Logically, each token has a token type identifier followed by data specific to the token. Each token type has its own format and structure. The audit tokens are shown in the table below. Those marked TS in the TS7 column are in Trusted Solaris 2.5.1 and Trusted Solaris 7 only. Those not marked TS are modified versions of audit tokens from the Solaris Basic Security Module. The token scheme can be extended.
Table B-1 Trusted Solaris Audit Tokens
Token Name |
Description |
TS7 |
---|---|---|
acl |
Access Control List information |
TS |
arbitrary |
Data with format and type information |
|
arg |
System call argument value |
|
attr |
File attributes |
|
clearance |
Clearance information |
TS |
exec_args |
Exec system call arguments |
|
exec_env |
Exec system call environment variables |
|
exit |
Program exit information |
|
file |
Audit file information |
|
groups |
Process groups information (obsolete) |
|
header |
Indicates start of record |
|
host |
Indicates the host where the audit record was collected |
TS |
ilabel |
Information label information (obsolete in Trusted Solaris 7) |
TS |
in_addr |
Internet address |
|
ip |
IP header information |
|
ipc |
System V IPC information |
|
ipc_perm |
System V IPC object tokens |
|
iport |
Internet port address |
|
liaison |
Liaison information for Trusted Networking |
TS |
newgroups |
Process groups information |
|
opaque |
Unstructured data (unspecified format) |
|
path |
Path information (path) |
|
priv |
Use of privilege information |
TS |
privilege |
Privilege set information |
TS |
process |
Process token information |
|
return |
Status of system call |
|
seq |
Sequence number token |
|
slabel |
sensitivity label information |
TS |
socket |
Socket type and addresses |
|
socket-inet |
Socket port and address |
|
subject |
Subject information (same structure as process token) |
|
text |
character string |
|
trailer |
Indicates end of record |
|
xatom |
X window atom identification |
TS |
xclient |
X client identification |
TS |
xcolormap |
X window color information |
TS |
xcursor |
X window cursor information |
TS |
xfont |
X window font information |
TS |
xgc |
X window graphical context information |
TS |
xpixmap |
Xwindow pixel mapping information |
TS |
xproperty |
X window property information |
TS |
xselect |
X window data information |
TS |
xwindow |
X window window information |
TS |
An audit record always contains a header token and may contain a trailer token. The header token indicates where the audit record begins in the audit trail. The optional trailer token allows backward seeks of the audit trail. Every audit record contains a subject token, except for audit records from some non-attributable events. In the case of attributable events, these two tokens refer to the values of the process that caused the event. In the case of asynchronous events, the process tokens refer to the system. For an example of how to read an audit record, go to "Reading an Audit Record".
The acl token provides information about any access control lists in place on an object. If there is no current acl, this token is not written to the audit record. Also, unless required by an audit record format, this token is normally recorded only when the appropriate auditing policy is set. The fields are:
A token ID
The object type of an array element
The user/group id of an array element
The permissions given to the subject
The following figure shows the token format.
A list of acl tokens is displayed by praudit(1M) as follows:
acl,user_obj,,rwx acl,user,bin,--- acl,group_obj,,r-x acl,class_obj,,r-- acl,other_obj,,r-x
The arbitrary token encapsulates data for the audit trail. It consists of four fixed fields and an array of data. The item array may have a number of items. The fields are:
A token ID
A suggested format, such as decimal
A size of encapsulated data, such as int
A count of the data array items
An item array
The following figure shows the token format.
The print format field can take the values shown in Table B-2.
Table B-2 arbitrary Token Print Format Field Values
Value |
Action |
---|---|
AUP_BINARY |
Print date in binary |
AUP_OCTAL |
Print date in octal |
AUP_DECIMAL |
Print date in decimal |
AUP_HEX |
Print date in hex |
AUP_STRING |
Print date as a string |
The item size field can take the values shown in Table B-3.
Table B-3 arbitrary Token Item Size Field Values
Value |
Action |
---|---|
AUR_BYTE |
Data is in units of bytes (1 byte) |
AUR_SHORT |
Data is in units of shorts (2 bytes) |
AUR_LONG |
Data is in units of longs (4 bytes) |
AUR_LONGLONG |
Data is in units of longlongs (8 bytes) |
An arbitrary token is displayed by praudit as follows:
arbitrary,decimal,int,1 42
The arg token contains system call argument information. A 32-bit integer system call argument is allowed in an audit record. The fields are:
A token ID
An argument ID of the relevant system call argument
The argument value
The length of an optional descriptive text string (does not show)
An optional text string
The following figure shows the token format.
