System Administration Guide: Security Services

trailer Token

The two tokens, header and trailer, are special in that they distinguish the end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token and is added as the last token of each record only when the trail audit policy has been set.

The trailer token supports backward seeks of the audit trail. The trailer token has three fields: a token ID, a pad number, and a byte count.

The praudit command displays the trailer token as follows:


trailer,136

The following figure shows the format of a trailer token.

Figure 25–28 trailer Token Format

Diagram shows the format for a trailer token, which includes a Token ID, then a Pad number, then a Byte count.

The audit trail analysis software ensures that each record contains both the header and trailer tokens. In the case of a write error, as when a file system becomes full, an audit record can be incomplete and truncated. The auditsvc() system call, which is responsible for writing data to the audit trail, attempts to write complete audit records. When file system space runs out, the system call terminates without releasing the current audit record. When the system call resumes, it can then repeat the truncated record. For more information, see the auditsvc(2) man page.
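
The following Python is an added example, not code from this guide or from Solaris. It walks a buffer of audit records backward from the end using each trailer token's byte count, and stops where a record is not bracketed by a matching header and trailer, as happens with a truncated record. The field widths (1, 2 and 4 bytes), the token ID and pad values, and the position of the byte count in the header token are assumptions not stated on this page; the rest of each record is treated as opaque bytes.

```python
import struct

AUT_TRAILER = 0x13    # assumed trailer token ID
AUT_HEADER32 = 0x14   # assumed header token ID
TRAILER_PAD = 0xB105  # assumed pad number
TRAILER = struct.Struct(">BHI")      # token ID, pad number, byte count
HEADER_PREFIX = struct.Struct(">BI")  # token ID, record byte count

def make_record(body: bytes) -> bytes:
    """Build a constructed record: header prefix + opaque body + trailer."""
    size = HEADER_PREFIX.size + len(body) + TRAILER.size
    return (HEADER_PREFIX.pack(AUT_HEADER32, size) + body
            + TRAILER.pack(AUT_TRAILER, TRAILER_PAD, size))

def walk_backward(trail: bytes):
    """Yield (offset, length) of each record, last to first.
    Raises ValueError where header/trailer bracketing is broken."""
    end = len(trail)
    while end > 0:
        if end < TRAILER.size:
            raise ValueError(f"{end} stray bytes at start of buffer")
        tid, pad, count = TRAILER.unpack_from(trail, end - TRAILER.size)
        if tid != AUT_TRAILER or pad != TRAILER_PAD:
            raise ValueError(f"no trailer token ending at offset {end}")
        start = end - count  # the byte count covers header through trailer
        if count < HEADER_PREFIX.size + TRAILER.size or start < 0:
            raise ValueError(f"bad byte count {count} at offset {end}")
        hid, hcount = HEADER_PREFIX.unpack_from(trail, start)
        if hid != AUT_HEADER32 or hcount != count:
            raise ValueError(f"header/trailer mismatch at offset {start}")
        yield start, count
        end = start

def demo():
    """Constructed sample: a full record, a truncated copy of a second
    record, then that second record repeated in full."""
    r1, r2 = make_record(b"A" * 10), make_record(b"B" * 25)
    found = []
    try:
        for rec in walk_backward(r1 + r2[:12] + r2):
            found.append(rec)
    except ValueError as err:
        return found, str(err)
    return found, None
```

The walk recovers the repeated record and then fails at the truncated fragment before it, which is the point where analysis software has to resynchronize by scanning for the next valid header.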