OpenSolaris_b135/cmd/auditrecord/audit_record_attr.txt
# audit_record_attr.txt
# Two "#" are comments that are copied to audit_record_attr
# other comments are removed.
##
## Copyright 2010 Sun Microsystems, Inc. All rights reserved.
## Use is subject to license terms.
##
## CDDL HEADER START
##
## The contents of this file are subject to the terms of the
## Common Development and Distribution License (the "License").
## You may not use this file except in compliance with the License.
##
## You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
## or http://www.opensolaris.org/os/licensing.
## See the License for the specific language governing permissions
## and limitations under the License.
##
## When distributing Covered Code, include this CDDL HEADER in each
## file and include the License file at usr/src/OPENSOLARIS.LICENSE.
## If applicable, add the following below this CDDL HEADER, with the
## fields enclosed by brackets "[]" replaced with your own identifying
## information: Portions Copyright [yyyy] [name of copyright owner]
##
## CDDL HEADER END
##
##
# source file for describing audit records.
# This file is in two sections. The first is a list of attribute /
# value pairs used to provide short cuts in annotating the audit
# records. The second is for annotation for each audit record.
# first section: general attributes
# skipClass=<class name of items to skip if only in that class>
# skipClass=no # uncomment to filter unused events
# token name abbreviations
# token=alias:fullname -- short names for key tokens
token=arg:argument
token=attr:attribute
token=acl:acl_entry
token=cmd:command
token=data:data
token=exec_args:exec_arguments
token=exec_env:exec_environment
token=group:group
token=inaddr:ip_addr
token=inet:socket
token=ipc:ipc
token=ipc_perm:ipc_perm
token=newgroup:newgroups
token=path:path
token=path_attr:attribute_path
token=privset:privilege
token=proc:process
token=text:text
token=tid:terminal_adr
token=uauth:use_of_authorization
token=upriv:use_of_privilege
token=zone:zonename
token=fmri:service_instance
token=label:mandatory_label
token=head:header
token=subj:subject
token=ret:return
token=exit:exit
# note names -- certain notes show up repeatedly; collected here
#
# To achieve the maximum line length to be less than 80 characters, the
# note names (message=) can be defined as a multi line, each line except the
# last one finished with the backslash character.
message=ipc_perm:The ipc and ipc_perm tokens are not included if \
the message ID is not valid.
# basic record pattern ("insert" is where event-specific tokens
# are listed.)
kernel=head:insert:subj:[upriv]:ret
user=head:subj:insert:ret
# Second Section
# Annotation Section
#
# Most audit records need annotation beyond what is provided by
# the files audit_event and audit_class. At a minimum, a record
# is represented by a label and a format.
#
# label=record_id like AUE_ACCEPT
# format=token_alias
#
# there is no end line; a new label= end the preceding definition
# and starts the next.
#
# format values are a list of token names, separated by colons. The
# name is either one of the values described above (token=) or is
# a value to be taken literally. If a token name ends with a digit,
# the digit is an index into an array of comments. In the few cases
# where there are no tokens (other than header, subject, return/exit),
# use "format=kernel" or "format="user".
#
# comment is an array of strings separated by colons. If comments
# are listed on separate lines (recommended due to better
# readability/sustainability of the file), the preceding comment
# must end with a colon. The array starts at 1. (If the comment
# contains a colon, use ":" without the quotes.)
#
# case is used to generate alternate descriptions for a given
# record.
#
# Constraints - the string length; bear in mind, that any annotation of
# primitives below longer than is specified, will be silently truncated
# to given/defined amount of characters in the auditrecord(1M) runtime:
#
# primitive <= max (non-truncated) string length
# case <= unlimited; if necessary, text continues on a new line
# comment <= unlimited; if necessary, text continues on a new line
# label <= 43
# note <= unlimited; if necessary, text continues on a new line
# program <= 20
# see <= 39
# syscall <= 20
# title <= 46
# token <= 28 (full name)
#
# To achieve the maximum line length to be less than 80 characters, one can
# define the unlimited primitives as a multi line, each line except the
# last one finished with the backslash character. In addition to above
# mentioned, the "format=" record attribute follows the same rule.
#
#
# AUE_ACCEPT illustrates the use of all the above. Note that
# case is not nested; ellipsis (...) is used to give the effect
# of nesting.
label=AUE_ACCEPT
#accept(2) failure
case=Invalid socket file descriptor
format=arg1
comment=1, file descriptor, "so"
#accept(2) non SOCK_STREAM socket
case=If the socket address is not part of the AF_INET family
format=arg1:arg2:arg3
comment=1, "so", file descriptor:
comment="family", so_family:
comment="type", so_type
case=If the socket address is part of the AF_INET family
case=...If there is no vnode for this file descriptor
format=[arg]1
comment=1, file descriptor, "Bad so"
#accept(2) SOCK_STREAM socket-not bound
case=...or if the socket is not bound
format=[arg]1:[inet]2
comment=1, file descriptor, "so":
comment=local/foreign address (0.0.0.0)
case=...or if the socket address length = 0
format=[arg]1:[inet]2
comment=1, file descriptor, "so":
comment=local/foreign address (0.0.0.0)
case=...or for all other conditions
format=inet1:[inet]1
comment=socket address
#accept(2) failure
# header
# au_to_arg32 "so",file descriptor
# subject
# return <errno != 0>
#
#accept(2) non SOCK_STREAM socket
# header
# au_to_arg32 "so", file descriptor
# au_to_arg32 "family", so_family
# au_to_arg32 "type", so_type
# subject
# return success
#
#accept(2) SOCK_STREAM socket-not bound
# header
# au_to_arg32 "so", file descriptor
# au_to_socket_ex local/foreign address (0.0.0.0)
# subject
# return success
#
#accept(2) SOCK_STREAM socket-bound
# header
# au_to_arg32 "so", file descriptor
# au_to_socket_ex
# subject
# return success
label=AUE_ACCESS
format=path1:[attr]
comment=may be truncated in failure case
# header,163,2,access(2),,Wed Apr 25 13:52:49 2001, + 750000733 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_succ
# attribute,100777,41416,staff,8388608,402255,0
# subject,tuser10,tuser10,other,tuser10,other,1297,322,255 131585 129.146.89.30
# return,success,0
# trailer,163
#
# header,163,2,access(2),,Wed Apr 25 13:53:02 2001, + 490000427 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail
# attribute,100000,root,other,8388608,402257,0
# subject,tuser10,tuser10,other,tuser10,other,1433,322,255 131585 129.146.89.30
# return,failure: Permission denied,-1
# trailer,163
#
# header,135,2,access(2),,Wed Apr 25 13:53:15 2001, + 10000329 msec
# path,/export/home/testsuites/CC_final/icenine/arv/access/obj_fail2
# subject,tuser10,tuser10,other,tuser10,other,1553,322,255 131585 129.146.89.30
# return,failure: No such file or directory,-1
# trailer,135
label=AUE_ACCT
case=Zero path
format=arg1
comment=1, 0, "accounting off"
case=Non-zero path
format=path1:[attr]2
comment=may be truncated in failure case:
comment=omitted if failure
label=AUE_ACLSET
syscall=acl
format=arg1:arg2:(0..n)[acl]3
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=Access Control List entries
label=AUE_ADJTIME
format=kernel
label=AUE_ASYNC_DAEMON
skip=Not used
label=AUE_ASYNC_DAEMON_EXIT
skip=Not used
label=AUE_AUDIT
skip=Not used. (Placeholder for the set AUE_AUDIT_*.)
label=AUE_AUDITON
skip=Not used. (Placeholder for the set AUE_AUDITON_*.)
