Appendix A: Audit Record Descriptions
- This appendix has two parts:
- A description of each part of an audit record.
- A definition of all audit records generated by the Basic Security Module by event description.
Audit Record Structure
- An audit record is a sequence of audit tokens. Each token contains event information such as user ID, time, and date. A header token begins an audit record, and an optional trailer concludes the record. Other audit tokens contain audit-relevant information. A typical audit record appears in Figure A-1:

Figure A-1
Audit Token Structure
- Logically, each token has a token type identifier followed by data specific to the token. Each token type has its own format and structure. The current tokens are shown in Table A-1. The token scheme can be extended.
Table A-1 Basic Security Module audit tokens

| arbitrary token | data with format and type information |
| arg token | system call argument value |
| attr token | vnode tokens |
| exec_arg token | exec system call arguments |
| exec_env token | exec system call environment variables |
| exit token | program exit information |
| file token | audit file information |
| groups token | process groups information (obsolete) |
| header token | indicates start of record |
| in_addr token | Internet address |
| ip token | IP header information |
| ipc token | System V IPC information |
| ipc_perm token | System V IPC object tokens |
| iport token | Internet port address |
| newgroups token | process groups information |
| opaque token | unstructured data (unspecified format) |
| path token | path information (path) |
| process token | process token information |
| return token | status of system call |
| seq token | sequence number token |
| socket token | socket type and addresses |
| subject token | subject token information (1) |
| text token | ascii string |
| trailer token | indicates end of record |
- An audit record always contains a header token and a trailer token. The header token indicates where the audit record begins in the audit trail. Every audit record contains a subject token (2). In the case of attributable events, these two tokens refer to the values of the process that caused the event. In the case of asynchronous events, the process tokens refer to the system.
- 1. The subject and process token have the same token structure.
- 2. Except for audit records from some non-attributable events.
Arbitrary Token
- The arbitrary token encapsulates data for the audit trail. It consists of four fixed fields and an array of data. The fixed fields are: a token ID that identifies this token as an arbitrary token, a suggested format field (for example hexadecimal), a size field that specifies the size of data encapsulated (for example short), and a count field that gives the number of following items. The remainder of the token is composed of one or more items of the specified type. The arbitrary token appears as follows:

Figure A-2
- The print format field can take the following values:
AUP_BINARY - print data in binary
AUP_OCTAL - print data in octal
AUP_DECIMAL - print data in decimal
AUP_HEX - print data in hex
AUP_STRING - print data as a string
- The item size field can take the following values:
AUR_BYTE - data is in units of bytes (1 byte)
AUR_SHORT - data is in units of shorts (2 bytes)
AUR_LONG - data is in units of longs (4 bytes)
Arg Token
- The arg token contains system call argument information: the argument number of the system call, the argument value, and an optional descriptive text string. This token allows a 32-bit integer system call argument in an audit record. The arg token has 5 fields: a token ID that identifies this token as an arg token, an argument ID that tells which system call argument the token refers to, the argument value, the length of a descriptive text string, and the text string. Figure A-3 shows the token form:

Figure A-3
Attr Token
- The attr token contains information from the file vnode. This token has 7 fields: a token ID that identifies this as an attr token, the file access mode and type, the owner user ID, the owner group ID, the file system ID (1), the i-node ID, and the device ID the file might represent. This token usually accompanies a path token and is produced during path searches. In the event of a path-search error, this token is not included as part of the audit record, since there is no vnode available to obtain the necessary file information. Figure A-4 shows the attr token form.

Figure A-4
- 1. Look in the stat(2V) man page for further information about the file system ID and device ID.
Exec_args Token
- The exec_args token records the arguments to an exec system call. The exec_args record has two fixed fields: a token ID field that identifies this as an exec_args token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-5 shows an exec_args token.

Figure A-5
Note - The exec_args token is output only when the audit policy argv is active. See "Setting Audit Policies" on page 39 for more information.
Exec_env Token
- The exec_env token records the current environment variables to an exec system call. The exec_env token has two fixed fields: a token ID field that identifies this as an exec_env token, and a count that represents the number of environment variables passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-6 shows an exec_env token.

Figure A-6
Note - The exec_env token is output only when the audit policy arge is active. See "Setting Audit Policies" on page 39 for more information.
Exit Token
- The exit token records the exit status of a program. The exit token contains the exit status of the program and a return value. The status field is the same as that passed to the exit(2) system call. The return value field indicates a system error number or a return value to further describe the exit status. Figure A-7 shows an exit token.

Figure A-7
File Token
- The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to "link" together successive audit files into one audit trail. The file token has four fields: a token ID that identifies this token as a file token, a time and date stamp that identifies the time the file was created or closed, a byte count of the file name including a null terminator, and the null-terminated file name. Figure A-8 shows a file token.

Figure A-8
Groups Token (obsolete)
- This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Note that praudit does not distinguish between the two tokens, as both token ids are labelled "groups" when ascii style output is displayed.
- The groups token records the groups entries from the process's credential. The groups token has two fixed fields: a token ID field that identifies this as a groups token, and a count that represents the number of groups contained in this audit record. The remainder of the token is composed of zero or more group entries. Figure A-9 shows a groups token:

Figure A-9
Note - The groups token is output only when the audit policy group is active. See "The auditconfig Command" on page 37 for more information.
Header Token
- The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields: a token ID field that identifies this as a header token, a byte count of the total length of the audit record including both header and trailer, a version number that identifies the version of the audit record structure, the audit event ID that identifies the type of audit event the record represents, an event ID modifier that contains ancillary descriptive information concerning the type of the event, and the time and date the record was created. Figure A-10 shows a header token.

Figure A-10
- The event modifier field has the following flags defined:
0x4000 PAD_NOTATTR non-attributable event
0x8000 PAD_FAILURE fail audit event (1)
In_addr Token
- The in_addr token contains an internet address. This 4 byte value is an Internet Protocol address. The token has two fields: a token ID that identifies this token as an in_addr token, and an internet address. Figure A-11 shows an in_addr token.

Figure A-11
Ip Token
- The ip token contains a copy of an Internet Protocol header but does not include any IP options (1). The token has two fields: a token ID that identifies this as an ip token and a copy of the IP header (all 20 bytes). The IP header structure is defined in /usr/include/netinet/ip.h. Figure A-12 shows an ip token.

Figure A-12
IPC Token
- The ipc token contains the System V IPC message/semaphore/shared-memory handle used by the caller to identify a particular IPC object (2). This token has three fields: a token ID that identifies this as an ipc token, a type field that specifies the type of the IPC object, and the handle that identifies the IPC object. Figure A-13 shows an ipc token.

Figure A-13
- 1. The IP options may be added by including more of the IP header in the token.
- 2. The IPC object identifiers violate the context free nature of the SunOS CMW audit tokens. No global "name" uniquely identifies IPC objects; instead they are identified by their handle, which is valid only during the time the IPC object is active. The identification should not be a problem since the System V IPC mechanisms are seldom used and they all share the same audit class.
- The ipc type field may have the following values (1):
| AU_IPC_MSG | 1 | IPC message object |
| AU_IPC_SEM | 2 | IPC semaphore object |
| AU_IPC_SHM | 3 | IPC shared memory object |
Ipc_perm Token
- The ipc_perm token contains a copy of the System V IPC access information. This token is added to audit records generated by shared memory, semaphore, and message IPC events. The token has eight fields (2): a token ID that identifies this token as an ipc_perm token, the user ID of the IPC owner, the group ID of the IPC owner, the user ID of the IPC creator, the group ID of the IPC creator, the access modes of the IPC, the sequence number of the IPC, and the IPC key value. Figure A-14 shows an ipc_perm token.

Figure A-14
- 1. These values are defined in <bsm/audit.h>.
- 2. The values are taken from the ipc_perm structure associated with the IPC object.
Iport Token
- The iport token contains the TCP (or UDP) port address. The token has two fields: a token ID that identifies this as an iport token and the TCP/UDP port address. Figure A-15 shows an iport token.

Figure A-15
Newgroups Token
- This token is the replacement for the groups token. Note that praudit does not distinguish between the two tokens, as both token ids are labelled "groups" when ascii style output is displayed.
- The newgroups token records the groups entries from the process's credential. The newgroups token has two fixed fields: a token ID field that identifies this as a newgroups token, and a count that represents the number of groups contained in this audit record. The remainder of the token is composed of zero or more group entries. Figure A-16 shows a newgroups token:

Figure A-16
Note - The newgroups token is output only when the audit policy group is active. See "The auditconfig Command" on page 37 for more information.
Opaque Token
- The opaque token contains unformatted data as a sequence of bytes. The token has three fields: a token ID that identifies this as an opaque token, a byte count of the amount of data, and an array of byte data. Figure A-17 shows an opaque token.

Figure A-17
Path Token
- The path token contains access path information for an object. The token contains a token ID and the absolute path to the object based on the real root of the system. The path has the following structure: a byte count of the path length and the path. Figure A-18 shows a path token.

Figure A-18
Process Token
- The process token contains information describing a process as an object, such as the recipient of a signal. The token has 9 fields: a token ID that identifies this token as a process token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. Figure A-19 shows a process token (1).

Figure A-19
- Note that the process token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
- 1. The audit ID, user ID, group ID, process ID, and session ID are long instead of short in order to prepare for SVR4 sizes.
Return Token
- The return token contains the return status of the system call (u_error) and the process return value (u_rval1). The token has three fields: a token ID that identifies this token as a return token, the error status of the system call, and the system call return value. This token is always returned as part of kernel-generated audit records for system calls. The token indicates exit status and other return values in application auditing. Figure A-20 shows a return token.

Figure A-20
Seq Token
- The seq token (sequence token) is an optional token that contains an increasing sequence number. This token is for debugging. The token is added to each audit record when the AUDIT_SEQ policy is active. The seq token has 2 fields: a token ID that identifies this token as a seq token, and a 32-bit unsigned long field that contains the sequence number. The sequence number is incremented every time an audit record is generated and put onto the audit trail. Figure A-21 shows a seq token.

Figure A-21
Socket Token
- The socket token contains information describing an Internet socket. The socket token has 6 fields: a token ID that identifies this token as a socket token, a socket type field that indicates the type of socket referenced (TCP/UDP/UNIX), the local port address, the local Internet address, the remote port address, and the remote Internet address. The socket type is taken from the designated socket, and the port and Internet addresses are taken from the socket's inpcb control structure. Figure A-22 shows a socket token.

Figure A-22
Subject Token (1)
- The subject token describes a subject (process). The token has 9 fields: an ID that identifies this as a subject token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. This token is always returned as part of kernel-generated audit records for system calls. Figure A-23 shows the token (2).

Figure A-23
- Note that the subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
- 1. The subject token has the same structure as a process token.
- 2. The audit ID, user ID, group ID, process ID, and session ID are long instead of short to prepare for SVR4 sizes.
Text Token
- The text token contains a text string. The token has three fields: a token ID that identifies this token as a text token, the length of the text string, and the text string itself. Figure A-24 shows a text token.

Figure A-24
Trailer Token
- The two tokens, header and trailer, are special in that they distinguish the endpoints of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. It is an optional token that is added as the last token of each record only when the AUDIT_TRAIL audit policy has been set.
- The trailer token is special in that it marks the termination of an audit record. Together with the header token, the trailer token delimits an audit record. The trailer token supports backward seeks of the audit trail. The trailer token has three fields: a token ID that identifies this token as a trailer token, a pad number to aid in marking the end of the record, and the total number of characters in the audit record including both the header and trailer tokens. Figure A-25 shows a trailer token.

Figure A-25
- The audit trail analysis software ensures that each record contains both header and trailer. In the case of a write error, as when a file system becomes full, an audit record can be incomplete and truncated. auditsvc(2), the system call responsible for writing data to the audit trail, attempts to put out complete audit records. If file system space has run out, the call terminates without releasing the current audit record. When the call resumes, it can then repeat the truncated record.
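The header/trailer bracketing and the truncated-record case described above, as an added example that is not code from this documentation or from BSM itself. The token ID values, field widths and trailer magic are assumptions taken from the 32-bit OpenBSM layout (the appendix names the fields but not their encoding); the chmod(2) record is constructed sample data using the event ID and modifier flags given in this appendix.

```python
import struct

# Token ID values, field widths and the trailer magic follow the 32-bit OpenBSM layout and
# are assumptions for this example (the appendix names the fields but not their encoding);
# the event-modifier flags and the AUE_CHMOD event ID are the appendix's own values.
AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32 = 0x13, 0x14, 0x23, 0x24
AUT_RETURN32, AUT_TEXT, AUT_ARG32, TRAILER_MAGIC = 0x27, 0x28, 0x2D, 0xB105
PAD_NOTATTR, PAD_FAILURE, AUE_CHMOD = 0x4000, 0x8000, 10


class TruncatedRecord(Exception):
    """The record ends before its declared length, as after a write error on a full file system."""


def _take(fmt, buf, off):
    """Unpack big-endian fields at buf[off]; raise TruncatedRecord if the bytes are missing."""
    n = struct.calcsize(fmt)
    if off + n > len(buf):
        raise TruncatedRecord(f"need {n} bytes at offset {off}, have {len(buf) - off}")
    return struct.unpack_from(fmt, buf, off), off + n


def _string(buf, off):
    """A 2-byte byte count followed by a NUL-terminated string (path, text, arg description)."""
    (n,), off = _take(">H", buf, off)
    (raw,), off = _take(f">{n}s", buf, off)
    return raw.rstrip(b"\0").decode(), off


def parse_token(buf, off):
    """Decode the token at buf[off]; return (token dict, offset of the next token)."""
    (tid,), off = _take(">B", buf, off)
    if tid == AUT_HEADER32:  # byte count, version, event ID, event modifier, time and date
        (size, ver, ev, mod, sec, msec), off = _take(">IBHHII", buf, off)
        return {"type": "header", "size": size, "version": ver, "event": ev,
                "modifier": mod, "sec": sec, "msec": msec}, off
    if tid == AUT_TRAILER:  # pad magic, then the byte count repeated from the header
        (magic, count), off = _take(">HI", buf, off)
        if magic != TRAILER_MAGIC:
            raise ValueError(f"bad trailer magic {magic:#06x}")
        return {"type": "trailer", "count": count}, off
    if tid == AUT_SUBJECT32:  # nine 4-byte fields; the terminal ID is a port plus a machine
        names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")
        vals, off = _take(">9I", buf, off)
        return {"type": "subject", **dict(zip(names, vals))}, off
    if tid == AUT_RETURN32:  # error status byte, 4-byte return value
        (err, rval), off = _take(">BI", buf, off)
        return {"type": "return", "errno": err, "retval": rval}, off
    if tid in (AUT_PATH, AUT_TEXT):
        text, off = _string(buf, off)
        return {"type": "path" if tid == AUT_PATH else "text", "value": text}, off
    if tid == AUT_ARG32:  # argument number, 32-bit argument value, descriptive string
        (num, val), off = _take(">BI", buf, off)
        desc, off = _string(buf, off)
        return {"type": "arg", "num": num, "value": val, "desc": desc}, off
    raise ValueError(f"unknown token id {tid:#04x} at offset {off - 1}")


def parse_record(buf):
    """Parse the record at the start of buf. The header's byte count bounds the record, and a
    trailer, when present (AUDIT_TRAIL policy), must repeat that count."""
    hdr, off = parse_token(buf, 0)
    if hdr["type"] != "header":
        raise ValueError("an audit record must begin with a header token")
    if hdr["size"] > len(buf):
        raise TruncatedRecord(f"header promises {hdr['size']} bytes, only {len(buf)} present")
    toks = [hdr]
    while off < hdr["size"]:
        tok, off = parse_token(buf, off)
        toks.append(tok)
    if toks[-1]["type"] == "trailer" and toks[-1]["count"] != hdr["size"]:
        raise ValueError("trailer byte count disagrees with the header")
    return toks


def parse_trail(buf):
    """Walk consecutive records. A record cut short by a write error is handed back as the
    leftover bytes (auditsvc repeats it on resume) instead of being mis-parsed as tokens."""
    records, off = [], 0
    while off < len(buf):
        try:
            toks = parse_record(buf[off:])
        except TruncatedRecord:
            break
        records.append(toks)
        off += toks[0]["size"]
    return records, buf[off:]


def sample_chmod_record(failed=False):
    """Constructed chmod(2) record: header, arg, path, subject, return, trailer (attr omitted).
    On failure the header carries PAD_FAILURE and the return token reports errno 1, value -1."""
    desc, path = b"new file mode\0", b"/etc/passwd\0"
    body = struct.pack(">BBIH", AUT_ARG32, 2, 0o644, len(desc)) + desc
    body += struct.pack(">BH", AUT_PATH, len(path)) + path
    body += struct.pack(">B9I", AUT_SUBJECT32, 1001, 0, 0, 1001, 100, 4242, 1001, 0, 0)
    body += struct.pack(">BBI", AUT_RETURN32, *((1, 0xFFFFFFFF) if failed else (0, 0)))
    size = 18 + len(body) + 7  # header token is 18 bytes, trailer token 7
    modifier = PAD_FAILURE if failed else 0
    header = struct.pack(">BIBHHII", AUT_HEADER32, size, 2, AUE_CHMOD, modifier, 0, 0)
    return header + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, size)
```

A trail analyser built this way never treats the bytes of a truncated record as tokens of the next one; the leftover returned by parse_trail can be compared with the repeated copy that follows it.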
Audit Records
General Audit Record Structure
- The audit records produced by the Basic Security Module have a sequence of tokens. Certain tokens are optional within an audit record according to the current audit policy. The group, sequence and trailer tokens fall into this category. The administrator can determine whether these are included in an audit record with the -getpolicy option of the auditconfig(1M) command.
Kernel-level generated Audit Records
access(2)
system call access(2)
event-ID 14 AUE_ACCESS
event class fa 0x00000004
audit record
header token
path token
[attr token]
subject token
return token
acct(2)
system call acct(2)
event-ID 18 AUE_ACCT
event class ad 0x00000800
audit record
<path non-zero>
header token
path token
[attr token]
subject token
return token
<path zero>
header token
argument token (1,"accounting off", 0)
subject token
return token
adjtime(2)
system call adjtime(2)
event-ID 50 AUE_ADJTIME
event class ad 0x00000800
audit record
header token
subject token
return token
chdir(2)
system call chdir(2)
event-ID 8 AUE_CHDIR
event class pc 0x00000080
audit record
header token
path token
[attr token]
subject token
return token
chmod(2)
system call chmod(2)
event-ID 10 AUE_CHMOD
event class fm 0x00000008
audit record
header token
argument token (2,"new file mode", mode)
path token
[attr token]
subject token
return token
chown(2)
system call chown(2)
event-ID 11 AUE_CHOWN
event class fm 0x00000008
audit record
header token
argument token (2,"new file uid", uid)
argument token (3,"new file gid", gid)
path token
[attr token]
subject token
return token
chroot(2)
system call chroot(2)
event-ID 24 AUE_CHROOT
event class pc 0x00000080
audit record
header token
path token
[attr token]
subject token
return token
close(2) (1)
system call close(2)
event-ID 112 AUE_CLOSE
event class cl 0x00000040
audit record
<file system object>
header token
argument token (1,"fd",file descriptor) (2)
[path token] (3)
[attr token] (4)
subject token
return token
creat(2)
system call creat(2)
event-ID 4 AUE_CREAT
event class fc 0x00000010
audit record
header token
path token
[attr token]
subject token
return token
- 1. Also for files closed on process termination.
- 2. Only present with close(2) system call.
- 3. This token may be removed in future releases.
- 4. Only with valid file descriptors.
exec(2)
system call exec(2)
event-ID 7 AUE_EXEC
event class pc,ex 0x40000080
audit record
header token
path token
[attr token]
subject token
return token
execve(2)
system call execve(2)
event-ID 23 AUE_EXECVE
event class pc,ex 0x40000080
audit record
header token
path token
[attr token]
subject token
return token
exit(2)
system call exit(2)
event-ID 1 AUE_EXIT
event class pc 0x00000080
audit record
header token
subject token
return token
fchdir(2)
system call fchdir(2)
event-ID 68 AUE_FCHDIR
event class pc 0x00000080
audit record
header token
[path token]
[attr token]
subject token
return token
fchmod(2)
system call fchmod(2)
event-ID 39 AUE_FCHMOD
event class fm 0x00000008
audit record
<valid file descriptor>
header token
argument token (2,"new file mode", mode)
[path token]
[attr token]
subject token
return token
<invalid file descriptor>
header token
argument token (2,"new file mode", mode)
argument token (1, "no path: fd",fd)
subject token
return token
fchown(2)
system call fchown(2)
event-ID 38 AUE_FCHOWN
event class fm 0x00000008
audit record
<valid file descriptor>
header token
argument token (2,"new file uid",uid)
argument token (3,"new file gid",gid)
[path token]
[attr token]
subject token
return token
<non-file descriptor>
header token
argument token (2,"new file uid",uid)
argument token (3,"new file gid",gid)
argument token (1,"no path: fd",fd)
subject token
return token
fchroot(2)
system call fchroot(2)
event-ID 69 AUE_FCHROOT
event class pc 0x00000080
audit record
header token
[path token]
[attr token]
subject token
return token
fcntl(2)
system call fcntl(2)
event-ID 30 AUE_FCNTL (cmd=F_GETLK, F_SETLK, F_SETLKW, F_RGETLK, F_RSETLK, F_RSETLKW)
event class fm 0x00000008
audit record
<bad file descriptor>
header token
argument token (2,"cmd",cmd)
argument token (1,"no path: fd",fd)
subject token
return token
<file descriptor>
header token
argument token (2,"cmd",cmd)
path token
attr token
subject token
return token
fork(2) (1)
system call fork(2)
event-ID 2 AUE_FORK
event class pc (0x00000080)
audit record
header token
[argument token]
subject token
return token
- 1. Note that the fork return values are undefined since the audit record is produced at the point that the child process is spawned.
fstat(2)
system call fstat(2)
event-ID 208 AUE_FSTAT
event class no (0x00000000)
audit record
header token
subject token
[path token]
[attr token]
subject token
return token
fstatfs(2)
system call fstatfs(2)
event-ID 55 AUE_FSTATFS
event class fa (0x00000004)
audit record
<file descriptor>
header token
[path token]
[attr token]
subject token
return token
<non-file descriptor>
header token
argument token (1,"no path: fd",fd)
subject token
return token
ioctl to special devices
system call ioctl(2)
event-ID 158 AUE_IOCTL
event class io (0x20000000)
audit record
<good file descriptor>
header token
path token
[attr token]
argument token (2,"cmd" ioctl cmd)
argument token (3,"arg" ioctl arg)
subject token
return token
<socket>
header token
[socket token]
argument token (2,"cmd" ioctl cmd)
argument token (3,"arg" ioctl arg)
subject token
return token
<non-file file descriptor>
header token
argument token (1,"fd", file descriptor)
argument token (2,"cmd", ioctl cmd)
argument token (3,"arg", ioctl arg)
subject token
return token
<bad file name>
header token
argument token (1,"no path: fd", fd)
argument token (2,"cmd", ioctl cmd)
argument token (3,"arg", ioctl arg)
subject token
return token
kill(2)
system call kill(2)
event-ID 15 AUE_KILL
event class pc (0x00000080)
audit record
header token
argument token (2,"signal",signo)
[process token]
subject token
return token
<zero or negative process>
header token
argument token (2,"signal",signo)
argument token (1,"process",pid)
subject token
return token
link(2)
system call link(2)
event-ID 5 AUE_LINK
event class fc (0x00000010)
audit record
header token
path token (from path)
[attr token] (from path)
path token (to path)
subject token
return token
lstat(2)
system call lstat(2)
event-ID 17 AUE_LSTAT
event class fa (0x00000004)
audit record
header token
path token
[attr token]
subject token
return token
mkdir(2)
system call mkdir(2)
event-ID 47 AUE_MKDIR
event class fc (0x00000010)
audit record
header token
argument token (2,"mode",mode)
path token
[attr token]
subject token
return token
mknod(2)
system call mknod(2)
event-ID 9 AUE_MKNOD
event class fc (0x00000010)
audit record
header token
argument token (2,"mode",mode)
argument token (3,"dev",dev)
path token
[attr token]
subject token
return token
mmap(2)
system call mmap(2)
event-ID 210 AUE_MMAP
event class no (0x00000000)
audit record
<valid file descriptor>
header token
argument token (1,"addr",segment address)
argument token (2,"len",segment length)
[path token]
[attr token]
subject token
return token
<invalid file descriptor>
header token
argument token (1,"addr",segment address)
argument token (2,"len",segment length)
argument token (1,"no path: fd",fd)
subject token
return token
mount(2)
system call mount(2)
event-ID 62 AUE_MOUNT
event class ad (0x00000800)
audit record
<unix filesystem>
header token
argument token (3,"flags",flags)
text token (filesystem type)
path token
[attr token]
subject token
return token
<nfs filesystem>
header token
argument token (3,"flags",flags)
text token (filesystem type)
text token (host name)
argument token (3,"internal flags",flags)
msgctl(2): IPC_RMID command
system call msgctl(2) - rmid
event-ID 85 AUE_MSGCTL_RMID
event class ip (0x00000200)
audit record
header token
argument token (1,"msg ID",message ID)
[ipc token] (1)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
msgctl(2): IPC_SET command
system call msgctl(2)
event-ID 86 AUE_MSGCTL_SET
event class ip (0x00000200)
audit record
header token
argument token (1,"msg ID",message ID)
[ipc token] (1)
subject token
return token
msgctl(2): IPC_STAT command
system call msgctl(2)
event-ID 87 AUE_MSGCTL_STAT
event class ip (0x00000200)
audit record
header token
argument token (1,"msg ID",message ID)
[ipc token] (2)
subject token
return token
msgget(2)
system call msgget(2)
event-ID 88 AUE_MSGGET
event class ip (0x00000200)
audit record
header token
[ipc token] (3)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
- 2. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
- 3. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
msgrcv(2)
system call msgrcv(2)
event-ID 89 AUE_MSGRCV
event class ip (0x00000200)
audit record
header token
argument token (1,"msg ID",message ID)
[ipc token] (1)
subject token
return token
msgsnd(2)
system call msgsnd(2)
event-ID 90 AUE_MSGSND
event class ip (0x00000200)
audit record
header token
argument token (1,"msg ID",message ID)
[ipc token] (2)
subject token
return token
munmap(2)
system call munmap(2)
event-ID 214 AUE_MUNMAP
event class cl (0x00000040)
audit record
header token
argument token (1,"addr",address of memory)
argument token (2,"len",memory segment size)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
- 2. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
open(2): read
system call open(2)
event-ID 72 AUE_OPEN_R
event class fr (0x00000001)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,create
system call open(2)
event-ID 73 AUE_OPEN_RC
event class fc,fr (0x00000011)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,create,truncate
system call open(2)
event-ID 75 AUE_OPEN_RTC
event class fc,fd,fr (0x00000031)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,truncate
system call open(2)
event-ID 74 AUE_OPEN_RT
event class fd,fr (0x00000021)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,write
system call open(2)
event-ID 80 AUE_OPEN_RW
event class fr,fw (0x00000003)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,write,create
system call open(2)
event-ID 81 AUE_OPEN_RWC
event class fr,fw,fc (0x00000013)
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,write,create,truncate
system call open(2)
event-ID 83 AUE_OPEN_RWTC
event class fr,fw,fc,fd 0x00000033
audit record
header token
path token
[attr token]
subject token
return token
open(2): read,write,truncate
system call open(2)
event-ID 82 AUE_OPEN_RWT
event class fr,fw,fd (0x00000023)
audit record
header token
path token
[attr token]
subject token
return token
open(2): write
system call open(2)
event-ID 76 AUE_OPEN_W
event class fw (0x00000002)
audit record
header token
path token
[attr token]
subject token
return token
open(2): write,create
system call open(2)
event-ID 77 AUE_OPEN_WC
event class fw,fc (0x00000012)
audit record
header token
path token
[attr token]
subject token
return token
open(2): write,create,truncate
system call open(2)
event-ID 79 AUE_OPEN_WTC
event class fw,fc,fd (0x00000032)
audit record
header token
path token
[attr token]
subject token
return token
open(2): write,truncate
system call open(2)
event-ID 78 AUE_OPEN_WT
event class fw,fd (0x00000022)
audit record
header token
path token
[attr token]
subject token
return token
pathconf(2)
system call pathconf(2)
event-ID 71 AUE_PATHCONF
event class fa (0x00000004)
audit record
header token
path token
[attr token]
subject token
return token
pipe(2)
system call pipe(2)
event-ID 185 AUE_PIPE
event class no (0x00000000)
audit record
header token
subject token
return token
process dumped core
system call ---
event-ID 111 AUE_CORE
event class 0x00000010
audit record
header token
path token
[attr token]
argument token (1,"signal",signal)
subject token
return token
readlink(2)
system call readlink(2)
event-ID 22 AUE_READLINK
event class fr (0x00000001)
audit record
header token
path token
[attr token]
subject token
return token
rename(2)
system call rename(2)
event-ID 42 AUE_RENAME
event class fc,ds (0x00000030)
audit record
header token
path token (from name)
[attr token] (from name)
[path token] (to name)
subject token
return token
rmdir(2)
system call rmdir(2)
event-ID 48 AUE_RMDIR
event class fd (0x00000020)
audit record
header token
path token
[attr token]
subject token
return token
semctl(2): GETALL command
system call semctl(2)
event-ID 105 AUE_SEMCTL_GETALL
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (1)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
semctl(2): GETNCNT command
system call semctl(2)
event-ID 102 AUE_SEMCTL_GETNCNT
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (1)
subject token
return token
semctl(2): GETPID command
system call semctl(2)
event-ID 103 AUE_SEMCTL_GETPID
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (2)
subject token
return token
semctl(2): GETVAL command
system call semctl(2)
event-ID 104 AUE_SEMCTL_GETVAL
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (3)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
- 2. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
- 3. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
semctl(2): GETZCNT command
system call semctl(2)
event-ID 106 AUE_SEMCTL_GETZCNT
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (1)
subject token
return token
semctl(2): IPC_RMID command
system call semctl(2)
event-ID 99 AUE_SEMCTL_RMID
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (2)
subject token
return token
semctl(2): IPC_SET command
system call semctl(2)
event-ID 100 AUE_SEMCTL_SET
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (3)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
- 2. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
- 3. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
semctl(2): SETALL command
system call semctl(2)
event-ID 108 AUE_SEMCTL_SETALL
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (note 1)
subject token
return token
semctl(2): SETVAL command
system call semctl(2)
event-ID 107 AUE_SEMCTL_SETVAL
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (note 2)
subject token
return token
semctl(2): IPC_STAT command
system call semctl(2)
event-ID 101 AUE_SEMCTL_STAT
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token]
subject token
return token
- 1, 2. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
semget(2)
system call semget(2)
event-ID 109 AUE_SEMGET
event class ip (0x00000200)
audit record
header token
[ipc token] (note 1)
subject token
return token
semop(2)
system call semop(2)
event-ID 110 AUE_SEMOP
event class ip (0x00000200)
audit record
header token
argument token (1,"sem ID", semaphore ID)
[ipc token] (note 2)
subject token
return token
setgroups(2)
system call setgroups(2)
event-ID 26 AUE_SETGROUPS
event class pc (0x00000080)
audit record
header token
[argument token] (1,"setgroups",group ID) (note 3)
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the system call failed.
- 2. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
- 3. One token for each group set.
setpgrp(2)
system call setpgrp(2)
event-ID 27 AUE_SETPGRP
event class pc (0x00000080)
audit record
header token
subject token
return token
setrlimit(2)
system call setrlimit(2)
event-ID 51 AUE_SETRLIMIT
event class ad (0x00000800)
audit record
header token
subject token
return token
shmat(2)
system call shmat(2)
event-ID 96 AUE_SHMAT
event class ip (0x00000200)
audit record
header token
argument token (1,"shmid",shared memory ID)
argument token (2,"shmaddr",shared mem addr)
[ipc token] (note 1)
[ipc_perm token]
subject token
return token
- 1. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
shmctl(2): IPC_RMID command
system call shmctl(2)
event-ID 92 AUE_SHMCTL_RMID
event class ip (0x00000200)
audit record
header token
argument token (1,"shmid",shared memory ID)
[ipc token] (note 1)
subject token
return token
shmctl(2): IPC_SET command
system call shmctl(2)
event-ID 93 AUE_SHMCTL_SET
event class ip (0x00000200)
audit record
header token
argument token (1,"shmid",shared memory ID)
[ipc token] (note 2)
[ipc_perm token]
subject token
return token
shmctl(2): IPC_STAT command
system call shmctl(2)
event-ID 94 AUE_SHMCTL_STAT
event class ip (0x00000200)
audit record
header token
argument token (1,"shmid",shared memory ID)
[ipc token] (note 3)
subject token
return token
- 1, 2, 3. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
shmdt(2)
system call shmdt(2)
event-ID 97 AUE_SHMDT
event class ip (0x00000200)
audit record
header token
argument token (1,"shmaddr",shared mem addr)
subject token
return token
shmget(2)
system call shmget(2)
event-ID 95 AUE_SHMGET
event class ip (0x00000200)
audit record
header token
argument token (0,"shm ID",shared memory ID)
[ipc token] (note 1)
[ipc_perm token]
subject token
return token
stat(2)
system call stat(2)
event-ID 16 AUE_STAT
event class fa (0x00000004)
audit record
header token
path token
[attr token]
subject token
return token
- 1. The ipc and ipc_perm tokens are not included for failed events.
statfs(2)
system call statfs(2)
event-ID 54 AUE_STATFS
event class fa (0x00000004)
audit record
header token
path token
[attr token]
subject token
return token
symlink(2)
system call symlink(2)
event-ID 21 AUE_SYMLINK
event class fc (0x00000010)
audit record
header token
text token (symbolic link string)
path token
[attr token]
subject token
return token
system: booted
system call non-attributable event
event-ID 113 AUE_SYSTEMBOOT
event class na (0x00000400)
audit record
header token
text token ("booting kernel")
return token
umount(2): old version
system call umount(2)
event-ID 12 AUE_UMOUNT
event class ad (0x00000800)
audit record
header token
path token
[attr token]
subject token
return token
unlink(2)
system call unlink(2)
event-ID 6 AUE_UNLINK
event class fd (0x00000020)
audit record
header token
path token
[attr token]
subject token
return token
utimes(2)
system call utimes(2)
event-ID 49 AUE_UTIMES
event class fm (0x00000008)
audit record
header token
path token
[attr token]
subject token
return token
vfork(2) (note 1)
system call vfork(2)
event-ID 25 AUE_VFORK
event class pc (0x00000080)
audit record
header token
argument token (0,"child PID",pid)
subject token
return token
vtrace(2)
system call vtrace(2)
event-ID 36 AUE_VTRACE
event class pc (0x00000080)
audit record
header token
subject token
return token
- 1. Note that the fork return values are undefined since the audit record is produced at the point that the child process is spawned.
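As an added example (not code from the original documentation), the following Python checks decoded audit records against the layouts in the kernel-level tables above: the bracketed optional tokens, the repeated argument token of setgroups(2) ("one token for each group set"), and the footnote condition that the ipc and ipc_perm tokens are omitted only when the IPC ID is invalid. The representation of a record as a list of (token type, value) pairs and the decoding of the return token as (errno, return value) are assumptions about what a decoder such as praudit would hand you, not something this appendix specifies.

```python
from typing import List, Optional, Tuple

# Per-event layouts transcribed from the appendix. Cardinality: "1" required,
# "?" optional (bracketed in the appendix), "+" one or more (setgroups:
# "one token for each group set").
LAYOUTS = {
    "AUE_SHMAT": [("header", "1"), ("argument", "1"), ("argument", "1"), ("ipc", "?"),
                  ("ipc_perm", "?"), ("subject", "1"), ("return", "1")],
    "AUE_SETGROUPS": [("header", "1"), ("argument", "+"), ("subject", "1"), ("return", "1")],
    "AUE_SYSTEMBOOT": [("header", "1"), ("text", "1"), ("return", "1")],
}
# Appendix footnote: ipc/ipc_perm are omitted only when the IPC ID is invalid; an invalid
# ID makes the call fail, so a record whose return token reports success must carry them.
CONDITIONAL = {"ipc", "ipc_perm"}

def _match(layout, types, i=0, j=0) -> bool:
    # Backtracking check that types[j:] fits layout[i:].
    if i == len(layout):
        return j == len(types)
    name, card = layout[i]
    here = j < len(types) and types[j] == name
    if card == "?":
        return (here and _match(layout, types, i + 1, j + 1)) or _match(layout, types, i + 1, j)
    if card == "+":
        k = j
        while k < len(types) and types[k] == name:
            k += 1
            if _match(layout, types, i + 1, k):
                return True
        return False
    return here and _match(layout, types, i + 1, j + 1)

def validate(event: str, record: List[Tuple[str, object]]) -> Optional[str]:
    """None when the (token type, value) list fits the appendix, else the reason."""
    if event not in LAYOUTS:
        return f"no layout for {event}"
    types = [t for t, _ in record]
    if not _match(LAYOUTS[event], types):
        return f"{event}: token sequence {types} does not match the documented layout"
    # Return token value assumed decoded as (errno, return value); errno 0 = success.
    ret = next((v for t, v in record if t == "return"), None)
    if ret is not None and ret[0] == 0:
        missing = [n for n, c in LAYOUTS[event] if c == "?" and n in CONDITIONAL and n not in types]
        if missing:
            return f"{event}: call succeeded but conditional tokens {missing} are absent"
    return None
SHMAT_OK = [  # constructed sample record; placeholder values, not captured audit data
    ("header", None), ("argument", (1, "shmid", 7)), ("argument", (2, "shmaddr", 0)),
    ("ipc", None), ("ipc_perm", None), ("subject", 1001), ("return", (0, 0x10000))]
SHMAT_SUSPECT = [t for t in SHMAT_OK if t[0] not in ("ipc", "ipc_perm")]  # success, tokens gone
```

A record like SHMAT_SUSPECT, which reports success but lacks the tokens the footnote says are present for a valid ID, is worth flagging during trail review because it cannot be produced by the documented layout.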
User-level generated Audit Records
/usr/sbin/allocate: device allocate success
event AUE_allocate_succ
audit record
header token
subject token
newgroups token
exit token
/usr/sbin/allocate: device allocate failure
event AUE_allocate_fail
audit record
header token
subject token
newgroups token
exit token
/usr/sbin/allocate: deallocate device
event AUE_deallocate_succ
audit record
header token
subject token
newgroups token
exit token
/usr/sbin/allocate: deallocate device failure
event AUE_deallocate_fail
audit record
header token
subject token
newgroups token
exit token
/usr/sbin/halt: machine halt
event AUE_halt_solaris
audit record
header token
subject token
return token
/usr/sbin/inetd: inetd service request
event AUE_inetd_connect
audit record
header token
subject token
text token (service name)
return token
/usr/sbin/in.ftpd: ftpd login
event AUE_ftpd
audit record
header token
subject token
text token (error message, failure only)
return token
/usr/bin/login: terminal login
event AUE_login
audit record
header token
subject token
text token (error message)
return token
/usr/bin/login: rlogin
event AUE_rlogin
audit record
header token
subject token
text token (error message)
return token
/usr/bin/login: telnet login
event AUE_telnet
audit record
header token
subject token
text token (error message)
return token
/usr/bin/login: logout
event AUE_logout
audit record
header token
subject token
return token
/usr/lib/nfs/mountd: NFS mount request
event AUE_mountd_mount
audit record
header token
subject token
text token (remote client hostname)
path token (mount dir)
text token (error message, failure only)
return token
/usr/lib/nfs/mountd: NFS unmount request
event AUE_mountd_umount
audit record
header token
subject token
text token (remote client hostname)
path token (mount dir)
text token (error message, failure only)
return token
/usr/bin/passwd: change password
event AUE_passwd
audit record
header token
subject token
text token (error message)
return token
/usr/sbin/reboot: machine reboot
event AUE_reboot_solaris
audit record
header token
subject token
return token
/usr/sbin/in.rshd: rshd access denials/grants
event AUE_rshd
audit record
header token
subject token
text token (command string)
text token (local user)
text token (remote user)
return token
/usr/bin/su: su
event AUE_su
audit record
header token
text token (error message)
subject token
return token