Each token has a token type identifier followed by data that is specific to the token. Each token type has its own format. The following table shows the token names with a description of each token.
Table 26–5 Audit Tokens for the Basic Security Module
Token Name |
Description |
For More Information |
---|---|---|
acl |
Access Control List information | |
arbitrary |
Data with format and type information | |
arg |
System call argument value | |
attr |
file vnode tokens | |
exec_args |
Exec system call arguments | |
exec_env |
Exec system call environment variables | |
exit |
Program exit information | |
file |
Audit file information | |
groups |
Process groups information (now obsolete) | |
header |
Indicates start of audit record | |
in_addr |
Internet address | |
ip |
IP header information | |
ipc |
System V IPC information | |
ipc_perm |
System V IPC object tokens | |
iport |
Internet port address | |
newgroups |
Process groups information | |
opaque |
Unstructured data (unspecified format) | |
path |
Path information | |
process |
Process token information | |
return |
Status of system call | |
seq |
Sequence number token | |
socket |
Socket type and addresses | |
subject |
Subject token information (same format as process token) | |
text |
ASCII string | |
trailer |
Indicates end of audit record |
An audit record always contains a header token. The header token indicates where the audit record begins in the audit trail. Every audit record contains a subject token, except for audit records from some nonattributable events. In the case of attributable events, these two tokens refer to the values of the process that caused the event. In the case of asynchronous events, the process tokens refer to the system.
The acl token records information about Access Control Lists. This token consists of four fixed fields. The fixed fields are:
a token ID that identifies this token as an acl token
a field that specifies the ACL type
an ACL ID field
a field that lists the permissions associated with this ACL
The praudit command displays the acl token as follows:
acl,tpanero,staff,0755 |
The acl token format is as follows:
The arbitrary token encapsulates data for the audit trail. This token consists of four fixed fields and an array of data. The fixed fields are as follows:
a token ID that identifies this token as an arbitrary token
a suggested format field (for example, hexadecimal)
a size field that specifies the size of the data that is encapsulated (for example, short)
a count field that provides the number of following items
The remainder of the token is composed of one or more items of the specified type. The praudit command displays the arbitrary token as follows:
arbitrary,decimal,int,1 42 |
The format of arbitrary token is as follows:
The following table shows the possible values of the print format field. Table 26–6.
Table 26–6 Values for the arbitrary Token's Print Format Field
Value |
Action |
---|---|
AUP_BINARY |
Prints the date in binary format |
AUP_OCTAL |
Prints the date in octal format |
AUP_DECIMAL |
Prints the date in decimal format |
AUP_HEX |
Prints the date in hexadecimal format |
AUP_STRING |
Prints the date as a string |
The following table shows the possible values of the item size field.
Table 26–7 Values for the arbitrary Token's Item Size Field
Value |
Action |
---|---|
AUR_BYTE |
Data is printed in units of bytes (1 byte) |
AUR_SHORT |
Data is printed in units of shorts (2 bytes) |
AUR_LONG |
Data is printed in units of longs (4 bytes) |
The arg token contains system call argument information: the argument number of the system call, the augment value, and an optional description. This token allows a 32-bit integer system-call argument in an audit record. The arg token has five fields:
a token ID that identifies this token as an arg token
an argument ID that tells which system call argument the token refers to
the argument value
the length of the descriptive text string
the text string
The praudit command displays the arg token as follows:
argument,1,0x00000000,addr |
The following figure shows the format of the arg token.
The attr token contains information from the file vnode. This token has seven fields:
a token ID that identifies this token as an attr token
the file access mode and type
the owner user ID
the owner group ID
the file system ID
the inode ID
the device ID the file might represent
See the statvfs(2) man page for further information about the file system ID and the device ID.
The attr token usually accompanies a path token and is produced during path searches. In the event of a path-search error, the attr token is not included as part of the audit record since there is no vnode available to obtain the necessary file information. The praudit command displays the attr token as follows:
attribute,100555,root,staff,1805,13871,-4288 |
The following figure shows the format of an attr token.