An arg token is displayed by praudit as follows:
argument,2,0x3,cmd
The attr token contains file attribute information from the kernel's internal representation of a file or folder. This token usually accompanies a path token and is produced during path searches. In the event of a path-search error, this token is not included as part of the audit record since the file attribute information is not available. The fields are:
A token ID
The file access mode and type
The owner user ID
The owner group ID
The file system ID
The inode ID
The device ID that the file might represent
See the statvfs(2) man page for further information about the file system ID and the device ID. The following figure shows the token format.
An attr token is displayed by praudit as follows:
attribute,100555,root,root,1805,13871,-4288
The clearance token contains Trusted Solaris clearance information. The fields are:
A token ID
The CMW clearance, containing
A pad ID identifying the label type
The clearance's classifications
The clearance's compartments
The following figure shows the token format.
A clearance token is displayed by praudit as follows:
clearance,TOP SECRET
The exec_args token records the arguments to an exec() system call. The fields are:
A token ID
A count that represents the number of arguments passed to the exec call
Zero or more null-terminated strings, the arguments of the exec call
The following figure shows an exec_args token.
The exec_args token is output only when the audit policy argv is active. See "Dynamic Procedures" for more information.
An exec_args token is displayed by praudit as follows:
exec_args,
The exec_env token records the current environment variables to an exec() system call. The fields are:
A token ID
A count of the current environment variables in the exec call
Zero or more null-terminated strings, the variables of the exec call
The following figure shows an exec_env token.
The exec_env token is output only when the audit policy arge is active. See "Dynamic Procedures" for more information.
An exec_envtoken is displayed by praudit as follows:
exec_env,
The exit token records the exit status of a program and a return value. The fields are:
A token ID
A program exit status as passed to the exit() system call
A return value that describes the exit status or indicates a system error number
The following figure shows an exit token.
An exit token is displayed by praudit as follows:
exit,Error 0,0
The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to link together successive audit files into one audit trail. The fields are:
A token ID
A time and date stamp that identifies the time the file was created or closed
A byte count of the file name including a null terminator (does not show)
The file null-terminated name
The following figure shows the token format.
A file token is displayed by praudit as follows:
file,Fri Jan 23 13:32:42 1997, + 79249 msec, /etc/security/audit/patchwork/files/19920901202558.19920901203241.patchwork
This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Note that praudit does not distinguish between the two tokens as both token IDs are labelled groups when character output is displayed.
The groups token records the groups entries from the process's credential. The fields are:
A token ID
An array of groups entries of size NGROUPS_MAX (16)
The following figure shows a groups token.
A groups token is displayed by praudit as follows:
group,staff,wheel,daemon,kmem,bin,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1
The groups token is output only when the audit policy group is active. See "The auditconfig Command" for more information.
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The fields are:
A token ID
The record length in bytes, including the header and trailer tokens
An audit record structure version number
An event ID identifying the type of audit event
An event ID modifier with descriptive information about the event type
The time and date the record was created
The following figure shows a header token.
The event modifier field has the following flags defined:
Value |
Constant Name |
Description |
---|---|---|
0x0001 |
PAD_MACUSE |
MAC decision was successful |
0x0002 |
PAD_MACREAD |
MAC read failure |
0x0004 |
PAD_MACWRITE |
MAC write failure |
0x0008 |
PAD_MACSEARCH |
MAC search failure |
0x0010 |
PAD_MACKILL |
MAC signal failure |
0x0020 |
PAD_MACTRACE |
MAC trace failure |
0x0040 |
PAD_MACIOCTL |
MAC ioctl failure |
0x0080 |
PAD_SPRIVUSE |
Successful use of privilege |
0x0100 |
PAD_FPRIVUSE |
Failed use of privilege |
0x4000 |
PAD_NONATTR |
Nonattributable event |
0x8000 |
PAD_FAILURE |
Failed audit event |
A header token is displayed by praudit as follows:
header,449,3,pfsh(1M),,Mon May
The host token contains the machine ID for the workstation which generated this audit record. The fields are:
A token ID
The workstation ID of the host that generated the audit record
The following figure shows the token format.
A host token is displayed by praudit as follows:
host,patchwork
The in_addr token contains an Internet address. This 4-byte value is an Internet Protocol address. The fields are:
A token ID
An Internet address
The following figure shows the token format.
An in_addr token is displayed by praudit as follows:
ip addr,129.150.110.3
The ip token contains a copy of an Internet Protocol header but does not include any IP options. The IP options may be added by including more of the IP header in the token. The IP header structure is defined in /usr/include/netinet/ip.h. The fields are:
A token ID
A 20-byte copy of an IP header (all 20 bytes)
The following figure shows the token format.
An ip token is displayed by praudit as follows:
ip,0.0.0.0
The ipc token contains the System V IPC message/semaphore/shared-memory handle used by the caller to identify a particular IPC object. The fields are:
A token ID
An IPC object type identifier
The IPC object handle
The following figure shows the token format.
An ipc token is displayed by praudit as follows:
IPC,msg,3
The IPC object identifiers violate the context-free nature of the Solaris CMW audit tokens. No global "name" uniquely identifies IPC objects; instead, they are identified by their handles, which are valid only during the time the IPC objects are active. The identification should not be a problem since the System V IPC mechanisms are seldom used and they all share the same audit class.
The IPC object type field may have the values shown in Table B-4. The values are defined in </usr/include/bsm/audit.h>.
Table B-4 IPC Object Type Field
Name |
Value |
Description |
---|---|---|
AU_IPC_MSG |
1 |
IPC message object |
AU_IPC_SEM |
2 |
IPC semaphore object |
AU_IPC_SHM |
3 |
IPC shared memory object |
The ipc_perm token contains a copy of the System V IPC access information. Audit records for shared memory, semaphore, and message IPCs have this token added. The fields are:
A token ID
The IPC owner's user ID
The IPC owner's group ID
The IPC creator's user ID
The IPC creator's group ID
The IPC access modes
The IPC sequence number
The IPC key value
The values are taken from the ipc_perm structure associated with the IPC object. The following figure shows the token format.
An ipc_perm token is displayed by praudit as follows:
IPC perm,root,wheel,root,wheel,0,0,0x00000000
The iport token contains the TCP (or UDP) port address. The fields are:
A token ID
A TCP/UDP address
The following figure shows the token format.
An iport token is displayed by praudit as follows:
iport,0xf6d6
The liaison token contains a liaison ID used by the Trusted Networking software. The fields are:
A token ID
The liaison ID
The following figure shows the token format.
A liaisontoken is displayed by praudit as follows:
liaison,17
This token is the replacement for the groups token. Note that praudit does not distinguish between the two tokens as both token IDs are labelled groups when character output is displayed.
The newgroups token records the groups entries from the process's credential. The fields are:
A token ID field
A count of the number of groups contained in this audit record.
Zero or more group entries.
The following figure shows the token format.
The newgroups token is output only when the audit policy group is active. See "The auditconfig Command" for more information.
A newgroups token is displayed by praudit as follows:
newgroups,1,analysts
The opaque token contains unformatted data as a sequence of bytes. The fields are:
A token ID
A byte count of the data array
An array of byte data
The following figure shows the token format.
An opaque token is displayed by praudit as follows:
opaque,12,0x4f5041515545204441544100
The path token contains access path information for an object. The fields are:
A token ID
A byte count of the path length (does not show)
An absolute path to the object based on the real root of the system
The following figure shows the token format.
A path token is displayed by praudit as follows:
path,/etc/security/audit/patchwork
The priv token contains use of privilege information. The fields are:
A token ID
A success/failure field indicating whether the use of privilege was successful (1 success, 0 failure)
The privilege being tested
The following figure shows a priv token.
A priv token is displayed by praudit as follows:
useofpriv,failed use of priv,win_mac_write
The privilege token contains privilege information for an object or a subject. The fields are:
A token ID
The type of privilege
The privilege set
where type is one of the following:
Value |
Type |
---|---|
0 |
Unknown or Undefined |
1 |
Forced |
2 |
Allowed |
3 |
Effective |
4 |
Inheritable |
5 |
Permitted |
6 |
Saved |
The following figure shows the token format.
A privilege token is displayed by praudit as follows:
privilege,1,proc_tcb_audit
The process token contains information describing a process as an object such as the recipient of a signal. The fields are:
A token ID
The user audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The session ID
A terminal ID made up of
A device ID
A workstation ID
The following figure shows the token format.
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
The process token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
A process token is displayed by praudit as follows:
process,root,root,wheel,root,wheel,0,0,0,0.0.0.0
The return token contains the return status of the system call (u_error) and the process return value (u_rval1). The token indicates exit status and other return values in application auditing. This token is always returned as part of kernel-generated audit records for system calls. The fields are:
A token ID
The system call error status
The system call return value
The following figure shows the token format.
A return token is displayed by praudit as follows:
return,failure: No such file or directory,-1
The seq token (sequence token) is an optional token that contains an increasing sequence number. This token is for debugging. The token is added to each audit record when the AUDIT_SEQ policy is active. The fields are:
A token ID
A 32-bit unsigned long-sequence number
The sequence number is incremented every time an audit record is generated and put onto the audit trail. The following figure shows the token format.
