The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token.
The subject token has nine fields:
A token ID that identifies this token as a subject token
The audit ID
The effective user ID
The effective group ID
The real user ID
The real group ID
The process ID
The audit session ID
A terminal ID that consists of a device ID and a machine IP address
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.
Any token that contains a terminal ID has several variations. The praudit command hides these variations, so the terminal ID is handled the same way for any token that contains one. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.
The terminal ID for device numbers is specified as follows:
32-bit applications – 4-byte device number, 4 bytes unused
64-bit applications – 8-byte device number, 4 bytes unused
In releases prior to the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit applications – 4-byte port number, 4-byte IP address
64-bit applications – 8-byte port number, 4-byte IP address
Since the Solaris 8 release, the terminal ID for port numbers is specified as follows:
32-bit with IPv4 – 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPv6 – 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPv4 – 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPv6 – 8-byte port number, 4-byte IP type, 16-byte IP address
The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:
subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1
The praudit -x command shows the fields of the subject token. The line is wrapped for display purposes.
<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" rgid="root" pid="1631" sid="1421584480" tid="8243 65558 machine1"/>
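The following Python example is added here and is not part of the original documentation. It parses both praudit forms of the subject token shown above into one record, maps -1 placeholders to None, and flags records whose effective user differs from the audit ID. Assumptions: the names Subject, parse_subject and identity_changed are hypothetical, unavailable values appear as the literal -1 in praudit output, and the last whitespace-separated item of the terminal ID is the machine.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# praudit text-form field order after "subject", and the matching praudit -x attributes.
FIELDS = ("audit_id", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")
XML_ATTRS = ("audit-uid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")
MAY_BE_UNSET = ("ruid", "rgid", "sid")  # reported as -1 when unavailable

@dataclass
class Subject:
    audit_id: str
    euid: str
    egid: str
    ruid: Optional[str]
    rgid: Optional[str]
    pid: int
    sid: Optional[str]
    tid_device: str  # assumption: everything before the last item of the terminal ID
    machine: str     # assumption: last whitespace-separated item of the terminal ID

    def identity_changed(self) -> bool:  # effective user differs from the audit ID
        return self.audit_id != self.euid

def _build(raw: dict) -> Subject:
    v = {k: (None if k in MAY_BE_UNSET and x == "-1" else x) for k, x in raw.items()}
    device, _, machine = v.pop("tid").strip().rpartition(" ")
    return Subject(pid=int(v.pop("pid")), tid_device=device, machine=machine, **v)

def parse_subject(line: str) -> Subject:
    line = line.strip()
    if line.startswith("<subject"):  # praudit -x form
        attrs = ET.fromstring(line).attrib
        if any(a not in attrs for a in XML_ATTRS):
            raise ValueError("subject element is missing attributes")
        return _build({f: attrs[a] for f, a in zip(FIELDS, XML_ATTRS)})
    parts = line.split(",", len(FIELDS))
    if len(parts) != len(FIELDS) + 1 or parts[0] != "subject":
        raise ValueError("not a subject token line")
    return _build(dict(zip(FIELDS, parts[1:])))

TEXT = "subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 machine1"  # from the page
XML = ('<subject audit-uid="jdoe" uid="root" gid="root" ruid="root" rgid="root" '
       'pid="1631" sid="1421584480" tid="8243 65558 machine1"/>')  # from the page
NO_SESSION = "subject,jdoe,jdoe,staff,-1,-1,2044,-1,0 0 machine1"  # constructed sample

if __name__ == "__main__":
    for s in map(parse_subject, (TEXT, XML, NO_SESSION)):
        print(s, "changed" if s.identity_changed() else "same")
```

Both page samples parse to the same record, in which the audit ID jdoe differs from the effective user root, so identity_changed() returns True for them.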
The following figure shows the format of the subject token.