Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ArchCelsum:etc ArchCelsum$ cat security/*
- #
- # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#6 $
- #
- 0x00000000:no:invalid class
- 0x00000001:fr:file read
- 0x00000002:fw:file write
- 0x00000004:fa:file attribute access
- 0x00000008:fm:file attribute modify
- 0x00000010:fc:file create
- 0x00000020:fd:file delete
- 0x00000040:cl:file close
- 0x00000080:pc:process
- 0x00000100:nt:network
- 0x00000200:ip:ipc
- 0x00000400:na:non attributable
- 0x00000800:ad:administrative
- 0x00001000:lo:login_logout
- 0x00002000:aa:authentication and authorization
- 0x00004000:ap:application
- 0x20000000:io:ioctl
- 0x40000000:ex:exec
- 0x80000000:ot:miscellaneous
- 0xffffffff:all:all flags set
- cat: security/audit_control: Permission denied
- #
- # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#41 $
- #
- # The mapping between event identifiers and values is also hard-coded in
- # audit_kevents.h and audit_uevents.h, so changes must occur in both places,
- # and programs, such as the kernel, may need to be recompiled to recognize
- # those changes. It is advisable not to change the numbering or naming of
- # kernel audit events.
- #
- # Allocation of BSM event identifier ranges:
- #
- # 0 Reserved and invalid
- # 1 - 2047 Reserved for Solaris kernel events
- # 2048 - 5999 Reserved and unallocated
- # 6000 - 9999 Reserved for Solaris user events
- # 10000 - 32767 Reserved and unallocated
- # 32768 - 65535 Available for third party applications
- #
- # Of the third party range, OpenBSM allocates from the following ranges:
- #
- # 43000 - 44999 Reserved for OpenBSM kernel events
- # 45000 - 46999 Reserved for OpenBSM application events
- #
- 0:AUE_NULL:indir system call:no
- 1:AUE_EXIT:exit(2):pc
- 2:AUE_FORK:fork(2):pc
- 3:AUE_OPEN:open(2) - attr only:fa
- 4:AUE_CREAT:creat(2):fc
- 5:AUE_LINK:link(2):fc
- 6:AUE_UNLINK:unlink(2):fd
- 7:AUE_EXEC:exec(2):pc,ex
- 8:AUE_CHDIR:chdir(2):pc
- 9:AUE_MKNOD:mknod(2):fc
- 10:AUE_CHMOD:chmod(2):fm
- 11:AUE_CHOWN:chown(2):fm
- 12:AUE_UMOUNT:umount(2) - old version:ad
- 13:AUE_JUNK:junk:no
- 14:AUE_ACCESS:access(2):fa
- 15:AUE_KILL:kill(2):pc
- 16:AUE_STAT:stat(2):fa
- 17:AUE_LSTAT:lstat(2):fa
- 18:AUE_ACCT:acct(2):ad
- 19:AUE_MCTL:mctl(2):no
- 20:AUE_REBOOT:reboot(2):ad
- 21:AUE_SYMLINK:symlink(2):fc
- 22:AUE_READLINK:readlink(2):fr
- 23:AUE_EXECVE:execve(2):pc,ex
- 24:AUE_CHROOT:chroot(2):pc
- 25:AUE_VFORK:vfork(2):pc
- 26:AUE_SETGROUPS:setgroups(2):pc
- 27:AUE_SETPGRP:setpgrp(2):pc
- 28:AUE_SWAPON:swapon(2):ad
- 29:AUE_SETHOSTNAME:sethostname(2):ad
- 30:AUE_FCNTL:fcntl(2):fm
- 31:AUE_SETPRIORITY:setpriority(2):pc
- 32:AUE_CONNECT:connect(2):nt
- 33:AUE_ACCEPT:accept(2):nt
- 34:AUE_BIND:bind(2):nt
- 35:AUE_SETSOCKOPT:setsockopt(2):nt
- 36:AUE_VTRACE:vtrace(2):pc
- 37:AUE_SETTIMEOFDAY:settimeofday(2):ad
- 38:AUE_FCHOWN:fchown(2):fm
- 39:AUE_FCHMOD:fchmod(2):fm
- 40:AUE_SETREUID:setreuid(2):pc
- 41:AUE_SETREGID:setregid(2):pc
- 42:AUE_RENAME:rename(2):fc,fd
- 43:AUE_TRUNCATE:truncate(2):fw
- 44:AUE_FTRUNCATE:ftruncate(2):fw
- 45:AUE_FLOCK:flock(2):fm
- 46:AUE_SHUTDOWN:shutdown(2):nt
- 47:AUE_MKDIR:mkdir(2):fc
- 48:AUE_RMDIR:rmdir(2):fd
- 49:AUE_UTIMES:utimes(2):fm
- 50:AUE_ADJTIME:adjtime(2):ad
- 51:AUE_SETRLIMIT:setrlimit(2):pc
- 52:AUE_KILLPG:killpg(2):pc
- 53:AUE_NFS_SVC:nfs_svc(2):ad
- 54:AUE_STATFS:statfs(2):fa
- 55:AUE_FSTATFS:fstatfs(2):fa
- 56:AUE_UNMOUNT:unmount(2):ad
- 57:AUE_ASYNC_DAEMON:async_daemon(2):ad
- 58:AUE_NFS_GETFH:nfs_getfh(2):ad
- 59:AUE_SETDOMAINNAME:setdomainname(2):ad
- 60:AUE_QUOTACTL:quotactl(2):ad
- 61:AUE_EXPORTFS:exportfs(2):ad
- 62:AUE_MOUNT:mount(2):ad
- 63:AUE_SEMSYS:semsys(2):ip
- 64:AUE_MSGSYS:msgsys(2):ip
- 65:AUE_SHMSYS:shmsys(2):ip
- 66:AUE_BSMSYS:bsmsys(2):ad
- 67:AUE_RFSSYS:rfssys(2):ad
- 68:AUE_FCHDIR:fchdir(2):pc
- 69:AUE_FCHROOT:fchroot(2):pc
- 70:AUE_VPIXSYS:vpixsys(2):no
- 71:AUE_PATHCONF:pathconf(2):fa
- 72:AUE_OPEN_R:open(2) - read:fr
- 73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,fa,fm
- 74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,fa,fm
- 75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,fa,fm
- 76:AUE_OPEN_W:open(2) - write:fw
- 77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,fa,fm
- 78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,fa,fm
- 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,fa,fm
