test

SunSHIELD Basic Security Module Guide

Audit Records

This section presents all of the audit records. The audit records generated by kernel events are described first (see "Kernel-Level Generated Audit Records"). The audit records generated by user-level eventes are described next (see "User-Level Generated Audit Records").

"Event-to-System Call Translation" includes two tables that include all possible audit events and identifies which kernel or user event created the audit event. Table A-173 maps audit events to system calls. Table A-174 maps audit events to an application or command.

General Audit Record Structure

The audit records produced by Basic Security Module have a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy. The group, sequence, and trailer tokens fall into this category. The administrator can determine if these are included in an audit record with the auditconfig command -getpolicy option.

Kernel-Level Generated Audit Records

These audit records are created by system calls that are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:

Table A-5 access(2)

Event Name 

Event ID 

Event Class 

Mask 

AUE_ACCESS

14

fa

0x00000004 

 





Format: 




	header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-6  acct(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_ACCT





18





ad




0x00000800 















Format (zero path): 




	header-token







	argument-token      (1, "accounting off", 0)






	subject-token







	return-token











Format (non-zero path): 




	header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-7  adjtime(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_ADJTIME





50





ad




0x00000800 















Format: 




	header-token







	subject-token







	return-token





 









 





Table A-8  audit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDIT





211





no




0x00000000 















Format: 




	header-token







	subject-token







	return-token





 









 


 


Table A-9  auditon(2) - get car









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETCAR





224





ad




0x00000800 















Format: 




	header-token







	subject-token







	return-token


















 


 


Table A-10  auditon(2) - get event
class









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETCLASS





231





ad




0x00000800 















Format: 




	header-token







	subject-token







	return-token


















 


 


Table A-11  auditon(2) - get audit
state









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETCOND





229





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token





 









 


 


Table A-12  auditon(2) - get cwd









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETCWD





223





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token


















 

 



Table A-13  auditon(2) - get kernal
mask









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETKMASK





221





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token





 









 


 


Table A-14  auditon(2) - get audit
statistics









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GETSTAT





225





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token


















 

 



Table A-15  auditon(2) - GPOLICY command









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GPOLICY





114





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token


















 


 


Table A-16  auditon(2) - GQCTRL command









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_GQCTRL





145





ad




0x00000800 















Format: 




	header-token







	subject-token







	return-token


















 


 


Table A-17  auditon(2) - set event
class









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETCLASS





232





ad




0x00000800 















Format: 




	header-token







	[argument-token]      (2, "setclass:ec_event", event number)






	[argument-token]      (3, "setclass:ec_class", class mask)






	
subject-token







	
return-token


















 


 


Table A-18  auditon(2) - set audit
state









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETCOND





230





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (3, "setcond", audit state)






	
subject-token







	return-token


















 


 


Table A-19  auditon(2) - set kernal
mask









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETKMASK





222





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (2, "setkmask:as_success", kernel mask)






	[argument-token]      (2, "setkmask:as_failure", kernel mask)






	
return-token


















 


 


Table A-20  auditon(2) - set mask
per session ID









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETSMASK





228





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (3, "setsmask:as_success", session ID mask)






	[argument-token]      (3, "setsmask:as_failure", session ID mask)






	
subject-token







	
return-token


















 


 


Table A-21  auditon(2) - reset audit
statistics









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETSTAT





226





ad




0x00000800 

















Format:






	
header-token







	subject-token







	return-token


















 


 


Table A-22  auditon(2) - set mask
per uid









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SETUMASK





227





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (3, "setumask:as_success", audit ID mask)






	[argument-token]      (3, "setumask:as_failure", audit ID mask)






	
subject-token







	return-token


















 


 


Table A-23  auditon(2) - SPOLICY command









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SPOLICY





147





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (1, "policy", audit policy flags)






	
subject-token







	return-token


















 


 


Table A-24  auditon(2) - SQCTRL command









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITON_SQCTRL





146





ad




0x00000800 















Format: 




	
header-token







	[argument-token]      (3,"setqctrl:aq_hiwater",queue control param.)






	[argument-token]      (3,"setqctrl:aq_lowater",queue control param.)






	[argument-token]      (3,"setqctrl:aq_bufsz",queue control param.)






	[argument-token]      (3,"setqctrl:aq_delay",queue control param.)






	
subject-token







	return-token


















 


 


Table A-25  auditsvc(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_AUDITSVC





136





ad




0x00000800 















Format (valid file descriptor): 




	
header-token







	[path-token]






	[attr-token]






	
subject-token







	return-token











Format (not valid file descriptor): 




	
header-token







	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 


 


Table A-26  chdir(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CHDIR





8





pc




0x00000080 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-27  chmod(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CHMOD





10





fm




0x00000008 















Format: 




	
header-token







	
argument-token      (2, "new file mode", mode)






	
path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-28  chown(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CHOWN





11





fm




0x00000008 















Format: 




	
header-token







	
argument-token      (2, "new file uid", uid)






	
argument-token      (3, "new file gid", gid)






	
path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-29  chroot(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CHROOT