label=AUE_AUDITON_GESTATE
skip=Not used
label=AUE_AUDITON_GETCAR
format=kernel
syscall=auditon: GETCAR
# header,68,2,auditon(2) - get car,,Wed Apr 25 13:49:02 2001, + 710001279 msec
# subject,tuser10,root,other,root,other,966,322,255 131585 129.146.89.30
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCLASS
format=kernel
syscall=auditon: GETCLASS
# header,68,2,auditon(2) - get event class,,Mon May 15 09:14:35 2000, + 30001063 msec
# subject,tuser10,root,other,root,other,1091,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCOND
format=kernel
syscall=auditon: GETCOND
# header,68,2,auditon(2) - get audit state,,Mon May 15 09:14:48 2000, + 110001736 msec
# subject,tuser10,root,other,root,other,1248,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETCWD
format=kernel
syscall=auditon: GETCWD
# header,68,2,auditon(2) - get cwd,,Mon May 15 09:15:01 2000, + 120001223 msec
# subject,tuser10,root,other,root,other,1405,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETKMASK
format=kernel
syscall=auditon: GETKMASK
# header,68,2,auditon(2) - get kernel mask,,Mon May 15 09:15:14 2000, + 220002225 msec
# subject,tuser10,root,other,root,other,1562,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GETSTAT
format=kernel
syscall=auditon: A_GETSTAT
# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:27 2000, + 220003386 msec
# subject,tuser10,root,other,root,other,1719,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GPOLICY
format=kernel
syscall=auditon: GPOLICY
# header,68,2,auditon(2) - get audit statistics,,Mon May 15 09:15:40 2000, + 120004056 msec
# subject,tuser10,root,other,root,other,1879,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GQCTRL
format=kernel
syscall=auditon: GQCTRL
# header,68,2,auditon(2) - GQCTRL command,,Mon May 15 09:15:53 2000, + 20001415 msec
# subject,tuser10,root,other,root,other,2033,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_AUDITON_GTERMID
skip=Not used.
label=AUE_AUDITON_SESTATE
skip=Not used.
label=AUE_AUDITON_SETCLASS
format=[arg]1:[arg]2
comment=2, "setclass:ec_event", event number:
comment=3, "setclass:ec_class", class mask
syscall=auditon: SETCLASS
# header,120,2,auditon(2) - set event class,,Mon May 15 09:16:39 2000, + 800002966 msec
# argument,2,0x0,setclass:ec_event
# argument,3,0x0,setclass:ec_class
# subject,tuser10,root,other,root,other,2190,367,255 197121 tmach1
# return,success,0
# trailer,120
label=AUE_AUDITON_SETCOND
format=[arg]1
comment=3, "setcond", audit state
syscall=auditon: SETCOND
label=AUE_AUDITON_SETKMASK
format=[arg]1:[arg]2
comment=2, "setkmask as_success", kernel mask:
comment=2, "setkmask as_failure", kernel mask
syscall=auditon: SETKMASK
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:06 2000, + 300000807 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,root,other,root,other,2506,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set kernel mask,,Mon May 15 09:17:20 2000, + 430001289 msec
# argument,2,0x0,setkmask:as_success
# argument,2,0x0,setkmask:as_failure
# subject,tuser10,tuser10,other,root,other,2620,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SETSMASK
format=[arg]1:[arg]2
comment=3, "setsmask:as_success", session ID mask:
comment=3, "setsmask:as_failure", session ID mask
syscall=auditon: SETSMASK
# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:33 2000, + 580000668 msec
# argument,3,0x400,setsmask:as_success
# argument,3,0x400,setsmask:as_failure
# subject,tuser10,root,other,root,other,2777,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set mask per session ID,,Mon May 15 09:17:45 2000, + 700001710 msec
# argument,3,0x400,setsmask:as_success
# argument,3,0x400,setsmask:as_failure
# subject,tuser10,tuser10,other,root,other,2885,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SETSTAT
format=kernel
syscall=auditon: SETSTAT
# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:17:58 2000, + 930000818 msec
# subject,tuser10,root,other,root,other,3042,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,auditon(2) - reset audit statistics,,Mon May 15 09:18:13 2000, + 160001101 msec
# subject,tuser10,tuser10,other,root,other,3156,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_AUDITON_SETUMASK
format=[arg]1:[arg]2
comment=3, "setumask:as_success", audit ID mask:
comment=3, "setumask:as_failure", audit ID mask
syscall=auditon: SETUMASK
# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:26 2000, + 670003527 msec
# argument,3,0x400,setumask:as_success
# argument,3,0x400,setumask:as_failure
# subject,tuser10,root,other,root,other,3313,367,255 197121 tmach1
# return,success,0
# trailer,124
# header,124,2,auditon(2) - set mask per uid,,Mon May 15 09:18:38 2000, + 740000732 msec
# argument,3,0x400,setumask:as_success
# argument,3,0x400,setumask:as_failure
# subject,tuser10,tuser10,other,root,other,3421,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,124
label=AUE_AUDITON_SPOLICY
format=[arg]1
comment=1, audit policy flags, "setpolicy"
syscall=auditon: SPOLICY
# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:18:54 2000, + 840 msec
# argument,3,0x200,setpolicy
# subject,tuser10,root,other,root,other,3584,367,255 197121 tmach1
# return,success,0
# trailer,86
# header,86,2,auditon(2) - SPOLICY command,,Mon May 15 09:19:08 2000, + 200002798 msec
# argument,3,0x200,setpolicy
# subject,tuser10,tuser10,other,root,other,3698,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,86
label=AUE_AUDITON_SQCTRL
format=[arg]1:[arg]2:[arg]3:[arg]4
comment=3, "setqctrl:aq_hiwater", queue control param.:
comment=3, "setqctrl:aq_lowater", queue control param.:
comment=3, "setqctrl:aq_bufsz", queue control param.:
comment=3, "setqctrl:aq_delay", queue control param.
syscall=auditon: SQCTRL
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:23 2000, + 610001124 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,root,other,root,other,3861,367,255 197121 tmach1
# return,success,0
# trailer,176
# header,176,2,auditon(2) - SQCTRL command,,Mon May 15 09:19:35 2000, + 720003197 msec
# argument,3,0x64,setqctrl:aq_hiwater
# argument,3,0xa,setqctrl:aq_lowater
# argument,3,0x400,setqctrl:aq_bufsz
# argument,3,0x14,setqctrl:aq_delay
# subject,tuser10,tuser10,other,root,other,3969,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,176
label=AUE_AUDITON_STERMID
skip=Not used.
label=AUE_AUDITSTAT
skip=Not used.
label=AUE_AUDITSVC
skip=Not used.
label=AUE_AUDITSYS
skip=Not used. (Place holder for various auditing events.)
label=AUE_BIND
# differs from documented version.
# cases "no vnode" not fully confirmed
# family and type need argument number
case=Invalid socket handle
format=arg1
comment=1, file descriptor, "so"
case=If there is no vnode for this file descriptor
case=or if the socket is not of the AF_INET family
format=arg1:arg2:arg3
comment=1, file descriptor, "so":
comment=1, socket family, "family":
comment=1, socket type, "type"
case=or for all other conditions
format=arg1:inet2
comment=1, file descriptor, "so":
comment=socket address
label=AUE_BRANDSYS
# generic mechanism to allow user-space and kernel components of a brand
# to communicate. The interpretation of the arguments to the call is
# left entirely up to the brand.
format=arg1:arg2:arg3:arg4:arg5:arg6:arg7
comment=1, command, "cmd":
comment=2, command args, "arg":
comment=3, command args, "arg":
comment=4, command args, "arg":
comment=5, command args, "arg":
comment=6, command args, "arg":
comment=7, command args, "arg"
label=AUE_BSMSYS
skip=Not used.