- 80:AUE_OPEN_RW:open(2) - read,write:fr,fw
- 81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,fa,fm
- 82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,fa,fm
- 83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
- 84:AUE_MSGCTL:msgctl(2) - illegal command:ip
- 85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip
- 86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip
- 87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
- 88:AUE_MSGGET:msgget(2):ip
- 89:AUE_MSGRCV:msgrcv(2):ip
- 90:AUE_MSGSND:msgsnd(2):ip
- 91:AUE_SHMCTL:shmctl(2) - illegal command:ip
- 92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip
- 93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip
- 94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
- 95:AUE_SHMGET:shmget(2):ip
- 96:AUE_SHMAT:shmat(2):ip
- 97:AUE_SHMDT:shmdt(2):ip
- 98:AUE_SEMCTL:semctl(2) - illegal command:ip
- 99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip
- 100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip
- 101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
- 102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip
- 103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip
- 104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip
- 105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip
- 106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip
- 107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip
- 108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip
- 109:AUE_SEMGET:semget(2):ip
- 110:AUE_SEMOP:semop(2):ip
- 111:AUE_CORE:process dumped core:fc
- 112:AUE_CLOSE:close(2):cl
- 113:AUE_SYSTEMBOOT:system booted:na
- 114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
- 115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
- 128:AUE_WRITEL:writel(2):no
- 129:AUE_WRITEVL:writevl(2):no
- 130:AUE_GETAUID:getauid(2):ad
- 131:AUE_SETAUID:setauid(2):ad
- 132:AUE_GETAUDIT:getaudit(2):ad
- 133:AUE_SETAUDIT:setaudit(2):ad
- 134:AUE_GETUSERAUDIT:getuseraudit(2):ad
- 135:AUE_SETUSERAUDIT:setuseraudit(2):ad
- 136:AUE_AUDITSVC:auditsvc(2):ad
- 137:AUE_AUDITUSER:audituser(2):ad
- 138:AUE_AUDITON:auditon(2):ad
- 139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:ad
- 140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:ad
- 141:AUE_AUDITON_GPOLICY:auditon(2) - GPOLICY command:ad
- 142:AUE_AUDITON_SPOLICY:auditon(2) - SPOLICY command:ad
- 143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:ad
- 144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:ad
- 145:AUE_AUDITON_GQCTRL:auditon(2) - GQCTRL command:ad
- 146:AUE_AUDITON_SQCTRL:auditon(2) - SQCTRL command:ad
- 147:AUE_GETKERNSTATE:getkernstate(2):ad
- 148:AUE_SETKERNSTATE:setkernstate(2):ad
- 149:AUE_GETPORTAUDIT:getportaudit(2):ad
- 150:AUE_AUDITSTAT:auditstat(2):ad
- 151:AUE_REVOKE:revoke(2):cl
- 152:AUE_MAC:Solaris AUE_MAC:no
- 153:AUE_ENTERPROM:enter prom:ad
- 154:AUE_EXITPROM:exit prom:ad
- 155:AUE_IFLOAT:Solaris AUE_IFLOAT:no
- 156:AUE_PFLOAT:Solaris AUE_PFLOAT:no
- 157:AUE_UPRIV:Solaris AUE_UPRIV:no
- 158:AUE_IOCTL:ioctl(2):io
- 173:AUE_ONESIDE:one-sided session record:nt
- 174:AUE_MSGGETL:msggetl(2):ip
- 175:AUE_MSGRCVL:msgrcvl(2):ip
- 176:AUE_MSGSNDL:msgsndl(2):ip
- 177:AUE_SEMGETL:semgetl(2):ip
- 178:AUE_SHMGETL:shmgetl(2):ip
- 183:AUE_SOCKET:socket(2):nt
- 184:AUE_SENDTO:sendto(2):nt
- 185:AUE_PIPE:pipe(2):ip
- 186:AUE_SOCKETPAIR:socketpair(2):nt
- 187:AUE_SEND:send(2):nt
- 188:AUE_SENDMSG:sendmsg(2):nt
- 189:AUE_RECV:recv(2):nt
- 190:AUE_RECVMSG:recvmsg(2):nt
- 191:AUE_RECVFROM:recvfrom(2):nt
- 192:AUE_READ:read(2):no
- 193:AUE_GETDENTS:getdents(2):no
- 194:AUE_LSEEK:lseek(2):no
- 195:AUE_WRITE:write(2):no
- 196:AUE_WRITEV:writev(2):no
- 197:AUE_NFS:nfs server:ad
- 198:AUE_READV:readv(2):no
- 199:AUE_OSTAT:Solaris old stat(2):fa
- 200:AUE_SETUID:setuid(2):pc
- 201:AUE_STIME:old stime(2):ad
- 202:AUE_UTIME:old utime(2):fm
- 203:AUE_NICE:old nice(2):pc
- 204:AUE_OSETPGRP:Solaris old setpgrp(2):pc
- 205:AUE_SETGID:setgid(2):pc
- 206:AUE_READL:readl(2):no
- 207:AUE_READVL:readvl(2):no
- 208:AUE_FSTAT:fstat(2):fa
- 209:AUE_DUP2:dup2(2):no
- 210:AUE_MMAP:mmap(2):no
- 211:AUE_AUDIT:audit(2):ot
- 212:AUE_PRIOCNTLSYS:Solaris priocntlsys(2):pc
- 213:AUE_MUNMAP:munmap(2):cl
- 214:AUE_SETEGID:setegid(2):pc
- 215:AUE_SETEUID:seteuid(2):pc
- 216:AUE_PUTMSG:putmsg(2):nt
