| audit_event (185573) | audit_event (186647) |
|---|---|
| 1# | 1# |
| 2# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#30 $ 3# $FreeBSD: head/contrib/openbsm/etc/audit_event 185573 2008-12-02 23:26:43Z rwatson $ | 2# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#34 $ 3# $FreeBSD: head/contrib/openbsm/etc/audit_event 186647 2008-12-31 11:12:24Z rwatson $ |
| 4# 5# The mapping between event identifiers and values is also hard-coded in 6# audit_kevents.h and audit_uevents.h, so changes must occur in both places, 7# and programs, such as the kernel, may need to be recompiled to recognize 8# those changes. It is advisable not to change the numbering or naming of 9# kernel audit events. 10# | 4# 5# The mapping between event identifiers and values is also hard-coded in 6# audit_kevents.h and audit_uevents.h, so changes must occur in both places, 7# and programs, such as the kernel, may need to be recompiled to recognize 8# those changes. It is advisable not to change the numbering or naming of 9# kernel audit events. 10# |
| 11# Allocation of BSM event identifier ranges: 12# 13# 0 Reserved and invalid 14# 1 - 2047 Reserved for Solaris kernel events 15# 2048 - 5999 Reserved and unallocated 16# 6000 - 9999 Reserved for Solaris user events 17# 10000 - 32767 Reserved and unallocated 18# 32768 - 65535 Available for third party applications 19# 20# Of the third party range, OpenBSM allocates from the following ranges: 21# 22# 43000 - 44999 Reserved for OpenBSM kernel events 23# 45000 - 46999 Reserved for OpenBSM application events 24# |
|
| 110:AUE_NULL:indir system call:no 121:AUE_EXIT:exit(2):pc 132:AUE_FORK:fork(2):pc 143:AUE_OPEN:open(2) - attr only:fa 154:AUE_CREAT:creat(2):fc 165:AUE_LINK:link(2):fc 176:AUE_UNLINK:unlink(2):fd 187:AUE_EXEC:exec(2):pc,ex --- 162 unchanged lines hidden (view full) --- 181200:AUE_SETUID:setuid(2):pc 182201:AUE_STIME:old stime(2):ad 183202:AUE_UTIME:old utime(2):fm 184203:AUE_NICE:old nice(2):pc 185204:AUE_OSETPGRP:Solaris old setpgrp(2):pc 186205:AUE_SETGID:setgid(2):pc 187206:AUE_READL:readl(2):no 188207:AUE_READVL:readvl(2):no | 250:AUE_NULL:indir system call:no 261:AUE_EXIT:exit(2):pc 272:AUE_FORK:fork(2):pc 283:AUE_OPEN:open(2) - attr only:fa 294:AUE_CREAT:creat(2):fc 305:AUE_LINK:link(2):fc 316:AUE_UNLINK:unlink(2):fd 327:AUE_EXEC:exec(2):pc,ex --- 162 unchanged lines hidden (view full) --- 195200:AUE_SETUID:setuid(2):pc 196201:AUE_STIME:old stime(2):ad 197202:AUE_UTIME:old utime(2):fm 198203:AUE_NICE:old nice(2):pc 199204:AUE_OSETPGRP:Solaris old setpgrp(2):pc 200205:AUE_SETGID:setgid(2):pc 201206:AUE_READL:readl(2):no 202207:AUE_READVL:readvl(2):no |
| 203208:AUE_FSTAT:fstat(2):fa |
|
| 189209:AUE_DUP2:dup2(2):no 190210:AUE_MMAP:mmap(2):no 191211:AUE_AUDIT:audit(2):ot 192212:AUE_PRIOCNTLSYS:Solaris priocntlsys(2):pc 193213:AUE_MUNMAP:munmap(2):cl 194214:AUE_SETEGID:setegid(2):pc 195215:AUE_SETEUID:seteuid(2):pc 196216:AUE_PUTMSG:putmsg(2):nt --- 333 unchanged lines hidden (view full) --- 53043182:AUE_STAT_EXTENDED:stat_extended(2):fa 53143183:AUE_UMASK_EXTENDED:umask_extended(2):pc 53243184:AUE_OPENAT:openat(2) - attr only:fa 53343185:AUE_POSIX_OPENPT:posix_openpt(2):ip 53443186:AUE_CAP_NEW:cap_new(2):fm 