The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
a token ID field that identifies this token as an exec_args token
a count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_args token as follows:
vi,/etc/security/audit_user |
The following figure shows the format of an exec_args token.
The exec_args token is output only when the audit policy argv is active.
The exec_env token records the current environment variables to an exec() system call. The exec_env token has two fixed fields:
a token ID field that identifies this token as an exec_env token
a count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_env token as follows:
exec_env,25, GROUP=staff,HOME=/export/home/matrix,HOST=mestrix,HOSTTYPE=sun4,HZ=100, LC_COLLATE=en_US.ISO8859-1,LC_CTYPE=en_US.ISO8859-1,LC_MESSAGES=C, LC_MONETARY=en_US.ISO8859-1,LC_NUMERIC=en_US.ISO8859-1, LC_TIME=en_US.ISO8859-1,LOGNAME=matrix,MACHTYPE=sparc, MAIL=/var/mail/matrix,OSTYPE=solaris,PATH=/usr/sbin:/usr/bin,PS1=#, PWD=/var/audit,REMOTEHOST=209.198.087.208,SHELL=/usr/bin/csh,SHLVL=1, TERM=dtterm,TZ=US/Pacific,USER=matrix,VENDOR=sun |
The following figures shows the format of an exec_env token.
The exec_env token is output only when the audit policy arge is active.
The exit token records the exit status of a program. The exit token contains the following fields:
a token ID that identifies this token as an exit token
a program exit status as passed to the exit() system call
a return value that describes the exit status or provides a system error number
The praudit command displays the exit token as follows:
exit,Error 0,0 |
The following figure shows the format of an exit token.
The file token is a special token that is generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old audit trail file as it is deactivated. The audit daemon builds a special audit record that contains this token to “link” together successive audit files into one audit trail. The file token has four fields:
a token ID that identifies this token as a file token
a time and date stamp that identifies the time that the file was created or closed
a byte count of the file name that includes a null terminator
a field that holds the file null-terminated name
The praudit command displays the file token as follows:
file,Tue Sep 1 13:32:42 1992, + 79249 msec, /var/audit/localhost/files/19990901202558.19990901203241.quisp |
The following figure shows the format of a file token.
This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Notice that praudit does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII output is displayed.
The groups token records the groups entries from the process's credential. The groups token has two fixed fields:
A token ID that identifies this token as a groups token
An array of groups entries of size NGROUPS_MAX (16)
The remainder of the token consists of zero or more group entries. The praudit command displays the group token as follows:
group,staff,admin,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 |
The following figure shows the format of a groups token.
The groups token is output only when the audit policy group is active.
The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields:
a token ID field that identifies this token as a header token
a byte count of the total length of the audit record, including both the header and the trailer
a version number that identifies the version of the audit record structure
the audit event ID that identifies the type of audit event that the record represents
the ID modifier that identifies special characteristics of the audit event
and the time and date that the record was created
On 64-bit systems, the header token is displayed with a 64-bit time stamp, in place of the 32-bit time stamp.
The praudit command displays the header token for a ioctl() system call as follows:
header,240,1,ioctl(2),es,Tue Sept 1 16:11:44 2001, + 270000 msec |
The following figure shows the format of a header token.
The ID modifier field has the following flags defined:
0x4000 PAD_NOTATTR nonattributable event 0x8000 PAD_FAILURE fail audit event |
The in_addr token contains a 4-byte Internet Protocol address. The in_addr token has two fields:
a token ID that identifies this token as an ip address token
an Internet address
The praudit command displays the in_addr token as follows:
ip address,129.150.113.7 |
For the Solaris 8 release, the Internet address can be displayed as an IPv4 address that uses 4 bytes, or as an IPv6 address that uses 16 bytes to describe the type, and 16 bytes to describe the address.The following figure shows the format of an in_addr token.