- 217:AUE_GETMSG:getmsg(2):nt
- 218:AUE_PUTPMSG:putpmsg(2):nt
- 219:AUE_GETPMSG:getpmsg(2):nt
- 220:AUE_AUDITSYS:audit system calls place holder:no
- 221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:ad
- 222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:ad
- 223:AUE_AUDITON_GETCWD:auditon(2) - get cwd:ad
- 224:AUE_AUDITON_GETCAR:auditon(2) - get car:ad
- 225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:ad
- 226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:ad
- 227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per uid:ad
- 228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:ad
- 229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:ad
- 230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:ad
- 231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:ad
- 232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:ad
- 233:AUE_UTSSYS:utssys(2) - fusers:ad
- 234:AUE_STATVFS:statvfs(2):fa
- 235:AUE_XSTAT:xstat(2):fa
- 236:AUE_LXSTAT:lxstat(2):fa
- 237:AUE_LCHOWN:lchown(2):fm
- 238:AUE_MEMCNTL:memcntl(2):ot
- 239:AUE_SYSINFO:sysinfo(2):ad
- 240:AUE_XMKNOD:xmknod(2):fc
- 241:AUE_FORK1:fork1(2):pc
- 242:AUE_MODCTL:modctl(2) system call place holder:no
- 243:AUE_MODLOAD:modctl(2) - load module:ad
- 244:AUE_MODUNLOAD:modctl(2) - unload module:ad
- 245:AUE_MODCONFIG:modctl(2) - configure module:ad
- 246:AUE_MODADDMAJ:modctl(2) - bind module:ad
- 247:AUE_SOCKACCEPT:getmsg-accept:nt
- 248:AUE_SOCKCONNECT:putmsg-connect:nt
- 249:AUE_SOCKSEND:putmsg-send:nt
- 250:AUE_SOCKRECEIVE:getmsg-receive:nt
- 251:AUE_ACLSET:acl(2) - SETACL comand:fm
- 252:AUE_FACLSET:facl(2) - SETACL command:fm
- 253:AUE_DOORFS:doorfs(2) - system call place holder:no
- 254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip
- 255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip
- 256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip
- 257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip
- 258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip
- 259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip
- 260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip
- 261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip
- 262:AUE_P_ONLINE:p_online(2):ad
- 263:AUE_PROCESSOR_BIND:processor_bind(2):ad
- 264:AUE_INST_SYNC:inst_sync(2):ad
- 265:AUE_SOCKCONFIG:configure socket:nt
- 266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
- 267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
- 268:AUE_UMOUNT2:Solaris umount(2):ad
- 269:AUE_FSAT:fsat(2) - place holder:no
- 270:AUE_OPENAT_R:openat(2) - read:fr
- 271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr,fa,fm
- 272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr,fa,fm
- 273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr,fa,fm
- 274:AUE_OPENAT_W:openat(2) - write:fw
- 275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw,fa,fm
- 276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw,fa,fm
- 277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw,fa,fm
- 278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw
- 279:AUE_OPENAT_RWC:openat(2) - read,write,create:fc,fw,fr,fa,fm
- 280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fw,fr,fa,fm
- 281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
- 282:AUE_RENAMEAT:renameat(2):fc,fd
- 283:AUE_FSTATAT:fstatat(2):fa
- 284:AUE_FCHOWNAT:fchownat(2):fm
- 285:AUE_FUTIMESAT:futimesat(2):fm
- 286:AUE_UNLINKAT:unlinkat(2):fd
- 287:AUE_CLOCK_SETTIME:clock_settime(2):ad
- 288:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
- 289:AUE_SETPPRIV:setppriv(2):pc
- 290:AUE_MODDEVPLCY:modctl(2) - configure device policy:ad
- 291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:ad
- 292:AUE_CRYPTOADM:kernel cryptographic framework:ad
- 293:AUE_CONFIGKSSL:configure kernel SSL:ad
- 294:AUE_BRANDSYS:brandsys(2):ot
- 295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:ad
- 296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:ad
- 297:AUE_PF_POLICY_CLONE:Clone IPsec policy:ad
- 298:AUE_PF_POLICY_FLIP:Flip IPsec policy:ad
- 299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:ad
- 300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:ad
- 301:AUE_PORTFS:portfs:fa
- #
- # What follows are deprecated Darwin event numbers that may soon^H^H^H^Hnow
- # conflict with Solaris events.
