This section presents all of the audit records. The audit records generated by kernel events are described first (see "Kernel-Level Generated Audit Records"). The audit records generated by user-level events are described next (see "User-Level Generated Audit Records").
"Event-to-System Call Translation" includes two tables that list all possible audit events and identify which kernel or user event created each audit event. Table A-173 maps audit events to system calls. Table A-174 maps audit events to an application or command.
The audit records produced by the Basic Security Module consist of a sequence of tokens. Certain tokens are optional within an audit record, depending on the current audit policy; the group, sequence, and trailer tokens fall into this category. The administrator can determine whether these tokens are included in an audit record with the -getpolicy option of the auditconfig command.
These audit records are generated by the kernel for system calls. The records are sorted alphabetically by system call. The description of each record includes:
The name of the system call
A man page reference (if appropriate)
The audit event number
The audit event name
The audit event class
The mask for the event class
The audit record structure
| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ACCESS | 14 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-6 acct(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ACCT | 18 | ad | 0x00000800 |

Format (zero path):
header-token
argument-token (1, "accounting off", 0)
subject-token
return-token

Format (non-zero path):
header-token
path-token
[attr-token]
subject-token
return-token
Table A-7 adjtime(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ADJTIME | 50 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-8 audit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDIT | 211 | no | 0x00000000 |

Format:
header-token
subject-token
return-token
Table A-9 auditon(2) - get car

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCAR | 224 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-10 auditon(2) - get event class

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCLASS | 231 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-11 auditon(2) - get audit state

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCOND | 229 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-12 auditon(2) - get cwd

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETCWD | 223 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-13 auditon(2) - get kernel mask

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETKMASK | 221 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-14 auditon(2) - get audit statistics

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GETSTAT | 225 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-15 auditon(2) - GPOLICY command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GPOLICY | 114 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-16 auditon(2) - GQCTRL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_GQCTRL | 145 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-17 auditon(2) - set event class

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETCLASS | 232 | ad | 0x00000800 |

Format:
header-token
[argument-token] (2, "setclass:ec_event", event number)
[argument-token] (3, "setclass:ec_class", class mask)
subject-token
return-token
Table A-18 auditon(2) - set audit state

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETCOND | 230 | ad | 0x00000800 |

Format:
header-token
[argument-token] (3, "setcond", audit state)
subject-token
return-token
Table A-19 auditon(2) - set kernel mask

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETKMASK | 222 | ad | 0x00000800 |

Format:
header-token
[argument-token] (2, "setkmask:as_success", kernel mask)
[argument-token] (2, "setkmask:as_failure", kernel mask)
return-token
Table A-20 auditon(2) - set mask per session ID

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETSMASK | 228 | ad | 0x00000800 |

Format:
header-token
[argument-token] (3, "setsmask:as_success", session ID mask)
[argument-token] (3, "setsmask:as_failure", session ID mask)
subject-token
return-token
Table A-21 auditon(2) - reset audit statistics

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETSTAT | 226 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-22 auditon(2) - set mask per uid

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SETUMASK | 227 | ad | 0x00000800 |

Format:
header-token
[argument-token] (3, "setumask:as_success", audit ID mask)
[argument-token] (3, "setumask:as_failure", audit ID mask)
subject-token
return-token
Table A-23 auditon(2) - SPOLICY command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SPOLICY | 147 | ad | 0x00000800 |

Format:
header-token
[argument-token] (1, "policy", audit policy flags)
subject-token
return-token
Table A-24 auditon(2) - SQCTRL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITON_SQCTRL | 146 | ad | 0x00000800 |

Format:
header-token
[argument-token] (3, "setqctrl:aq_hiwater", queue control param.)
[argument-token] (3, "setqctrl:aq_lowater", queue control param.)
[argument-token] (3, "setqctrl:aq_bufsz", queue control param.)
[argument-token] (3, "setqctrl:aq_delay", queue control param.)
subject-token
return-token
Table A-25 auditsvc(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_AUDITSVC | 136 | ad | 0x00000800 |

Format (valid file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-26 chdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHDIR | 8 | pc | 0x00000080 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-27 chmod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHMOD | 10 | fm | 0x00000008 |

