Appendix A Audit Record Descriptions
This appendix has two parts. The first part describes each component of an audit record structure and each audit token structure. The second part defines all of the audit records generated by the Basic Security Module by event description.
Audit Record Structure
An audit record is a sequence of audit tokens. Each token contains event information such as user ID, time, and date. A header token begins an audit record, and an optional trailer concludes the record. Other audit tokens contain audit-relevant information. Figure A-1 shows a typical audit record.
Figure A-1 Typical Audit Record
Audit Token Structure
Logically, each token has a token type identifier followed by data specific to the token. Each token type has its own format and structure. The current tokens are shown in Table A-1. The token scheme can be extended.
Table A-1 Basic Security Module Audit Tokens|
Token Name |
Description |
|---|---|
|
Access Control List information |
|
|
Data with format and type information |
|
|
System call argument value |
|
|
Vnode tokens |
|
|
Exec system call arguments |
|
|
Exec system call environment variables |
|
|
Program exit information |
|
|
Audit file information |
|
|
Process groups information (obsolete) |
|
|
Indicates start of record |
|
|
Internet address |
|
|
IP header information |
|
|
System V IPC information |
|
|
System V IPC object tokens |
|
|
Internet port address |
|
|
Process groups information |
|
|
Unstructured data (unspecified format) |
|
|
Path information (path) |
|
|
Process token information |
|
|
Status of system call |
|
|
Sequence number token |
|
|
Socket type and addresses |
|
|
Socket port and address |
|
|
Subject token information (same structure as process token) |
|
|
ASCII string |
|
|
Indicates end of record |
An audit record always contains a header token. The header token indicates where the audit record begins in the audit trail. Every audit record contains a subject token, except for audit records from some nonattributable events. In the case of attributable events, these two tokens refer to the values of the process that caused the event. In the case of asynchronous events, the process tokens refer to the system.
acl token
The acl token records information about ACLs. It consists of four fixed fields. The fixed fields are: a token ID that identifies this token as an acl token, a field that specifies the ACL type, an ACL ID field, and a field that lists the permissions associated with this ACL. The acl token appears as follows:
Figure A-2 acl Token Format
arbitrary Token
The arbitrary token encapsulates data for the audit trail. It consists of four fixed fields and an array of data. The fixed fields are: a token ID that identifies this token as an arbitrary token, a suggested format field (for example, hexadecimal), a size field that specifies the size of data encapsulated (for example, short), and a count field that gives the number of following items. The remainder of the token is composed of one or more items of the specified type. The arbitrary token appears as follows:
Figure A-3 arbitrary Token Format
The print format field can take the values shown in Table A-2.
Table A-2 arbitrary Token Print Format Field Values|
Value |
Action |
|---|---|
|
AUP_BINARY |
Print date in binary |
|
AUP_OCTAL |
Print date in octal |
|
AUP_DECIMAL |
Print date in decimal |
|
AUP_HEX |
Print date in hex |
|
AUP_STRING |
Print date as a string |
The item size field can take the values shown in Table A-3.
Table A-3 arbitrary Token Item Size Field Values|
Value |
Action |
|---|---|
|
AUR_BYTE |
Data is in units of bytes (1 byte) |
|
AUR_SHORT |
Data is in units of shorts (2 bytes) |
|
AUR_LONG |
Data is in units of longs (4 bytes) |
arg Token
The arg token contains system call argument information: the argument number of the system call, the augment value, and an optional descriptive text string. This token allows a 32-bit integer system-call argument in an audit record. The arg token has 5 fields: a token ID that identifies this token as an arg token, an argument ID that tells which system call argument the token refers to, the argument value, the length of a descriptive text string, and the text string. Figure A-4 shows the token form.
Figure A-4 arg Token Format
attr Token
The attr token contains information from the file vnode. This token has 7 fields: a token ID that identifies this as an attr token, the file access mode and type, the owner user ID, the owner group ID, the file system ID, the inode ID, and device ID the file might represent. See the statvfs(2) man page for further information about the file system ID and the device ID.
This token usually accompanies a path token and is produced during path searches. In the event of a path-search error, this token is not included as part of the audit record since there is no vnode available to obtain the necessary file information. Figure A-5 shows the attr token format.
Figure A-5 attr Token Format
exec_args Token
The exec_args token records the arguments to an exec system call. The exec_args record has two fixed fields: a token ID field that identifies this as an exec_args token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-6 shows an exec_args token.
Figure A-6 exec_args Token Format
Note -
The exec_args token is output only when the audit policy argv is active. See "Setting Audit Policies" for more information.
exec_env Token
The exec_env token records the current environment variables to an exec system call. The exec_env record has two fixed fields: a token ID field that identifies this as an exec_env token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-7 shows an exec_env token.
Figure A-7 exec_env Token Format
Note -
The exec_env token is output only when the audit policy arge is active. See "Setting Audit Policies" for more information.
exit Token
The exit token records the exit status of a program. The exit token contains the exit status of the program and a return value. The status field is the same as that passed to the exit system call. The return value field indicates a system error number or a return value to further describe the exit status. Figure A-8 shows an exit token.
Figure A-8 exit Token Format
file Token
The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to "link" together successive audit files into one audit trail. The file token has four fields: a token ID that identifies this token as a file token, a time and date stamp that identifies the time the file was created or closed, a byte count of the file name including a null terminator, and a field holding the file null-terminated name. Figure A-9 shows a file token.
Figure A-9 file Token Format
groups Token (Obsolete)
This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Notice that praudit does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII style output is displayed.
The groups token records the groups entries from the process's credential. The groups token has two fixed fields: a token ID field that identifies this as a groups token, and a count that represents the number of groups contained in this audit record. The remainder of the token consists of zero or more group entries. Figure A-10 shows a groups token.
Figure A-10 groups Token Format
Note -
The groups token is output only when the audit policy group is active. See "The auditconfig Command" for more information.
header Token
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields: a token ID field that identifies this as a header token, a byte count of the total length of the audit record, including both header and trailer, a version number that identifies the version of the audit record structure, the audit event ID that identifies the type of audit event the record represents, an event ID modifier that contains ancillary descriptive information concerning the type of the event, and the time and date the record was created. Figure A-11 shows a header token.
Figure A-11 header Token Format
The event modifier field has the following flags defined:
0x4000 PAD_NOTATTR nonattributable event 0x8000 PAD_FAILURE fail audit event |
in_addr Token
The in_addr token contains an Internet address. This 4-byte value is an Internet Protocol address. The token has two fields: a token ID that identifies this token as an in_addr token and an Internet address. Figure A-12 shows an in_addr token.
