1 # audit_record_attr.txt 2 # Two "#" are comments that are copied to audit_record_attr 3 # other comments are removed. 4 ## 5 ## Copyright 2008 Sun Microsystems, Inc. All rights reserved. 6 ## Use is subject to license terms. 7 ## 8 ## CDDL HEADER START 9 ## 10 ## The contents of this file are subject to the terms of the 11 ## Common Development and Distribution License (the "License"). 12 ## You may not use this file except in compliance with the License. 13 ## 14 ## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 15 ## or http://www.opensolaris.org/os/licensing. 16 ## See the License for the specific language governing permissions 17 ## and limitations under the License. 18 ## 19 ## When distributing Covered Code, include this CDDL HEADER in each 20 ## file and include the License file at usr/src/OPENSOLARIS.LICENSE. 21 ## If applicable, add the following below this CDDL HEADER, with the 22 ## fields enclosed by brackets "[]" replaced with your own identifying 23 ## information: Portions Copyright [yyyy] [name of copyright owner] 24 ## 25 ## CDDL HEADER END 26 ## 27 ## 28 29 # source file for describing audit records. 30 31 # This file is in two sections. The first is a list of attribute / 32 # value pairs used to provide short cuts in annotating the audit 33 # records. The second is for annotation for each audit record. 
34 35 # first section: general attributes 36 37 # skipClass=<class name of items to skip if only in that class> 38 #skipClass=no # uncomment to filter unused events 39 40 # token name abbreviations 41 # token=alias:fullname -- short names for key tokens 42 43 token=arg:argument 44 token=attr:attribute 45 token=cmd:command 46 token=data:data 47 token=group:group 48 token=inaddr:ip_addr 49 token=inet:socket 50 token=ipc:ipc 51 token=newgroup:newgroups 52 token=path:path 53 token=privset:privilege 54 token=proc:process 55 token=text:text 56 token=tid:terminal_adr 57 token=uauth:use_of_authorization 58 token=upriv:use_of_privilege 59 token=zone:zonename 60 token=fmri:service_instance 61 token=label:mandatory_label 62 63 token=head:header 64 token=subj:subject 65 token=ret:return 66 token=exit:exit 67 68 # note names -- certain notes show up repeatedly; collected here 69 70 message=ipc_perm:The ipc and ipc_perm tokens are not included if the message ID is not valid. 71 72 message=socket:The socket token for a bad socket is reported as "argument (1, "fd", socket descriptor)" 73 74 # basic record pattern ("insert" is where event-specific tokens 75 # are listed.) 76 77 kernel=head:insert:subj:[upriv]:ret 78 user=head:subj:insert:ret 79 80 # Second Section 81 # Annotation Section 82 # 83 # Most audit records need annotation beyond what is provided by 84 # the files audit_event and audit_class. At a minimum, a record 85 # is represented by a label and a format. 86 # 87 # label=record_id like AUE_ACCEPT 88 # format=token_alias 89 # 90 # there is no end line; a new label= ends the preceding definition 91 # and starts the next. 92 # 93 # format values are a list of token names, separated by colons. The 94 # name is either one of the values described above (token=) or is 95 # a value to be taken literally. If a token name ends with a digit, 96 # the digit is an index into an array of comments. 
In the few cases 97 # where there are no tokens (other than header, subject, return/exit), 98 # use "format=kernel" or "format=user". 99 # 100 # comment is an array of strings separated by colons. If comments 101 # are listed on separate lines, the preceding comment must end with 102 # a colon. The array starts at 1. (If the comment contains a colon, 103 # use ":" without the quotes.) 104 # 105 # case is used to generate alternate descriptions for a given 106 # record. 107 # 108 # AUE_ACCEPT illustrates the use of all the above. Note that 109 # case is not nested; ellipsis (...) is used to give the effect 110 # of nesting. 111 112 label=AUE_ACCEPT 113 #accept(2) failure 114 case=Invalid socket file descriptor 115 format=arg1 116 comment=1, file descriptor, "so" 117 #accept(2) non SOCK_STREAM socket 118 case=If the socket address is not part of the AF_INET family 119 format=arg1:arg2:arg3 120 comment=1, "so", file descriptor: 121 comment="family", so_family: 122 comment="type", so_type 123 case=If the socket address is part of the AF_INET family 124 case=...If there is no vnode for this file descriptor 125 format=[arg]1 126 comment=1, file descriptor, "Bad so" 127 #accept(2) SOCK_STREAM socket-not bound 128 case=...or if the socket is not bound 129 format=[arg]1:[inet]2 130 comment=1, file descriptor, "so": 131 comment=local/foreign address (0.0.0.0) 132 case=...or if the socket address length = 0 133 format=[arg]1:[inet]2 134 comment=1, file descriptor, "so": 135 comment=local/foreign address (0.0.0.0) 136 case=...or for all other conditions 137 format=inet1:[inet]1 138 comment=socket address 139 #accept(2) failure 140 # header 141 # au_to_arg32 "so",file descriptor 142 # subject 143 # return <errno != 0> 144 # 145 #accept(2) non SOCK_STREAM socket 146 # header 147 # au_to_arg32 "so", file descriptor 148 # au_to_arg32 "family", so_family 149 # au_to_arg32 "type", so_type 150 # subject 151 # return success 152 # 153 #accept(2) SOCK_STREAM socket-not bound 154 # 
header 155 # au_to_arg32 "so", file descriptor 156 # au_to_socket_ex local/foreign address (0.0.0.0) 157 # subject 158 # return success 159 # 160 #accept(2) SOCK_STREAM socket-bound 161 # header 162 # au_to_arg32 "so", file descriptor 163 # au_to_socket_ex 164 # subject 165 # return success 166 167 168 169 label=AUE_ACCESS 170 format=path1:[attr] 171 comment=may be truncated in failure case 172 # header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec 173 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ 174 # attribute,100777,41416,staff,8388608,402255,0 175 # subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30 176 # return,success,0 177 # trailer,163 178 # 179 # header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec 180 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail 181 # attribute,100000,root,other,8388608,402257,0 182 # subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30 183 # return,failure: Permission denied,-1 184 # trailer,163 185 # 186 # header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec 187 # path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2 188 # subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30 189 # return,failure: No such file or directory,-1 190 # trailer,135 191 192 label=AUE_ACCT 193 case=Zero path 194 format=arg1 195 comment=1, 0, "accounting off" 196 case=Non-zero path 197 format=path1:[attr]2 198 comment=may be truncated in failure case: 199 comment=omitted if failure 200 201 label=AUE_ACLSET 202 syscall=acl 203 format=arg1:arg2:(0..n)[acl]3 204 comment=2, SETACL, "cmd": 205 comment=3, number of ACL entries, "nentries": 206 comment=Access Control List entries 207 208 label=AUE_ADJTIME 209 format=kernel 210 211 label=AUE_ASYNC_DAEMON 212 skip=Not used 213 214 label=AUE_ASYNC_DAEMON_EXIT 215 skip=Not used 216 217 label=AUE_AUDIT 218 skip=Not used. 
