104 lines
3.6 KiB
Plaintext
104 lines
3.6 KiB
Plaintext
A brief list of audit events and their meanings:
|
|
|
|
|
|
Path name events
|
|
|
|
ACCESS DENIED file access denied
|
|
ACCESS FAILED file access failed (e.g. no file)
|
|
CHDIR change working directory
|
|
CHROOT change root directory
|
|
OPEN file open
|
|
OPEN RO file open, read only
|
|
READ SYMLINK read symbolic link
|
|
FILE CRT DEL file creation/deletion
|
|
FILE CRT DEL as above with two pathnames
|
|
FILE WRITE file data write
|
|
MOUNT mount/unmount
|
|
FILE ATTR READ file attribute read
|
|
FILE ATTR WRITE file attribute write
|
|
EXEC exec
|
|
SYSACCT system accounting
|
|
|
|
|
|
File descriptor events
|
|
|
|
FCHDIR change working directory via file descr
|
|
FD READ read file data or attrs via file descr
|
|
FD READ2 as above with a set of file descriptors
|
|
TTY SETLABEL tty reclassify (ioctl)
|
|
FD WRITE write file data via file descriptor
|
|
FD ATTR WRITE write file attributes via file descr
|
|
PIPE create a pipe
|
|
DUP duplicate a descriptor
|
|
CLOSE close a descriptor
|
|
|
|
|
|
Process events
|
|
|
|
FORK create a new process
|
|
EXIT destroy a process (this process)
|
|
PROC READ read a process's address space
|
|
PROC WRITE write a process's address space
|
|
PROC ATTR READ read a process's attributes
|
|
PROC ATTR WRITE change a process's attributes
|
|
PROC OWN ATTR WRITE change this process's attributes
|
|
|
|
|
|
System V IPC events
|
|
|
|
SVIPC ACCESS System V IPC access
|
|
SVIPC CREATE System V IPC create
|
|
SVIPC REMOVE System V IPC remove
|
|
SVIPC CHANGE System V IPC change
|
|
|
|
|
|
BSD IPC events from the socket layer
|
|
|
|
BSDIPC CREATE socket, accept
|
|
BSDIPC CREATE PAIR socketpair
|
|
BSDIPC SHUTDOWN shutdown
|
|
BSDIPC MAC CHANGE setsockopt
|
|
BSDIPC ADDRESS bind, connect, accept syscalls
|
|
BSDIPC RESVPORT bind to reserved port
|
|
BSDIPC DELIVER receive packet delivered to socket
|
|
BSDIPC CANTFIND receive packet no match on port/label
|
|
BSDIPC SNOOP OK raw socket delivery permitted
|
|
BSDIPC SNOOP FAIL raw socket delivery denied
|
|
|
|
|
|
Public object events
|
|
|
|
CLOCK SET set the system clock
|
|
HOSTNAME SET set the host name
|
|
DOMAINNAME SET set the domain name
|
|
HOSTID SET set the host ID
|
|
|
|
|
|
Control and privilege events
|
|
|
|
CHECK PRIV make-or-break privilege checks
|
|
CONTROL controlling the audit subsystem itself
|
|
|
|
|
|
BSD IPC events from the internet protocol layer
|
|
|
|
BSDIPC RX OK receive packet label in range
|
|
BSDIPC RX RANGE receive packet label out of range
|
|
BSDIPC RX MISSING receive packet label missing/malformed
|
|
BSDIPC TX OK transmit packet label in range
|
|
BSDIPC TX RANGE transmit packet label out of range
|
|
BSDIPC TX TOOBIG transmit packet label doesn't fit
|
|
BSDIPC IF CONFIG configure interface address
|
|
BSDIPC IF INVALID ioctl SIOCSIFLABEL disallowed
|
|
BSDIPC IF SETLABEL ioctl SIOCSIFLABEL succeeded
|
|
|
|
|
|
user-level administrative events generated with satwrite(2)
|
|
|
|
AE AUDIT audit subsys reporting on itself
|
|
AE IDENTITY identification & authentication
|
|
AE DBEDIT admin database editor
|
|
AE MOUNT mount / unmount
|
|
AE CUSTOM customer defined
|
|
|