audit_record_attr.txt revision 18c2aff776a775d34a4c9893a4c72e0434d68e36
# audit_record_attr.txt
# Lines that begin with two "#" are comments that are copied through
# to the generated audit_record_attr; all other "#" comments are removed.
##
## Copyright 2006 Sun Microsystems, Inc. All rights reserved.
## Use is subject to license terms.
##
## CDDL HEADER START
##
## The contents of this file are subject to the terms of the
## Common Development and Distribution License (the "License").
## You may not use this file except in compliance with the License.
##
## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
## or http://www.opensolaris.org/os/licensing.
## See the License for the specific language governing permissions
## and limitations under the License.
##
## When distributing Covered Code, include this CDDL HEADER in each
## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
## If applicable, add the following below this CDDL HEADER, with the
## fields enclosed by brackets "[]" replaced with your own identifying
## information: Portions Copyright [yyyy] [name of copyright owner]
##
## CDDL HEADER END
##
## ident "%Z%%M% %I% %E% SMI"
##
# source file for describing audit records.
# This file is in two sections. The first is a list of attribute /
# value pairs used to provide short cuts in annotating the audit
# records. The second is for annotation for each audit record.
# first section: general attributes
# skipClass=<class name of items to skip if only in that class>
#skipClass=no # uncomment to filter unused events
# token name abbreviations
# token=alias:fullname -- short names for key tokens
token=arg:argument
token=attr:attribute
token=cmd:command
token=data:data
token=group:group
token=inaddr:ip_addr
token=inet:socket
token=ipc:ipc
token=newgroup:newgroups
token=path:path
token=privset:privilege
token=proc:process
token=text:text
token=tid:terminal_adr
token=uauth:use_of_privilege
token=zone:zonename
token=fmri:service_instance
token=head:header
token=subj:subject
token=ret:return
token=exit:exit
# note names -- certain notes show up repeatedly; collected here
message=ipc_perm:The ipc and ipc_perm tokens are not included if the message ID is not valid.
message=socket:The socket token for a bad socket is reported as "argument (1, "fd", socket descriptor)"
# basic record pattern ("insert" is where event-specific tokens
# are listed.)
kernel=head:insert:subj:[uauth]:ret
user=head:subj:insert:ret
# Second Section
# Annotation Section
#
# Most audit records need annotation beyond what is provided by
# the files audit_event and audit_class. At a minimum, a record
# is represented by a label and a format.
#
# label=record_id like AUE_ACCEPT
# format=token_alias
#
# there is no end line; a new label= ends the preceding definition
# and starts the next.
#
# format values are a list of token names, separated by colons. The
# name is either one of the values described above (token=) or is
# a value to be taken literally. If a token name ends with a digit,
# the digit is an index into an array of comments. In the few cases
# where there are no tokens (other than header, subject, return/exit),
# use "format=kernel" or "format=user".
#
# comment is an array of strings separated by colons. If comments
# are listed on separate lines, the preceding comment must end with
# a colon. The array starts at 1. (If the comment contains a colon,
# use "&colon;" without the quotes.)
#
# case is used to generate alternate descriptions for a given
# record.
#
# AUE_ACCEPT illustrates the use of all the above. Note that
# case is not nested; ellipsis (...) is used to give the effect
# of nesting.
label=AUE_ACCEPT
#accept(2) failure
case=Invalid socket file descriptor
format=arg1
comment=1, file descriptor, "so"
#accept(2) non SOCK_STREAM socket
case=If the socket address is not part of the AF_INET family
format=arg1:arg2:arg3
comment=1, "so", file descriptor:
comment="family", so_family:
comment="type", so_type
case=If the socket address is part of the AF_INET family
case=...If there is no vnode for this file descriptor
format=[arg]1
comment=1, file descriptor, "Bad so"
#accept(2) SOCK_STREAM socket-not bound
case=...or if the socket is not bound
format=[arg]1:[inet]2
comment=1, file descriptor, "so":
comment=local/foreign address (0.0.0.0)
case=...or if the socket address length = 0
format=[arg]1:[inet]1
comment=1, file descriptor, "so":
comment=local/foreign address (0.0.0.0)
case=...or for all other conditions
format=inet1:[inet]1
comment=socket address
#accept(2) failure
# header
# au_to_arg32 "so",file descriptor
# subject
# return <errno != 0>
#
#accept(2) non SOCK_STREAM socket
# header
# au_to_arg32 "so", file descriptor
# au_to_arg32 "family", so_family
# au_to_arg32 "type", so_type
# subject
# return success
#
#accept(2) SOCK_STREAM socket-not bound
# header
# au_to_arg32 "so", file descriptor
# au_to_socket_ex local/foreign address (0.0.0.0)
# subject
# return success
#
#accept(2) SOCK_STREAM socket-bound
# header
# au_to_arg32 "so", file descriptor
# au_to_socket_ex
# subject
# return success
label=AUE_ACCESS
format=path1:[attr]
comment=may be truncated in failure case
# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
# attribute,100777,41416,staff,8388608,402255,0
# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
# return,success,0
# trailer,163
#
# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
# attribute,100000,root,other,8388608,402257,0
# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
# return,failure: Permission denied,-1
# trailer,163
#
# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
# return,failure: No such file or directory,-1
# trailer,135
label=AUE_ACCT
case=Zero path
format=arg1
comment=1, 0, "accounting off"
case=Non-zero path
format=path1:[attr]2
comment=may be truncated in failure case:
comment=omitted if failure
label=AUE_ACLSET
syscall=acl
format=arg1:arg2:(0..n)[acl]3
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=Access Control List entries
label=AUE_ADJTIME
format=kernel
label=AUE_ASYNC_DAEMON
skip=Not used
label=AUE_ASYNC_DAEMON_EXIT
skip=Not used
label=AUE_AUDIT
skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
label=AUE_AUDITON
skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
label=AUE_AUDITON_GESTATE
skip=Not used
label=AUE_AUDITON_GETCAR
format=kernel
syscall=auditon: GETCAR
# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCLASS
format=kernel
syscall=auditon: GETCLASS
# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCOND
format=kernel
syscall=auditon: GETCOND
# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCWD
format=kernel
syscall=auditon: GETCWD
# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETKMASK
format=kernel
syscall=auditon: GETKMASK
# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETSTAT
format=kernel
syscall=auditon: A_GETSTAT
# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GPOLICY
format=kernel
syscall=auditon: GPOLICY
# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
# subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GQCTRL
format=kernel
syscall=auditon: GQCTRL
# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GTERMID
skip=Not used.
label=AUE_AUDITON_SESTATE
skip=Not used.
