NAME | SYNOPSIS | DESCRIPTION | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
#include <bsm/audit.h>
#include <bsm/audit_record.h>
audit.log files are the repository for audit records stored locally or on an audit server. These files are kept in the directories named in audit_control(4). They are named to reflect the time they are created and, when possible, are renamed to reflect the time they are closed as well. The name takes the form
    yyyymmddhhmmss.not_terminated.hostname
while the file is still open or if auditd(1M) terminated ungracefully, and the form
    yyyymmddhhmmss.yyyymmddhhmmss.hostname
when properly closed. yyyy is the year, mm the month, dd the day of the month, hh the hour of the day, mm the minute of the hour, and ss the second of the minute; the first timestamp is the creation time and the second the close time. All of these time fields are of fixed width.
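The two name forms above are what an investigator sees when listing an audit directory. The following is an added example, not code from the audit.log(4) page or from Solaris: it decodes the names and flags not_terminated files that are not the newest one for their host, since those were left behind by an ungraceful auditd exit and may be truncated. The sample names are constructed; the page does not state a time zone for the stamps, so naive datetimes are returned.

```python
"""Decode audit.log file names and flag files auditd never closed cleanly.

Added example; not from the audit.log(4) man page or from Solaris.
"""
import re
from datetime import datetime

# yyyymmddhhmmss.yyyymmddhhmmss.hostname  or  yyyymmddhhmmss.not_terminated.hostname
# The hostname may itself contain dots, so it is matched last and greedily.
_NAME_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")
_FMT = "%Y%m%d%H%M%S"


def parse_audit_name(name):
    """Return (opened, closed, hostname); closed is None for a not_terminated file.

    Raises ValueError for names that do not follow the pattern or whose close
    time precedes the open time (a sign of a renamed or forged file).
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not an audit.log file name: %r" % name)
    opened = datetime.strptime(m.group(1), _FMT)
    closed = None
    if m.group(2) != "not_terminated":
        closed = datetime.strptime(m.group(2), _FMT)
        if closed < opened:
            raise ValueError("close time precedes open time in %r" % name)
    return opened, closed, m.group(3)


def stale_unterminated(names):
    """Return the not_terminated files that are not the newest file for their host.

    The newest not_terminated file per host is the one auditd is writing now.
    Any older one was open when auditd terminated ungracefully: it has no
    closing file token and its last record may be incomplete.
    """
    by_host = {}
    for n in names:
        opened, closed, host = parse_audit_name(n)
        by_host.setdefault(host, []).append((opened, closed, n))
    stale = []
    for entries in by_host.values():
        entries.sort(key=lambda e: e[0])
        newest = entries[-1][2]
        stale += [n for _, closed, n in entries if closed is None and n != newest]
    return stale


if __name__ == "__main__":
    # Constructed directory listing (not real data).
    listing = [
        "20000101000000.20000101060000.host1",
        "20000101060000.not_terminated.host1",   # auditd crashed here
        "20000101070000.20000101120000.host1",
        "20000101120000.not_terminated.host1",   # currently being written
    ]
    print(stale_unterminated(listing))
```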
The audit.log file begins with a standalone file token and normally ends with one as well. The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file. If the file name is NULL, the corresponding path was unavailable.
The audit.log files contain audit records. Each audit record is made up of audit tokens. Each record contains a header token followed by various data tokens. Depending on the audit policy set with auditon(2), other optional tokens, such as trailer or sequence tokens, may be included.
The tokens are defined as follows:
The file token consists of:
    token ID                   1 byte
    seconds of time            4 bytes
    milliseconds of time       4 bytes
    file name length           2 bytes
    file pathname              N bytes + 1 terminating NULL byte
The header token consists of:
    token ID                   1 byte
    record byte count          4 bytes
    version #                  1 byte [2]
    event type                 2 bytes
    event modifier             2 bytes
    seconds of time            4 bytes/8 bytes (32-bit/64-bit value)
    milliseconds of time       4 bytes/8 bytes (32-bit/64-bit value)
The expanded header token consists of:
    token ID                   1 byte
    record byte count          4 bytes
    version #                  1 byte [2]
    event type                 2 bytes
    event modifier             2 bytes
    address type/length        4 bytes
    machine address            4 bytes/16 bytes (IPv4/IPv6 address)
    seconds of time            4 bytes/8 bytes (32-bit/64-bit value)
    milliseconds of time       4 bytes/8 bytes (32-bit/64-bit value)
The trailer token consists of:
    token ID                   1 byte
    trailer magic number       2 bytes
    record byte count          4 bytes
The arbitrary data token consists of:
    token ID                   1 byte
    how to print               1 byte
    basic unit                 1 byte
    unit count                 1 byte
    data items                 (depends on basic unit)
The in_addr token consists of:
    token ID                   1 byte
    internet address           4 bytes
The expanded in_addr token consists of:
    token ID                   1 byte
    IP address type/length     4 bytes
    IP address                 16 bytes
The ip token consists of:
    token ID                   1 byte
    version and ihl            1 byte
    type of service            1 byte
    length                     2 bytes
    id                         2 bytes
    offset                     2 bytes
    ttl                        1 byte
    protocol                   1 byte
    checksum                   2 bytes
    source address             4 bytes
    destination address        4 bytes
The expanded ip token consists of:
    token ID                   1 byte
    version and ihl            1 byte
    type of service            1 byte
    length                     2 bytes
    id                         2 bytes
    offset                     2 bytes
    ttl                        1 byte
    protocol                   1 byte
    checksum                   2 bytes
    address type/length        4 bytes
    source address             4 bytes/16 bytes (IPv4/IPv6 address)
    address type/length        4 bytes
    destination address        4 bytes/16 bytes (IPv4/IPv6 address)
The iport token consists of:
    token ID                   1 byte
    port IP address            2 bytes
The opaque token consists of:
    token ID                   char
    size                       short
    data                       char, size chars
The path token consists of:
    token ID                   1 byte
    path length                2 bytes
    path                       N bytes + 1 terminating NULL byte
The process token consists of:
    token ID                   1 byte
    audit ID                   4 bytes
    effective user ID          4 bytes
    effective group ID         4 bytes
    real user ID               4 bytes
    real group ID              4 bytes
    process ID                 4 bytes
    session ID                 4 bytes
    terminal ID
        port ID                4 bytes/8 bytes (32-bit/64-bit value)
        machine address        4 bytes
The expanded process token consists of:
    token ID                   1 byte
    audit ID                   4 bytes
    effective user ID          4 bytes
    effective group ID         4 bytes
    real user ID               4 bytes
    real group ID              4 bytes
    process ID                 4 bytes
    session ID                 4 bytes
    terminal ID
        port ID                4 bytes/8 bytes (32-bit/64-bit value)
        address type/length    4 bytes
        machine address        16 bytes
The return token consists of:
    token ID                   1 byte
    error number               1 byte
    return value               4 bytes/8 bytes (32-bit/64-bit value)
The subject token consists of:
    token ID                   1 byte
    audit ID                   4 bytes
    effective user ID          4 bytes
    effective group ID         4 bytes
    real user ID               4 bytes
    real group ID              4 bytes
    process ID                 4 bytes
    session ID                 4 bytes
    terminal ID
        port ID                4 bytes/8 bytes (32-bit/64-bit value)
        machine address        4 bytes
The expanded subject token consists of:
    token ID                   1 byte
    audit ID                   4 bytes
    effective user ID          4 bytes
    effective group ID         4 bytes
    real user ID               4 bytes
    real group ID              4 bytes
    process ID                 4 bytes
    session ID                 4 bytes
    terminal ID
        port ID                4 bytes/8 bytes (32-bit/64-bit value)
        address type/length    4 bytes
        machine address        16 bytes
The System V IPC token consists of:
    token ID                   1 byte
    object ID type             1 byte
    object ID                  4 bytes
The text token consists of:
    token ID                   1 byte
    text length                2 bytes
    text                       N bytes + 1 terminating NULL byte
The attribute token consists of:
    token ID                   1 byte
    file access mode           4 bytes
    owner user ID              4 bytes
    owner group ID             4 bytes
    file system ID             4 bytes
    node ID                    8 bytes
    device                     4 bytes/8 bytes (32-bit/64-bit value)
The groups token consists of:
    token ID                   1 byte
    number groups              2 bytes
    group list                 N * 4 bytes
The System V IPC permission token consists of:
    token ID                   1 byte
    owner user ID              4 bytes
    owner group ID             4 bytes
    creator user ID            4 bytes
    creator group ID           4 bytes
    access mode                4 bytes
    slot sequence #            4 bytes
    key                        4 bytes
The arg token consists of:
    token ID                   1 byte
    argument #                 1 byte
    argument value             4 bytes/8 bytes (32-bit/64-bit value)
    text length                2 bytes
    text                       N bytes + 1 terminating NULL byte
The exec_args token consists of:
    token ID                   1 byte
    count                      4 bytes
    text                       count null-terminated string(s)
The exec_env token consists of:
    token ID                   1 byte
    count                      4 bytes
    text                       count null-terminated string(s)
The exit token consists of:
    token ID                   1 byte
    status                     4 bytes
    return value               4 bytes
The socket token consists of:
    token ID                   1 byte
    socket type                2 bytes
    remote port                2 bytes
    remote Internet address    4 bytes
The expanded socket token consists of:
    token ID                   1 byte
    socket type                2 bytes
    local port                 2 bytes
    address type/length        4 bytes
    local Internet address     4 bytes/16 bytes (IPv4/IPv6 address)
    remote port                4 bytes
    address type/length        4 bytes
    remote Internet address    4 bytes/16 bytes (IPv4/IPv6 address)
The seq token consists of:
    token ID                   1 byte
    sequence number            4 bytes
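The token layouts above are enough to walk a raw audit.log without praudit(1M), which is what an investigator needs when a file was left not_terminated or is suspected of tampering. The following parser is an added example, not code from the audit.log(4) page or from Solaris libbsm. The page gives field widths but not token ID numbers or the trailer magic; the numeric AUT_* values and the 0xB105 magic below are assumed from libbsm/OpenBSM <bsm/audit_record.h>. Only the 32-bit forms of the header, subject, path, text, return, trailer and file tokens are handled, and the sample trail is constructed, not captured from a system. The security-relevant check is the framing: the header's record byte count bounds the token walk, a trailer's magic and count must match, and a truncated record is rejected rather than silently merged with the next one.

```python
"""Parser for BSM audit.log token framing. Added example; not libbsm code.

Token ID numbers and the trailer magic are not given on the man page; the
values here are assumed from libbsm/OpenBSM <bsm/audit_record.h>.
All multi-byte fields are big-endian.
"""
import struct

# Assumed token IDs (libbsm/OpenBSM values; not stated on the page).
AUT_FILE = 0x11
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105  # assumed trailer magic number


class AuditFormatError(ValueError):
    """Raised when the byte stream violates the token layouts."""


def _cstring(buf, off, length):
    """Read a counted string; the count includes the terminating NULL byte."""
    raw = buf[off:off + length]
    if length == 0 or len(raw) != length or raw[-1] != 0:
        raise AuditFormatError("string not NULL-terminated at offset %d" % off)
    return raw[:-1].decode("ascii", "replace"), off + length


def parse_token(buf, off):
    """Parse one token at buf[off:]; return (token dict, offset of next token)."""
    tid = buf[off]
    if tid == AUT_HEADER32:  # ID, count(4), version(1), event(2), modifier(2), sec(4), msec(4)
        count, ver, ev, mod, sec, msec = struct.unpack_from(">IBHHII", buf, off + 1)
        return {"type": "header", "count": count, "version": ver, "event": ev,
                "modifier": mod, "sec": sec, "msec": msec}, off + 18
    if tid == AUT_FILE:  # ID, sec(4), msec(4), length(2), pathname
        sec, msec, ln = struct.unpack_from(">IIH", buf, off + 1)
        path, nxt = _cstring(buf, off + 11, ln)
        return {"type": "file", "sec": sec, "msec": msec, "path": path or None}, nxt
    if tid == AUT_SUBJECT32:  # ID, seven 4-byte IDs, port ID(4), machine address(4)
        names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")
        tok = dict(zip(names, struct.unpack_from(">9I", buf, off + 1)))
        tok["type"] = "subject"
        return tok, off + 37
    if tid in (AUT_PATH, AUT_TEXT):  # ID, length(2), string
        (ln,) = struct.unpack_from(">H", buf, off + 1)
        s, nxt = _cstring(buf, off + 3, ln)
        return {"type": "path" if tid == AUT_PATH else "text", "value": s}, nxt
    if tid == AUT_RETURN32:  # ID, error number(1), return value(4)
        err, rv = struct.unpack_from(">BI", buf, off + 1)
        return {"type": "return", "errno": err, "value": rv}, off + 6
    if tid == AUT_TRAILER:  # ID, magic(2), record byte count(4)
        magic, count = struct.unpack_from(">HI", buf, off + 1)
        if magic != TRAILER_MAGIC:
            raise AuditFormatError("bad trailer magic 0x%04x at offset %d" % (magic, off))
        return {"type": "trailer", "count": count}, off + 7
    raise AuditFormatError("unsupported token ID 0x%02x at offset %d" % (tid, off))


def parse_record(buf, off=0):
    """Parse one record starting at a header token and verify its framing."""
    hdr, pos = parse_token(buf, off)
    if hdr["type"] != "header":
        raise AuditFormatError("record at offset %d does not start with a header" % off)
    end = off + hdr["count"]
    if hdr["count"] < 18 or end > len(buf):
        raise AuditFormatError("record byte count %d is out of range" % hdr["count"])
    tokens = [hdr]
    while pos < end:  # the header's count, not the trailer, bounds the walk
        tok, pos = parse_token(buf, pos)
        tokens.append(tok)
    if pos != end:
        raise AuditFormatError("tokens overrun record boundary at offset %d" % end)
    if tokens[-1]["type"] == "trailer" and tokens[-1]["count"] != hdr["count"]:
        raise AuditFormatError("trailer count %d != header count %d"
                               % (tokens[-1]["count"], hdr["count"]))
    return tokens, end


def parse_trail(buf):
    """Walk a whole audit.log: standalone file tokens at either end, records between."""
    off, items = 0, []
    while off < len(buf):
        if buf[off] == AUT_FILE:
            tok, off = parse_token(buf, off)
            items.append([tok])
        else:
            rec, off = parse_record(buf, off)
            items.append(rec)
    return items


def _file_token(path, sec=946684800):
    p = path.encode() + b"\0"
    return bytes([AUT_FILE]) + struct.pack(">IIH", sec, 0, len(p)) + p


def build_sample_record():
    """Constructed record: failed open of /etc/shadow (errno 13) by audit ID 1001
    running as uid 0. Event number 72 and all other values are made up."""
    subj = bytes([AUT_SUBJECT32]) + struct.pack(">9I", 1001, 0, 0, 1001, 10,
                                                4242, 4242, 0, 0x0A000001)
    path = b"/etc/shadow\0"
    path_tok = bytes([AUT_PATH]) + struct.pack(">H", len(path)) + path
    ret = bytes([AUT_RETURN32]) + struct.pack(">BI", 13, 0xFFFFFFFF)
    total = 18 + len(subj) + len(path_tok) + len(ret) + 7
    hdr = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, 2, 72, 0, 946684800, 123)
    trl = bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, total)
    return hdr + subj + path_tok + ret + trl


def build_sample_trail():
    """Constructed trail: previous-file token, one record, next-file token."""
    return (_file_token("/var/audit/19991231235959.20000101000000.host1")
            + build_sample_record()
            + _file_token("/var/audit/20000101000000.not_terminated.host1"))
```

Note that a missing trailer is accepted, because the page says trailer tokens depend on audit policy; what is never accepted is a record whose tokens do not end exactly at the header's byte count, or a trailer whose magic or count disagrees with the header. The expanded (ex) and 64-bit token variants have different IDs and widths and would need their own branches in parse_token.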
The acl token consists of:
    token ID                   char
    num of entries             int
    (following three fields repeated num times)
    object type                int
    uid/gid                    int
    permissions                short
The clearance token consists of:
    token ID                   char
    CLEARANCE label ID         char
    pad character              char
    classification             short
    compartments               8 ints
The host token consists of:
    token ID                   char
    local Internet address     long
The liaison token consists of:
    token ID                   char
    liaison ID                 int
The priv token consists of:
    token ID                   char
    succ/fail                  char
    priv. used                 int
The privilege token consists of:
    token ID                   char
    type of set                char
    priv. set                  4 ints
The slabel token consists of:
    token ID                   char
    SLABEL
    pad character              char
    classification             short
    compartments               8 ints
The xatom token consists of:
    token ID                   char
    string length              short
    atom string                string length bytes
The xcolormap token consists of:
    token ID                   char
    XID                        int
    creator UID                int
The xcursor token consists of:
    token ID                   char
    XID                        int
    creator UID                int
The xfont token consists of:
    token ID                   char
    XID                        int
    creator UID                int
The xgc token consists of:
    token ID                   char
    XID                        int
    creator UID                int
The xpixmap token consists of:
    token ID                   char
    XID                        int
    creator UID                int
The xproperty token consists of:
    token ID                   char
    XID                        int
    creator UID                int
    string length              short
    string                     string length bytes
The xselect token consists of:
    token ID                   char
    property length            short
    property string            property length bytes
    prop. type len.            short
    prop type                  prop. type len. bytes
    data length                short
    window data                data length bytes
The xwindow token consists of:
    XID                        int
    creator UID                int
These audit tokens have been added to the Trusted Solaris auditing module: acl, clearance, host, liaison, priv, privilege, slabel, xatom, xcolormap, xcursor, xfont, xgc, xpixmap, xproperty, xselect, and xwindow. Trusted Solaris auditing also uses the auditwrite(3TSOL) function instead of au_to_*() function calls to create audit tokens.
By default, auditing is enabled in the Trusted Solaris environment. See Trusted Solaris Audit Administration for how to disable and enable auditing.