(Placeholder for the set AUE_AUDIT_*.) 219 220 label=AUE_AUDITON 221 skip=Not used. (Placeholder for the set AUE_AUDITON_*.) 222 223 label=AUE_AUDITON_GESTATE 224 skip=Not used 225 226 label=AUE_AUDITON_GETCAR 227 format=kernel 228 syscall=auditon: GETCAR 229 # header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec 230 # subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30 231 # return,success,0 232 # trailer,68 233 234 label=AUE_AUDITON_GETCLASS 235 format=kernel 236 syscall=auditon: GETCLASS 237 # header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec 238 # subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1 239 # return,success,0 240 # trailer,68 241 242 label=AUE_AUDITON_GETCOND 243 format=kernel 244 syscall=auditon: GETCOND 245 # header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec 246 # subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1 247 # return,success,0 248 # trailer,68 249 250 label=AUE_AUDITON_GETCWD 251 format=kernel 252 syscall=auditon: GETCWD 253 # header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec 254 # subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1 255 # return,success,0 256 # trailer,68 257 258 label=AUE_AUDITON_GETKMASK 259 format=kernel 260 syscall=auditon: GETKMASK 261 # header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec 262 # subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1 263 # return,success,0 264 # trailer,68 265 266 label=AUE_AUDITON_GETSTAT 267 format=kernel 268 syscall=auditon: A_GETSTAT 269 # header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec 270 # subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1 271 # return,success,0 272 # trailer,68 273 274 label=AUE_AUDITON_GPOLICY 275 format=kernel 276 syscall=auditon: GPOLICY 277 # header,68,2,auditon(2) - get audit 
statistics,,Mon May 15 09:15:40 2000, + 120004056 msec 278 # subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1 279 # return,success,0 280 # trailer,68 281 282 label=AUE_AUDITON_GQCTRL 283 format=kernel 284 syscall=auditon: GQCTRL 285 # header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec 286 # subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1 287 # return,success,0 288 # trailer,68 289 290 291 label=AUE_AUDITON_GTERMID 292 skip=Not used. 293 294 label=AUE_AUDITON_SESTATE 295 skip=Not used. 296 297 label=AUE_AUDITON_SETCLASS 298 format=[arg]1:[arg]2 299 comment=2, "setclass:ec_event", event number: 300 comment=3, "setclass:ec_class", class mask 301 syscall=auditon: SETCLASS 302 # header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec 303 # argument,2,0x0,setclass:ec_event 304 # argument,3,0x0,setclass:ec_class 305 # subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1 306 # return,success,0 307 # trailer,120 308 309 label=AUE_AUDITON_SETCOND 310 format=[arg]1 311 comment=3, "setcond", audit state 312 syscall=auditon: SETCOND 313 314 label=AUE_AUDITON_SETKMASK 315 format=[arg]1:[arg]2 316 comment=2, "setkmask as_success", kernel mask: 317 comment=2, "setkmask as_failure", kernel mask 318 syscall=auditon: SETKMASK 319 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec 320 # argument,2,0x0,setkmask:as_success 321 # argument,2,0x0,setkmask:as_failure 322 # subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1 323 # return,success,0 324 # trailer,124 325 # header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec 326 # argument,2,0x0,setkmask:as_success 327 # argument,2,0x0,setkmask:as_failure 328 # subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1 329 # return,failure: Not owner,-1 330 # trailer,124 331 332 label=AUE_AUDITON_SETSMASK 333 format=[arg]1:[arg]2 334 comment=3, 
"setsmask:as_success", session ID mask: 335 comment=3, "setsmask:as_failure", session ID mask 336 syscall=auditon: SETSMASK 337 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec 338 # argument,3,0x400,setsmask:as_success 339 # argument,3,0x400,setsmask:as_failure 340 # subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1 341 # return,success,0 342 # trailer,124 343 # header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec 344 # argument,3,0x400,setsmask:as_success 345 # argument,3,0x400,setsmask:as_failure 346 # subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1 347 # return,failure: Not owner,-1 348 # trailer,124 349 350 label=AUE_AUDITON_SETSTAT 351 format=kernel 352 syscall=auditon: SETSTAT 353 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec 354 # subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1 355 # return,success,0 356 # trailer,68 357 # header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec 358 # subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1 359 # return,failure: Not owner,-1 360 # trailer,68 361 362 label=AUE_AUDITON_SETUMASK 363 format=[arg]1:[arg]2 364 comment=3, "setumask:as_success", audit ID mask: 365 comment=3, "setumask:as_failure", audit ID mask 366 syscall=auditon: SETUMASK 367 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec 368 # argument,3,0x400,setumask:as_success 369 # argument,3,0x400,setumask:as_failure 370 # subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1 371 # return,success,0 372 # trailer,124 373 # header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec 374 # argument,3,0x400,setumask:as_success 375 # argument,3,0x400,setumask:as_failure 376 # subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1 377 # 
return,failure: Not owner,-1 378 # trailer,124 379 380 label=AUE_AUDITON_SPOLICY 381 format=[arg]1 382 comment=1, audit policy flags, "setpolicy" 383 syscall=auditon: SPOLICY 384 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec 385 # argument,3,0x200,setpolicy 386 # subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1 387 # return,success,0 388 # trailer,86 389 # header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec 390 # argument,3,0x200,setpolicy 391 # subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1 392 # return,failure: Not owner,-1 393 # trailer,86 394 395 label=AUE_AUDITON_SQCTRL 396 format=[arg]1:[arg]2:[arg]3:[arg]4 397 comment=3, "setqctrl:aq_hiwater", queue control param.: 398 comment=3, "setqctrl:aq_lowater", queue control param.: 399 comment=3, "setqctrl:aq_bufsz", queue control param.: 400 comment=3, "setqctrl:aq_delay", queue control param. 401 syscall=auditon: SQCTRL 402 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec 403 # argument,3,0x64,setqctrl:aq_hiwater 404 # argument,3,0xa,setqctrl:aq_lowater 405 # argument,3,0x400,setqctrl:aq_bufsz 406 # argument,3,0x14,setqctrl:aq_delay 407 # subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1 408 # return,success,0 409 # trailer,176 410 # header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec 411 # argument,3,0x64,setqctrl:aq_hiwater 412 # argument,3,0xa,setqctrl:aq_lowater 413 # argument,3,0x400,setqctrl:aq_bufsz 414 # argument,3,0x14,setqctrl:aq_delay 415 # subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1 416 # return,failure: Not owner,-1 417 # trailer,176 418 419 label=AUE_AUDITON_STERMID 420 skip=Not used. 421 422 label=AUE_AUDITSTAT 423 skip=Not used. 424 425 label=AUE_AUDITSVC 426 skip=Not used. 427 428 label=AUE_AUDITSYS 429 skip=Not used. (Place holder for various auditing events.) 