53543187:AUE_CAP_GETRIGHTS:cap_getrights(2):fm 53643188:AUE_CAP_ENTER:cap_enter(2):pc 53743189:AUE_CAP_GETMODE:cap_getmode(2):pc | 204209:AUE_DUP2:dup2(2):no 205210:AUE_MMAP:mmap(2):no 206211:AUE_AUDIT:audit(2):ot 207212:AUE_PRIOCNTLSYS:Solaris priocntlsys(2):pc 208213:AUE_MUNMAP:munmap(2):cl 209214:AUE_SETEGID:setegid(2):pc 210215:AUE_SETEUID:seteuid(2):pc 211216:AUE_PUTMSG:putmsg(2):nt --- 333 unchanged lines hidden (view full) --- 54543182:AUE_STAT_EXTENDED:stat_extended(2):fa 54643183:AUE_UMASK_EXTENDED:umask_extended(2):pc 54743184:AUE_OPENAT:openat(2) - attr only:fa 54843185:AUE_POSIX_OPENPT:posix_openpt(2):ip 54943186:AUE_CAP_NEW:cap_new(2):fm 55043187:AUE_CAP_GETRIGHTS:cap_getrights(2):fm 55143188:AUE_CAP_ENTER:cap_enter(2):pc 55243189:AUE_CAP_GETMODE:cap_getmode(2):pc |
| 55343190:AUE_POSIX_SPAWN:posix_spawn(2):pc 55443191:AUE_FSGETPATH:fsgetpath(2):ot |
|
| 538# | 555# |
| 539# User space system events. | 556# Solaris userspace events. |
| 540# | 557# |
| 5586144:AUE_at_create:at-create atjob:ad 5596145:AUE_at_delete:at-delete atjob (at or atrm):ad 5606146:AUE_at_perm:at-permission:no 5616147:AUE_cron_invoke:cron-invoke:ad 5626148:AUE_crontab_create:crontab-crontab created:ad 5636149:AUE_crontab_delete:crontab-crontab deleted:ad 5646150:AUE_crontab_perm:crontab-permission:no 5656151:AUE_inetd_connect:inetd connection:na |
|
| 5416152:AUE_login:login - local:lo 5426153:AUE_logout:logout - local:lo | 5666152:AUE_login:login - local:lo 5676153:AUE_logout:logout - local:lo |
| 5686154:AUE_telnet:login - telnet:lo 5696155:AUE_rlogin:login - rlogin:lo 5706156:AUE_mountd_mount:mount:na 5716157:AUE_mountd_umount:unmount:na 5726158:AUE_rshd:rsh access:lo |
|
| 5436159:AUE_su:su(1):lo 5446160:AUE_halt:system halt:ad | 5736159:AUE_su:su(1):lo 5746160:AUE_halt:system halt:ad |
| 5756161:AUE_reboot:system reboot:ad 5766162:AUE_rexecd:rexecd:lo 5776163:AUE_passwd:passwd:lo 5786164:AUE_rexd:rexd:lo 5796165:AUE_ftpd:ftp access:lo 5806166:AUE_init:init:lo 5816167:AUE_uadmin:uadmin:no |
|
| 5456168:AUE_shutdown:system shutdown:ad | 5826168:AUE_shutdown:system shutdown:ad |
| 5466171:AUE_audit_startup:audit startup:ad 5476172:AUE_audit_shutdown:audit shutdown:ad | 5836168:AUE_poweroff:system poweroff:ad 5846170:AUE_crontab_mod:crontab-modify:ad 5856171:AUE_ftpd_logout:ftp logout:lo 5866172:AUE_ssh:login - ssh:lo 5876173:AUE_role_login:role login:lo 5886180:AUE_prof_cmd: profile command:ad 5896181:AUE_filesystem_add:add filesystem:ad 5906182:AUE_filesystem_delete:delete filesystem:ad 5916183:AUE_filesystem_modify:modify filesystem:ad 5926200:AUE_allocate_succ:allocate-device success:ot 5936201:AUE_allocate_fail:allocate-device failure:ot 5946202:AUE_deallocate_succ:deallocate-device success:ot 5956203:AUE_deallocate_fail:deallocate-device failure:ot 5966204:AUE_listdevice_succ:allocate-list devices success:ot 5976205:AUE_listdevice_fail:allocate-list devices failure:ot |
| 5486207:AUE_create_user:create user:ad 5496208:AUE_modify_user:modify user:ad 5506209:AUE_delete_user:delete user:ad 5516210:AUE_disable_user:disable user:ad | 5986207:AUE_create_user:create user:ad 5996208:AUE_modify_user:modify user:ad 6006209:AUE_delete_user:delete user:ad 6016210:AUE_disable_user:disable user:ad |