label=AUE_CHDIR
format=path:[attr]
# header,151,2,chdir(2),,Mon May 15 09:20:15 2000, + 70000899 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_succ
# attribute,40777,root,other,8388608,231558,0
# subject,tuser10,tuser10,other,root,other,4436,367,255 197121 tmach1
# return,success,0
# trailer,151
# header,151,2,chdir(2),,Mon May 15 09:20:27 2000, + 640003327 msec
# path,/export/home/CC_final/icenine/arv/chdir/obj_fail
# attribute,40000,root,other,8388608,237646,0
# subject,tuser10,tuser10,other,root,other,4566,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,151
label=AUE_CHMOD
format=arg1:path:[attr]
comment=2, mode, "new file mode"
# header,173,2,chmod(2),,Mon May 15 09:20:41 2000, + 140000831 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_succ
# attribute,100770,tuser10,other,8388608,243608,0
# subject,tuser10,tuser10,other,root,other,4748,367,255 197121 tmach1
# return,success,0
# trailer,173
# header,173,2,chmod(2),,Mon May 15 09:20:54 2000, + 400001156 msec
# argument,2,0x1f8,new file mode
# path,/export/home/CC_final/icenine/arv/chmod/obj_fail
# attribute,100600,root,other,8388608,243609,0
# subject,tuser10,tuser10,other,root,other,4879,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,173
label=AUE_CHOWN
format=arg1:arg2
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
# header,193,2,chown(2),,Mon May 15 09:21:07 2000, + 930000756 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_succ
# attribute,100644,tuser10,other,8388608,268406,0
# subject,tuser10,tuser10,other,root,other,5062,367,255 197121 tmach1
# return,success,0
# trailer,193
# header,193,2,chown(2),,Mon May 15 09:21:20 2000, + 430001153 msec
# argument,2,0x271a,new file uid
# argument,3,0xffffffff,new file gid
# path,/export/home/CC_final/icenine/arv/chown/obj_fail
# attribute,100644,root,other,8388608,268407,0
# subject,tuser10,tuser10,other,root,other,5191,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,193
label=AUE_CHROOT
format=path:[attr]
# header,104,2,chroot(2),,Mon May 15 09:21:33 2000, + 860001094 msec
# path,/
# attribute,40755,root,root,8388608,2,0
# subject,tuser10,root,other,root,other,5370,367,255 197121 tmach1
# return,success,0
# trailer,104
# header,152,2,chroot(2),,Mon May 15 09:21:46 2000, + 130002435 msec
# path,/export/home/CC_final/icenine/arv/chroot/obj_fail
# attribute,40777,tuser10,other,8388608,335110,0
# subject,tuser10,tuser10,other,root,other,5499,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,152
label=AUE_CLOCK_SETTIME
format=kernel
label=AUE_CLOSE
format=arg1:[path]:[attr]
comment=1, file descriptor, "fd"
label=AUE_CONFIGKSSL
case=Adding KSSL entry.
format=text1:inaddr2:text3:text4
comment=opcode, KSSL_ADD_ENTRY:
comment=local IP address:
comment=SSL port number:
comment=proxy port number
case=Deleting KSSL entry.
format=text1:inaddr2:text3
comment=opcode, KSSL_DELETE_ENTRY:
comment=local IP address:
comment=SSL port number
label=AUE_CONNECT
# cases "no vnode" not fully confirmed
case=If there is no vnode for this file descriptor
case=If the socket address is not part of the AF_INET family
format=arg1:arg2:arg3
comment=1, file descriptor, "so":
comment=1, socket family, "family":
comment=1, socket type, "type"
case=If the socket address is part of the AF_INET family
format=arg1:inet2
comment=1, file descriptor, "so":
comment=socket address
label=AUE_CORE
syscall=none
title=process dumped core
see=none
format=path:[attr]:arg1
comment=1, signal, "signal"
# see uts/common/c2/audit.c
label=AUE_CREAT
# obsolete - see open(2)
format=path:[attr]
# does not match old BSM manual
# header,151,2,creat(2),,Mon May 15 09:21:59 2000, + 509998810 msec
# path,/export/home/CC_final/icenine/arv/creat/obj_succ
# attribute,100644,tuser10,other,8388608,49679,0
# subject,tuser10,tuser10,other,root,other,5678,367,255 197121 tmach1
# return,success,8
# trailer,151
# header,107,2,creat(2),,Mon May 15 09:22:12 2000, + 50001852 msec
# path,/devices/pseudo/mm@0:null
# subject,tuser10,root,other,root,other,5809,367,255 197121 tmach1
# return,success,8
# trailer,107
# header,83,2,creat(2),,Mon May 15 09:22:12 2000, + 70001870 msec
# path,/obj_fail
# subject,tuser10,tuser10,other,root,other,5806,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,83
label=AUE_CRYPTOADM
title=kernel cryptographic framework
format=text1:(0..n)[text]2
comment=cryptoadm command/operation:
comment=mechanism list
label=AUE_DOORFS
skip=Not used. (Place holder for set of door audit events.)
label=AUE_DOORFS_DOOR_BIND
skip=Not used.
syscall=doorfs: DOOR_BIND
label=AUE_DOORFS_DOOR_CALL
format=arg1:proc2
comment=1, door ID, "door ID":
comment=for process that owns the door
syscall=doorfs: DOOR_CALL
label=AUE_DOORFS_DOOR_CREATE
format=arg1
comment=1, door attributes, "door attr"
syscall=doorfs: DOOR_CREATE
label=AUE_DOORFS_DOOR_CRED
skip=Not used.
syscall=doorfs: DOOR_CRED
label=AUE_DOORFS_DOOR_INFO
skip=Not used.
syscall=doorfs: DOOR_INFO
label=AUE_DOORFS_DOOR_RETURN
format=kernel
syscall=doorfs: DOOR_RETURN
label=AUE_DOORFS_DOOR_REVOKE
format=arg1
comment=1, door ID, "door ID"
syscall=doorfs: DOOR_REVOKE
label=AUE_DOORFS_DOOR_UNBIND
skip=Not used.
syscall=doorfs: DOOR_UNBIND
label=AUE_DUP2
skip=Not used.
label=AUE_ENTERPROM
title=enter prom
syscall=none
format=head:text1:ret
comment="kmdb"
# header,48,2,enter prom,na,tmach1,2004-11-12 09:07:41.342 -08:00
# text,kmdb
# return,success,0
label=AUE_EXEC
# obsolete - see execve(2)
format=path:[attr]1:[exec_args]2:[exec_env]3
comment=omitted on error:
comment=output if argv policy is set:
comment=output if arge policy is set
label=AUE_EXECVE
format=path:[attr]1:[exec_args]2:[exec_env]3
comment=omitted on error:
comment=output if argv policy is set:
comment=output if arge policy is set
# header,107,2,creat(2),,Mon May 15 09:22:25 2000, + 559997464 msec
# path,/devices/pseudo/mm@0:null
# subject,tuser10,root,other,root,other,5974,367,255 197121 tmach1
# return,success,8
# trailer,107
# header,86,2,execve(2),,Mon May 15 09:22:25 2000, + 590003684 msec
# path,/usr/bin/pig
# subject,tuser10,tuser10,other,root,other,5971,367,255 197121 tmach1
# return,failure: No such file or directory,-1
# trailer,86
label=AUE_EXIT
format=[text]1
comment=event aborted
label=AUE_EXITPROM
title=exit prom
syscall=none
format=head:text1:ret
comment="kmdb"
# header,48,2,exit prom,na,tmach1,2004-11-12 09:07:43.547 -08:00
# text,kmdb
# return,success,0
label=AUE_EXPORTFS
skip=Not used.
