-55
`AUE_FORK1`	Table A-56
`AUE_FSTATFS`	Table A-57
`AUE_GETAUDIT`	Table A-58
`AUE_GETAUID`	Table A-60
`AUE_GETMSG`	Table A-61
`AUE_GETPMSG`	Table A-64
`AUE_GETPORTAUDIT`	Table A-65
`AUE_INST_SYNC`	Table A-66
`AUE_IOCTL`	Table A-67
`AUE_KILL`	Table A-68
`AUE_LCHOWN`	Table A-69
`AUE_LINK`	Table A-70
`AUE_LSTAT`	Table A-71
`AUE_LXSTAT`	Table A-72
`AUE_MEMCNTL`	Table A-73
`AUE_MKDIR`	Table A-74
`AUE_MKNOD`	Table A-75
`AUE_MMAP`	Table A-76
`AUE_MODADDMAJ`	Table A-77
`AUE_MODCONFIG`	Table A-78
`AUE_MODLOAD`	Table A-79
`AUE_MODUNLOAD`	Table A-80
`AUE_MOUNT`	Table A-81
`AUE_MSGCTL`	Table A-82
`AUE_MSGCTL_RMID`	Table A-83
`AUE_MSGCTL_SET`	Table A-84
`AUE_MSGCTL_STAT`	Table A-85
`AUE_MSGGET`	Table A-86
`AUE_MSGRCV`	Table A-87
`AUE_MSGSND`	Table A-88
`AUE_MUNMAP`	Table A-89
`AUE_NICE`	Table A-90
`AUE_OPEN_R`	Table A-91
`AUE_OPEN_RC`	Table A-92
`AUE_OPEN_RT`	Table A-94
`AUE_OPEN_RTC`	Table A-93
`AUE_OPEN_RW`	Table A-95
`AUE_OPEN_RWC`	Table A-96
`AUE_OPEN_RWT`	Table A-98
`AUE_OPEN_RWTC`	Table A-97
`AUE_OPEN_W`	Table A-99
`AUE_OPEN_WC`	Table A-100
`AUE_OPEN_WT`	Table A-102
`AUE_OPEN_WTC`	Table A-101
`AUE_OSETUID`	Table A-145
`AUE_P_ONLINE`	Table A-103
`AUE_PATHCONF`	Table A-104
`AUE_PIPE`	Table A-105
`AUE_PRIOCNTLSYS`	Table A-106
`AUE_PROCESSOR_BIND`	Table A-108
`AUE_PUTMSG`	Table A-109
`AUE_PUTPMSG`	Table A-112
`AUE_READLINK`	Table A-113
`AUE_RECVFROM`	Table A-114
`AUE_RECVMSG`	Table A-115
`AUE_RENAME`	Table A-116
`AUE_RMDIR`	Table A-117
`AUE_SEMCTL`	Table A-118
`AUE_SEMCTL_GETALL`	Table A-119
`AUE_SEMCTL_GETNCNT`	Table A-120
`AUE_SEMCTL_GETPID`	Table A-121
`AUE_SEMCTL_GETVAL`	Table A-122
`AUE_SEMCTL_GETZCNT`	Table A-123
`AUE_SEMCTL_RMID`	Table A-124
`AUE_SEMCTL_SET`	Table A-125
`AUE_SEMCTL_SETALL`	Table A-126
`AUE_SEMCTL_SETVAL`	Table A-127
`AUE_SEMCTL_STAT`	Table A-128
`AUE_SEMGET`	Table A-129
`AUE_SEMOP`	Table A-130
`AUE_SENDMSG`	Table A-131
`AUE_SENDTO`	Table A-132
`AUE_SETAUDIT`	Table A-133
`AUE_SETAUDIT_ADDR`	Table A-134
`AUE_SETAUID`	Table A-135
`AUE_SETEGID`	Table A-136
`AUE_SETEUID`	Table A-137
`AUE_SETGID`	Table A-138
`AUE_SETGROUPS`	Table A-139
`AUE_SETPGRP`	Table A-140
`AUE_SETREGID`	Table A-141
`AUE_SETREUID`	Table A-142
`AUE_SETRLIMIT`	Table A-143
`AUE_SETSOCKOPT`	Table A-144
`AUE_SETUID`	Reported as `AUE_OSETUID`, see Table A-145
`AUE_SHMAT`	Table A-146
`AUE_SHMCTL`	Table A-147
`AUE_SHMCTL_RMID`	Table A-148
`AUE_SHMCTL_SET`	Table A-149
`AUE_SHMCTL_STAT`	Table A-150
`AUE_SHMDT`	Table A-151
`AUE_SHMGET`	Table A-152
`AUE_SHUTDOWN`	Table A-153
`AUE_SOCKACCEPT`	Table A-62
`AUE_SOCKCONFIG`	Table A-154
`AUE_SOCKCONNECT`	Table A-110
`AUE_SOCKET`	Table A-155
`AUE_SOCKRECEIVE`	Table A-63
`AUE_SOCKSEND`	Table A-111
`AUE_STAT`	Table A-156
`AUE_STATFS`	Table A-157
`AUE_STATVFS`	Table A-158
`AUE_STIME`	Table A-159
`AUE_SYMLINK`	Table A-160
`AUE_SYSINFO`	Table A-161
`AUE_SYSTEMBOOT`	Table A-162
`AUE_UMOUNT`	Table A-163
`AUE_UNLINK`	Table A-164
`AUE_UTIME`	Table A-165
`AUE_UTIMES`	Table A-166
`AUE_UTSSYS`	Table A-167
`AUE_VFORK`	Table A-168
`AUE_VTRACE`	Table A-169
`AUE_XMKNOD`	Table A-170
`AUE_XSTAT`	Table A-171

Table A-206 Event-to-Command Translation


Audit Event	Command
`AUE_allocate_succ`	Table A-172
`AUE_allocate_fail`	Table A-173
`AUE_deallocate_succ`	Table A-174
`AUE_deallocate_fail`	Table A-175
`AUE_listdevice_succ`	Table A-176
`AUE_listdevice_fail`	Table A-177
`AUE_at_create`	Table A-178
`AUE_at_delete`	Table A-179
`AUE_at_perm`	Table A-180
`AUE_crontab_create`	Table A-181
`AUE_crontab_delete`	Table A-182
`AUE_cron_invoke`	Table A-183
`AUE_crontab_mod`	Table A-184
`AUE_crontab_perm`	Table A-185
`AUE_halt_solaris`	Table A-186
`AUE_inetd_connect`	Table A-187
`AUE_init_solaris`	Table A-188
`AUE_ftpd`	Table A-189
`AUE_login`	Table A-190
`AUE_rlogin`	Table A-191
`AUE_telnet`	Table A-192
`AUE_logout`	Table A-193
`AUE_mountd_mount`	Table A-194
`AUE_mountd_umount`	Table A-195
`AUE_passwd`	Table A-196
`AUE_poweroff_solaris`	Table A-197
`AUE_reboot_solaris`	Table A-198
`AUE_rexd`	Table A-199
`AUE_rexecd`	Table A-200
`AUE_rshd`	Table A-201
`AUE_shutdown_solaris`	Table A-202
`AUE_su`	Table A-203
`AUE_uadmin_solaris`	Table A-204