Format:
header-token
argument-token (2, "new file mode", mode)
path-token
[attr-token]
subject-token
return-token
Table A-28 chown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHOWN | 11 | fm | 0x00000008 |

Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token
Table A-29 chroot(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CHROOT | 24 | pc | 0x00000080 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-30 close(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CLOSE | 112 | cl | 0x00000040 |

Format:
<file system object>
header-token
argument-token (1, "fd", file descriptor)
[path-token]
[attr-token]
subject-token
return-token
Table A-31 creat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CREAT | 4 | fc | 0x00000010 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-32 enter prom

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_ENTERPROM | 153 | na | 0x00000400 |

Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token
Table A-33 exec(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXEC | 7 | pc,ex | 0x40000080 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-34 execve(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXECVE | 23 | pc,ex | 0x40000080 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-35 exit prom

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXITPROM | 154 | na | 0x00000400 |

Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token
Table A-36 exit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_EXIT | 1 | pc | 0x00000080 |

Format:
header-token
subject-token
return-token
Table A-37 fchdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHDIR | 68 | pc | 0x00000080 |

Format:
header-token
[path-token]
[attr-token]
subject-token
return-token
Table A-38 fchmod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHMOD | 39 | fm | 0x00000008 |

Format (valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
[path-token]
[attr-token]
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-39 fchown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHOWN | 38 | fm | 0x00000008 |

Format (valid file descriptor):
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
[path-token]
[attr-token]
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-40 fchroot(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCHROOT | 69 | pc | 0x00000080 |

Format:
header-token
[path-token]
[attr-token]
subject-token
return-token
Table A-41 fcntl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) | 30 | fm | 0x00000008 |

Format (valid file descriptor):
header-token
argument-token (2, "cmd", cmd)
path-token
attr-token
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (2, "cmd", cmd)
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-42 fork(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FORK | 2 | pc | 0x00000080 |

Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token

The fork() return values are undefined because the audit record is produced at the point that the child process is spawned.
Table A-43 fork1(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FORK1 | 241 | pc | 0x00000080 |

Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token

The fork1() return values are undefined because the audit record is produced at the point that the child process is spawned.
Table A-44 fstatfs(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_FSTATFS | 55 | fa | 0x00000004 |

Format (valid file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-45 getaudit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETAUDIT | 132 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-46 getauid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETAUID | 130 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-47 getmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETMSG | 217 | nt | 0x00000100 |

Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-48 getmsg - accept

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SOCKACCEPT | 247 | nt | 0x00000100 |

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-49 getmsg - receive

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SOCKRECEIVE | 250 | nt | 0x00000100 |

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-50 getpmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETPMSG | 219 | nt | 0x00000100 |

Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token
Table A-51 getportaudit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_GETPORTAUDIT | 149 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-52 ioctl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_IOCTL | 158 | io | 0x20000000 |

Format (valid file descriptor):
header-token
path-token
[attr-token]
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token

Format (socket):
header-token
[socket-token]
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token

Format (non-file file descriptor):
header-token
argument-token (1, "fd", file descriptor)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token

Format (bad file name):
header-token
argument-token (1, "no path: fd", fd)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
Table A-53 kill(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_KILL | 15 | pc | 0x00000080 |

Format (valid process):
header-token
argument-token (2, "signal", signo)
[process-token]
subject-token
return-token

Format (zero or negative process):
header-token
argument-token (2, "signal", signo)
argument-token (1, "process", pid)
subject-token
return-token
Table A-54 lchown(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LCHOWN | 237 | fm | 0x00000008 |

Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token
Table A-55 link(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LINK | 5 | fc | 0x00000010 |

Format:
header-token
path-token (from path)
[attr-token] (from path)
path-token (to path)
subject-token
return-token
Table A-56 lstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LSTAT | 17 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-57 lxstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_LXSTAT | 236 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-58 memcntl(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MEMCNTL | 238 | ot | 0x80000000 |