label=AUE_AUDITON_SETCLASS
format=[arg]1:[arg]2
comment=2, "setclass&colon;ec_event", event number:
comment=3, "setclass&colon;ec_class", class mask
syscall=auditon: SETCLASS
# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
# argument,2,0x0,setclass:ec_event
# argument,3,0x0,setclass:ec_class
# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
# return,success,0
# trailer,120
label=AUE_AUDITON_SETCOND
format=[arg]1
comment=3, "setcond", audit state
syscall=auditon: SETCOND
label=AUE_AUDITON_SETKMASK
format=[arg]1:[arg]2
comment=2, "setkmask&colon;as_success", kernel mask:
comment=2, "setkmask&colon;as_failure", kernel mask
syscall=auditon: SETKMASK
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SETSMASK
format=[arg]1:[arg]2
comment=3, "setsmask&colon;as_success", session ID mask:
comment=3, "setsmask&colon;as_failure", session ID mask
syscall=auditon: SETSMASK
# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
# argument,3,0x400,setsmask:as_success
# argument,3,0x400,setsmask:as_failure
# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
# argument,3,0x400,setsmask:as_success
# argument,3,0x400,setsmask:as_failure
# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SETSTAT
format=kernel
syscall=auditon: SETSTAT
# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_AUDITON_SETUMASK
format=[arg]1:[arg]2
comment=3, "setumask&colon;as_success", audit ID mask:
comment=3, "setumask&colon;as_failure", audit ID mask
syscall=auditon: SETUMASK
# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
# argument,3,0x400,setumask:as_success
# argument,3,0x400,setumask:as_failure
# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
# argument,3,0x400,setumask:as_success
# argument,3,0x400,setumask:as_failure
# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SPOLICY
format=[arg]1
comment=3, audit policy flags, "setpolicy"
syscall=auditon: SPOLICY
# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
# argument,3,0x200,setpolicy
# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
# return,success,0
# trailer,86
# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
# argument,3,0x200,setpolicy
# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,86
label=AUE_AUDITON_SQCTRL
format=[arg]1:[arg]2:[arg]3:[arg]4
comment=3, "setqctrl&colon;aq_hiwater", queue control param.:
comment=3, "setqctrl&colon;aq_lowater", queue control param.:
comment=3, "setqctrl&colon;aq_bufsz", queue control param.:
comment=3, "setqctrl&colon;aq_delay", queue control param.
syscall=auditon: SQCTRL
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
# return,success,0
# trailer,176
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,176
label=AUE_AUDITON_STERMID
skip=Not used.
label=AUE_AUDITSTAT
skip=Not used.
label=AUE_AUDITSVC
# audit_event.c mismatch with old BSM manual
# audit_event.c code is used
# As documented:
# case=With a valid file descriptor
# format=[path]:[attr]
# case=With an invalid file descriptor
# format=arg1
# comment=1, fd, "no path fd"
# As implemented:
case=With a valid file descriptor
format=[path]:[attr]:[arg]1
comment=3, limit, "limit"
case=With an invalid file descriptor
format=[arg]1:[arg]2
comment=1, fd, "no path fd":
comment=3, limit, "limit"
# header,168,2,auditsvc(2),,Mon May 15 09:19:49 2000, + 9999915 msec
# path,/export/home/CC_final/icenine/arv/auditsvc/obj_succ
# attribute,100644,root,other,8388608,31279,0
# argument,3,0xa,limit
# subject,tuser10,root,other,root,other,4132,367,255 197121 tmach1
# return,failure: Device busy,-1
# trailer,168
# header,68,2,auditsvc(2),,Mon May 15 09:20:01 2000, + 409999984 msec
# subject,tuser10,tuser10,other,tuser10,other,4261,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_AUDITSYS
skip=Not used. (Place holder for various auditing events.)
label=AUE_BIND
# differs from documented version.
# cases "no vnode" and "not AF_INET" not confirmed
# family and type need argument number
case=Invalid socket handle
format=arg1
comment=1, file descriptor, "so"
case=If there is no vnode for this file descriptor
format=[arg]1
comment=1, file descriptor, "Bad fd"
case=or if the socket is not of the AF_INET family
format=[arg]1:[text]2
comment=1, file descriptor, "fd":
comment=bad socket address
case=or for all other conditions
format=arg1:[arg]2:[arg]3:inet4
comment=1, file descriptor, "so":
comment=1, socket family, "family":
comment=1, socket type, "type":
comment=socket address
label=AUE_BRANDSYS
# generic mechanism to allow user-space and kernel components of a brand
# to communicate. The interpretation of the arguments to the call is
# left entirely up to the brand.
format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
comment=1, command, "cmd":
comment=2, command args, "arg":
comment=3, command args, "arg":
comment=4, command args, "arg":
comment=5, command args, "arg":
comment=6, command args, "arg":
comment=7, command args, "arg"
label=AUE_BSMSYS
skip=Not used.
label=AUE_CHDIR
format=path:[attr]
# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_succ
# attribute,40777,root,other,8388608,231558,0
# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
# return,success,0
# trailer,151
# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_fail
# attribute,40000,root,other,8388608,237646,0
# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,151
label=AUE_CHMOD
format=arg1:path:[attr]
comment=2, mode, "new file mode"
# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_succ
# attribute,100770,tuser10,other,8388608,243608,0
# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
# return,success,0
# trailer,173
# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_fail
# attribute,100600,root,other,8388608,243609,0
# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,173
label=AUE_CHOWN
format=arg1:arg2:path:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_succ
# attribute,100644,tuser10,other,8388608,268406,0
# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
# return,success,0
# trailer,193
# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_fail
# attribute,100644,root,other,8388608,268407,0
# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,193
label=AUE_CHROOT
format=path:[attr]
# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
# path,/
# attribute,40755,root,root,8388608,2,0
# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
# return,success,0
# trailer,104
# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
# path,/export/home/CC_final/icenine/arv/chroot/obj_fail
# attribute,40777,tuser10,other,8388608,335110,0
# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,152
label=AUE_CLOSE
format=arg1:[path]:[attr]
comment=1, file descriptor, "fd"
label=AUE_CONNECT
case=If the socket address is not part of the AF_INET family
format=arg1:text2:text3
comment=1, file descriptor, "so":
comment=bad socket address:
comment=bad peer address
case=If the socket address is part of the AF_INET family
case=...If there is no vnode for this file descriptor
format=[arg]1
comment=1, file descriptor, "bad fd"
case=...or if the socket is not bound
format=[arg]1:[text]2
comment=1, file descriptor, "fd":
comment=socket not bound
case=...or if the socket address length = 0
format=[arg]1:[text]2
comment=1, file descriptor, "fd":
comment=bad socket address
case=...or for all other conditions
format=[inet]1:inet1
comment=socket address
# can't match this to code in audit_event.c for the not inet case
label=AUE_CORE
syscall=none
title=process dumped core
see=none
format=path:[attr]:arg1
comment=1, signal, "signal"
# see uts/common/c2/audit.c
label=AUE_CREAT
format=path:[attr]
# does not match old BSM manual
# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
# path,/export/home/CC_final/icenine/arv/creat/obj_succ
# attribute,100644,tuser10,other,8388608,49679,0
# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
# return,success,8
# trailer,151
# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
# path,/devices/pseudo/mm@0:null
# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
# return,success,8
# trailer,107
# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
# path,/obj_fail
# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,83
label=AUE_DOORFS
skip=Not used. (Place holder for set of door audit events.)