- #
- 301:AUE_DARWIN_GETFSSTAT:getfsstat(2):fa
- 302:AUE_DARWIN_PTRACE:ptrace(2):pc
- 303:AUE_DARWIN_CHFLAGS:chflags(2):fm
- 304:AUE_DARWIN_FCHFLAGS:fchflags(2):fm
- 305:AUE_DARWIN_PROFILE:profil(2):pc
- 306:AUE_DARWIN_KTRACE:ktrace(2):pc
- 307:AUE_DARWIN_SETLOGIN:setlogin(2):pc
- 308:AUE_DARWIN_REBOOT:reboot(2):ad
- 309:AUE_DARWIN_REVOKE:revoke(2):cl
- 310:AUE_DARWIN_UMASK:umask(2):pc
- 311:AUE_DARWIN_MPROTECT:mprotect(2):fm
- 312:AUE_DARWIN_SETPRIORITY:setpriority(2):pc,ot
- 313:AUE_DARWIN_SETTIMEOFDAY:settimeofday(2):ad
- 314:AUE_DARWIN_FLOCK:flock(2):fm
- 315:AUE_DARWIN_MKFIFO:mkfifo(2):fc
- 316:AUE_DARWIN_POLL:poll(2):no
- 317:AUE_DARWIN_SOCKETPAIR:socketpair(2):nt
- 318:AUE_DARWIN_FUTIMES:futimes(2):fm
- 319:AUE_DARWIN_SETSID:setsid(2):pc
- 320:AUE_DARWIN_SETPRIVEXEC:setprivexec(2):pc
- 321:AUE_DARWIN_NFSSVC:nfssvc(2):ad
- 322:AUE_DARWIN_GETFH:getfh(2):fa
- 323:AUE_DARWIN_QUOTACTL:quotactl(2):ad
- 324:AUE_DARWIN_ADDPROFILE:add_profil():pc
- 325:AUE_DARWIN_KDEBUGTRACE:kdebug_trace():pc
- 326:AUE_DARWIN_FSTAT:fstat(2):fa
- 327:AUE_DARWIN_FPATHCONF:fpathconf(2):fa
- 328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):no
- 329:AUE_DARWIN_TRUNCATE:truncate(2):fw
- 330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
- 331:AUE_DARWIN_SYSCTL:sysctl(3):ad
- 332:AUE_DARWIN_MLOCK:mlock(2):pc
- 333:AUE_DARWIN_MUNLOCK:munlock(2):pc
- 334:AUE_DARWIN_UNDELETE:undelete(2):fm
- 335:AUE_DARWIN_GETATTRLIST:getattrlist():fa
- 336:AUE_DARWIN_SETATTRLIST:setattrlist():fm
- 337:AUE_DARWIN_GETDIRENTRIESATTR:getdirentriesattr():fa
- 338:AUE_DARWIN_EXCHANGEDATA:exchangedata():fw
- 339:AUE_DARWIN_SEARCHFS:searchfs():fa
- 340:AUE_DARWIN_MINHERIT:minherit(2):pc
- 341:AUE_DARWIN_SEMCONFIG:semconfig():ip
- 342:AUE_DARWIN_SEMOPEN:sem_open(2):ip
- 343:AUE_DARWIN_SEMCLOSE:sem_close(2):ip
- 344:AUE_DARWIN_SEMUNLINK:sem_unlink(2):ip
- 345:AUE_DARWIN_SHMOPEN:shm_open(2):ip
- 346:AUE_DARWIN_SHMUNLINK:shm_unlink(2):ip
- 347:AUE_DARWIN_LOADSHFILE:load_shared_file():fr
- 348:AUE_DARWIN_RESETSHFILE:reset_shared_file():ot
- 349:AUE_DARWIN_NEWSYSTEMSHREG:new_system_share_regions():ot
- 350:AUE_DARWIN_PTHREADKILL:pthread_kill(2):pc
- 351:AUE_DARWIN_PTHREADSIGMASK:pthread_sigmask(2):pc
- 352:AUE_DARWIN_AUDITCTL:auditctl(2):ad
- 353:AUE_DARWIN_RFORK:rfork(2):pc
- 354:AUE_DARWIN_LCHMOD:lchmod(2):fm
- 355:AUE_DARWIN_SWAPOFF:swapoff(2):ad
- 356:AUE_DARWIN_INITPROCESS:init_process():pc
- 357:AUE_DARWIN_MAPFD:map_fd():fa
- 358:AUE_DARWIN_TASKFORPID:task_for_pid():pc
- 359:AUE_DARWIN_PIDFORTASK:pid_for_task():pc
- 360:AUE_DARWIN_SYSCTL_NONADMIN:sysctl() - non-admin:ot
- 361:AUE_DARWIN_COPYFILE:copyfile():fr,fw
- #
- # OpenBSM-specific kernel events.