label=AUE_FACCESSAT
# obsolete
see=access(2)
format=path:[attr]
label=AUE_FACLSET
syscall=facl
case=Invalid file descriptor
format=arg1:arg2
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries"
case=Zero path
format=arg1:arg2:arg3:[attr]:(0..n)[acl]4
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=1, file descriptor, "no path: fd":
comment=ACLs
case=Non-zero path
format=arg1:arg2:path:[attr]:(0..n)[acl]3
comment=2, SETACL, "cmd":
comment=3, number of ACL entries, "nentries":
comment=ACLs
label=AUE_FCHDIR
format=[path]:[attr]
# header,150,2,fchdir(2),,Mon May 15 09:22:38 2000, + 680001393 msec
# path,/export/home/CC_final/icenine/arv/fchdir/obj_succ
# attribute,40777,tuser10,other,8388608,207662,0
# subject,tuser10,tuser10,other,root,other,6129,367,255 197121 tmach1
# return,success,0
# trailer,150
# header,68,2,fchdir(2),,Mon May 15 09:22:51 2000, + 710001196 msec
# subject,tuser10,tuser10,other,root,other,6258,367,255 197121 tmach1
# return,failure: Permission denied,-1
# trailer,68
label=AUE_FCHMOD
case=With a valid file descriptor and path
format=arg1:path:[attr]
comment=2, mode, "new file mode"
case=With a valid file descriptor and invalid path
format=arg1:[arg]2:[attr]
comment=2, mode, "new file mode":
comment=1, file descriptor, "no path: fd"
case=With an invalid file descriptor
format=arg1
comment=2, mode, "new file mode"
# header,168,2,fchmod(2),,Sat Apr 29 12:28:06 2000, + 350000000 msec
# argument,2,0x1a4,new file mode
# path,/export/home/CC/icenine/arv/fchmod/obj_succ
# attribute,100644,tuser10,other,7602240,26092,0
# subject,tuser10,tuser10,other,root,other,11507,346,16064 196866 tmach1
# return,success,0
# trailer,168
# header,90,2,fchmod(2),,Sat Apr 29 12:28:32 2000, + 930000000 msec
# argument,2,0x1a4,new file mode
# subject,tuser10,tuser10,other,root,other,11759,346,16064 196866 tmach1
# return,failure: Bad file number,-1
# trailer,90
# header,168,2,fchmod(2),,Sat Apr 29 12:28:20 2000, + 770000000 msec
# argument,2,0x1a4,new file mode
# path,/export/home/CC/icenine/arv/fchmod/obj_fail
# attribute,100644,root,other,7602240,26093,0
# subject,tuser10,tuser10,other,root,other,11644,346,16064 196866 tmach1
# return,failure: Not owner,-1
# trailer,168
label=AUE_FCHOWN
case=With a valid file descriptor
format=arg1:arg2:[path]:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
case=With an invalid file descriptor
format=arg1:arg2:[arg]3:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid":
comment=1, file descriptor, "no path fd"
label=AUE_FCHOWNAT
# obsolete
see=openat(2)
case=With a valid absolute/relative file path
format=path:[attr]
case=With an file path eq. NULL and valid file descriptor
format=kernel
label=AUE_FCHROOT
format=[path]:[attr]
# fchroot -> chdirec -> audit_chdirec
label=AUE_FCNTL
case=With a valid file descriptor
format=arg1:path:attr
comment=2, command, "cmd"
case=With an invalid file descriptor
format=arg1:arg2
comment=2, command, "cmd":
comment=1, file descriptor, "no path fd"
label=AUE_FLOCK
skip=Not used.
label=AUE_FORKALL
format=[arg]1
comment=0, pid, "child PID"
note=The forkall(2) return values are undefined because the audit record
note=is produced at the point that the child process is spawned.
# see audit.c
label=AUE_FORK1
format=[arg]1
comment=0, pid, "child PID"
note=The fork1(2) return values are undefined because the audit record
note=is produced at the point that the child process is spawned.
# see audit.c
label=AUE_FSAT
# obsolete
skip=Not used. (Placeholder for AUE_*AT records)
label=AUE_FSTAT
skip=Not used.
label=AUE_FSTATAT
# obsolete
format=path:[attr]
label=AUE_FSTATFS
case=With a valid file descriptor
format=[path]:[attr]
case=With an invalid file descriptor
format=arg1
comment=1, file descriptor, "no path fd"
label=AUE_FTRUNCATE
skip=Not used.
label=AUE_FUSERS
syscall=utssys: UTS_FUSERS
format=path:attr
label=AUE_FUTIMESAT
# obsolete
format=[path]:[attr]
label=AUE_GETAUDIT
format=kernel
# header,68,2,getaudit(2),,Mon May 15 09:23:57 2000, + 620001408 msec
# subject,tuser10,root,other,root,other,7063,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getaudit(2),,Mon May 15 09:24:09 2000, + 490003700 msec
# subject,tuser10,root,other,root,other,7158,367,255 197121 tmach1
# return,success,0
# trailer,68
label=AUE_GETAUDIT_ADDR
format=kernel
# header,73,2,getaudit_addr(2),,Thu Nov 08 15:14:01 2001, + 0 msec
# subject,tuser1,root,staff,root,staff,9689,12289,0 0 tmach2
# return,success,0
label=AUE_GETAUID
format=kernel
# header,68,2,getauid(2),,Mon May 15 09:24:22 2000, + 420000668 msec
# subject,tuser10,root,other,root,other,7303,367,255 197121 tmach1
# return,success,0
# trailer,68
# header,68,2,getauid(2),,Mon May 15 09:24:34 2000, + 490002988 msec
# subject,tuser10,tuser10,other,root,other,7410,367,255 197121 tmach1
# return,failure: Not owner,-1
# trailer,68
label=AUE_GETDENTS
skip=Not used.
#Not security relevant
label=AUE_GETKERNSTATE
skip=Not used.
label=AUE_GETMSG
case=With a valid file descriptor
format=arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
case=With an invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
label=AUE_GETPMSG
case=With a valid file descriptor
format=arg1:[path]:attr
comment=1, file descriptor, "fd"
case=With an invalid file descriptor
format=arg1
comment=1, file descriptor, "fd"
label=AUE_GETPORTAUDIT
format=Not used.
label=AUE_GETUSERAUDIT
skip=Not used.
label=AUE_INST_SYNC
format=arg1
comment=2, flags value, "flags"
label=AUE_IOCTL
case=With an invalid file descriptor
format=arg1:arg2:arg3
comment=1, file descriptor, "fd":
comment=2, command, "cmd":
comment=3, arg, "arg"
case=With a valid file descriptor
format=path:[attr]:arg1:arg2
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
case=Non-file file descriptor
format=arg1:arg2:arg3
comment=1, file descriptor, "fd":
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
case=Bad file name
format=arg1:arg2:arg3
comment=1, file descriptor, "no path: fd":
comment=2, ioctl cmd, "cmd":
comment=3, ioctl arg, "arg"
# old BSM manual misses a case
label=AUE_JUNK
skip=Not used.
label=AUE_KILL
case=Valid process
format=arg1:[proc]
comment=2, signo, "signal"
case=Zero or negative process
format=arg1:arg2
comment=2, signo, "signal":
comment=1, pid, "process"
label=AUE_KILLPG
skip=Not used.
label=AUE_LCHOWN
format=arg1:arg2:path:[attr]
comment=2, uid, "new file uid":
comment=3, gid, "new file gid"
label=AUE_LINK
format=path1:[attr]:path2
comment=from path:
comment=to path
label=AUE_LSEEK
skip=Not used.
label=AUE_LSTAT
format=path:[attr]
label=AUE_LXSTAT
# obsolete
skip=Not used.
label=AUE_MCTL
skip=Not used.
label=AUE_MEMCNTL
format=arg1:arg2:arg3:arg4:arg5:arg6
comment=1, base address, "base":
comment=2, length, "len":
comment=3, command, "cmd":
comment=4, command args, "arg":
comment=5, command attributes, "attr":
comment=6, 0, "mask"
label=AUE_MKDIR
format=arg1:path:[attr]
comment=2, mode, "mode"
label=AUE_MKNOD
format=arg1:arg2:path:[attr]
comment=2, mode, "mode":
comment=3, dev, "dev"
label=AUE_MMAP
case=With a valid file descriptor
format=arg1:arg2:[path]3:[attr]
comment=1, segment address, "addr":
comment=2, segment address, "len":
comment=if no path, then argument: \
1, "nopath: fd", file descriptor
case=With an invalid file descriptor
format=arg1:arg2:arg3
comment=1, segment address, "addr":
comment=2, segment address, "len":
comment=1, file descriptor, "no path: fd"
label=AUE_MODADDMAJ
title=modctl: bind module
syscall=modctl
format=[text]1:[text]2:text3:arg4:(0..n)[text]5
comment=driver major number:
comment=driver name:
comment=driver major number or "no drvname":
comment=5, number of aliases, "":
comment=aliases
label=AUE_MODADDPRIV
format=kernel
label=AUE_MODCONFIG
skip=Not used.