label=AUE_DOORFS_DOOR_BIND
# audit_event.c shows no output.
# as documented:
# format=arg1
# comment=1, door ID, "door ID"
# as implemented:
format=kernel
syscall=doorfs: DOOR_BIND
label=AUE_DOORFS_DOOR_CALL
format=arg1:proc2
comment=1, door ID, "door ID":
comment=for process that owns the door
syscall=doorfs: DOOR_CALL
label=AUE_DOORFS_DOOR_CREATE
format=arg1
comment=1, door attributes, "door attr"
syscall=doorfs: DOOR_CREATE
label=AUE_DOORFS_DOOR_CRED
format=kernel
syscall=doorfs: DOOR_CRED
label=AUE_DOORFS_DOOR_INFO
format=kernel
syscall=doorfs: DOOR_INFO
label=AUE_DOORFS_DOOR_RETURN
format=kernel
syscall=doorfs: DOOR_RETURN
label=AUE_DOORFS_DOOR_REVOKE
format=arg1
comment=1, door ID, "door ID"
syscall=doorfs: DOOR_REVOKE
label=AUE_DOORFS_DOOR_UNBIND
format=arg1
comment=1, door ID, "door ID"
syscall=doorfs: DOOR_UNBIND
label=AUE_DUP2
skip=Not used.
label=AUE_ENTERPROM
title=enter prom
syscall=none
format=head:text1:ret
comment="kmdb"
# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
# text,kmdb
# return,success,0
label=AUE_EXEC
format=path:[attr]1:[exec_arg]2:[exec_env]3
comment=omitted on error:
comment=output if argv policy is set:
comment=output if arge policy is set
label=AUE_EXECVE
format=path:[attr]1:[exec_arg]2:[exec_env]3
comment=omitted on error:
comment=output if argv policy is set:
comment=output if arge policy is set
# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
# path,/devices/pseudo/mm@0:null
# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
# return,success,8
# trailer,107
# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
# path,/usr/bin/pig
# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
# return,failure: No such file or directory,-1
# trailer,86
label=AUE_EXIT
format=[text]1
comment=event aborted
label=AUE_EXITPROM
title=exit prom
syscall=none
format=head:text1:ret
comment="kmdb"
# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
# text,kmdb
# return,success,0
label=AUE_EXPORTFS
skip=Not used.
label=AUE_FACLSET
syscall=facl
case=Invalid file descriptor
format=arg1:arg2
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries"
case=Zero path
format=arg1:arg2:arg3:(0..n)[acl]4
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=1, file descriptor, "no path fd":
comment=ACLs
case=Non-zero path
format=arg1:arg2:path:[attr]:(0..n)[acl]3
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=ACLs
# old BSM manual misses a case; see audit_event.c
label=AUE_FCHDIR
format=[path]:[attr]
# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
# attribute,40777,tuser10,other,8388608,207662,0
# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
# return,success,0
# trailer,150
# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,68
label=AUE_FCHMOD
case=With a valid file descriptor
format=arg1:path:[attr]
comment=2, mode, "new file mode"
case=With an invalid file descriptor
format=arg1:[arg]2
comment=2, mode, "new file mode":
comment=1, file descriptor, "no path fd"
# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
# argument,2,0x1a4,new file mode
# path,/export/home/CC/icenine/arv/fchmod/obj_succ
# attribute,100644,tuser10,other,7602240,26092,0
# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
# return,success,0
# trailer,168
# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
# argument,2,0x1a4,new file mode
# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
# return,failure: Bad file number,-1
# trailer,90
# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
# argument,2,0x1a4,new file mode
# path,/export/home/CC/icenine/arv/fchmod/obj_fail
# attribute,100644,root,other,7602240,26093,0
# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
# return,failure: Not owner,-1
# trailer,168
label=AUE_FCHOWN
case=With a valid file descriptor
format=arg1:arg2:[path]:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
case=With an invalid file descriptor
format=arg1:arg2:[arg]3:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid":
comment=1, file descriptor, "no path fd"
label=AUE_FCHOWNAT
see=openat(2)
case=With a valid file descriptor
format=arg1:arg2:[path]:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
case=With an invalid file descriptor
format=arg1:arg2:[arg]3:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid":
comment=1, file descriptor, "no path fd"
# not verified
label=AUE_FCHROOT
format=[path]:[attr]
# Not verified
label=AUE_FCNTL
case=With a valid file descriptor
format=arg1:path:attr
comment=2, command, "cmd"
case=With an invalid file descriptor
format=arg1:arg2
comment=2, command, "cmd":
comment=1, file descriptor, "no path fd"
label=AUE_FLOCK
skip=Not used.
label=AUE_FORK
format=[arg]1
comment=0, pid, "child PID"
note=The fork(2) return values are undefined because the audit record
note=is produced at the point that the child process is spawned.
# see audit.c
label=AUE_FORK1
format=[arg]1
comment=0, pid, "child PID"
note=The fork1(2) return values are undefined because the audit record
note=is produced at the point that the child process is spawned.
# see audit.c
label=AUE_FSAT
skip=Not used. (Placeholder for AUE_*AT records)
#openat AUE_OPENAT_{W,RW,R} appended with CT as needed
#openat64 AUE_OPENAT_{W,RW,R} appended with CT as needed
#fstatat64 AUE_FSTATAT
#fstatat AUE_FSTATAT
#fchownat AUE_FCHOWNAT
#unlinkat AUE_UNLINKAT
#futimesat AUE_FUTIMESAT
#renameat AUE_RENAMEAT
label=AUE_FSTAT
skip=Not used.
label=AUE_FSTATAT
# No information.
# see=openat(2)
label=AUE_FSTATFS
case=With a valid file descriptor
format=[path]:[attr]
case=With an invalid file descriptor
format=arg1
comment=1, file descriptor, "no path fd"
label=AUE_FTRUNCATE
skip=Not used.
label=AUE_FUTIMESAT
# No information
# see=openat(2)
label=AUE_GETAUDIT
format=kernel
# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_GETAUDIT_ADDR
format=kernel
# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
# return,success,0
label=AUE_GETAUID
format=kernel
# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_GETDENTS
skip=Not used.
#Not security relevant
label=AUE_GETKERNSTATE
skip=Not used.
label=AUE_GETMSG
format=arg1:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
label=AUE_GETPMSG
format=arg1
comment=1, file descriptor, "fd"
label=AUE_GETPORTAUDIT
format=kernel
label=AUE_GETUSERAUDIT
skip=Not used.
label=AUE_INST_SYNC
format=arg1
comment=2, flags value, "flags"
# ok, but audit_event should show ad instead of as
#See 4381430 and its dup 4381450 (the latter says "ad" is correct)
label=AUE_IOCTL
case=With an invalid file descriptor
format=arg1:arg2:arg3
comment=1, file descriptor, "fd":
comment=2, command, "cmd":
comment=3, arg, "arg"
case=With a valid file descriptor
format=path:[attr]:arg1:arg2
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
case=Socket
format=[socket]:arg1:arg2
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
case=Non-file file descriptor
format=arg1:arg2:arg3
comment=1, file descriptor, "fd":
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
case=Bad file name
format=arg1:arg2:arg3
comment=1, file descriptor, "no path&colon; fd":
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
# old BSM manual misses a case
label=AUE_JUNK
skip=Not used.
label=AUE_KILL
case=Valid process
format=arg1:[proc]
comment=2, signo, "signal"
case=Zero or negative process
format=arg1:arg2
comment=2, signo, "signal":
comment=1, pid, "process"
label=AUE_KILLPG
skip=Not used.
label=AUE_LCHOWN
format=arg1:arg2:path:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
# failed verify against audit_event.c -- path and attr not there
label=AUE_LINK
format=path1:[attr]2:path3
comment=from path:from path:to path
# Not verified
label=AUE_LSEEK
skip=Not used.
label=AUE_LSTAT
format=path:[attr]
# not verified
label=AUE_LXSTAT
skip=Not used.
