Trusted Solaris Audit Administration

Order of Audit Tokens

Each audit record begins with a header token and ends (optionally) with a trailer token. One or more tokens between the header and trailer describe the event. For user-level and kernel events, the tokens describe the process that performed the event, the objects on which it was performed, and the objects' attributes, such as the owner or mode.

For example, the AUE_LSTAT kernel event, whose audit record is described in Table B-70, has the following tokens:

If the trail policy has been turned on using the auditconfig command, the trailer token appears in the audit record after the return token.
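The ordering rule above can be checked mechanically when reviewing a trail. The following is an added example, not code from the Trusted Solaris documentation: it verifies that each record begins with a header token and that a trailer token, when present, is the last token and comes after a return token. It assumes audit text with one token per line and the token name as the first comma-separated field; the sample records and the function names are constructed for illustration.

```python
# Added example: header/trailer ordering check over praudit-style text.
# Assumption: one token per line, token name is the first comma-separated
# field. The remaining fields in SAMPLE are constructed and never parsed.

SAMPLE = """\
header,113,2,lstat(2),,Mon Jan 01 10:00:00 2001
path,/etc/motd
subject,root,root,other,root,other,412,412
return,success,0
trailer,113
header,101,2,lstat(2),,Mon Jan 01 10:00:05 2001
path,/etc/motd
subject,root,root,other,root,other,413,413
return,success,0
"""  # constructed sample; the second record has no trailer token


def split_records(text):
    """Group token names into records; a header token starts a new record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name = line.split(",", 1)[0].strip()
        if name == "header" or not records:
            records.append([])
        records[-1].append(name)
    return records


def check_record(tokens, trail_policy=False):
    """Return the ordering problems found in one record (empty if none)."""
    problems = []
    if tokens[0] != "header":
        problems.append("record does not begin with a header token")
    if "trailer" in tokens:
        if tokens[-1] != "trailer" or tokens.count("trailer") > 1:
            problems.append("trailer token is not the final token")
        elif "return" not in tokens[:-1]:
            problems.append("trailer token does not follow a return token")
    elif trail_policy:
        problems.append("trail policy is on but the trailer token is missing")
    return problems


def check_trail(text, trail_policy=False):
    """Return (record number, problem) pairs for every record in the text."""
    return [(i, p) for i, rec in enumerate(split_records(text), 1)
            for p in check_record(rec, trail_policy)]
```

Calling `check_trail(SAMPLE, trail_policy=True)` flags the second record, because with the trail policy on every record is expected to end with a trailer token.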