label=AUE_MODCTL
skip=Not used. (placeholder)
label=AUE_MODDEVPLCY
syscall=modctl
title=modctl: set device policy
case=If unknown minor name/pattern
format=arg1:arg2:arg3:arg4:arg5
comment=2, "major", major number:
comment=2, "lomin", low minor number, if known:
comment=2, "himin", hi minor number, if known:
comment=privileges required for reading:
comment=privileges required for writing
case=else
format=arg1:text2:arg3:arg4
comment=2, "major", major number:
comment=minor name/pattern:
comment=privileges required for reading:
comment=privileges required for writing
label=AUE_MODLOAD
syscall=modctl
title=modctl: load module
format=[text]1:text2
comment=default path:
comment=filename path
label=AUE_MODUNLOAD
syscall=modctl
title=modctl: unload module
format=arg1
comment=1, module ID, "id"
label=AUE_MOUNT
case=UNIX file system
format=arg1:text2:path:[attr]
comment=3, flags, "flags":
comment=filesystem type
case=NFS file system
format=arg1:text2:text3:arg4:path:[attr]
comment=3, flags, "flags":
comment=filesystem type:
comment=host name:
comment=3, flags, "internal flags"
# unix example:
# header,239,2,mount(2),,Sun Apr 16 14:42:32 2000, + 979995208 msec
# argument,3,0x104,flags
# text,ufs
# path,/var2
# attribute,40755,root,root,32,12160,0
# path,/devices/pci@1f,4000/scsi@3/sd@0,0:e
# attribute,60640,root,sys,32,231268,137438953476
# subject,abc,root,other,root,other,1726,1715,255 66049 ohboy
# return,success,4290707268
# ^^^^^^^^^^ <- bugid 4333559
label=AUE_MSGCTL
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
label=AUE_MSGCTL_RMID
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_RMID
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
label=AUE_MSGCTL_SET
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_SET
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
label=AUE_MSGCTL_STAT
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgctl: IPC_STAT
# ipc, ipc_perm: msgctl -> ipc_lookup -> audit_ipc
label=AUE_MSGGET
format=arg1:ipc
comment=1, message key, "msg key"
note=ipc_perm
syscall=msgget
label=AUE_MSGGETL
skip=Not used.
label=AUE_MSGRCV
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgrcv
# ipc, ipc_perm: msgrcv -> ipc_lookup -> audit_ipc
label=AUE_MSGRCVL
skip=Not used.
label=AUE_MSGSND
format=arg1:[ipc]:[ipc_perm]
comment=1, message ID, "msg ID"
note=ipc_perm
syscall=msgsnd
# ipc, ipc_perm: msgsnd -> ipc_lookup -> audit_ipc
label=AUE_MSGSNDL
skip=Not used.
label=AUE_MSGSYS
skip=Not used. (Placeholder for AUE_MSG* events.)
label=AUE_MUNMAP
format=arg1:arg2
comment=1, address of memory, "addr":
comment=2, memory segment size, "len"
label=AUE_NFS
skip=Not used.
label=AUE_NFSSVC_EXIT
skip=Not used.
label=AUE_NFS_GETFH
skip=Not used.
label=AUE_NFS_SVC
skip=Not used.
label=AUE_NICE
format=kernel
label=AUE_NULL
skip=Not used. (placeholder)
# used internal to audit_event.c for minimal audit
label=AUE_NTP_ADJTIME
format=kernel
label=AUE_ONESIDE
skip=Not used.
label=AUE_OPEN
skip=Not used. (placeholder for AUE_OPEN_*).
label=AUE_OPEN_R
format=path:[path_attr]:[attr]
see=open(2) - read
label=AUE_OPENAT_R
# obsolete
format=path:[path_attr]:[attr]
see=openat(2)
label=AUE_OPEN_RC
format=path:[path_attr]:[attr]
see=open(2) - read,creat
label=AUE_OPENAT_RC
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_RT
format=path:[path_attr]:[attr]
see=open(2) - read,trunc
label=AUE_OPENAT_RT
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_RTC
format=path:[path_attr]:[attr]
see=open(2) - read,trunc,creat
label=AUE_OPENAT_RTC
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_RW
format=path:[path_attr]:[attr]
see=open(2) - read,write
label=AUE_OPENAT_RW
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
# aui_fsat(): fm & O_RDWR
label=AUE_OPEN_RWC
format=path:[path_attr]:[attr]
see=open(2) - read,write,creat
label=AUE_OPENAT_RWC
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_RWT
format=path:[path_attr]:[attr]
see=open(2) - read,write,trunc
label=AUE_OPENAT_RWT
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_RWTC
format=path:[path_attr]:[attr]
see=open(2) - read,write,trunc,creat
label=AUE_OPENAT_RWTC
# obsolete
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_W
format=path:[path_attr]:[attr]
see=open(2) - write
label=AUE_OPENAT_W
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_WC
format=path:[path_attr]:[attr]
see=open(2) - write,creat
label=AUE_OPENAT_WC
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_WT
format=path:[path_attr]:[attr]
see=open(2) - write,trunc
label=AUE_OPENAT_WT
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OPEN_WTC
format=path:[path_attr]:[attr]
see=open(2) - write,trunc,creat
label=AUE_OPENAT_WTC
see=openat(2)
format=path:[path_attr]:[attr]
label=AUE_OSETPGRP
skip=Not used.
label=AUE_OSTAT
# obsolete
skip=Not used.
label=AUE_PATHCONF
format=path:[attr]
label=AUE_PIPE
format=kernel
# class is no, not usually printed
label=AUE_PORTFS
skip=Not used (placeholder for AUE_PORTFS_*).
label=AUE_PORTFS
skip=Not used (placeholder for AUE_PORTFS_*).
label=AUE_PORTFS_ASSOCIATE
syscall=portfs
see=port_associate(3C)
case=Port association via PORT_SOURCE_FILE
format=[path]1:attr
comment=name of the file/directory to be watched
label=AUE_PORTFS_DISSOCIATE
syscall=portfs
see=port_dissociate(3C)
case=Port disassociation via PORT_SOURCE_FILE
format=kernel
label=AUE_PRIOCNTLSYS
syscall=priocntl
see=priocntl(2)
format=arg1:arg2
comment=1, priocntl version number, "pc_version":
comment=3, command, "cmd"
label=AUE_PROCESSOR_BIND
case=No LWP/thread bound to the processor
format=arg1:arg2:text3:[proc]
comment=1, type of ID, "ID type":
comment=2, ID value, "ID":
comment="PBIND_NONE"
case=With processor bound
format=arg1:arg2:arg3:[proc]
comment=1, type of ID, "ID type":
comment=2, ID value, "ID":
comment=3, processor ID, "processor_id"
label=AUE_PUTMSG
see=putmsg(2)
format=arg1:[path]:[attr]:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
label=AUE_PUTPMSG
see=putpmsg(2)
format=arg1:[path]:[attr]:arg2:arg3
comment=1, file descriptor, "fd":
comment=4, priority, "pri":
comment=5, flags, "flags"
label=AUE_P_ONLINE
format=arg1:arg2:text3
comment=1, processor ID, "processor ID":
comment=2, flags value, "flags":
comment=text form of flags. Values: \
P_ONLINE, P_OFFLINE, P_NOINTR, P_SPARE, P_FAULTED, P_STATUS
label=AUE_QUOTACTL
skip=Not used.
label=AUE_READ
skip=Not used. (Placeholder for AUE_READ_* events)
label=AUE_READL
skip=Not used. (Obsolete)
label=AUE_READLINK
format=path:[attr]
label=AUE_READV
skip=Not used (obsolete)
# detritus from CMS
label=AUE_READVL
skip=Not used (obsolete)
# detritus from CMS
label=AUE_REBOOT
skip=Not used.