430 431 label=AUE_BIND 432 # differs from documented version. 433 # cases "no vnode" and "not AF_INET" not confirmed 434 # family and type need argument number 435 436 case=Invalid socket handle 437 format=arg1 438 comment=1, file descriptor, "so" 439 case=If there is no vnode for this file descriptor 440 format=[arg]1 441 comment=1, file descriptor, "Bad fd" 442 case=or if the socket is not of the AF_INET family 443 format=[arg]1:[text]2 444 comment=1, file descriptor, "fd": 445 comment=bad socket address 446 case=or for all other conditions 447 format=arg1:[arg]2:[arg]3:inet4 448 comment=1, file descriptor, "so": 449 comment=1, socket family, "family": 450 comment=1, socket type, "type": 451 comment=socket address 452 453 label=AUE_BRANDSYS 454 # generic mechanism to allow user-space and kernel components of a brand 455 # to communicate. The interpretation of the arguments to the call is 456 # left entirely up to the brand. 457 format=arg1:arg2:arg3:arg4:arg5:arg6:arg7 458 comment=1, command, "cmd": 459 comment=2, command args, "arg": 460 comment=3, command args, "arg": 461 comment=4, command args, "arg": 462 comment=5, command args, "arg": 463 comment=6, command args, "arg": 464 comment=7, command args, "arg": 465 466 label=AUE_BSMSYS 467 skip=Not used. 
468 469 label=AUE_CHDIR 470 format=path:[attr] 471 # header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec 472 # path,/export/home/CC_final/icenine/arv/chdir/obj_succ 473 # attribute,40777,root,other,8388608,231558,0 474 # subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1 475 # return,success,0 476 # trailer,151 477 # header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec 478 # path,/export/home/CC_final/icenine/arv/chdir/obj_fail 479 # attribute,40000,root,other,8388608,237646,0 480 # subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1 481 # return,failure: Permission denied,-1 482 # trailer,151 483 484 label=AUE_CHMOD 485 format=arg1:path:[attr] 486 comment=2, mode, "new file mode" 487 # header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec 488 # argument,2,0x1f8,new file mode 489 # path,/export/home/CC_final/icenine/arv/chmod/obj_succ 490 # attribute,100770,tuser10,other,8388608,243608,0 491 # subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1 492 # return,success,0 493 # trailer,173 494 # header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec 495 # argument,2,0x1f8,new file mode 496 # path,/export/home/CC_final/icenine/arv/chmod/obj_fail 497 # attribute,100600,root,other,8388608,243609,0 498 # subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1 499 # return,failure: Not owner,-1 500 # trailer,173 501 502 label=AUE_CHOWN 503 format=arg1:arg2 504 comment=2, uid, "new file uid": 505 comment=3, gid, "new file gid" 506 # header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec 507 # argument,2,0x271a,new file uid 508 # argument,3,0xffffffff,new file gid 509 # path,/export/home/CC_final/icenine/arv/chown/obj_succ 510 # attribute,100644,tuser10,other,8388608,268406,0 511 # subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1 512 # return,success,0 513 # trailer,193 514 # header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 
msec 515 # argument,2,0x271a,new file uid 516 # argument,3,0xffffffff,new file gid 517 # path,/export/home/CC_final/icenine/arv/chown/obj_fail 518 # attribute,100644,root,other,8388608,268407,0 519 # subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1 520 # return,failure: Not owner,-1 521 # trailer,193 522 523 label=AUE_CHROOT 524 format=path:[attr] 525 # header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec 526 # path,/ 527 # attribute,40755,root,root,8388608,2,0 528 # subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1 529 # return,success,0 530 # trailer,104 531 # header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec 532 # path,/export/home/CC_final/icenine/arv/chroot/obj_fail 533 # attribute,40777,tuser10,other,8388608,335110,0 534 # subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1 535 # return,failure: Not owner,-1 536 # trailer,152 537 538 label=AUE_CLOSE 539 format=arg1:[path]:[attr] 540 comment=1, file descriptor, "fd" 541 542 label=AUE_CONNECT 543 case=If the socket address is not part of the AF_INET family 544 format=arg1:text2:text3 545 comment=1, file descriptor, "so": 546 comment=bad socket address: 547 comment=bad peer address 548 case=If the socket address is part of the AF_INET family 549 case=...If there is no vnode for this file descriptor 550 format=[arg]1 551 comment=1, file descriptor, "bad fd" 552 case=...or if the socket is not bound 553 format=[arg]1:[text]2 554 comment=1, file descriptor, "fd": 555 comment=socket not bound 556 case=...or if the socket address length = 0 557 format=[arg]1:[text]2 558 comment=1, file descriptor, "fd": 559 comment=bad socket address 560 case=...or for all other conditions 561 format=[inet]1:inet1 562 comment=socket address 563 # can't match this to code in audit_event.c for the not inet case 564 565 label=AUE_CORE 566 syscall=none 567 title=process dumped core 568 see=none 569 format=path:[attr]:arg1 570 comment=1, signal, "signal" 571 
# see uts/common/c2/audit.c 572 573 label=AUE_CREAT 574 format=path:[attr] 575 # does not match old BSM manual 576 # header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec 577 # path,/export/home/CC_final/icenine/arv/creat/obj_succ 578 # attribute,100644,tuser10,other,8388608,49679,0 579 # subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1 580 # return,success,8 581 # trailer,151 582 # header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec 583 # path,/devices/pseudo/mm@0:null 584 # subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1 585 # return,success,8 586 # trailer,107 587 # header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec 588 # path,/obj_fail 589 # subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1 590 # return,failure: Permission denied,-1 591 # trailer,83 592 593 label=AUE_DOORFS 594 skip=Not used. (Place holder for set of door audit events.) 595 596 label=AUE_DOORFS_DOOR_BIND 597 # audit_event.c shows no output. 598 # as documented: 599 # format=arg1 600 # comment=1, door ID, "door ID" 601 # as implemented: 602 format=kernel 603 syscall=doorfs: DOOR_BIND 604 605 label=AUE_DOORFS_DOOR_CALL 606 format=arg1:proc2 607 comment=1, door ID, "door ID": 608 comment=for process that owns the door 609 syscall=doorfs: DOOR_CALL 610 611 label=AUE_DOORFS_DOOR_CREATE 612 format=arg1 613 comment=1, door attributes, "door attr" 614 syscall=doorfs: DOOR_CREATE 615 616 label=AUE_DOORFS_DOOR_CRED 617 format=kernel 618 syscall=doorfs: DOOR_CRED 619 620 label=AUE_DOORFS_DOOR_INFO 621 format=kernel 622 syscall=doorfs: DOOR_INFO 623 624 label=AUE_DOORFS_DOOR_RETURN 625 format=kernel 626 syscall=doorfs: DOOR_RETURN 627 628 label=AUE_DOORFS_DOOR_REVOKE 629 format=arg1 630 comment=1, door ID, "door ID" 631 syscall=doorfs: DOOR_REVOKE 632 633 label=AUE_DOORFS_DOOR_UNBIND 634 format=arg1 635 comment=1, door ID, "door ID" 636 syscall=doorfs: DOOR_UNBIND 637 638 label=AUE_DUP2 639 skip=Not used. 
640 641 label=AUE_ENTERPROM 642 title=enter prom 643 syscall=none 644 format=head:text1:ret 645 comment="kmdb" 646 # header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00 647 # text,kmdb 648 # return,success,0 649 650 label=AUE_EXEC 651 format=path:[attr]1:[exec_arg]2:[exec_env]3 652 comment=omitted on error: 653 comment=output if argv policy is set: 654 comment=output if arge policy is set 655 656 label=AUE_EXECVE 657 format=path:[attr]1:[exec_arg]2:[exec_env]3 658 comment=omitted on error: 659 comment=output if argv policy is set: 660 comment=output if arge policy is set 661 # header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec 662 # path,/devices/pseudo/mm@0:null 663 # subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1 664 # return,success,8 665 # trailer,107 666 # header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec 667 # path,/usr/bin/pig 668 # subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1 669 # return,failure: No such file or directory,-1 670 # trailer,86 671 672 label=AUE_EXIT 673 format=[text]1 674 comment=event aborted 675 676 label=AUE_EXITPROM 677 title=exit prom 678 syscall=none 679 format=head:text1:ret 680 comment="kmdb" 681 # header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00 682 # text,kmdb 683 # return,success,0 684 685 label=AUE_EXPORTFS 686 skip=Not used. 