Figure A-12 in_addr Token Format
ip Token
The ip token contains a copy of an Internet Protocol header but does not include any IP options. The IP options can be added by including more of the IP header in the token. The token has two fields: a token ID that identifies this as an ip token and a copy of the IP header (all 20 bytes). The IP header structure is defined in /usr/include/netinet/ip.h. Figure A-13 shows an ip token.
Figure A-13 ip Token Format
ipc Token
The ipc token contains the System V IPC message/semaphore/shared-memory handle used by the caller to identify a particular IPC object. This token has three fields: a token ID that identifies this as an ipc token, a type field that specifies the type of the IPC object, and the handle that identifies the IPC object. Figure A-14 shows an ipc token.
Figure A-14 ipc Token Format
Note -
The IPC object identifiers violate the context-free nature of the Solaris CMW audit tokens. No global "name" uniquely identifies IPC objects; instead, they are identified by their handles, which are valid only during the time the IPC objects are active. The identification should not be a problem since the System V IPC mechanisms are seldom used and they all share the same audit class.
The IPC object type field can have the values shown in Table A-4. The values are defined in /usr/include/bsm/audit.h.
Table A-4 IPC Object Type Field|
Name |
Value |
Description |
|---|---|---|
|
AU_IPC_MSG |
1 |
IPC message object |
|
AU_IPC_SEM |
2 |
IPC semaphore object |
|
AU_IPC_SHM |
3 |
IPC shared memory object |
ipc_perm Token
The ipc_perm token contains a copy of the System V IPC access information. This token is added to audit records generated by shared memory, semaphore, and message IPC events. The token has eight fields: a token ID that identifies this token as an ipc_perm token, the user ID of the IPC owner, the group ID of the IPC owner, the user ID of the IPC creator, the group ID of the IPC creator, the access modes of the IPC, the sequence number of the IPC, and the IPC key value. The values are taken from the ipc_perm structure associated with the IPC object. Figure A-15 shows an ipc_perm token format.
Figure A-15 ipc_perm Token Format
iport Token
The iport token contains the TCP (or UDP) port address. The token has two fields: a token ID that identifies this as an iport token and the TCP/UDP port address. Figure A-16 shows an iport token.
Figure A-16 iport Token Format
newgroups Token
This token is the replacement for the groups token. Notice that praudit does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII output is displayed.
The newgroups token records the groups entries from the process's credential. The newgroups token has two fixed fields: a token ID field that identifies this as a newgroups token, and a count that represents the number of groups contained in this audit record. The remainder of the token is composed of zero or more group entries. Figure A-17 shows a newgroups token.
Figure A-17 newgroups Token Format
Note -
The newgroups token is output only when the audit policy group is active. See "The auditconfig Command" for more information.
opaque Token
The opaque token contains unformatted data as a sequence of bytes. The token has three fields: a token ID that identifies this as an opaque token, a byte count of the amount of data, and an array of byte data. Figure A-18 shows an opaque token.
Figure A-18 opaque Token Format
path Token
The path token contains access path information for an object. The token contains a token ID and the absolute path to the object based on the real root of the system. The path has the following structure: a byte count of the path length and the path. Figure A-19 shows a path token.
Figure A-19 path Token Format
process Token
The process token contains information describing a process as an object such as the recipient of a signal. The token has 9 fields: a token ID that identifies this token as a process token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. Figure A-20 shows a process token.
Figure A-20 process Token Format
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note -
The process token fields for the session ID, the real user ID, or the real group ID might be unavailable. The entry is then set to -1.
return Token
The return token contains the return status of the system call (u_error) and the process return value (u_rval1). The token has three fields: a token ID that identifies this token as a return token, the error status of the system call, and the system call return value. This token is always returned as part of kernel-generated audit records for system calls. The token indicates exit status and other return values in application auditing. Figure A-21 shows a return token.
Figure A-21 return Token Format
seq Token
The seq token (sequence token) is an optional token that contains an increasing sequence number. This token is for debugging. The token is added to each audit record when the AUDIT_SEQ policy is active. The seq token has 2 fields: a token ID that identifies this token as a seq token, and a 32-bit unsigned long field that contains the sequence number. The sequence number is incremented every time an audit record is generated and put onto the audit trail. Figure A-22 shows a seq token.
Figure A-22 seq Token Format
socket Token
The socket token contains information describing an Internet socket. The socket token has 6 fields: a token ID that identifies this token as a socket token, a socket type field that indicates the type of socket referenced (TCP/UDP/UNIX), the local port address, the local Internet address, the remote port address, and the remote Internet address. Figure A-23 shows a socket token.
Figure A-23 socket Token Format
socket-inet Token
The socket-inet token describes a socket connection to a local port, which is used to represent the socket information in the Internet namespace. The socket-inet token has 4 fields: a token ID that identifies this token as a socket-inet token, a socket family field that indicates the Internet family (AF_INET, AF_OSI, and so on), the address of the local port, and the address of the socket. Figure A-24 shows a socket-inet token.
Figure A-24 socket-inet Token Format
subject Token
The subject token describes a subject (process). The structure is the same as the process token. The token has 9 fields: an ID that identifies this as a subject token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. This token is always returned as part of kernel-generated audit records for system calls. Figure A-25 shows the token.
Figure A-25 subject Token Format
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note -
The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The entry is then set to -1.
text Token
The text token contains a text string. The token has three fields: a token ID that identifies this token as a text token, the length of the text string, and the text string itself. Figure A-26shows a text token.
Figure A-26 text Token Format
trailer Token
The two tokens, header and trailer, are special in that they distinguish the endpoints of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. It is an optional token that is added as the last token of each record only when the AUDIT_TRAIL audit policy has been set.
The trailer token is special in that it marks the termination of an audit record. Together with the header token, the trailer token delimits an audit record. The trailer token supports backward seeks of the audit trail. The trailer token has three fields: a token ID that identifies this token as a trailer token, a pad number to aid in marking the end of the record, and the total number of characters in the audit record, including both the header and trailer tokens. Figure A-27 shows a trailer token.
Figure A-27 trailer Token Format
The audit trail analysis software ensures that each record contains both header and trailer. In the case of a write error, as when a file system becomes full, an audit record can be incomplete and truncated. auditsvc, the system call responsible for writing data to the audit trail, attempts to put out complete audit records. See the auditsvc(2) man page. When file system space runs out, the call terminates without releasing the current audit record. When the call resumes, it can then repeat the truncated record.
Audit Records
This section presents all of the audit records. The audit records generated by kernel events are described first (see "Kernel-Level Generated Audit Records"). The audit records generated by user-level eventes are described next (see "User-Level Generated Audit Records").
