The subject token describes a subject (process). The structure is the same as the process token. The token has 9 fields: an ID that identifies this as a subject token, the invariant audit ID, the effective user ID, the effective group ID, the real user ID, the real group ID, the process ID, the audit session ID, and a terminal ID. This token is always returned as part of kernel-generated audit records for system calls. Figure A-24 shows the token.
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
The subject token fields for the session ID, the real user ID, or the real group ID may be unavailable. The entry is then set to -1.