# AUE_LXSTAT now maps to AUE_LSTAT
label=AUE_MCTL
skip=Not used.
label=AUE_MEMCNTL
format=arg1:arg2:arg3:arg4:arg5:arg6
comment=1, base address, "base":
comment=2, length, "len":
comment=3, command, "cmd":
comment=4, command args, "arg":
comment=5, command attributes, "attr":
comment=6, 0, "mask"
label=AUE_MKDIR
format=arg1:path
comment=2, mode, "mode"
#audit_event.c shows no attr token
# format=arg1:path:[attr]
label=AUE_MKNOD
format=arg1:arg2:path:[attr]
comment=2, mode, "mode":
comment=3, dev, "dev"
# not verified
label=AUE_MMAP
case=With a valid file descriptor
format=arg1:arg2:[path]:[attr]
comment=1, segment address, "addr":
comment=2, segment length, "len"
case=With an invalid file descriptor
format=arg1:arg2:arg3
comment=1, segment address, "addr":
comment=2, segment length, "len":
comment=1, file descriptor, "no path&colon; fd"
# format may have changed in S9, current format not verified
# class is no, not usually printed
label=AUE_MODADDMAJ
title=modctl: bind module
syscall=modctl
format=[text]1:[text]2:text3:text4:arg5:(0..n)[text]6
comment=driver major number:
comment=driver name:
comment=root directory or "no rootdir":
comment=driver major number or "no drvname":
comment=5, number of aliases, "":
comment=aliases
# NOT verified against audit_event.c -- 3rd text arg does not exist
label=AUE_MODCONFIG
syscall=modctl
title=modctl: configure module
format=text1:text2
comment=root directory or "no rootdir":
comment=driver major number or "no drvname"
# NOT verified against audit_event.c -- first text arg does not exist
label=AUE_MODCTL
format=kernel
label=AUE_MODLOAD
syscall=modctl
title=modctl: load module
format=[text]1:text2
comment=default path:
comment=filename path
label=AUE_MODUNLOAD
syscall=modctl
title=modctl: unload module
format=arg1
comment=1, module ID, "id"
label=AUE_MOUNT
case=UNIX file system
format=arg1:text2:path:[attr]:[path]:[attr]
comment=3, flags, "flags":
comment=filesystem type
case=NFS file system
format=arg1:text2:text3:arg4:path:[attr]
comment=3, flags, "flags":
comment=filesystem type:
comment=host name:
comment=3, flags, "internal flags"
# unix example:
# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
# argument,3,0x104,flags
# text,ufs
# path,/var2
# attribute,40755,root,root,32,12160,0
# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
# attribute,60640,root,sys,32,231268,137438953476
# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
# return,success,4290707268
# ^^^^^^^^^^ <- bugid 4333559
label=AUE_MSGCTL
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
# audit_event.c shows no IPC token
label=AUE_MSGCTL_RMID
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_RMID
# audit_event.c shows no IPC token
label=AUE_MSGCTL_SET
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_SET
# audit_event.c shows no IPC token
label=AUE_MSGCTL_STAT
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_STAT
# audit_event.c shows no IPC token
label=AUE_MSGGET
format=arg1:[ipc]
comment=1, message key, "msg key"
note=ipc_perm
# audit_event.c shows no IPC token
label=AUE_MSGGETL
skip=Not used.
label=AUE_MSGRCV
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
# audit_event.c shows no IPC token
label=AUE_MSGRCVL
skip=Not used.
label=AUE_MSGSND
format=arg1:[ipc]
comment=1, message ID, "msg ID"
note=ipc_perm
# audit_event.c shows no IPC token
label=AUE_MSGSNDL
skip=Not used.
label=AUE_MSGSYS
skip=Not used. (Placeholder for AUE_MSG* events.)
label=AUE_MUNMAP
format=arg1:arg2
comment=1, address of memory, "addr":
comment=2, memory segment size, "len"
label=AUE_NFS
skip=Not used.
label=AUE_NFSSVC_EXIT
skip=Not used.
label=AUE_NFS_GETFH
skip=Not used.
label=AUE_NFS_SVC
skip=Not used.
label=AUE_NICE
format=kernel
label=AUE_NULL
skip=Not used. (placeholder)
# used internal to audit_event.c for minimal audit
label=AUE_ONESIDE
skip=Not used.
label=AUE_OPEN
skip=Not used. (placeholder for AUE_OPEN_*).
label=AUE_OPEN_R
format=path:[attr]
see=open(2) - read
label=AUE_OPENAT_R
format=path:[attr]
see=openat(2)
# not verified
label=AUE_OPEN_RC
format=path:[attr]
see=open(2) - read,creat
label=AUE_OPENAT_RC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RT
format=path:[attr]
see=open(2) - read,trunc
label=AUE_OPENAT_RT
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RTC
format=path:[attr]
see=open(2) - read,trunc,creat
label=AUE_OPENAT_RTC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RW
format=path:[attr]
see=open(2) - read,write
label=AUE_OPENAT_RW
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RWC
format=path:[attr]
see=open(2) - read,write,creat
label=AUE_OPENAT_RWC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RWT
format=path:[attr]
see=open(2) - read,write,trunc
label=AUE_OPENAT_RWT
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_RWTC
format=path:[attr]
see=open(2) - read,write,trunc,creat
label=AUE_OPENAT_RWTC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_W
format=path:[attr]
see=open(2) - write
label=AUE_OPENAT_W
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_WC
format=path:[attr]
see=open(2) - write,creat
label=AUE_OPENAT_WC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_WT
format=path:[attr]
see=open(2) - write,trunc
label=AUE_OPENAT_WT
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OPEN_WTC
format=path:[attr]
see=open(2) - write,trunc,creat
label=AUE_OPENAT_WTC
see=openat(2)
format=path:[attr]
# not verified
label=AUE_OSETPGRP
skip=Not used.
label=AUE_OSETUID
skip=Not used.
syscall=old setuid
# probably not generated.
# not referenced anywhere, including audit_kevents.h
# and AUE_OSETUID is not defined anywhere
label=AUE_OSTAT
skip=Not used.