"Event-to-System Call Translation" includes two tables that include all possible audit events and identifies which kernel or user event created the audit event. Table A-192 maps audit events to system calls. Table A-193 maps audit events to an application or command.
General Audit Record Structure
The audit records produced by Basic Security Module have a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy. The group, sequence, and trailer tokens fall into this category. The administrator can determine if these are included in an audit record with the auditconfig command -getpolicy option.
Kernel-Level Generated Audit Records
These audit records are created by system calls that are used by the kernel. The records are sorted alphabetically by system call. The description of each record includes:
-
The name of the system call
-
A man page reference (if appropriate)
-
The audit event number
-
The audit event name
-
The audit event class
-
The mask for the event class
-
The audit record structure
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ACCEPT |
33 |
nt |
0x00000100 |
|
Format (if the socket address is not part of the AF_INET family):
header-token
arg-token (1, "fd", file descriptor)
text-token ("bad socket address")
text-token ("bad peer address")
subject-token
return-token
Format (if the socket address is part of the AF_INET family):
header-token If there is no vnode for this file descriptor:
[arg-token] (1, "Bad fd", file descriptor) or if the socket is not bound:
[arg-token (1, "fd", file descriptor)
text-token] ("socket not bound")
or if the socket address length = 0:
[arg-token (1, "fd", file descriptor)
text-token] ("bad socket address")
For all other conditions:
[socket-inet-token] ("socket address")
socket-inet-token ("socket address")
subject-token
return-token
|
|||
Table A-6 access(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ACCESS |
14 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-7 acl(2) - SETACL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ACLSET |
251 |
fm |
0x00000008 |
|
Format:
header-token
arg-token (2, "cmd", SETACL)
arg-token (3, "nentries", number of ACL entries)
(0..n)[acl-token] (ACLs)
subject-token
return-token
|
|||
Table A-8 acct(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ACCT |
18 |
ad |
0x00000800 |
|
Format (zero path):
header-token
argument-token (1, "accounting off", 0)
subject-token
return-token
Format (non-zero path):
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-9 adjtime(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ADJTIME |
50 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-10 audit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDIT |
211 |
no |
0x00000000 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-11 auditon(2) - get car
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETCAR |
224 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-12 auditon(2) - get event class
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETCLASS |
231 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-13 auditon(2) - get audit state
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETCOND |
229 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-14 auditon(2) - get cwd
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETCWD |
223 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-15 auditon(2) - get kernal mask
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETKMASK |
221 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-16 auditon(2) - get audit statistics
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GETSTAT |
225 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-17 auditon(2) - GPOLICY command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GPOLICY |
114 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-18 auditon(2) - GQCTRL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_GQCTRL |
145 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-19 auditon(2) - set event class
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETCLASS |
232 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (2, "setclass:ec_event", event number)
[argument-token] (3, "setclass:ec_class", class mask)
subject-token
return-token
|
|||
Table A-20 auditon(2) - set audit state
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETCOND |
230 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (3, "setcond", audit state)
subject-token
return-token
|
|||
Table A-21 auditon(2) - set kernal mask
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETKMASK |
222 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (2, "setkmask:as_success", kernel mask)
[argument-token] (2, "setkmask:as_failure", kernel mask)
return-token
|
|||
Table A-22 auditon(2) - set mask per session ID
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETSMASK |
228 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (3, "setsmask:as_success", session ID mask)
[argument-token] (3, "setsmask:as_failure", session ID mask)
subject-token
return-token
|
|||
Table A-23 auditon(2) - reset audit statistics
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETSTAT |
226 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-24 auditon(2) - set mask per uid
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SETUMASK |
227 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (3, "setumask:as_success", audit ID mask)
[argument-token] (3, "setumask:as_failure", audit ID mask)
subject-token
return-token
|
|||
Table A-25 auditon(2) - SPOLICY command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SPOLICY |
147 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (1, "policy", audit policy flags)
subject-token
return-token
|
|||
Table A-26 auditon(2) - SQCTRL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITON_SQCTRL |
146 |
ad |
0x00000800 |
|
Format:
header-token
[argument-token] (3,"setqctrl:aq_hiwater", queue control param.)
[argument-token] (3,"setqctrl:aq_lowater", queue control param.)
[argument-token] (3,"setqctrl:aq_bufsz", queue control param.)
[argument-token] (3,"setqctrl:aq_delay", queue control param.)
subject-token
return-token
|
|||
Table A-27 auditsvc(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_AUDITSVC |
136 |
ad |
0x00000800 |
|
Format (valid file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-28 bind(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_BIND |
34 |
nt |
0x00000100 |
|
Format:
header-token If there is no vnode for this file descriptor:
[arg-token] (1, "Bad fd", file descriptor) or if the socket is not of the AF_INET family:
[arg-token (1, "fd", file descriptor)
text-token] ("bad socket address")
for all other conditions:
[arg-token (1, "fd", file descriptor)
socket-inet-token] ("socket address")
subject-token
return-token
|
|||
Table A-29 chdir(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CHDIR |
8 |
pc |
0x00000080 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-30 chmod(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CHMOD |
10 |
fm |
0x00000008 |
|
Format:
header-token
argument-token (2, "new file mode", mode)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-31 chown(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CHOWN |
11 |
fm |
0x00000008 |
|
Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-32 chroot(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CHROOT |
24 |
pc |
0x00000080 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-33 close(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CLOSE |
112 |
cl |
0x00000040 |
|
Format:
<file system object>
header-token
argument-token (1, "fd", file descriptor)
[path-token]
[attr-token]
subject-token
return-token
|
|||
Table A-34 connect(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CONNECT |
32 |
nt |
0x00000100 |
|
Format (if the socket address is not part of the AF_INET family):
header-token
arg-token (1, "fd", file descriptor)
text-token ("bad socket address")
text-token ("bad peer address")
subject-token
return-token
Format (if the socket address is part of the AF_INET family):
header-token If there is no vnode for this file descriptor:
[arg-token] (1, "Bad fd", file descriptor) or if the socket is not bound:
[arg-token (1, "fd", file descriptor)
text-token] ("socket not bound")
or if the socket address length = 0:
[arg-token (1, "fd", file descriptor)
text-token] ("bad socket address")
for all other conditions:
[socket-inet-token] ("socket address")
socket-inet-token ("socket address")
subject-token
return-token
|
|||
Table A-35 creat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CREAT |
4 |
fc |
0x00000010 |
|
Format
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-36 doorfs(2) - DOOR_BIND
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_BIND |
260 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (1, "door ID", door ID)
subject-token
return-token
|
|||
Table A-37 doorfs(2) - DOOR_CALL
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_CALL |
254 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (1, "door ID", door ID)
process-token (for process that owns the door)
subject-token
return-token
|
|||
Table A-38 doorfs(2) - DOOR_CREATE
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_CREATE |
