NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | NOTES
#include <bsm/audit.h>
#include <bsm/audit_record.h>
audit.log files are the depository for audit records stored locally or on an audit server. These files are kept in directories named in the file audit_control(4). They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form
yyyymmddhhmmss.not_terminated.hostname
when open or if the auditd(1M) terminated ungracefully, and the form
yyyymmddhhmmss.yyyymmddhhmmss.hostname
when properly closed. yyyy is the year, mm the month, dd day in the month, hh hour in the day, mm minute in the hour, and ss second in the minute. All fields are of fixed width.
The audit.log file begins with a standalone file token and typically ends with one also. The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file. If the file name is NULL the appropriate path was unavailable.
The audit.log files contains audit records. Each audit record is made up of audit tokens. Each record contains a header token followed by various data tokens. Depending on the audit policy in place by auditon(2), optional other tokens such as trailers or sequences may be included.
The tokens are defined as follows:
The file token consists of:
token ID char seconds of time uint_t milliseconds of time uint_t file name length short file pathname null terminated string |
The header token consists of:
token ID char record byte count ulong_t version # char (1) event type ushort_t event modifier ushort_t seconds of time uint_t milliseconds of time uint_t |
The trailer token consists of:
token ID char trailer magic number ushort_t record byte count ulong_t |
The arbitrary data token is defined:
token ID char how to print char basic unit char unit count char data items depends on basic unit |
The in_addr token consists of:
token ID char internet address char |
The ip token consists of:
token ID char version and ihl char type of service char length short id ushort_t offset ushort_t ttl char protocol char checksum ushort_t source address long destination address long |
The iport token consists of:
token ID char port address short |
The opaque token consists of:
token ID char size short data char, size chars |
The path token consists of:
token ID char path length short path null terminated string |
The process token consists of:
token ID char auid ulong_t euid ulong_t egid ulong_t ruid ulong_t rgid ulong_t pid ulong_t sid ulong_t terminal ID ulong_t (port ID) ulong_t (machine ID) |
The return token consists of:
token ID char error number char return value long |
The subject token consists of:
token ID char auid ulong_t euid ulong_t egid ulong_t ruid ulong_t rgid ulong_t pid ulong_t sid ulong_t terminal ID ulong_t (port ID) ulong_t (machine ID) |
The System V IPC token consists of:
token ID char object ID type char object ID long |
The text token consists of:
token ID char text length short text null terminated string |
The attribute token consists of:
token ID char mode ulong_t uid ulong_t gid ulong_t file system id long node id long device ulong_t |
The groups token consists of:
token ID char number short group list long, size chars |
The System V IPC permission token consists of:
token ID char uid ulong_t gid ulong_t cuid ulong_t cgid ulong_t mode ulong_t seq ulong_t key long |
The arg token consists of:
token ID char argument # char argument value long string length short text null terminated string |
The exec_args token consists of:
token ID char count long text count null terminated string(s) |
The exec_env token consists of:
token ID char count long text count null terminated string(s) |
The exit token consists of:
token ID char status long return value long |
The socket token consists of:
token ID char socket type short local port short local Internet address char remote port short remote Internet address char |
The seq token consists of:
token ID char sequence number long |
Each token is generally written using the au_to(3) family of function calls.
The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.
NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | NOTES