label=AUE_PATHCONF
format=path:[attr]
# not verified
label=AUE_PIPE
format=kernel
# class is no, not usually printed
label=AUE_PRIOCNTLSYS
syscall=priocntl
see=priocntl(2)
format=arg1:arg2
comment=1, priocntl version number, "pc_version":
comment=3, command, "cmd"
label=AUE_PROCESSOR_BIND
case=No threads bound to the processor
format=arg1:arg2:text3:[proc]
comment=1, type of ID, "ID type":
comment=2, ID value, "ID":
comment="PBIND_NONE"
case=With processor bound
format=arg1:arg2:arg3:[proc]
comment=1, type of ID, "ID type":
comment=2, ID value, "ID":
comment=3, processor ID, "processor_id"
label=AUE_PUTMSG
format=arg1:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
label=AUE_PUTPMSG
see=putmsg(2)
# old BSM doc mismatch against audit_event.c
# documented:
# format=arg1
# comment=1, file descriptor, "fd"
# implemented:
format=arg1:arg2:arg3
comment=1, file descriptor, "fd":
comment=4, priority, "pri":
comment=5, flags, "flags"
label=AUE_P_ONLINE
format=arg1:arg2:text3
comment=1, processor ID, "processor ID":
comment=2, flags value, "flags":
comment=text form of flags. Values&colon; P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
label=AUE_QUOTACTL
skip=Not used.
label=AUE_READ
skip=Not used. (Placeholder for AUE_READ_* events)
label=AUE_READL
skip=Not used. (Obsolete)
label=AUE_READLINK
format=path:[attr]
# see audit_read.c
label=AUE_READV
skip=Not used (obsolete)
# detritus from CMS
label=AUE_READVL
skip=Not used (obsolete)
# detritus from CMS
label=AUE_REBOOT
skip=Not used.
label=AUE_RECV
format=arg1:[arg]2:[arg]3:[inet]
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type"
label=AUE_RECVFROM
format=inet:arg1:[arg2]:inet3:arg4
comment=3, message length, "len":
comment=4, flags, "flags":
comment=from address:
comment=6, address length, "tolen"
note=The socket token for a bad socket is reported as "argument
note=token (1, socket descriptor, "fd")"
label=AUE_RECVMSG
format=inet:arg1:inet2:arg3
comment=4, flags, "flags":
comment=from address:
comment=6, address length, "tolen"
note=The socket token for a bad socket is reported as 'argument
note=token (1, socket descriptor, "fd")'
label=AUE_RENAME
format=path1:[attr]1:[path]2
comment=from name:to name:
# not verified
label=AUE_RENAMEAT
see=openat(2)
format=path1:[attr]1:[path]2
comment=from name:to name:
# not verified
label=AUE_RFSSYS
skip=Not used.
# apparently replaced
label=AUE_RMDIR
format=path:[attr]
# Not verified
label=AUE_SEMCTL
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_GETALL
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETALL
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_GETNCNT
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETNCNT
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_GETPID
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETPID
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_GETVAL
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETVAL
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_GETZCNT
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETZCNT
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_RMID
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_RMID
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_SET
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_SET
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_SETALL
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: SETALL
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_SETVAL
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: SETVAL
# can't find where ipc token is generated, if at all
label=AUE_SEMCTL_STAT
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_STAT
# can't find where ipc token is generated, if at all
label=AUE_SEMGET
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semget
# audit_event.c does not match old BSM manual
# can't find where ipc token is generated, if at all
label=AUE_SEMGETL
skip=Not used.
label=AUE_SEMOP
format=arg1:[ipc]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
label=AUE_SEMSYS
skip=Not used. (placeholder) -- defaults to a semget variant
label=AUE_SEND
format=kernel
# not clear from audit_event.c
label=AUE_SENDMSG
case=If invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=If valid file descriptor
case=...and socket is AF_UNIX
format=path1:arg2:[arg]3:[arg]4:[arg]5
comment=if no path, will be argument&colon; 1, file descriptor, "nopath&colon; fd":
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=3, message flags, "flags"
case=...and socket is AF_INET or AF_INET6
format=arg1:[arg]2:[arg]3:[arg]4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=3, message flags, "flags"
# audit_event.c doesn't match doc, use audit_event.c
label=AUE_SENDTO
case=If invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=If valid file descriptor
case=...and socket is AF_UNIX
format=path1:arg2:[arg]3:[arg]4:[arg]5
comment=if no path, will be argument&colon; 1, file descriptor, "nopath&colon; fd":
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=3, message flags, "flags"
case=...and socket is AF_INET or AF_INET6
format=arg1:[arg]2:[arg]3:[arg]4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=3, message flags, "flags"
# audit_event.c doesn't match doc, use audit_event.c
label=AUE_SETAUDIT
case=With a valid program stack address
format=arg1:arg2:arg3:arg4:arg5:arg6
comment=1, audit user ID, "setaudit&colon;auid":
comment=1, terminal ID, "setaudit&colon;port":
comment=1, terminal ID, "setaudit&colon;machine":
comment=1, preselection mask, "setaudit&colon;as_success":
comment=1, preselection mask, "setaudit&colon;as_failure":
comment=1, audit session ID, "setaudit&colon;asid"
case=With an invalid program stack address
format=kernel
# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
# argument,1,0x271a,setaudit:auid
# argument,1,0x3ff0201,setaudit:port
# argument,1,0x8192591e,setaudit:machine
# argument,1,0x400,setaudit:as_success
# argument,1,0x400,setaudit:as_failure
# argument,1,0x16f,setaudit:asid
# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
# return,success,0
# trailer,215
# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
# argument,1,0x271a,setaudit:auid
# argument,1,0x3ff0201,setaudit:port
# argument,1,0x8192591e,setaudit:machine
# argument,1,0x400,setaudit:as_success
# argument,1,0x400,setaudit:as_failure
# argument,1,0x16f,setaudit:asid
# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
# return,success,0
# trailer,215
label=AUE_SETAUDIT_ADDR
case=With a valid program stack address
format=arg1:arg2:arg3:ip address4:arg5:arg6:arg7
comment=1, audit user ID, "auid":
comment=1, terminal ID, "port":
comment=1, type, "type":
comment=1, terminal ID, "ip address":
comment=1, preselection mask, "as_success":
comment=1, preselection mask, "as_failure":
comment=1, audit session ID, "asid"
case=With an invalid program stack address
format=kernel
# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
# argument,1,0x15fa7,auid
# argument,1,0x0,port
# argument,1,0x4,type
# ip address,tmach2
# argument,1,0x9c00,as_success
# argument,1,0x9c00,as_failure
# argument,1,0x1f1,asid
# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
# return,success,0
label=AUE_SETAUID
format=arg1
comment=2, audit user ID, "setauid"
label=AUE_SETDOMAINNAME
skip=Not used. (See AUE_SYSINFO)
# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
label=AUE_SETEGID
format=arg1
comment=1, group ID, "gid"
label=AUE_SETEUID
format=arg1
comment=1, user ID, "euid"
label=AUE_SETGID
format=arg1
comment=1, group ID, "gid"
label=AUE_SETGROUPS
case=If no groups in list
format=[arg]1
comment=1, 0, "setgroups"
case=If 1 or more groups in list
format=(1..n)arg1
comment=1, gid, "setgroups"
# mismatch with audit_event.c; use audit_event.c
# if more gids are listed than the kernel will accept, no argument
# tokens are generated at all, so the record carries no group list
label=AUE_SETHOSTNAME
skip=Not used. (See AUE_SYSINFO)
# See sysinfo call with command SI_SET_HOSTNAME
label=AUE_SETKERNSTATE
skip=Not used.