The ip token contains a copy of an Internet Protocol header but does not include any IP options. The IP options can be added by including more of the IP header in the token. The ip token has two fields:
a token ID that identifies this token as an ip token
a copy of the IP header (all 20 bytes)
The praudit command displays the ip token as follows:
ip address,0.0.0.0 |
The IP header structure is defined in the /usr/include/netinet/ip.h file. The following figure shows the format of an ip token.
The ipc token contains the System V IPC message/semaphore/shared-memory handle that is used by the caller to identify a particular IPC object. The ipc token has three fields:
a token ID that identifies this token as an IPC token
a type field that specifies the type of IPC object
the handle that identifies the IPC object
The praudit command displays the ipc token as follows:
IPC,msg,3 |
The IPC object identifiers violate the context-free nature of the Solaris CMW audit tokens. No global “name” uniquely identifies IPC objects. Instead, they are identified by their handles, which are valid only during the time the IPC objects are active. The identification should not be a problem since the System V IPC mechanisms are seldom used, and they all share the same audit class.
The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.
Table 26–8 Values for the IPC Object Type Field
Name |
Value |
Description |
---|---|---|
AU_IPC_MSG |
1 |
IPC message object |
AU_IPC_SEM |
2 |
IPC semaphore object |
AU_IPC_SHM |
3 |
IPC shared-memory object |
The following figure shows the format of an ipc token.
The ipc_perm token contains a copy of the System V IPC access information. This token is added to audit records that are generated by IPC shared-memory events, IPC semaphore events, and IPC message events. The ipc_perm token has eight fields:
a token ID that identifies this token as an ipc_perm token
the user ID of the IPC owner
the group ID of the IPC owner
the user ID of the IPC creator
the group ID of the IPC creator
the access modes of the IPC
the sequence number of the IPC
the IPC key value
The praudit command displays the ipc_perm token as follows:
IPC perm,root,wheel,root,wheel,0,0,0x00000000 |
The values are taken from the ipc_perm structure that is associated with the IPC object. The following figure shows the format of an ipc_perm token.
The iport token contains the TCP (or UDP) port address. The iport token has two fields:
a token ID that identifies this token as an iport token
the TCP/UDP port address
The praudit command displays the iport token as follows:
ip port,0xf6d6 |
The following figure shows the format of an iport token.
This token replaces the groups token. Notice that the praudit command does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII output is displayed.
The newgroups token records the groups entries from the process's credential. The newgroups token has two fixed fields:
a token ID field that identifies this token as a newgroups token
a count that represents the number of groups that are contained in this audit record
The remainder of this token is composed of zero or more group entries. The praudit command displays the ip port token as follows:
group, staff, admin |
The following figure shows the format of a newgroups token.
The newgroups token is output only when the group audit policy is active.
The opaque token contains unformatted data as a sequence of bytes. The opaque token has three fields:
a token ID that identifies this token as an opaque token
a byte count of the data
an array of byte data
The praudit command displays the opaque token as follows:
opaque,12,0x4f5041515545204441544100 |
The following figure shows the format of an opaque token.
The path token contains access path information for an object. This token contains the following fields:
a token ID that identifies this token as an path token
a byte count of the path length
the absolute path to the object that is based on the real root of the system
The praudit command displays the path token as follows. Note that the path length field is not displayed.
path,/etc/security/audit_user |
The following figure shows the format of a path token.
The process token contains information about a user who is associated with a process, such as the recipient of a signal. The process token has nine fields:
a token ID that identifies this token as a process token
the invariant audit ID
the effective user ID
the effective group ID
the real user ID
the real group ID
the process ID
the audit session ID
a terminal ID that consists of a device ID and a machine ID
The praudit command displays the process token as follows:
process,root,root,wheel,root,wheel,0,0,0,0.0.0.0 |
The following figure shows the format of a process token.
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
The process token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.
