NAME | SYNOPSIS | DESCRIPTION | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
SYNOPSIS
#include <bsm/audit.h>
#include <bsm/audit_record.h>
DESCRIPTION
audit.log files are the depository for audit records stored locally or on an audit server. These files are kept in the directories named in the file audit_control(4). They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form
yyyymmddhhmmss.not_terminated.hostname
when the file is open or if auditd(1M) terminated ungracefully, and the form
yyyymmddhhmmss.yyyymmddhhmmss.hostname
when the file is properly closed. yyyy is the year, mm the month, dd the day of the month, hh the hour of the day, mm the minute of the hour, and ss the second of the minute. All fields are of fixed width.
The audit.log file begins with a standalone file token and typically ends with one as well. The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file. If the file name is NULL, the corresponding path was unavailable.
The audit.log files contain audit records. Each audit record is made up of audit tokens: a header token followed by various data tokens. Depending on the audit policy set with auditon(2), other optional tokens such as trailers or sequences may be included.
The tokens are defined as follows:
The file token consists of:
    token ID                    char
    seconds of time             uint_t
    milliseconds of time        uint_t
    file name length            short
    file pathname               null terminated string

The header token consists of:
    token ID                    char
    record byte count           ulong_t
    version #                   char (1)
    event type                  ushort_t
    event modifier              ushort_t
    seconds of time             uint_t
    milliseconds of time        uint_t

The trailer token consists of:
    token ID                    char
    trailer magic number        ushort_t
    record byte count           ulong_t

The arbitrary data token consists of:
    token ID                    char
    how to print                char
    basic unit                  char
    unit count                  char
    data items                  depends on basic unit

The in_addr token consists of:
    token ID                    char
    internet address            char

The ip token consists of:
    token ID                    char
    version and ihl             char
    type of service             char
    length                      short
    id                          ushort_t
    offset                      ushort_t
    ttl                         char
    protocol                    char
    checksum                    ushort_t
    source address              long
    destination address         long

The iport token consists of:
    token ID                    char
    port address                short

The opaque token consists of:
    token ID                    char
    size                        short
    data                        char, size chars

The path token consists of:
    token ID                    char
    path length                 short
    path                        null terminated string

The process token consists of:
    token ID                    char
    auid                        ulong_t
    euid                        ulong_t
    egid                        ulong_t
    ruid                        ulong_t
    rgid                        ulong_t
    pid                         ulong_t
    sid                         ulong_t
    terminal ID                 ulong_t (port ID), ulong_t (machine ID)

The return token consists of:
    token ID                    char
    error number                char
    return value                long

The subject token consists of:
    token ID                    char
    auid                        ulong_t
    euid                        ulong_t
    egid                        ulong_t
    ruid                        ulong_t
    rgid                        ulong_t
    pid                         ulong_t
    sid                         ulong_t
    terminal ID                 ulong_t (port ID), ulong_t (machine ID)

The System V IPC token consists of:
    token ID                    char
    object ID type              char
    object ID                   long

The text token consists of:
    token ID                    char
    text length                 short
    text                        null terminated string

The attribute token consists of:
    token ID                    char
    mode                        ulong_t
    uid                         ulong_t
    gid                         ulong_t
    file system id              long
    node id                     long
    device                      ulong_t

The groups token consists of:
    token ID                    char
    number                      short
    group list                  long, size chars

The System V IPC permission token consists of:
    token ID                    char
    uid                         ulong_t
    gid                         ulong_t
    cuid                        ulong_t
    cgid                        ulong_t
    mode                        ulong_t
    seq                         ulong_t
    key                         long

The arg token consists of:
    token ID                    char
    argument #                  char
    argument value              long
    string length               short
    text                        null terminated string

The exec_args token consists of:
    token ID                    char
    count                       long
    text                        count null terminated string(s)

The exec_env token consists of:
    token ID                    char
    count                       long
    text                        count null terminated string(s)

The exit token consists of:
    token ID                    char
    status                      long
    return value                long

The socket token consists of:
    token ID                    char
    socket type                 short
    local port                  short
    local Internet address      char
    remote port                 short
    remote Internet address     char

The seq token consists of:
    token ID                    char
    sequence number             long

The acl token consists of:
    token ID                    char
    num of entries              int
    (the following three fields are repeated num times)
    object type                 int
    uid/gid                     int
    permissions                 short

The clearance token consists of:
    token ID                    char
    CLEARANCE label ID          char
    pad character               char
    classification              short
    compartments                8 ints

The host token consists of:
    token ID                    char
    local Internet address      long

The liaison token consists of:
    token ID                    char
    liaison ID                  int

The priv token consists of:
    token ID                    char
    succ/fail                   char
    priv. used                  int

The privilege token consists of:
    token ID                    char
    type of set                 char
    priv. set                   4 ints

The slabel token consists of:
    token ID                    char
    SLABEL pad character        char
    classification              short
    compartments                8 ints

The xatom token consists of:
    token ID                    char
    string length               short
    atom string                 string length bytes

The xcolormap token consists of:
    token ID                    char
    XID                         int
    creator UID                 int

The xcursor token consists of:
    token ID                    char
    XID                         int
    creator UID                 int

The xfont token consists of:
    token ID                    char
    XID                         int
    creator UID                 int

The xgc token consists of:
    token ID                    char
    XID                         int
    creator UID                 int

The xpixmap token consists of:
    token ID                    char
    XID                         int
    creator UID                 int

The xproperty token consists of:
    token ID                    char
    XID                         int
    creator UID                 int
    string length               short
    string                      string length bytes

The xselect token consists of:
    token ID                    char
    property length             short
    property string             property length bytes
    prop. type len.             short
    prop type                   prop. type len. bytes
    data length                 short
    window data                 data length bytes

The xwindow token consists of:
    XID                         int
    creator UID                 int
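As an added example (not taken from this man page or from the Solaris sources), a minimal Python reader for the layout described above: it walks the opening file token, each record's header, text and trailer tokens, and the closing file token, and rejects a record whose byte count or trailer does not agree with its header. The token ID values and the trailer magic number are assumed from bsm/audit_record.h rather than this page, and the sample log is constructed inline.

```python
import struct

# Token ID values and the trailer magic number are assumptions taken from
# bsm/audit_record.h on a Solaris/OpenBSM system; they are not on this page.
AUT_FILE, AUT_TRAILER, AUT_HEADER, AUT_TEXT, AUT_TRAILER_MAGIC = 0x11, 0x13, 0x14, 0x28, 0xB105

def parse_file_token(buf, pos):
    # file token: ID char, seconds uint_t, msec uint_t, name length short, NUL-terminated path
    if buf[pos] != AUT_FILE: raise ValueError("expected file token at offset %d" % pos)
    sec, msec, n = struct.unpack_from(">IIH", buf, pos + 1)
    path = buf[pos + 11:pos + 11 + n].rstrip(b"\0").decode()
    return {"sec": sec, "msec": msec, "path": path or None}, pos + 11 + n

def parse_record(buf, pos):
    # header token (18 bytes): ID char, byte count ulong_t, version char, event type ushort_t,
    # event modifier ushort_t, seconds uint_t, msec uint_t; the byte count spans header to trailer
    if buf[pos] != AUT_HEADER: raise ValueError("expected header token at offset %d" % pos)
    nbytes, ver, ev, mod, sec, msec = struct.unpack_from(">IBHHII", buf, pos + 1)
    end = pos + nbytes
    if nbytes < 18 or end > len(buf): raise ValueError("bad record byte count at offset %d" % pos)
    rec = {"version": ver, "event": ev, "modifier": mod, "sec": sec, "msec": msec, "tokens": []}
    p = pos + 18
    while p < end:
        tid = buf[p]
        if tid == AUT_TEXT:                 # text length short, NUL-terminated text
            (n,) = struct.unpack_from(">H", buf, p + 1)
            rec["tokens"].append(("text", buf[p + 3:p + 3 + n].rstrip(b"\0").decode()))
            p += 3 + n
        elif tid == AUT_TRAILER:            # trailer magic ushort_t, record byte count ulong_t
            magic, count = struct.unpack_from(">HI", buf, p + 1)
            if magic != AUT_TRAILER_MAGIC or count != nbytes: raise ValueError("bad trailer at %d" % p)
            p += 7
        else: raise ValueError("unsupported token 0x%02x at offset %d" % (tid, p))
    if p != end: raise ValueError("token lengths do not add up to record byte count")
    return rec, end

def parse_log(buf):
    # whole audit.log: opening file token, zero or more records, closing file token
    prev, p = parse_file_token(buf, 0)
    recs = []
    while p < len(buf) and buf[p] == AUT_HEADER:
        rec, p = parse_record(buf, p)
        recs.append(rec)
    return prev, recs, parse_file_token(buf, p)[0]

def build_sample():
    # constructed sample, not real audit data: one record carrying a single text token
    ftok = lambda path: b"\x11" + struct.pack(">IIH", 1325376000, 0, len(path)) + path
    body = b"\x28" + struct.pack(">H", 6) + b"hello\0"
    n = 18 + len(body) + 7
    rec = b"\x14" + struct.pack(">IBHHII", n, 1, 6, 0, 1325376000, 0) + body + b"\x13" + struct.pack(">HI", 0xB105, n)
    return ftok(b"/var/audit/20120101000000.20120101000000.host\0") + rec + ftok(b"\0")
```

A record that is cut short, or whose trailer count disagrees with the header, raises ValueError instead of being silently accepted, which is the check a forensic reader of these files wants before trusting a record's contents.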
SUMMARY OF TRUSTED SOLARIS CHANGES
These audit tokens have been added to the Trusted Solaris auditing module: acl, clearance, host, liaison, priv, privilege, slabel, xatom, xcolormap, xcursor, xfont, xgc, xpixmap, xproperty, xselect, and xwindow. Trusted Solaris auditing also uses auditwrite(3) instead of au_to_*() function calls to create audit tokens.
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.
Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.
As a result, Trusted Solaris 7 has the following characteristics:
ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
ILs do not float.
Setting an IL on an object has no effect.
Getting an object's IL will always return ADMIN_LOW.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs are always ADMIN_LOW, and cannot be set on any objects.
Options related to information labels in the label_encodings(4) file can be ignored:
Markings Name= Marks; Float Process Information Label;