System Administration Guide: Security Services

subject Token

The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token.

The subject token has nine fields:

The audit ID, user ID, group ID, process ID, and session ID are long instead of short.


Note –

The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.


Any token that contains a terminal ID has several variations. The praudit command hides these variations, so the terminal ID is handled the same way in every token that contains one. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.

The terminal ID for device numbers is specified as follows:

In releases prior to the Solaris 8 release, the terminal ID for port numbers is specified as follows:

Since the Solaris 8 release, the terminal ID for port numbers is specified as follows:

The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:


subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1

The praudit -x command shows the fields of the subject token. The line is wrapped for display purposes.


<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" 
rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>
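The following Python sketch is an added example, not part of the original guide or of the Solaris tools. It parses both praudit forms of the subject token shown above into the same record, maps the -1 values described in the Note to None, and flags records where the audit ID differs from the user ID. The function names and the treatment of the last part of the terminal ID as the machine name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Field names follow the attributes in the praudit -x sample above.
FIELDS = ("audit-uid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")
UNAVAILABLE_AS_MINUS_ONE = ("sid", "ruid", "rgid")  # per the Note

def _normalize(tok):
    # Fields reported as -1 are unavailable; expose them as None.
    for f in UNAVAILABLE_AS_MINUS_ONE:
        if tok[f] == "-1":
            tok[f] = None
    # Assumption from the sample: last part of tid is the machine name.
    tok["machine"] = (tok["tid"].split() or [None])[-1]
    return tok

def parse_subject_text(line):
    """Parse the default one-line praudit form of a subject token."""
    parts = line.strip().split(",")
    if parts[0] != "subject" or len(parts) != len(FIELDS) + 1:
        raise ValueError("not a subject token: %r" % line)
    return _normalize(dict(zip(FIELDS, parts[1:])))

def parse_subject_xml(fragment):
    """Parse the praudit -x form, including when wrapped across lines."""
    elem = ET.fromstring(fragment)
    missing = [f for f in FIELDS if f not in elem.attrib]
    if elem.tag != "subject" or missing:
        raise ValueError("not a complete subject element")
    return _normalize({f: elem.attrib[f] for f in FIELDS})

def acts_as_other_user(tok):
    """True when the audit ID differs from the user ID field."""
    return tok["audit-uid"] != tok["uid"]

# Samples copied from the page.
TEXT = "subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1"
XML = '''<subject audit-uid="jdoe" uid="root" gid="root" ruid="root"
rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>'''
# Constructed variant of the sample: session ID unavailable.
NO_SID = "subject,jdoe,root,root,root,root,1631,-1,8243 65558 machine1"

if __name__ == "__main__":
    for tok in (parse_subject_text(TEXT), parse_subject_xml(XML),
                parse_subject_text(NO_SID)):
        print(tok["audit-uid"], tok["uid"], tok["sid"], tok["machine"],
              acts_as_other_user(tok))
```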

The following figure shows the format of the subject token.

Figure 31–6 subject Token Format
