Summary of auditable events and classes

Table of auditable events

In the following table each entry consists of:

the event
a brief description of the event
the system call or user level command that triggers the event

NOTE: An event is applicable only if the system software configuration supports the stated system call or command. Some events may not be applicable because they are supported in earlier releases, but not the current release. However, non-applicable events are reserved to allow release compatibility.

The fixed events are listed first, followed by the selectable events.

Fixed events

Event Description System call/command

add_grp add a group groupadd(1M)

add_usr add a user useradd(1M)

add_usr_grp add group members useradd(1M), usermod(1M)

audit_buf set audit buffer attributes auditbuf(2)

audit_ctl enable/disable auditing auditoff(1M), auditon(1M), auditctl(2)

audit_dmp record auditdmp failures auditdmp(2)

audit_evt set auditable events auditset(1M), auditevt(2)

audit_log set log file attributes auditlog(1M), auditlog(2)

audit_map create audit map files auditmap(1M)

date change the date adjtime(2), stime(2)

init change init states init(1M)

mod_grp modify group information groupmod(1M)

mod_usr modify user information usermod(1M)

Event	Description	System call/command
add_grp	add a group	groupadd(1M)
add_usr	add a user	useradd(1M)
add_usr_grp	add group members	useradd(1M), usermod(1M)
audit_buf	set audit buffer attributes	auditbuf(2)
audit_ctl	enable/disable auditing	auditoff(1M), auditon(1M), auditctl(2)
audit_dmp	record auditdmp failures	auditdmp(2)
audit_evt	set auditable events	auditset(1M), auditevt(2)
audit_log	set log file attributes	auditlog(1M), auditlog(2)
audit_map	create audit map files	auditmap(1M)
date	change the date	adjtime(2), stime(2)
init	change init states	init(1M)
mod_grp	modify group information	groupmod(1M)
mod_usr	modify user information	usermod(1M)

Selectable events

Event Description System call/command

all All selectable events

none No selectable events

access determine accessibility of a file access(2)

acct_off disable accounting acct(2)

acct_on enable accounting acct(2)

acct_sw switch accounting files acct(2)

bad_auth bad login name or password login(1)

bad_lvl bad login level login(1)

cancel_job cancellation of lp job cancel(1), lpsched(1M)

chg_dir change working directory chdir(2), fchdir(2)

chg_nm change name of a file rename(2)

chg_root change root directory chroot(2)

chg_times change file access times utime(2)

cov_chan_1 record use of covert channel NA

cov_chan_2 record use of covert channel NA

cov_chan_3 unused but reserved

cov_chan_4 unused but reserved

cov_chan_5 unused but reserved

cov_chan_6 unused but reserved

cov_chan_7 unused but reserved

cov_chan_8 unused but reserved

create create a new filesystem object creat(2)

cron cron job cron(1M)

dac_mode change mode of an object chmod(2), fchmod(2)

dac_own_grp change owner or group of object chown(2), fchown(2), lchown(2), chgrp(1)

def_lvl change a user's default level login(1)

exec execute an object exec(2)

exit terminate a process exit(2)

fcntl file control fcntl(2)

fd_acl change the access control lists via file descriptor facl(2)

file_acl change the access control lists acl(2)

file_priv change privileges of a file filepriv(2)

fork create a new process fork(2), vfork(2)

Event	Description	System call/command
all	All selectable events
none	No selectable events
access	determine accessibility of a file	access(2)
acct_off	disable accounting	acct(2)
acct_on	enable accounting	acct(2)
acct_sw	switch accounting files	acct(2)
bad_auth	bad login name or password	login(1)
bad_lvl	bad login level	login(1)
cancel_job	cancellation of lp job	cancel(1), lpsched(1M)
chg_dir	change working directory	chdir(2), fchdir(2)
chg_nm	change name of a file	rename(2)
chg_root	change root directory	chroot(2)
chg_times	change file access times	utime(2)
cov_chan_1	record use of covert channel	NA
cov_chan_2	record use of covert channel	NA
cov_chan_3	unused but reserved
cov_chan_4	unused but reserved
cov_chan_5	unused but reserved
cov_chan_6	unused but reserved
cov_chan_7	unused but reserved
cov_chan_8	unused but reserved
create	create a new filesystem object	creat(2)
cron	cron job	cron(1M)
dac_mode	change mode of an object	chmod(2), fchmod(2)
dac_own_grp	change owner or group of object	chown(2), fchown(2), lchown(2), chgrp(1)
def_lvl	change a user's default level	login(1)
exec	execute an object	exec(2)
exit	terminate a process	exit(2)
fcntl	file control	fcntl(2)
fd_acl	change the access control lists via file descriptor	facl(2)
file_acl	change the access control lists	acl(2)
file_priv	change privileges of a file	filepriv(2)
fork	create a new process	fork(2), vfork(2)

iocntl I/O control ioctl(2)

ipc_acl change IPC access control lists aclipc(2)

keyctl enable special features keyctl(2)

kill post a signal kill(2), sigsendset(2)

link create a link to an object link(2)

login use of a login schema login(1)

