SunSHIELD Basic Security Module Guide

Previous: Appendix B BSM Reference


Numbers and Symbols

	+ audit flag prefix ( ) ( )

	- audit flag prefix ( ) ( )

	\ ending file lines ( ) ( )

	# for comments in files ( ) ( ) ( )

	* in device_allocate file ( ) ( )

	^+ audit flag prefix ( ) ( )

	^- audit flag prefix ( ) ( )


A

	-a option of auditreduce command ( )

	access audit record ( )

	acct audit record ( )

	ad audit flag ( )

	adding devices ( )

	adjtime audit record ( )

	administering auditing
		See also audit records; audit tokens; audit trail
		audit administration account ( ) ( )
		audit classes
			auditconfig command options ( )
			changing definitions ( )
			flags and definitions ( ) ( )
			mapping events ( ) ( )
			overview ( ) ( )
			selecting for auditing ( )
		audit_control file
			audit_user file modification ( )
			overview ( ) ( )
			prefixes in flags line ( ) ( )
			problem with contents ( )
		audit events
			audit tokens ( )
			auditconfig command options ( ) ( )
			categories ( )
			event-to-system call translation table ( ) ( )
			including in audit trail ( )
			kernel events ( ) ( ) ( ) ( ) ( )
			mapping to classes ( ) ( )
			numbers ( )
			overview ( ) ( )
			record formats and ( )
			user-level events ( ) ( ) ( )
		audit files ( ) ( )
			auditreduce command ( ) ( )
			combining ( ) ( ) ( )
			copying login/logout messages to single file ( ) ( )
			directory locations ( ) ( ) ( )
			displaying in entirety ( )
			file token ( ) ( )
			managing size of ( )
			minimum free space for file systems ( )
			names ( ) ( )
			nonactive files marked not_terminated ( ) ( ) ( )
			order for opening ( )
			overview ( ) ( )
			permissions ( )
			printing ( )
			reducing ( ) ( ) ( )
			reducing storage-space requirements ( ) ( ) ( )
			switching to new file ( )
			time stamps ( )
		audit flags ( ) ( )
			audit_control file line ( )
			audit_user file ( ) ( )
			auditconfig command options ( )
			definitions ( ) ( )
			machine-wide ( ) ( )
			overview ( )
			policy flags ( )
			prefixes ( ) ( )
			process preselection mask ( )
			syntax ( ) ( )
		audit partitions ( ) ( )
		audit records ( ) ( )
		audit trail creation ( ) ( )
			audit daemon's role ( ) ( )
			audit_data file ( )
			directory suitability ( )
			managing audit file size ( )
			overview ( )
		audit trail overflow prevention ( ) ( )
		audit_user file audit fields ( ) ( )
		audit_warn script ( ) ( ) ( )
		auditreduce command ( ) ( ) ( ) ( )
			-a option ( )
			-b option ( )
			capabilities ( )
			cleaning not_terminated files ( ) ( ) ( )
			-d option ( )
			described ( ) ( ) ( ) ( )
			distributed systems ( )
			examples ( ) ( )
			-O option ( ) ( ) ( ) ( )
			options ( ) ( ) ( )
			time stamp use ( )
			without options ( ) ( )
		configuration
			audit trail overflow prevention ( ) ( )
			auditconfig command ( ) ( )
			overview ( ) ( )
			planning ( ) ( )
			setting audit policies ( )
		cost control ( ) ( )
			analysis ( )
			processing time ( )
			storage ( ) ( )
		efficiency ( ) ( )
		normal users ( )
		overview ( ) ( )
		process audit characteristics ( ) ( )
			audit ID ( )
			audit session ID ( )
			process preselection mask ( ) ( ) ( )
			terminal ID ( )
		startup ( )

	administrative audit class ( )

	all
		audit class ( )
		audit flag
			caution for using ( )
			described ( )
		in user audit fields ( )

	allhard string with audit_warn script ( ) ( )

	allocatable devices
		See device allocation

	allocate audit record
		allocate-list device failure ( )
		allocate-list device success ( )
		deallocate device ( )
		deallocate device failure ( )
		device allocate failure ( )
		device allocate success ( )

	allocate command
		See also device allocation
		how the allocate mechanism works ( ) ( )
		options ( )
		using ( ) ( )

	allocate error state ( ) ( )

	allocating devices
		See device allocation

	allsoft string with audit_warn script ( )

	always-audit flags
		described ( ) ( )
		process preselection mask ( )

	analysis ( ) ( )
		audit record format ( ) ( )
		auditing features ( ) ( )
		auditreduce command ( ) ( ) ( )
		costs ( )
		praudit command ( ) ( ) ( )
		tools ( ) ( )

	ap audit flag ( )

	application audit class ( )

	arbitrary token ( ) ( ) ( )

