
Auditable Events

The following is a complete list of auditable event types:

sat_access_denied


Access to the file or some element of the path was denied due to enforcement of MAC or DAC permissions.

sat_access_failed


Access to a file was denied because the path specified does not exist.

sat_chdir

Current working directory was changed with chdir.

sat_chroot

Current root directory was changed with chroot.

sat_open

A file was opened with write permission.

sat_open_ro

A file was opened read-only.

sat_read_symlink


The contents of a symbolic link were read with readlink. Note that the file the link "points" to is not accessed in any way.

sat_file_crt_del


A file was added to or removed from a directory.

sat_file_crt_del2


This is the same as sat_file_crt_del, but reports that two files (perhaps a link) were removed.

sat_file_write

The data in a file was modified by truncate.

sat_mount

A filesystem was mounted or unmounted.

sat_file_attr_read


The attributes of a file were read by stat.

sat_file_attr_write


The attributes of a file were written by chmod.

sat_exec

A new process has been introduced by exec.

sat_sysacct

System accounting has been turned on or off.

sat_fchdir

The user changed from the current working directory to the directory "pointed" to by the given open descriptor.

sat_fd_read

Information was read from a file descriptor using read.

sat_fd_read2

The same event as sat_fd_read, but with multiple file descriptors.

sat_tty_setlabel


The user set the label of a port via ioctl.

sat_fd_write

The user finalized a change to a file descriptor.

sat_fd_attr_write


The user changed the attributes of the file "pointed" to by the given file descriptor using fchmod.

sat_pipe

The user created an unnamed pipe.

sat_dup

The user duplicated a file descriptor.

sat_close

The user closed a file descriptor.

sat_proc_read

The user read from a process's address space using ptrace.

sat_proc_write


The user finalized a change to a process's address space using ptrace.

sat_proc_attr_read


The user read a process's attributes.

sat_proc_attr_write


The user finalized a change to a process's attributes.

sat_fork

The user duplicated the current process (thereby creating a new process).

sat_exit

The user ended the current process.

sat_proc_own_attr_write


Process attributes were changed.

sat_clock_set

The system clock was set.

sat_hostname_set


The hostname was set.

sat_domainname_set


The domain name was set.

sat_hostid_set

The host ID was set.

sat_check_priv


An action requiring superuser privilege was performed.

sat_control

The sat_select command was used.

sat_svipc_access


The user accessed a System V IPC data structure.

sat_svipc_create


The user created a System V IPC data structure.

sat_svipc_remove


The user removed a System V IPC data structure.

sat_svipc_change


The user set some attribute of a System V IPC data structure.

sat_bsdipc_create


The user created a socket.

sat_bsdipc_create_pair


The user created a socket pair.

sat_bsdipc_shutdown


The user shut down a socket.

sat_bsdipc_mac_change


The user changed the MAC label on a socket.

sat_bsdipc_address


A network address was used explicitly via the accept, bind, or connect system calls.

sat_bsdipc_resvport


A reserved port was successfully bound.

sat_bsdipc_deliver


A packet was delivered to a socket.

sat_bsdipc_cantfind


A packet was not delivered because the socket could not be found.

sat_bsdipc_snoop_ok


A packet was delivered to a raw (snoop) socket.

sat_bsdipc_snoop_fail


A packet was not delivered to a raw socket because it was prevented by MAC policy.

sat_bsdipc_rx_ok


A packet was received on an interface.

sat_bsdipc_rx_range


A packet was not received, due to a MAC violation outside the allowed label range on that interface.

sat_bsdipc_rx_missing


A packet was received on an interface with a missing or damaged MAC label.

sat_bsdipc_tx_ok


A packet was sent on the interface.

sat_bsdipc_tx_range


A packet was not sent, due to a MAC violation.

sat_bsdipc_tx_toobig


A packet was not sent, because the MAC label was too large for the IP header to contain.

sat_bsdipc_if_config


An interface structure's attributes were changed.

sat_bsdipc_if_invalid


An attempt to change MAC labels was disallowed for lack of MAC privilege.

sat_bsdipc_if_setlabel


The MAC labels on an interface structure were changed.

All sat_ae events are used for application auditing, which means that a privileged program generated the record, rather than the kernel.

sat_ae_identity


A login- or logout-related event occurred.

sat_ae_dbedit

A file was modified using the dbedit utility. (This utility is available only with the Trusted IRIX/B optional product.)

sat_ae_mount

An NFS filesystem was mounted.

sat_ae_custom


An application-defined event occurred. Application developers can engineer their applications to generate this event.
