The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields:
a token ID field that identifies this token as a header token
a byte count of the total length of the audit record, including both the header and the trailer
a version number that identifies the version of the audit record structure
the audit event ID that identifies the type of audit event that the record represents
the ID modifier that identifies special characteristics of the audit event
and the time and date that the record was created
On 64-bit systems, the header token is displayed with a 64-bit time stamp, in place of the 32-bit time stamp.
The praudit command displays the header token for an ioctl() system call as follows:
header,240,1,ioctl(2),es,Tue Sept 1 16:11:44 2001, + 270000 msec
The following figure shows the format of a header token.
The ID modifier field has the following flags defined:
0x4000  PAD_NOTATTR  nonattributable event
0x8000  PAD_FAILURE  fail audit event
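The following is an added example, not code from the audit documentation itself: a small Python reader that decodes the six header-token fields described above (both the 32-bit and 64-bit time-stamp forms), checks that the byte count can at least bracket the header, and decodes the PAD_NOTATTR and PAD_FAILURE modifier flags. The token ID values, the big-endian field widths and the event number for ioctl(2) are assumptions taken from the common BSM layout, not from this page.

```python
import struct
from datetime import datetime, timezone

# Token IDs and field layouts follow the BSM/OpenBSM convention; the page does not
# give them, so treat them as assumptions when matching another implementation.
AUT_HEADER32 = 0x14          # header token carrying a 32-bit time stamp
AUT_HEADER64 = 0x74          # header token carrying a 64-bit time stamp
PAD_NOTATTR = 0x4000         # ID modifier flags, as listed on the page
PAD_FAILURE = 0x8000
# Constructed event-name table for the demo; a real reader consults audit_event(4).
EVENT_NAMES = {158: "ioctl(2)"}   # 158 assumed to be AUE_IOCTL

_LAYOUTS = {AUT_HEADER32: ">BIBHHII", AUT_HEADER64: ">BIBHHQQ"}  # big-endian fields

def parse_header(buf):
    """Parse the header token at the start of buf; return (fields, bytes consumed)."""
    if not buf or buf[0] not in _LAYOUTS:
        raise ValueError("record does not start with a header token")
    fmt = _LAYOUTS[buf[0]]
    size = struct.calcsize(fmt)
    if len(buf) < size:
        raise ValueError("truncated header token")
    tid, count, version, event, modifier, secs, frac = struct.unpack(fmt, buf[:size])
    # The byte count spans header through trailer, so it can never be shorter than the header.
    if count < size:
        raise ValueError("byte count %d smaller than the header itself" % count)
    return {"timestamp_bits": 64 if tid == AUT_HEADER64 else 32, "byte_count": count,
            "version": version, "event_id": event,
            "event_name": EVENT_NAMES.get(event, "event %d" % event),
            "modifier": modifier, "nonattributable": bool(modifier & PAD_NOTATTR),
            "failure": bool(modifier & PAD_FAILURE), "seconds": secs, "msec": frac}, size

def format_header(fields):
    """Render a praudit-style line; the modifier is shown by its flag names."""
    flags = [n for n, bit in (("notattr", PAD_NOTATTR), ("failure", PAD_FAILURE))
             if fields["modifier"] & bit] or ["-"]
    when = datetime.fromtimestamp(fields["seconds"], timezone.utc)
    return "header,%d,%d,%s,%s,%s, + %d msec" % (
        fields["byte_count"], fields["version"], fields["event_name"],
        "|".join(flags), when.strftime("%a %b %d %H:%M:%S %Y"), fields["msec"])

# Constructed samples: a 240-byte record for a failed ioctl(2) at 2001-09-01 16:11:44 UTC,
# once with the 32-bit and once with the 64-bit time stamp.
SAMPLE32 = struct.pack(">BIBHHII", AUT_HEADER32, 240, 1, 158, PAD_FAILURE, 999360704, 270000)
SAMPLE64 = struct.pack(">BIBHHQQ", AUT_HEADER64, 240, 1, 158, 0, 999360704, 270000)
```

Running `format_header(parse_header(SAMPLE32)[0])` yields a line in the same shape as the praudit output shown above, with the modifier rendered as `failure` instead of the raw 0x8000.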