header Token
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The fields are:
-
A token ID
-
The record length in bytes, including the header and trailer tokens
-
An audit record structure version number
-
An event ID identifying the type of audit event from the /etc/security/audit_event file:
-
The praudit -l command displays the event description, for example, system booted.
-
The praudit -r command displays the event number, for example, 113.
-
The praudit -s command displays the event ID, for example, AUE_SYSTEMBOOT.
-
-
An event ID modifier with descriptive information about the event type
-
For extended headers, an IP address type
-
For extended headers, the IP address of the source machine in IPv6 or IPv4 format
-
The time and date the record was created
The following figure shows a header token.
Figure B–12 header Token Format
The event modifier field has the following flags defined:
|
Value |
Constant Name |
Description |
|---|---|---|
|
0x0001 |
PAD_READ |
Data read from object |
|
0x0002 |
PAD_WRITE |
Data written to object |
|
0x0080 |
PAD_SPRIVUSE |
Successfully used privilege |
|
0x0100 |
PAD_FPRIVUSE |
Failed use of privilege |
|
0x4000 |
PAD_NONATTR |
Nonattributable event |
|
0x8000 |
PAD_FAILURE |
Failed audit event |
For the Trusted Solaris 7 and Trusted Solaris 8 4/01 releases, the header token can be displayed with a 64-bit time stamp, in place of the 32-bit time stamp.
For the Trusted Solaris 8 4/01 release, the Internet Address can be displayed as a IPv4 address using 4 bytes, or as an IPv6 address using 16 bytes to describe the type, and 16 bytes to describe the address.
A header token is displayed by praudit as follows:
header,240,1,ioctl(2),,Tue Sept 7 16:11:44 2000, + 270 msec
- © 2010, Oracle Corporation and/or its affiliates