687 688 label=AUE_FACLSET 689 syscall=facl 690 case=Invalid file descriptor 691 format=arg1:arg2 692 comment=2, SETACL, "cmd": 693 comment=3, number of ACL entries, "nentries": 694 case=Zero path 695 format=arg1:arg2:arg3:(0..n)[acl]4 696 comment=2, SETACL, "cmd": 697 comment=3, number of ACL entries, "nentries": 698 comment=1, file descriptor, "no path fd": 699 comment=ACLs 700 case=Non-zero path 701 format=arg1:arg2:path:[attr]:(0..n)[acl]3 702 comment=2, SETACL, "cmd": 703 comment=3, number of ACL entries, "nentries": 704 comment=ACLs 705 # old BSM manual misses a case; see audit_event.c 706 707 label=AUE_FCHDIR 708 format=[path]:[attr] 709 # header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec 710 # path,/export/home/CC_final/icenine/arv/fchdir/obj_succ 711 # attribute,40777,tuser10,other,8388608,207662,0 712 # subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1 713 # return,success,0 714 # trailer,150 715 # header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec 716 # subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1 717 # return,failure: Permission denied,-1 718 # trailer,68 719 720 label=AUE_FCHMOD 721 case=With a valid file descriptor 722 format=arg1:path:[attr] 723 comment=2, mode, "new file mode": 724 case=With an invalid file descriptor 725 format=arg1:[arg]2 726 comment=2, mode, "new file mode": 727 comment=1, file descriptor, "no path fd" 728 # header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec 729 # argument,2,0x1a4,new file mode 730 # path,/export/home/CC/icenine/arv/fchmod/obj_succ 731 # attribute,100644,tuser10,other,7602240,26092,0 732 # subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1 733 # return,success,0 734 # trailer,168 735 # header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec 736 # argument,2,0x1a4,new file mode 737 # subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1 738 # return,failure: Bad file number,-1 739 
# trailer,90 740 # header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec 741 # argument,2,0x1a4,new file mode 742 # path,/export/home/CC/icenine/arv/fchmod/obj_fail 743 # attribute,100644,root,other,7602240,26093,0 744 # subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1 745 # return,failure: Not owner,-1 746 # trailer,168 747 748 label=AUE_FCHOWN 749 case=With a valid file descriptor 750 format=arg1:arg2:[path]:[attr] 751 comment=2, uid, "new file uid": 752 comment=3, gid, "new file gid" 753 case=With an invalid file descriptor 754 format=arg1:arg2:[arg]3:[attr] 755 comment=2, uid, "new file uid": 756 comment=3, gid, "new file gid": 757 comment=1, file descriptor, "no path fd" 758 759 label=AUE_FCHOWNAT 760 see=openat(2) 761 case=With a valid file descriptor 762 format=arg1:arg2:[path]:[attr] 763 comment=2, uid, "new file uid": 764 comment=3, gid, "new file gid" 765 case=With an invalid file descriptor 766 format=arg1:arg2:[arg]3:[attr] 767 comment=2, uid, "new file uid": 768 comment=3, gid, "new file gid": 769 comment=1, file descriptor, "no path fd" 770 # not verified 771 772 label=AUE_FCHROOT 773 format=[path]:[attr] 774 # Not verified 775 776 label=AUE_FCNTL 777 case=With a valid file descriptor 778 format=arg1:path:attr 779 comment=2, command, "cmd" 780 case=With an invalid file descriptor 781 format=arg1:arg2 782 comment=2, command, "cmd": 783 comment=1, file descriptor, "no path fd" 784 785 label=AUE_FLOCK 786 skip=Not used. 787 788 label=AUE_FORKALL 789 format=[arg]1 790 comment=0, pid, "child PID" 791 note=The forkall(2) return values are undefined because the audit record 792 note=is produced at the point that the child process is spawned. 793 # see audit.c 794 795 label=AUE_FORK1 796 format=[arg]1 797 comment=0, pid, "child PID" 798 note=The fork1(2) return values are undefined because the audit record 799 note=is produced at the point that the child process is spawned. 
800 # see audit.c 801 802 label=AUE_FSAT 803 skip=Not used. (Placeholder for AUE_*AT records) 804 #openat AUE_OPENAT_{W,RW,R} appended with CT as needed 805 #openat64 AUE_OPENAT_{W,RW,R} appended with CT as needed 806 #fstatat64 AUE_FSTATAT 807 #fstat AUE_FSTATAT 808 #chownat AUE_FCHOWNAT 809 #unlinkat AUE_UNLINKAT 810 #futimesat AUE_FUTIMESAT 811 #renameat AUE_RENAMEAT 812 813 label=AUE_FSTAT 814 skip=Not used. 815 816 label=AUE_FSTATAT 817 # No information. 818 # see=openat(2) 819 820 label=AUE_FSTATFS 821 case=With a valid file descriptor 822 format=[path]:[attr] 823 case=With an invalid file descriptor 824 format=arg1 825 comment=1, file descriptor, "no path fd" 826 827 label=AUE_FTRUNCATE 828 skip=Not used. 829 830 label=AUE_FUTIMESAT 831 # No information 832 # see=openat(2) 833 834 label=AUE_GETAUDIT 835 format=kernel 836 # header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec 837 # subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1 838 # return,success,0 839 # trailer,68 840 # header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec 841 # subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1 842 # return,success,0 843 # trailer,68 844 845 label=AUE_GETAUDIT_ADDR 846 format=kernel 847 # header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec 848 # subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2 849 # return,success,0 850 851 label=AUE_GETAUID 852 format=kernel 853 # header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec 854 # subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1 855 # return,success,0 856 # trailer,68 857 # header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec 858 # subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1 859 # return,failure: Not owner,-1 860 # trailer,68 861 862 label=AUE_GETDENTS 863 skip=Not used. 864 #Not security relevant 865 866 label=AUE_GETKERNSTATE 867 skip=Not used. 