- #
- 43001:AUE_GETFSSTAT:getfsstat(2):fa
- 43002:AUE_PTRACE:ptrace(2):pc
- 43003:AUE_CHFLAGS:chflags(2):fm
- 43004:AUE_FCHFLAGS:fchflags(2):fm
- 43005:AUE_PROFILE:profil(2):pc
- 43006:AUE_KTRACE:ktrace(2):pc
- 43007:AUE_SETLOGIN:setlogin(2):pc
- 43008:AUE_OPENBSM_REVOKE:revoke(2):cl
- 43009:AUE_UMASK:umask(2):pc
- 43010:AUE_MPROTECT:mprotect(2):fm
- 43011:AUE_MKFIFO:mkfifo(2):fc
- 43012:AUE_POLL:poll(2):no
- 43013:AUE_FUTIMES:futimes(2):fm
- 43014:AUE_SETSID:setsid(2):pc
- 43015:AUE_SETPRIVEXEC:setprivexec(2):pc
- 43016:AUE_ADDPROFILE:add_profil():pc
- 43017:AUE_KDEBUGTRACE:kdebug_trace():pc
- 43018:AUE_OPENBSM_FSTAT:fstat(2):fa
- 43019:AUE_FPATHCONF:fpathconf(2):fa
- 43020:AUE_GETDIRENTRIES:getdirentries(2):no
- 43021:AUE_SYSCTL:sysctl(3):ot
- 43022:AUE_MLOCK:mlock(2):pc
- 43023:AUE_MUNLOCK:munlock(2):pc
- 43024:AUE_UNDELETE:undelete(2):fm
- 43025:AUE_GETATTRLIST:getattrlist():fa
- 43026:AUE_SETATTRLIST:setattrlist():fm
- 43027:AUE_GETDIRENTRIESATTR:getdirentriesattr():fa
- 43028:AUE_EXCHANGEDATA:exchangedata():fw
- 43029:AUE_SEARCHFS:searchfs():fa
- 43030:AUE_MINHERIT:minherit(2):pc
- 43031:AUE_SEMCONFIG:semconfig():ip
- 43032:AUE_SEMOPEN:sem_open(2):ip
- 43033:AUE_SEMCLOSE:sem_close(2):ip
- 43034:AUE_SEMUNLINK:sem_unlink(2):ip
- 43035:AUE_SHMOPEN:shm_open(2):ip
- 43036:AUE_SHMUNLINK:shm_unlink(2):ip
- 43037:AUE_LOADSHFILE:load_shared_file():fr
- 43038:AUE_RESETSHFILE:reset_shared_file():ot
- 43039:AUE_NEWSYSTEMSHREG:new_system_share_regions():ot
- 43040:AUE_PTHREADKILL:pthread_kill(2):pc
- 43041:AUE_PTHREADSIGMASK:pthread_sigmask(2):pc
- 43042:AUE_AUDITCTL:auditctl(2):ad
- 43043:AUE_RFORK:rfork(2):pc
- 43044:AUE_LCHMOD:lchmod(2):fm
- 43045:AUE_SWAPOFF:swapoff(2):ad
- 43046:AUE_INITPROCESS:init_process():pc
- 43047:AUE_MAPFD:map_fd():fa
- 43048:AUE_TASKFORPID:task_for_pid():pc
- 43049:AUE_PIDFORTASK:pid_for_task():pc
- 43050:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
- 43051:AUE_COPYFILE:copyfile(2):fr,fw
- 43052:AUE_LUTIMES:lutimes(2):fm
- 43053:AUE_LCHFLAGS:lchflags(2):fm
- 43054:AUE_SENDFILE:sendfile(2):nt
- 43055:AUE_USELIB:uselib(2):fa
- 43056:AUE_GETRESUID:getresuid(2):pc
- 43057:AUE_SETRESUID:setresuid(2):pc
- 43058:AUE_GETRESGID:getresgid(2):pc
- 43059:AUE_SETRESGID:setresgid(2):pc
- 43060:AUE_WAIT4:wait4(2):pc
- 43061:AUE_LGETFH:lgetfh(2):fa
- 43062:AUE_FHSTATFS:fhstatfs(2):fa
- 43063:AUE_FHOPEN:fhopen(2):fa
- 43064:AUE_FHSTAT:fhstat(2):fa
- 43065:AUE_JAIL:jail(2):pc
- 43066:AUE_EACCESS:eaccess(2):fa
- 43067:AUE_KQUEUE:kqueue(2):no
- 43068:AUE_KEVENT:kevent(2):no
- 43069:AUE_FSYNC:fsync(2):fm
- 43070:AUE_NMOUNT:nmount(2):ad
- 43071:AUE_BDFLUSH:bdflush(2):ad
- 43072:AUE_SETFSUID:setfsuid(2):ot
- 43073:AUE_SETFSGID:setfsgid(2):ot
- 43074:AUE_PERSONALITY:personality(2):pc
- 43075:AUE_SCHED_GETSCHEDULER:getscheduler(2):ad
- 43076:AUE_SCHED_SETSCHEDULER:setscheduler(2):ad
- 43077:AUE_PRCTL:prctl(2):pc
- 43078:AUE_GETCWD:getcwd(2):pc
- 43079:AUE_CAPGET:capget(2):pc
- 43080:AUE_CAPSET:capset(2):pc
- 43081:AUE_PIVOT_ROOT:pivot_root(2):pc
- 43082:AUE_RTPRIO::rtprio(2):pc
- 43083:AUE_SCHED_GETPARAM:sched_getparam(2):ad
- 43084:AUE_SCHED_SETPARAM:sched_setparam(2):ad
- 43085:AUE_SCHED_GET_PRIORITY_MAX:sched_get_priority_max(2):ad
- 43086:AUE_SCHED_GET_PRIORITY_MIN:sched_get_priority_min(2):ad
- 43087:AUE_SCHED_RR_GET_INTERVAL:sched_rr_get_interval(2):ad
- 43088:AUE_ACL_GET_FILE:acl_get_file(2):fa
- 43089:AUE_ACL_SET_FILE:acl_set_file(2):fm
- 43090:AUE_ACL_GET_FD:acl_get_fd(2):fa
- 43091:AUE_ACL_SET_FD:acl_set_fd(2):fm
- 43092:AUE_ACL_DELETE_FILE:acl_delete_file(2):fm
- 43093:AUE_ACL_DELETE_FD:acl_delete_fd(2):fm
- 43094:AUE_ACL_CHECK_FILE:acl_aclcheck_file(2):fa
- 43095:AUE_ACL_CHECK_FD:acl_aclcheck_fd(2):fa
- 43096:AUE_ACL_GET_LINK:acl_get_link(2):fa