label=AUE_RECV
case=If address family is AF_INET or AF_INET6
format=[arg]1:[inet]
comment=1, file descriptor, "so"
case=If address family is AF_UNIX and path is defined
format=[path]1:[attr]
comment=1, file descriptor, "so"
case=If address family is AF_UNIX and path is NULL
format=[path]1:[attr]
comment=1, file descriptor, "no path: fd"
case=If address family is other than AF_UNIX, AF_INET, AF_INET6
format=[arg]1:[arg]2:[arg]3
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type"
# associated class remapped to AUE_READ's class (audit_event.c:audit_s2e[237])
label=AUE_RECVFROM
format=inet:arg1:[arg]2:inet3:arg4
comment=3, message length, "len":
comment=4, flags, "flags":
comment=from address:
comment=6, address length, "tolen"
note=The socket token for a bad socket is reported as "argument
note=token (1, socket descriptor, "fd")"
label=AUE_RECVMSG
case=If invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=If valid file descriptor and socket is AF_UNIX and no path
format=arg1:[attr]
comment=1, file descriptor, "no path: fd"
case=If valid file descriptor and socket is AF_UNIX and path defined
format=path:attr
case=If valid file descriptor and socket is AF_INET or AF_INET6
case=.. if socket type is SOCK_DGRAM or SOCK_RAW or SOCK_STREAM
format=arg1:arg2:inet
comment=1, file descriptor, "so":
comment=2, flags, "flags"
case=.. if socket type is unknown
format=arg1:arg2:arg3:arg4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=3, flags, "flags"
label=AUE_RENAME
format=path1:[attr]1:[path]2
comment=from name:
comment=to name
label=AUE_RENAMEAT
# obsolete
format=path1:[attr]1:[path]2
comment=from name:
comment=to name
label=AUE_RFSSYS
skip=Not used.
# apparently replaced
label=AUE_RMDIR
format=path:[attr]
label=AUE_SEMCTL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_GETALL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETALL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_GETNCNT
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETNCNT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_GETPID
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETPID
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_GETVAL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETVAL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_GETZCNT
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: GETZCNT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_RMID
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_RMID
# ipc, ipc_perm token: semctl -> ipc_rmid -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_SET
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_SET
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_SETALL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: SETALL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_SETVAL
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: SETVAL
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMCTL_STAT
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
syscall=semctl: IPC_STAT
# ipc, ipc_perm token: semctl -> ipc_lookup -> audit_ipc
label=AUE_SEMGET
format=arg1:[ipc_perm]:ipc
comment=1, semaphore ID, "sem key"
note=ipc_perm
syscall=semctl: SETVAL
# ipc_perm token: semget -> audit_ipcget
label=AUE_SEMGETL
skip=Not used.
label=AUE_SEMOP
format=arg1:[ipc]:[ipc_perm]
comment=1, semaphore ID, "sem ID"
note=ipc_perm
# ipc, ipc_perm token: semop -> ipc_lookup -> audit_ipc
label=AUE_SEMSYS
skip=Not used. (place holder) -- defaults to a semget variant
label=AUE_SEND
case=If address family is AF_INET or AF_INET6
format=[arg]1:[inet]
comment=1, file descriptor, "so"
case=If address family is AF_UNIX and path is defined
format=[path]1:[attr]
comment=1, file descriptor, "so"
case=If address family is AF_UNIX and path is NULL
format=[path]1:[attr]
comment=1, file descriptor, "no path: fd"
case=If address family is other than AF_UNIX, AF_INET, AF_INET6
format=[arg]1:[arg]2:[arg]3
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type"
# associated class remapped to AUE_WRITE's class (audit_event.c:audit_s2e[240])
label=AUE_SENDMSG
case=If invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=If valid file descriptor
case=...and address family is AF_UNIX and path is defined
format=path:attr
case=...and address family is AF_UNIX and path is NULL
format=path1:attr
comment=1, file descriptor, "nopath: fd"
case=...and address family is AF_INET or AF_INET6, \
socket is SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
format=arg1:arg2:inet
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=...and unknown address family or address family AF_INET or AF_INET6 \
and not socket SOCK_DGRAM, SOCK_RAW or SOCK_STREAM
format=arg1:arg2:arg3:arg4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=1, flags, "flags"
label=AUE_SENDTO
case=If invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=If valid file descriptor
case=...and socket is AF_UNIX and path is defined
format=path:attr
case=...and address family is AF_UNIX and path is NULL
format=path1:attr
comment=1, file descriptor, "nopath: fd"
case=...and address family is AF_INET or AF_INET6
format=arg1:arg2:inet
comment=1, file descriptor, "so":
comment=3, flags, "flags"
case=...and unknown address family
format=arg1:arg2:arg3:arg4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=1, flags, "flags"
label=AUE_SETAUDIT
case=With a valid program stack address
format=arg1:arg2:arg3:arg4:arg5:arg6
comment=1, audit user ID, "setaudit:auid":
comment=1, terminal ID, "setaudit:port":
comment=1, terminal ID, "setaudit:machine":
comment=1, preselection mask, "setaudit:as_success":
comment=1, preselection mask, "setaudit:as_failure":
comment=1, audit session ID, "setaudit:asid"
case=With an invalid program stack address
format=kernel
# header,215,2,setaudit(2),,Mon May 15 09:43:28 2000, + 60002627 msec
# argument,1,0x271a,setaudit:auid
# argument,1,0x3ff0201,setaudit:port
# argument,1,0x8192591e,setaudit:machine
# argument,1,0x400,setaudit:as_success
# argument,1,0x400,setaudit:as_failure
# argument,1,0x16f,setaudit:asid
# subject,tuser10,root,other,root,other,20620,367,255 197121 tmach1
# return,success,0
# trailer,215
# header,215,2,setaudit(2),,Mon May 15 09:43:40 2000, + 50000847 msec
# argument,1,0x271a,setaudit:auid
# argument,1,0x3ff0201,setaudit:port
# argument,1,0x8192591e,setaudit:machine
# argument,1,0x400,setaudit:as_success
# argument,1,0x400,setaudit:as_failure
# argument,1,0x16f,setaudit:asid
# subject,tuser10,root,other,root,other,20720,367,255 197121 tmach1
# return,success,0
# trailer,215
label=AUE_SETAUDIT_ADDR
case=With a valid program stack address
format=arg1:arg2:arg3:inaddr4:arg5:arg6:arg7
comment=1, audit user ID, "auid":
comment=1, terminal ID, "port":
comment=1, type, "type":
comment=1, terminal ID, "ip address":
comment=1, preselection mask, "as_success":
comment=1, preselection mask, "as_failure":
comment=1, audit session ID, "asid"
case=With an invalid program stack address
format=kernel
# header,172,2,setaudit_addr(2),,Fri Nov 09 13:52:26 2001, + 0 msec
# argument,1,0x15fa7,auid
# argument,1,0x0,port
# argument,1,0x4,type
# ip address,tmach2
# argument,1,0x9c00,as_success
# argument,1,0x9c00,as_failure
# argument,1,0x1f1,asid
# subject,tuser1,root,staff,tuser1,staff,10420,497,0 0 tmach2
# return,success,0
label=AUE_SETAUID
format=arg1
comment=2, audit user ID, "setauid"
label=AUE_SETDOMAINNAME
skip=Not used. (See AUE_SYSINFO)
# See AUE_SYSINFO with SI_SET_SRPC_DOMAIN
label=AUE_SETEGID
format=arg1
comment=1, group ID, "gid"
label=AUE_SETEUID
format=arg1
comment=1, user ID, "euid"
label=AUE_SETGID
format=arg1
comment=1, group ID, "gid"
label=AUE_SETGROUPS
note=If more than NGROUPS_MAX_DEFAULT groups listed,
note=no tokens are generated.
case=If no groups in list
format=[arg]1
comment=1, 0, "setgroups"
case=If 1 or more groups in list
format=(1..n)arg1
comment=1, gid, "setgroups"
label=AUE_SETHOSTNAME
skip=Not used. (See AUE_SYSINFO)
# See sysinfo call with command SI_SET_HOSTNAME
label=AUE_SETKERNSTATE
skip=Not used.