24





pc




0x00000080 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-30  close(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CLOSE





112





cl




0x00000040 















Format: 




	<file system object>






	
header-token







	
argument-token      (1, "fd", file descriptor)






	[path-token]






	[attr-token]






	subject-token







	return-token


















 

 



Table A-31  creat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_CREAT





4





fc




0x00000010 















Format 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-32  enter prom









Event Name 



Event ID 



Event Class 



Mask 












AUE_ENTERPROM





153





na




0x00000400 















Format: 




	
header-token







	
text-token      (addr, "monitor PROM"|"kadb")






	
subject-token







	return-token


















 

 



Table A-33  exec(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_EXEC





7





pc,ex




0x40000080 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-34  execve(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_EXECVE





23





pc,ex




0x40000080 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-35  exit prom









Event Name 



Event ID 



Event Class 



Mask 












AUE_EXITPROM





154





na




0x00000400 















Format: 




	
header-token







	
text-token      (addr, "monitor PROM"|"kadb")






	
subject-token







	return-token


















 

 



Table A-36  exit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_EXIT





1





pc




0x00000080 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-37  fchdir(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FCHDIR





68





pc




0x00000080 















Format: 




	
header-token







	[path-token]






	[attr-token]






	subject-token







	return-token


















 


 


Table A-38  fchmod(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FCHMOD





39





fm




0x00000008 















Format (valid file descriptor): 




	
header-token







	
argument-token      (2, "new file mode", mode)






	[path-token]






	[attr-token]






	subject-token







	return-token











Format (not valid file descriptor): 




	
header-token







	
argument-token      (2, "new file mode", mode)






	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 

 



Table A-39  fchown(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FCHOWN





38





fm




0x00000008 















Format (valid file descriptor): 




	
header-token          (2, "new file uid", uid)






	
argument-token      (3, "new file gid", gid)






	[path-token]






	[attr-token]






	subject-token







	return-token











Format (non-file descriptor): 




	
header-token







	
argument-token      (2, "new file uid", uid)






	
argument-token      (3, "new file gid", gid)






	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 

 



Table A-40  fchroot(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FCHROOT





69





pc




0x00000080 















Format: 




	
header-token







	[path-token]






	[attr-token]






	subject-token







	return-token


















 

 



Table A-41  fcntl(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW)




30





fm




0x00000008 















Format (file descriptor): 




	
header-token







	
argument-token      (2, "cmd", cmd)






	
path-token







	attr-token







	subject-token







	return-token











Format (bad file descriptor): 




	
header-token







	
argument-token      (2, "cmd", cmd)






	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 

 



Table A-42  fork(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FORK





2





pc




0x00000080 















Format: 




	
header-token







	[argument-token]      (0, "child PID", pid)






	
subject-token







	return-token













The fork() return values are undefined because the audit record
is produced at the point that the child process is spawned.

















 

 



Table A-43  fork1(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FORK1





241





pc




0x00000080 















Format: 




	
header-token







	[argument-token]      (0, "child PID", pid)






	
subject-token







	return-token













The fork1() return values are undefined because the audit record
is produced at the point that the child process is spawned.

















 

 



Table A-44  fstatfs(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_FSTATFS





55





fa




0x00000004 















Format (file descriptor): 




	
header-token







	[path-token]






	[attr-token]






	subject-token







	return-token











Format (non-file descriptor): 




	
header-token







	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 

 



Table A-45  getaudit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_GETAUDIT





132





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-46  getauid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_GETAUID





130





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-47  getmsg(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_GETMSG





217





nt




0x00000100 















Format: 




	
header-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 

 
 


Table A-48  getmsg - accept









Event Name 



Event ID 



Event Class 



Mask 












AUE_SOCKACCEPT





247





nt




0x00000100 















Format: 




	
header-token







	
socket-inet-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 

 
 


Table A-49  getmsg - receive









Event Name 



Event ID 



Event Class 



Mask 












AUE_SOCKRECEIVE





250





nt




0x00000100 















Format: 




	
header-token







	socket-inet-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 


 


Table A-50  getpmsg(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_GETPMSG





219





nt




0x00000100 















Format: 




	
header-token







	
argument-token      (1, "fd", file descriptor)






	
subject-token







	
return-token


















 


 


Table A-51  getportaudit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_GETPORTAUDIT





149





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
return-token


















 

 



Table A-52  ioctl(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_IOCTL





158





io




0x20000000 















Format (good file descriptor): 




	
header-token







	
path-token







	[attr-token]






	
argument-token      (2, "cmd" ioctl cmd)






	
argument-token      (3, "arg" ioctl arg)






	
subject-token







	return-token











Format (socket): 




	
header-token







	[socket-token]






	
argument-token      (2, "cmd" ioctl cmd)






	argument-token      (3, "arg" ioctl arg)






	
subject-token







	return-token











Format (non-file file descriptor): 




	
header-token







	argument-token      (1, "fd", file descriptor)






	
argument-token      (2, "cmd", ioctl cmd)






	
argument-token      (3, "arg", ioctl arg)






	
subject-token







	return-token











Format (bad file name): 




	
header-token







	argument-token      (1, "no path: fd", fd)






	
argument-token      (2, "cmd", ioctl cmd)






	
argument-token      (3, "arg", ioctl arg)






	
subject-token







	return-token


















 

