audit_event to audit flag mappings

Data from Apple found here: https://opensource.apple.com/source/bsm/bsm-8/bsm/etc/audit_event.auto.html

Each record is number:name:description:classes, where the last field lists the audit class flags the event belongs to (see BSM Codes below).

0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
2:AUE_FORK:fork(2):pc
3:AUE_OPEN:open(2) - attr only:fa
4:AUE_CREAT:creat(2):fc
5:AUE_LINK:link(2):fc
6:AUE_UNLINK:unlink(2):fd
7:AUE_EXEC:exec(2):pc,ex
8:AUE_CHDIR:chdir(2):pc
9:AUE_MKNOD:mknod(2):ad
10:AUE_CHMOD:chmod(2):ad
11:AUE_CHOWN:chown(2):fm
12:AUE_UNMOUNT:unmount(2):ad
13:AUE_JUNK:junk:no
14:AUE_ACCESS:access(2):fa
15:AUE_KILL:kill(2):pc
16:AUE_STAT:stat(2):fa
17:AUE_LSTAT:lstat(2):fa
18:AUE_ACCT:acct(2):ad
19:AUE_MCTL:mctl(2):fm
20:AUE_REBOOT:reboot(2):ad
21:AUE_SYMLINK:symlink(2):fc
22:AUE_READLINK:readlink(2):fr
23:AUE_EXECVE:execve(2):pc,ex
24:AUE_CHROOT:chroot(2):pc
25:AUE_VFORK:vfork(2):pc
26:AUE_SETGROUPS:setgroups(2):pc
27:AUE_SETPGRP:setpgrp(2):pc
28:AUE_SWAPON:swapon(2):ad
29:AUE_SETHOSTNAME:sethostname(2):ad
30:AUE_FCNTL:fcntl(2):fm
31:AUE_SETPRIORITY:setpriority(2):pc
32:AUE_CONNECT:connect(2):nt
33:AUE_ACCEPT:accept(2):nt
34:AUE_BIND:bind(2):nt
35:AUE_SETSOCKOPT:setsockopt(2):nt
36:AUE_VTRACE:vtrace(2):pc
37:AUE_SETTIMEOFDAY:settimeofday(2):ad
38:AUE_FCHOWN:fchown(2):fm
39:AUE_FCHMOD:fchmod(2):fm
40:AUE_SETREUID:setreuid(2):pc
41:AUE_SETREGID:setregid(2):pc
42:AUE_RENAME:rename(2):fc,fd
43:AUE_TRUNCATE:truncate(2):fd
…

BSM Codes

Each record is mask:flag:description; an event's class set is the bitwise OR of the masks of its flags.

0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x00004000:ap:application
0x10000000:res:reserved for internal use
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set
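The two tables above are the audit_class and audit_event formats that the BSM audit daemon reads. The following Python is an added example (not from this page or from Apple's bsm sources) that parses constructed excerpts of both tables, ORs the class masks to get each event's mask, and applies an audit_control-style flags string (prefix "+" for success only, "-" for failure only, "^" to remove a class) to show which events a given selection would record. The flag syntax follows audit_control(5); the excerpts embedded below are cut down from the page's tables and the event subset is an assumption for brevity.

```python
from dataclasses import dataclass

# Constructed excerpts of the two tables on this page, in the audit_class
# (mask:flag:description) and audit_event (number:name:description:classes) line formats.
AUDIT_CLASS_TEXT = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000080:pc:process
0x00000100:nt:network
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x40000000:ex:exec
0xffffffff:all:all flags set
"""

AUDIT_EVENT_TEXT = """\
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
3:AUE_OPEN:open(2) - attr only:fa
4:AUE_CREAT:creat(2):fc
6:AUE_UNLINK:unlink(2):fd
7:AUE_EXEC:exec(2):pc,ex
23:AUE_EXECVE:execve(2):pc,ex
32:AUE_CONNECT:connect(2):nt
42:AUE_RENAME:rename(2):fc,fd
43:AUE_TRUNCATE:truncate(2):fd
"""

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class AuditEvent:
    number: int
    name: str
    description: str
    classes: frozenset


def _records(text):
    """Yield non-blank, non-comment lines of a table."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_audit_class(text):
    """Map each class flag (e.g. 'fr') to its 32-bit mask."""
    classes = {}
    for line in _records(text):
        mask, flag, _description = line.split(":", 2)
        classes[flag] = int(mask, 16)
    return classes


def parse_audit_event(text):
    """Map event number to AuditEvent. The class list is always the last field,
    so the description may safely contain colons."""
    events = {}
    for line in _records(text):
        number, name, *desc, cls = line.split(":")
        events[int(number)] = AuditEvent(int(number), name, ":".join(desc),
                                         frozenset(cls.split(",")))
    return events


def event_mask(event, classes):
    """OR of the masks of every class the event belongs to; 0 for class 'no'."""
    mask = 0
    for flag in event.classes:
        mask |= classes[flag]
    return mask


def parse_flags(spec, classes):
    """Turn an audit_control(5)-style flags string into (success_mask, failure_mask).
    '+cls' selects successes only, '-cls' failures only, '^' removes instead of adds;
    tokens are applied left to right, so 'lo,-all,^-fa' means: both for lo, every
    failure, except failed file-attribute accesses."""
    success = failure = 0
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("^")
        if negate:
            token = token[1:]
        want_success = want_failure = True
        if token.startswith("+"):
            want_failure, token = False, token[1:]
        elif token.startswith("-"):
            want_success, token = False, token[1:]
        if token not in classes:
            raise ValueError(f"unknown audit class flag: {token!r}")
        mask = classes[token]
        if negate:
            if want_success:
                success &= ~mask & MASK32
            if want_failure:
                failure &= ~mask & MASK32
        else:
            if want_success:
                success |= mask
            if want_failure:
                failure |= mask
    return success, failure


def events_selected(spec, classes, events, succeeded=True):
    """Names of the events a flags string would record, for a succeeded or failed call."""
    success, failure = parse_flags(spec, classes)
    selected = success if succeeded else failure
    return sorted(e.name for e in events.values() if event_mask(e, classes) & selected)
```

Events whose only class is "no" (mask 0x00000000, such as AUE_NULL) never match any selection, including "all", which is why the class table labels it "invalid class"; conversely "-all" records every failed call but no successful one.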