Format:
header-token
argument-token (1, "base", base address)
argument-token (2, "len", length)
argument-token (3, "cmd", command)
argument-token (4, "arg", command args)
argument-token (5, "attr", command attributes)
argument-token (6, "mask", 0)
subject-token
return-token
Table A-59 mkdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MKDIR | 47 | fc | 0x00000010 |

Format:
header-token
argument-token (2, "mode", mode)
path-token
[attr-token]
subject-token
return-token
Table A-60 mknod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MKNOD | 9 | fc | 0x00000010 |

Format:
header-token
argument-token (2, "mode", mode)
argument-token (3, "dev", dev)
path-token
[attr-token]
subject-token
return-token
Table A-61 mmap(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MMAP | 210 | no | 0x00000000 |

Format (valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
[path-token]
[attr-token]
subject-token
return-token

Format (not valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
argument-token (1, "no path: fd", fd)
subject-token
return-token
Table A-62 modctl(2) - bind module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODADDMAJ | 246 | ad | 0x00000800 |

Format:
header-token
[text-token] (driver major number)
[text-token] (driver name)
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
argument-token (5, "", number of aliases)
(0..n)[text-token] (aliases)
subject-token
return-token
Table A-63 modctl(2) - configure module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODCONFIG | 245 | ad | 0x00000800 |

Format:
header-token
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
subject-token
return-token
Table A-64 modctl(2) - load module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODLOAD | 243 | ad | 0x00000800 |

Format:
header-token
[text-token] (default path)
text-token (filename path)
subject-token
return-token
Table A-65 modctl(2) - unload module

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MODUNLOAD | 244 | ad | 0x00000800 |

Format:
header-token
argument-token (1, "id", module ID)
subject-token
return-token
Table A-66 mount(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MOUNT | 62 | ad | 0x00000800 |

Format (UNIX file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
path-token
[attr-token]
subject-token
return-token

Format (NFS file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
text-token (host name)
argument-token (3, "internal flags", flags)
Table A-67 msgctl(2) - IPC_RMID command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_RMID | 85 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-68 msgctl(2) - IPC_SET command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_SET | 86 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-69 msgctl(2) - IPC_STAT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGCTL_STAT | 87 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-70 msgget(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGGET | 88 | ip | 0x00000200 |

Format:
header-token
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-71 msgrcv(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGRCV | 89 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-72 msgsnd(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MSGSND | 90 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the msg ID is not valid.
Table A-73 munmap(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_MUNMAP | 214 | cl | 0x00000040 |

Format:
header-token
argument-token (1, "addr", address of memory)
argument-token (2, "len", memory segment size)
subject-token
return-token
Table A-74 old nice(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_NICE | 203 | pc | 0x00000080 |

Format:
header-token
subject-token
return-token
Table A-75 open(2) - read

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_R | 72 | fr | 0x00000001 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-76 open(2) - read,creat

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RC | 73 | fc,fr | 0x00000011 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-77 open(2) - read,creat,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RTC | 75 | fc,fd,fr | 0x00000031 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-78 open(2) - read,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RT | 74 | fd,fr | 0x00000021 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-79 open(2) - read,write

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RW | 80 | fr,fw | 0x00000003 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-80 open(2) - read,write,creat

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RWC | 81 | fr,fw,fc | 0x00000013 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-81 open(2) - read,write,creat,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RWTC | 83 | fr,fw,fc,fd | 0x00000033 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-82 open(2) - read,write,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_RWT | 82 | fr,fw,fd | 0x00000023 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-83 open(2) - write

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_W | 76 | fw | 0x00000002 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-84 open(2) - write,creat

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_WC | 77 | fw,fc | 0x00000012 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-85 open(2) - write,creat,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_WTC | 79 | fw,fc,fd | 0x00000032 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-86 open(2) - write,trunc

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OPEN_WT | 78 | fw,fd | 0x00000022 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-87 pathconf(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_PATHCONF | 71 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-88 pipe(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_PIPE | 185 | no | 0x00000000 |

Format:
header-token
subject-token
return-token
Table A-89 priocntlsys(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_PRIOCNTLSYS | 212 | pc | 0x00000080 |

Format:
header-token
argument-token (1, "pc_version", priocntl version num.)
argument-token (3, "cmd", command)
subject-token
return-token
Table A-90 process dumped core

