The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The fields are:
- A token ID
- The record length in bytes, including the header and trailer tokens
- An audit record structure version number
- An event ID identifying the type of audit event from the /etc/security/audit_event file:
  - The praudit -l command displays the event description, for example, system booted.
  - The praudit -r command displays the event number, for example, 113.
  - The praudit -s command displays the event ID, for example, AUE_SYSTEMBOOT.
- An event ID modifier with descriptive information about the event type
- For extended headers, an IP address type
- For extended headers, the IP address of the source machine in IPv6 or IPv4 format
- The time and date the record was created
The following figure shows a header token.
The event modifier field has the following flags defined:
Value | Constant Name | Description
---|---|---
0x0001 | PAD_READ | Data read from object
0x0002 | PAD_WRITE | Data written to object
0x0080 | PAD_SPRIVUSE | Successfully used privilege
0x0100 | PAD_FPRIVUSE | Failed use of privilege
0x4000 | PAD_NONATTR | Nonattributable event
0x8000 | PAD_FAILURE | Failed audit event
For the Trusted Solaris 7 and Trusted Solaris 8 4/01 releases, the header token can be displayed with a 64-bit time stamp, in place of the 32-bit time stamp.
For the Trusted Solaris 8 4/01 release, the Internet Address can be displayed as an IPv4 address using 4 bytes, or as an IPv6 address using 16 bytes to describe the type, and 16 bytes to describe the address.
A header token is displayed by praudit as follows:
```
header,240,1,ioctl(2),,Tue Sept 7 16:11:44 2000, + 270 msec
```
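As an added example (not code from the Solaris documentation), the following Python splits a praudit header line like the one above into the fields listed at the top of this page and decodes the event modifier against the PAD_* table. The PAD_* values come from the page; the seven-field layout and the assumption that praudit prints a non-zero modifier as hex digits are assumptions of this example, as is the second sample line, which is constructed.

```python
import re

# Event modifier flags exactly as the page's table defines them.
MODIFIER_FLAGS = {
    0x0001: "PAD_READ",
    0x0002: "PAD_WRITE",
    0x0080: "PAD_SPRIVUSE",
    0x0100: "PAD_FPRIVUSE",
    0x4000: "PAD_NONATTR",
    0x8000: "PAD_FAILURE",
}

def decode_modifier(value):
    """Return the names of the flags set in a modifier value; undefined bits
    are reported as UNKNOWN rather than silently dropped."""
    names = [name for bit, name in sorted(MODIFIER_FLAGS.items()) if value & bit]
    unknown = value & ~sum(MODIFIER_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%04x)" % unknown)
    return names

# Constructed sample lines; the first is the one shown on this page, the
# second assumes praudit prints a non-zero modifier as hex digits.
SAMPLE_LINES = [
    "header,240,1,ioctl(2),,Tue Sept 7 16:11:44 2000, + 270 msec",
    "header,96,1,open(2) - read,8001,Tue Sept 7 16:12:02 2000, + 5 msec",
]

def parse_header(line):
    """Split a praudit header line into a dict keyed by the field names the page lists."""
    fields = line.split(",")
    if len(fields) != 7 or fields[0] != "header":
        raise ValueError("not a praudit header token: %r" % line)
    _, length, version, event, modifier, timestamp, msec = fields
    m = re.fullmatch(r"\s*\+\s*(\d+)\s*msec", msec)
    if m is None:
        raise ValueError("unexpected millisecond field: %r" % msec)
    return {"length": int(length), "version": int(version), "event": event,
            "modifier": int(modifier, 16) if modifier else 0,
            "timestamp": timestamp.strip(), "msec": int(m.group(1))}

def failed_events(lines):
    """Records whose modifier carries PAD_FAILURE, the first thing to look at
    when triaging an audit trail."""
    return [h for h in map(parse_header, lines)
            if "PAD_FAILURE" in decode_modifier(h["modifier"])]
```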