These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes:
- The name of the program
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit record structure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_succ | /usr/sbin/allocate | 6200 | ad | 0x00000800 |

Format:
header-token
text-token
path-token
subject-token
exit-token

Table A-161 allocate-device failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_allocate_fail | /usr/sbin/allocate | 6201 | ad | 0x00000800 |

Format:
header-token
text-token
subject-token
exit-token

Table A-162 deallocate-device success

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_succ | /usr/sbin/deallocate | 6202 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-163 deallocate-device failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_deallocate_fail | /usr/sbin/deallocate | 6203 | ad | 0x00000800 |

Format:
header-token
subject-token
newgroups-token
exit-token

Table A-164 allocate-list devices success

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_succ | /usr/sbin/allocate | 6205 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-165 allocate-list devices failure

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_listdevice_fail | /usr/sbin/allocate | 6206 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-166 at-create crontab

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_create | /usr/bin/at | 6144 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-167 at-delete atjob (at or atrm)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_delete | /usr/bin/at | 6145 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-168 at-permission

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_at_perm | /usr/bin/at | 6146 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-169 crontab-crontab created

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_create | /usr/bin/crontab | 6148 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-170 crontab-crontab deleted

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_delete | /usr/bin/crontab | 6149 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-171 cron-invoke atjob or crontab

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_cron_invoke | /usr/bin/crontab | 6147 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (program)
text-token (shell)
text-token (cmd)
exit-token

Table A-172 crontab-permission

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_crontab_perm | /usr/bin/crontab | 6150 | ad | 0x00000800 |

Format:
header-token
subject-token
[group-token]
exit-token

Table A-173 halt(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_halt_solaris | /usr/sbin/halt | 6160 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-174 inetd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_inetd_connect | /usr/sbin/inetd | 6151 | na | 0x00000400 |

Format:
header-token
subject-token
text-token (service name)
in_addr-token
iport-token
return-token

Table A-175 init(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_init_solaris | /sbin/init; /usr/sbin/init; /usr/sbin/shutdown | 6166 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (init level)
return-token

Table A-176 ftp access

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_ftpd | /usr/sbin/in.ftpd | 6165 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
return-token

Table A-177 login - local

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_login | /usr/sbin/login | 6152 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-178 login - rlogin

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rlogin | /usr/sbin/login | 6155 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-179 login - telnet

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_telnet | /usr/sbin/login | 6154 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-180 logout

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_logout | /usr/sbin/login | 6153 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token
return-token

Table A-181 mount

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_mount | /usr/lib/nfs/mountd | 6156 | na | 0x00000400 |

Format:
header-token
arg-token
text-token (remote client hostname)
path-token (mount dir)
attribute-token
path-token
attribute-token
subject-token
return-token

Table A-182 unmount

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_mountd_umount | /usr/lib/nfs/mountd | 6157 | na | 0x00000400 |

Format:
header-token
path-token (mount dir)
attribute-token
subject-token
return-token

Table A-183 passwd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_passwd | /usr/bin/passwd | 6163 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-184 poweroff(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_poweroff_solaris | /usr/sbin/poweroff | 6169 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-185 reboot(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_reboot_solaris | /usr/sbin/reboot | 6161 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-186 rexd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexd | /usr/sbin/rpc.rexd | 6164 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token

Table A-187 rexecd

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rexecd | /usr/sbin/in.rexecd | 6162 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message, failure only)
text-token (hostname)
text-token (username)
text-token (command to be executed)
exit-token

Table A-188 rsh access

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_rshd | /usr/sbin/in.rshd | 6158 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (command string)
text-token (local user)
text-token (remote user)
return-token

Table A-189 shutdown(1b)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_shutdown_solaris | /usr/ucb/shutdown | 6168 | ad | 0x00000800 |

Format:
header-token
subject-token
return-token

Table A-190 su

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_su | /usr/bin/su | 6159 | lo | 0x00001000 |

Format:
header-token
subject-token
text-token (error message)
return-token

Table A-191 admin(1m)

| Event Name | Program | Event ID | Event Class | Mask |
|---|---|---|---|---|
| AUE_uadmin_solaris | /sbin/uadmin; /usr/sbin/uadmin | 6167 | ad | 0x00000800 |

Format:
header-token
subject-token
text-token (function)
text-token (argument)
return-token