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_CORE | 111 | fc | 0x00000010 |

Format:
header-token
path-token
[attr-token]
argument-token (1, "signal", signal)
subject-token
return-token
Table A-91 putmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_PUTMSG | 216 | nt | 0x00000100 |

Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-92 putmsg - connect

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SOCKCONNECT | 248 | nt | 0x00000100 |

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-93 putmsg - send

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SOCKSEND | 249 | nt | 0x00000100 |

Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
Table A-94 putpmsg(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_PUTPMSG | 218 | nt | 0x00000100 |

Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token
Table A-95 readlink(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_READLINK | 22 | fr | 0x00000001 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-96 rename(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_RENAME | 42 | fc,fd | 0x00000030 |

Format:
header-token
path-token (from name)
[attr-token] (from name)
[path-token] (to name)
subject-token
return-token
Table A-97 rmdir(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_RMDIR | 48 | fd | 0x00000020 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token
Table A-98 semctl(2) - GETALL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_GETALL | 105 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-99 semctl(2) - GETNCNT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_GETNCNT | 102 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-100 semctl(2) - GETPID command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_GETPID | 103 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-101 semctl(2) - GETVAL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_GETVAL | 104 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-102 semctl(2) - GETZCNT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_GETZCNT | 106 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-103 semctl(2) - IPC_RMID command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_RMID | 99 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-104 semctl(2) - IPC_SET command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_SET | 100 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-105 semctl(2) - SETALL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_SETALL | 108 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-106 semctl(2) - SETVAL command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_SETVAL | 107 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-107 semctl(2) - IPC_STAT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMCTL_STAT | 101 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
Table A-108 semget(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMGET | 109 | ip | 0x00000200 |

Format:
header-token
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the system call failed.
Table A-109 semop(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SEMOP | 110 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
Table A-110 setaudit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETAUDIT | 133 | ad | 0x00000800 |

Format (valid program stack address):
header-token
argument-token (1, "setaudit:auid", audit user ID)
argument-token (1, "setaudit:port", terminal ID)
argument-token (1, "setaudit:machine", terminal ID)
argument-token (1, "setaudit:as_success", preselection mask)
argument-token (1, "setaudit:as_failure", preselection mask)
argument-token (1, "setaudit:asid", audit session ID)
subject-token
return-token

Format (not valid program stack address):
header-token
subject-token
return-token
Table A-111 setauid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETAUID | 131 | ad | 0x00000800 |

Format:
header-token
argument-token (2, "setauid", audit user ID)
subject-token
return-token
Table A-112 setegid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETEGID | 214 | pc | 0x00000080 |

Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token
Table A-113 seteuid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETEUID | 215 | pc | 0x00000080 |

Format:
header-token
argument-token (1, "gid", user ID)
subject-token
return-token
Table A-114 old setgid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETGID | 205 | pc | 0x00000080 |

Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token
Table A-115 setgroups(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETGROUPS | 26 | pc | 0x00000080 |

Format:
header-token
[argument-token] (1, "setgroups", group ID)
subject-token
return-token

One argument-token is emitted for each group set.
Table A-116 setpgrp(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETPGRP | 27 | pc | 0x00000080 |

Format:
header-token
subject-token
return-token
Table A-117 setrlimit(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SETRLIMIT | 51 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token
Table A-118 old setuid(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_OSETUID | 200 | pc | 0x00000080 |

Format:
header-token
argument-token (1, "uid", user ID)
subject-token
return-token

Because of a current bug in the audit software, this token is reported as AUE_OSETUID.
Table A-119 shmat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMAT | 96 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "shmid", shared memory ID)
argument-token (2, "shmaddr", shared mem addr)
[ipc-token]
[ipc_perm-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
Table A-120 shmctl(2) - IPC_RMID command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMCTL_RMID | 92 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
Table A-121 shmctl(2) - IPC_SET command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMCTL_SET | 93 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
[ipc_perm-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-122 shmctl(2) - IPC_STAT command

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMCTL_STAT | 94 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.