| 5526211:AUE_enable_user::ad 5536300:AUE_sudo:sudo(1):ad 5546501:AUE_modify_password:modify password:ad 5556511:AUE_create_group:create group:ad 5566512:AUE_delete_group:delete group:ad 5576513:AUE_modify_group:modify group:ad 5586514:AUE_add_to_group:add to group:ad 5596515:AUE_remove_from_group:remove from group:ad 5606521:AUE_revoke_obj:revoke object priv:fm 5616600:AUE_lw_login:loginwindow login:lo 5626601:AUE_lw_logout:loginwindow logout:lo 5637000:AUE_auth_user:user authentication:ad 5647001:AUE_ssconn:SecSrvr connection setup:ad 5657002:AUE_ssauthorize:SecSrvr AuthEngine:ad 5667003:AUE_ssauthint:SecSrvr authinternal mech:ad | 6026211:AUE_enable_user:enable users:ad 6036212:AUE_newgrp_login:newgrp login:lo 6046213:AUE_admin_authenticate:admin login:lo 6056214:AUE_kadmind_auth:authenticated kadmind request:ua 6066215:AUE_kadmind_unauth:unauthenticated kadmind req:ua 6076216:AUE_krb5kdc_as_req:kdc authentication svc request:ap 6086217:AUE_krb5kdc_tgs_req:kdc tkt-grant svc request:ap 6096218:AUE_krb5kdc_tgs_req_2ndtktmm:kdc tgs 2ndtkt mismtch:ap 6106219:AUE_krb5kdc_tgs_req_alt_tgt:kdc tgs issue alt tgt:ap 611# 612# Historic Darwin use of low event numbering space, which collided with the 613# Solaris event space. Now obsoleted and new, higher, event numbers assigned 614# to make it easier to interpret Solaris events using the OpenBSM tools. 615# 6166171:AUE_DARWIN_audit_startup:audit startup:ad 6176172:AUE_DARWIN_audit_shutdown:audit shutdown:ad 6186300:AUE_DARWIN_sudo:sudo(1):ad 6196501:AUE_DARWIN_modify_password:modify password:ad 6206511:AUE_DARWIN_create_group:create group:ad 6216512:AUE_DARWIN_delete_group:delete group:ad 6226513:AUE_DARWIN_modify_group:modify group:ad 6236514:AUE_DARWIN_add_to_group:add to group:ad 6246515:AUE_DARWIN_remove_from_group:remove from group:ad 6256521:AUE_DARWIN_revoke_obj:revoke object priv:fm 6266600:AUE_DARWIN_lw_login:loginwindow login:lo 6276601:AUE_DARWIN_lw_logout:loginwindow logout:lo 6287000:AUE_DARWIN_auth_user:user authentication:ad 6297001:AUE_DARWIN_ssconn:SecSrvr connection setup:ad 6307002:AUE_DARWIN_ssauthorize:SecSrvr AuthEngine:ad 6317003:AUE_DARWIN_ssauthint:SecSrvr authinternal mech:ad 632# 633# Historic/third-party application allocations of event identifiers. 634# |
| 56732800:AUE_openssh:OpenSSH login:lo | 63532800:AUE_openssh:OpenSSH login:lo |
| 636# 637# OpenBSM-managed application event space. 638# 63945000:AUE_audit_startup:audit startup:ad 64045001:AUE_audit_shutdown:audit shutdown:ad 64145014:AUE_modify_password:modify password:ad 64245015:AUE_create_group:create group:ad 64345016:AUE_delete_group:delete group:ad 64445017:AUE_modify_group:modify group:ad 64545018:AUE_add_to_group:add to group:ad 64645019:AUE_remove_from_group:remove from group:ad 64745020:AUE_revoke_obj:revoke object priv:fm 64845021:AUE_lw_login:loginwindow login:lo 64945022:AUE_lw_logout:loginwindow logout:lo 65045023:AUE_auth_user:user authentication:ad 65145024:AUE_ssconn:SecSrvr connection setup:ad 65245025:AUE_ssauthorize:SecSrvr AuthEngine:ad 65345026:AUE_ssauthint:SecSrvr authinternal mech:ad 65445027:AUE_calife:Calife:ad 65545028:AUE_sudo:sudo(1):ad 65645029:AUE_audit_recovery:audit crash recovery:ad |
|