The subject token describes a subject (process). The structure is the same as the process token:
A token ID
The user audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The session ID
A terminal ID made up of
A device ID
A workstation ID
This token is always returned as part of kernel-generated audit records for system calls. The audit ID, user ID, group ID, process ID, and session ID are long instead of short. Figure B-25 shows the token format.
The subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.
A subject token is displayed by praudit as follows:
subject,root,root,staff,root,staff,552,552,24 3 patchwork