logoff terminate a login session exit(2)

lp_admin administrative use of LP lpadmin(1M)

lp_misc miscellaneous use of LP lpsched(1M)

lwp_bind bind LWP to processor processor_bind(2), processor_exbind(2)

lwp_create create lightweight process fork(2)

lwp_unbind unbind LWP from processor processor_bind(2)

misc miscellaneous application records auditdmp(2)

mk_dir make a directory mkdir(2)

mk_node make a special file mknod(2)

mount mount a device or filesystem mount(2)

modpath modify module search path modpath(2)

modadm register a module modadmin(1M)

modload load a module modload(2)

moduload unload a module moduload(2)

msg_ctl message control operations msgctl(2)

msg_get get message queue msgget(2)

msg_op message operations msgop(2)

open_rd open an object for reading open(2)

open_wr open an object for writing open(2)

p_online bring processor on/offline p_online(2)

page_lvl printer does not support per-page label lp(1)

passwd change password passwd(1)

pipe create a pipe pipe(2)

pm_denied failed attempt to use privileges NA

prt_job start/end of printer job lp(1)

prt_lvl override output label lp(1)

recvfd receive file descriptor NA

rm_dir remove a directory rmdir(2)

sched_lk lock a process into memory plock(2), memcntl(2)

sched_rt real time scheduler operations priocntl(2)

sched_ts time sharing scheduler operations priocntl(2)

sem_ctl semaphore control operations semctl(2)

sem_get get the set of semaphores semget(2)

sem_op semaphore operations semop(2)

set_gid change group ID setgid(2)

set_grps set multiple groups setgroups(2)

set_pgrps set process groups setpgrp(2)

set_sid set session ID setsid(2)

set_uid change user ID setuid(2)

setrlimit set resource limits setrlimit(2)

shm_ctl shared memory control operations shmctl(2)

shm_get get shared memory identifier shmget(2)

shm_op shared memory operations shmop(2)

status get file status stat(2), fstat(2)

sym_create create a symbolic link symlink(2)

sym_status get status of symbolic link lstat(2)

tfadmin administrative commands tfadmin(1M)

trunc_lvl truncate a printed level lp(1)

ulimit resource limits ulimit(2)

umount unmount a device or filesystem umount(2)

unlink unlink an object unlink(2)

iocntl	I/O control	ioctl(2)
ipc_acl	change IPC access control lists	aclipc(2)
keyctl	enable special features	keyctl(2)
kill	post a signal	kill(2), sigsendset(2)
link	create a link to an object	link(2)
login	use of a login schema	login(1)
logoff	terminate a login session	exit(2)
lp_admin	administrative use of LP	lpadmin(1M)
lp_misc	miscellaneous use of LP	lpsched(1M)
lwp_bind	bind LWP to processor	processor_bind(2), processor_exbind(2)
lwp_create	create lightweight process	fork(2)
lwp_unbind	unbind LWP from processor	processor_bind(2)
misc	miscellaneous application records	auditdmp(2)
mk_dir	make a directory	mkdir(2)
mk_node	make a special file	mknod(2)
mount	mount a device or filesystem	mount(2)
modpath	modify module search path	modpath(2)
modadm	register a module	modadmin(1M)
modload	load a module	modload(2)
moduload	unload a module	moduload(2)
msg_ctl	message control operations	msgctl(2)
msg_get	get message queue	msgget(2)
msg_op	message operations	msgop(2)
open_rd	open an object for reading	open(2)
open_wr	open an object for writing	open(2)
p_online	bring processor on/offline	p_online(2)
page_lvl	printer does not support per-page label	lp(1)
passwd	change password	passwd(1)

pipe	create a pipe	pipe(2)
pm_denied	failed attempt to use privileges	NA
prt_job	start/end of printer job	lp(1)
prt_lvl	override output label	lp(1)
recvfd	receive file descriptor	NA
rm_dir	remove a directory	rmdir(2)
sched_lk	lock a process into memory	plock(2), memcntl(2)
sched_rt	real time scheduler operations	priocntl(2)
sched_ts	time sharing scheduler operations	priocntl(2)
sem_ctl	semaphore control operations	semctl(2)
sem_get	get the set of semaphores	semget(2)
sem_op	semaphore operations	semop(2)
set_gid	change group ID	setgid(2)
set_grps	set multiple groups	setgroups(2)
set_pgrps	set process groups	setpgrp(2)
set_sid	set session ID	setsid(2)
set_uid	change user ID	setuid(2)
setrlimit	set resource limits	setrlimit(2)
shm_ctl	shared memory control operations	shmctl(2)
shm_get	get shared memory identifier	shmget(2)
shm_op	shared memory operations	shmop(2)
status	get file status	stat(2), fstat(2)
sym_create	create a symbolic link	symlink(2)
sym_status	get status of symbolic link	lstat(2)
tfadmin	administrative commands	tfadmin(1M)
trunc_lvl	truncate a printed level	lp(1)
ulimit	resource limits	ulimit(2)
umount	unmount a device or filesystem	umount(2)
unlink	unlink an object	unlink(2)