Any token that contains a terminal ID has several variations. The praudit command hides these variations on output of the terminal ID so that they all appear the same. This field is handled the same way for any token that contains it. The terminal ID is either an IP address and port number, or a device ID, such as the serial port that is connected to a modem, in which case it is zero. The terminal ID is specified in one of several formats:
32-bit applications: 4-byte device number, 4-bytes unused
64-bit applications: 8-byte device number, 4-bytes unused
For port numbers in the Solaris 7 release or earlier releases:
32-bit applications: 4-byte port number, 4-byte IP address
64-bit applications: 8-byte port number, 4-byte IP address
For port numbers in the Solaris 8 or 9 releases:
32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address
The return token contains the return status of the system call (u_error) and the process return value (u_rval1). This token has three fields:
a token ID that identifies this token as a return token
the error status of the system call
the system call return value
The return token is always returned as part of kernel-generated audit records for system calls. This token indicates exit status and other return values in application auditing.
The praudit command displays the return token as follows:
return,success,0 |
The following figures shows the format of a return token.
The seq token (sequence token) is an optional token that contains a sequence number. Used for debugging, this token is added to each audit record when the seq policy is active. The seq token has two fields:
a token ID that identifies this token as a seq token
a 32-bit unsigned long field that contains the sequence number
The sequence number is incremented every time an audit record is generated and added to the audit trail. The praudit command displays the seq token as follows:
sequence,1292 |
The following figure shows the format of a seq token.
The seq token is output only when the seq audit policy is active.
The socket token contains information that describes an Internet socket. This token has six fields:
a token ID that identifies this token as a socket token
a socket type field that indicates the type of socket referenced (TCP/UDP/UNIX)
the local port address
the local Internet address
the remote port address
the remote Internet address
The praudit command displays the socket token as follows:
socket,0x0000,0x0000,0.0.0.0,0x0000,0.0.0.0 |
For the Solaris 8 release, the Internet address can be displayed as a IPv4 address that uses 4 bytes, or as an IPv6 address that uses 16 bytes to describe the type, and 16 bytes to describe the addresses. The following figure shows the format of a socket token.
The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token. The subject token has nine fields:
an ID that identifies this token as a subject token
the invariant audit ID
the effective user ID
the effective group ID
the real user ID
the real group ID
the process ID
the audit session ID
a terminal ID that consists of a device ID and a machine ID
The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:
subject,cjc,cjc,staff,cjc,staff,424,223,0 0 quisp |
The audit ID, user ID, group ID, process ID, and session ID are long instead of short.
The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.
Any token that contains a terminal ID has several variations. The praudit command hides these variations on output of the terminal ID so that they all appear the same. This field is handled the same way for any token that contains it. The terminal ID is either an IP address and port number, or a device ID, such as the serial port that is connected to a modem, in which case it is zero. The terminal ID is specified in one of several formats:
32-bit applications: 4-byte device number, 4-bytes unused
64-bit applications: 8-byte device number, 4-bytes unused
For port numbers in the Solaris 7 release or earlier releases:
32-bit applications: 4-byte port number, 4-byte IP address
64-bit applications: 8-byte port number, 4-byte IP address
For port numbers in the Solaris 8 or 9 releases:
32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address
The following figure shows the format of the subject token.
The text token contains a text string. This token has three fields:
a token ID that identifies this token as a text token
the length of the text string
the text string itself
The praudit command displays the text token as follows:
text,aw_test_token |
The following figure shows the format of a text token.
The two tokens, header and trailer, are special in that they distinguish the end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token and is added as the last token of each record only when the trail audit policy has been set.
The trailer token supports backward seeks of the audit trail. The trailer token has three fields:
a token ID that identifies this token as a trailer token
a pad number to aid in marking the end of the record
the total number of characters in the audit record, including both the header and trailer tokens
The praudit command displays the trailer token as follows:
trailer,136 |
The following figure shows the format of a trailer token.
The audit trail analysis software ensures that each record contains both the header and trailer tokens. In the case of a write error, as when a file system becomes full, an audit record can be incomplete and truncated. The auditsvc() system call, that is responsible for writing data to the audit trail, attempts to write complete audit records. When file system space runs out, the system call terminates without releasing the current audit record. When the system call resumes, it can then repeat the truncated record. For more information, see the auditsvc(2) man page.