NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | NOTES
#include <bsm/audit.h>
#include <bsm/audit_record.h>
audit.log files are the repository for audit records stored locally or on an audit server. These files are kept in the directories named in audit_control(4). They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form
yyyymmddhhmmss.not_terminated.hostname
while the file is open, or permanently if auditd(1M) terminated ungracefully, and the form
yyyymmddhhmmss.yyyymmddhhmmss.hostname
when properly closed. yyyy is the year, mm the month, dd the day in the month, hh the hour in the day, mm the minute in the hour, and ss the second in the minute. All fields are of fixed width.
The audit.log file begins with a standalone file token and typically ends with one also. The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file. If the file name is NULL, the corresponding path was unavailable.
The audit.log files contain audit records. Each audit record is made up of audit tokens: a header token followed by various data tokens. Depending on the audit policy set by auditon(2), other tokens such as trailers or sequence tokens may also be included.
The tokens are defined as follows:

The file token consists of:
    token ID                  char
    seconds of time           uint_t
    milliseconds of time      uint_t
    file name length          short
    file pathname             null-terminated string

The header token consists of:
    token ID                  char
    record byte count         ulong_t
    version #                 char (1)
    event type                ushort_t
    event modifier            ushort_t
    seconds of time           uint_t
    milliseconds of time      uint_t

The trailer token consists of:
    token ID                  char
    trailer magic number      ushort_t
    record byte count         ulong_t

The arbitrary data token consists of:
    token ID                  char
    how to print              char
    basic unit                char
    unit count                char
    data items                depends on basic unit

The in_addr token consists of:
    token ID                  char
    internet address          char

The ip token consists of:
    token ID                  char
    version and ihl           char
    type of service           char
    length                    short
    id                        ushort_t
    offset                    ushort_t
    ttl                       char
    protocol                  char
    checksum                  ushort_t
    source address            long
    destination address       long

The iport token consists of:
    token ID                  char
    port address              short

The opaque token consists of:
    token ID                  char
    size                      short
    data                      char, size chars

The path token consists of:
    token ID                  char
    path length               short
    path                      null-terminated string

The process token consists of:
    token ID                  char
    auid                      ulong_t
    euid                      ulong_t
    egid                      ulong_t
    ruid                      ulong_t
    rgid                      ulong_t
    pid                       ulong_t
    sid                       ulong_t
    terminal ID               ulong_t (port ID)
                              ulong_t (machine ID)

The return token consists of:
    token ID                  char
    error number              char
    return value              long

The subject token consists of:
    token ID                  char
    auid                      ulong_t
    euid                      ulong_t
    egid                      ulong_t
    ruid                      ulong_t
    rgid                      ulong_t
    pid                       ulong_t
    sid                       ulong_t
    terminal ID               ulong_t (port ID)
                              ulong_t (machine ID)

The System V IPC token consists of:
    token ID                  char
    object ID type            char
    object ID                 long

The text token consists of:
    token ID                  char
    text length               short
    text                      null-terminated string

The attribute token consists of:
    token ID                  char
    mode                      ulong_t
    uid                       ulong_t
    gid                       ulong_t
    file system id            long
    node id                   long
    device                    ulong_t

The groups token consists of:
    token ID                  char
    number                    short
    group list                long, number entries

The System V IPC permission token consists of:
    token ID                  char
    uid                       ulong_t
    gid                       ulong_t
    cuid                      ulong_t
    cgid                      ulong_t
    mode                      ulong_t
    seq                       ulong_t
    key                       long

The arg token consists of:
    token ID                  char
    argument #                char
    argument value            long
    string length             short
    text                      null-terminated string

The exec_args token consists of:
    token ID                  char
    count                     long
    text                      count null-terminated strings

The exec_env token consists of:
    token ID                  char
    count                     long
    text                      count null-terminated strings

The exit token consists of:
    token ID                  char
    status                    long
    return value              long

The socket token consists of:
    token ID                  char
    socket type               short
    local port                short
    local Internet address    char
    remote port               short
    remote Internet address   char

The seq token consists of:
    token ID                  char
    sequence number           long
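The file naming scheme and the token layouts above, as a working reader. This is an added example, not text or code from the man page or from the BSM sources. It assumes the token ID values and trailer magic shown in its constants (taken from <bsm/audit_record.h>; the man page gives layouts but not numeric IDs, so check them against your header), that token fields are stored in network byte order, and it decodes only the file, header, subject, path, text, return and trailer tokens. The sample log bytes, the subject identity and the event numbers are constructed in the block and are not from any real system.

```python
import re
import struct
from datetime import datetime

# Token IDs and trailer magic as defined in <bsm/audit_record.h> (assumed here;
# the man page does not list the numeric values, so verify against your header).
AUT_OTHER_FILE32 = 0x11
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
AUT_TRAILER_MAGIC = 0xB105

# Token fields are stored in network byte order (big-endian).
HEADER_FMT = ">IBHHII"   # record byte count, version, event type, modifier, sec, msec
SUBJECT_FMT = ">9I"      # auid euid egid ruid rgid pid sid, terminal port ID, machine ID
RETURN_FMT = ">Bi"       # error number, return value
TRAILER_FMT = ">HI"      # trailer magic, record byte count
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")
NAME_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")


def parse_log_name(name):
    """Split yyyymmddhhmmss.{yyyymmddhhmmss|not_terminated}.hostname."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not an audit.log name: %r" % name)
    stamp = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    closed = None if m.group(2) == "not_terminated" else stamp(m.group(2))
    return {"opened": stamp(m.group(1)), "closed": closed, "host": m.group(3)}


def _string(buf, off):
    """Read a 'length short' followed by that many NUL-terminated bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    s = buf[off + 2:off + 2 + n]
    if len(s) != n or (n and not s.endswith(b"\0")):
        raise ValueError("bad string at offset %d" % off)
    return (s[:-1].decode("utf-8", "replace") if n else None), off + 2 + n


def parse_record(rec):
    """Decode the tokens of exactly one record (header token first)."""
    tokens, off = [], 0
    while off < len(rec):
        tid, off = rec[off], off + 1
        if tid == AUT_HEADER32:
            f = struct.unpack_from(HEADER_FMT, rec, off)
            off += struct.calcsize(HEADER_FMT)
            tokens.append(("header", dict(zip(("count", "version", "event", "modifier", "sec", "msec"), f))))
        elif tid == AUT_SUBJECT32:
            f = struct.unpack_from(SUBJECT_FMT, rec, off)
            off += struct.calcsize(SUBJECT_FMT)
            tokens.append(("subject", dict(zip(SUBJECT_FIELDS, f))))
        elif tid in (AUT_PATH, AUT_TEXT):
            s, off = _string(rec, off)
            tokens.append(("path" if tid == AUT_PATH else "text", s))
        elif tid == AUT_RETURN32:
            err, val = struct.unpack_from(RETURN_FMT, rec, off)
            off += struct.calcsize(RETURN_FMT)
            tokens.append(("return", {"errno": err, "value": val}))
        elif tid == AUT_TRAILER:
            magic, count = struct.unpack_from(TRAILER_FMT, rec, off)
            off += struct.calcsize(TRAILER_FMT)
            # The trailer repeats the header's byte count: a cheap integrity check.
            if magic != AUT_TRAILER_MAGIC or count != len(rec) or off != len(rec):
                raise ValueError("trailer does not match header")
            tokens.append(("trailer", {"count": count}))
        else:
            raise ValueError("unsupported token 0x%02x at offset %d" % (tid, off - 1))
    return tokens


def iter_records(data):
    """Yield ('file', info) for standalone file tokens and ('record', tokens) otherwise."""
    off = 0
    while off < len(data):
        tid = data[off]
        if tid == AUT_OTHER_FILE32:
            sec, msec = struct.unpack_from(">II", data, off + 1)
            path, off = _string(data, off + 9)
            yield "file", {"sec": sec, "msec": msec, "path": path}
        elif tid == AUT_HEADER32:
            (count,) = struct.unpack_from(">I", data, off + 1)
            if count <= struct.calcsize(HEADER_FMT) or off + count > len(data):
                raise ValueError("truncated or corrupt record at offset %d" % off)
            yield "record", parse_record(data[off:off + count])
            off += count
        else:
            raise ValueError("unexpected token 0x%02x at offset %d" % (tid, off))


def is_truncated(data):
    """True if the stream ends mid-token, as a not_terminated file often does."""
    try:
        for _ in iter_records(data):
            pass
    except (ValueError, struct.error):
        return True
    return False


def summarize(data):
    """One line per file token or record, the view a log reviewer wants."""
    out = []
    for kind, item in iter_records(data):
        if kind == "file":
            out.append("file -> %s" % item["path"])
        else:
            t = dict(item)
            out.append("event %d auid %d path %s errno %d ret %d" % (
                t["header"]["event"], t["subject"]["auid"], t.get("path"),
                t["return"]["errno"], t["return"]["value"]))
    return out


# Constructed sample data (not a real log); version 2 and the event numbers are sample values.
def build_record(event, subject, path, errno_, value, sec=0, msec=0):
    body = bytes([AUT_SUBJECT32]) + struct.pack(SUBJECT_FMT, *subject)
    body += bytes([AUT_PATH]) + struct.pack(">H", len(path) + 1) + path.encode() + b"\0"
    body += bytes([AUT_RETURN32]) + struct.pack(RETURN_FMT, errno_, value)
    total = 1 + struct.calcsize(HEADER_FMT) + len(body) + 1 + struct.calcsize(TRAILER_FMT)
    head = bytes([AUT_HEADER32]) + struct.pack(HEADER_FMT, total, 2, event, 0, sec, msec)
    tail = bytes([AUT_TRAILER]) + struct.pack(TRAILER_FMT, AUT_TRAILER_MAGIC, total)
    return head + body + tail


def file_token(sec, msec, path):
    return bytes([AUT_OTHER_FILE32]) + struct.pack(">IIH", sec, msec, len(path) + 1) + path.encode() + b"\0"


SUBJ = (1001, 0, 0, 1001, 10, 4242, 4000, 0x0C00, 0x7F000001)
SAMPLE_LOG = (
    file_token(1709294400, 0, "/var/audit/20240301110000.20240301120000.host1")
    + build_record(6, SUBJ, "/etc/shadow", 13, -1, sec=1709294401)
    + build_record(6, SUBJ, "/etc/passwd", 0, 0, sec=1709294402)
    + file_token(1709298000, 0, "/var/audit/20240301130000.not_terminated.host1")
)

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
    print("truncated copy detected:", is_truncated(SAMPLE_LOG[:100]))
```

The trailer check is the operationally useful part: a not_terminated file left behind by a crashed auditd usually ends mid-record, and a record whose trailer byte count disagrees with its header has been truncated or altered, so a collector should flag the record rather than silently resynchronise on the next header byte.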
Each token is generally written using the au_to(3) family of function calls.
The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.