Managing Auditing in Oracle® Solaris 11.2

Updated: July 2014
 
 

Audit Token Formats

Each audit token has a token type identifier, which is followed by data that is specific to the token. The following table shows the token names with a brief description of each token. Obsolete tokens are maintained for compatibility with previous Solaris releases.

Table 7-1 Audit Tokens for Auditing

| Token Name | Description |
|---|---|
| acl | Access Control Entry (ACE) and Access Control List (ACL) information |
| arbitrary | Data with format and type information |
| argument | System call argument value |
| attribute | File vnode information |
| cmd | Command arguments and environment variables |
| exec_args | Exec system call arguments |
| exec_env | Exec system call environment variables |
| exit | Program exit information |
| file | Audit file information |
| fmri | Framework Management Resource Indicator |
| group | Process groups information |
| header | Indicates start of audit record |
| ip | IP header information |
| ip address | Internet address |
| ip port | Internet port address |
| ipc | System V IPC information |
| IPC_perm | System V IPC object access information |
| opaque | Unstructured data (unspecified format) |
| path | Path information |
| path_attr | Access path information |
| privilege | Privilege set information |
| process | Process information |
| return | Status of system call |
| sequence | Sequence number |
| socket | Socket type and addresses |
| subject | Subject information (same format as process) |
| text | ASCII string |
| trailer | Indicates end of audit record |
| use of authorization | Use of authorization |
| use of privilege | Use of privilege |
| user | User ID and user name |
| xclient | X client identification |
| zonename | Name of zone |
| Trusted Extensions tokens | label and X Window System information |

The following tokens are obsolete:

  • liaison
  • host
  • tid

For information about obsolete tokens, see the reference material for the release that included the token.

An audit record always begins with a header token, which indicates where the audit record begins in the audit trail. In the case of attributable events, the subject and the process tokens refer to the values of the process that caused the event. In the case of non-attributable events, the process token refers to the system.
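
The framing rule above (a header token opens every record, a trailer token closes it) can be checked mechanically when reviewing an exported audit trail. The following is an added example, not code from the Oracle documentation. It assumes a text export with one token per line, the token name as the first comma-separated field, and the names spelled as in Table 7-1; `split_records`, `summarize` and the sample lines are constructed for illustration.

```python
# Added example: token names copied from Table 7-1 plus the obsolete tokens.
KNOWN_TOKENS = {
    "acl", "arbitrary", "argument", "attribute", "cmd", "exec_args",
    "exec_env", "exit", "file", "fmri", "group", "header", "ip",
    "ip address", "ip port", "ipc", "IPC_perm", "opaque", "path",
    "path_attr", "privilege", "process", "return", "sequence", "socket",
    "subject", "text", "trailer", "use of authorization",
    "use of privilege", "user", "xclient", "zonename",
    "liaison", "host", "tid",
}

# Constructed sample, not real audit data (assumed layout: token name first).
SAMPLE = """\
text,stray line before any header
header,69,2,login - local,,example_system,2014-07-01 10:10:10.020 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,1210,4076076536,69 2 example_system
return,success,0
trailer,69
return,failure,-1
header,44,2,system booted,na,example_system,2014-07-01 10:12:00.000 -07:00
text,booting kernel
bogus,1,2
"""

def split_records(lines, sep=","):
    """Group token lines into records; return (records, orphan_lines)."""
    records, orphans, current = [], [], None
    for line in (l.strip() for l in lines):
        if not line:
            continue
        name = line.split(sep, 1)[0]
        if name == "header":            # a header token always opens a record
            current = {"tokens": [], "unknown": []}
            records.append(current)
        if current is None:             # token outside any header..trailer span
            orphans.append(line)
            continue
        current["tokens"].append(name)
        if name not in KNOWN_TOKENS:
            current["unknown"].append(name)
        if name == "trailer":           # a trailer token closes the record
            current = None
    return records, orphans

def summarize(record):
    """Report framing facts a reviewer would check for one record."""
    names = record["tokens"]
    return {"has_subject": "subject" in names,
            "closed_by_trailer": names[-1] == "trailer",
            "unknown": record["unknown"]}
```

Tokens reported as orphans or unknown point to a truncated, spliced or misparsed trail and are worth checking against the original binary audit files.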