label=AUE_SETPGID
format=[proc]:[arg]1
comment=2, pgid, "pgid"
label=AUE_SETPGRP
format=kernel
label=AUE_SETPRIORITY
skip=Not used.
label=AUE_SETPPRIV
case=operation privileges off
format=arg1:privset2
comment=setppriv operation:
comment=privileges actually switched off
case=operation privileges on
format=arg1:privset2
comment=setppriv operation:
comment=privileges actually switched on
case=operation privileges off
format=arg1:privset2:privset3
comment=setppriv operation:
comment=privileges before privset:
comment=privileges after privset
#header,220,2,settppriv(2),,test1,Mon Oct 6 10:09:05 PDT 2003, + 753 msec
#argument,2,0x2,op
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#privilege,Inheritable,file_link_any,proc_exec,proc_fork,proc_session
#subject,tuser,root,staff,tuser,staff,444,426,200 131585 test0
#return,success,0
label=AUE_SETREGID
format=arg1:arg2
comment=1, real group ID, "rgid":
comment=2, effective group ID, "egid"
label=AUE_SETREUID
format=arg1:arg2
comment=1, real user ID, "ruid":
comment=2, effective user ID, "euid"
label=AUE_SETRLIMIT
format=kernel
# header,73,2,setrlimit(2),,Thu Nov 08 15:14:17 2001, + 0 msec
# subject,tuser1,tuser1,staff,tuser1,staff,9707,497,0 0 tmach2
# return,success,0
label=AUE_SETSID
format=kernel
label=AUE_SETSOCKOPT
case=Invalid file descriptor
format=arg1:arg2
comment=1, file descriptor, "so":
comment=2, level, "level"
case=Valid file descriptor
case=...and socket is AF_UNIX
format=path1:arg2:arg3:arg4:arg5:arg6:[arg]7:[data]8
comment=if no path, will be argument: 1, "nopath: fd", \
file descriptor:
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
case=...and socket is AF_INET or AF_INET6
format=arg1:arg2:arg3:[arg]4:[data]5:inet
comment=1, file descriptor, "so":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
case=...and socket adddress family is unknown
format=arg1:arg2:arg3:arg4:arg5:[arg]6:[data]7
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, protocol level, "level":
comment=3, option name, "optname":
comment=5, option length, "optlen":
comment=option data
label=AUE_SETTIMEOFDAY
skip=Not used.
label=AUE_SETUID
syscall=setuid
format=arg1
comment=1, "uid" to be set
label=AUE_SETUSERAUDIT
skip=Not used.
label=AUE_SHMAT
format=arg1:arg2:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID":
comment=2, shared mem addr, "shm addr"
note=ipc_perm
# ipc, ipc_perm token: shmat -> ipc_lookup -> audit_ipc
label=AUE_SHMCTL
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
label=AUE_SHMCTL_RMID
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
syscall=semctl: IPC_RMID
# ipc, ipc_perm token: shmctl -> ipc_rmid -> ipc_lookup -> audit_ipc
label=AUE_SHMCTL_SET
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
syscall=semctl: IPC_SET
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
label=AUE_SHMCTL_STAT
format=arg1:[ipc]:[ipc_perm]
comment=1, shared memory ID, "shm ID"
note=ipc_perm
syscall=semctl: IPC_STAT
# ipc, ipc_perm token: shmctl -> ipc_lookup -> audit_ipc
label=AUE_SHMDT
format=arg1
comment=1, shared memory address, "shm adr"
label=AUE_SHMGET
format=arg1:[ipc_perm]:[ipc]
comment=0, shared memory key, "shm key"
note=ipc_perm
# ipc_perm: shmget -> audit_ipcget
label=AUE_SHMGETL
skip=Not used.
label=AUE_SHMSYS
skip=Not used. (Placeholder for shmget and shmctl*)
label=AUE_SHUTDOWN
case=If the socket address is invalid
format=[arg]1:[text]2:[text]3
comment=1, file descriptor, "fd":
comment=bad socket address:
comment=bad peer address
case=If the socket address is part of the AF_INET family
case=..with zero file descriptor
format=arg1:[arg]2:[arg]3:[arg]4
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, how shutdown code, "how"
case=...with non-zero file descriptor
format=arg1:arg2:inet
comment=1, file descriptor, "so":
comment=2, how shutdown code, "how"
case=If the socket address is AF_UNIX
case=...with zero file descriptor
format=path1:arg2:[arg]3:[arg]4:[arg]5
comment=If error: argument: \
1, "no path: fd", file descriptor:
comment=1, file descriptor, "so":
comment=1, family, "family":
comment=1, type, "type":
comment=2, how shutdown code, "how"
case=...with non-zero file descriptor
format=path1:arg2:arg3:inet
comment=If error: argument: \
1, file descriptor, "no path: fd":
comment=1, file descriptor, "so":
comment=2, how shutdown code, "how"
#old BSM manual wrong; used audit_event.c
label=AUE_SOCKACCEPT
syscall=getmsg: socket accept
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see putmsg and getmsg for record format
# See audit.c for inet token and audit_start.c for other reference
label=AUE_SOCKCONFIG
format=arg1:arg2:arg3:[path]4
comment=1, domain address, "domain":
comment=2, type, "type":
comment=3, protocol, "protocol":
comment=If no path:argument -- 3, 0, "devpath"
label=AUE_SOCKCONNECT
syscall=putmsg: socket connect
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# same as AUE_SOCKACCEPT
label=AUE_SOCKET
format=arg1:[arg]2:arg3
comment=1, socket domain, "domain":
comment=2, socket type, "type":
comment=3, socket protocol, "protocol"
label=AUE_SOCKETPAIR
skip=Not used.
# unreferenced
label=AUE_SOCKRECEIVE
syscall=getmsg
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT
label=AUE_SOCKSEND
syscall=putmsg
format=inet:arg1:[path]:attr:arg2
comment=1, file descriptor, "fd":
comment=4, priority, "pri"
# see AUE_SOCKACCEPT
label=AUE_STAT
format=path:[attr]
label=AUE_STATFS
format=path:[attr]
label=AUE_STATVFS
format=path:[attr]
label=AUE_STIME
format=kernel
label=AUE_SWAPON
skip=Not used.
label=AUE_SYMLINK
format=path:text1:[attr]
comment=symbolic link string
label=AUE_SYSINFO
note=Only SI_SET_HOSTNAME and SI_SET_SRPC_DOMAIN commands
note=are currently audited.
format=arg1:[text]2
comment=1, command, "cmd":
comment=name
label=AUE_SYSTEMBOOT
title=system booted
syscall=none
format=head:text1
comment="booting kernel"
# see audit_start.c and audit_io.c
# no subject or return / exit token
# header,44,2,system booted,na,Fri Nov 09 13:53:42 2001, + 0 msec
# text,booting kernel
label=AUE_TRUNCATE
skip=Not used.
label=AUE_UMOUNT
syscall=umount: old version
note=Implemented as call of the newer umount2(2).
format=path:arg1:[path]:[attr]
comment=2, mflag value = 0, "flags"
label=AUE_UMOUNT2
syscall=umount2
format=path:arg1:[path]:[attr]
comment=2, mflag value, "flags"
label=AUE_UNLINK
format=path:[attr]
label=AUE_UNLINKAT
# obsolete
see=openat(2)
format=path:[attr]
label=AUE_UNMOUNT
skip=Not used.
label=AUE_UTIME
# obsolete
format=path:[attr]
label=AUE_UTIMES
see=futimens(2)
format=path:[attr]
label=AUE_VFORK
format=arg1
comment=0, pid, "child PID"
note=The vfork(2) return values are undefined because the audit record is
note=produced at the point that the child process is spawned.
label=AUE_VPIXSYS
skip=Not used.
label=AUE_VTRACE
skip=Not used.
label=AUE_WRITE
format=path1:attr
comment=if no path, argument -- "1, file descriptor, "no path: fd"
note:An audit record is generated for write only once per file close.
label=AUE_WRITEV
skip=Not used. (obsolete)
label=AUE_XMKNOD
# obsolete
skip=Not used.