- 43097:AUE_ACL_SET_LINK:acl_set_link(2):fm
- 43098:AUE_ACL_DELETE_LINK:acl_delete_link(2):fm
- 43099:AUE_ACL_CHECK_LINK:acl_aclcheck_link(2):fa
- 43100:AUE_SYSARCH:sysarch(2):ot
- 43101:AUE_EXTATTRCTL:extattrctl(2):fm
- 43102:AUE_EXTATTR_GET_FILE:extattr_get_file(2):fa
- 43103:AUE_EXTATTR_SET_FILE:extattr_set_file(2):fm
- 43104:AUE_EXTATTR_LIST_FILE:extattr_list_file(2):fa
- 43105:AUE_EXTATTR_DELETE_FILE:extattr_delete_file(2):fm
- 43106:AUE_EXTATTR_GET_FD:extattr_get_fd(2):fa
- 43107:AUE_EXTATTR_SET_FD:extattr_set_fd(2):fm
- 43108:AUE_EXTATTR_LIST_FD:extattr_list_fd(2):fa
- 43109:AUE_EXTATTR_DELETE_FD:extattr_delete_fd(2):fm
- 43110:AUE_EXTATTR_GET_LINK:extattr_get_link(2):fa
- 43111:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
- 43112:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
- 43113:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
- 43114:AUE_KENV:kenv(8):ad
- 43115:AUE_JAIL_ATTACH:jail_attach(2):ad
- 43116:AUE_SYSCTL_WRITE:sysctl(3):ad
- 43117:AUE_IOPERM:linux ioperm:ad
- 43118:AUE_READDIR:readdir(3):no
- 43119:AUE_IOPL:linux iopl:ad
- 43120:AUE_VM86:linux vm86:pc
- 43121:AUE_MAC_GET_PROC:mac_get_proc(2):pc
- 43122:AUE_MAC_SET_PROC:mac_set_proc(2):pc
- 43123:AUE_MAC_GET_FD:mac_get_fd(2):fa
- 43124:AUE_MAC_GET_FILE:mac_get_file(2):fa
- 43125:AUE_MAC_SET_FD:mac_set_fd(2):fm
- 43126:AUE_MAC_SET_FILE:mac_set_file(2):fm
- 43127:AUE_MAC_SYSCALL:mac_syscall(2):ad
- 43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
- 43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
- 43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
- 43131:AUE_MAC_EXECVE:mac_execve(2):ex,pc
- 43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
- 43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
- 43134:AUE_MQ_OPEN:mq_open(2):ip
- 43135:AUE_MQ_SETATTR:mq_setattr(2):ip
- 43136:AUE_MQ_TIMEDRECEIVE:mq_timedreceive(2):ip
- 43137:AUE_MQ_TIMEDSEND:mq_timedsend(2):ip
- 43138:AUE_MQ_NOTIFY:mq_notify(2):ip
- 43139:AUE_MQ_UNLINK:mq_unlink(2):ip
- 43140:AUE_LISTEN:listen(2):nt
- 43141:AUE_MLOCKALL:mlockall(2):pc
- 43142:AUE_MUNLOCKALL:munlockall(2):pc
- 43143:AUE_CLOSEFROM:closefrom(2):cl
- 43144:AUE_FEXECVE:fexecve(2):pc,ex
- 43145:AUE_FACCESSAT:faccessat(2):fa
- 43146:AUE_FCHMODAT:fchmodat(2):fm
- 43147:AUE_LINKAT:linkat(2):fc
- 43148:AUE_MKDIRAT:mkdirat(2):fc
- 43149:AUE_MKFIFOAT:mkfifoat(2):fc
- 43150:AUE_MKNODAT:mknodat(2):fc
- 43151:AUE_READLINKAT:readlinkat(2):fr
- 43152:AUE_SYMLINKAT:symlinkat(2):fc
- 43153:AUE_MAC_GETFSSTAT:mac_getfsstat(2):fa
- 43154:AUE_MAC_GET_MOUNT:mac_get_mount(2):fa
- 43155:AUE_MAC_GET_LCID:mac_get_lcid(2):pc
- 43156:AUE_MAC_GET_LCTX:mac_get_lctx(2):pc
- 43157:AUE_MAC_SET_LCTX:mac_set_lctx(2):pc
- 43158:AUE_MAC_MOUNT:mac_mount(2):ad
- 43159:AUE_GETLCID:getlcid(2):pc
- 43160:AUE_SETLCID:setlcid(2):pc
- 43161:AUE_TASKNAMEFORPID:taskname_for_pid():pc
- 43162:AUE_ACCESS_EXTENDED:access_extended(2):fa
- 43163:AUE_CHMOD_EXTENDED:chmod_extended(2):fm
- 43164:AUE_FCHMOD_EXTENDED:fchmod_extended(2):fm
- 43165:AUE_FSTAT_EXTENDED:fstat_extended(2):fa
- 43166:AUE_LSTAT_EXTENDED:lstat_extended(2):fa
- 43167:AUE_MKDIR_EXTENDED:mkdir_extended(2):fc
- 43168:AUE_MKFIFO_EXTENDED:mkfifo_extended(2):fc
- 43169:AUE_OPEN_EXTENDED:open_extended(2) - attr only:fa
- 43170:AUE_OPEN_EXTENDED_R:open_extended(2) - read:fr
- 43171:AUE_OPEN_EXTENDED_RC:open_extended(2) - read,creat:fc,fr,fa,fm
- 43172:AUE_OPEN_EXTENDED_RT:open_extended(2) - read,trunc:fd,fr,fa,fm
- 43173:AUE_OPEN_EXTENDED_RTC:open_extended(2) - read,creat,trunc:fc,fd,fr,fa,fm
- 43174:AUE_OPEN_EXTENDED_W:open_extended(2) - write:fw
- 43175:AUE_OPEN_EXTENDED_WC:open_extended(2) - write,creat:fc,fw,fa,fm
- 43176:AUE_OPEN_EXTENDED_WT:open_extended(2) - write,trunc:fd,fw,fa,fm
- 43177:AUE_OPEN_EXTENDED_WTC:open_extended(2) - write,creat,trunc:fc,fd,fw,fa,fm
