The subject token describes a subject (process). The structure is the same as the process token:
A token ID
The user audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The session ID
A terminal ID made up of
A device ID
A system ID
This token is always returned as part of kernel-generated audit records for system calls. The audit ID, user ID, group ID, process ID, and session ID are long instead of short. Figure B–24 shows the token format.
The subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
For the Trusted Solaris 7 release, the process token can be displayed using a 64-bit device ID, in place of the 32-bit value.
For the Trusted Solaris 8 4/01 release, the terminal ID can report an IPv6 address by changing the format to use either 4 or 8 bytes to describe the device, 16 bytes to describe the type, and 16 bytes to describe the address.
A subject token is displayed by praudit as follows:
subject,root,root,staff,root,staff,552,552,24 3 patchwork