	Archive tape drive clean script ( )

	arg token ( ) ( )

	arge policy
		exec_env token and ( )
		flag ( )

	argv policy
		exec_args token and ( )
		flag ( )

	asterisk (*) in device_allocate file ( ) ( )

	at audit record
		at-create crontab ( )
		at-delete atjob ( )
		at-permission ( )

	attr token ( ) ( )

	audio_clean script ( )

	audio devices, See device allocation, device-clean scripts ( )
		device-clean scripts ( )

	AUDIO_DRAIN ioctl system call ( )

	AUDIO_SETINFO ioctl system call ( )

	AUDIOGETREG ioctl system call ( )

	AUDIOSETREG ioctl system call ( )

	audit -n command ( )

	audit -s command
		preselection mask for existing processes ( )
		rereading audit files ( )
		resetting directory pointer ( ) ( )

	audit -t command ( )

	audit administration account ( ) ( )

	audit attributes
		See audit tokens

	audit audit record ( )

	audit classes
		auditconfig command options ( )
		changing definitions ( )
		flags and definitions ( ) ( )
		mapping events ( ) ( )
		overview ( ) ( )
		selecting for auditing ( )

	audit_control file
		audit daemon rereading after editing ( )
		audit_user file modification ( )
		dir: line
			described ( )
			examples ( ) ( )
			files subdirectory ( )
		examples ( ) ( )
		flags: line
			described ( )
			prefixes in ( ) ( )
			process preselection mask ( )
		minfree: line
			audit_warn condition ( )
			described ( )
		naflags: line ( )
		overview ( ) ( )
		prefixes in flags line ( ) ( )
		problem with contents ( )

	audit daemon
		audit_startup file ( )
		audit trail creation ( ) ( ) ( )
		audit_warn script
			conditions invoking ( ) ( )
			described ( ) ( ) ( )
			execution of ( )
		directories suitable to ( )
		enabling auditing ( )
		functions ( )
		order audit files are opened ( )
		rereading the audit_control file ( )
		terminating ( )

	audit_data file ( )

	audit_event file
		See also audit events
		audit event type ( )
		overview ( ) ( )

	audit events
		See also audit classes
		audit_event file
			audit event type ( )
			overview ( ) ( )
		categories ( )
		event-to-system call translation table ( ) ( )
		including in audit trail ( )
		kernel events
			audit tokens ( )
			auditconfig command options ( ) ( )
			described ( )
		mapping to classes ( ) ( )
		numbers ( )
		overview ( ) ( )
		record formats and ( )
		user-level events
			audit tokens ( )
			auditconfig command options ( )
			described ( )

	audit files
		See also audit trail; directories
		auditreduce command ( ) ( )
		combining ( ) ( ) ( )
		copying login/logout messages to single file ( ) ( )
		directory locations ( ) ( ) ( )
		displaying in entirety ( )
		file token ( ) ( )
		managing size of ( )
		minimum free space for file systems ( )
		names ( ) ( )
			closed files ( )
			form ( ) ( )
			still-active files ( ) ( )
			time stamps ( )
			use ( )
		nonactive files marked not_terminated ( ) ( ) ( )
		order for opening ( )
		overview ( ) ( )
		permissions ( )
		printing ( )
		reducing ( ) ( ) ( )
		reducing storage-space requirements ( ) ( ) ( )
		switching to new file ( )
		time stamps ( )

	audit flags ( ) ( )
		audit_control file line ( )
		audit_user file ( ) ( )
		auditconfig command options ( )
		definitions ( ) ( )
		machine-wide ( ) ( )
		overview ( )
		policy flags ( )
		prefixes ( ) ( )
		process preselection mask ( )
		syntax ( ) ( )

	audit ID ( ) ( ) ( )

	audit log files
		See audit files

	audit partitions ( ) ( )

	audit policies
		See also audit flags
		auditconfig options ( )
		setting ( )

	audit records
		See also audit tokens; specific audit records
		audit directories full ( ) ( ) ( ) ( )
		converting to human-readable format ( ) ( ) ( ) ( ) ( )
		displaying ( )
		format or structure ( ) ( ) ( ) ( )
		kernel-level generated ( ) ( )
		overview ( ) ( )
		policy flags ( )
		reducing audit files ( )
		selecting ( )
		self-contained records ( )
		tools ( ) ( )
		user-level generated ( ) ( )