Table A-123 shmdt(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMDT | 97 | ip | 0x00000200 |

Format:
header-token
argument-token (1, "shmaddr", shared mem addr)
subject-token
return-token

Table A-124 shmget(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SHMGET | 95 | ip | 0x00000200 |

Format:
header-token
argument-token (0, "shmid", shared memory ID)
[ipc-token]
[ipc_perm-token]
subject-token
return-token

The ipc and ipc_perm tokens are not included for failed events.

Table A-125 stat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_STAT | 16 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-126 statfs(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_STATFS | 54 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-127 statvfs(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_STATVFS | 234 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-128 stime(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_STIME | 201 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-129 symlink(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SYMLINK | 21 | fc | 0x00000010 |

Format:
header-token
text-token (symbolic link string)
path-token
[attr-token]
subject-token
return-token

Table A-130 sysinfo(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SYSINFO | 39 | ad | 0x00000800 |

Format:
header-token
argument-token (1, "cmd", command)
text-token (name)
subject-token
return-token

Table A-131 system booted

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_SYSTEMBOOT | 113 | na | 0x00000400 |

Format:
header-token
text-token ("booting kernel")
return-token

Table A-132 umount(2) - old version

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UMOUNT | 12 | ad | 0x00000800 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-133 unlink(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UNLINK | 6 | fd | 0x00000020 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-134 old utime(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UTIME | 202 | fm | 0x00000008 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-135 utimes(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UTIMES | 49 | fm | 0x00000008 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-136 utssys(2) - fusers

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_UTSSYS | 233 | ad | 0x00000800 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-137 vfork(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_VFORK | 25 | pc | 0x00000080 |

Format:
header-token
argument-token (0, "child PID", pid)
subject-token
return-token

The fork return values are undefined because the audit record is produced at the point that the child process is spawned.

Table A-138 vtrace(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_VTRACE | 36 | pc | 0x00000080 |

Format:
header-token
subject-token
return-token

Table A-139 xmknod(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_XMKNOD | 240 | fc | 0x00000010 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

Table A-140 xstat(2)

| Event Name | Event ID | Event Class | Mask |
|---|---|---|---|
| AUE_XSTAT | 235 | fa | 0x00000004 |

Format:
header-token
path-token
[attr-token]
subject-token
return-token

These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:
The name of the program
A man page reference (if appropriate)
The audit event number
The audit event name
The audit record structure
Table A-141 allocate-device success

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_succ | /usr/sbin/allocate | 6200 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-142 allocate-device failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_fail | /usr/sbin/allocate | 6201 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-143 deallocate-device success

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_succ | /usr/sbin/allocate | 6202 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-144 deallocate-device failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_fail | /usr/sbin/allocate | 6203 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-145 allocate-list devices success

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_succ | /usr/sbin/allocate | 6205 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-146 allocate-list devices failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_fail | /usr/sbin/allocate | 6206 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-147 at-create crontab

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_create | /usr/bin/at | 6144 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-148 at-delete atjob (at or atrm)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_delete | /usr/bin/at | 6145 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-149 at-permission

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_perm | /usr/bin/at | 6146 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-150 crontab-crontab created

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_create | /usr/bin/crontab | 6148 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-151 crontab-crontab deleted

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_delete | /usr/bin/crontab | 6149 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-152 cron-invoke atjob or crontab

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_cron_invoke | /usr/bin/crontab | 6147 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (program)
text-token (shell)
text-token (cmd)
exit-token

Table A-153 crontab-permission

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_perm | /usr/bin/crontab | 6150 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-154 halt(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_halt_solaris | /usr/sbin/halt | 6160 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-155 inetd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_inetd_connect | /usr/sbin/inetd | 6151 | na | 0x00000400 |

Format:
header-token
subject-token
text-token (service name)
return-token

Table A-156 init(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_init_solaris | /sbin/init; /usr/sbin/init; /usr/sbin/shutdown | 6166 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (init level)
return-token

Table A-157 ftp access

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ftpd | /usr/sbin/in.ftpd | 6165 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
return-token

Table A-158 login - local

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_login | /usr/sbin/login | 6152 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-159 login - rlogin

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rlogin | /usr/sbin/login | 6155 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-160 login - telnet

