<?xml version="1.0" encoding="UTF-8" ?>
<!--
Copyright 2010 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
The contents of this file are subject to the terms of the
Common Development and Distribution License (the "License").
You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions
and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each
file and include the License file at usr/src/OPENSOLARIS.LICENSE.
If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
-->
<!--Entity Definitions-->
<!--
  Timestamp attribute sets (parameter entities).

  timeattr: two optional attributes, "time" (date and time to the second
            in the strftime(3C) default format) and "msec" (millisecond
            offset).
            Example: time="Mon May 06 12:10:18 2002" msec="750"
            No ATTLIST in this file as shown references this entity.

  iso8601:  one optional attribute holding an ISO 8601 style date, time
            and timezone: YYYY-MM-DD HH:MM:SS.sss +/-HH:MM (year, month,
            day, 24 hour time with milliseconds, then the + or - offset
            from Universal Time, i.e. UTC / GMT).
            Example: iso8601="2003-09-17 16:47:41.831 -07:00"

  Every attribute here is CDATA and #IMPLIED, so validation neither
  requires a timestamp nor checks its syntax; a consumer that depends on
  event times has to enforce both itself.
-->
<!ENTITY % timeattr
    "time CDATA #IMPLIED
     msec CDATA #IMPLIED">
<!ENTITY % iso8601
    "iso8601 CDATA #IMPLIED">
<!--
  xinfo: generic attributes for the X related tokens. Both the resource
  id (xid) and the creator uid (xcreator-uid) are required, but as CDATA
  their values are not checked by validation.
-->
<!ENTITY % xinfo
    "xid          CDATA #REQUIRED
     xcreator-uid CDATA #REQUIRED">
<!--
  reserved_toks: the set of "reserved" tokens, i.e. the ones whose
  placement is fixed.
  NOTE(review): no declaration in this file as shown references this
  entity; the record content model spells out sequence and host itself.
-->
<!ENTITY % reserved_toks
    "( file | record | host | sequence )">
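<!--
  normaltoks: every token other than the "reserved" ones. The record
  content model accepts any number of these, in any order.

  secflags is listed here because this file declares a secflags element;
  without the entry no content model would reach that element, so any
  record carrying it would fail validation.
  NOTE(review): confirm against the praudit XML emitter that secflags is
  written as a direct child of record.
-->
<!ENTITY % normaltoks "(
    acl |
    arbitrary |
    argument |
    attribute |
    cmd |
    exit |
    exec_args |
    exec_env |
    fmri |
    group |
    ip |
    ip_address |
    IPC |
    IPC_perm |
    ip_port |
    liaison |
    opaque |
    path |
    path_attr |
    privilege |
    process |
    return |
    secflags |
    sensitivity_label |
    old_socket |
    socket |
    subject |
    text |
    user |
    use_of_authorization |
    use_of_privilege |
    X_atom |
    X_client |
    X_color_map |
    X_cursor |
    X_font |
    X_graphic_context |
    X_pixmap |
    X_property |
    X_selection |
    X_window |
    zone
)
">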
<!--Element Definitions-->
<!--
  Root element. "audit" is a sequence of file and record tokens, any
  number of each and in any order; an empty audit element also satisfies
  this content model.
-->
<!ELEMENT audit ( file | record )*>

<!-- file token: character data with an optional iso8601 timestamp. -->
<!ELEMENT file (#PCDATA)>
<!ATTLIST file
    %iso8601;
>
<!--
  record token.

  After the record token itself, audit records have this general layout:
      (tokens),subject,group,(tokens),return,sequence,host
  All tokens after the record token are optional, and the host token is
  unused.

  The content model below enforces only part of that layout: any mix of
  normaltoks, then at most one sequence, then at most one host. Since
  subject, return and sequence are all optional, a record that validates
  is not thereby shown to be complete; checks such as "every record has
  a subject" or "sequence numbers have no gaps" belong in the consumer.

  Attributes: version and event are required; modifier, host and the
  iso8601 timestamp are optional. All are CDATA, so their values are not
  checked by validation.
-->
<!ELEMENT record (
    (%normaltoks;)*,
    sequence?,
    host?
)>
<!ATTLIST record
    version  CDATA #REQUIRED
    event    CDATA #REQUIRED
    modifier CDATA #IMPLIED
    host     CDATA #IMPLIED
    %iso8601;
>
<!--
  Simple text and identity tokens.
  text, path, xattr and host hold free character data.
  NOTE(review): path and xattr presumably carry names chosen by the
  audited process; treat them as untrusted when displaying or parsing
  them, and confirm against the emitter.
-->

<!-- text token: free character data. -->
<!ELEMENT text (#PCDATA)>

<!-- user token: empty element; uid and username are both required. -->
<!ELEMENT user EMPTY>
<!ATTLIST user
    uid      CDATA #REQUIRED
    username CDATA #REQUIRED
>

<!-- path token: character data. -->
<!ELEMENT path (#PCDATA)>

<!-- path_attr token: zero or more xattr children, each character data. -->
<!ELEMENT path_attr (xattr*)>
<!ELEMENT xattr (#PCDATA)>

<!-- host token: character data. -->
<!ELEMENT host (#PCDATA)>
<!--
  subject and process tokens share one attribute list: audit-uid, uid,
  gid, ruid, rgid, pid, sid and tid, all required. Both elements are
  EMPTY, so tid is carried here as a CDATA attribute, not as a child
  element. Because every attribute is CDATA, validation confirms that
  the ids are present but not that they are well formed.
-->

<!-- subject token -->
<!ELEMENT subject EMPTY>
<!ATTLIST subject
    audit-uid CDATA #REQUIRED
    uid       CDATA #REQUIRED
    gid       CDATA #REQUIRED
    ruid      CDATA #REQUIRED
    rgid      CDATA #REQUIRED
    pid       CDATA #REQUIRED
    sid       CDATA #REQUIRED
    tid       CDATA #REQUIRED
>

<!-- process token -->
<!ELEMENT process EMPTY>
<!ATTLIST process
    audit-uid CDATA #REQUIRED
    uid       CDATA #REQUIRED
    gid       CDATA #REQUIRED
    ruid      CDATA #REQUIRED
    rgid      CDATA #REQUIRED
    pid       CDATA #REQUIRED
    sid       CDATA #REQUIRED
    tid       CDATA #REQUIRED
>
<!--
  Outcome and ordering tokens. return and exit have the same shape: an
  empty element with required errval and retval attributes. sequence is
  an empty element with a required seq-num.
-->

<!-- return token -->
<!ELEMENT return EMPTY>
<!ATTLIST return
    errval CDATA #REQUIRED
    retval CDATA #REQUIRED
>

<!-- exit token -->
<!ELEMENT exit EMPTY>
<!ATTLIST exit
    errval CDATA #REQUIRED
    retval CDATA #REQUIRED
>

<!-- sequence token -->
<!ELEMENT sequence EMPTY>
<!ATTLIST sequence
    seq-num CDATA #REQUIRED
>
<!-- fmri token: character data. -->
<!ELEMENT fmri (#PCDATA)>

<!-- group token: zero or more gid children, each character data. -->
<!ELEMENT group (gid)*>
<!ELEMENT gid (#PCDATA)>

<!-- opaque token: character data. -->
<!ELEMENT opaque (#PCDATA)>

<!--
  liaison token.
  NOTE: liaison is obsolete and is no longer generated; the declaration
  remains so that the name listed in normaltoks stays declared.
-->
<!ELEMENT liaison (#PCDATA)>
<!--
  Argument, file attribute and command line tokens.
  NOTE(review): argv, arge, arg and env presumably reproduce the command
  line and environment of the audited process, which that process
  controls; consumers should treat them as untrusted text. Confirm
  against the emitter.
-->

<!-- argument token: empty; arg-num, value and desc are required. -->
<!ELEMENT argument EMPTY>
<!ATTLIST argument
    arg-num CDATA #REQUIRED
    value   CDATA #REQUIRED
    desc    CDATA #REQUIRED
>

<!-- attribute token: empty; all six attributes are required. -->
<!ELEMENT attribute EMPTY>
<!ATTLIST attribute
    mode   CDATA #REQUIRED
    uid    CDATA #REQUIRED
    gid    CDATA #REQUIRED
    fsid   CDATA #REQUIRED
    nodeid CDATA #REQUIRED
    device CDATA #REQUIRED
>

<!-- cmd token: all argv children first, then all arge children. -->
<!ELEMENT cmd (argv*, arge*)>
<!ELEMENT argv (#PCDATA)>
<!ELEMENT arge (#PCDATA)>

<!-- exec_args token: zero or more arg children. -->
<!ELEMENT exec_args (arg*)>
<!ELEMENT arg (#PCDATA)>

<!-- exec_env token: zero or more env children. -->
<!ELEMENT exec_env (env*)>
<!ELEMENT env (#PCDATA)>

<!--
  arbitrary token: character data qualified by three required
  attributes (print, type, count).
-->
<!ELEMENT arbitrary (#PCDATA)>
<!ATTLIST arbitrary
    print CDATA #REQUIRED
    type  CDATA #REQUIRED
    count CDATA #REQUIRED
>
<!--
  Privilege, security flag, label and authorization tokens. Each one is
  character data; privilege and secflags add a required set-type
  attribute and use_of_privilege a required result attribute.
-->

<!-- privilege token -->
<!ELEMENT privilege (#PCDATA)>
<!ATTLIST privilege
    set-type CDATA #REQUIRED
>

<!-- secflags token -->
<!ELEMENT secflags (#PCDATA)>
<!ATTLIST secflags
    set-type CDATA #REQUIRED
>

<!-- use_of_privilege token -->
<!ELEMENT use_of_privilege (#PCDATA)>
<!ATTLIST use_of_privilege
    result CDATA #REQUIRED
>

<!-- sensitivity_label token -->
<!ELEMENT sensitivity_label (#PCDATA)>

<!-- use_of_authorization token -->
<!ELEMENT use_of_authorization (#PCDATA)>
<!-- IPC token: empty; ipc-type and ipc-id are required. -->
<!ELEMENT IPC EMPTY>
<!ATTLIST IPC
    ipc-type CDATA #REQUIRED
    ipc-id   CDATA #REQUIRED
>

<!--
  IPC_perm token: empty; owner and creator ids, mode, seq and key are
  all required.
-->
<!ELEMENT IPC_perm EMPTY>
<!ATTLIST IPC_perm
    uid         CDATA #REQUIRED
    gid         CDATA #REQUIRED
    creator-uid CDATA #REQUIRED
    creator-gid CDATA #REQUIRED
    mode        CDATA #REQUIRED
    seq         CDATA #REQUIRED
    key         CDATA #REQUIRED
>
<!--
  Network tokens. Addresses and ports are CDATA or character data
  throughout, so validation does not check that they are well formed.
-->

<!-- ip_address token: character data. -->
<!ELEMENT ip_address (#PCDATA)>

<!--
  ip_port token.
  NOTE: ip_port is obsolete and is no longer generated.
-->
<!ELEMENT ip_port (#PCDATA)>

<!--
  ip token.
  NOTE: ip is obsolete and is no longer generated.
-->
<!ELEMENT ip EMPTY>
<!ATTLIST ip
    version      CDATA #REQUIRED
    service_type CDATA #REQUIRED
    len          CDATA #REQUIRED
    id           CDATA #REQUIRED
    offset       CDATA #REQUIRED
    time_to_live CDATA #REQUIRED
    protocol     CDATA #REQUIRED
    cksum        CDATA #REQUIRED
    src_addr     CDATA #REQUIRED
    dest_addr    CDATA #REQUIRED
>

<!-- old_socket token: empty; type, port and addr are required. -->
<!ELEMENT old_socket EMPTY>
<!ATTLIST old_socket
    type CDATA #REQUIRED
    port CDATA #REQUIRED
    addr CDATA #REQUIRED
>

<!--
  socket token: empty; domain, type and both the l* and f* port/address
  pairs are required.
-->
<!ELEMENT socket EMPTY>
<!ATTLIST socket
    sock_domain CDATA #REQUIRED
    sock_type   CDATA #REQUIRED
    lport       CDATA #REQUIRED
    laddr       CDATA #REQUIRED
    fport       CDATA #REQUIRED
    faddr       CDATA #REQUIRED
>
<!--
  acl token: empty, and every attribute is optional, so an acl element
  with no attributes at all still validates.
-->
<!ELEMENT acl EMPTY>
<!ATTLIST acl
    type        CDATA #IMPLIED
    value       CDATA #IMPLIED
    mode        CDATA #IMPLIED
    flags       CDATA #IMPLIED
    id          CDATA #IMPLIED
    access_mask CDATA #IMPLIED
>

<!--
  tid token.
  Future intent: contain one of ipadr | MTUadr | device. For now the
  content is zero or more ipadr children, plus a required type attribute.
  NOTE(review): no content model in this file as shown references the
  tid element; subject and process carry tid as an attribute instead.
-->
<!ELEMENT tid (ipadr*)>
<!ATTLIST tid
    type CDATA #REQUIRED
>

<!-- ipadr: content of the tid token; empty, all attributes required. -->
<!ELEMENT ipadr EMPTY>
<!ATTLIST ipadr
    local-port  CDATA #REQUIRED
    remote-port CDATA #REQUIRED
    host        CDATA #REQUIRED
>
<!--
  X tokens. X_atom and X_client are plain character data. The resource
  tokens (color map, cursor, font, graphic context, pixmap, window) are
  empty elements carrying the xinfo attributes. X_property has both:
  character data and the xinfo attributes.
-->

<!-- X_atom token -->
<!ELEMENT X_atom (#PCDATA)>

<!-- X_color_map token -->
<!ELEMENT X_color_map EMPTY>
<!ATTLIST X_color_map
    %xinfo;
>

<!-- X_cursor token -->
<!ELEMENT X_cursor EMPTY>
<!ATTLIST X_cursor
    %xinfo;
>

<!-- X_font token -->
<!ELEMENT X_font EMPTY>
<!ATTLIST X_font
    %xinfo;
>

<!-- X_graphic_context token -->
<!ELEMENT X_graphic_context EMPTY>
<!ATTLIST X_graphic_context
    %xinfo;
>

<!-- X_pixmap token -->
<!ELEMENT X_pixmap EMPTY>
<!ATTLIST X_pixmap
    %xinfo;
>

<!-- X_window token -->
<!ELEMENT X_window EMPTY>
<!ATTLIST X_window
    %xinfo;
>

<!-- X_property token -->
<!ELEMENT X_property (#PCDATA)>
<!ATTLIST X_property
    %xinfo;
>

<!-- X_client token -->
<!ELEMENT X_client (#PCDATA)>
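<!--
  X_selection token: exactly one x_sel_text, one x_sel_type and one
  x_sel_data child, in that order, each holding character data.

  The content model uses the same names as the three element
  declarations below. It previously named xsel_text, xsel_type and
  xsel_data, which this file never declares, so no X_selection element
  with children could validate.
  NOTE(review): the x_sel_* spelling follows the declarations in this
  file; confirm it matches the tags the praudit XML emitter writes.
-->
<!ELEMENT X_selection (x_sel_text, x_sel_type, x_sel_data)>
<!ELEMENT x_sel_text (#PCDATA)>
<!ELEMENT x_sel_type (#PCDATA)>
<!ELEMENT x_sel_data (#PCDATA)>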
<!--
  zonename token, declared under the element name "zone": an empty
  element whose only attribute, name, is required.
-->
<!ELEMENT zone EMPTY>
<!ATTLIST zone
    name CDATA #REQUIRED
>