	audit server mount-point path names ( )

	audit session ID ( ) ( )

	audit_startup file ( )

	audit threshold ( )

	audit tokens
		arbitrary token ( ) ( ) ( )
		arg token ( ) ( )
		attr token ( ) ( )
		audit record format ( ) ( ) ( ) ( )
		described ( )
		exec_args token ( )
		exec_env token ( )
		exit token ( ) ( )
		file token ( ) ( )
		groups token ( ) ( ) ( )
		header token ( ) ( ) ( ) ( ) ( )
		in_addr token ( ) ( )
		ip token ( ) ( )
		ipc_perm token ( ) ( )
		ipc token ( ) ( ) ( )
		iport token ( ) ( )
		newgroups token ( )
		opaque token ( ) ( )
		order in audit record ( )
		path token ( ) ( )
		policy flags ( )
		process token ( ) ( )
		return token ( ) ( )
		seq token ( ) ( )
		socket-inet token ( )
		socket token ( ) ( )
		subject token ( ) ( )
		table of ( )
		text token ( ) ( )
		trailer token ( ) ( ) ( )
		types ( ) ( )

	audit trail
		See also audit files, audit records; audit tokens
		analysis ( ) ( )
			audit record format ( ) ( )
			auditing features ( ) ( )
			auditreduce command ( ) ( ) ( )
			costs ( )
			praudit command ( ) ( ) ( )
			tools ( ) ( )
		creating ( ) ( ) ( )
			audit daemon's role ( ) ( ) ( )
			audit_data file ( )
			directory suitability ( )
			managing audit file size ( )
			overview ( )
		directory locations ( ) ( ) ( )
		events included ( )
		merging all files ( ) ( )
		monitoring in real time ( )
		overflow prevention ( ) ( )

	audit_user file
		prefixes for flags ( ) ( )
		process preselection mask ( )
		user audit fields ( ) ( )

	audit_warn script ( ) ( )
		allhard string ( ) ( )
		allsoft string ( )
		audit daemon execution of ( )
		auditsvc string ( )
		conditions invoking ( ) ( )
		described ( ) ( ) ( )
		ebusy string ( )
		hard string ( )
		postsigterm string ( )
		soft string ( )
		tmpfile string ( )

	auditconfig command
		audit flags as arguments ( )
		options ( ) ( )
		prefixes for flags ( ) ( )
		reducing storage-space requirements ( )

	auditd daemon
		audit_startup file ( )
		audit trail creation ( ) ( ) ( )
		audit_warn script
			conditions invoking ( ) ( )
			described ( ) ( ) ( )
			execution of ( )
		directories suitable to ( )
		enabling auditing ( )
		functions ( )
		order audit files are opened ( )
		rereading the audit_control file ( )
		terminating ( )

	auditing
		See administering auditing; audit trail

	auditon audit record
		A_GETCAR command ( )
		A_GETCLASS command ( )
		A_GETCOND command ( )
		A_GETCWD command ( )
		A_GETKMASK command ( )
		A_GETSTAT command ( )
		A_GPOLICY command ( )
		A_GQCTRL command ( )
		A_SETCLASS command ( )
		A_SETCOND command ( )
		A_SETKMASK command ( )
		A_SETSMASK command ( )
		A_SETSTAT command ( )
		A_SETUMASK command ( )
		A_SPOLICY command ( )
		A_SQCTRL command ( )

	auditreduce command ( ) ( )
		-a option ( )
		-b option ( )
		capabilities ( )
		cleaning not_terminated files ( ) ( ) ( )
		-d option ( )
		described ( ) ( ) ( ) ( )
		distributed systems ( )
		examples ( ) ( )
		-m option ( )
		-O option ( ) ( ) ( ) ( )
		options ( ) ( ) ( )
		time stamp use ( )
		without options ( ) ( )

	auditsvc
		audit record ( )
		system call
			fails ( ) ( )

	AUE_... names ( ) ( )
		event-to-system call translation table ( ) ( )

	automatically enabling auditing ( )


B

	-b option of auditreduce command ( )

	backslash (\) ending file lines ( ) ( )

	Basic Security Module (BSM)
		client-server relationships ( )
		disabling ( )
		enabling ( ) ( )
		installing ( ) ( )
		packages ( )

	binary audit record format ( )

	BSM
		See Basic Security Module (BSM)

	bsmconv script
		devicemaps file creation ( )
		enabling BSM ( ) ( )

	bsmunconv script ( )


