audit.log(4)                     File Formats                     audit.log(4)



NAME
       audit.log - audit trail file

SYNOPSIS
       #include <bsm/audit.h>

       #include <bsm/audit_record.h>

DESCRIPTION
       audit.log files are the depository for audit records stored locally or
       on an NFS-mounted audit server. These files are kept in the directories
       named in the file audit_control(4) using the dir option. They are named
       to reflect the time they are created and are, when possible, renamed to
       reflect the time they are closed as well. The name takes the form

              yyyymmddhhmmss.not_terminated.hostname


       while the file is open, or permanently if auditd(1M) terminated ungrace-
       fully before closing it, and the form

              yyyymmddhhmmss.yyyymmddhhmmss.hostname


       when properly closed. yyyy is the year, mm the month,  dd  day  in  the
       month,  hh hour in the day, mm minute in the hour, and ss second in the
       minute. All fields are of fixed width.
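
       The following script is an added example; it is not part of this manual
       page or of Solaris. It applies the naming rule above to a directory
       listing: a not_terminated file other than the newest one means
       auditd(1M) stopped without closing it, and a next file that opens well
       after the previous one closed is a hole in the trail. The host name
       hosta, the directory listing and the 10-second tolerance are constructed
       for the demonstration.

```python
"""Check a directory listing of audit.log names for unterminated files and
coverage gaps. Added example, not from the manual page; the names are constructed."""
import re
from datetime import datetime

NAME_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")


def parse_name(name):
    """Return {name, start, end, host} for a valid audit.log name, else None.
    end is None for a not_terminated file."""
    m = NAME_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    end = None if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    if end is not None and end < start:
        return None                    # close time before open time: not a sane name
    return {"name": name, "start": start, "end": end, "host": m.group(3)}


def check_trail(names, max_gap_seconds=10):
    """Order the files of one host by open time and return (stale, gaps).

    stale: not_terminated files other than the newest one; auditd(1M) never
           renamed them, so it stopped ungracefully while they were open.
    gaps:  (previous, next, seconds) where the next file opened more than
           max_gap_seconds after the previous closed; seconds is None when the
           previous file was never closed and its coverage end is unknown.
    """
    files = sorted((f for f in map(parse_name, names) if f), key=lambda f: f["start"])
    stale = [f["name"] for f in files[:-1] if f["end"] is None]
    gaps = []
    for prev, cur in zip(files, files[1:]):
        if prev["end"] is None:
            gaps.append((prev["name"], cur["name"], None))
            continue
        delta = (cur["start"] - prev["end"]).total_seconds()
        if delta > max_gap_seconds:
            gaps.append((prev["name"], cur["name"], delta))
    return stale, gaps


# Constructed listing of one dir from audit_control(4); hosta is a made-up host.
SAMPLE_LISTING = [
    "20040106120000.20040106170000.hosta",   # closed cleanly
    "20040106180000.not_terminated.hosta",   # opened an hour later, never closed
    "20040107090000.20040107120000.hosta",
    "20040107120005.not_terminated.hosta",   # newest file, still open: expected
    "README",                                # not an audit file
]

if __name__ == "__main__":
    print(check_trail(SAMPLE_LISTING))
```

       Only the newest not_terminated file is expected; an older one is the
       trace of an ungraceful stop, and the interval from it to the next file
       is reported as unverifiable rather than as a measured gap, because its
       close time is unknown. The file tokens at the start and end of each
       audit.log, which record the previous and next pathnames, give a second,
       independent chain to cross-check against the names.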

       Audit data is generated in  the  binary  format  described  below;  the
       default  for Solaris audit is binary format. See audit_syslog(5) for an
       alternate data format.

       The audit.log file begins with a standalone file  token  and  typically
       ends  with  one  also. The beginning file token records the pathname of
       the previous audit file, while the ending file token records the  path-
       name  of  the next audit file. If the file name is NULL the appropriate
       path was unavailable.

       The audit.log files contain audit records. Each audit record  is  made
       up  of  audit  tokens.  Each record contains a header token followed by
       various data tokens. Depending on the audit policy set with auditon(2),
       other optional tokens such as trailers or sequences may be included.

       The tokens are defined as follows:

       The file token consists of:

       token ID                1 byte
       seconds of time         4 bytes
       microseconds of time    4 bytes
       file name length        2 bytes
       file pathname           N bytes + 1 terminating NULL byte

       The header token consists of:

       token ID                1 byte
       record byte count       4 bytes
       version #               1 byte    [2]
       event type              2 bytes
       event modifier          2 bytes
       seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
       nanoseconds of time     4 bytes/8 bytes (32-bit/64-bit value)

       The expanded header token consists of:

       token ID                1 byte
       record byte count       4 bytes
       version #               1 byte     [2]
       event type              2 bytes
       event modifier          2 bytes
       address type/length     1 byte
       machine address         4 bytes/16 bytes (IPv4/IPv6 address)
       seconds of time         4 bytes/8 bytes  (32/64-bits)
       nanoseconds of time     4 bytes/8 bytes  (32/64-bits)

       The trailer token consists of:

       token ID                1 byte
       trailer magic number    2 bytes
       record byte count       4 bytes

       The arbitrary data token consists of:

       token ID                1 byte
       how to print            1 byte
       basic unit              1 byte
       unit count              1 byte
       data items              (depends on basic unit)

       The in_addr token consists of:

       token ID                1 byte
       IP address type/length  1 byte
       IP address              4 bytes/16 bytes (IPv4/IPv6 address)

       The expanded in_addr token consists of:

       token ID                1 byte
       IP address type/length  4 bytes (address length in bytes; 16 for IPv6)
       IP address              16 bytes (IPv6 address)

       The ip token consists of:

       token ID                1 byte
       version and ihl         1 byte
       type of service         1 byte
       length                  2 bytes
       id                      2 bytes
       offset                  2 bytes
       ttl                     1 byte
       protocol                1 byte
       checksum                2 bytes
       source address          4 bytes
       destination address     4 bytes

       The expanded ip token consists of:

       token ID                1 byte
       version and ihl         1 byte
       type of service         1 byte
       length                  2 bytes
       id                      2 bytes
       offset                  2 bytes
       ttl                     1 byte
       protocol                1 byte
       checksum                2 bytes
       address type/length     1 byte
       source address          4 bytes/16 bytes (IPv4/IPv6 address)
       address type/length     1 byte
       destination address     4 bytes/16 bytes (IPv4/IPv6 address)

       The iport token consists of:

       token ID                1 byte
       port IP address         2 bytes

       The path token consists of:

       token ID                1 byte
       path length             2 bytes
       path                    N bytes + 1 terminating NULL byte

       The path_attr token consists of:

       token ID                1 byte
       count                   4 bytes
       path                    count null-terminated string(s)

       The process token consists of:

       token ID                1 byte
       audit ID                4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID            4 bytes
       real group ID           4 bytes
       process ID              4 bytes
       session ID              4 bytes
       terminal ID
         port ID               4 bytes/8 bytes (32-bit/64-bit value)
         machine address       4 bytes

       The expanded process token consists of:

       token ID                1 byte
       audit ID                4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID            4 bytes
       real group ID           4 bytes
       process ID              4 bytes
       session ID              4 bytes
       terminal ID
         port ID               4 bytes/8 bytes (32-bit/64-bit value)
         address type/length   1 byte
         machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The return token consists of:

       token ID                1 byte
       error number            1 byte
       return value            4 bytes/8 bytes (32-bit/64-bit value)

       The subject token consists of:

       token ID                1 byte
       audit ID                4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID            4 bytes
       real group ID           4 bytes
       process ID              4 bytes
       session ID              4 bytes
       terminal ID
         port ID               4 bytes/8 bytes (32-bit/64-bit value)
         machine address       4 bytes

       The expanded subject token consists of:

       token ID                1 byte
       audit ID                4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID            4 bytes
       real group ID           4 bytes
       process ID              4 bytes
       session ID              4 bytes
       terminal ID
         port ID               4 bytes/8 bytes (32-bit/64-bit value)
         address type/length   1 byte
         machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The System V IPC token consists of:

       token ID                1 byte
       object ID type          1 byte
       object ID               4 bytes

       The text token consists of:

       token ID                1 byte
       text length             2 bytes
       text                    N bytes + 1 terminating NULL byte

       The attribute token consists of:

       token ID                1 byte
       file access mode        4 bytes
       owner user ID           4 bytes
       owner group ID          4 bytes
       file system ID          4 bytes
       node ID                 8 bytes
       device                  4 bytes/8 bytes (32-bit/64-bit)

       The groups token consists of:

       token ID                1 byte
       number groups           2 bytes
       group list              N * 4 bytes

       The System V IPC permission token consists of:

       token ID                1 byte
       owner user ID           4 bytes
       owner group ID          4 bytes
       creator user ID         4 bytes
       creator group ID        4 bytes
       access mode             4 bytes
       slot sequence #         4 bytes
       key                     4 bytes

       The arg token consists of:

       token ID                1 byte
       argument #              1 byte
       argument value          4 bytes/8 bytes (32-bit/64-bit value)
       text length             2 bytes
       text                    N bytes + 1 terminating NULL byte

       The exec_args token consists of:

       token ID                1 byte
       count                   4 bytes
       text                    count null-terminated string(s)

       The exec_env token consists of:

       token ID                1 byte
       count                   4 bytes
       text                    count null-terminated string(s)

       The exit token consists of:

       token ID                1 byte
       status                  4 bytes
       return value            4 bytes

       The socket token consists of:

       token ID                1 byte
       socket type             2 bytes
       remote port             2 bytes
       remote Internet address 4 bytes

       The expanded socket token consists of:

       token ID                1 byte
       socket domain           2 bytes
       socket type             2 bytes
       address type/length     2 bytes
       local port              2 bytes
       local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
       remote port             2 bytes
       remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)

       The seq token consists of:

       token ID                1 byte
       sequence number         4 bytes

       The privilege token consists of:

       token ID                1 byte
       text length             2 bytes
       privilege set name      N bytes + 1 terminating NULL byte
       text length             2 bytes
       list of privileges      N bytes + 1 terminating NULL byte


       The use-of-auth token consists of:

       token ID                1 byte
       text length             2 bytes
       authorization(s)        N bytes + 1 terminating NULL byte


       The command token consists of:

       token ID                1 byte
       count of args           2 bytes
       argument list           (count times)
       text length             2 bytes
       argument text           N bytes + 1 terminating NULL byte
       count of env strings    2 bytes
       environment list        (count times)
       text length             2 bytes
       env. text               N bytes + 1 terminating NULL byte


       The ACL token consists of:

       token ID                1 byte
       type                    4 bytes
       value                   4 bytes
       file mode               4 bytes


       The zonename token consists of:

       token ID            1 byte
       name length         2 bytes
       name                <name length> bytes including terminating NULL byte


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE                  ATTRIBUTE VALUE
       Interface Stability:
         binary file format            Evolving
         binary file contents          Unstable


SEE ALSO
       audit(1M),  auditd(1M), bsmconv(1M), audit(2), auditon(2), au_to(3BSM),
       audit_control(4), audit_syslog(5)

NOTES
       Each token is generally written using the au_to(3BSM) family  of  func-
       tion calls.



SunOS 5.10                        6 Jan 2004                      audit.log(4)