header Token
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The fields are:
-
A token ID
-
The record length in bytes, including the header and trailer tokens
-
An audit record structure version number
-
An event ID identifying the type of audit event
-
An event ID modifier with descriptive information about the event type
-
The time and date the record was created
The following figure shows a header token.
Figure B-12 header Token Format
The event modifier field has the following flags defined:
|
Value |
Constant Name |
Description |
|---|---|---|
|
0x0001 |
PAD_MACUSE |
MAC decision was successful |
|
0x0002 |
PAD_MACREAD |
MAC read failure |
|
0x0004 |
PAD_MACWRITE |
MAC write failure |
|
0x0008 |
PAD_MACSEARCH |
MAC search failure |
|
0x0010 |
PAD_MACKILL |
MAC signal failure |
|
0x0020 |
PAD_MACTRACE |
MAC trace failure |
|
0x0040 |
PAD_MACIOCTL |
MAC ioctl failure |
|
0x0080 |
PAD_SPRIVUSE |
Successful use of privilege |
|
0x0100 |
PAD_FPRIVUSE |
Failed use of privilege |
|
0x4000 |
PAD_NONATTR |
Nonattributable event |
|
0x8000 |
PAD_FAILURE |
Failed audit event |
A header token is displayed by praudit as follows:
header,449,3,pfsh(1M),,Mon May
- © 2010, Oracle Corporation and/or its affiliates