C

	C2 TCSEC features ( )

	carat (^) in audit flag prefixes ( ) ( )

	cartridge tape drives
		See tape drives

	CD-ROM drives
		See also device allocation
		device-clean scripts ( ) ( )

	change password audit record ( )

	chdir audit record ( )

	-chkconf option of auditconfig command ( )

	chmod audit record ( )

	chown audit record ( )

	chroot audit record ( )

	cl audit flag ( )

	classes
		auditconfig command options ( )
		changing definitions ( )
		flags and definitions ( ) ( )
		mapping events ( ) ( )
		overview ( ) ( )
		selecting for auditing ( )

	clean scripts
		See device-clean scripts

	cleaning not_terminated files ( ) ( ) ( )

	clients, enabling BSM for ( )

	close audit record ( )

	cnt policy ( ) ( )
		flag ( )

	combining audit files ( )
		auditreduce command ( ) ( )

	commands
		See also specific commands
		device-allocation utilities ( ) ( )

	comments
		device_allocate file ( )
		device_maps file ( )

	-conf option of auditconfig command ( )

	configuring
		audit trail overflow prevention ( ) ( )
		auditconfig command ( ) ( )
		overview ( ) ( )
		planning ( ) ( )
		setting audit policies ( )

	converting audit records to human-readable format ( ) ( ) ( ) ( ) ( )

	copying login/logout messages to single file ( ) ( )

	cost control ( ) ( )
		analysis ( )
		processing time ( )
		storage ( ) ( )

	creat audit record ( )

	creating the audit trail ( ) ( )
		audit daemon's role ( ) ( )
		audit_data file ( )
		directory suitability ( )
		managing audit file size ( )
		overview ( )

	cron job ( )

	crontab audit record
		cron-invoke atjob or crontab ( )
		crontab-crontab created ( )
		crontab-crontab deleted ( )
		crontab-permission ( )


D

	-d option
		auditreduce command ( )
		praudit command ( )

	daemon, audit
		See audit daemon

	date-time auditreduce command options ( )

	deallocate command
		allocate error state ( ) ( )
		described ( ) ( )
		device-clean scripts and ( )
		using ( )

	debugging sequence number ( ) ( )

	defaults
		audit policies ( )
		audit_startup file ( )
		machine-wide ( )
		praudit output format ( ) ( )
			header token ( )

	device_allocate file
		format ( ) ( )
		overview ( ) ( )

	device allocation ( ) ( )
		adding devices ( )
		allocatable devices ( ) ( ) ( )
		allocate command
			how the allocate mechanism works ( ) ( )
			options ( )
			using ( ) ( )
		allocate error state ( ) ( )
		allocating a device ( ) ( )
		components of the allocation mechanism ( )
		deallocate command
			allocate error state ( ) ( )
			described ( ) ( )
			device-clean scripts and ( )
			using ( )
		device_allocate file ( ) ( )
		device-clean scripts ( ) ( )
			adding devices ( )
			audio devices ( )
			CD-ROM drives ( ) ( )
			described ( )
			diskette drives ( ) ( )
			options ( )
			tape drives ( ) ( )
			writing new scripts ( )
		device_maps file ( ) ( )
		list_devices command ( ) ( )
		lock file setup ( ) ( )
		managing devices ( )
		reallocating ( )
		risks associated with device use ( ) ( )
		using device allocations ( ) ( )
		utilities ( ) ( )

	device-clean scripts
		adding devices ( )
		audio devices ( )
		CD-ROM drives ( ) ( )
		described ( )
		diskette drives ( ) ( )
		options ( )
		tape drives ( ) ( )
		writing new scripts ( )

	device_maps file
		format ( ) ( )
		overview ( )

	devices
		See also device allocation
		adding ( )
		lock files ( ) ( )
		managing ( )

	dir: line in audit_control file
		described ( )
		example ( ) ( )
		for files subdirectory ( )

	directories
		audit_control file definitions ( )
		audit daemon pointer ( ) ( )
		audit directories full ( ) ( ) ( ) ( )
		audit directory locations ( ) ( ) ( )
		audit partitions ( ) ( )
		diskfull machines ( ) ( )
		files subdirectory ( )
		mounting audit directories ( )
		permissions ( )
		suitable to audit daemon ( )

	disabling BSM ( )

	disk-space requirements ( ) ( )

	diskette drives
		See also device allocation
		device-clean scripts ( ) ( )

	diskfull machines' audit directory ( ) ( )

	diskless clients, enabling BSM for ( )

	displaying
		audit log in entirety ( )
		audit records ( )

	distributed systems' auditreduce command use ( )

	dminfo command ( )

	drives
		See device allocation


E

	ebusy string and audit_warn script ( )

	efficiency ( ) ( )

	eject command ( )

	enabling
		auditing ( )
		BSM ( ) ( )

	ending
		disabling BSM ( )
		signal received during auditing shutdown ( )
		terminating audit daemon ( )

	enter prom audit record ( )

	errors
		allocate error state ( ) ( )
		audit directories full ( ) ( ) ( ) ( )
		internal errors ( )