 



Table A-53  kill(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_KILL





15





pc




0x00000080 















Format (valid process): 




	
header-token







	argument-token      (2, "signal", signo)






	[process-token]






	
subject-token







	return-token











Format (zero or negative process): 




	
header-token







	argument-token      (2, "signal", signo)






	
argument-token      (1, "process", pid))






	
subject-token







	return-token


















 


Table A-54  lchown(2)









Event Name




Event ID 



Event Class 



Mask 












AUE_LCHOWN





237





fm




0x00000008 















Format: 




	
header-token







	
argument-token      (2, "new file uid", uid)






	
argument-token      (3, "new file gid", gid)






	
path-token







	[attr-token]






	
subject-token







	
return-token


















 

 



Table A-55  link(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_LINK





5





fc




0x00000010 















Format: 




	
header-token







	path-token      (from path)






	[attr-token]     (from path)






	
path-token      (to path)






	subject-token







	return-token


















 

 



Table A-56  lstat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_LSTAT





17





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	
subject-token







	return-token


















 

 



Table A-57  lxstat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_LXSTAT





236





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	
subject-token







	return-token


















 

 



Table A-58  memcntl(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MEMCNTL





238





ot




0x80000000 















Format: 




	
header-token







	argument-token      (1, "base", base address)






	
argument-token      (2, "len", length)






	
argument-token      (3, "cmd", command)






	
argument-token      (4, "arg", command args






	
argument-token      (5, "attr", command attributes)






	
argument-token      (6, "mask", 0)






	
subject-token







	return-token


















 

 



Table A-59  mkdir(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MKDIR





47





fc




0x00000010 















Format: 




	
header-token







	argument-token      (2, "mode", mode)






	
path-token







	[attr-token]






	
subject-token







	return-token


















 

 



Table A-60  mknod(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MKNOD





9





fc




0x00000010 















Format: 




	
header-token







	argument-token      (2, "mode", mode)






	
argument-token      (3, "dev", dev)






	
path-token







	[attr-token]






	
subject-token







	return-token


















 

 



Table A-61  mmap(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MMAP





210





no




0x00000000 















Format (valid file descriptor): 




	
header-token







	
argument-token      (1, "addr", segment address)






	
argument-token      (2, "len", segment length)






	[path-token]






	[attr-token]






	
subject-token







	return-token











Format (not valid file descriptor): 




	
header-token







	argument-token      (1, "addr", segment address)






	
argument-token      (2, "len", segment length)






	
argument-token      (1, "no path: fd", fd)






	
subject-token







	return-token


















 


 


Table A-62  modctl(2) - bind module









Event Name 



Event ID 



Event Class 



Mask 












AUE_MODADDMAJ





246





ad




0x00000800 















Format: 




	header-token







	[text-token]      driver major number)






	[text-token]      (driver name)






	
text-token        (root dir.|"no rootdir")






	
text-token        (driver major number|"no drvname")






	
argument-token        (5, "", number of aliases)






	(0..n)[text-token]      (aliases)






	
subject-token







	return-token


















 


  


Table A-63  modctl(2) - configure
module









Event Name 



Event ID 



Event Class 



Mask 












AUE_MODCONFIG





245





ad




0x00000800 















Format: 




	
header-token







	text-token      (root dir.|"no rootdir")






	
text-token      (driver major number|"no drvname")






	
subject-token







	return-token


















 

 



Table A-64  modctl(2) - load module









Event Name 



Event ID 



Event Class 



Mask 












AUE_MODLOAD





243





ad




0x00000800 















Format: 




	
header-token







	[text-token]      (default path)






	
text-token        (filename path)






	
subject-token







	return-token


















 

 



Table A-65  modctl(2) - unload module









Event Name 



Event ID 



Event Class 



Mask 












AUE_MODUNLOAD





244





ad




0x00000800 















Format: 




	
header-token







	argument-token      (1, "id", module ID)






	
subject-token







	return-token


















 

 



Table A-66  mount(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MOUNT





62





ad




0x00000800 















Format (UNIX file system): 




	
header-token







	
argument-token      (3, "flags", flags)






	
text-token             (filesystem type)






	
path-token







	[attr-token]






	subject-token







	return-token











Format (NFS file system): 




	
header-token







	
argument-token      (3, "flags", flags)






	
text-token             (filesystem type)






	
text-token             (host name)






	
argument-token      (3, "internal flags", flags)

















 

 



Table A-67  msgctl(2) - IPC_RMID command









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGCTL_RMID





85





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "msg ID", message ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-68  msgctl(2) - IPC_SET command









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGCTL_SET





86





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "msg ID", message ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-69  msgctl(2) - IPC_STAT command









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGCTL_STAT





87





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "msg ID", message ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-70  msgget(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGGET





88





ip




0x00000200 















Format: 




	
header-token







	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-71  msgrcv(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGRCV





89





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "msg ID", message ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-72  msgsnd(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MSGSND





90





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "msg ID", message ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the msg ID is
not valid.

