256 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (1, "door attr", door attributes)
subject-token
return-token
|
|||
Table A-39 doorfs(2) - DOOR_CRED
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_CRED |
259 |
ip |
0x00000200 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-40 doorfs(2) - DOOR_INFO
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_INFO |
258 |
ip |
0x00000200 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-41 doorfs(2) - DOOR_RETURN
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_RETURN |
255 |
ip |
0x00000200 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-42 doorfs(2) - DOOR_REVOKE
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_REVOKE |
257 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (1, "door ID", door ID)
subject-token
return-token
|
|||
Table A-43 doorfs(2) - DOOR_UNBIND
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_DOORFS_DOOR_UNBIND |
261 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (1, "door ID", door ID)
subject-token
return-token
|
|||
Table A-44 enter prom
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_ENTERPROM |
153 |
na |
0x00000400 |
|
Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token
|
|||
Table A-45 exec(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_EXEC |
7 |
pc,ex |
0x40000080 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-46 execve(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_EXECVE |
23 |
pc,ex |
0x40000080 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-47 exit prom
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_EXITPROM |
154 |
na |
0x00000400 |
|
Format:
header-token
text-token (addr, "monitor PROM"|"kadb")
subject-token
return-token
|
|||
Table A-48 exit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_EXIT |
1 |
pc |
0x00000080 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-49 facl(2) - SETACL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FACLSET |
252 |
fm |
0x00000008 |
|
Format (zero path):
header-token
arg-token (2, "cmd", SETACL)
arg-token (3, "nentries", number of ACL entries)
arg-token (1, "no path: fd", file descriptor)
(0..n)[acl-token] (ACLs)
subject-token
return-token
Format (non-zero path):
header-token
arg-token (2, "cmd", SETACL)
arg-token (3, "nentries", number of ACL entries)
path-token
[attr-token]
(0..n)[acl-token] (ACLs)
subject-token
return-token
|
|||
Table A-50 fchdir(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FCHDIR |
68 |
pc |
0x00000080 |
|
Format:
header-token
[path-token]
[attr-token]
subject-token
return-token
|
|||
Table A-51 fchmod(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FCHMOD |
39 |
fm |
0x00000008 |
|
Format (valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (2, "new file mode", mode)
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-52 fchown(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FCHOWN |
38 |
fm |
0x00000008 |
|
Format (valid file descriptor):
header-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
[path-token]
[attr-token]
subject-token
return-token
Format (non-file descriptor):
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-53 fchroot(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FCHROOT |
69 |
pc |
0x00000080 |
|
Format:
header-token
[path-token]
[attr-token]
subject-token
return-token
|
|||
Table A-54 fcntl(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW) |
30 |
fm |
0x00000008 |
|
Format (file descriptor):
header-token
argument-token (2, "cmd", cmd)
path-token
attr-token
subject-token
return-token
Format (bad file descriptor):
header-token
argument-token (2, "cmd", cmd)
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-55 fork(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FORK |
2 |
pc |
0x00000080 |
|
Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token
The fork() return values are undefined because the audit record is produced at the point that the child process is spawned.
|
|||
Table A-56 fork1(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FORK1 |
241 |
pc |
0x00000080 |
|
Format:
header-token
[argument-token] (0, "child PID", pid)
subject-token
return-token
The fork1() return values are undefined because the audit record is produced at the point that the child process is spawned.
|
|||
Table A-57 fstatfs(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_FSTATFS |
55 |
fa |
0x00000004 |
|
Format (file descriptor):
header-token
[path-token]
[attr-token]
subject-token
return-token
Format (non-file descriptor):
header-token
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-58 getaudit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_GETAUDIT |
132 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-59 getauid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_GETAUID |
130 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-60 getmsg(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_GETMSG |
217 |
nt |
0x00000100 |
|
Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-61 getmsg - accept
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SOCKACCEPT |
247 |
nt |
0x00000100 |
|
Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-62 getmsg - receive
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SOCKRECEIVE |
250 |
nt |
0x00000100 |
|
Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-63 getpmsg(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_GETPMSG |
219 |
nt |
0x00000100 |
|
Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token
|
|||
Table A-64 getportaudit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_GETPORTAUDIT |
149 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-65 inst_sync(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_INST_SYNC |
264 |
ad |
0x00000800 |
|
Format:
header-token
arg-token (2, "flags", flags value)
subject-token
return-token
|
|||
Table A-66 ioctl(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_IOCTL |
158 |
io |
0x20000000 |
|
Format (good file descriptor):
header-token
path-token
[attr-token]
argument-token (2, "cmd" ioctl cmd)
argument-token (3, "arg" ioctl arg)
subject-token
return-token
Format (socket):
header-token
[socket-token]
argument-token (2, "cmd" ioctl cmd)
argument-token (3, "arg" ioctl arg)
subject-token
return-token
Format (non-file file descriptor):
header-token
argument-token (1, "fd", file descriptor)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
Format (bad file name):
header-token
argument-token (1, "no path: fd", fd)
argument-token (2, "cmd", ioctl cmd)
argument-token (3, "arg", ioctl arg)
subject-token
return-token
|
|||
Table A-67 kill(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_KILL |
15 |
pc |
0x00000080 |
|
Format (valid process):
header-token
argument-token (2, "signal", signo)
[process-token]
subject-token
return-token
Format (zero or negative process):
header-token
argument-token (2, "signal", signo)
argument-token (1, "process", pid))
subject-token
return-token
|
|||
Table A-68 lchown(2)
|
Event ID |
Event Class |
Mask |
|
|---|---|---|---|
|
AUE_LCHOWN |
237 |
fm |
0x00000008 |
|
Format:
header-token
argument-token (2, "new file uid", uid)
argument-token (3, "new file gid", gid)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-69 link(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_LINK |
5 |
fc |
0x00000010 |
|
Format:
header-token
path-token (from path)
[attr-token] (from path)
path-token (to path)
subject-token
return-token
|
|||
Table A-70 lstat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_LSTAT |
17 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-71 lxstat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_LXSTAT |
236 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-72 memcntl(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MEMCNTL |
238 |
ot |
0x80000000 |
|
Format:
header-token
argument-token (1, "base", base address)
argument-token (2, "len", length)
argument-token (3, "cmd", command)
argument-token (4, "arg", command args)
argument-token (5, "attr", command attributes)
argument-token (6, "mask", 0)
subject-token
return-token
|
|||
Table A-73 mkdir(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MKDIR |
47 |
fc |
0x00000010 |
|
Format:
header-token
argument-token (2, "mode", mode)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-74 mknod(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MKNOD |
9 |
fc |
0x00000010 |
|
Format:
header-token
argument-token (2, "mode", mode)
argument-token (3, "dev", dev)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-75 mmap(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MMAP |
210 |
no |
0x00000000 |
|
Format (valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
[path-token]
[attr-token]
subject-token
return-token
Format (not valid file descriptor):
header-token
argument-token (1, "addr", segment address)
argument-token (2, "len", segment length)
argument-token (1, "no path: fd", fd)
subject-token
return-token
|
|||
Table A-76 modctl(2) - bind module
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MODADDMAJ |
246 |
ad |
0x00000800 |
|
Format:
header-token
[text-token] driver major number)
[text-token] (driver name)
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
argument-token (5, "", number of aliases)