	/etc/security/audit/bsmconv script
		devicemaps file creation ( )
		enabling BSM ( ) ( )

	/etc/security/audit/bsmunconv script ( )

	/etc/security/audit_control file
		See audit_control file

	/etc/security/audit_data file ( )

	/etc/security/audit directory ( ) ( )

	/etc/security/audit_event file
		See also audit events
		audit event type ( )
		overview ( ) ( )

	/etc/security/audit_startup file ( )

	/etc/security/audit_warn script ( ) ( ) ( )

	/etc/security/dev lock files ( ) ( )

	/etc/security directory ( ) ( )

	event modifier field flags (header token) ( )

	event numbers ( )

	events
		See also audit classes
		categories ( )
		event-to-system call translation table ( ) ( )
		including in audit trail ( )
		kernel events
			audit tokens ( )
			auditconfig command options ( ) ( )
			described ( )
		mapping to classes ( ) ( )
		numbers ( )
		overview ( ) ( )
		record formats and ( )
		user-level events
			audit tokens ( )
			auditconfig command options ( )
			described ( )

	ex audit flag ( )

	exec_args token ( )

	exec audit class ( )

	exec audit record ( )

	exec_env token ( )

	execve audit record ( )

	exit audit record ( )

	exit prom audit record ( )

	exit token ( ) ( )

	export list ( )


F

	-F option
		allocate command ( )
		deallocate command ( )
		st_clean script ( )

	fa audit flag ( )

	failure
		audit flag prefix ( ) ( )
		turning off audit flags for ( ) ( )

	fc audit flag ( )

	fchdir audit record ( )

	fchmod audit record ( )

	fchown audit record ( )

	fchroot audit record ( )

	fcntl audit record ( )

	fd audit flag ( )

	fd_clean script ( )

	file_attr_acc audit class ( )

	file_attr_mod audit class ( )

	file_close audit class ( )

	file_creation audit class ( )

	file_deletion audit class ( )

	file_read audit class ( )

	file systems
		See audit files; directories

	file token ( ) ( )

	file vnode token ( ) ( )

	file_write audit class ( )

	files, audit
		See audit files

	files, lock ( ) ( )

	files subdirectory ( )

	flags ( ) ( )
		audit_control file line ( )
		audit_user file ( ) ( )
		auditconfig command options ( )
		definitions ( ) ( )
		machine-wide ( ) ( )
		overview ( )
		policy flags ( )
		prefixes ( ) ( )
		process preselection mask ( )
		syntax ( ) ( )

	flags: line in audit_control file
		described ( )
		prefixes in ( ) ( )
		process preselection mask ( )

	fm audit flag ( )

	forced cleanup ( )

	fork1 audit record ( )

	fork audit record ( )

	fr audit flag ( )

	fstatfs audit record ( )

	ftpd login audit record ( )

	fw audit flag ( )


G

	getaudit audit record ( )

	getauid audit record ( )

	-getclass option of auditconfig command ( )

	-getcond option of auditconfig command ( )

	getmsg audit record ( )
		socket accept ( )
		socket receive ( )

	-getpinfo option of auditconfig command ( )

	getpmsg audit record ( )

	-getpolicy option of auditconfig command ( )

	getportaudit audit record ( )

	graphics tablets
		See device allocation

	group policy
		flag ( )
		groups token ( ) ( ) ( )
		newgroups token ( )

	groups token ( ) ( ) ( )


H

	halt: machine halt audit record ( )

	hard-disk-space requirements ( ) ( )

	hard string with audit_warn script ( )

	header token
		described ( ) ( ) ( )
		event-modifier field flags ( )
		fields ( )
		format ( )
		order in audit record ( ) ( )
		praudit display ( )

	human-readable audit record format
		See also audit tokens
		converting audit records to ( ) ( ) ( ) ( ) ( )
		described ( ) ( )


I

	-I option
		deallocate command ( )
		st_clean script ( )

