Audit Token Formats
Each audit token has a token type identifier, which is followed
by data that is specific to the token. The following table shows the token
names with a brief description of each token. Obsolete tokens are maintained
for compatibility with previous Solaris releases.
Table 7-1 Audit Tokens for Auditing
| Token Name | Description |
|---|---|
| acl | Access Control Entry (ACE) and Access Control List (ACL) information |
| arbitrary | Data with format and type information |
| argument | System call argument value |
| attribute | File vnode information |
| cmd | Command arguments and environment variables |
| exec_args | Exec system call arguments |
| exec_env | Exec system call environment variables |
| exit | Program exit information |
| file | Audit file information |
| fmri | Framework Management Resource Indicator |
| group | Process groups information |
| header | Indicates start of audit record |
| ip | IP header information |
| ip address | Internet address |
| ip port | Internet port address |
| ipc | System V IPC information |
| IPC_perm | System V IPC object access information |
| opaque | Unstructured data (unspecified format) |
| path | Path information |
| path_attr | Access path information |
| privilege | Privilege set information |
| process | Process information |
| return | Status of system call |
| sequence | Sequence number |
| socket | Socket type and addresses |
| subject | Subject information (same format as process) |
| text | ASCII string |
| trailer | Indicates end of audit record |
| use of authorization | Use of authorization |
| use of privilege | Use of privilege |
| user | User ID and user name |
| xclient | X client identification |
| zonename | Name of zone |
| Trusted Extensions tokens | label and X Window System information |
For information about obsolete tokens, see the reference material for
the release that included the token.
An audit record always begins with a header token, which indicates where
the audit record begins in the audit trail. In the case of attributable events, the
subject and the process tokens refer to the values of the
process that caused the event. In the case of non-attributable events, the
process token refers to the system.
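The record structure described above can be checked mechanically when reviewing an audit trail. The following is an added example, not part of the original documentation: it groups a text rendering of the trail into records at each header token and flags token names that are not in Table 7-1. It assumes one token per line with the token name as the first comma-separated field and the event description as the fourth header field; the sample lines, the helper names, and the use of a subject token to mark an attributable event are assumptions made for illustration.

```python
# Token names from Table 7-1; obsolete and Trusted Extensions tokens are
# not enumerated on the page, so they are reported as "unknown" here.
KNOWN_TOKENS = {
    "acl", "arbitrary", "argument", "attribute", "cmd", "exec_args",
    "exec_env", "exit", "file", "fmri", "group", "header", "ip",
    "ip address", "ip port", "ipc", "IPC_perm", "opaque", "path",
    "path_attr", "privilege", "process", "return", "sequence", "socket",
    "subject", "text", "trailer", "use of authorization",
    "use of privilege", "user", "xclient", "zonename",
}

# Constructed sample (assumed layout: one token per line, name first).
SAMPLE = """\
text,stray line before any header
header,69,2,login - local,,host1,2010-10-10 10:10:10.020 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,1210,4076076536,69 2 host1
return,success,0
header,44,2,system booted,na,host1,2010-10-10 10:00:00.000 -07:00
text,booting kernel
mystery,1,2
"""

def token_name(line):
    """The token type identifier is the first comma-separated field."""
    return line.split(",", 1)[0].strip()

def split_records(text):
    """Return (records, orphans); a new record starts at each header token."""
    records, orphans = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if token_name(line) == "header":
            records.append([line])
        elif records:
            records[-1].append(line)
        else:
            orphans.append(line)  # a token with no preceding header
    return records, orphans

def summarize(record):
    names = [token_name(l) for l in record]
    fields = record[0].split(",") + [""] * 4  # tolerate a short header line
    return {
        "event": fields[3],  # assumed position of the event description
        # Heuristic (assumption): a subject token marks an attributable event.
        "attributable": "subject" in names,
        "unknown": [n for n in names if n not in KNOWN_TOKENS],
    }

if __name__ == "__main__":
    recs, orphans = split_records(SAMPLE)
    for r in recs:
        print(summarize(r))
    print("outside any record:", orphans)
```

Tokens reported outside any record or under "unknown" are worth a second look before the trail is fed to downstream detection, since they indicate truncation, a token from another release, or a rendering the parser does not understand.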