label=AUE_SETPGRP
format=[proc]:[arg]1
comment=2, pgrp, "pgrp"
# audit_event shows more tokens than documented
label=AUE_SETPRIORITY
skip=Not used.
label=AUE_SETPPRIV
case=operation privileges off
format=arg1,privset2
comment=setppriv operation:
comment=privileges actually switched off
case=operation privileges on
format=arg1,privset2
comment=setppriv operation:
comment=privileges actually switched on
case=operation privileges set (before and after)
format=arg1,privset,privset
comment=setppriv operation:
comment=privileges before privset:
comment=privileges after privset
#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
#argument,2,0x2,op
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
#return,success,0
label=AUE_SETREGID
format=arg1:arg2
comment=1, real group ID, "rgid":
comment=2, effective group ID, "egid"
label=AUE_SETREUID
format=arg1:arg2
comment=1, real user ID, "ruid":
comment=2, effective user ID, "euid"
label=AUE_SETRLIMIT
format=kernel
# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
# return,success,0
label=AUE_SETSOCKOPT
case=Invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=Valid file descriptor
case=...and socket is AF_UNIX
format=path1:arg2:[arg]3:[arg]4:arg5:arg6:arg7:data8:inet
comment=if no path, will be argument&colon; 1, file descriptor, "nopath&colon; fd":
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
case=...and socket is AF_INET or AF_INET6
format=arg1:[arg]2:[arg]3:arg4:arg5:arg6:data7:inet
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
# document misses some tokens; this matches audit_event.c
label=AUE_SETTIMEOFDAY
skip=Not used.
label=AUE_SETUSERAUDIT
skip=Not used.
label=AUE_SHMAT
format=arg1:arg2:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID":
comment=2, shared mem addr, "shmaddr"
note=ipc_perm
# audit_event.c does not show ipc and ipc_perm
label=AUE_SHMCTL
format=arg1:[ipc]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
# verified against audit_event.c EXCEPT for ipc token
label=AUE_SHMCTL_RMID
format=arg1:[ipc]:ipc_perm
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_RMID
# verified against audit_event.c except for ipc
label=AUE_SHMCTL_SET
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_SET
# verified against audit_event.c except for ipc
label=AUE_SHMCTL_STAT
format=arg1:[ipc]
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_STAT
# verified against audit_event.c except for ipc
label=AUE_SHMDT
format=arg1
comment=1, shared memory address, "shm adr"
label=AUE_SHMGET
format=arg1:[ipc_perm]:[ipc]
comment=0, shared memory key, "shm key"
note=ipc_perm
# does not match audit_event.c; used audit_event.c
label=AUE_SHMGETL
skip=Not used.
label=AUE_SHMSYS
skip=Not used. (Placeholder for shmget and shmctl*)
label=AUE_SHUTDOWN
case=If the socket address is invalid
format=[arg]1:[text]2:[text]3
comment=1, file descriptor, "fd":
comment=bad socket address:bad peer address
case=If the socket address is part of the AF_INET family
case=..with zero file descriptor
format=arg1:[arg]2:[arg]3:[arg]4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, how shutdown code, "how"
case=...with non-zero file descriptor
format=arg1,arg2,inet
comment=1, file descriptor, "so":
comment=2, how shutdown code, "how"
case=If the socket address is AF_UNIX
case=...with zero file descriptor
format=path1:arg2:[arg]3:[arg]4:[arg]5
comment=If error&colon; argument&colon; 1, "no path&colon; fd", file descriptor:
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, how shutdown code, "how"
case=...with non-zero file descriptor
format=path1:arg2:arg3:inet
comment=If error&colon; argument&colon; 1, file descriptor, "no path&colon; fd":
comment=1, file descriptor, "so":
comment=2, how shutdown code, "how"
#old BSM manual wrong; used audit_event.c
label=AUE_SOCKACCEPT
syscall=getmsg: socket accept
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see putmsg and getmsg for record format
# See audit.c for inet token and audit_start.c for other reference
label=AUE_SOCKCONFIG
format=arg1:arg2:arg3:[path]4
comment=1, domain address, "domain":
comment=2, type, "type":
comment=3, protocol, "protocol":
comment=If no path&colon;argument -- 3, 0, "devpath"
label=AUE_SOCKCONNECT
syscall=putmsg: socket connect
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# same as AUE_SOCKACCEPT
label=AUE_SOCKET
format=arg1:[arg]2:arg3
comment=1, socket domain, "domain":
comment=2, socket type, "type":
comment=3, socket protocol, "protocol"
label=AUE_SOCKETPAIR
skip=Not used.
# unreferenced
label=AUE_SOCKRECEIVE
syscall=getmsg
format=inet:arg1:[path]:attr:arg
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT
label=AUE_SOCKSEND
syscall=putmsg
format=inet:arg1:[path]:attr:arg
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT
label=AUE_STAT
format=path:[attr]
# Not verified
label=AUE_STATFS
format=path:[attr]
# Not verified
label=AUE_STATVFS
format=path:[attr]
# Not verified
label=AUE_STIME
format=kernel
label=AUE_SWAPON
skip=Not used.
label=AUE_SYMLINK
format=text1:path:[attr]
comment=symbolic link string
# does not match audit_event.c (can't find where the path
# token is generated)
label=AUE_SYSINFO
format=arg1:[text]2
comment=1, command, "cmd":name
# header,85,2,sysinfo(2),,Thu Nov 08 15:02:07 2001, + 0 msec
# argument,1,0x202,cmd
# subject,tuser1,tuser1,staff,tuser1,staff,9662,497,0 0 tmach2
# return,success,85
label=AUE_SYSTEMBOOT
title=system booted
syscall=none
format=head:text1
comment="booting kernel"
# see audit_start.c and audit_io.c
# no subject or return / exit token
# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
# text,booting kernel
label=AUE_TRUNCATE
skip=Not used.
label=AUE_UMOUNT
syscall=umount: old version
format=path:[attr]
# Not verified
label=AUE_UMOUNT2
syscall=umount2
format=path:arg1:[path]:[attr]
comment=2, mflag value, "flags"
label=AUE_UNLINK
format=path:[attr]
#header,137,2,unlink(2),fe,test1,Mon Oct 6 13:36:42 PDT 2003, + 848 msec
#path,/usr/bin/ls
#attribute,100555,root,bin,32,953,0
#subject,tuser,tuser,staff,tuser,staff,467,445,198 197121 test0
#use of privilege,failed use of priv,ALL
#return,failure: Permission denied,-1
label=AUE_UNLINKAT
see=openat(2)
format=path:[attr]
# Not verified
label=AUE_UNMOUNT
skip=Not used.
label=AUE_UTIME
format=path:[attr]
# Not verified
label=AUE_UTIMES
format=path:[attr]
# Not verified
label=AUE_UTSSYS
skip=Not used.