A seq token is displayed by praudit as follows:
sequence,1292
The slabel token contains a sensitivity label. The fields are:
A token ID
A sensitivity label
The following figure shows the token format.
An slabel token is displayed by praudit as follows:
slabel,ADMIN_LOW
The socket token contains information describing an Internet socket. The fields are:
A token ID
A socket type field (TCP/UDP/UNIX)
The local port address
The local Internet address
The remote port address
The remote Internet address
The socket type is taken from the designated socket and the port and Internet addresses are taken from the socket's inpcb control structure. The following figure shows the token format.
A socket token is displayed by praudit as follows:
socket,0x0000,0x0000,0.0.0.0,0x0000,0.0.0.0 socket,0x0002,0x8008,patchwork
The socket-inet token describes a socket connection to a local port, which is used to represent the socket information in the Internet namespace. The fields are:
A token ID
A socket family field that indicates the Internet family (AF_INET, AF_OSI, and so on)
The local port address
The socket address
The following figure shows the token format.
A socket-inet token is displayed by praudit as follows:
socket,0x0002,0x8008,patchwork
The subject token describes a subject (process). The structure is the same as the process token:
A token ID
The user audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The session ID
A terminal ID made up of
A device ID
A workstation ID
This token is always returned as part of kernel-generated audit records for system calls. The audit ID, user ID, group ID, process ID, and session ID are long instead of short. Figure B-25 shows the token format.
The subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
A subject token is displayed by praudit as follows:
subject,root,root,staff,root,staff,552,552,24 3 patchwork
The text token contains a text string. The fields are:
A token ID
The length of the text string (does not show)
A text string
The following figure shows the token format.
A text token is displayed by praudit as follows:
text,emily
A trailer token it marks the end of an audit record to support backward seeks of the audit trail. It is an optional token that is added as the last token of each record only when the AUDIT_TRAIL audit policy has been set. The fields are:
A token ID
A pad number that marks the end of the record (does not show)
The total number of audit record characters including the header and trailer tokens
The following figure shows the token format.
A trailer token is displayed by praudit as follows:
trailer,136
The xatom token contains information concerning an X atom. The fields are:
A token ID
The string length
A text string identifying the atom
The following figure shows the token format.
An xatom token is displayed by praudit as follows:
xatom,_DT_SAVE_MODE
The xclient token contains information concerning the X client. The fields are:
A token ID
The client ID
The following figure shows the token format.
An xclient token is displayed by praudit as follows:
xclient,15
The xcolormap token contains information about the colormaps. The fields are:
A token ID
The X server identifier
The creator's user ID
The following figure shows the token format.
An xcolormap token is displayed by praudit as follows:
xcolormap,0x08c00005,srv
The xcursor token contains information about the cursors. The fields are:
A token ID
The X server identifier
The creator's user ID
Figure B-35 shows the token format.
An xcursor token is displayed by praudit as follows:
xcursor,0x0f400006,srv
The xfont token contains information about the fonts. The fields are:
A token ID
The X server identifier
The creator's user ID
Figure B-35 shows the token format.
An xfont token is displayed by praudit as follows:
xfont,0x08c00001,srv
The xgc token contains information about the xgc. The fields are:
A token ID
The X server identifier
The creator's user ID
Figure B-35 shows the token format.
An xgc token is displayed by praudit as follows:
xgc,0x002f2ca0,srv
The xpixmap token contains information about the pixel mappings. The fields are:
A token ID
The X server identifier
The creator's user ID
Figure B-35 shows the token format.
An xpixmap token is displayed by praudit as follows:
xpixmap,0x08c00005,srv
The xproperty token contains information about various properties of a window. The fields are:
A token ID
The X server identifier
The creator's user ID
A string length
A string (atom name)
The following figure shows an xproperty token format.
An xproperty token is displayed by praudit as follows:
xproperty,0x000075d5,root,_MOTIF_DEFAULT_BINDINGS
The xselect token contains the data moved between windows. This data is a byte stream with no assumed internal structure, and a property string. The fields are:
A token ID
The length of the property string
The property string
A length for the property type
The property type string
A length field that gives the number of bytes of data
A byte string containing the data
The following figure shows the token format.
An xselect token is displayed by praudit as follows:
xselect,
The xwindow token contains information about a window. The fields are:
A token ID
The X server identifier
The creator's user ID
Figure B-35 shows the token format.
An xwindow token is displayed by praudit as follows:
xwindow,0x07400001,gww