(0..n)[text-token] (aliases)
subject-token
return-token
|
|||
Table A-77 modctl(2) - configure module
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MODCONFIG |
245 |
ad |
0x00000800 |
|
Format:
header-token
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
subject-token
return-token
|
|||
Table A-78 modctl(2) - load module
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MODLOAD |
243 |
ad |
0x00000800 |
|
Format:
header-token
[text-token] (default path)
text-token (filename path)
subject-token
return-token
|
|||
Table A-79 modctl(2) - unload module
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MODUNLOAD |
244 |
ad |
0x00000800 |
|
Format:
header-token
argument-token (1, "id", module ID)
subject-token
return-token
|
|||
Table A-80 mount(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MOUNT |
62 |
ad |
0x00000800 |
|
Format (UNIX file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
path-token
[attr-token]
subject-token
return-token
Format (NFS file system):
header-token
argument-token (3, "flags", flags)
text-token (filesystem type)
text-token (host name)
argument-token (3, "internal flags", flags)
|
|||
Table A-81 msgctl(2) - IPC_RMID command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGCTL_RMID |
85 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-82 msgctl(2) - IPC_SET command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGCTL_SET |
86 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-83 msgctl(2) - IPC_STAT command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGCTL_STAT |
87 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-84 msgget(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGGET |
88 |
ip |
0x00000200 |
|
Format:
header-token
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-85 msgrcv(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGRCV |
89 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-86 msgsnd(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MSGSND |
90 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "msg ID", message ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the msg ID is not valid.
|
|||
Table A-87 munmap(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_MUNMAP |
214 |
cl |
0x00000040 |
|
Format:
header-token
argument-token (1, "addr", address of memory)
argument-token (2, "len", memory segment size)
subject-token
return-token
|
|||
Table A-88 old nice(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_NICE |
203 |
pc |
0x00000080 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-89 open(2) - read
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_R |
72 |
fr |
0x00000001 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-90 open(2) - read,creat
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RC |
73 |
fc,fr |
0x00000011 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-91 open(2) - read,creat,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RTC |
75 |
fc,fd,fr |
0x00000031 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-92 open(2) - read,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RT |
74 |
fd,fr |
0x00000021 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-93 open(2) - read,write
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RW |
80 |
fr,fw |
0x00000003 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-94 open(2) - read,write,creat
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RWC |
81 |
fr,fw,fc |
0x00000013 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-95 open(2) - read,write,create,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RWTC |
83 |
fr,fw,fc,fd |
0x00000033 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-96 open(2) - read,write,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_RWT |
82 |
fr,fw,fd |
0x00000023 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-97 open(2) - write
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_W |
76 |
fw |
0x00000002 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-98 open(2) - write,creat
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_WC |
77 |
fw,fc |
0x00000012 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-99 open(2) - write,creat,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_WTC |
79 |
fw,fc,fd |
0x00000032 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-100 open(2) - write,trunc
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OPEN_WT |
78 |
fw,fd |
0x00000022 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-101 p_online(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_P_ONLINE |
262 |
ad |
0x00000800 |
|
header-token
arg-token (1, "processor ID", processor ID)
arg-token (2, "flags", flags value)
text-token (text form of flags value: P_ONLINE, P_OFFLINE, P_STATUS)
subject-token
return-token
|
|||
Table A-102 pathconf(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PATHCONF |
71 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-103 pipe(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PIPE |
185 |
no |
0x00000000 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-104 priocntlsys(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PRIOCNTLSYS |
212 |
pc |
0x0000080 |
|
Format:
header-token
argument-token (1, "pc_version", priocntl version num.)
argument-token (3,"cmd", command)
subject-token
return-token
|
|||
Table A-105 process dumped core
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_CORE |
111 |
fc |
0x0000010 |
|
Format:
header-token
path-token
[attr-token]
argument-token (1, "signal", signal)
subject-token
return-token
|
|||
Table A-106 processor_bind(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PROCESSOR_BIND |
263 |
ad |
0x00000800 |
|
Format (no processor bound):
header-token
arg-token (1, "ID type", type of ID)
arg-token (2, "ID", ID value)
text-token ("PBIND_NONE")
process-token (for process whose threads are bound to the processor)
subject-token
return-token
Format (with processor bound):
header-token
arg-token (1, "ID type", type of ID)
arg-token (2, "ID", ID value)
arg-token (3, "processor ID", processor ID)
process-token (for process whose threads are bound to the processor)
subject-token
return-token
|
|||
Table A-107 putmsg(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PUTMSG |
216 |
nt |
0x00000100 |
|
Format:
header-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-108 putmsg-connect
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SOCKCONNECT |
248 |
nt |
0x00000100 |
|
Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-109 putmsg-send
|
Event Name |
Event ID |
EventClass |
Mask |
|---|---|---|---|
|
AUE_SOCKSEND |
249 |
nt |
0x00000100 |
|
Format:
header-token
socket-inet-token
argument-token (1, "fd", file descriptor)
argument-token (4, "pri", priority)
subject-token
return-token
|
|||
Table A-110 putpmsg(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_PUTPMSG |
218 |
nt |
0x00000100 |
|
Format:
header-token
argument-token (1, "fd", file descriptor)
subject-token
return-token
|
|||
Table A-111 readlink(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_READLINK |
22 |
fr |
0x00000001 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-112 rename(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_RENAME |
42 |
fc,fd |
0x00000030 |
|
Format:
header-token
path-token (from name)
[attr-token] (from name)
[path-token] (to name)
subject-token
return-token
|
|||
Table A-113 rmdir(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_RMDIR |
48 |
fd |
0x00000020 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-114 semctl(2) - getall
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_GETALL |
105 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-115 semctl(2) - GETNCNT command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_GETNCNT |
102 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-116 semctl(2) - GETPID command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_GETPID |
103 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-117 semctl(2) - GETVAL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_GETVAL |
104 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-118 semctl(2) - GETZCNT command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_GETZCNT |
106 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-119 semctl(2) - IPC_RMID command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_RMID |
99 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-120 semctl(2) - IPC_SET command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_SET |
100 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-121 semctl(2) - SETALL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_SETALL |
108 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-122 semctl(2) - SETVAL command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_SETVAL |
107 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-123 semctl(2) - IPC_STAT command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMCTL_STAT |
101 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
|
|||
Table A-124 semget(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMGET |
109 |
ip |
0x00000200 |
|
Format:
header-token
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the system call failed.