# source of documented format not determined
# no such system call. utssys seems to be a dummy for uname,
# ustat (actual system call) and fusers (no such call).
label=AUE_VFORK
format=arg1
comment=0, pid, "child PID"
note=The vfork(2) return values are undefined because the audit record is
note=produced at the point that the child process is spawned.
label=AUE_VPIXSYS
skip=Not used.
label=AUE_VTRACE
format=kernel
label=AUE_WRITE
format=path1:attr
comment=if no path, argument -- 1, file descriptor, "no path&colon; fd"
note=An audit record is generated for write only once between open and close of a file, not once per write(2) call.
label=AUE_WRITEV
skip=Not used. (obsolete)
# audit_event should use "no" instead of "sl"
label=AUE_WRITEL
skip=Not used. (obsolete)
# audit_event should use "no" instead of "sl"
label=AUE_WRITEVL
skip=Not used. (obsolete)
label=AUE_XMKNOD
skip=Not used. xmknod() generates AUE_MKNOD
label=AUE_XSTAT
skip=Not Used. xstat() generates AUE_STAT.
label=AUE_admin_authenticate
program=admin (various)
see=SMC, WBEM, or AdminSuite
title=Admin Server Authentication
format=[text]1
comment="successful login" or error message
# see aue_mgrs.c
# header,61,2,admin login,,Tue Oct 23 12:45:22 2001, + 187 msec
# subject,tuser1,tuser1,emacs,tuser1,emacs,23400,3451581082,24 7 tmach2
# return,success,0
label=AUE_allocate_fail
program=/usr/sbin/allocate
title=allocate: allocate-device failure
format=(0..n)[text]1
comment=command line arguments
# see audit_allocate.c
label=AUE_allocate_succ
program=/usr/sbin/allocate
title=allocate: allocate-device success
format=(0..n)[text]1
comment=command line arguments
# see audit_allocate.c
label=AUE_at_create
program=/usr/bin/at
title=at: at-create crontab
format=user
# Not verified
label=AUE_at_delete
program=/usr/bin/at
title=at: at-delete atjob (at or atrm)
format=text1:path
comment="ancillary file&colon;" filename or "bad format of at-job name"
label=AUE_at_perm
skip=Not used.
# not referenced outside uevents.h
label=AUE_create_user
program=administration: create user
format=text1:text2:text3:text4:text5:text6:text7:text8:text9:text10:text11:text12:text13:text14
comment=uid:
comment=user name:
comment=primary gid:
comment=secondary gids; blank if none:
comment=login shell:
comment=password type:
comment=min change:
comment=max change:
comment=max inactive:
comment=expiration date:
comment=warning:
comment=path:
comment=server:
comment=permissions
# Obsolete, last used by AdminSuite 3.0; SMC uses new record types
label=AUE_cron_invoke
program=/usr/sbin/cron
title=cron: cron-invoke at or cron
format=text1:[text]2:[text3]:text4
comment="at-job", "batch-job", "crontab-job", "queue-job", or "unknown job type":
comment="bad user" name or "user <name> account expired":
comment=shell:
comment=cmd
# See audit_cron.c
# header,116,2,cron-invoke,,Thu Nov 08 15:14:01 2001, + 713 msec
# subject,tuser1,tuser1,staff,tuser1,staff,9689,12289,0 0 tmach2
# text,crontab-job
# text,/home/tuser1/bin/filterPOP -timeoff
# return,success,0
label=AUE_crontab_create
program=/usr/bin/crontab
title=crontab: crontab created
format=[text]1:path
comment=crontab content
# See audit_crontab.c
label=AUE_crontab_delete
program=/usr/bin/crontab
title=crontab: crontab delete
format=path
# See audit_crontab.c
label=AUE_crontab_mod
program=/usr/bin/crontab
title=crontab: crontab modify
format=[text]1:path
comment=crontab diffs
# See audit_crontab.c
label=AUE_crontab_perm
skip=Not used.
label=AUE_deallocate_fail
program=/usr/sbin/deallocate
title=deallocate-device failure
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_deallocate_succ
program=/usr/sbin/deallocate
title=deallocate-device success
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_delete_user
program=administration: delete user
format=text1
comment=uid
# Obsolete, last used by AdminSuite 3.0; SMC uses new record types
label=AUE_disable_user
program=administration: disable user
format=text1
comment=uid
# Obsolete, last used by AdminSuite 3.0; SMC uses new record types
label=AUE_enable_user
program=administration: enable user
format=text1
comment=uid
# Obsolete, last used by AdminSuite 3.0; SMC uses new record types
label=AUE_ftpd
program=/usr/sbin/in.ftpd
title=in.ftpd
format=[text]1
comment=error message
# See audit_ftpd
label=AUE_ftpd_logout
program=/usr/sbin/in.ftpd
title=in.ftpd
format=text
# See audit_ftpd
label=AUE_filesystem_add
program=SMC server
see=
title=SMC: filesystem add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
label=AUE_filesystem_modify
program=SMC server
see=
title=SMC: filesystem modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_filesystem_delete
program=SMC server
see=
title=SMC: filesystem delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_halt_solaris
program=/usr/sbin/halt
title=halt
format=user
# See audit_halt.c
label=AUE_inetd_connect
program=/usr/sbin/inetd
title=inetd
format=text1:tid2:cmd3:privset
comment=service name:client address:inetd command
label=AUE_inetd_ratelimit
program=/usr/sbin/inetd
title=inetd
format=text1:text2
comment=service name:limit value
label=AUE_inetd_copylimit
program=/usr/sbin/inetd
title=inetd
format=text1:text2
comment=service name:limit value
label=AUE_inetd_failrate
program=/usr/sbin/inetd
title=inetd
format=text1:text2
comment=service name:limit value, interval
label=AUE_init_solaris
title=init
see=init(1M)
program=/sbin/init;/usr/sbin/init;/usr/sbin/shutdown
format=text1
comment=init level or zone name
# See cmd/init/init.c
label=AUE_kadmind_auth
format=text1:text2:text3
comment=Op&colon; <requested information>:
comment=Arg&colon; <argument for Op>:
comment=Client&colon; <client principal name>
# See audit_kadmin.c / common_audit()
label=AUE_kadmind_unauth
format=text1:text2:text3
comment=Op&colon; <requested information>:
comment=Arg&colon; <argument for Op>:
comment=Client&colon; <client principal name>
# See audit_kadmin.c / common_audit()
label=AUE_krb5kdc_as_req
format=text1:text2
comment=Client&colon; <client principal name>:
comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req
format=text1:text2
comment=Client&colon; <client principal name>:
comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req_alt_tgt
format=text1:text2
comment=Client&colon; <client principal name>:
comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req_2ndtktmm
format=text1:text2
comment=Client&colon; <client principal name>:
comment=Service&colon; <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_listdevice_fail
title=allocate-list devices failure
program=/usr/sbin/allocate
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_listdevice_succ
title=allocate-list devices success
program=/usr/sbin/allocate
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_login
title=terminal login
program=/usr/sbin/login;/usr/dt/bin/dtlogin
see=login(1);dtlogin
format=text1
comment=error message or "successful login"
label=AUE_logout
title=login: logout
program=various
see=login(1)
format=text1
comment="logout" username
label=AUE_modify_user
program=administration: modify user