868 869 label=AUE_GETMSG 870 format=arg1:arg2 871 comment=1, file descriptor, "fd": 872 comment=4, priority, "pri" 873 874 label=AUE_GETPMSG 875 format=arg1 876 comment=1, file descriptor, "fd" 877 878 label=AUE_GETPORTAUDIT 879 format=kernel 880 881 label=AUE_GETUSERAUDIT 882 skip=Not used. 883 884 label=AUE_INST_SYNC 885 format=arg1 886 comment=2, flags value, "flags" 887 # ok, but audit_event should show ad instead of as 888 #See 4381430 and its dup 4381450 (the latter says "ad" is correct) 889 890 label=AUE_IOCTL 891 case=With an invalid file descriptor 892 format=arg1:arg2:arg3 893 comment=1, file descriptor, "fd": 894 comment=2, command, "cmd": 895 comment=3, arg, "arg" 896 case=With a valid file descriptor 897 format=path:[attr]:arg1:arg2 898 comment=2, ioctl cmd, "cmd": 899 comment=3, ioctl arg, "arg" 900 case=Socket 901 format=[socket]:arg1:arg2 902 comment=2, ioctl cmd, "cmd": 903 comment=3, ioctl arg, "arg" 904 case=Non-file file descriptor 905 format=arg1:arg2:arg3 906 comment=1, file descriptor, "fd": 907 comment=2, ioctl cmd, "cmd": 908 comment=3, ioctl arg, "arg" 909 case=Bad file name 910 format=arg1:arg2:arg3 911 comment=1, file descriptor, "no path: fd": 912 comment=2, ioctl cmd, "cmd": 913 comment=3, ioctl arg, "arg" 914 # old BSM manual misses a case 915 916 label=AUE_JUNK 917 skip=Not used. 918 919 label=AUE_KILL 920 case=Valid process 921 format=arg1:[proc] 922 comment=2, signo, "signal" 923 case=Zero or negative process 924 format=arg1:arg2 925 comment=2, signo, "signal": 926 comment=1, pid, "process" 927 928 label=AUE_KILLPG 929 skip=Not used. 930 931 label=AUE_LCHOWN 932 format=arg1:arg2:path:[attr] 933 comment=2, uid, "new file uid": 934 comment=3, gid, "new file gid" 935 # failed verify against audit_event.c -- path and attr not there 936 937 label=AUE_LINK 938 format=path1:[attr]2:path3 939 comment=from path: 940 comment=from path: 941 comment=to path 942 # Not verified 943 944 label=AUE_LSEEK 945 skip=Not used. 
946 947 label=AUE_LSTAT 948 format=path:[attr] 949 # not verified 950 951 label=AUE_LXSTAT 952 skip=Not used. 953 # AUE_LXSTAT now maps to AUE_LSTAT 954 955 label=AUE_MCTL 956 skip=Not used. 957 958 label=AUE_MEMCNTL 959 format=arg1:arg2:arg3:arg4:arg5:arg6 960 comment=1, base address, "base": 961 comment=2, length, "len": 962 comment=3, command, "cmd": 963 comment=4, command args, "arg": 964 comment=5, command attributes, "attr": 965 comment=6, 0, "mask" 966 967 label=AUE_MKDIR 968 format=arg1:path 969 comment=2, mode, "mode" 970 #audit_event.c shows no attr token 971 # format=arg1:path:[attr] 972 973 label=AUE_MKNOD 974 format=arg1:arg2:path:[attr] 975 comment=2, mode, "mode": 976 comment=3, dev, "dev" 977 # not verified 978 979 label=AUE_MMAP 980 case=With a valid file descriptor 981 format=arg1:arg2:[path]:[attr] 982 comment=1, segment address, "addr": 983 comment=2, segment address, "len" 984 case=With an invalid file descriptor 985 format=arg1:arg2:arg3 986 comment=1, segment address, "addr": 987 comment=2, segment address, "len": 988 comment=1, file descriptor, "no path: fd" 989 # format may have changed in S9, current format not verified 990 # class is no, not usually printed 991 992 label=AUE_MODADDMAJ 993 title=modctl: bind module 994 syscall=modctl 995 format=[text]1:[text]2:text3:text4:arg5:(0..n)[text]6 996 comment=driver major number: 997 comment=driver name: 998 comment=root directory or "no rootdir": 999 comment=driver major number or "no drvname": 1000 comment=5, number of aliases, "": 1001 comment=aliases 1002 # NOT verified against audit_event.c -- 3rd text arg does not exist 1003 1004 label=AUE_MODCONFIG 1005 syscall=modctl 1006 title=modctl: configure module 1007 format=text1:text2 1008 comment=root directory or "no rootdir": 1009 comment=driver major number or "no drvname" 1010 # NOT verified against audit_event.c -- first text arg does not exist 1011 1012 label=AUE_MODCTL 1013 format=kernel 1014 1015 label=AUE_MODLOAD 1016 syscall=modctl 1017 
title=modctl: load module 1018 format=[text]1:text2 1019 comment=default path: 1020 comment=filename path 1021 1022 label=AUE_MODUNLOAD 1023 syscall=modctl 1024 title=modctl: unload module 1025 format=arg1 1026 comment=1, module ID, "id" 1027 1028 label=AUE_MOUNT 1029 case=UNIX file system 1030 format=arg1:text2:path:[attr]:[path]:[attr] 1031 comment=3, flags, "flags": 1032 comment=filesystem type 1033 case=NFS file system 1034 format=arg1:text2:text3:arg4:path:[attr] 1035 comment=3, flags, "flags": 1036 comment=filesystem type: 1037 comment=host name: 1038 comment=3, flags, "internal flags" 1039 # unix example: 1040 # header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec 1041 # argument,3,0x104,flags 1042 # text,ufs 1043 # path,/var2 1044 # attribute,40755,root,root,32,12160,0 1045 # path,/devices/pci@1f,4000/scsi@3/sd@0,0:e 1046 # attribute,60640,root,sys,32,231268,137438953476 1047 # subject,abc,root,other,root,other,1726,1715,255 66049 ohboy 1048 # return,success,4290707268 1049 # ^^^^^^^^^^ <- bugid 4333559 1050 1051 label=AUE_MSGCTL 1052 format=arg1:[ipc] 1053 comment=1, message ID, "msg ID" 1054 note=ipc_perm 1055 # audit_event.c shows no IPC token 1056 1057 label=AUE_MSGCTL_RMID 1058 format=arg1:[ipc] 1059 comment=1, message ID, "msg ID" 1060 note=ipc_perm 1061 syscall=msgctl: IPC_RMID 1062 # audit_event.c shows no IPC token 1063 1064 label=AUE_MSGCTL_SET 1065 format=arg1:[ipc] 1066 comment=1, message ID, "msg ID" 1067 note=ipc_perm 1068 syscall=msgctl: IPC_SET 1069 # audit_event.c shows no IPC token 1070 1071 label=AUE_MSGCTL_STAT 1072 format=arg1:[ipc] 1073 comment=1, message ID, "msg ID" 1074 note=ipc_perm 1075 syscall=msgctl: IPC_STAT 1076 # audit_event.c shows no IPC token 1077 1078 label=AUE_MSGGET 1079 format=arg1:[ipc] 1080 comment=1, message key, "msg key" 1081 note=ipc_perm 1082 # audit_event.c shows no IPC token 1083 1084 label=AUE_MSGGETL 1085 skip=Not used. 
1086 1087 label=AUE_MSGRCV 1088 format=arg1:[ipc] 1089 comment=1, message ID, "msg ID" 1090 note=ipc_perm 1091 # audit_event.c shows no IPC token 1092 1093 label=AUE_MSGRCVL 1094 skip=Not used. 1095 1096 label=AUE_MSGSND 1097 format=arg1:[ipc] 1098 comment=1, message ID, "msg ID" 1099 note=ipc_perm 1100 # audit_event.c shows no IPC token 1101 1102 label=AUE_MSGSNDL 1103 skip=Not used. 1104 1105 label=AUE_MSGSYS 1106 skip=Not used. (Placeholder for AUE_MSG* events.) 1107 1108 label=AUE_MUNMAP 1109 format=arg1:arg2 1110 comment=1, address of memory, "addr": 1111 comment=2, memory segment size, "len" 1112 1113 label=AUE_NFS 1114 skip=Not used. 1115 1116 label=AUE_NFSSVC_EXIT 1117 skip=Not used. 1118 1119 label=AUE_NFS_GETFH 1120 skip=Not used. 1121 1122 label=AUE_NFS_SVC 1123 skip=Not used. 1124 1125 label=AUE_NICE 1126 format=kernel 1127 1128 label=AUE_NULL 1129 skip=Not used. (placeholder) 1130 # used internal to audit_event.c for minimal audit 1131 1132 label=AUE_ONESIDE 1133 skip=Not used. 1134 1135 label=AUE_OPEN 1136 skip=Not used. (placeholder for AUE_OPEN_*). 
