Appendix A: Audit Record Descriptions
This appendix has two parts. The first part describes each part of an audit record structure and each audit token structure. The second part defines all of the audit records generated by the Basic Security Module, by event description.
Audit Record Structure
An audit record is a sequence of audit tokens. Each token contains event information such as user ID, time, and date. A header token begins an audit record, and an optional trailer concludes the record. Other audit tokens contain audit-relevant information. Figure A-1 shows a typical audit record.

Figure A-1
Audit Token Structure
Logically, each token has a token type identifier followed by data specific to the token. Each token type has its own format and structure. The current tokens are shown in Table A-1. The token scheme can be extended.
Table A-1
| Token Name | Description |
| arbitrary | Data with format and type information |
| arg | System call argument value |
| attr | Vnode tokens |
| exec_args | Exec system call arguments |
| exec_env | Exec system call environment variables |
| exit | Program exit information |
| file | Audit file information |
| groups | Process groups information (obsolete) |
| header | Indicates start of record |
| in_addr | Internet address |
| ip | IP header information |
| ipc | System V IPC information |
| ipc_perm | System V IPC object tokens |
| iport | Internet port address |
| newgroups | Process groups information |
| opaque | Unstructured data (unspecified format) |
| path | Path information (path) |
| process | Process token information |
| return | Status of system call |
| seq | Sequence number token |
| socket | Socket type and addresses |
| socket-inet | Socket port and address |
| subject | Subject token information (same structure as process token) |
| text | ASCII string |
| trailer | Indicates end of record |
An audit record always contains a header token and a trailer token. The header token indicates where the audit record begins in the audit trail. Every audit record contains a subject token, except for audit records from some nonattributable events. For attributable events, the subject and process tokens carry the values of the process that caused the event. For asynchronous events, the process tokens refer to the system.
arbitrary Token
The arbitrary token encapsulates data for the audit trail. It consists of four fixed fields and an array of data. The fixed fields are: a token ID that identifies this token as an arbitrary token, a suggested format field (for example, hexadecimal), a size field that specifies the size of the data encapsulated (for example, short), and a count field that gives the number of following items. The remainder of the token is composed of one or more items of the specified type. The arbitrary token appears as follows:

Figure A-2 arbitrary
The print format field can take the values shown in Table A-2.
Table A-2 arbitrary
| Value | Action |
| AUP_BINARY | Print data in binary |
| AUP_OCTAL | Print data in octal |
| AUP_DECIMAL | Print data in decimal |
| AUP_HEX | Print data in hex |
| AUP_STRING | Print data as a string |
The item size field can take the values shown in Table A-3.
Table A-3 arbitrary
| Value | Action |
| AUR_BYTE | Data is in units of bytes (1 byte) |
| AUR_SHORT | Data is in units of shorts (2 bytes) |
| AUR_LONG | Data is in units of longs (4 bytes) |
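The following Python is an added example, not part of the original manual: it parses an arbitrary token laid out as the text above describes (token ID, print format, item size, item count, then the items) and renders the items according to the print-format field, refusing a token whose count field promises more data than is present. The numeric values of AUP_*/AUR_* and the token ID are an assumption taken from the BSM audit.h header; the page gives only the names.

```python
import struct

# Print-format and item-size names are those of the page's Tables A-2 and A-3.
# Their numeric values and the token ID (AUT_ARB) are an assumption taken from
# the BSM audit.h header, not from this page. BSM trails are big-endian.
AUP_BINARY, AUP_OCTAL, AUP_DECIMAL, AUP_HEX, AUP_STRING = 0, 1, 2, 3, 4
AUR_BYTE, AUR_SHORT, AUR_LONG = 0, 1, 2
AUT_ARB = 0x21

UNIT_SIZE = {AUR_BYTE: 1, AUR_SHORT: 2, AUR_LONG: 4}
UNIT_CODE = {AUR_BYTE: "B", AUR_SHORT: "H", AUR_LONG: "I"}   # struct codes per item size


def parse_arbitrary(buf, offset=0):
    """Parse one arbitrary token at buf[offset].

    Layout: token ID, print format, item size, item count, then `count` items.
    Returns (print_format, unit_size, items, next_offset). Raises ValueError when
    the ID or size code is wrong or the data array is shorter than the count
    field promises, so a truncated record is never silently accepted."""
    if len(buf) - offset < 4:
        raise ValueError("arbitrary token: fixed fields missing")
    token_id, how_to_print, basic_unit, count = struct.unpack_from(">4B", buf, offset)
    if token_id != AUT_ARB:
        raise ValueError(f"expected token 0x{AUT_ARB:02x}, found 0x{token_id:02x}")
    if basic_unit not in UNIT_SIZE:
        raise ValueError(f"unknown item size code {basic_unit}")
    size = UNIT_SIZE[basic_unit]
    start, end = offset + 4, offset + 4 + count * size
    if end > len(buf):
        raise ValueError(f"arbitrary token: {count} items of {size} bytes do not fit")
    items = list(struct.unpack_from(">" + UNIT_CODE[basic_unit] * count, buf, start))
    return how_to_print, size, items, end


def render_items(how_to_print, size, items):
    """Render the items as the print-format field suggests (what praudit would show)."""
    if how_to_print == AUP_STRING:
        raw = b"".join(v.to_bytes(size, "big") for v in items)
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    formatters = {
        AUP_BINARY: lambda v: format(v, f"0{size * 8}b"),
        AUP_OCTAL: lambda v: format(v, "o"),
        AUP_DECIMAL: lambda v: str(v),
        AUP_HEX: lambda v: format(v, f"0{size * 2}x"),
    }
    if how_to_print not in formatters:
        raise ValueError(f"unknown print format {how_to_print}")
    return " ".join(formatters[how_to_print](v) for v in items)


def build_arbitrary(how_to_print, basic_unit, items):
    """Encode an arbitrary token; used here only to construct sample input."""
    size = UNIT_SIZE[basic_unit]
    fixed = struct.pack(">4B", AUT_ARB, how_to_print, basic_unit, len(items))
    return fixed + b"".join(v.to_bytes(size, "big") for v in items)


def decode(buf):
    """Parse and render a single token; convenience wrapper for the demo below."""
    how, size, items, _ = parse_arbitrary(buf)
    return render_items(how, size, items)


if __name__ == "__main__":
    # Constructed sample tokens: two shorts printed as hex, three bytes as decimal.
    print(decode(build_arbitrary(AUP_HEX, AUR_SHORT, [0x1234, 0xBEEF])))   # 1234 beef
    print(decode(build_arbitrary(AUP_DECIMAL, AUR_BYTE, [1, 2, 3])))       # 1 2 3
```

The size check before unpacking is the part worth keeping: the count field is attacker-independent here (it is written by the kernel), but a record cut short by a full file system looks exactly like an over-long count, and a parser that reads past the token would attribute the next record's bytes to this one.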
arg Token
The arg token contains system call argument information: the argument number of the system call, the argument value, and an optional descriptive text string. This token allows a 32-bit integer system-call argument in an audit record. The arg token has 5 fields: a token ID that identifies this token as an arg token, an argument ID that tells which system call argument the token refers to, the argument value, the length of a descriptive text string, and the text string. Figure A-3 shows the token form.

Figure A-3 arg
attr Token
The attr token contains information from the file vnode. This token has 7 fields: a token ID that identifies this as an attr token, the file access mode and type, the owner user ID, the owner group ID, the file system ID, the inode ID, and the device ID the file might represent. See the statvfs(2) man page for further information about the file system ID and the device ID. This token usually accompanies a path token and is produced during path searches. In the event of a path-search error, this token is not included as part of the audit record, since there is no vnode available from which to obtain the necessary file information. Figure A-4 shows the attr token format.

Figure A-4 attr
exec_args Token
- The exec_args token records the arguments to an exec system call. The exec_args record has two fixed fields: a token ID field that identifies this as an exec_args token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-5 shows an exec_args token.

Figure A-5 exec_args
Note - The exec_args token is output only when the audit policy argv is active. See "Setting Audit Policies" on page 39 for more information.
exec_env Token
- The exec_env token records the current environment variables to an exec system call. The exec_env record has two fixed fields: a token ID field that identifies this as an exec_env token, and a count that represents the number of arguments passed to the exec call. The remainder of the token is composed of zero or more null-terminated strings. Figure A-6 shows an exec_env token.

Figure A-6 exec_env
Note - The exec_env token is output only when the audit policy arge is active. See "Setting Audit Policies" on page 39 for more information.
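As an added example (not from the original manual), the Python below parses the exec_args and exec_env tokens described above: a token ID, a count, and then that many null-terminated strings. It stops with an error rather than a partial list when the data runs out before the count is satisfied, and it shows the one post-processing step a reviewer of exec_env records usually wants, picking out loader-related environment variables. The token IDs and the 4-byte width of the count field are assumptions taken from the BSM audit_record.h header; the sample tokens are constructed.

```python
import struct

# Token IDs and the 4-byte count width are assumptions taken from BSM
# audit_record.h; the page names the tokens and fields but gives no sizes.
AUT_EXEC_ARGS, AUT_EXEC_ENV = 0x3C, 0x3D
FIXED = struct.Struct(">BI")   # token ID, number of strings that follow
KIND = {AUT_EXEC_ARGS: "exec_args", AUT_EXEC_ENV: "exec_env"}


def parse_exec_strings(buf, offset=0):
    """Parse an exec_args or exec_env token: fixed fields, then `count`
    NUL-terminated strings. Returns (kind, strings, next_offset). If the data
    runs out before `count` strings are read, raise instead of returning a
    partial list, so a truncated record is visible to the analyst."""
    if len(buf) - offset < FIXED.size:
        raise ValueError("exec token: fixed fields missing")
    token_id, count = FIXED.unpack_from(buf, offset)
    if token_id not in KIND:
        raise ValueError(f"not an exec_args/exec_env token: 0x{token_id:02x}")
    pos, strings = offset + FIXED.size, []
    for i in range(count):
        nul = buf.find(b"\0", pos)
        if nul < 0:
            raise ValueError(f"{KIND[token_id]}: string {i} of {count} has no terminator")
        strings.append(buf[pos:nul].decode("utf-8", "replace"))
        pos = nul + 1
    return KIND[token_id], strings, pos


def env_to_dict(env_strings):
    """Split exec_env entries of the form NAME=value (a bare NAME gets '')."""
    return {name: value for name, _, value in (s.partition("=") for s in env_strings)}


def loader_overrides(env):
    """Names of LD_* variables present: the entries a reviewer of exec_env
    records wants surfaced, since they change what code an exec will load."""
    return sorted(name for name in env if name.startswith("LD_"))


def build_exec_strings(token_id, strings):
    """Encode a token; used here only to construct sample input."""
    return FIXED.pack(token_id, len(strings)) + b"".join(s.encode() + b"\0" for s in strings)


if __name__ == "__main__":
    # Constructed sample tokens, as the argv and arge policies would produce.
    args = build_exec_strings(AUT_EXEC_ARGS, ["/usr/bin/ls", "-l", "/etc"])
    env = build_exec_strings(AUT_EXEC_ENV, ["PATH=/usr/bin", "LD_PRELOAD=/tmp/hook.so", "TERM"])
    print(parse_exec_strings(args))
    kind, strings, _ = parse_exec_strings(env)
    print(kind, loader_overrides(env_to_dict(strings)))
```

Both tokens only appear when the corresponding policy (argv, arge) is active, so a trail without them says nothing about what was executed beyond the path token; check the policy before concluding that an exec carried no arguments.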
exit Token
- The exit token records the exit status of a program. The exit token contains the exit status of the program and a return value. The status field is the same as that passed to the exit system call. The return value field indicates a system error number or a return value to further describe the exit status. Figure A-7 shows an exit token.

Figure A-7 exit
file Token
- The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to "link" together successive audit files into one audit trail. The file token has four fields: a token ID that identifies this token as a file token, a time and date stamp that identifies the time the file was created or closed, a byte count of the file name including a null terminator, and a field holding the file null-terminated name. Figure A-8 shows a file token.

Figure A-8 file
groups Token (Obsolete)
- This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Note that praudit does not distinguish between the two tokens as both token IDs are labelled groups when ASCII style output is displayed.
- The groups token records the groups entries from the process's credential. The groups token has two fixed fields: a token ID field that identifies this as a groups token and a count that represents the number of groups contained in this audit record. The remainder of the token is composed of zero or more group entries. Figure A-9 shows a groups token.

Figure A-9 groups
Note - The groups token is output only when the audit policy group is active. See "The auditconfig Command" on page 37 for more information.
header Token
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields: a token ID field that identifies this as a header token, a byte count of the total length of the audit record including both header and trailer, a version number that identifies the version of the audit record structure, the audit event ID that identifies the type of audit event the record represents, an event ID modifier that contains ancillary descriptive information concerning the type of the event, and the time and date the record was created. Figure A-10 shows a header token.

Figure A-10 header
The event modifier field has the following flags defined:
| Value | Flag | Meaning |
| 0x4000 | PAD_NOTATTR | nonattributable event |
| 0x8000 | PAD_FAILURE | failed audit event |
in_addr Token
- The in_addr token contains an Internet address. This 4-byte value is an Internet Protocol address. The token has two fields: a token ID that identifies this token as an in_addr token and an Internet address. Figure A-11 shows an in_addr token.

Figure A-11 in_addr
ip Token
The ip token contains a copy of an Internet Protocol header but does not include any IP options. The IP options may be added by including more of the IP header in the token. The token has two fields: a token ID that identifies this as an ip token and a copy of the IP header (all 20 bytes). The IP header structure is defined in /usr/include/netinet/ip.h. Figure A-12 shows an ip token.

Figure A-12 ip
ipc Token
- The ipc token contains the System V IPC message/semaphore/shared-memory handle used by the caller to identify a particular IPC object. This token has three fields: a token ID that identifies this as an ipc token, a type field that specifies the type of the IPC object, and the handle that identifies the IPC object. Figure A-13 shows an ipc token.

Figure A-13 ipc
Note - The IPC object identifiers violate the context-free nature of the Solaris CMW audit tokens. No global "name" uniquely identifies IPC objects; instead, they are identified by their handles, which are valid only during the time the IPC objects are active. The identification should not be a problem since the System V IPC mechanisms are seldom used and they all share the same audit class.
The IPC object type field may have the values shown in Table A-4. The values are defined in /usr/include/bsm/audit.h.
Table A-4
| Name | Value | Description |
| AU_IPC_MSG | 1 | IPC message object |
| AU_IPC_SEM | 2 | IPC semaphore object |
| AU_IPC_SHM | 3 | IPC shared memory object |
ipc_perm Token
- The ipc_perm token contains a copy of the System V IPC access information. This token is added to audit records generated by shared memory, semaphore, and message IPC events. The token has eight fields: a token ID that identifies this token as an ipc_perm token, the user ID of the IPC owner, the group ID of the IPC owner, the user ID of the IPC creator, the group ID of the IPC creator, the access modes of the IPC, the sequence number of the IPC, and the IPC key value. The values are taken from the ipc_perm structure associated with the IPC object. Figure A-14 shows an ipc_perm token format.

Figure A-14 ipc_perm
iport Token
- The iport token contains the TCP (or UDP) port address. The token has two fields: a token ID that identifies this as an iport token and the TCP/UDP port address. Figure A-15 shows an iport token.

Figure A-15 iport
newgroups Token
- This token is the replacement for the groups token. Note that praudit does not distinguish between the two tokens as both token IDs are labelled groups when ASCII output is displayed.
- The newgroups token records the groups entries from the process's credential. The newgroups token has two fixed fields: a token ID field that identifies this as a newgroups token and a count that represents the number of groups contained in this audit record. The remainder of the token is composed of zero or more group entries. Figure A-16 shows a newgroups token.

Figure A-16 newgroups
Note - The newgroups token is output only when the audit policy group is active. See "The auditconfig Command" on page 37 for more information.
opaque Token
- The opaque token contains unformatted data as a sequence of bytes. The token has three fields: a token ID that identifies this as an opaque token, a byte count of the amount of data, and an array of byte data. Figure A-17 shows an opaque token.

Figure A-17 opaque
path Token
- The path token contains access path information for an object. The token contains a token ID and the absolute path to the object based on the real root of the system. The path has the following structure: a byte count of the path length and the path. Figure A-18 shows a path token.

Figure A-18 path
process Token
- The process token contains information describing a process as an object such as the recipient of a signal. The token has 9 fields: a token ID that identifies this token as a process token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. Figure A-19 shows a process token.

Figure A-19 process
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note - The process token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
return Token
The return token contains the return status of the system call (u_error) and the process return value (u_rval1). The token has three fields: a token ID that identifies this token as a return token, the error status of the system call, and the system call return value. This token is always returned as part of kernel-generated audit records for system calls. The token indicates exit status and other return values in application auditing. Figure A-20 shows a return token.

Figure A-20 return
seq Token
- The seq token (sequence token) is an optional token that contains an increasing sequence number. This token is for debugging. The token is added to each audit record when the AUDIT_SEQ policy is active. The seq token has 2 fields: a token ID that identifies this token as a seq token; and a 32-bit unsigned long field that contains the sequence number. The sequence number is incremented every time an audit record is generated and put onto the audit trail. Figure A-21 shows a seq token.

Figure A-21 seq
socket Token
The socket token contains information describing an Internet socket. The socket token has 6 fields: a token ID that identifies this token as a socket token, a socket type field that indicates the type of socket referenced (TCP/UDP/UNIX), the local port address, the local Internet address, the remote port address, and the remote Internet address. The socket type is taken from the designated socket, and the port and Internet addresses are taken from the socket's inpcb control structure. Figure A-22 shows a socket token.

Figure A-22 socket
socket-inet Token
- The socket-inet token describes a socket connection to a local port, which is used to represent the socket information in the Internet namespace. The socket-inet token has 4 fields: a token ID that identifies this token as a socket-inet token, a socket family field that indicates the Internet family (AF_INET, AF_OSI, and so on), the address of the local port, and the address of the socket. Figure A-23 shows a socket-inet token.

Figure A-23 socket-inet
subject Token
The subject token describes a subject (process). The structure is the same as the process token. The token has 9 fields: an ID that identifies this as a subject token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. This token is always returned as part of kernel-generated audit records for system calls. Figure A-24 shows the token.

Figure A-24 subject
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
Note - The subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
text Token
- The text token contains a text string. The token has three fields: a token ID that identifies this token as a text token, the length of the text string, and the text string itself. Figure A-25 shows a text token.

Figure A-25 text
trailer Token
The two tokens, header and trailer, are special in that they mark the endpoints of an audit record and bracket all the other tokens. A header token begins an audit record; a trailer token ends it. The trailer is an optional token that is added as the last token of each record only when the AUDIT_TRAIL audit policy has been set.
The trailer token marks the termination of an audit record and, together with the header token, delimits the record. The trailer token supports backward seeks of the audit trail. The trailer token has three fields: a token ID that identifies this token as a trailer token, a pad number to aid in marking the end of the record, and the total number of characters in the audit record, including both the header and trailer tokens. Figure A-26 shows a trailer token.

Figure A-26 trailer
The audit trail analysis software ensures that each record contains both a header and a trailer. In the case of a write error, as when a file system becomes full, an audit record can be incomplete and truncated. auditsvc, the system call responsible for writing data to the audit trail, attempts to write out complete audit records; see the auditsvc(2) man page. If file system space has run out, the call terminates without releasing the current audit record, so that when the call resumes it can write the truncated record again.
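The header section above lists the header fields and the PAD_NOTATTR/PAD_FAILURE modifier flags, and this section explains that the trailer repeats the byte count so that a reader can confirm a record is complete and that a truncated record can appear after a write error. The Python below is an added example, not code from the manual or from Solaris: it frames records by header and trailer, cross-checks the two byte counts, decodes subject, return and text tokens, and, when a record fails the check, reports it and re-synchronises at the next offset that parses as a complete record. Token IDs, field widths and the trailer pad value are assumptions taken from the classic 32-bit BSM layout in audit_record.h; the sample trail is constructed and uses the event numbers 14 (AUE_ACCESS) and 10 (AUE_CHMOD) listed later in this appendix.

```python
import struct

# Token IDs, field widths and the trailer pad value are assumptions taken from the
# classic 32-bit BSM layout (audit_record.h); the page names the fields but not
# their sizes. PAD_NOTATTR and PAD_FAILURE are the modifier flags the page lists.
AUT_HEADER32, AUT_TRAILER, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT = 0x14, 0x13, 0x24, 0x27, 0x28
TRAILER_PAD = 0xB105
PAD_NOTATTR, PAD_FAILURE = 0x4000, 0x8000
HDR = struct.Struct(">BIBHHII")      # id, byte count, version, event, modifier, sec, msec
SUBJ = struct.Struct(">BIIIIIIIII")  # id, auid, euid, egid, ruid, rgid, pid, sid, tid(port, host)
RET = struct.Struct(">BBI")          # id, errno, return value
TRL = struct.Struct(">BHI")          # id, pad, byte count
SUBJ_KEYS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "host")


def parse_record(buf, offset=0):
    """Parse one header..trailer record at buf[offset]; return (record, next_offset).
    Raise ValueError when the trailer is missing or disagrees with the header."""
    if len(buf) - offset < HDR.size:
        raise ValueError(f"record at {offset}: header incomplete")
    tid, nbytes, version, event, modifier, sec, msec = HDR.unpack_from(buf, offset)
    if tid != AUT_HEADER32:
        raise ValueError(f"record at {offset}: no header token")
    end = offset + nbytes
    if nbytes < HDR.size + TRL.size or end > len(buf):
        raise ValueError(f"record at {offset}: header claims {nbytes} bytes, trail is shorter")
    rec = {"offset": offset, "event": event, "version": version, "time": sec + msec / 1000,
           "failure": bool(modifier & PAD_FAILURE),
           "nonattributable": bool(modifier & PAD_NOTATTR), "tokens": []}
    pos = offset + HDR.size
    while pos < end:
        tid = buf[pos]
        if tid == AUT_SUBJECT32 and pos + SUBJ.size <= end:
            rec["tokens"].append(("subject", dict(zip(SUBJ_KEYS, SUBJ.unpack_from(buf, pos)[1:]))))
            pos += SUBJ.size
        elif tid == AUT_RETURN32 and pos + RET.size <= end:
            _, errno, rval = RET.unpack_from(buf, pos)
            rec["tokens"].append(("return", {"errno": errno, "value": rval}))
            pos += RET.size
        elif tid == AUT_TEXT and pos + 3 <= end:
            length = struct.unpack_from(">H", buf, pos + 1)[0]      # length counts the NUL
            if pos + 3 + length > end:
                raise ValueError(f"record at {offset}: text token overruns record")
            rec["tokens"].append(("text", buf[pos + 3:pos + 3 + length].rstrip(b"\0").decode("ascii", "replace")))
            pos += 3 + length
        elif tid == AUT_TRAILER and pos + TRL.size <= end:
            _, pad, tbytes = TRL.unpack_from(buf, pos)
            if pad != TRAILER_PAD or tbytes != nbytes or pos + TRL.size != end:
                raise ValueError(f"record at {offset}: trailer does not match header")
            return rec, end
        else:
            raise ValueError(f"record at {offset}: unknown or cut-off token 0x{tid:02x} at {pos}")
    raise ValueError(f"record at {offset}: no trailer")


def _parses(buf, offset):
    try:
        parse_record(buf, offset)
        return True
    except ValueError:
        return False


def scan_trail(buf):
    """Walk a trail. A damaged record is reported as a dict with 'damaged': True and
    parsing resumes at the next offset that parses as a complete record, which is
    how an analysis tool recovers from the truncated record the page describes."""
    out, pos = [], 0
    while pos < len(buf):
        try:
            rec, pos = parse_record(buf, pos)
            out.append(rec)
        except ValueError as err:
            out.append({"damaged": True, "offset": pos, "reason": str(err)})
            pos = next(c for c in range(pos + 1, len(buf) + 1)
                       if c == len(buf) or (buf[c] == AUT_HEADER32 and _parses(buf, c)))
    return out


# Builders used only to construct the sample trail below (constructed data).
def build_record(event, modifier, body, sec=1_000_000_000):
    n = HDR.size + len(body) + TRL.size
    return HDR.pack(AUT_HEADER32, n, 2, event, modifier, sec, 0) + body + TRL.pack(AUT_TRAILER, TRAILER_PAD, n)


def subject(auid, euid, egid, pid, sid):
    return SUBJ.pack(AUT_SUBJECT32, auid, euid, egid, auid, egid, pid, sid, 0, 0)


def text(s):
    s = s.encode() + b"\0"
    return struct.pack(">BH", AUT_TEXT, len(s)) + s


def sample_trail():
    """Three records: a success, one cut off inside its trailer (simulating the
    write error the page mentions), then a PAD_FAILURE record with errno 13."""
    ok = build_record(14, 0, subject(1001, 1001, 10, 4321, 1001) + RET.pack(AUT_RETURN32, 0, 0))
    cut = build_record(10, 0, subject(1001, 1001, 10, 4322, 1001) + RET.pack(AUT_RETURN32, 0, 0))[:-3]
    failed = build_record(14, PAD_FAILURE, subject(1001, 0, 0, 4323, 1001)
                          + text("access denied") + RET.pack(AUT_RETURN32, 13, 0xFFFFFFFF))
    return ok + cut + failed


if __name__ == "__main__":
    for r in scan_trail(sample_trail()):
        print(r)
```

Two points of the design matter for forensic use. The header's byte count alone is not trusted: a record is accepted only when a trailer with the right pad value and the same byte count sits exactly where the header says the record ends, which is what lets the reader notice the cut-off record instead of swallowing the start of the next one. And the damaged record is kept in the output rather than dropped, so that a gap in the trail is itself visible to whoever reviews it.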
Audit Records
General Audit Record Structure
The audit records produced by the Basic Security Module have a sequence of tokens. Certain tokens are optional within an audit record, according to the current audit policy. The group, sequence, and trailer tokens fall into this category. The administrator can determine whether these are included in an audit record with the -getpolicy option of the auditconfig command.
"Event-to-System Call Translation" on page 147 includes two tables that list all possible audit events and identify which kernel or user event created each audit event. Table A-5 on page 147 maps audit events to system calls. Table A-6 on page 152 maps audit events to an application or command.
Kernel-Level Generated Audit Records
These audit records are created by system calls that are handled in the kernel. The records are sorted alphabetically by system call. The description of each record includes:
- The name of the system call
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit event class
- The mask for the event class
- The audit record structure
access
- system call..access
- see access(2)
-
-
event ID 14 AUE_ACCESS
event class fa 0x00000004
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
acct
- system call..acct
- see acct(2)
-
-
event ID 18 AUE_ACCT
event class ad 0x00000800
audit record
<path non-zero>
header-token
path-token
[attr-token]
subject-token
return-token
<path zero>
header-token
argument-token (1,"accounting off", 0)
subject-token
return-token
adjtime
- system call..adjtime
- see adjtime(2)
-
-
event ID 50 AUE_ADJTIME
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
audit
- system call..audit
- see audit(2)
-
-
event ID 211 AUE_AUDIT
event class no (0x00000000)
audit record
header-token
subject-token
return-token
-
-
auditon: A_GETCAR
- system call..auditon
- see auditon(2)
-
-
event ID 224 AUE_AUDITON_GETCAR
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETCLASS
- system call..auditon
- see auditon(2)
-
-
event ID 231 AUE_AUDITON_GETCLASS
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETCOND
- system call..auditon
- see auditon(2)
-
-
event ID 229 AUE_AUDITON_GETCOND
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETCWD
- system call..auditon
- see auditon(2)
-
-
event ID 223 AUE_AUDITON_GETCWD
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
-
-
auditon: A_GETKMASK
- system call..auditon
- see auditon(2)
-
-
event ID 221 AUE_AUDITON_GETKMASK
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETSTAT
- system call..auditon
- see auditon(2)
-
-
event ID 225 AUE_AUDITON_GETSTAT
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETPOLICY
- system call..auditon
- see auditon(2)
-
-
event ID 114 AUE_AUDITON_GPOLICY
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_GETQCTRL
- system call..auditon
- see auditon(2)
-
-
event ID 145 AUE_AUDITON_GQCTRL
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
-
-
auditon: A_SETCLASS
- system call..auditon
- see auditon(2)
-
-
event ID 232 AUE_AUDITON_SETCLASS
event class ad (0x00000800)
audit record
header-token
[argument-token] (2,"setclass:ec_event",event number)
[argument-token] (3,"setclass:ec_class",class mask)
subject-token
return-token
auditon: A_SETCOND
- system call..auditon
- see auditon(2)
-
-
event ID 230 AUE_AUDITON_SETCOND
event class ad (0x00000800)
audit record
header-token
[argument-token] (3,"setcond",audit state)
subject-token
return-token
auditon: A_SETKMASK
- system call..auditon
- see auditon(2)
-
-
event ID 222 AUE_AUDITON_SETKMASK
event class ad (0x00000800)
audit record
header-token
[argument-token] (2,"setkmask:as_success",kernel mask)
[argument-token] (2,"setkmask:as_failure",kernel mask)
subject-token
return-token
auditon: A_SETSMASK
- system call..auditon
- see auditon(2)
-
-
event ID 228 AUE_AUDITON_SETSMASK
event class ad (0x00000800)
audit record
header-token
[argument-token] (3,"setsmask:as_success",session ID mask)
[argument-token] (3,"setsmask:as_failure",session ID mask)
subject-token
return-token
auditon: A_SETSTAT
- system call..auditon
- see auditon(2)
-
-
event ID 226 AUE_AUDITON_SETSTAT
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
auditon: A_SETUMASK
- system call..auditon
- see auditon(2)
-
-
event ID 227 AUE_AUDITON_SETUMASK
event class ad (0x00000800)
audit record
header-token
[argument-token] (3,"setumask:as_success",audit ID mask)
[argument-token] (3,"setumask:as_failure",audit ID mask)
subject-token
return-token
auditon: A_SETPOLICY
- system call..auditon
- see auditon(2)
-
-
event ID 142 AUE_AUDITON_SPOLICY
event class ad (0x00000800)
audit record
header-token
[argument-token] (1,"policy",audit policy flags)
subject-token
return-token
-
-
auditon: A_SETQCTRL
- system call..auditon
- see auditon(2)
-
-
event ID 146 AUE_AUDITON_SQCTRL
event class ad (0x00000800)
audit record
header-token
[argument-token] (3,"setqctrl:aq_hiwater",queue control param.)
[argument-token] (3,"setqctrl:aq_lowater",queue control param.)
[argument-token] (3,"setqctrl:aq_bufsz",queue control param.)
[argument-token] (3,"setqctrl:aq_delay",queue control param.)
subject-token
return-token
auditsvc
- system call..auditsvc
- see auditsvc(2)
-
-
event ID 136 AUE_AUDITSVC
event class ad (0x00000800)
audit record
<valid file descriptor>
header-token
[path-token]
[attr-token]
subject-token
return-token
<invalid file descriptor>
header-token
argument-token (1, "no path: fd",fd)
subject-token
return-token
chdir
- system call..chdir
- see chdir(2)
-
-
event ID 8 AUE_CHDIR
event class pc 0x00000080
audit record
header-token
path-token
[attr-token]
subject-token
return-token
chmod
- system call..chmod
- see chmod(2)
-
-
event ID 10 AUE_CHMOD
event class fm 0x00000008
audit record
header-token
argument-token (2,"new file mode", mode)
path-token
[attr-token]
subject-token
return-token
chown
- system call..chown
- see chown(2)
-
-
event ID 11 AUE_CHOWN
event class fm 0x00000008
audit record
header-token
argument-token (2,"new file uid", uid)
argument-token (3,"new file gid", gid)
path-token
[attr-token]
subject-token
return-token
chroot
- system call..chroot
- see chroot(2)
-
-
event ID 24 AUE_CHROOT
event class pc 0x00000080
audit record
header-token
path-token
[attr-token]
subject-token
return-token
close [1]
- system call..close
- see close(2)
event ID 112 AUE_CLOSE
event class cl 0x00000040
audit record
<file system object>
header-token
argument-token [2][3] (1,"fd",file descriptor)
[path-token] [4]
[attr-token]
subject-token
return-token
1. Also for files closed on process termination.
2. Only present with close() system call.
3. This token may be removed in future releases.
4. Only with valid file descriptors.
creat
- system call..creat
- see creat(2)
event ID 4 AUE_CREAT
event class fc 0x00000010
audit record
header-token
path-token
[attr-token]
subject-token
return-token
enter prom
- system call..---
event ID 153 AUE_ENTERPROM
event class na (0x00000400)
audit record
header-token
text-token (addr,"monitor PROM"|"kadb")
subject-token
return-token
exec
- system call..exec
- see exec(2)
-
-
event ID 7 AUE_EXEC
event class pc,ex 0x40000080
audit record
header-token
path-token
[attr-token]
subject-token
return-token
execve
- system call..execve
- see exec(2)
-
-
event ID 23 AUE_EXECVE
event class pc,ex 0x40000080
audit record
header-token
path-token
[attr-token]
subject-token
return-token
exit prom
- system call..---
-
-
event ID 154 AUE_EXITPROM
event class na (0x00000400)
audit record
header-token
text-token (addr,"monitor PROM"|"kadb")
subject-token
return-token
-
-
exit
- system call..exit
- see exit(2)
-
-
event ID 1 AUE_EXIT
event class pc 0x00000080
audit record
header-token
subject-token
return-token
fchdir
- system call..fchdir
- see chdir(2)
-
-
event ID 68 AUE_FCHDIR
event class pc 0x00000080
audit record
header-token
[path-token]
[attr-token]
subject-token
return-token
fchmod
- system call..fchmod
- see chmod(2)
-
-
event ID 39 AUE_FCHMOD
event class fm 0x00000008
audit record
<valid file descriptor>
header-token
argument-token (2,"new file mode", mode)
[path-token]
[attr-token]
subject-token
return-token
<invalid file descriptor>
header-token
argument-token (2,"new file mode", mode)
argument-token (1, "no path: fd",fd)
subject-token
return-token
-
-
fchown
- system call..fchown
- see chown(2)
-
-
event ID 38 AUE_FCHOWN
event class fm 0x00000008
audit record
<valid file descriptor>
header-token
argument-token (2,"new file uid",uid)
argument-token (3,"new file gid",gid)
[path-token]
[attr-token]
subject-token
return-token
<non-file descriptor>
header-token
argument-token (2,"new file uid",uid)
argument-token (3,"new file gid",gid)
argument-token (1,"no path: fd",fd)
subject-token
return-token
fchroot
- system call..fchroot
- see chroot(2)
-
-
event ID 69 AUE_FCHROOT
event class pc 0x00000080
audit record
header-token
[path-token]
[attr-token]
subject-token
return-token
fcntl
- system call fcntl
- see fcntl(2)
-
-
event ID 30 AUE_FCNTL (cmd=F_GETLK, F_SETLK,F_SETLKW)
event class fm 0x00000008
audit record
<bad file descriptor>
header-token
argument-token (2,"cmd",cmd)
argument-token (1,"no path: fd",fd)
subject-token
return-token
<file descriptor>
header-token
argument-token (2,"cmd",cmd)
path-token
attr-token
subject-token
return-token
fork
- system call..fork
- see fork(2)
-
-
event ID 2 AUE_FORK
event class pc (0x00000080)
audit record
header-token
[argument-token] (0,"child PID",pid)
subject-token
return-token
fork1
- system call..fork1
- see fork(2)
-
-
event ID 241 AUE_FORK1
event class pc (0x00000080)
audit record
header-token
[argument-token] (0,"child PID",pid)
subject-token
return-token
1. Note that the fork() return values are undefined since the audit record is produced at the point that the child process is spawned.
2. Note that the fork1() return values are undefined since the audit record is produced at the point that the child process is spawned.
fstatfs
- system call..fstatfs
- see statvfs(2)
event ID 55 AUE_FSTATFS
getaudit
- system call..getaudit
- see getaudit(2)
event ID 132 AUE_GETAUDIT
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
getauid
- system call..getauid
- see getauid(2)
-
-
event ID 130 AUE_GETAUID
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
-
-
getmsg
- system call..getmsg
- see getmsg(2)
-
-
event ID 217 AUE_GETMSG
event class nt (0x00000100)
audit record
header-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
getmsg: socket accept
- system call..getmsg
- see getmsg(2)
-
-
event ID 247 AUE_SOCKACCEPT
event class nt (0x00000100)
audit record
header-token
socket-inet-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
getmsg: socket receive
- system call..getmsg
- see getmsg(2)
-
-
event ID 250 AUE_SOCKRECEIVE
event class nt (0x00000100)
audit record
header-token
socket-inet-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
-
-
getpmsg
- system call..getpmsg
- see getmsg(2)
-
-
event ID 219 AUE_GETPMSG
event class nt (0x00000100)
audit record
header-token
argument-token (1,"fd",file descriptor)
subject-token
return-token
getportaudit
- system call..getportaudit
event ID 149 AUE_GETPORTAUDIT
ioctl
- system call..ioctl
- see ioctl(2)
event ID 158 AUE_IOCTL
event class io (0x20000000)
audit record
<good file descriptor>
header-token
path-token
[attr-token]
argument-token (2,"cmd", ioctl cmd)
argument-token (3,"arg", ioctl arg)
subject-token
return-token
<socket>
header-token
[socket-token]
argument-token (2,"cmd", ioctl cmd)
argument-token (3,"arg", ioctl arg)
subject-token
return-token
<non-file file descriptor>
header-token
argument-token (1,"fd", file descriptor)
argument-token (2,"cmd", ioctl cmd)
argument-token (3,"arg", ioctl arg)
subject-token
return-token
<bad file name>
header-token
argument-token (1,"no path: fd", fd)
argument-token (2,"cmd", ioctl cmd)
argument-token (3,"arg", ioctl arg)
subject-token
return-token
kill
- system call..kill
- see kill(2)
-
-
event ID 15 AUE_KILL
event class pc (0x00000080)
audit record
<valid process>
header-token
argument-token (2,"signal",signo)
[process-token]
subject-token
return-token
<zero or negative process>
header-token
argument-token (2,"signal",signo)
argument-token (1,"process",pid)
subject-token
return-token
lchown
- system call..lchown
- see chown(2)
event ID 237 AUE_LCHOWN
event class fm 0x00000008
audit record
header-token
argument-token (2,"new file uid", uid)
argument-token (3,"new file gid", gid)
path-token
[attr-token]
subject-token
return-token
link
- system call..link
- see link(2)
-
-
event ID 5 AUE_LINK
event class fc (0x00000010)
audit record
header-token
path-token (from path)
[attr-token] (from path)
path-token (to path)
subject-token
return-token
lstat
- system call..lstat
- see stat(2)
-
-
event ID 17 AUE_LSTAT
event class fa (0x00000004)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
lxstat
- system call..lxstat
-
-
event ID 236 AUE_LXSTAT
event class fa (0x00000004)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
memcntl
- system call..memcntl
- see memcntl(2)
-
-
event ID 238 AUE_MEMCNTL
event class ot (0x80000000)
audit record
header-token
argument-token (1,"base",base address)
argument-token (2,"len",length)
argument-token (3,"cmd",command)
argument-token (4,"arg",command args)
argument-token (5,"attr",command attributes)
argument-token (6,"mask",0)
subject-token
return-token
mkdir
- system call..mkdir
- see mkdir(2)
-
-
event ID 47 AUE_MKDIR
event class fc (0x00000010)
audit record
header-token
argument-token (2,"mode",mode)
path-token
[attr-token]
subject-token
return-token
mknod
- system call..mknod
- see mknod(2)
-
-
event ID 9 AUE_MKNOD
event class fc (0x00000010)
audit record
header-token
argument-token (2,"mode",mode)
argument-token (3,"dev",dev)
path-token
[attr-token]
subject-token
return-token
-
-
mmap
- system call..mmap
- see mmap(2)
-
-
event ID 210 AUE_MMAP
event class no (0x00000000)
audit record
<valid file descriptor>
header-token
argument-token (1,"addr",segment address)
argument-token (2,"len",segment length)
[path-token]
[attr-token]
subject-token
return-token
<invalid file descriptor>
header-token
argument-token (1,"addr",segment address)
argument-token (2,"len",segment length)
argument-token (1,"no path: fd",fd)
subject-token
return-token
modctl: MODADDMAJBIND
- system call..modctl
-
-
event ID 246 AUE_MODADDMAJ
event class ad (0x00000800)
audit record
header-token
[text-token] (driver major number)
[text-token] (driver name)
text-token (root dir.|"no rootdir")
text-token (driver major number|"no drvname")
argument-token (5,"",number of aliases)
(0..n) [text-token] (aliases)
subject-token
return-token
-
-
modctl: MODCONFIG
- system call..modctl
-
-
event ID 245 AUE_MODCONFIG
modctl: MODLOAD
- system call..modctl
-
-
event ID 243 AUE_MODLOAD
modctl: MODUNLOAD
- system call..modctl
-
-
event ID 244 AUE_MODUNLOAD
event class ad (0x00000800)
audit record
header-token
argument-token (1,"id", module ID)
subject-token
return-token
-
-
mount
- system call..mount
- see mount(2)
-
-
event ID 62 AUE_MOUNT
event class ad (0x00000800)
audit record
<unix filesystem>
header-token
argument-token (3,"flags",flags)
text-token (filesystem type)
path-token
[attr-token]
subject-token
return-token
<nfs filesystem>
header-token
argument-token (3,"flags",flags)
text-token (filesystem type)
text-token (host name)
argument-token (3,"internal flags",flags)
msgctl: IPC_RMID
- system call..msgctl
- see msgctl(2)
-
-
event ID 85 AUE_MSGCTL_RMID
event class ip (0x00000200)
audit record
header-token
argument-token (1,"msg ID",message ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
msgctl: IPC_SET
- system call..msgctl
- see msgctl(2)
-
-
event ID 86 AUE_MSGCTL_SET
event class ip (0x00000200)
audit record
header-token
argument-token (1,"msg ID",message ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
msgctl: IPC_STAT
- system call..msgctl
- see msgctl(2)
-
-
event ID 87 AUE_MSGCTL_STAT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"msg ID",message ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
msgget
- system call..msgget
- see msgget(2)
-
-
event ID 88 AUE_MSGGET
event class ip (0x00000200)
audit record
header-token
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
msgrcv
- system call..msgrcv
- see msgop(2)
-
-
event ID 89 AUE_MSGRCV
event class ip (0x00000200)
audit record
header-token
argument-token (1,"msg ID",message ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
msgsnd
- system call..msgsnd
- see msgop(2)
-
-
event ID 90 AUE_MSGSND
event class ip (0x00000200)
audit record
header-token
argument-token (1,"msg ID",message ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the msg ID is invalid.
-
-
munmap
- system call..munmap
- see munmap(2)
-
-
event ID 214 AUE_MUNMAP
event class cl (0x00000040)
audit record
header-token
argument-token (1,"addr",address of memory)
argument-token (2,"len",memory segment size)
subject-token
return-token
nice
- system call..nice
- see nice(2)
-
-
event ID 203 AUE_NICE
event class pc (0x00000080)
audit record
header-token
subject-token
return-token
-
-
open: read
- system call..open
- see open(2)
-
-
event ID 72 AUE_OPEN_R
event class fr (0x00000001)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: read, create
- system call..open
- see open(2)
-
-
event ID 73 AUE_OPEN_RC
event class fc,fr (0x00000011)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: read,create,truncate
- system call..open
- see open(2)
-
-
event ID 75 AUE_OPEN_RTC
event class fc,fd,fr (0x00000031)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
open: read, truncate
- system call..open
- see open(2)
-
-
event ID 74 AUE_OPEN_RT
event class fd,fr (0x00000021)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: read, write
- system call..open
- see open(2)
-
-
event ID 80 AUE_OPEN_RW
event class fr,fw (0x00000003)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: read,write,create
- system call..open
- see open(2)
-
-
event ID 81 AUE_OPEN_RWC
event class fr,fw,fc (0x00000013)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: read,write,create,truncate
- system call..open
- see open(2)
-
-
event ID 83 AUE_OPEN_RWTC
event class fr,fw,fc,fd (0x00000033)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
open: read,write,truncate
- system call..open
- see open(2)
-
-
event ID 82 AUE_OPEN_RWT
event class fr,fw,fd (0x00000023)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: write
- system call..open
- see open(2)
-
-
event ID 76 AUE_OPEN_W
event class fw (0x00000002)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: write,create
- system call..open
- see open(2)
-
-
event ID 77 AUE_OPEN_WC
event class fw,fc (0x00000012)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
open: write,create,truncate
- system call..open
- see open(2)
-
-
event ID 79 AUE_OPEN_WTC
event class fw,fc,fd (0x00000032)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
open: write,truncate
- system call..open
- see open(2)
-
-
event ID 78 AUE_OPEN_WT
event class fw,fd (0x00000022)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
pathconf
- system call..pathconf
- see fpathconf(2)
-
-
event ID 71 AUE_PATHCONF
pipe
- system call..pipe
- see pipe(2)
-
-
event ID 185 AUE_PIPE
event class no (0x00000000)
audit record
header-token
subject-token
return-token
-
-
priocntl
- system call..priocntl
- see priocntl(2)
-
-
event ID 212 AUE_PRIOCNTLSYS
event class pc (0x00000080)
audit record
header-token
argument-token (1,"pc_version",priocntl version num.)
argument-token (3,"cmd",command)
subject-token
return-token
process dumped core
- system call..---
-
-
event ID 111 AUE_CORE
putmsg
- system call..putmsg
- see putmsg(2)
-
-
event ID 216 AUE_PUTMSG
event class nt (0x00000100)
audit record
header-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
-
-
putmsg: socket connect
- system call..putmsg
- see putmsg(2)
-
-
event ID 248 AUE_SOCKCONNECT
event class nt (0x00000100)
audit record
header-token
socket-inet-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
putmsg: socket send
- system call..putmsg
- see putmsg(2)
-
-
event ID 249 AUE_SOCKSEND
event class nt (0x00000100)
audit record
header-token
socket-inet-token
argument-token (1,"fd",file descriptor)
argument-token (4,"pri",priority)
subject-token
return-token
putpmsg
- system call..putpmsg
- see putmsg(2)
-
-
event ID 218 AUE_PUTPMSG
event class nt (0x00000100)
audit record
header-token
argument-token (1,"fd",file descriptor)
subject-token
return-token
readlink
- system call..readlink
- see readlink(2)
-
-
event ID 22 AUE_READLINK
event class fr (0x00000001)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
rename
- system call..rename
- see rename(2)
-
-
event ID 42 AUE_RENAME
event class fc,fd (0x00000030)
audit record
header-token
path-token (from name)
[attr-token] (from name)
[path-token] (to name)
subject-token
return-token
rmdir
- system call...rmdir
- see rmdir(2)
-
-
event ID 48 AUE_RMDIR
event class fd (0x00000020)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
semctl: GETALL
- system call...semctl
- see semctl(2)
-
-
event ID 105 AUE_SEMCTL_GETALL
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: GETNCNT
- system call..semctl
- see semctl(2)
-
-
event ID 102 AUE_SEMCTL_GETNCNT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: GETPID
- system call..semctl
- see semctl(2)
-
-
event ID 103 AUE_SEMCTL_GETPID
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: GETVAL
- system call..semctl
- see semctl(2)
-
-
event ID 104 AUE_SEMCTL_GETVAL
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: GETZCNT
- system call..semctl
- see semctl(2)
-
-
event ID 106 AUE_SEMCTL_GETZCNT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: IPC_RMID
- system call..semctl
- see semctl(2)
-
-
event ID 99 AUE_SEMCTL_RMID
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: IPC_SET
- system call..semctl
- see semctl(2)
-
-
event ID 100 AUE_SEMCTL_SET
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: SETALL
- system call..semctl
- see semctl(2)
-
-
event ID 108 AUE_SEMCTL_SETALL
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: SETVAL
- system call..semctl
- see semctl(2)
-
-
event ID 107 AUE_SEMCTL_SETVAL
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
semctl: IPC_STAT
- system call..semctl
- see semctl(2)
-
-
event ID 101 AUE_SEMCTL_STAT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]
subject-token
return-token
-
-
semget
- system call..semget
- see semget(2)
-
-
event ID 109 AUE_SEMGET
event class ip (0x00000200)
audit record
header-token
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the system call failed.
-
-
semop
- system call..semop
- see semop(2)
-
-
event ID 110 AUE_SEMOP
event class ip (0x00000200)
audit record
header-token
argument-token (1,"sem ID",semaphore ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the semaphore ID is invalid.
-
-
setaudit
- system call..setaudit
- see getaudit(2)
-
-
event ID 133 AUE_SETAUDIT
event class ad (0x00000800)
audit record
<valid program stack address>
header-token
argument-token (1,"setaudit:auid",audit user ID)
argument-token (1,"setaudit:port",terminal ID)
argument-token (1,"setaudit:machine",terminal ID)
argument-token (1,"setaudit:as_success",preselection mask)
argument-token (1,"setaudit:as_failure",preselection mask)
argument-token (1,"setaudit:asid",audit session ID)
subject-token
return-token
<invalid program stack address>
header-token
subject-token
return-token
-
-
setauid
- system call..setauid
- see getauid(2)
-
-
event ID 131 AUE_SETAUID
event class ad (0x00000800)
audit record
header-token
argument-token (2,"setauid",audit user ID)
subject-token
return-token
setegid
- system call..setegid
- see setuid(2)
-
-
event ID 214 AUE_SETEGID
event class pc (0x00000080)
audit record
header-token
argument-token (1,"gid",group ID)
subject-token
return-token
seteuid
- system call...seteuid
- see setuid(2)
-
-
event ID 215 AUE_SETEUID
event class pc (0x00000080)
audit record
header-token
argument-token (1,"gid",user ID)
subject-token
return-token
-
-
setgid
- system call..setgid
- see setuid(2)
-
-
event ID 205 AUE_SETGID
event class pc (0x00000080)
audit record
header-token
argument-token (1,"gid",group ID)
subject-token
return-token
setgroups
- system call..setgroups
- see getgroups(2)
-
-
event ID 26 AUE_SETGROUPS
event class pc (0x00000080)
audit record
header-token
[argument-token]1 (1,"setgroups",group ID)
subject-token
return-token
- 1. One token for each group set.
-
-
setpgrp
- system call..setpgrp
- see setpgrp(2)
-
-
event ID 27 AUE_SETPGRP
event class pc (0x00000080)
audit record
header-token
subject-token
return-token
-
-
setrlimit
- system call..setrlimit
- see getrlimit(2)
-
-
event ID 51 AUE_SETRLIMIT
setuid
- system call..setuid
- see setuid(2)
-
-
event ID 200 AUE_OSETUID1
event class pc (0x00000080)
audit record
header-token
argument-token (1,"uid",user ID)
subject-token
return-token
- 1. Due to a current bug in the audit software, this token is reported as AUE_OSETUID.
-
-
shmat
- system call..shmat
- see shmop(2)
-
-
event ID 96 AUE_SHMAT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"shmid",shared memory ID)
argument-token (2,"shmaddr",shared mem addr)
[ipc-token]1
[ipc_perm-token]
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
-
-
shmctl: IPC_RMID
- system call..shmctl
- see shmctl(2)
-
-
event ID 92 AUE_SHMCTL_RMID
event class ip (0x00000200)
audit record
header-token
argument-token (1,"shmid",shared memory ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
-
-
shmctl: IPC_SET
- system call..shmctl
- see shmctl(2)
-
-
event ID 93 AUE_SHMCTL_SET
event class ip (0x00000200)
audit record
header-token
argument-token (1,"shmid",shared memory ID)
[ipc-token]1
[ipc_perm-token]
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
-
-
shmctl: IPC_STAT
- system call..shmctl
- see shmctl(2)
-
-
event ID 94 AUE_SHMCTL_STAT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"shmid",shared memory ID)
[ipc-token]1
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included if the shared memory segment ID is invalid.
-
-
shmdt
- system call..shmdt
- see shmop(2)
-
-
event ID 97 AUE_SHMDT
event class ip (0x00000200)
audit record
header-token
argument-token (1,"shmaddr",shared mem addr)
subject-token
return-token
shmget
- system call..shmget
- see shmget(2)
-
-
event ID 95 AUE_SHMGET
event class ip (0x00000200)
audit record
header-token
argument-token (0,"shmid",shared memory ID)
[ipc-token]1
[ipc_perm-token]
subject-token
return-token
- 1. The ipc and ipc_perm tokens are not included for failed events.
-
-
stat
- system call..stat
- see stat(2)
-
-
event ID 16 AUE_STAT
event class fa (0x00000004)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
statfs
- system call..statfs
- 4.x call, see statvfs(2)
-
-
event ID 54 AUE_STATFS
statvfs
- system call..statvfs
- see statvfs(2)
-
-
event ID 234 AUE_STATVFS
event class fa (0x00000004)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
stime
- system call..stime
- see stime(2)
-
-
event ID 201 AUE_STIME
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
-
-
symlink
- system call..symlink
- see symlink(2)
-
-
event ID 21 AUE_SYMLINK
event class fc (0x00000010)
audit record
header-token
text-token (symbolic link string)
path-token
[attr-token]
subject-token
return-token
sysinfo
- system call..sysinfo
- see sysinfo(2)
-
-
event ID 239 AUE_SYSINFO
event class ad (0x00000800)
audit record
header-token
argument-token (1,"cmd",command)
text-token (name)
subject-token
return-token
system booted
- system call..---
-
-
event ID 113 AUE_SYSTEMBOOT
umount: old version
- system call..umount
- see umount(2)
-
-
event ID 12 AUE_UMOUNT
event class ad (0x00000800)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
unlink
- system call..unlink
- see unlink(2)
-
-
event ID 6 AUE_UNLINK
event class fd (0x00000020)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
utime
- system call..utime
- see utime(2)
-
-
event ID 202 AUE_UTIME
event class fm (0x00000008)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
utimes
- system call..utimes
- see utimes(2)
-
-
event ID 49 AUE_UTIMES
event class fm (0x00000008)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
utssys - fusers
- system call..utssys
-
-
event ID 233 AUE_UTSSYS
vfork
- system call..vfork
- see vfork(2)
-
-
event ID 25 AUE_VFORK
event class pc (0x00000080)
audit record
header-token
argument-token (0,"child PID",pid)
subject-token
return-token1
- 1. Note that the fork return values are undefined since the audit record is produced at the point that the child process is spawned.
vtrace
- system call..vtrace
-
-
event ID 36 AUE_VTRACE
xmknod
- system call..xmknod
-
-
event ID 240 AUE_XMKNOD
event class fc (0x00000010)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
-
-
xstat
- system call..xstat
-
-
event ID 235 AUE_XSTAT
event class fa (0x00000004)
audit record
header-token
path-token
[attr-token]
subject-token
return-token
User-Level Generated Audit Records
- These audit records are created by applications that operate outside the kernel. The records are sorted alphabetically by program. The description of each record includes
-
- The name of the program
- A man page reference (if appropriate)
- The audit event number
- The audit event name
- The audit record structure
-
-
allocate: device allocate
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6200 AUE_allocate_succ
event class ad (0x00000800)
audit record
header-token
subject-token
newgroups-token
exit-token
-
-
allocate: device allocate failure
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6201 AUE_allocate_fail
allocate: deallocate device
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6202 AUE_deallocate_succ
allocate: deallocate device failure
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6203 AUE_deallocate_fail
allocate: list device
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6205 AUE_listdevice_succ
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
-
-
allocate: list device failure
- program.../usr/sbin/allocate
- see allocate(1M)
-
-
event ID 6206 AUE_listdevice_fail
at: create crontab
- program.../usr/bin/at
- see at(1)
-
-
event ID 6144 AUE_at_create
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
at: delete atjob
- program.../usr/bin/at
- see at(1)
-
-
event ID 6145 AUE_at_delete
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
at: at-permission
- program.../usr/bin/at
- see at(1)
-
-
event ID 6146 AUE_at_perm
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
-
-
crontab: crontab created
- program.../usr/bin/crontab
- see crontab(1)
-
-
event ID 6148 AUE_crontab_create
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
crontab: crontab deleted
- program.../usr/bin/crontab
- see crontab(1)
-
-
event ID 6149 AUE_crontab_delete
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
crontab: cron-invoke atjob or crontab
- program.../usr/bin/crontab
- see crontab(1)
-
-
event ID 6147 AUE_cron_invoke
event class ad (0x00000800)
audit record
header-token
subject-token
text-token (program)
text-token (shell)
text-token (cmd)
exit-token
-
-
crontab: crontab-permission
- program.../usr/bin/crontab
- see crontab(1)
-
-
event ID 6150 AUE_crontab_perm
event class ad (0x00000800)
audit record
header-token
subject-token
[group-token]
exit-token
halt
- program.../usr/sbin/halt
- see halt(1M)
-
-
event ID 6160 AUE_halt_solaris
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
inetd
- program.../usr/sbin/inetd
- see inetd(1M)
-
-
event ID 6151 AUE_inetd_connect
event class na (0x00000400)
audit record
header-token
subject-token
text-token (service name)
return-token
in.ftpd
- program.../usr/sbin/in.ftpd
- see in.ftpd(1M)
-
-
event ID 6165 AUE_ftpd
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (error message, failure only)
return-token
-
-
login: terminal login
- program.../usr/bin/login
- see login(1)
-
-
event ID 6152 AUE_login
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (error message)
return-token
login: rlogin
- program.../usr/bin/login
- see login(1)
-
-
event ID 6155 AUE_rlogin
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (error message)
return-token
login: telnet login
- program.../usr/bin/login
- see login(1)
-
-
event ID 6154 AUE_telnet
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (error message)
return-token
login: logout
- program.../usr/bin/login
- see login(1)
-
-
event ID 6153 AUE_logout
event class lo (0x00001000)
audit record
header-token
subject-token
return-token
-
-
mountd: NFS mount
- program.../usr/lib/nfs/mountd
- see mountd(1M)
-
-
event ID 6156 AUE_mountd_mount
event class na (0x00000400)
audit record
header-token
subject-token
text-token (remote client hostname)
path-token (mount dir)
text-token (error message, failure only)
return-token
mountd: NFS unmount request
- program.../usr/lib/nfs/mountd
- see mountd(1M)
-
-
event ID 6157 AUE_mountd_umount
event class na (0x00000400)
audit record
header-token
subject-token
text-token (remote client hostname)
path-token (mount dir)
text-token (error message, failure only)
return-token
passwd
- program.../usr/bin/passwd
- see passwd(1)
-
-
event ID 6163 AUE_passwd
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (error message)
return-token
reboot
- program.../usr/sbin/reboot
- see reboot(1M)
-
-
event ID 6161 AUE_reboot_solaris
event class ad (0x00000800)
audit record
header-token
subject-token
return-token
-
-
rpc.rexd
- program.../usr/sbin/rpc.rexd
- see rpc.rexd(1M)
-
-
event ID 6164 AUE_rexd
in.rexecd
- program.../usr/sbin/in.rexecd
- see in.rexecd(1M)
-
-
event ID 6162 AUE_rexecd
in.rshd
- program.../usr/sbin/in.rshd
- see in.rshd(1M)
-
-
event ID 6158 AUE_rshd
event class lo (0x00001000)
audit record
header-token
subject-token
text-token (command string)
text-token (local user)
text-token (remote user)
return-token
-
-
su
- program.../usr/bin/su
- see su(1M)
-
-
event ID 6159 AUE_su
event class lo (0x00001000)
audit record
header-token
text-token (error message)
subject-token
return-token
Event-to-System Call Translation
-
Table A-5 on page 147 associates an audit event name with the system call or kernel event that created it. Table A-6 on page 152 associates an audit event with the application or command that generated it.
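Every entry above carries an event class and its bitmask, and the setaudit record carries the as_success and as_failure preselection masks that decide which of those events get written. The following is an added example, not code from this manual: the class table is transcribed from the appendix's "event class" lines, the sample event list and the mask values are constructed, and the rule that an event is selected when any of its class bits is set in the applicable mask is the assumption the code states.

```python
import re

# Audit event classes and their bitmasks, transcribed from the "event class"
# lines of this appendix (for example "event class fr (0x00000001)").
# Table order matches the order in which the appendix lists combined classes.
CLASS_MASKS = {
    "fr": 0x00000001,
    "fw": 0x00000002,
    "fa": 0x00000004,
    "fm": 0x00000008,
    "fc": 0x00000010,
    "fd": 0x00000020,
    "cl": 0x00000040,
    "pc": 0x00000080,
    "nt": 0x00000100,
    "ip": 0x00000200,
    "na": 0x00000400,
    "ad": 0x00000800,
    "lo": 0x00001000,
    "ot": 0x80000000,
    "no": 0x00000000,  # mask of zero: never selected by any preselection mask
}

# A handful of entries from this appendix (event ID, class abbreviations),
# constructed here as sample input for the preselection check below.
SAMPLE_EVENTS = {
    "AUE_OPEN_RTC": (75, ("fc", "fd", "fr")),
    "AUE_MMAP": (210, ("no",)),
    "AUE_SETAUID": (131, ("ad",)),
    "AUE_SEMOP": (110, ("ip",)),
    "AUE_login": (6152, ("lo",)),
}

# Accepts both "event class ad (0x00000800)" and the unparenthesised form.
_CLASS_LINE = re.compile(r"event class ([a-z,]+) \(?(0x[0-9a-fA-F]+)\)?")


def class_mask(classes):
    """OR together the masks of the named classes: ("fc","fd","fr") -> 0x31."""
    mask = 0
    for name in classes:
        if name not in CLASS_MASKS:
            raise ValueError(f"unknown audit class {name!r}")
        mask |= CLASS_MASKS[name]
    return mask


def decode_mask(mask):
    """Name the classes whose bits are set in mask, in table order.

    A zero mask decodes to ["no"]; bits that belong to no listed class
    are reported as an error rather than silently dropped.
    """
    if mask == 0:
        return ["no"]
    names = [n for n, m in CLASS_MASKS.items() if m and mask & m == m]
    unknown = mask & ~class_mask(names)
    if unknown:
        raise ValueError(f"bits 0x{unknown:08x} match no known class")
    return names


def check_event_class_line(line):
    """True if an "event class ..." line's hex value is the OR of the classes
    it lists, e.g. "event class fc,fd,fr (0x00000031)"."""
    m = _CLASS_LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not an event class line: {line!r}")
    return class_mask(m.group(1).split(",")) == int(m.group(2), 16)


def is_preselected(classes, as_success, as_failure, succeeded):
    """Would an event in these classes be recorded under the preselection
    masks carried by the setaudit record?  as_success applies to calls that
    succeeded, as_failure to calls that failed.  Assumed rule: the event is
    recorded when any of its class bits is set in the applicable mask."""
    mask = as_success if succeeded else as_failure
    return bool(class_mask(classes) & mask)


def selected_events(as_success, as_failure, succeeded=True):
    """Names of the sample events that the given masks would record."""
    return sorted(name for name, (_, classes) in SAMPLE_EVENTS.items()
                  if is_preselected(classes, as_success, as_failure, succeeded))
```

With as_success=0x1800 and as_failure=0x0003, successful events are recorded only in the ad and lo classes while failures are recorded for any fr or fw event, so a failed open: read,create,truncate is kept and a successful one is not.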
-
-
-
-
Table A-5 (4 of 6)
| Audit Event | System Call |
| AUE_MSGRCV | "msgrcv" on page 117 |
| AUE_MSGSND | "msgsnd" on page 118 |
| AUE_MUNMAP | "munmap" on page 118 |
| AUE_NICE | "nice" on page 118 |
| AUE_OPEN_R | "open: read" on page 119 |
| AUE_OPEN_RC | "open: read, create" on page 119 |
| AUE_OPEN_RT | "open: read, truncate" on page 120 |
| AUE_OPEN_RTC | "open: read,create,truncate" on page 119 |
| AUE_OPEN_RW | "open: read, write" on page 120 |
| AUE_OPEN_RWC | "open: read,write,create" on page 120 |
| AUE_OPEN_RWT | "open: read,write,truncate" on page 121 |
| AUE_OPEN_RWTC | "open: read,write,create,truncate" on page 120 |
| AUE_OPEN_W | "open: write" on page 121 |
| AUE_OPEN_WC | "open: write,create" on page 121 |
| AUE_OPEN_WT | "open: write,truncate" on page 122 |
| AUE_OPEN_WTC | "open: write,create,truncate" on page 122 |
| AUE_OSETUID | "setuid" on page 132 |
| AUE_PATHCONF | "pathconf" on page 122 |
| AUE_PIPE | "pipe" on page 122 |
| AUE_PRIOCNTLSYS | "priocntl" on page 123 |
| AUE_PUTMSG | "putmsg" on page 123 |
| AUE_PUTPMSG | "putpmsg" on page 124 |
| AUE_READLINK | "readlink" on page 124 |
| AUE_RENAME | "rename" on page 125 |
| AUE_RMDIR | "rmdir" on page 125 |
| AUE_SEMCTL_GETALL | "semctl: GETALL" on page 125 |
| AUE_SEMCTL_GETNCNT | "semctl: GETNCNT" on page 126 |
-
-
-
-