- 43178:AUE_OPEN_EXTENDED_RW:open_extended(2) - read,write:fr,fw
- 43179:AUE_OPEN_EXTENDED_RWC:open_extended(2) - read,write,creat:fc,fw,fr,fa,fm
- 43180:AUE_OPEN_EXTENDED_RWT:open_extended(2) - read,write,trunc:fd,fr,fw,fa,fm
- 43181:AUE_OPEN_EXTENDED_RWTC:open_extended(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
- 43182:AUE_STAT_EXTENDED:stat_extended(2):fa
- 43183:AUE_UMASK_EXTENDED:umask_extended(2):pc
- 43184:AUE_OPENAT:openat(2) - attr only:fa
- 43185:AUE_POSIX_OPENPT:posix_openpt(2):ip
- 43186:AUE_CAP_NEW:cap_new(2):fm
- 43187:AUE_CAP_GETRIGHTS:cap_getrights(2):fm
- 43188:AUE_CAP_ENTER:cap_enter(2):pc
- 43189:AUE_CAP_GETMODE:cap_getmode(2):pc
- 43190:AUE_POSIX_SPAWN:posix_spawn(2):pc
- 43191:AUE_FSGETPATH:fsgetpath(2):ot
- 43192:AUE_PREAD:pread(2):no
- 43193:AUE_PWRITE:pwrite(2):no
- 43194:AUE_FSCTL:fsctl():fm
- 43195:AUE_FFSCTL:ffsctl():fm
- 43196:AUE_LPATHCONF:lpathconf(2):fa
- 43197:AUE_PDFORK:pdfork(2):pc
- 43198:AUE_PDKILL:pdkill(2):pc
- 43199:AUE_PDGETPID:pdgetpid(2):pc
- 43200:AUE_PDWAIT:pdwait(2):pc
- #
- 44901:AUE_SESSION_START:session start:aa
- 44902:AUE_SESSION_UPDATE:session update:aa
- 44903:AUE_SESSION_END:session end:aa
- 44904:AUE_SESSION_CLOSE:session close:aa
- #
- # Solaris userspace events.
- #
- 6144:AUE_at_create:at-create atjob:ad
- 6145:AUE_at_delete:at-delete atjob (at or atrm):ad
- 6146:AUE_at_perm:at-permission:no
- 6147:AUE_cron_invoke:cron-invoke:ad
- 6148:AUE_crontab_create:crontab-crontab created:ad
- 6149:AUE_crontab_delete:crontab-crontab deleted:ad
- 6150:AUE_crontab_perm:crontab-permission:no
- 6151:AUE_inetd_connect:inetd connection:na
- 6152:AUE_login:login - local:lo
- 6153:AUE_logout:logout - local:lo
- 6154:AUE_telnet:login - telnet:lo
- 6155:AUE_rlogin:login - rlogin:lo
- 6156:AUE_mountd_mount:mount:na
- 6157:AUE_mountd_umount:unmount:na
- 6158:AUE_rshd:rsh access:lo
- 6159:AUE_su:su(1):lo
- 6160:AUE_halt:system halt:ad
- 6161:AUE_reboot:system reboot:ad
- 6162:AUE_rexecd:rexecd:lo
- 6163:AUE_passwd:passwd:lo
- 6164:AUE_rexd:rexd:lo
- 6165:AUE_ftpd:ftp access:lo
- 6166:AUE_init:init:lo
- 6167:AUE_uadmin:uadmin:no
- 6168:AUE_shutdown:system shutdown:ad
- 6168:AUE_poweroff:system poweroff:ad
- 6170:AUE_crontab_mod:crontab-modify:ad
- 6171:AUE_ftpd_logout:ftp logout:lo
- 6172:AUE_ssh:login - ssh:lo
- 6173:AUE_role_login:role login:lo
- 6180:AUE_prof_cmd: profile command:ad
- 6181:AUE_filesystem_add:add filesystem:ad
- 6182:AUE_filesystem_delete:delete filesystem:ad
- 6183:AUE_filesystem_modify:modify filesystem:ad
- 6200:AUE_allocate_succ:allocate-device success:ot
- 6201:AUE_allocate_fail:allocate-device failure:ot
- 6202:AUE_deallocate_succ:deallocate-device success:ot
- 6203:AUE_deallocate_fail:deallocate-device failure:ot
- 6204:AUE_listdevice_succ:allocate-list devices success:ot
- 6205:AUE_listdevice_fail:allocate-list devices failure:ot
- 6207:AUE_create_user:create user:ad
- 6208:AUE_modify_user:modify user:ad
- 6209:AUE_delete_user:delete user:ad
- 6210:AUE_disable_user:disable user:ad
- 6211:AUE_enable_user:enable user:ad
- 6212:AUE_newgrp_login:newgrp login:lo
- 6213:AUE_admin_authenticate:admin login:lo
- 6214:AUE_kadmind_auth:authenticated kadmind request:ua
- 6215:AUE_kadmind_unauth:unauthenticated kadmind req:ua
- 6216:AUE_krb5kdc_as_req:kdc authentication svc request:ap
- 6217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap
- 6218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap
- 6219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap
- #
- # Historic Darwin use of low event numbering space, which collided with the
- # Solaris event space. Now obsoleted and new, higher, event numbers assigned
- # to make it easier to interpret Solaris events using the OpenBSM tools.