1137 1138 label=AUE_OPEN_R 1139 format=path:[attr] 1140 see=open(2) - read 1141 1142 label=AUE_OPENAT_R 1143 format=path:[attr] 1144 see=openat(2) 1145 # not verified 1146 1147 label=AUE_OPEN_RC 1148 format=path:[attr] 1149 see=open(2) - read,creat 1150 1151 label=AUE_OPENAT_RC 1152 see=openat(2) 1153 format=path:[attr] 1154 # not verified 1155 1156 label=AUE_OPEN_RT 1157 format=path:[attr] 1158 see=open(2) - read,trunc 1159 1160 label=AUE_OPENAT_RT 1161 see=openat(2) 1162 format=path:[attr] 1163 # not verified 1164 1165 label=AUE_OPEN_RTC 1166 format=path:[attr] 1167 see=open(2) - read,trunc,creat 1168 1169 label=AUE_OPENAT_RTC 1170 see=openat(2) 1171 format=path:[attr] 1172 # not verified 1173 1174 label=AUE_OPEN_RW 1175 format=path:[attr] 1176 see=open(2) - read,write 1177 1178 label=AUE_OPENAT_RW 1179 see=openat(2) 1180 format=path:[attr] 1181 # not verified 1182 1183 label=AUE_OPEN_RWC 1184 format=path:[attr] 1185 see=open(2) - read,write,creat 1186 1187 label=AUE_OPENAT_RWC 1188 see=openat(2) 1189 format=path:[attr] 1190 # not verified 1191 1192 label=AUE_OPEN_RWT 1193 format=path:[attr] 1194 see=open(2) - read,write,trunc 1195 1196 label=AUE_OPENAT_RWT 1197 see=openat(2) 1198 format=path:[attr] 1199 # not verified 1200 1201 label=AUE_OPEN_RWTC 1202 format=path:[attr] 1203 see=open(2) - read,write,trunc,creat 1204 1205 label=AUE_OPENAT_RWTC 1206 see=openat(2) 1207 format=path:[attr] 1208 # not verified 1209 1210 label=AUE_OPEN_W 1211 format=path:[attr] 1212 see=open(2) - write 1213 1214 label=AUE_OPENAT_W 1215 see=openat(2) 1216 format=path:[attr] 1217 # not verified 1218 1219 label=AUE_OPEN_WC 1220 format=path:[attr] 1221 see=open(2) - write,creat 1222 1223 label=AUE_OPENAT_WC 1224 see=openat(2) 1225 format=path:[attr] 1226 # not verified 1227 1228 label=AUE_OPEN_WT 1229 format=path:[attr] 1230 see=open(2) - write,trunc 1231 1232 label=AUE_OPENAT_WT 1233 see=openat(2) 1234 format=path:[attr] 1235 # not verified 1236 1237 label=AUE_OPEN_WTC 1238 
format=path:[attr] 1239 see=open(2) - write,trunc,creat 1240 1241 label=AUE_OPENAT_WTC 1242 see=openat(2) 1243 format=path:[attr] 1244 # not verified 1245 1246 label=AUE_OSETPGRP 1247 skip=Not used. 1248 1249 label=AUE_OSETUID 1250 skip=Not used. 1251 syscall=old setuid 1252 # probably not generated. 1253 # not referenced anywhere, including audit_kevents.h 1254 # and AUE_OSETUID is not defined anywhere 1255 1256 label=AUE_OSTAT 1257 skip=Not used. 1258 1259 label=AUE_PATHCONF 1260 format=path:[attr] 1261 # not verified 1262 1263 label=AUE_PIPE 1264 format=kernel 1265 # class is no, not usually printed 1266 1267 label=AUE_PRIOCNTLSYS 1268 syscall=priocntl 1269 see=priocntl(2) 1270 format=arg1:arg2 1271 comment=1, priocntl version number, "pc_version": 1272 comment=3, command, "cmd" 1273 1274 label=AUE_PROCESSOR_BIND 1275 case=No threads bound to the processor 1276 format=arg1:arg2:text3:[proc] 1277 comment=1, type of ID, "ID type": 1278 comment=2, ID value, "ID": 1279 comment="PBIND_NONE" 1280 case=With processor bound 1281 format=arg1:arg2:arg3:[proc] 1282 comment=1, type of ID, "ID type": 1283 comment=2, ID value, "ID": 1284 comment=3, processor ID, "processor_id" 1285 1286 1287 label=AUE_PUTMSG 1288 format=arg1:arg2 1289 comment=1, file descriptor, "fd": 1290 comment=4, priority, "pri" 1291 1292 label=AUE_PUTPMSG 1293 see=putmsg(2) 1294 # old BSM doc mismatch against audit_event.c 1295 # documented: 1296 # format=arg1 1297 # comment=1, file descriptor, "fd" 1298 # implemented: 1299 format=arg1:arg2:arg3 1300 comment=1, file descriptor, "fd": 1301 comment=4, priority, "pri": 1302 comment=5, flags, "flags" 1303 1304 label=AUE_P_ONLINE 1305 format=arg1:arg2:text3 1306 comment=1, processor ID, "processor ID": 1307 comment=2, flags value, "flags": 1308 comment=text form of flags. Values: P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS 1309 1310 label=AUE_QUOTACTL 1311 skip=Not used. 1312 1313 label=AUE_READ 1314 skip=Not used. 
(Placeholder for AUE_READ_* events) 1315 1316 label=AUE_READL 1317 skip=Not used. (Obsolete) 1318 1319 label=AUE_READLINK 1320 format=path:[attr] 1321 # see audit_read.c 1322 1323 label=AUE_READV 1324 skip=Not used (obsolete) 1325 # detritus from CMS 1326 1327 label=AUE_READVL 1328 skip=Not used (obsolete) 1329 # detritus from CMS 1330 1331 label=AUE_REBOOT 1332 skip=Not used. 1333 1334 label=AUE_RECV 1335 format=arg1:[arg]2:[arg]3:[inet] 1336 comment=1, file descriptor, "so": 1337 comment=1, family, "family": 1338 comment=1, type, "type" 1339 1340 label=AUE_RECVFROM 1341 format=inet:arg1:[arg2]:inet3:arg4 1342 comment=3, message length, "len": 1343 comment=4, flags, "flags": 1344 comment=from address: 1345 comment=6, address length, "tolen" 1346 note=The socket token for a bad socket is reported as "argument 1347 note=token (1, socket descriptor, "fd")" 1348 1349 label=AUE_RECVMSG 1350 format=inet:arg1:inet2:arg3 1351 comment=4, flags, "flags": 1352 comment=from address: 1353 comment=6, address length, "tolen" 1354 note=The socket token for a bad socket is reported as 'argument 1355 note=token (1, "fd", socket descriptor)' 1356 1357 label=AUE_RENAME 1358 format=path1:[attr]1:[path]2 1359 comment=from name: 1360 comment=to name 1361 # not verified 1362 1363 label=AUE_RENAMEAT 1364 # see openat(2) 1365 format=path1:[attr]1:[path]2 1366 comment=from name: 1367 comment=to name 1368 # not verified 1369 1370 label=AUE_RFSSYS 1371 skip=Not used. 
1372 # apparently replaced 1373 1374 label=AUE_RMDIR 1375 format=path:[attr] 1376 # Not verified 1377 1378 label=AUE_SEMCTL 1379 format=arg1:[ipc] 1380 comment=1, semaphore ID, "sem ID" 1381 note=ipc_perm 1382 # can't find where ipc token is generated, if at all 1383 1384 label=AUE_SEMCTL_GETALL 1385 format=arg1:[ipc] 1386 comment=1, semaphore ID, "sem ID" 1387 note=ipc_perm 1388 syscall=semctl: GETALL 1389 # can't find where ipc token is generated, if at all 1390 1391 label=AUE_SEMCTL_GETNCNT 1392 format=arg1:[ipc] 1393 comment=1, semaphore ID, "sem ID" 1394 note=ipc_perm 1395 syscall=semctl: GETNCNT 1396 # can't find where ipc token is generated, if at all 1397 1398 label=AUE_SEMCTL_GETPID 1399 format=arg1:[ipc] 1400 comment=1, semaphore ID, "sem ID" 1401 note=ipc_perm 1402 syscall=semctl: GETPID 1403 # can't find where ipc token is generated, if at all 1404 1405 label=AUE_SEMCTL_GETVAL 1406 format=arg1:[ipc] 1407 comment=1, semaphore ID, "sem ID" 1408 note=ipc_perm 1409 syscall=semctl: GETVAL 1410 # can't find where ipc token is generated, if at all 1411 1412 label=AUE_SEMCTL_GETZCNT 1413 format=arg1:[ipc] 1414 comment=1, semaphore ID, "sem ID" 1415 note=ipc_perm 1416 syscall=semctl: GETZCNT 1417 # can't find where ipc token is generated, if at all 1418 1419 label=AUE_SEMCTL_RMID 1420 format=arg1:[ipc] 1421 comment=1, semaphore ID, "sem ID" 1422 note=ipc_perm 1423 syscall=semctl: IPC_RMID 1424 # can't find where ipc token is generated, if at all 1425 1426 label=AUE_SEMCTL_SET 1427 format=arg1:[ipc] 1428 comment=1, semaphore ID, "sem ID" 1429 note=ipc_perm 1430 syscall=semctl: IPC_SET 1431 # can't find where ipc token is generated, if at all 1432 1433 label=AUE_SEMCTL_SETALL 1434 format=arg1:[ipc] 1435 comment=1, semaphore ID, "sem ID" 1436 note=ipc_perm 1437 syscall=semctl: SETALL 1438 # can't find where ipc token is generated, if at all 1439 1440 label=AUE_SEMCTL_SETVAL 1441 format=arg1:[ipc] 1442 comment=1, semaphore ID, "sem ID" 1443 note=ipc_perm 1444 
syscall=semctl: SETVAL 1445 # can't find where ipc token is generated, if at all 1446 1447 label=AUE_SEMCTL_STAT 1448 format=arg1:[ipc] 1449 comment=1, semaphore ID, "sem ID" 1450 note=ipc_perm 1451 syscall=semctl: IPC_STAT 1452 # can't find where ipc token is generated, if at all 1453 1454 label=AUE_SEMGET 1455 format=arg1:[ipc] 1456 comment=1, semaphore ID, "sem ID" 1457 note=ipc_perm 1458 syscall=semctl: SETVAL 1459 # audit_event.c does not match old BSM manual 1460 # can't find where ipc token is generated, if at all 1461 1462 label=AUE_SEMGETL 1463 skip=Not used. 1464 1465 label=AUE_SEMOP 1466 format=arg1:[ipc] 1467 comment=1, semaphore ID, "sem ID" 1468 note=ipc_perm 1469 1470 label=AUE_SEMSYS 1471 skip=Not used. (place holder) -- defaults to a semget variant 1472 1473 label=AUE_SEND 1474 format=kernel 1475 # not clear from audit_event.c 1476 1477 label=AUE_SENDMSG 1478 case=If invalid file descriptor 1479 format=arg1:arg2 1480 comment=1, file descriptor, "so": 1481 comment=3, flags, "flags" 1482 case=If valid file descriptor 1483 case=...and socket is AF_UNIX 1484 format=path1:arg2:[arg]3:[arg]4:[arg]5 1485 comment=if no path, will be argument: 1, "nopath: fd", file descriptor: 1486 comment=1, file descriptor, "so": 1487 comment=1, family, "family": 1488 comment=1, type, "type": 1489 comment=3, message flags, "flags" 1490 case=...and socket is AF_INET or AF_INET6 1491 format=arg1:[arg]2:[arg]3:[arg]4 1492 comment=1, file descriptor, "so": 1493 comment=1, family, "family": 1494 comment=1, type, "type": 1495 comment=3, message flags, "flags" 1496 # audit_event.c doesn't match doc, use audit_event.c 1497 1498 label=AUE_SENDTO 1499 case=If invalid file descriptor 1500 format=arg1:arg2 1501 comment=1, file descriptor, "so": 1502 comment=3, flags, "flags" 1503 case=If valid file descriptor 1504 case=...and socket is AF_UNIX 1505 format=path1:arg2:[arg]3:[arg]4:[arg]5 1506 comment=if no path, will be argument: 1, file descriptor, "nopath: fd": 1507 comment=1, file 
descriptor, "so": 1508 comment=1, family, "family": 1509 comment=1, type, "type": 1510 comment=3, message flags, "flags" 1511 case=...and socket is AF_INET or AF_INET6 1512 format=arg1:[arg]2:[arg]3:[arg]4 1513 comment=1, file descriptor, "so": 1514 comment=1, family, "family": 1515 comment=1, type, "type": 1516 comment=3, message flags, "flags" 1517 # audit_event.c doesn't match doc, use audit_event.c 1518 1519 label=AUE_SETAUDIT 1520 case=With a valid program stack address 1521 format=arg1:arg2:arg3:arg4:arg5:arg6 1522 comment=1, audit user ID, "setaudit:auid": 1523 comment=1, terminal ID, "setaudit:port": 1524 comment=1, terminal ID, "setaudit:machine": 1525 comment=1, preselection mask, "setaudit:as_success": 1526 comment=1, preselection mask, "setaudit:as_failure": 1527 comment=1, audit session ID, "setaudit:asid" 1528 case=With an invalid program stack address 1529 format=kernel 1530 # header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec 1531 # argument,1,0x271a,setaudit:auid 1532 # argument,1,0x3ff0201,setaudit:port 1533 # argument,1,0x8192591e,setaudit:machine 1534 # argument,1,0x400,setaudit:as_success 1535 # argument,1,0x400,setaudit:as_failure 1536 # argument,1,0x16f,setaudit:asid 1537 # subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1 1538 # return,success,0 1539 # trailer,215 1540 # header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec 1541 # argument,1,0x271a,setaudit:auid 1542 # argument,1,0x3ff0201,setaudit:port 1543 # argument,1,0x8192591e,setaudit:machine 1544 # argument,1,0x400,setaudit:as_success 1545 # argument,1,0x400,setaudit:as_failure 1546 # argument,1,0x16f,setaudit:asid 1547 # subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1 1548 # return,success,0 1549 # trailer,215 1550 1551 label=AUE_SETAUDIT_ADDR 1552 case=With a valid program stack address 1553 format=arg1:arg2:arg3:ip address4:arg5:arg6:arg7 1554 comment=1, audit user ID, "auid": 1555 comment=1, terminal ID, "port": 1556 
comment=1, type, "type": 1557 comment=1, terminal ID, "ip address": 1558 comment=1, preselection mask, "as_success": 1559 comment=1, preselection mask, "as_failure": 1560 comment=1, audit session ID, "asid" 1561 case=With an invalid program stack address 1562 format=kernel 1563 # header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec 1564 # argument,1,0x15fa7,auid 1565 # argument,1,0x0,port 1566 # argument,1,0x4,type 1567 # ip address,tmach2 1568 # argument,1,0x9c00,as_success 1569 # argument,1,0x9c00,as_failure 1570 # argument,1,0x1f1,asid 1571 # subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2 1572 # return,success,0 1573 1574 label=AUE_SETAUID 1575 format=arg1 1576 comment=2, audit user ID, "setauid" 1577 1578 label=AUE_SETDOMAINNAME 1579 skip=Not used. (See AUE_SYSINFO) 1580 # See AUE_SYSINFO with SI_SET_SRPC_DOMAIN 1581 1582 label=AUE_SETEGID 1583 format=arg1 1584 comment=1, group ID, "gid" 1585 1586 label=AUE_SETEUID 1587 format=arg1 1588 comment=1, user ID, "euid" 1589 1590 label=AUE_SETGID 1591 format=arg1 1592 comment=1, group ID, "gid" 1593 1594 label=AUE_SETGROUPS 1595 case=If no groups in list 1596 format=[arg]1 1597 comment=1, 0, "setgroups" 1598 case=If 1 or more groups in list 1599 format=(1..n)arg1 1600 comment=1, gid, "setgroups" 1601 # mismatch with audit_event.c; use audit_event.c 1602 # if too many gids listed, no tokens are generated 1603 1604 label=AUE_SETHOSTNAME 1605 skip=Not used. (See AUE_SYSINFO) 1606 # See sysinfo call with command SI_SET_HOSTNAME 1607 1608 label=AUE_SETKERNSTATE 1609 skip=Not used. 1610 1611 label=AUE_SETPGRP 1612 format=[proc]:[arg]1 1613 comment=2, pgrp, "pgrp" 1614 # audit_event shows more tokens than documented 1615 1616 label=AUE_SETPRIORITY 1617 skip=Not used. 
1618 1619 label=AUE_SETPPRIV 1620 case=operation privileges off 1621 format=arg1:privset2 1622 comment=setppriv operation: 1623 comment=privileges actually switched off 1624 case=operation privileges on 1625 format=arg1:privset2 1626 comment=setppriv operation: 1627 comment=privileges actually switched on 1628 case=operation privileges off 1629 format=arg1:privset:privset 1630 comment=setppriv operation: 1631 comment=privileges before privset: 1632 comment=privileges after privset 1633 #header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec 1634 #argument,2,0x2,op 1635 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1636 #privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session 1637 #subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0 1638 #return,success,0 1639 1640 label=AUE_SETREGID 1641 format=arg1:arg2 1642 comment=1, real group ID, "rgid": 1643 comment=2, effective group ID, "egid" 1644 1645 label=AUE_SETREUID 1646 format=arg1:arg2 1647 comment=1, real user ID, "ruid": 1648 comment=2, effective user ID, "euid" 1649 1650 label=AUE_SETRLIMIT 1651 format=kernel 1652 # header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec 1653 # subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2 1654 # return,success,0 1655 1656 label=AUE_SETSOCKOPT 1657 case=Invalid file descriptor 1658 format=arg1:arg2 1659 comment=1, file descriptor, "so": 1660 comment=3, flags, "flags" 1661 case=Valid file descriptor 1662 case=...and socket is AF_UNIX 1663 format=path1:arg2:[arg]3:[arg]4:arg5:arg6:arg7:data8:inet 1664 comment=if no path, will be argument: 1, "nopath: fd", file descriptor: 1665 comment=1, file descriptor, "so": 1666 comment=1, family, "family": 1667 comment=1, type, "type": 1668 comment=2, protocol level, "level": 1669 comment=3, option name, "optname": 1670 comment=5, option length, "optlen": 1671 comment=option data 1672 case=...and socket is AF_INET or AF_INET6 1673 
format=arg1:[arg]2:[arg]3:arg4:arg5:arg6:data7:inet
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
# document misses some tokens; this matches audit_event.c