	IDs
		audit ( ) ( ) ( )
		audit session ( ) ( )
		audit user ( )
		auditconfig command options ( )
		terminal ( )

	in_addr token ( ) ( )

	in.ftpd audit record ( )

	in.rexecd audit record ( )

	in.rshd: rshd access denials/grants audit record ( )

	inetd: inetd service request audit record ( )

	init: init service request audit record ( )

	installing BSM ( ) ( )

	Internet-related tokens
		in_addr token ( ) ( )
		ip token ( ) ( )
		iport token ( ) ( )
		socket-inet token ( )
		socket token ( ) ( )

	io audit flag ( )

	ioctl: ioctl to special devices audit record ( )

	ioctl audit class ( )

	ioctl system calls ( ) ( )

	ip audit flag ( )

	ip token ( ) ( )

	ipc audit class ( )

	ipc_perm token ( ) ( )

	ipc token ( ) ( ) ( )

	ipc type field values (ipc token) ( )

	iport token ( ) ( )

	item size field values (arbitrary token) ( )


K

	kernel events
		See also audit events
		audit records ( ) ( )
		audit tokens ( )
		auditconfig command options ( ) ( )
		described ( )

	kill audit record ( )


L

	-l option, praudit command ( )

	lchown audit record ( )

	link audit record ( )

	list_devices command ( ) ( )

	lo audit flag ( )

	lock files
		how the allocate mechanism works ( ) ( )
		setting up ( )

	log files
		See audit files

	login audit record
		logout ( )
		rlogin ( )
		telnet login ( )
		terminal login ( )

	login_logout audit class ( )

	login/logout messages, copying to single file ( ) ( )

	-lsevent option of auditconfig command ( )

	-lspolicy option of auditconfig command ( ) ( )

	lstat audit record ( )

	lxstat audit record ( )


M

	-m option of auditreduce command ( )

	machine halt audit record ( )

	machine reboot audit record ( )

	managing devices ( )

	mappings, class ( ) ( )

	mask, process preselection
		auditconfig command options ( )
		described ( )
		machine-wide ( )
		reducing storage costs ( ) ( )

	memcntl audit record ( )

	minfree: line in audit_control file
		audit_warn condition ( ) ( )
		described ( )
		determining space needed ( )

	minus (-) audit flag prefix ( ) ( )

	mkdir audit record ( )

	mknod audit record ( )

	mmap audit record ( )

	modctl audit record
		MODADDMAJBIND command ( )
		MODCONFIG command ( )
		MODLOAD command ( )
		MODUNLOAD command ( )

	modems
		See device allocation

	monitoring audit trail in real time ( )

	mount audit record ( )

	mountd audit record
		NFS mount request ( )
		NFS unmount request ( )

	mounting audit directories ( )

	msgctl audit record
		IPC_RMID command ( )
		IPC_SET command ( )
		IPC_STAT command ( )

	msgget audit record ( )

	msgrcv audit record ( )

	msgsnd audit record ( )

	mt command, device-cleanup option ( )

	munmap audit record ( )


N

	na audit flag ( )

	naflags: line in audit_control file ( )

	names
		audit classes ( ) ( )
		audit files
			closed files ( )
			form ( ) ( )
			still-active files ( ) ( )
			time stamps ( )
			use ( )
		audit flags ( ) ( )
		device names
			device_allocate file ( )
			device_maps file ( )
		IDs
			audit ( ) ( )
			audit session ( ) ( )
			auditconfig command options ( )
			terminal ( )
		kernel events ( )
		mount-point path names on audit servers ( )
		user-level events ( )

	network audit class ( )

	never-audit flags ( ) ( )

	newgroups token ( )

	NFS mount request audit record ( )

	NFS unmount request audit record ( )

	nice audit record ( )

	no audit flag ( )

	no_class audit class ( )

	non_attrib audit class ( )

	nonattributable flags in audit_control file ( )

	normal users, auditing ( )

	not_terminated files, cleaning ( ) ( ) ( )

	nt audit flag ( )

	null audit class ( )

	numbers, event ( )


O

	-O option of auditreduce command ( ) ( ) ( ) ( )

	object-reuse requirement ( ) ( ) ( )
		device-clean scripts
			adding devices ( )
			audio devices ( )
			CD-ROM drives ( ) ( )
			described ( )
			diskette drives ( ) ( )
			tape drives ( ) ( )
			writing new scripts ( ) ( )

	opaque token ( ) ( )

	open audit record
		read ( )
		read, create ( )
		read, create, truncate ( )
		read, truncate ( )
		read, write ( )
		read, write, create ( )
		read, write, create, truncate ( )
		read, write, truncate ( )
		write ( )
		write, create ( )
		write, create, truncate ( )
		write, truncate ( )

	ot audit flag ( )

	other audit class ( )

	overflow prevention for audit trail ( ) ( )