- #
- 6171:AUE_DARWIN_audit_startup:audit startup:ad
- 6172:AUE_DARWIN_audit_shutdown:audit shutdown:ad
- 6300:AUE_DARWIN_sudo:sudo(1):ad
- 6501:AUE_DARWIN_modify_password:modify password:ad
- 6511:AUE_DARWIN_create_group:create group:ad
- 6512:AUE_DARWIN_delete_group:delete group:ad
- 6513:AUE_DARWIN_modify_group:modify group:ad
- 6514:AUE_DARWIN_add_to_group:add to group:ad
- 6515:AUE_DARWIN_remove_from_group:remove from group:ad
- 6521:AUE_DARWIN_revoke_obj:revoke object priv:fm
- 6600:AUE_DARWIN_lw_login:loginwindow login:lo
- 6601:AUE_DARWIN_lw_logout:loginwindow logout:lo
- 7000:AUE_DARWIN_auth_user:user authentication:aa
- 7001:AUE_DARWIN_ssconn:SecSrvr connection setup:aa
- 7002:AUE_DARWIN_ssauthorize:SecSrvr AuthEngine:aa
- 7003:AUE_DARWIN_ssauthint:SecSrvr authinternal mech:aa
- #
- # Historic/third-party application allocations of event identifiers.
- #
- 32800:AUE_openssh:OpenSSH login:lo
- 43201:AUE_GETATTRLISTBULK:getattrlistbulk(2):fa
- 43202:AUE_GETATTRLISTAT:getattrlistat(2):fa
- 43203:AUE_OPENBYID: openbyid(2) - attr only:fa
- 43204:AUE_OPENBYID_R:openbyid(2) - read:fr
- 43205:AUE_OPENBYID_RT:openbyid(2) - read,trunc:fd,fr,fa,fm
- 43206:AUE_OPENBYID_W:openbyid(2) - write:fw
- 43207:AUE_OPENBYID_WT:openbyid(2) - write,trunc:fd,fw,fa,fm
- 43208:AUE_OPENBYID_RW:openbyid(2) - read,write:fr,fw
- 43209:AUE_OPENBYID_RWT:openbyid(2) - read,write,trunc:fd,fr,fw,fa,fm
- #
- # OpenBSM-managed application event space.
- #
- 45000:AUE_audit_startup:audit startup:ad
- 45001:AUE_audit_shutdown:audit shutdown:ad
- 45014:AUE_modify_password:modify password:ad
- 45015:AUE_create_group:create group:ad
- 45016:AUE_delete_group:delete group:ad
- 45017:AUE_modify_group:modify group:ad
- 45018:AUE_add_to_group:add to group:ad
- 45019:AUE_remove_from_group:remove from group:ad
- 45020:AUE_revoke_obj:revoke object priv:fm
- 45021:AUE_lw_login:loginwindow login:lo
- 45022:AUE_lw_logout:loginwindow logout:lo
- 45023:AUE_auth_user:user authentication:aa
- 45024:AUE_ssconn:SecSrvr connection setup:aa
- 45025:AUE_ssauthorize:SecSrvr AuthEngine:aa
- 45026:AUE_ssauthint:SecSrvr authinternal mech:aa
- 45027:AUE_calife:Calife:ad
- 45028:AUE_sudo:sudo(1):aa
- 45029:AUE_audit_recovery:audit crash recovery:ad
- 45030:AUE_ssauthmech:SecSrvr AuthMechanism:aa
- 45031:AUE_sec_assessment:Security Assessment:aa
- cat: security/audit_user: Permission denied
- #!/bin/sh
- #
- # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
- #
- # command-line arguments are in the form:
- # <warning type> [optional argument] [optional flags]
- #
- # where the warning type may be:
- #
- # allhard All audit trail volumes are over the hard limit.
- # allsoft All audit trail volumes are over the soft limit.
- # auditoff Auditing has been disabled by someone other than auditd.
- # closefile The given trail file has been closed so it is now safe
- # to post-proccess.
- # ebusy The auditd is already running.
- # getacdir The audit trail directory couldn't be parsed from audit_control.
- # hardlimit The given trail volume is over the hard limit.
- # nostart Auditing could not be started.
- # postsigterm There was a problem shutting down auditd.
- # soft The given trail volume is over the soft limit.
- # tmpfile The temporary audit trail file already exist.
- # expired The given trail file expired and was removed.
- #
- # and where the optional flags may be:
- #
- # --will-sleep The system is planning to go to sleep.
- argument=""
- willsleep=0
- type=$1
- shift
- while [ $# -ge 1 ]; do
- case $1 in
- --will-sleep) willsleep=1 ;;
- *) argument=$1 ;;
- esac
- shift
- done
- # Don't log audit warning events when the system is about to sleep.
- if [ $willsleep -eq 0 ]; then
- logger -p security.warning "audit warning: $type $argument"
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement