In the following table each entry consists of:
The fixed events are listed first, followed by the selectable events.
Fixed events
| Event | Description | System call/command |
|---|---|---|
| add_grp | add a group | groupadd(ADM) |
| add_usr | add a user | useradd(ADM) |
| add_usr_grp | add group members | useradd(ADM), usermod(ADM) |
| audit_buf | set audit buffer attributes | auditbuf(S) |
| audit_ctl | enable/disable auditing | auditoff(ADM), auditon(ADM), auditctl(S) |
| audit_dmp | record auditdmp failures | auditdmp(S) |
| audit_evt | set auditable events | auditset(ADM), auditevt(S) |
| audit_log | set log file attributes | auditlog(ADM), auditlog(S) |
| audit_map | create audit map files | auditmap(ADM) |
| date | change the date | adjtime(2), stime(S) |
| init | change init states | init(ADM) |
| mod_grp | modify group information | groupmod(ADM) |
| mod_usr | modify user information | usermod(ADM) |
| dev_audit | write audit records to legacy audit device | dlvr_audit(ADM) |
Selectable events
| Event | Description | System call/command |
|---|---|---|
| all | All selectable events | |
| none | No selectable events | |
| access | determine accessibility of a file | access(S) |
| acct_off | disable accounting | acct(S) |
| acct_on | enable accounting | acct(S) |
| acct_sw | switch accounting files | acct(S) |
| bad_auth | bad login name or password | login(1) |
| bad_lvl | bad login level | login(1) |
| cancel_job | cancellation of lp job | cancel(1), lpsched(ADM) |
| chg_dir | change working directory | chdir(2), fchdir(2) |
| chg_nm | change name of a file | rename(S) |
| chg_root | change root directory | chroot(S) |
| chg_times | change file access times | utime(S) |
| cov_chan_1 | record use of covert channel | NA |
| cov_chan_2 | record use of covert channel | NA |
| cov_chan_3 | unused but reserved | |
| cov_chan_4 | unused but reserved | |
| cov_chan_5 | unused but reserved | |
| cov_chan_6 | unused but reserved | |
| cov_chan_7 | unused but reserved | |
| cov_chan_8 | unused but reserved | |
| create | create a new filesystem object | creat(S) |
| cron | cron job | cron(ADM) |
| dac_mode | change mode of an object | chmod(2), fchmod(2) |
| dac_own_grp | change owner or group of object | chown(2), fchown(2), lchown(2), chgrp(1) |
| def_lvl | change a user's default level | login(1) |
| exec | execute an object | exec(S) |
| exit | terminate a process | exit(S) |
| fcntl | file control | fcntl(S) |
| fd_acl | change the access control lists via file descriptor | facl(S) |
| file_acl | change the access control lists | acl(S) |
| file_priv | change privileges of a file | filepriv(S) |
| fork | create a new process | fork(2), vfork(S) |
| iocntl | I/O control | ioctl(S) |
| ipc_acl | change IPC access control lists | aclipc(S) |
| keyctl | enable special features | keyctl(S) |
| kill | post a signal | kill(2), sigsendset(2) |
| link | create a link to an object | link(S) |
| login | use of a login schema | login(1) |
| logoff | terminate a login session | exit(S) |
| lp_admin | administrative use of LP | lpadmin(ADM) |
| lp_misc | miscellaneous use of LP | lpsched(ADM) |
| lwp_bind | bind LWP to processor | processor_bind(2), processor_exbind(S) |
| lwp_create | create lightweight process | fork(S) |
| lwp_unbind | unbind LWP from processor | processor_bind(S) |
| misc | miscellaneous application records | auditdmp(S) |
| mk_dir | make a directory | mkdir(S) |
| mk_node | make a special file | mknod(S) |
| mount | mount a device or filesystem | mount(S) |
| modpath | modify module search path | modpath(S) |
| modadm | register a module | modadmin(ADM) |
| modload | load a module | modload(S) |
| moduload | unload a module | moduload(S) |
| msg_ctl | message control operations | msgctl(S) |
| msg_get | get message queue | msgget(S) |
| msg_op | message operations | msgop(S) |
| open_rd | open an object for reading | open(S) |
| open_wr | open an object for writing | open(S) |
| p_online | bring processor on/offline | p_online(S) |
| page_lvl | printer does not support per-page label | lp(1) |
| passwd | change password | passwd(1) |
| pipe | create a pipe | pipe(S) |
| pm_denied | failed attempt to use privileges | NA |
| prt_job | start/end of printer job | lp(1) |
| prt_lvl | override output label | lp(1) |
| recvfd | receive file descriptor | NA |
| rm_dir | remove a directory | rmdir(S) |
| sched_lk | lock a process into memory | plock(2), memcntl(S) |
| sched_rt | real time scheduler operations | priocntl(S) |
| sched_ts | time sharing scheduler operations | priocntl(S) |
| sem_ctl | semaphore control operations | semctl(S) |
| sem_get | get the set of semaphores | semget(S) |
| sem_op | semaphore operations | semop(S) |
| set_gid | change group ID | setgid(2) |
| set_grps | set multiple groups | setgroups(2) |
| set_pgrps | set process groups | setpgrp(S) |
| set_sid | set session ID | setsid(S) |
| set_uid | change user ID | setuid(S) |
| setrlimit | set resource limits | setrlimit(S) |
| shm_ctl | shared memory control operations | shmctl(S) |
| shm_get | get shared memory identifier | shmget(S) |
| shm_op | shared memory operations | shmop(S) |
| status | get file status | stat(2), fstat(S) |
| sym_create | create a symbolic link | symlink(S) |
| sym_status | get status of symbolic link | lstat(S) |
| tfadmin | administrative commands | tfadmin(ADM) |
| trunc_lvl | truncate a printed level | lp(1) |
| ulimit | resource limits | ulimit(S) |
| umount | unmount a device or filesystem | umount(S) |
| unlink | unlink an object | unlink(S) |
| chg_priv | legacy system call | chpriv(S-osr5) |
| set_luid | legacy system call | setluid(S-osr5) |
| stop_io | legacy system call | stopio(S-osr5) |