|
|||
Table A-125 semop(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SEMOP |
110 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "sem ID", semaphore ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the semaphore ID is not valid.
|
|||
Table A-126 setaudit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETAUDIT |
133 |
ad |
0x00000800 |
|
Format (valid program stack address):
header-token
argument-token (1, "setaudit:auid", audit user ID)
argument-token (1, "setaudit:port", terminal ID)
argument-token (1, "setaudit:machine", terminal ID)
argument-token (1, "setaudit:as_success", preselection mask)
argument-token (1, "setaudit:as_failure", preselection mask)
argument-token (1, "setaudit:asid", audit session ID)
subject-token
return-token
Format (not valid program stack address):
header-token
subject-token
return-token
|
|||
Table A-127 setauid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETAUID |
131 |
ad |
0x00000800 |
|
Format:
header-token
argument-token (2, "setauid", audit user ID)
subject-token
return-token
|
|||
Table A-128 setegid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETEGID |
214 |
pc |
0x00000080 |
|
Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token
|
|||
Table A-129 seteuid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETEUID |
215 |
pc |
0x00000080 |
|
Format:
header-token
argument-token (1, "gid", user ID)
subject-token
return-token
|
|||
Table A-130 old setgid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETGID |
205 |
pc |
0x00000080 |
|
Format:
header-token
argument-token (1, "gid", group ID)
subject-token
return-token
|
|||
Table A-131 setgroups(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETGROUPS |
26 |
pc |
0x00000080 |
|
Format:
header-token
[argument-token] (1, "setgroups", group ID)
subject-token
return-token
One argument-token for each group set.
|
|||
Table A-132 setpgrp(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETPGRP |
27 |
pc |
0x00000080 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-133 setregid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETREGID |
41 |
pc |
0x00000080 |
|
Format:
header-token
arg-token (1, "rgid", real group ID)
arg-token (2, "egid", effective group ID)
subject-token
return-token
|
|||
Table A-134 setreuid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETREUID |
40 |
pc |
0x00000080 |
|
Format:
header-token
arg-token (1, "ruid", real user ID)
arg-token (2, "euid", effective user ID)
subject-token
return-token
|
|||
Table A-135 setrlimit(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SETRLIMIT |
51 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-136 old setuid(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_OSETUID |
200 |
pc |
0x00000080 |
|
Format:
header-token
argument-token (1, "uid", user ID)
subject-token
return-token
Because of a current bug in the audit software, this token is reported as AUE_OSETUID.
|
|||
Table A-137 shmat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMAT |
96 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "shmid", shared memory ID)
argument-token (2, "shmaddr", shared mem addr)
[ipc-token]
[ipc_perm-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
|
|||
Table A-138 shmctl(2) - IPC_RMID command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMCTL_RMID |
92 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
|
|||
Table A-139 shmctl(2) - IPC_SET command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMCTL_SET |
93 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
[ipc_perm-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
|
|||
Table A-140 shmctl(2) - IPC_STAT command
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMCTL_STAT |
94 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "shmid", shared memory ID)
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included if the shared memory segment ID is not valid.
|
|||
Table A-141 shmdt(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMDT |
97 |
ip |
0x00000200 |
|
Format:
header-token
argument-token (1, "shmaddr", shared mem addr)
subject-token
return-token
|
|||
Table A-142 shmget(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHMGET |
95 |
ip |
0x00000200 |
|
Format:
header-token
arg-token (0, "shmid", shared memory ID)
[ipc_perm-token]
[ipc-token]
subject-token
return-token
The ipc and ipc_perm tokens are not included for failed events.
|
|||
Table A-143 shutdown(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SHUTDOWN |
46 |
nt |
0x00000100 |
|
Format (if the socket address is not part of the AF_INET family):
header-token
arg-token (1, "fd", file descriptor)
text-token] ("bad socket address")
text-token] ("bad peer address")
subject-token
return-token
Format (if the socket address is part of the AF_INET family):
header-token If there is no vnode for this file descriptor:
[arg-token] (1, "Bad fd", file descriptor) or if the socket is not bound:
[arg-token (1, "fd", file descriptor)
text-token] ("socket not bound")
or if the socket address length = 0:
[arg-token (1, "fd", file descriptor)
text-token] ("bad socket address")
for all other conditions:
[socket-inet-token] ("socket address")
socket-inet-token ("socket address")
subject-token
return-token
|
|||
Table A-144 stat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_STAT |
16 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-145 statfs(2)
|
Event Name |
Event ID |
EventClass |
Mask |
|---|---|---|---|
|
AUE_STATFS |
54 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-146 statvfs(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_STATVFS |
234 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-147 stime(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_STIME |
201 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-148 symlink(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SYMLINK |
21 |
fc |
0x00000010 |
|
Format:
header-token
text-token (symbolic link string)
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-149 sysinfo(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SYSINFO |
39 |
ad |
0x00000800 |
|
Format:
header-token
argument-token (1, "cmd", command)
text-token (name)
subject-token
return-token
|
|||
Table A-150 system booted
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_SYSTEMBOOT |
113 |
na |
0x00000400 |
|
Format:
header-token
text-token ("booting kernel")
return-token
|
|||
Table A-151 umount(2) - old version
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_UMOUNT |
12 |
ad |
0x00000800 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-152 unlink(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_UNLINK |
6 |
fd |
0x00000020 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-153 old utime(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_UTIME |
202 |
fm |
0x00000008 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-154 utimes(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_UTIMES |
49 |
fm |
0x00000008 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-155 utssys(2) - fusers
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_UTSSYS |
233 |
ad |
0x00000800 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-156 vfork(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_VFORK |
25 |
pc |
0x00000080 |
|
Format:
header-token
argument-token (0, "child PID", pid)
subject-token
return-token
The fork return values are undefined because the audit record is produced at the point that the child process is spawned.