label=AUE_SETTIMEOFDAY
skip=Not used.

label=AUE_SETUSERAUDIT
skip=Not used.

label=AUE_SHMAT
format=arg1:arg2:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID":
comment=2, shared mem addr, "shmaddr"
note=ipc_perm
# audit_event.c does not show ipc and ipc_perm

label=AUE_SHMCTL
format=arg1:[ipc]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
# verified against audit_event.c EXCEPT for ipc token

label=AUE_SHMCTL_RMID
format=arg1:[ipc]:ipc_perm
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_RMID
# verified against audit_event.c except for ipc

label=AUE_SHMCTL_SET
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_SET
# verified against audit_event.c except for ipc

label=AUE_SHMCTL_STAT
format=arg1:[ipc]
comment=1, shared memory ID, "shm ID":
note=ipc_perm
syscall=shmctl: IPC_STAT
# verified against audit_event.c except for ipc

label=AUE_SHMDT
format=arg1
comment=1, shared memory address, "shm adr"

label=AUE_SHMGET
format=arg1:[ipc_perm]:[ipc]
comment=0, shared memory key, "shm key"
note=ipc_perm
# does not match audit_event.c; used audit_event.c

label=AUE_SHMGETL
skip=Not used.

label=AUE_SHMSYS
skip=Not used.
(Placeholder for shmget and shmctl*) 1738 1739 label=AUE_SHUTDOWN 1740 case=If the socket address is invalid 1741 format=[arg]1:[text]2:[text]3 1742 comment=1, file descriptor, "fd": 1743 comment=bad socket address: 1744 comment=bad peer address 1745 case=If the socket address is part of the AF_INET family 1746 case=..with zero file descriptor 1747 format=arg1:[arg]2:[arg]3:[arg]4 1748 comment=1, file descriptor, "so": 1749 comment=1, family, "family": 1750 comment=1, type, "type": 1751 comment=2, how shutdown code, "how" 1752 case=...with non-zero file descriptor 1753 format=arg1:arg2:inet 1754 comment=1, file descriptor, "so": 1755 comment=2, how shutdown code, "how" 1756 case=If the socket address is AF_UNIX 1757 case=...with zero file descriptor 1758 format=path1:arg2:[arg]3:[arg]4:[arg]5 1759 comment=If error: argument: 1, "no path: fd", file descriptor: 1760 comment=1, file descriptor, "so": 1761 comment=1, family, "family": 1762 comment=1, type, "type": 1763 comment=2, how shutdown code, "how" 1764 case=...with non-zero file descriptor 1765 format=path1:arg2:arg3:inet 1766 comment=If error: argument: 1, file descriptor, "no path: fd": 1767 comment=1, file descriptor, "so": 1768 comment=2, how shutdown code, "how" 1769 #old BSM manual wrong; used audit_event.c 1770 1771 label=AUE_SOCKACCEPT 1772 syscall=getmsg: socket accept 1773 format=inet:arg1:[path]:attr:arg2 1774 comment=1, file descriptor, "fd": 1775 comment=4, priority, "pri" 1776 # see putmsg and getmsg for record format 1777 # See audit.c for inet token and audit_start.c for other reference 1778 1779 label=AUE_SOCKCONFIG 1780 format=arg1:arg2:arg3:[path]4 1781 comment=1, domain address, "domain": 1782 comment=2, type, "type": 1783 comment=3, protocol, "protocol": 1784 comment=If no path:argument -- 3, 0, "devpath" 1785 1786 label=AUE_SOCKCONNECT 1787 syscall=putmsg: socket connect 1788 format=inet:arg1:[path]:attr:arg2 1789 comment=1, file descriptor, "fd": 1790 comment=4, priority, "pri" 1791 # same 
as AUE_SOCKACCEPT

label=AUE_SOCKET
format=arg1:[arg]2:arg3
comment=1, socket domain, "domain":
comment=2, socket type, "type":
comment=3, socket protocol, "protocol"

label=AUE_SOCKETPAIR
skip=Not used.
# unreferenced

label=AUE_SOCKRECEIVE
syscall=getmsg
format=inet:arg1:[path]:attr:arg
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT

label=AUE_SOCKSEND
syscall=putmsg
format=inet:arg1:[path]:attr:arg
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT

label=AUE_STAT
format=path:[attr]
# Not verified

label=AUE_STATFS
format=path:[attr]
# Not verified

label=AUE_STATVFS
format=path:[attr]
# Not verified

label=AUE_STIME
format=kernel

label=AUE_SWAPON
skip=Not used.

label=AUE_SYMLINK
format=text1:path:[attr]
comment=symbolic link string
# does not match audit_event.c (can't find where path
# is generated)

label=AUE_SYSINFO
format=arg1:[text]2
comment=1, command, "cmd":
comment=name
# header,85,2,sysinfo(2),,Thu Nov 08 15:02:07 2001, + 0 msec
# argument,1,0x202,cmd
# subject,tuser1,tuser1,staff,tuser1,staff,9662,497,0 0 tmach2
# return,success,85

label=AUE_SYSTEMBOOT
title=system booted
syscall=none
format=head:text1
comment="booting kernel"
# see audit_start.c and audit_io.c
# no subject or return / exit token
# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
# text,booting kernel

label=AUE_TRUNCATE
skip=Not used.
1862 1863 label=AUE_UMOUNT 1864 syscall=umount: old version 1865 format=path:[attr] 1866 # Not verified 1867 1868 label=AUE_UMOUNT2 1869 syscall=umount2 1870 format=path:arg1:[path]:[attr] 1871 comment=2, mflag value, "flags" 1872 1873 label=AUE_UNLINK 1874 format=path:[attr] 1875 #header,137,2,unlink(2),fe,test1,Mon Oct 6 13:36:42 PDT 2003, + 848 msec 1876 #path,/usr/bin/ls 1877 #attribute,100555,root,bin,32,953,0 1878 #subject,tuser,tuser,staff,tuser,staff,467,445,198 197121 test0 1879 #use of privilege,failed use of priv,ALL 1880 #return,failure: Permission denied,-1 1881 1882 label=AUE_UNLINKAT 1883 see=openat(2) 1884 format=path:[attr] 1885 # Not verified 1886 1887 label=AUE_UNMOUNT 1888 skip=Not used. 1889 1890 label=AUE_UTIME 1891 format=path:[attr] 1892 # Not verified 1893 1894 label=AUE_UTIMES 1895 format=path:[attr] 1896 # Not verified 1897 1898 label=AUE_UTSSYS 1899 skip=Not used. 1900 # source of documented format not determined 1901 # no such system call. utssys seems to be a dummy for uname, 1902 # ustat (actual system call) and fusers (no such call).