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_telnet | /usr/sbin/login | 6154 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-161 logout

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_logout | /usr/sbin/login | 6153 | lo | 0x00001000 |

Format:
header-token
subject-token
return-token

Table A-162 mount

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_mount | /usr/lib/nfs/mountd | 6156 | na | 0x00000400 |

Format:
header-token
subject-token
text-token (remote client hostname)
path-token (mount dir)
text-token (error message, failure only)
return-token

Table A-163 unmount

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_umount | /usr/lib/nfs/mountd | 6157 | na | 0x00000400 |

Format:
header-token
subject-token
text-token (remote client hostname)
path-token (mount dir)
text-token (error message, failure only)
return-token

Table A-164 passwd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_passwd | /usr/bin/passwd | 6163 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-165 poweroff(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_poweroff_solaris | /usr/sbin/poweroff | 6169 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-166 reboot(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_reboot_solaris | /usr/sbin/reboot | 6161 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-167 rexd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexd | /usr/sbin/rpc.rexd | 6164 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token

Table A-168 rexecd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexecd | /usr/sbin/in.rexecd | 6162 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token

Table A-169 rsh access

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rshd | /usr/sbin/in.rshd | 6158 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (command string)
text-token (local user)
text-token (remote user)
return-token

Table A-170 shutdown(1b)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_shutdown_solaris | /usr/ucb/shutdown | 6168 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-171 su

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_su | /usr/bin/su | 6159 | lo | 0x00001000 |

Format:
header-token
text-token (error message)
subject-token
return-token

Table A-172 uadmin(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uadmin_solaris | /sbin/uadmin; /usr/sbin/uadmin | 6167 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (function)
text-token (argument)
return-token

Table A-173 associates an audit event name with the system call or kernel event that created it. Table A-174 associates an audit event with the application or command that generated it.
Table A-173 Event-to-System Call Translation

