header Token
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields:
-
a token ID field that identifies this token as a header token
-
a byte count of the total length of the audit record, including both the header and the trailer
-
a version number that identifies the version of the audit record structure
-
the audit event ID that identifies the type of audit event that the record represents
-
the ID modifier that identifies special characteristics of the audit event
-
and the time and date that the record was created
On 64-bit systems, the header token is displayed with a 64-bit time stamp, in place of the 32-bit time stamp.
The praudit command displays the header token for a ioctl() system call as follows:
header,240,1,ioctl(2),es,Tue Sept 1 16:11:44 2001, + 270000 msec |
The following figure shows the format of a header token.
Figure 25–13 header Token Format
The ID modifier field has the following flags defined:
0x4000 PAD_NOTATTR nonattributable event 0x8000 PAD_FAILURE fail audit event |
- © 2010, Oracle Corporation and/or its affiliates