P

	partitions, audit ( ) ( )

	passwd audit record ( )

	path policy flag ( )

	path token ( ) ( )

	pathconf audit record ( )

	pc audit flag ( )

	permissions for audit file systems ( )

	pipe audit record ( )

	plus (+) audit flag prefix ( ) ( )

	policies
		See also audit flags
		auditconfig options ( )
		setting ( )

	postsigterm string and audit_warn script ( )

	pound sign (#) for comments in files ( ) ( )

	poweroff audit record ( )

	praudit command
		See also audit tokens
		converting audit records to human-readable format ( ) ( )
		described ( )
		human-readable format ( ) ( )
		output formats ( ) ( )
		piping auditreduce output to ( )
		using ( ) ( )

	prefixes in audit flags ( ) ( )

	preselection mask
		auditconfig command options ( )
		described ( )
		machine-wide ( )
		reducing storage costs ( ) ( )

	primary audit directory ( ) ( )

	print format field values (arbitrary token) ( )

	printing audit log ( )

	priocntlsys audit record ( )

	process audit characteristics ( ) ( )
		audit ID ( )
		audit session ID ( )
		process preselection mask ( ) ( ) ( )
		terminal ID ( )

	process audit class ( )

	process dumped core audit record ( )

	process groups tokens
		groups token ( ) ( ) ( )
		newgroups token ( )

	process preselection mask
		auditconfig command options ( )
		described ( )
		reducing storage costs ( ) ( )

	process token ( ) ( )

	processing time costs ( )

	putmsg audit record ( )
		socket connect ( )
		socket send ( )

	putpmsg audit record ( )


R

	-r praudit output format ( ) ( )
		header token ( )

	raw praudit output format ( ) ( )
		header token ( )

	readlink audit record ( )

	reallocating devices ( )

	reboot: machine reboot audit record ( )

	records
		See audit records

	reducing audit files ( )
		auditreduce command ( ) ( )
		storage-space requirements ( ) ( ) ( )

	rename audit record ( )

	return token ( ) ( )

	rewoffl option of mt command ( )

	risks associated with device use ( ) ( )

	rmdir audit record ( )

	rpc.rexd audit record ( )

	rshd access denials/grants audit record ( )


S

	-S option of st_clean script ( )

	-s praudit output format ( )
		header token ( )

	/sbin/init audit record ( )

	SCSI devices
		See also device allocation
		st_clean script ( )

	secondary audit directory ( ) ( )

	security risks associated with device use ( ) ( )

	selecting audit records ( )

	semctl audit record
		GETALL command ( )
		GETNCNT command ( )
		GETPID command ( )
		GETVAL command ( )
		GETZCNT command ( )
		IPC_RMID command ( )
		IPC_SET command ( )
		IPC_STAT command ( )
		SETALL command ( )
		SETVAL command ( )

	semget audit record ( )

	semop audit record ( )

	seq policy flag ( )

	seq token ( ) ( )

	servers, enabling BSM for clients ( )

	session ID ( ) ( )

	setaudit audit record ( )

	setauid audit record ( )

	-setclass option of auditconfig command ( )

	-setcond option of auditconfig command ( )

	setegid audit record ( )

	seteuid audit record ( )

	setgid audit record ( )

	setgroups audit record ( )

	setpgrp audit record ( )

	-setpmask option of auditconfig command ( )

	-setpolicy option of auditconfig command ( ) ( )

	setrlimit audit record ( )

	-setsmask option of auditconfig command ( )

	setuid audit record ( )

	-setumask option of auditconfig command ( )

	SHIELD Basic Security Module
		See Basic Security Module (BSM)

	shmat audit record ( )

	shmctl audit record
		IPC_RMID command ( )
		IPC_SET command ( )
		IPC_STAT command ( )

	shmdt audit record ( )

	shmget audit record ( )

	short praudit output format ( )
		header token ( )

	shutdown audit record ( )

	shutting down
		See terminating

	signal received during auditing shutdown ( )

	size
		managing audit files ( )
		reducing audit files ( )
			auditreduce command ( ) ( )
			storage-space requirements ( ) ( ) ( )

	socket accept audit record ( )

	socket connect audit record ( )

	socket-inet token ( )

	socket receive audit record ( )

	socket send audit record ( )

	socket token ( ) ( )

	soft limit
		audit_warn condition ( )
		determining space needed ( )
		minfree: line described ( )

	soft string with audit_warn script ( )