|
|||
Table A-157 vtrace(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_VTRACE |
36 |
pc |
0x00000080 |
|
Format:
header-token
subject-token
return-token
|
|||
Table A-158 xmknod(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_XMKNOD |
240 |
fc |
0x00000010 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
Table A-159 xstat(2)
|
Event Name |
Event ID |
Event Class |
Mask |
|---|---|---|---|
|
AUE_XSTAT |
235 |
fa |
0x00000004 |
|
Format:
header-token
path-token
[attr-token]
subject-token
return-token
|
|||
User-Level Generated Audit Records
These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:
-
The name of the program
-
A man page reference (if appropriate)
-
The audit event number
-
The audit event name
-
The audit record structure
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_allocate_succ |
/usr/sbin/allocate |
6200 |
ad |
0x00000800 |
|
Format:
header-token
text-token
path-token
subject-token
exit-token
|
||||
Table A-161 allocate-device failure
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_allocate_fail |
/usr/sbin/allocate |
6201 |
ad |
0x00000800 |
|
Format:
header-token
text-token
subject-token
exit-token
|
||||
Table A-162 deallocate-device success
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_deallocate_succ |
/usr/sbin/deallocate |
6202 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
newgroups-token
exit-token
|
||||
Table A-163 deallocate-device failure
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_deallocate_fail |
/usr/sbin/deallocate |
6203 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
newgroups-token
exit-token
|
||||
Table A-164 allocate-list devices success
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_listdevice_succ |
/usr/sbin/allocate |
6205 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-165 allocate-list devices failure
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_listdevice_fail |
/usr/sbin/allocate |
6206 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-166 at-create crontab
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_at_create |
/usr/bin/at |
6144 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-167 at-delete atjob (at or atrm)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_at_delete |
/usr/bin/at |
6145 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-168 at-permission
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_at_perm |
/usr/bin/at |
6146 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-169 crontab-crontab created
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_crontab_create |
/usr/bin/crontab |
6148 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-170 crontab-crontab deleted
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_crontab_delete |
/usr/bin/crontab |
6149 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-171 cron-invoke atjob or crontab
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_cron_invoke |
/usr/bin/crontab |
6147 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
text-token (program)
text-token (shell)
text-token (cmd)
exit-token
|
||||
Table A-172 crontab-permission
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_crontab_perm |
/usr/bin/crontab |
6150 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
[group-token]
exit-token
|
||||
Table A-173 halt(1m)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_halt_solaris |
/usr/sbin/halt |
6160 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
||||
Table A-174 inetd
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_inetd_connect |
/usr/sbin/inetd |
6151 |
na |
0x00000400 |
|
Format:
header-token
subject-token
text-token (service name)
in_addr-token
iport-token
return-token
|
||||
Table A-175 init(1m)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_init_solaris |
/sbin/init; /usr/sbin/init; /usr/sbin/shutdown |
6166 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
text-token (init level)
return-token
|
||||
Table A-176 ftp access
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_ftpd |
/usr/sbin/in.ftpd |
6165 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message, failure only)
return-token
|
||||
Table A-177 login - local
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_login |
/usr/sbin/login |
6152 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message)
return-token
|
||||
Table A-178 login - rlogin
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_rlogin |
/usr/sbin/login |
6155 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message)
return-token
|
||||
Table A-179 login - telnet
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_telnet |
/usr/sbin/login |
6154 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message)
return-token
|
||||
Table A-180 logout
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_logout |
/usr/sbin/login |
6153 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token
return-token
|
||||
Table A-181 mount
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_mountd_mount |
/usr/lib/nfs/mountd |
6156 |
na |
0x00000400 |
|
Format:
header-token
arg-token
text-token (remote client hostname)
path-token (mount dir)
attribute-token
path-token
attribute-token
subject-token
return-token
|
||||
Table A-182 unmount
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_mountd_umount |
/usr/lib/nfs/mountd |
6157 |
na |
0x00000400 |
|
Format:
header-token
path-token (mount dir)
attribute-token
subject-token
return-token
|
||||
Table A-183 passwd
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_passwd |
/usr/bin/passwd |
6163 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message)
return-token
|
||||
Table A-184 poweroff(1m)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_poweroff_solaris |
/usr/sbin/poweroff |
6169 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
||||
Table A-185 reboot(1m)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_reboot_solaris |
/usr/sbin/reboot |
6161 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
||||
Table A-186 rexd
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_rexd |
/usr/sbin/rpc.rexd |
6164 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token
|
||||
Table A-187 rexecd
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_rexecd |
/usr/sbin/in.rexecd |
6162 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token
|
||||
Table A-188 rsh access
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_rshd |
/usr/sbin/in.rshd |
6158 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (command string)
text-token (local user)
text-token (remote user)
return-token
|
||||
Table A-189 shutdown(1b)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_shutdown_solaris |
/usr/ucb/shutdown |
6168 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
return-token
|
||||
Table A-190 su
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_su |
/usr/bin/su |
6159 |
lo |
0x00001000 |
|
Format:
header-token
subject-token
text-token (error message)
return-token
|
||||
Table A-191 admin(1m)
|
Event Name |
Program |
Event ID |
Event Class |
Mask |
|---|---|---|---|---|
|
AUE_uadmin_solaris |
/sbin/uadmin; /usr/sbin/uadmin |
6167 |
ad |
0x00000800 |
|
Format:
header-token
subject-token
text-token (function)
text-token (argument)
return-token
|
||||
Event-to-System Call Translation
Table A-192 associates an audit event name with the system call or kernel event that created it. Table A-193 associates an audit event with the application or command that generated it.