 

 



Table A-73  munmap(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_MUNMAP





214





cl




0x00000040 















Format: 




	
header-token







	
argument-token      (1, "addr", address of memory)






	
argument-token      (2, "len", memory segment size)






	
subject-token







	return-token


















 

 



Table A-74  old nice(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_NICE





203





pc




0x00000080 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-75  open(2) - read









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_R





72





fr




0x00000001 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-76  open(2) - read,creat









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RC





73





fc,fr




0x00000011 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-77  open(2) - read,creat,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RTC





75





fc,fd,fr




0x00000031 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

	 



Table A-78  open(2) - read,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RT





74





fd,fr




0x00000021 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-79  open(2) - read,write









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RW





80





fr,fw




0x00000003 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-80  open(2) - read,write,creat









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RWC





81





fr,fw,fc




0x00000013 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-81  open(2) - read,write,create,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RWTC





83





fr,fw,fc,fd




0x00000033 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-82  open(2) - read,write,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_RWT





82





fr,fw,fd




0x00000023 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-83  open(2) - write









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_W





76





fw




0x00000002 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-84  open(2) - write,creat









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_WC





77





fw,fc




0x00000012 















Format: 




	header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-85  open(2) - write,creat,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_WTC





79





fw,fc,fd




0x00000032 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-86  open(2) - write,trunc









Event Name 



Event ID 



Event Class 



Mask 












AUE_OPEN_WT





78





fw,fd




0x00000022 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-87  pathconf(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_PATHCONF





71





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-88  pipe(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_PIPE





185





no




0x00000000 















Format: 




	
header-token







	subject-token







	return-token


















 


 


Table A-89  priocntlsys(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_PRIOCNTLSYS





212





pc




0x0000080 















Format: 




	
header-token







	
argument-token      (1, "pc_version", priocntl version num.)






	
argument-token      (3,"cmd", command)






	
subject-token







	return-token


















 

 



Table A-90  process dumped core









Event Name 



Event ID 



Event Class 



Mask 












AUE_CORE





111





fc




0x0000010 















Format: 




	
header-token







	path-token







	[attr-token]






	
argument-token      (1, "signal", signal)






	
subject-token







	return-token


















 

 



Table A-91  putmsg(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_PUTMSG





216





nt




0x00000100 















Format: 




	
header-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 

 
 


Table A-92  putmsg-connect









Event Name 



Event ID 



Event Class 



Mask 












AUE_SOCKCONNECT





248





nt




0x00000100 















Format: 




	
header-token







	socket-inet-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 

 
 


Table A-93  putmsg-send









Event Name 



Event ID 



EventClass 



Mask 












AUE_SOCKSEND





249





nt




0x00000100 















Format: 




	
header-token







	
socket-inet-token







	
argument-token      (1, "fd", file descriptor)






	
argument-token      (4, "pri", priority)






	
subject-token







	return-token


















 

 



Table A-94  putpmsg(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_PUTPMSG





218





nt




0x00000100 















Format: 




	
header-token







	
argument-token      (1, "fd", file descriptor)






	
subject-token







	return-token


















 

 



Table A-95  readlink(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_READLINK





22





fr




0x00000001 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-96  rename(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_RENAME





42





fc,fd




0x00000030 















Format: 




	
header-token







	
path-token       (from name)






	[attr-token]      (from name)






	[path-token]     (to name)






	
subject-token







	
return-token


















 


 


Table A-97  rmdir(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_RMDIR





48





fd




0x00000020 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-98  semctl(2) - getall









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_GETALL





105





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-99  semctl(2) - GETNCNT command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_GETNCNT





102





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-100  semctl(2) - GETPID command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_GETPID





103





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

















 

 



Table A-101  semctl(2) - GETVAL command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_GETVAL





104





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-102  semctl(2) - GETZCNT command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_GETZCNT





106





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

















 

 



Table A-103  semctl(2) - IPC_RMID command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_RMID





99





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-104  semctl(2) - IPC_SET command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_SET





100





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

















 

 



Table A-105  semctl(2) - SETALL command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_SETALL





108





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-106  semctl(2) - SETVAL command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_SETVAL





107





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore
ID is not valid.

















 

 



Table A-107  semctl(2) - IPC_STAT command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMCTL_STAT





101





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	subject-token







	return-token


















 

 



Table A-108  semget(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMGET





109





ip




0x00000200 















Format: 




	
header-token







	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the system call
failed.

















 

 



Table A-109  semop(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SEMOP





110





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "sem ID", semaphore ID)






	[ipc-token]






	
subject-token







	return-token













The ipc and ipc_perm tokens are not included if the semaphore ID
is not valid.

