	Solaris SHIELD Basic Security Module
		See Basic Security Module (BSM)

	sr_clean script ( )

	st_clean script for tape drives ( ) ( )

	standard cleanup ( )

	starting
		See enabling

	stat audit record ( )

	statfs audit record ( )

	statvfs audit record ( )

	stime audit record ( )

	storage costs ( ) ( )

	storage overflow prevention ( ) ( )

	su audit record ( )

	subject token ( ) ( )

	success
		audit flag prefix ( ) ( )
		turning off audit flags for ( )

	SUNWcar package ( )

	SUNWcsr package ( )

	SUNWcsu package ( )

	SUNWhea package ( )

	SUNWman package ( )

	symlink audit record ( )

	sysinfo audit record ( )

	system booted audit record ( )

	system calls
		arg token ( ) ( )
		auditsvc fails ( ) ( )
		close ( )
		event numbers ( )
		event-to-system call translation table ( ) ( )
		exec_args token ( )
		exec_env token ( )
		ioctl ( ) ( )
		return token ( ) ( )

	System V IPC
		ipc audit class ( )
		ipc_perm token ( ) ( )
		ipc token ( ) ( ) ( )


T

	tail command ( )

	tape drives
		See also device allocation
		device-clean scripts ( )
		risks associated with use ( ) ( )
		st_clean script ( )

	TCP address ( ) ( )

	TCSEC (Trusted Computer System Evaluation Criteria) C2 features ( )

	temporary file cannot be used ( )

	terminal ID ( )

	terminals
		See device allocation

	terminating
		audit daemon ( )
		signal received during auditing shutdown ( )

	text token ( ) ( )

	time-date auditreduce command options ( )

	time stamps in audit files ( )

	tmpfile string and audit_warn script ( )

	tokens
		See audit tokens

	trail
		See audit trail

	trail policy flag ( )

	trailer token
		described ( ) ( )
		fields ( )
		format ( )
		order in audit record ( ) ( )
		praudit display ( )

	Trusted Computer System Evaluation Criteria (TCSEC) C2 features ( )


U

	-U option
		allocate command ( )
		list_devices command ( )

	uadmin audit record ( )

	UDP address ( ) ( )

	umount: old version audit record ( )

	unlink audit record ( )

	user audit fields ( ) ( )

	user ID (audit ID) ( ) ( ) ( )

	user-level events
		See also audit events
		audit records ( ) ( )
		audit tokens ( )
		auditconfig command options ( )
		described ( )

	/usr/sbin/uadmin audit record ( )

	/usr/bin/at audit record
		at-create crontab ( )
		at-delete atjob ( )
		at-permission ( )

	/usr/bin/crontab audit record
		cron-invoke atjob or crontab ( )
		crontab-crontab created ( )
		crontab-crontab deleted ( )
		crontab-permission ( )

	/usr/bin/login audit record
		logout ( )
		rlogin ( )
		telnet login ( )
		terminal login ( )

	/usr/bin/passwd: change password audit record ( )

	/usr/bin/su audit record ( )

	/usr/lib/nfs/mountd audit record
		NFS mount request ( )
		NFS unmount request ( )

	/usr/sbin/allocate audit record
		allocate-list device failure ( )
		allocate-list device success ( )
		deallocate device failure ( )
		deallocate device ( )
		device allocate failure ( )
		device allocate success ( )

	/usr/sbin/auditd daemon
		See audit daemon

	/usr/sbin/halt audit record ( )

	/usr/sbin/in.ftpd audit record ( )

	/usr/sbin/in.rexecd audit record ( )

	/usr/sbin/in.rshd audit record ( )

	/usr/sbin/inetd audit record ( )

	/usr/sbin/init audit record ( )

	/usr/sbin/poweroff audit record ( )

	/usr/sbin/reboot audit record ( )

	/usr/sbin/rpc.rexd audit record ( )

	/usr/sbin/shutdown audit record ( )

	/usr/ucb/shutdown audit record ( )

	utilities
		device allocation ( ) ( )

	utime audit record ( )

	utimes audit record ( )

	utssys - fusers audit record ( )


V

	vfork audit record ( )

	viewing
		See displaying

	vnode token ( ) ( )

	vtrace audit record ( )


W

	writing new device-clean scripts ( )


X

	xmknod audit record ( )

	xstat audit record ( )

	Xylogics tape drive clean script ( )

Previous: Appendix B BSM Reference