| Audit Event | System Call |
|---|---|
| AUE_ACCESS | |
| AUE_ACCT | |
| AUE_ADJTIME | |
| AUE_AUDIT | |
| AUE_AUDITON_GETCAR | |
| AUE_AUDITON_GETCLASS | |
| AUE_AUDITON_GETCOND | |
| AUE_AUDITON_GETCWD | |
| AUE_AUDITON_GETKMASK | |
| AUE_AUDITON_GETSTAT | |
| AUE_AUDITON_GPOLICY | |
| AUE_AUDITON_GQCTRL | |
| AUE_AUDITON_SETCLASS | |
| AUE_AUDITON_SETCOND | |
| AUE_AUDITON_SETKMASK | |
| AUE_AUDITON_SETSMASK | |
| AUE_AUDITON_SETSTAT | |
| AUE_AUDITON_SETUMASK | |
| AUE_AUDITON_SPOLICY | |
| AUE_AUDITON_SQCTRL | |
| AUE_AUDITSVC | |
| AUE_CHDIR | |
| AUE_CHMOD | |
| AUE_CHOWN | |
| AUE_CHROOT | |
| AUE_CLOSE | |
| AUE_CORE | |
| AUE_CREAT | |
| AUE_ENTERPROM | |
| AUE_EXEC | |
| AUE_EXECVE | |
| AUE_EXIT | |
| AUE_EXITPROM | |
| AUE_FCHDIR | |
| AUE_FCHMOD | |
| AUE_FCHOWN | |
| AUE_FCHROOT | |
| AUE_FCNTL | |
| AUE_FORK | |
| AUE_FORK1 | |
| AUE_FSTATFS | |
| AUE_GETAUDIT | |
| AUE_GETAUID | |
| AUE_GETMSG | |
| AUE_GETPMSG | |
| AUE_GETPORTAUDIT | |
| AUE_IOCTL | |
| AUE_KILL | |
| AUE_LCHOWN | |
| AUE_LINK | |
| AUE_LSTAT | |
| AUE_LXSTAT | |
| AUE_MEMCNTL | |
| AUE_MKDIR | |
| AUE_MKNOD | |
| AUE_MMAP | |
| AUE_MODADDMAJ | |
| AUE_MODCONFIG | |
| AUE_MODLOAD | |
| AUE_MODUNLOAD | |
| AUE_MOUNT | |
| AUE_MSGCTL_RMID | |
| AUE_MSGCTL_SET | |
| AUE_MSGCTL_STAT | |
| AUE_MSGGET | |
| AUE_MSGRCV | |
| AUE_MSGSND | |
| AUE_MUNMAP | |
| AUE_NICE | |
| AUE_OPEN_R | |
| AUE_OPEN_RC | |
| AUE_OPEN_RT | |
| AUE_OPEN_RTC | |
| AUE_OPEN_RW | |
| AUE_OPEN_RWC | |
| AUE_OPEN_RWT | |
| AUE_OPEN_RWTC | |
| AUE_OPEN_W | |
| AUE_OPEN_WC | |
| AUE_OPEN_WT | |
| AUE_OPEN_WTC | |
| AUE_OSETUID | |
| AUE_PATHCONF | |
| AUE_PIPE | |
| AUE_PRIOCNTLSYS | |
| AUE_PUTMSG | |
| AUE_PUTPMSG | |
| AUE_READLINK | |
| AUE_RENAME | |
| AUE_RMDIR | |
| AUE_SEMCTL_GETALL | |
| AUE_SEMCTL_GETNCNT | |
| AUE_SEMCTL_GETPID | |
| AUE_SEMCTL_GETVAL | |
| AUE_SEMCTL_GETZCNT | |
| AUE_SEMCTL_RMID | |
| AUE_SEMCTL_SET | |
| AUE_SEMCTL_SETALL | |
| AUE_SEMCTL_SETVAL | |
| AUE_SEMCTL_STAT | |
| AUE_SEMGET | |
| AUE_SEMOP | |
| AUE_SETAUDIT | |
| AUE_SETAUID | |
| AUE_SETEGID | |
| AUE_SETEUID | |
| AUE_SETGID | |
| AUE_SETGROUPS | |
| AUE_SETPGRP | |
| AUE_SETRLIMIT | |
| AUE_SETUID | Reported as AUE_OSETUID, see Table A-118 |
| AUE_SHMAT | |
| AUE_SHMCTL_RMID | |
| AUE_SHMCTL_SET | |
| AUE_SHMCTL_STAT | |
| AUE_SHMDT | |
| AUE_SHMGET | |
| AUE_SOCKACCEPT | |
| AUE_SOCKCONNECT | |
| AUE_SOCKRECEIVE | |
| AUE_SOCKSEND | |
| AUE_STAT | |
| AUE_STATFS | |
| AUE_STATVFS | |
| AUE_STIME | |
| AUE_SYMLINK | |
| AUE_SYSINFO | |
| AUE_SYSTEMBOOT | |
| AUE_UMOUNT | |
| AUE_UNLINK | |
| AUE_UTIME | |
| AUE_UTIMES | |
| AUE_UTSSYS | |
| AUE_VFORK | |
| AUE_VTRACE | |
| AUE_XMKNOD | |
| AUE_XSTAT | |

Table A-174 Event-to-Command Translation

| Audit Event | Command |
|---|---|
| AUE_allocate_succ | |
| AUE_allocate_fail | |
| AUE_deallocate_succ | |
| AUE_deallocate_fail | |
| AUE_listdevice_succ | |
| AUE_listdevice_fail | |
| AUE_at_create | |
| AUE_at_delete | |
| AUE_at_perm | |
| AUE_crontab_create | |
| AUE_crontab_delete | |
| AUE_cron_invoke | |
| AUE_crontab_perm | |
| AUE_halt_solaris | |
| AUE_inetd_connect | |
| AUE_init_solaris | |
| AUE_ftpd | |
| AUE_login | |
| AUE_rlogin | |
| AUE_telnet | |
| AUE_logout | |
| AUE_mountd_mount | |
| AUE_mountd_umount | |
| AUE_passwd | |
| AUE_poweroff_solaris | |
| AUE_reboot_solaris | |
| AUE_rexd | |
| AUE_rexecd | |
| AUE_rshd | |
| AUE_shutdown_solaris | |
| AUE_su | |
| AUE_uadmin_solaris | |