 

 



Table A-110  setaudit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETAUDIT





133





ad




0x00000800 















Format (valid program stack address): 




	
header-token







	
argument-token      (1, "setaudit:auid", audit user ID)






	
argument-token      (1, "setaudit:port", terminal ID)






	
argument-token      (1, "setaudit:machine", terminal ID)






	
argument-token      (1, "setaudit:as_success", preselection mask)






	
argument-token      (1, "setaudit:as_failure", preselection mask)






	
argument-token      (1, "setaudit:asid", audit session ID)






	
subject-token







	return-token











Format (not valid program stack address): 




	
header-token







	subject-token







	return-token


















 

 



Table A-111  setauid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETAUID





131





ad




0x00000800 















Format: 




	
header-token







	
argument-token      (2, "setauid", audit user ID)






	
subject-token







	return-token


















 


 


Table A-112  setegid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETEGID





214





pc




0x00000080 















Format: 




	
header-token







	
argument-token      (1, "gid", group ID)






	
subject-token







	return-token


















 


 


Table A-113  seteuid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETEUID





215





pc




0x00000080 















Format: 




	
header-token







	
argument-token      (1, "gid", user ID)






	
subject-token







	return-token


















 


 


Table A-114  old setgid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETGID





205





pc




0x00000080 















Format: 




	
header-token







	
argument-token      (1, "gid", group ID)






	
subject-token







	return-token


















 


 


Table A-115  setgroups(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETGROUPS





26





pc




0x00000080 















Format: 




	
header-token







	[argument-token]      (1, "setgroups", group ID)






	
subject-token







	return-token













One argument-token for each group set.

















 


 


Table A-116  setpgrp(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETPGRP





27





pc




0x00000080 















Format: 




	
header-token







	subject-token







	return-token


















 


 


Table A-117  setrlimit(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SETRLIMIT





51





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-118  old setuid(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_OSETUID





200





pc




0x00000080 















Format: 




	
header-token







	
argument-token      (1, "uid", user ID)






	
subject-token







	return-token













Because of a current bug in the audit software, this token is
reported as AUE_OSETUID.

















 

 



Table A-119  shmat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SHMAT





96





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "shmid", shared memory ID)






	
argument-token      (2, "shmaddr", shared mem addr)






	[ipc-token]






	[ipc_perm-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

















 


 


Table A-120  shmctl(2) - IPC_RMID command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SHMCTL_RMID





92





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "shmid", shared memory ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the shared
memory segment ID is not valid.

















 

 



Table A-121  shmctl(2) - IPC_SET command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SHMCTL_SET





93





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "shmid", shared memory ID)






	[ipc-token]






	[ipc_perm-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the shared memory
segment ID is not valid.

















 

 



Table A-122  shmctl(2) - IPC_STAT command









Event Name 



Event ID 



Event Class 



Mask 












AUE_SHMCTL_STAT





94





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "shmid", shared memory ID)






	[ipc-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included if the shared
memory segment ID is not valid.

















 


 


Table A-123  shmdt(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SHMDT





97





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (1, "shmaddr", shared mem addr)






	
subject-token







	return-token


















 


 


Table A-124  shmget(2)









Event Name 



Event ID 



EventClass 



Mask 












AUE_SHMGET





95





ip




0x00000200 















Format: 




	
header-token







	
argument-token      (0, "shmid", shared memory ID)






	[ipc-token]






	[ipc_perm-token]






	subject-token







	return-token













The ipc and ipc_perm tokens are not included for failed events.

















 

 



Table A-125  stat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_STAT





16





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-126  statfs(2)









Event Name 



Event ID 



EventClass 



Mask 












AUE_STATFS





54





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-127  statvfs(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_STATVFS





234





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


 


Table A-128  stime(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_STIME





201





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 



Table A-129  symlink(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SYMLINK





21





fc




0x00000010 















Format: 




	
header-token







	
text-token      (symbolic link string)






	
path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-130  sysinfo(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_SYSINFO





39





ad




0x00000800 















Format: 




	
header-token







	
argument-token      (1, "cmd", command)






	
text-token             (name)






	
subject-token







	return-token


















 

 



Table A-131  system booted









Event Name 



Event ID 



Event Class 



Mask 












AUE_SYSTEMBOOT





113





na




0x00000400 















Format: 




	
header-token







	
text-token      ("booting kernel")






	
return-token


















 

 



Table A-132  umount(2) - old version









Event Name 



Event ID 



Event Class 



Mask 












AUE_UMOUNT





12





ad




0x00000800 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-133  unlink(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_UNLINK





6





fd




0x00000020 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-134  old utime(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_UTIME





202





fm




0x00000008 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 
 


Table A-135  utimes(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_UTIMES





49





fm




0x00000008 















Format: 




	
header-token







	
path-token







	[attr-token]






	
subject-token







	return-token


















 

 



Table A-136  utssys(2) - fusers









Event Name 



Event ID 



Event Class 



Mask 












AUE_UTSSYS





233





ad




0x00000800 















Format: 




	
header-token







	path-token







	[attr-token]







	subject-token







	return-token




















 

 



Table A-137  vfork(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_VFORK





25





pc




0x00000080 















Format: 




	
header-token







	
argument-token      (0, "child PID", pid)






	
subject-token







	return-token













The fork return values are undefined because the audit record is
produced at the point that the child process is spawned.

