Table A-192 Event-to-System Call Translation|
Audit Event |
System Call |
|---|---|
|
AUE_ACCEPT | |
|
AUE_ACCESS | |
|
AUE_ACLSET | |
|
AUE_ACCT | |
|
AUE_ADJTIME | |
|
AUE_AUDIT | |
|
AUE_AUDITON_GETCAR | |
|
AUE_AUDITON_GETCLASS | |
|
AUE_AUDITON_GETCOND | |
|
AUE_AUDITON_GETCWD | |
|
AUE_AUDITON_GETKMASK | |
|
AUE_AUDITON_GETSTAT | |
|
AUE_AUDITON_GPOLICY | |
|
AUE_AUDITON_GQCTRL | |
|
AUE_AUDITON_SETCLASS | |
|
AUE_AUDITON_SETCOND | |
|
AUE_AUDITON_SETKMASK | |
|
AUE_AUDITON_SETSMASK | |
|
AUE_AUDITON_SETSTAT | |
|
AUE_AUDITON_SETUMASK | |
|
AUE_AUDITON_SPOLICY | |
|
AUE_AUDITON_SQCTRL | |
|
AUE_AUDITSVC | |
|
AUE_BIND | |
|
AUE_CHDIR | |
|
AUE_CHMOD | |
|
AUE_CHOWN | |
|
AUE_CHROOT | |
|
AUE_CLOSE | |
|
AUE_CONNECT | |
|
AUE_CORE | |
|
AUE_CREAT | |
|
AUE_DOORFS_DOOR_BIND | |
|
AUE_DOORFS_DOOR_CALL | |
|
AUE_DOORFS_DOOR_CREATE | |
|
AUE_DOORFS_DOOR_CRED | |
|
AUE_DOORFS_DOOR_INFO | |
|
AUE_DOORFS_DOOR_RETURN | |
|
AUE_DOORFS_DOOR_REVOKE | |
|
AUE_DOORFS_DOOR_UNBIND | |
|
AUE_ENTERPROM | |
|
AUE_EXEC | |
|
AUE_EXECVE | |
|
AUE_EXIT | |
|
AUE_EXITPROM | |
|
AUE_FACLSET | |
|
AUE_FCHDIR | |
|
AUE_FCHMOD | |
|
AUE_FCHOWN | |
|
AUE_FCHROOT | |
|
AUE_FCNTL | |
|
AUE_FORK | |
|
AUE_FORK1 | |
|
AUE_FSTATFS | |
|
AUE_GETAUDIT | |
|
AUE_GETAUID | |
|
AUE_GETMSG | |
|
AUE_GETPMSG | |
|
AUE_GETPORTAUDIT | |
|
AUE_INST_SYNC | |
|
AUE_IOCTL | |
|
AUE_KILL | |
|
AUE_LCHOWN | |
|
AUE_LINK | |
|
AUE_LSTAT | |
|
AUE_LXSTAT | |
|
AUE_MEMCNTL | |
|
AUE_MKDIR | |
|
AUE_MKNOD | |
|
AUE_MMAP | |
|
AUE_MODADDMAJ | |
|
AUE_MODCONFIG | |
|
AUE_MODLOAD | |
|
AUE_MODUNLOAD | |
|
AUE_MOUNT | |
|
AUE_MSGCTL_RMID | |
|
AUE_MSGCTL_SET | |
|
AUE_MSGCTL_STAT | |
|
AUE_MSGGET | |
|
AUE_MSGRCV | |
|
AUE_MSGSND | |
|
AUE_MUNMAP | |
|
AUE_NICE | |
|
AUE_OPEN_R | |
|
AUE_OPEN_RC | |
|
AUE_OPEN_RT | |
|
AUE_OPEN_RTC | |
|
AUE_OPEN_RW | |
|
AUE_OPEN_RWC | |
|
AUE_OPEN_RWT | |
|
AUE_OPEN_RWTC | |
|
AUE_OPEN_W | |
|
AUE_OPEN_WC | |
|
AUE_OPEN_WT | |
|
AUE_OPEN_WTC | |
|
AUE_OSETUID | |
|
AUE_P_ONLINE | |
|
AUE_PATHCONF | |
|
AUE_PIPE | |
|
AUE_PRIOCNTLSYS | |
|
AUE_PROCESSOR_BIND | |
|
AUE_PUTMSG | |
|
AUE_PUTPMSG | |
|
AUE_READLINK | |
|
AUE_RENAME | |
|
AUE_RMDIR | |
|
AUE_SEMCTL_GETALL | |
|
AUE_SEMCTL_GETNCNT | |
|
AUE_SEMCTL_GETPID | |
|
AUE_SEMCTL_GETVAL | |
|
AUE_SEMCTL_GETZCNT | |
|
AUE_SEMCTL_RMID | |
|
AUE_SEMCTL_SET | |
|
AUE_SEMCTL_SETALL | |
|
AUE_SEMCTL_SETVAL | |
|
AUE_SEMCTL_STAT | |
|
AUE_SEMGET | |
|
AUE_SEMOP | |
|
AUE_SETAUDIT | |
|
AUE_SETAUID | |
|
AUE_SETEGID | |
|
AUE_SETEUID | |
|
AUE_SETGID | |
|
AUE_SETGROUPS | |
|
AUE_SETPGRP | |
|
AUE_SETREGID | |
|
AUE_SETREUID | |
|
AUE_SETRLIMIT | |
|
AUE_SETUID |
Reported as AUE_OSETUID, see Table A-136 |
|
AUE_SHMAT | |
|
AUE_SHMCTL_RMID | |
|
AUE_SHMCTL_SET | |
|
AUE_SHMCTL_STAT | |
|
AUE_SHMDT | |
|
AUE_SHMGET | |
|
AUE_SHUTDOWN | |
|
AUE_SOCKACCEPT | |
|
AUE_SOCKCONNECT | |
|
AUE_SOCKRECEIVE | |
|
AUE_SOCKSEND | |
|
AUE_STAT | |
|
AUE_STATFS | |
|
AUE_STATVFS | |
|
AUE_STIME | |
|
AUE_SYMLINK | |
|
AUE_SYSINFO | |
|
AUE_SYSTEMBOOT | |
|
AUE_UMOUNT | |
|
AUE_UNLINK | |
|
AUE_UTIME | |
|
AUE_UTIMES | |
|
AUE_UTSSYS | |
|
AUE_VFORK | |
|
AUE_VTRACE | |
|
AUE_XMKNOD | |
|
AUE_XSTAT |
Table A-193 Event-to-Command Translation
|
Audit Event |
Command |
|---|---|
|
AUE_allocate_succ | |
|
AUE_allocate_fail | |
|
AUE_deallocate_succ | |
|
AUE_deallocate_fail | |
|
AUE_listdevice_succ | |
|
AUE_listdevice_fail | |
|
AUE_at_create | |
|
AUE_at_delete | |
|
AUE_at_perm | |
|
AUE_crontab_create | |
|
AUE_crontab_delete | |
|
AUE_cron_invoke | |
|
AUE_crontab_perm | |
|
AUE_halt_solaris | |
|
AUE_inetd_connect | |
|
AUE_init_solaris | |
|
AUE_ftpd | |
|
AUE_login | |
|
AUE_rlogin | |
|
AUE_telnet | |
|
AUE_logout | |
|
AUE_mountd_mount | |
|
AUE_mountd_umount | |
|
AUE_passwd | |
|
AUE_poweroff_solaris | |
|
AUE_reboot_solaris | |
|
AUE_rexd | |
|
AUE_rexecd | |
|
AUE_rshd | |
|
AUE_shutdown_solaris | |
|
AUE_su | |
|
AUE_uadmin_solaris |
- © 2010, Oracle Corporation and/or its affiliates