format=text1:text2:text3:text4:text5:text6:text7:text8:text9:text10:text11:text12:text13:text14
comment=uid:
comment=user name:
comment=primary gid:
comment=secondary gids; blank if none:
comment=login shell:
comment=password type:
comment=min change:
comment=max change:
comment=max inactive:
comment=expiration date:
comment=warning:
comment=path:
comment=server:
comment=permissions
# Obsolete, last used by AdminSuite 3.0; SMC uses new record types
label=AUE_mountd_mount
title=mountd: NFS mount
program=/usr/lib/nfs/mountd
see=mountd(1M)
format=text1:path2
comment=remote client hostname:mount dir
# See audit_mountd.c; old BSM manual is way off
label=AUE_mountd_umount
title=mountd: NFS unmount
program=/usr/lib/nfs/mountd
format=path1
comment=mount dir
# See audit_mountd.c; old BSM manual is way off
label=AUE_network_add
program=SMC server
see=
title=SMC: network add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
label=AUE_network_modify
program=SMC server
see=
title=SMC: network modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_network_delete
program=SMC server
see=
title=SMC: network delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_newgrp_login
program=newgrp
format=text1
comment=Group id
label=AUE_passwd
program=/usr/bin/passwd
title=passwd
format=text1
comment=success/fail message
# See audit_passwd.c
label=AUE_printer_add
see=
program=SMC server
title=SMC: printer add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
label=AUE_printer_modify
see=
program=SMC server
title=SMC: printer modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_printer_delete
program=SMC server
see=
title=SMC: printer delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_poweroff_solaris
program=/usr/sbin/poweroff
title=poweroff
format=user
# See audit_halt.c
label=AUE_prof_cmd
program=/usr/bin/pfexec
see=pfexec(1)
title=pfexec
format=[newgroup]:path1:path2:cmd:process:[privset]:[privset]
comment=working directory:
comment=command pathname
#header,164,2,profile command,,tmach1,Thu Oct 2 13:22:12 PDT 2003, + 914 msec
#subject,testuser1,root,staff,testuser1,staff,2821,3890428265,0 25 tmach2
#path,/usr/include/security
#path,/usr/sbin
#cmd,argcnt,0,envcnt,0,
#process,root,root,root,root,root,2821,3890428265,0 25 tmach2
#privilege,Limit,none
#return,success,0
#sequence,16972
#trailer,164
label=AUE_reboot_solaris
program=/usr/sbin/reboot
title=reboot
format=user
# See audit_reboot.c
# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
# return,success,0
label=AUE_rexd
program=/usr/sbin/rpc.rexd
title=rpc.rexd
format=[text]1:text2:text3:[text]4:text5
comment=error message (failure only):
comment="Remote execution requested by&colon;" hostname:
comment="Username&colon;" username:
comment="User id&colon;" user ID (failure only):
comment="Command line&colon;" command attempted
# See audit_rexd.c
label=AUE_rexecd
program=/usr/sbin/rpc.rexecd
title=rpc.rexecd
format=[text]1:text2:text3:text4
comment=error message (failure only):
comment="Remote execution requested by&colon;" hostname:
comment="Username&colon;" username:
comment="Command line&colon;" command attempted
# See audit_rexecd.c
label=AUE_rlogin
title=rlogin
program=/usr/sbin/login
see=login(1) - rlogin
format=[text]1
comment=success/fail message
label=AUE_role_login
program=SMC server;/usr/bin/su
title=RBAC: role login
format=[text]1
comment=error message
label=AUE_role_logout
program=/usr/bin/su
title=su
see=su(1M)
format=user
label=AUE_rshd
program=/usr/sbin/in.rshd
title=in.rshd
format=text1:text2:text3:[text]4
comment="cmd" command:
comment="remote user" remote user:
comment="local user" local user:
comment=failure message
# See audit_rshd.c
label=AUE_scheduledjob_add
program=SMC server
see=
title=SMC: scheduled job add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
label=AUE_scheduledjob_modify
see=
program=SMC server
title=SMC: scheduled job modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_scheduledjob_delete
program=SMC server
see=
title=SMC: scheduled job delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_screenlock
program=desktop screen lock
format=user
label=AUE_screenunlock
program=desktop screen unlock
format=user
label=AUE_serialport_add
program=SMC server
see=
title=SMC: serial port add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
label=AUE_serialport_modify
program=SMC server
see=
title=SMC: serial port modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_serialport_delete
program=SMC server
see=
title=SMC: serial port delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_shutdown_solaris
title=shutdown
program=/usr/ucb/shutdown
format=user
# See audit_shutdown.c
label=AUE_smserverd
program=/usr/lib/smedia/rpc.smserverd
format=[text]1,[text]2
comment=state change:
comment=vid, pid, major/minor device
# see usr/src/cmd/smserverd
# code shows a third token, path, but it isn't implemented.
label=AUE_ssh
program=/usr/lib/ssh/sshd
format=[text]1
comment=error message
# header,61,2,login - ssh,,Tue Oct 23 12:45:30 2001, + 143 msec
# subject,tuser57,tuser57,staff,tuser57,staff,23408,296727403,0 0 0.0.0.0
# return,success,0
label=AUE_su
program=/usr/bin/su
title=su
see=su(1M)
format=[text]1
comment="user name" of failed new user/role
label=AUE_su_logout
program=/usr/bin/su
title=su
see=su(1M)
format=user
label=AUE_telnet
title=telnet login
program=/usr/sbin/login
see=login(1) - telnet
format=[text]1
comment=success/fail message
label=AUE_uadmin_solaris
title=uadmin
program=/sbin/uadmin;/usr/sbin/uadmin
format=text1:text2
comment=function code:argument code
# See audit_uadmin.c
label=AUE_uauth
program=SMC server
see=
title=SMC: Use of Authorization
format=text1:text2
comment=authorization used:
comment=object name
label=AUE_usermgr_add
see=
program=SMC server
title=SMC: User Manager add
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=initial values
# header,137,2,add user/user attributes,,Tue Oct 23 12:45:26 2001, + 725 msec
# subject,tuser1,tuser1,emacs,tuser1,emacs,23404,2926062642,0 0 0.0.0.0
# text,passwd.h
# text,NIS-
# use of authorization,phony role
# text,A long list of attribute / value pairs
# return,success,0
label=AUE_usermgr_modify
program=SMC server
see=
title=SMC: User Manager modify
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=changed values
label=AUE_usermgr_delete
program=SMC server
see=
title=SMC: User Manager delete
format=text1:[text]2:text3:uauth:text4
comment=object name:
comment=domain:
comment=name_service:
comment=deleted values
label=AUE_zone_state
format=text1:zone2
comment=New zone state:zone name
label=AUE_attach
program=hald
format=uauth1:text2:text3:[text4]
comment=authorization used:mount point:device:options
label=AUE_detach
program=hald
format=uauth1:text2:text3:[text4]
comment=authorization used:mount point:device:options
label=AUE_remove
program=hald
format=uauth1:[text2]:text3
comment=authorization used:mount point:device
label=AUE_pool_import
program=hald
format=uauth1:text2:text3
comment=authorization used:pool:device
label=AUE_pool_export
program=hald
format=uauth1:text2:text3
comment=authorization used:pool:device