 

 



Table A-138  vtrace(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_VTRACE





36





pc




0x00000080 















Format: 




	
header-token







	subject-token







	
return-token


















 

 



Table A-139  xmknod(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_XMKNOD





240





fc




0x00000010 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 

 



Table A-140  xstat(2)









Event Name 



Event ID 



Event Class 



Mask 












AUE_XSTAT





235





fa




0x00000004 















Format: 




	
header-token







	path-token







	[attr-token]






	subject-token







	return-token


















 


User-Level Generated Audit
Records


These audit records are created by applications that operate outside the kernel.
The records are sorted alphabetically by program. The description of each record includes:



 
 


Table A-141  allocate-device success









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_allocate_succ





/usr/sbin/allocate





6200





ad




0x00000800 















Format: 




	
header-token







	subject-token







	newgroups-token







	exit-token


















 

 
 


Table A-142  allocate-device failure









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_allocate_fail





/usr/sbin/allocate





6201





ad




0x00000800 















Format: 




	
header-token







	subject-token







	newgroups-token







	exit-token


















 

 
 


Table A-143  deallocate-device success









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_allocate_succ





/usr/sbin/allocate





6202





ad




0x00000800 















Format: 




	
header-token







	subject-token







	newgroups-token







	exit-token


















 

 
 


Table A-144  deallocate-device failure









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_allocate_fail





/usr/sbin/allocate





6203





ad




0x00000800 















Format: 




	
header-token







	subject-token







	newgroups-token







	exit-token


















 

 
 


Table A-145  allocate-list devices success









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_listdevice_succ





/usr/sbin/allocate





6205





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-146  allocate-list devices failure









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_listdevice_fail





/usr/sbin/allocate





6206





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	[group-token]






	exit-token


















 

 
 


Table A-147  at-create crontab









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_at_create





/usr/bin/at





6144





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-148  at-delete atjob (at or atrm)









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_at_delete





/usr/bin/at





6145





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-149  at-permission









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_at_perm





/usr/bin/at





6146





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-150  crontab-crontab created









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_crontab_create





/usr/bin/crontab





6148





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-151  crontab-crontab deleted









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_crontab_delete





/usr/bin/crontab





6149





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
 


Table A-152  cron-invoke atjob or crontab









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_cron_invoke





/usr/bin/crontab





6147





ad




0x00000800 















Format: 




	
header-token







	subject-token







	
text-token      (program)






	
text-token      (shell)






	
text-token      (cmd)






	
exit-token


















 

 
 


Table A-153  crontab-permission









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_crontab_perm





/usr/bin/crontab





6150





ad




0x00000800 















Format: 




	
header-token







	subject-token







	[group-token]






	exit-token


















 

 
  


Table A-154  halt(1m)









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_halt_solaris





/usr/sbin/halt





6160





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 
 


Table A-155  inetd









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_inetd_connect





/usr/sbin/inetd





6151





na




0x00000400 















Format: 




	
header-token







	subject-token







	
text-token      (service name)






	
return-token


















 

 
   


Table A-156  init(1m)









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_init_solaris





/sbin/init; /usr/sbin/init; /usr/sbin/shutdown





6166





ad




0x00000800 















Format: 




	
header-token







	subject-token







	
text-token      (init level)






	
return-token


















 


   


Table A-157  ftp access









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_ftpd





/usr/sbin/in.ftpd





6165





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message, failure only)






	
return-token


















 

 
 


Table A-158  login - local









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_login





/usr/sbin/login





6152





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message)






	
return-token


















 

 
 


Table A-159  login - rlogin









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_rlogin





/usr/sbin/login





6155





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message)






	
return-token


















 

 
 


Table A-160  login - telnet









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_telnet





/usr/sbin/login





6154





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message)






	
return-token


















 

 
 


Table A-161  logout









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_logout





/usr/sbin/login





6153





lo




0x00001000 















Format: 




	
header-token







	subject-token







	return-token


















 

 
  


Table A-162  mount









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_mountd_mount





/usr/lib/nfs/mountd





6156





na




0x00000400 















Format: 




	
header-token







	subject-token







	
text-token      (remote client hostname)






	
path-token     (mount dir)






	
text-token      (error message, failure only)






	
return-token


















 

 
  


Table A-163  unmount









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_mountd_umount





/usr/lib/nfs/mountd





6157





na




0x00000400 















Format: 




	
header-token







	subject-token







	
text-token      (remote client hostname)






	
path-token     (mount dir)






	
text-token      (error message, failure only)






	
return-token


















 

