Each audit token has a token type identifier, which is followed by data that is specific to the token. Each token type has its own format. The following table shows the token names with a brief description of each token. Obsolete tokens are maintained for compatibility with previous Solaris releases.
Table 31–4 Audit Tokens for Solaris Auditing

| Token Name | Description | For More Information |
|---|---|---|
| acl | Access Control List (ACL) information | |
| arbitrary | Data with format and type information | See the audit.log(4) man page. |
| arg | System call argument value | |
| attribute | File vnode tokens | |
| cmd | Command arguments and environment variables | |
| exec_args | Exec system call arguments | |
| exec_env | Exec system call environment variables | |
| exit | Program exit information | See the audit.log(4) man page. |
| file | Audit file information | |
| fmri | Framework Management Resource Indicator token | |
| group | Process groups information | See the groups token. |
| groups | Process groups information | |
| header | Indicates start of audit record | |
| in_addr | Internet address | |
| ip | IP header information | See the audit.log(4) man page. |
| ipc | System V IPC information | |
| ipc_perm | System V IPC object tokens | |
| iport | Internet port address | |
| opaque | Unstructured data (unspecified format) | See the audit.log(4) man page. |
| path | Path information | |
| path_attr | Access path information | |
| privilege | Privilege set information | |
| process | Process token information | |
| return | Status of system call | |
| sequence | Sequence number token | |
| socket | Socket type and addresses | |
| subject | Subject token (same format as process token) | |
| text | ASCII string | |
| trailer | Indicates end of audit record | |
| uauth | Use of authorization | |
| upriv | Use of privilege | |
| zonename | Name of zone | |
An audit record always begins with a header token. The header token indicates where the audit record begins in the audit trail. In the case of attributable events, the subject and the process tokens refer to the values of the process that caused the event. In the case of nonattributable events, the process token refers to the system.
The acl token records information about Access Control Lists (ACLs).
The praudit -x command shows the fields of the acl token:
```
<acl type="1" value="root" mode="6"/>
```
The arg token contains information about the arguments to a system call: the argument number of the system call, the argument value, and an optional description. This token allows a 32-bit integer system-call argument in an audit record.
The praudit -x command shows the fields of the arg token:
```
<argument arg-num="2" value="0x0" desc="new file uid"/>
```
The attribute token contains information from the file vnode.
The attribute token usually accompanies a path token. The attribute token is produced during path searches. If a path-search error occurs, there is no vnode available to obtain the necessary file information. Therefore, the attribute token is not included as part of the audit record. The praudit -x command shows the fields of the attribute token:
```
<attribute mode="100644" uid="adm" gid="adm" fsid="136" nodeid="2040" device="0"/>
```
The cmd token records the list of arguments and the list of environment variables that are associated with a command.
The praudit -x command shows the fields of the cmd token. The following is a truncated cmd token. The line is wrapped for display purposes.
```
<cmd><arge>WINDOWID=6823679</arge> <arge>COLORTERM=gnome-terminal</arge> <arge>...LANG=C</arge>...<arge>HOST=machine1</arge> <arge>LPDEST=printer1</arge>...</cmd>
```
The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
- A token ID field that identifies this token as an exec_args token
- A count that represents the number of arguments that are passed to the exec() system call

The remainder of this token is composed of count strings. The praudit -x command shows the fields of the exec_args token:

```
<exec_args><arg>/usr/bin/sh</arg><arg>/usr/bin/hostname</arg></exec_args>
```
The exec_args token is output only when the argv audit policy option is active.
The exec_env token records the current environment variables to an exec() system call. The exec_env token has two fixed fields:
- A token ID field that identifies this token as an exec_env token
- A count that represents the number of environment variables that are passed to the exec() system call

The remainder of this token is composed of count strings. The praudit -x command shows the fields of the exec_env token. The line is wrapped for display purposes.

```
<exec_env><env>_=/usr/bin/hostname</env> <env>DTXSERVERLOCATION=local</env><env>SESSIONTYPE=altDt</env> <env>LANG=C</env><env>SDT_NO_TOOLTALK=1</env><env>SDT_ALT_HELLO=/bin/true</env> <env>PATH=/usr/bin:/usr/openwin/bin:/usr/ucb</env> <env>OPENWINHOME=/usr/openwin</env><env>LOGNAME=jdoe</env><env>USER=jdoe</env> <env>DISPLAY=:0</env><env>SHELL=/bin/csh</env><env>START_SPECKEYSD=no</env> <env>SDT_ALT_SESSION=/usr/dt/config/Xsession2.jds</env><env>HOME=/home/jdoe</env> <env>SDT_NO_DTDBCACHE=1</env><env>PWD=/home/jdoe</env><env>TZ=US/Pacific</env> </exec_env>
```
The exec_env token is output only when the arge audit policy option is active.
The file token is a special token that is generated by the auditd daemon. The token marks the beginning of a new audit file and the end of an old audit file as the old file is deactivated. The initial file token identifies the previous file in the audit trail. The final file token identifies the next file in the audit trail. The auditd daemon builds a special audit record that contains this token to “link” together successive audit files into one audit trail.
The file token has four fields:
- A token ID that identifies this token as a file token
- A timestamp that identifies the date and the time that the file was created or was closed
- The file name length
- A field that holds the null-terminated file name

The praudit -x command shows the fields of the file token. This token identifies the next file in the audit trail. The line is wrapped for display purposes.

```
<file iso8601="2009-04-08 14:18:26.200 -07:00"> /var/audit/machine1/files/20090408211826.not_terminated.machine1</file>
```
The fmri token records the use of a fault management resource indicator (FMRI). For more information, see the smf(5) man page.
The praudit -x command shows the content of the fmri token:
```
<fmri service_instance="svc:/system/cryptosvc"/>
```
The groups token replaces the group token. The groups token records the group entries from the process's credential.
The praudit -x command shows the fields of the groups token:
```
<group><gid>staff</gid><gid>other</gid></group>
```
The groups token is output only when the group audit policy option is active.
The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.
On 64-bit systems, the header token is displayed with a 64-bit timestamp, in place of the 32-bit timestamp.
The praudit command displays the header token as follows:
```
header,69,2,su,,machine1,2009-04-08 13:11:58.209 -07:00
```
The praudit -x command displays the fields of the header token at the beginning of the audit record. The line is wrapped for display purposes.
```
<record version="2" event="su" host="machine1" iso8601="2009-04-08 13:11:58.209 -07:00">
```
The in_addr token contains an Internet Protocol address. Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe the address type, and 16 bytes to describe the address.
The praudit -x command shows the content of the in_addr token:
```
<ip_address>machine1</ip_address>
```
The ipc token contains the System V IPC message handle, semaphore handle, or shared-memory handle that is used by the caller to identify a particular IPC object.
The IPC object identifiers violate the context-free nature of the Solaris audit tokens. No global “name” uniquely identifies IPC objects. Instead, IPC objects are identified by their handles. The handles are valid only during the time that the IPC objects are active. However, the identification of IPC objects should not be a problem. The System V IPC mechanisms are seldom used, and the mechanisms all share the same audit class.
The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.
Table 31–5 Values for the IPC Object Type Field

| Name | Value | Description |
|---|---|---|
| AU_IPC_MSG | 1 | IPC message object |
| AU_IPC_SEM | 2 | IPC semaphore object |
| AU_IPC_SHM | 3 | IPC shared-memory object |
The praudit -x command shows the fields of the ipc token:
```
<IPC ipc-type="shm" ipc-id="15"/>
```
The ipc_perm token contains a copy of the System V IPC access permissions. This token is added to audit records that are generated by IPC shared-memory events, IPC semaphore events, and IPC message events.
The praudit -x command shows the fields of the ipc_perm token. The line is wrapped for display purposes.
```
<IPC_perm uid="jdoe" gid="staff" creator-uid="jdoe" creator-gid="staff" mode="100600" seq="0" key="0x0"/>
```
The values are taken from the ipc_perm structure that is associated with the IPC object.
The iport token contains the TCP or UDP port address.
The praudit command displays the iport token as follows:
```
ip port,0xf6d6
```
The path token contains access path information for an object.
The praudit -x command shows the content of the path token:
```
<path>/etc/security/audit_user</path>
```
The path_attr token contains access path information for an object. The access path specifies the sequence of attribute file objects below the path token object. System calls such as openat() access attribute files. For more information on attribute file objects, see the fsattr(5) man page.
The praudit command displays the path_attr token as follows:
```
path_attr,1,attr_file_name
```
The privilege token records the use of privileges on a process. The privilege token is not recorded for privileges in the basic set. If a privilege has been removed from the basic set by administrative action, then the use of that privilege is recorded. For more information on privileges, see Privileges (Overview).
The praudit -x command shows the fields of the privilege token. The line is wrapped for display purposes.
```
<privilege set-type="Effective">file_chown,file_dac_read, file_dac_write,net_privaddr,proc_exec,proc_fork,proc_setid</privilege>
```
The process token contains information about a user who is associated with a process, such as the recipient of a signal.
The praudit -x command shows the fields of the process token. The line is wrapped for display purposes.
```
<process audit-uid="-2" uid="root" gid="root" ruid="root" rgid="root" pid="9" sid="0" tid="0 0 0.0.0.0"/>
```
The return token contains the return status of the system call (u_error) and the process return value (u_rval1).
The return token is always returned as part of kernel-generated audit records for system calls. In application auditing, this token indicates exit status and other return values.
The praudit command displays the return token for a system call as follows:
```
return,failure: Operation now in progress,-1
```
The praudit -x command shows the fields of the return token:
```
<return errval="failure: Operation now in progress" retval="-1"/>
```
The sequence token contains a sequence number. The sequence number is incremented every time an audit record is added to the audit trail. This token is useful for debugging.
The praudit -x command shows the content of the sequence token:
```
<sequence seq-num="1292"/>
```
The sequence token is output only when the seq audit policy option is active.
The socket token contains information that describes an Internet socket. In some instances, the token has four fields:
- A token ID that identifies this token as a socket token
- A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX
- The local port
- The local IP address

The praudit command displays this instance of the socket token as follows:

```
socket,0x0002,0x83b1,localhost
```
In most instances, the token has eight fields:
- A token ID that identifies this token as a socket token
- The socket domain
- A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX
- The local port
- The address type, either IPv4 or IPv6
- The local IP address
- The remote port
- The remote IP address

Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe the address type, and 16 bytes to describe the address.
The praudit -x command shows the fields of the socket token. The line is wrapped for display purposes.
```
<socket sock_domain="0x0002" sock_type="0x0002" lport="0x83cf" laddr="example1" fport="0x2383" faddr="server1.Subdomain.Domain.COM"/>
```
The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token.
The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:
```
subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1
```
The praudit -x command shows the fields of the subject token. The line is wrapped for display purposes.
```
<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>
```
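As an added example (not part of the Solaris documentation), the following Python assembles one praudit -x record from the header, subject, exec_args, path, zonename and return token fragments shown on this page and pulls out what a reviewer of an su event needs: the login identity (audit-uid) against the current effective identity (uid), the command and path involved, and whether the call failed. The sample record is constructed; treating an errval that begins with "failure" as a failed call follows the return token shown above.

```python
"""Summarize one praudit -x audit record (Solaris auditing) for review."""
import xml.etree.ElementTree as ET

# Constructed sample record: the token fragments shown on this page, assembled
# into one record for an su event. In praudit -x output the header token opens
# the <record> element that brackets the other tokens.
SAMPLE_RECORD = """
<record version="2" event="su" host="machine1" iso8601="2009-04-08 13:11:58.209 -07:00">
<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>
<exec_args><arg>/usr/bin/sh</arg><arg>/usr/bin/hostname</arg></exec_args>
<path>/etc/security/audit_user</path>
<zone name="global"/>
<return errval="failure: Operation now in progress" retval="-1"/>
</record>
"""


def summarize(record_xml):
    """Return the review-relevant fields of a single praudit -x record as a dict."""
    rec = ET.fromstring(record_xml.strip())
    subject = rec.find("subject")
    ret = rec.find("return")
    zone = rec.find("zone")
    errval = ret.get("errval") if ret is not None else None
    summary = {
        "event": rec.get("event"),
        "host": rec.get("host"),
        "time": rec.get("iso8601"),
        # audit-uid is the audit user ID fixed at login; it survives su, so it
        # names the person responsible even when uid has become root.
        "login_user": subject.get("audit-uid") if subject is not None else None,
        "effective_user": subject.get("uid") if subject is not None else None,
        "pid": int(subject.get("pid")) if subject is not None else None,
        "args": [a.text for a in rec.findall("exec_args/arg")],
        "paths": [p.text for p in rec.findall("path")],
        "zone": zone.get("name") if zone is not None else None,
        # praudit -x reports a failed call as errval="failure: <reason>".
        "errval": errval,
        "retval": int(ret.get("retval")) if ret is not None else None,
        "succeeded": errval is not None and not errval.startswith("failure"),
    }
    summary["identity_changed"] = summary["login_user"] != summary["effective_user"]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print(f"{key:>16}: {value}")
```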
The text token contains a text string.
The praudit -x command shows the content of the text token:
```
<text>booting kernel</text>
```
The two tokens, header and trailer, are special in that they distinguish the end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token. The trailer token is added as the last token of each record only when the trail audit policy option has been set.
When an audit record is generated with trailers turned on, the auditreduce command can verify that the trailer correctly points back to the record header. The trailer token supports backward seeks of the audit trail.
The praudit command displays the trailer token as follows:
```
trailer,136
```
The uauth token records the use of authorization with a command or action.
The praudit command displays the uauth token as follows:
```
use of authorization,solaris.admin.printer.delete
```
The upriv token records the use of privilege with a command or action.
The praudit -x command shows the fields of the upriv token:
```
<use_of_privilege result="successful use of priv">proc_setid</use_of_privilege>
```
The zonename token records the zone in which the audit event occurred. The string “global” indicates audit events that occur in the global zone.
The praudit -x command shows the content of the zonename token:
```
<zone name="graphzone"/>
```