The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The fields are:
- A token ID
- The record length in bytes, including the header and trailer tokens
- An audit record structure version number
- An event ID identifying the type of audit event
- An event ID modifier with descriptive information about the event type
- The time and date the record was created
The following figure shows a header token.
The event modifier field has the following flags defined:
| Value | Constant Name | Description |
|---|---|---|
| 0x0001 | PAD_MACUSE | MAC decision was successful |
| 0x0002 | PAD_MACREAD | MAC read failure |
| 0x0004 | PAD_MACWRITE | MAC write failure |
| 0x0008 | PAD_MACSEARCH | MAC search failure |
| 0x0010 | PAD_MACKILL | MAC signal failure |
| 0x0020 | PAD_MACTRACE | MAC trace failure |
| 0x0040 | PAD_MACIOCTL | MAC ioctl failure |
| 0x0080 | PAD_SPRIVUSE | Successful use of privilege |
| 0x0100 | PAD_FPRIVUSE | Failed use of privilege |
| 0x4000 | PAD_NONATTR | Nonattributable event |
| 0x8000 | PAD_FAILURE | Failed audit event |
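The event modifier is a bitmask, so a single header can carry several of the flags above at once (a failed privilege use on a failed event, for instance). The following decoder is an added example, not code from the Solaris documentation; it uses only the flag values in the table, and the modifier values fed to it are constructed samples.

```python
# Decode the event-modifier field of a BSM header token into the constant
# names listed in the table above. Added example; the values passed to these
# functions below are constructed, not taken from a real audit trail.

EVENT_MODIFIER_FLAGS = {
    0x0001: "PAD_MACUSE",
    0x0002: "PAD_MACREAD",
    0x0004: "PAD_MACWRITE",
    0x0008: "PAD_MACSEARCH",
    0x0010: "PAD_MACKILL",
    0x0020: "PAD_MACTRACE",
    0x0040: "PAD_MACIOCTL",
    0x0080: "PAD_SPRIVUSE",
    0x0100: "PAD_FPRIVUSE",
    0x4000: "PAD_NONATTR",
    0x8000: "PAD_FAILURE",
}


def decode_event_modifier(modifier: int) -> list[str]:
    """Return the constant name of every flag bit set in a 16-bit modifier.

    Bits the table does not define are reported as UNKNOWN_0x.... rather than
    silently dropped, so a reviewer notices values outside the documented set.
    """
    names = []
    for bit in range(16):
        mask = 1 << bit
        if modifier & mask:
            names.append(EVENT_MODIFIER_FLAGS.get(mask, f"UNKNOWN_{mask:#06x}"))
    return names


def classify_record(modifier: int) -> dict:
    """Summarise the modifier the way a triage script would read it:
    did the event fail, can it be attributed to a user, and did it
    involve a (successful or failed) use of privilege."""
    flags = set(decode_event_modifier(modifier))
    if "PAD_FPRIVUSE" in flags:
        privilege = "failed"
    elif "PAD_SPRIVUSE" in flags:
        privilege = "successful"
    else:
        privilege = None
    return {
        "outcome": "failure" if "PAD_FAILURE" in flags else "success",
        "attributable": "PAD_NONATTR" not in flags,
        "privilege_use": privilege,
        "mac_failure": any(f.startswith("PAD_MAC") and f != "PAD_MACUSE"
                           for f in flags),
    }
```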
A header token is displayed by praudit as follows:
header,449,3,pfsh(1M),,Mon May