 
  


Table A-164  passwd









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_passwd





/usr/bin/passwd





6163





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message)






	
return-token


















 

 
 


Table A-165  poweroff(1m)









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_poweroff_solaris





/usr/sbin/poweroff





6169





ad




0x00000800 















Format: 




	
header-token







	subject-token







	
return-token


















 

 
  


Table A-166  reboot(1m)









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_reboot_solaris





/usr/sbin/reboot





6161





ad




0x00000800 















Format: 




	
header-token







	subject-token







	return-token


















 

 
 


Table A-167  rexd









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_rexd





/usr/sbin/rpc.rexd





6164





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message, failure only)






	
text-token      (hostname)






	
text-token      (username)






	
text-token      (command to be executed)






	
exit-token


















 

 
 


Table A-168  rexecd









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_rexecd





/usr/sbin/in.rexecd





6162





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (error message, failure only)






	
text-token      (hostname)






	
text-token      (username)






	
text-token      (command to be executed)






	
exit-token


















 

 
  


Table A-169  rsh access









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_rshd





/usr/sbin/in.rshd





6158





lo




0x00001000 















Format: 




	
header-token







	subject-token







	
text-token      (command string)






	
text-token      (local user)






	
text-token      (remote user)






	
return-token


















 

 
 


Table A-170  shutdown(1b)









Event Name 



Program 



Event ID 



Event Class 



Mask 












AUE_shutdown_solaris





/usr/ucb/shutdown





6168





ad




0x00000800 















Format: 




	
header-token







	subject-token







	
return-token


















 

 
 


Table A-171  su









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_su





/usr/bin/su





6159





lo




0x00001000 















Format: 




	
header-token







	
text-token      (error message)






	
subject-token







	return-token


















 

 
 


Table A-172  admin(1m)









Event Name 



Program 



Event
ID 



Event Class 



Mask 












AUE_uadmin_solaris





/sbin/uadmin; /usr/sbin/uadmin





6167





ad




0x00000800 















Format: 




	
header-token







	
subject-token







	
text-token      (function)






	
text-token      (argument)






	return-token


















 

Event-to-System Call Translation



Table A-173 associates an audit event name with the system call
or kernel event that created it. Table A-174 associates an audit event
with the application or command that generated it. 