label=AUE_XSTAT
# obsolete
skip=Not Used.
label=AUE_PF_POLICY_ADDRULE
title=Add IPsec policy rule
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_PF_POLICY_DELRULE
title=Delete IPsec policy rule
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_PF_POLICY_CLONE
title=Clone IPsec policy
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_PF_POLICY_FLIP
title=Flip IPsec policy
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_PF_POLICY_FLUSH
title=Flip IPsec policy rules
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_PF_POLICY_ALGS
title=Update IPsec algorithms
see=
syscall=none
format=arg1:arg2:[zone]3:[text]4
comment=Operation applied to active policy (1 is active, 0 is inactive):
comment=Operation applied to global policy (1 is global, 0 is tunnel):
comment=affected zone:
comment=Name of target tunnel
label=AUE_allocate_fail
program=/usr/sbin/allocate
title=allocate: allocate-device failure
format=(0..n)[text]1
comment=command line arguments
# see audit_allocate.c
label=AUE_allocate_succ
program=/usr/sbin/allocate
title=allocate: allocate-device success
format=(0..n)[text]1
comment=command line arguments
# see audit_allocate.c
label=AUE_at_create
program=/usr/bin/at
title=at: at-create crontab
format=path
label=AUE_at_delete
program=/usr/bin/at
title=at: at-delete atjob (at or atrm)
format=text1:path
comment="ancillary file:" filename or "bad format of at-job name"
label=AUE_at_perm
skip=Not used.
# not referenced outside uevents.h
label=AUE_create_user
skip=Not used.
label=AUE_cron_invoke
program=/usr/sbin/cron
title=cron: cron-invoke at or cron
case=If issue with account find
format=text1
comment="bad user" name or "user <name> account expired"
case=else
format=text1:text2
comment="at-job", "batch-job", "crontab-job", "queue-job (<queue_name>)", \
or "unknown job type (<job_type_id>)":
comment=command
label=AUE_crontab_create
program=/usr/bin/crontab
title=crontab: crontab created
format=path
# See audit_crontab.c
label=AUE_crontab_delete
program=/usr/bin/crontab
title=crontab: crontab delete
format=path
# See audit_crontab.c
label=AUE_crontab_mod
program=/usr/bin/crontab
title=crontab: crontab modify
format=path
# See audit_crontab.c
label=AUE_crontab_perm
skip=Not used.
label=AUE_deallocate_fail
program=/usr/sbin/deallocate
title=deallocate-device failure
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_deallocate_succ
program=/usr/sbin/deallocate
title=deallocate-device success
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_delete_user
skip=Not used.
label=AUE_disable_user
skip=Not used.
label=AUE_enable_user
skip=Not used.
label=AUE_ftpd
program=/usr/sbin/in.ftpd
title=in.ftpd
format=[text]1
comment=error message
# See audit_ftpd
label=AUE_ftpd_logout
program=/usr/sbin/in.ftpd
title=in.ftpd
format=user
# See audit_ftpd
label=AUE_halt_solaris
program=/usr/sbin/halt
title=halt
format=user
# See audit_halt.c
label=AUE_kadmind_auth
format=text1:text2:text3
comment=Op: <requested information>:
comment=Arg: <argument for Op>:
comment=Client: <client principal name>
# See audit_kadmin.c / common_audit()
label=AUE_kadmind_unauth
format=text1:text2:text3
comment=Op: <requested information>:
comment=Arg: <argument for Op>:
comment=Client: <client principal name>
# See audit_kadmin.c / common_audit()
label=AUE_krb5kdc_as_req
format=text1:text2
comment=Client: <client principal name>:
comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req
format=text1:text2
comment=Client: <client principal name>:
comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req_alt_tgt
format=text1:text2
comment=Client: <client principal name>:
comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_krb5kdc_tgs_req_2ndtktmm
format=text1:text2
comment=Client: <client principal name>:
comment=Service: <requested service name>
# See audit_krb5kdc.c / common_audit()
label=AUE_listdevice_fail
title=allocate-list devices failure
program=/usr/sbin/allocate
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_listdevice_succ
title=allocate-list devices success
program=/usr/sbin/allocate
format=(0..n)[text]1
comment=command line arguments
# See audit_allocate.c
label=AUE_modify_user
skip=Not used.
label=AUE_mountd_mount
title=mountd: NFS mount
program=/usr/lib/nfs/mountd
see=mountd(1M)
format=text1:path2
comment=remote client hostname:
comment=mount dir
# See audit_mountd.c
label=AUE_mountd_umount
title=mountd: NFS unmount
program=/usr/lib/nfs/mountd
format=text1:path2
comment=remote client hostname:
comment=mount dir
# See audit_mountd.c
label=AUE_poweroff_solaris
program=/usr/sbin/poweroff
title=poweroff
format=user
# See audit_halt.c
label=AUE_reboot_solaris
program=/usr/sbin/reboot
title=reboot
format=user
# See audit_reboot.c
# header,61,2,reboot(1m),,Fri Nov 09 13:52:34 2001, + 726 msec
# subject,tuser1,root,other,root,other,10422,497,0 0 tmach2
# return,success,0
label=AUE_rexd
program=/usr/sbin/rpc.rexd
title=rpc.rexd
format=[text]1:text2:text3:[text]4:[text]5
comment=error message (failure only):
comment="Remote execution requested by:" hostname:
comment="Username:" username:
comment="User id:" user ID (failure only):
comment="Command line:" command attempted
# See audit_rexd.c
label=AUE_rexecd
program=/usr/sbin/rpc.rexecd
title=rpc.rexecd
format=[text]1:text2:text3:text4
comment=error message (failure only):
comment="Remote execution requested by:" hostname:
comment="Username:" username:
comment="Command line:" command attempted
# See audit_rexecd.c
label=AUE_rshd
program=/usr/sbin/in.rshd
title=in.rshd
format=text1:text2:[text]3:[text]4
comment="cmd" command:
comment="remote user" remote user:
comment="local user" local user:
comment=failure message
# See audit_rshd.c
label=AUE_shutdown_solaris
title=shutdown
program=/usr/ucb/shutdown
format=user
# See audit_shutdown.c
label=AUE_smserverd
program=/usr/lib/smedia/rpc.smserverd
format=[text]1:[text]2
comment=state change:
comment=vid, pid, major/minor device
# see usr/src/cmd/smserverd
# code shows a third token, path, but it isn't implemented.
label=AUE_uadmin_solaris
title=uadmin (obsolete)
program=
see=
format=text1:text2
comment=function code:
comment=argument code
# not used. Replaced by AUE_uadmin_* events, see uadmin.c, adt.xml
label=AUE_LABELSYS_TNRH
title=config Trusted Network remote host cache
see=tnrh(2)
syscall=labelsys: TSOL_TNRH
case=With the flush command (cmd=3)
format=arg1
comment=1, command, "cmd"
case=With the load (cmd=1) and delete (cmd=2) commands
format=arg1:inaddr2:arg3
comment=1, command, "cmd":
comment=ip address of host:
comment=2, prefix length, "prefix len"
label=AUE_LABELSYS_TNRHTP
title=config Trusted Network remote host template
see=tnrhtp(2)
syscall=labelsys: TSOL_TNRHTP
case=With the flush command (cmd=3)
format=arg1
comment=1, command, "cmd"
case=With the load (cmd=1) and delete (cmd=2) commands
format=arg1:text2
comment=1, command, "cmd":
comment=name of template
label=AUE_LABELSYS_TNMLP
title=config Trusted Network multi-level port entry
see=tnmlp(2)
syscall=labelsys: TSOL_TNMLP
case=With the flush command (cmd=3)
format=arg1:text2
comment=1, command, "cmd":
comment="shared", or name of zone
case=With the load (cmd=1) and delete (cmd=2) commands
format=arg1:text2:arg3:arg4:[arg]5
comment=1, command, "cmd":
comment="shared", or name of zone:
comment=2, protocol number, "proto num":
comment=2, starting mlp port number, "mlp_port":
comment=2, ending mlp port number, "mlp_port_upper"