Table A-173  Event-to-System Call Translation 









Audit Event 



System Call 












AUE_ACCESS





Table A-5











AUE_ACCT





Table A-6











AUE_ADJTIME





Table A-7











AUE_AUDIT





Table A-8











AUE_AUDITON_GETCAR





Table A-9











AUE_AUDITON_GETCLASS





Table A-10











AUE_AUDITON_GETCOND





Table A-11











AUE_AUDITON_GETCWD





Table A-12











AUE_AUDITON_GETKMASK





Table A-13











AUE_AUDITON_GETSTAT





Table A-14











AUE_AUDITON_GPOLICY





Table A-15











AUE_AUDITON_GQCTRL





Table A-16











AUE_AUDITON_SETCLASS





Table A-17











AUE_AUDITON_SETCOND





Table A-18











AUE_AUDITON_SETKMASK





Table A-19











AUE_AUDITON_SETSMASK





Table A-20











AUE_AUDITON_SETSTAT





Table A-21











AUE_AUDITON_SETUMASK





Table A-22











AUE_AUDITON_SPOLICY





Table A-23











AUE_AUDITON_SQCTRL





Table A-24











AUE_AUDITSVC





Table A-25











AUE_CHDIR





Table A-26











AUE_CHMOD





Table A-27











AUE_CHOWN





Table A-28











AUE_CHROOT





Table A-29











AUE_CLOSE





Table A-30











AUE_CORE





Table A-90











AUE_CREAT





Table A-31











AUE_ENTERPROM





Table A-32











AUE_EXEC





Table A-33











AUE_EXECVE





Table A-34











AUE_EXIT





Table A-36











AUE_EXITPROM





Table A-35











AUE_FCHDIR





Table A-37











AUE_FCHMOD





Table A-38











AUE_FCHOWN





Table A-39











AUE_FCHROOT





Table A-40











AUE_FCNTL





Table A-41











AUE_FORK





Table A-42











AUE_FORK1





Table A-43











AUE_FSTATFS





Table A-44











AUE_GETAUDIT





Table A-45











AUE_GETAUID





Table A-46











AUE_GETMSG





Table A-47











AUE_GETPMSG





Table A-50











AUE_GETPORTAUDIT





Table A-51











AUE_IOCTL





Table A-52











AUE_KILL





Table A-53











AUE_LCHOWN





Table A-54











AUE_LINK





Table A-55











AUE_LSTAT





Table A-56











AUE_LXSTAT





Table A-57











AUE_MEMCNTL





Table A-58











AUE_MKDIR





Table A-59











AUE_MKNOD





Table A-60











AUE_MMAP





Table A-61











AUE_MODADDMAJ





Table A-62











AUE_MODCONFIG





Table A-63











AUE_MODLOAD





Table A-64











AUE_MODUNLOAD





Table A-65











AUE_MOUNT





Table A-66











AUE_MSGCTL_RMID





Table A-67











AUE_MSGCTL_SET





Table A-68











AUE_MSGCTL_STAT





Table A-69











AUE_MSGGET





Table A-70











AUE_MSGRCV





Table A-71











AUE_MSGSND





Table A-72











AUE_MUNMAP





Table A-73











AUE_NICE





Table A-74











AUE_OPEN_R





Table A-75











AUE_OPEN_RC





Table A-76











AUE_OPEN_RT





Table A-78











AUE_OPEN_RTC





Table A-77











AUE_OPEN_RW





Table A-79











AUE_OPEN_RWC





Table A-80











AUE_OPEN_RWT





Table A-82











AUE_OPEN_RWTC





Table A-81











AUE_OPEN_W





Table A-83











AUE_OPEN_WC





Table A-84











AUE_OPEN_WT





Table A-86











AUE_OPEN_WTC





Table A-85











AUE_OSETUID





Table A-118











AUE_PATHCONF





Table A-87











AUE_PIPE





Table A-88











AUE_PRIOCNTLSYS





Table A-89











AUE_PUTMSG





Table A-91











AUE_PUTPMSG





Table A-94











AUE_READLINK





Table A-95











AUE_RENAME





Table A-96











AUE_RMDIR





Table A-97











AUE_SEMCTL_GETALL





Table A-98











AUE_SEMCTL_GETNCNT





Table A-99











AUE_SEMCTL_GETPID





Table A-100











AUE_SEMCTL_GETVAL





Table A-101











AUE_SEMCTL_GETZCNT





Table A-102











AUE_SEMCTL_RMID





Table A-103











AUE_SEMCTL_SET





Table A-104











AUE_SEMCTL_SETALL





Table A-105











AUE_SEMCTL_SETVAL





Table A-106











AUE_SEMCTL_STAT





Table A-107











AUE_SEMGET





Table A-108











AUE_SEMOP





Table A-109











AUE_SETAUDIT





Table A-110











AUE_SETAUID





Table A-111











AUE_SETEGID





Table A-112











AUE_SETEUID





Table A-113











AUE_SETGID





Table A-114











AUE_SETGROUPS





Table A-115











AUE_SETPGRP





Table A-116











AUE_SETRLIMIT





Table A-117











AUE_SETUID




Reported as AUE_OSETUID, see Table A-118











AUE_SHMAT





Table A-119











AUE_SHMCTL_RMID





Table A-120











AUE_SHMCTL_SET





Table A-121











AUE_SHMCTL_STAT





Table A-122











AUE_SHMDT





Table A-123











AUE_SHMGET





Table A-124











AUE_SOCKACCEPT





Table A-48











AUE_SOCKCONNECT





Table A-92











AUE_SOCKRECEIVE





Table A-49











AUE_SOCKSEND





Table A-93











AUE_STAT





Table A-125











AUE_STATFS





Table A-126











AUE_STATVFS





Table A-127











AUE_STIME





Table A-128











AUE_SYMLINK





Table A-129











AUE_SYSINFO





Table A-130











AUE_SYSTEMBOOT





Table A-131











AUE_UMOUNT





Table A-132











AUE_UNLINK





Table A-133











AUE_UTIME





Table A-134











AUE_UTIMES





Table A-135











AUE_UTSSYS





Table A-136











AUE_VFORK





Table A-137











AUE_VTRACE





Table A-138











AUE_XMKNOD





Table A-139











AUE_XSTAT





Table A-140










 


    


Table A-174  Event-to-Command Translation 









Audit Event 



Command 












AUE_allocate_succ





Table A-141











AUE_allocate_fail





Table A-142











AUE_deallocate_succ





Table A-143











AUE_deallocate_fail





Table A-144











AUE_listdevice_succ





Table A-145











AUE_listdevice_fail





Table A-146











AUE_at_create





Table A-147











AUE_at_delete





Table A-148











AUE_at_perm





Table A-149











AUE_crontab_create





Table A-150











AUE_crontab_delete





Table A-151











AUE_cron_invoke





Table A-152











AUE_crontab_perm





Table A-153











AUE_halt_solaris





Table A-154











AUE_inetd_connect





Table A-155











AUE_init_solaris





Table A-156











AUE_ftpd





Table A-157











AUE_login





Table A-158











AUE_rlogin





Table A-159











AUE_telnet





Table A-160











AUE_logout





Table A-161











AUE_mountd_mount





Table A-162











AUE_mountd_umount





Table A-163











AUE_passwd





Table A-164











AUE_poweroff_solaris





Table A-165











AUE_reboot_solaris





Table A-166











AUE_rexd





Table A-167











AUE_rexecd





Table A-168











AUE_rshd





Table A-169











AUE_shutdown_solaris





Table A-170











AUE_su





Table A-171











AUE_uadmin_solaris





Table A-172