Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

Audit Token Formats

Each audit token has a token type identifier, which is followed by data that is specific to the token. The following table shows the token names with a brief description of each token. Obsolete tokens are maintained for compatibility with previous Solaris releases.

Table 8  Audit Tokens for Auditing
Token Name
Description
For More Information
acl
Access Control Entry (ACE) and Access Control List (ACL) information
arbitrary
Data with format and type information
audit.log(4) man page
argument
System call argument value
attribute
File vnode information
cmd
Command arguments and environment variables
exec_args
Exec system call arguments
exec_env
Exec system call environment variables
exit
Program exit information
audit.log(4) man page
file
Audit file information
fmri
Framework Management Resource Indicator
group
Process groups information
header
Indicates start of audit record
ip
IP header information
audit.log(4) man page
ip address
Internet address
ip port
Internet port address
ipc
System V IPC information
IPC_perm
System V IPC object access information
opaque
Unstructured data (unspecified format)
audit.log(4) man page
path
Path information
path_attr
Access path information
privilege
Privilege set information
process
Process information
return
Status of system call
sequence
Sequence number
socket
Socket type and addresses
subject
Subject information (same format as process)
text
ASCII string
trailer
Indicates end of audit record
use of authorization
Use of authorization
use of privilege
Use of privilege
user
User ID and user name
xclient
X client identification
zonename
Name of zone
Trusted Extensions tokens
label and X Window System information

    The following tokens are obsolete:

  • liaison

  • host

  • tid

For information about obsolete tokens, see the reference material for the release that included the token.

An audit record always begins with a header token, which indicates where the audit record begins in the audit trail. In the case of attributable events, the subject and the process tokens refer to the values of the process that caused the event. In the case of non-attributable events, the process token refers to the system.

acl Token

The acl token uses different formats to record information about Access Control Entries (ACEs) for a ZFS file system and about Access Control Lists (ACLs) for a legacy UFS file system.

When the acl token is recorded for a UFS file system, the praudit command shows the fields as follows:

<acl type="1" value="root" mode="6"/>

When the acl token is recorded for a ZFS dataset, the praudit command shows the fields as follows:

<acl who="root" access_mask="default" flags="-i,-R" type="2"/>

argument Token

The argument token contains information about the arguments to a system call: the argument number of the system call, the argument value, and an optional description. This token allows a 32-bit integer system-call argument in an audit record.

The praudit command shows the fields of the argument token as follows:

<argument arg-num="2" value="0x5401" desc="cmd"/>

attribute Token

The attribute token contains information from the file vnode.

The attribute token usually accompanies a path token. The attribute token is produced during path searches. If a path-search error occurs, vnode is not available to obtain the necessary file information. Therefore, the attribute token is not included as part of the audit record. The praudit command shows the fields of the attribute token as follows:

<attribute mode="20620" uid="root" gid="tty" fsid="0" nodeid="9267" device="108233"/>

cmd Token

The cmd token records the list of arguments and the list of environment variables that are associated with a command.

The praudit command shows the fields of the cmd token. The following example is a truncated cmd token. The line is wrapped for display purposes.

<cmd><arge>WINDOWID=6823679</arge>
<arge>COLORTERM=gnome-terminal</arge>
<arge>...LANG=C</arge>...<arge>HOST=system1</arge>
<arge>LPDEST=printer1</arge>...</cmd>

exec_args Token

The exec_args token records the arguments to an exec() system call.

The praudit command shows the fields of the exec_args token as follows:

<exec_args><arg>/usr/bin/sh</arg><arg>/usr/bin/hostname</arg></exec_args>

Note - The exec_args token is output only when the argv audit policy option is active.

exec_env Token

The exec_env token records the current environment variables to an exec() system call.

The praudit command shows the fields of the exec_env token. The line in the following example is wrapped for display purposes.

<exec_env><env>_=/usr/bin/hostname</env>
<env>LANG=C</env><env>PATH=/usr/bin</env>
<env>LOGNAME=jdoe</env><env>USER=jdoe</env>
<env>DISPLAY=:0</env><env>SHELL=/bin/csh</env>
<env>HOME=/home/jdoe</env><env>PWD=/home/jdoe</env><env>TZ=US/Pacific</env>
</exec_env>

Note - The exec_env token is output only when the arge audit policy option is active.

file Token

The file token is a special token that marks the beginning of a new audit file and the end of an old audit file as the old file is deactivated. The initial file token identifies the previous file in the audit trail. The final file token identifies the next file in the audit trail. These tokens link successive audit files into one audit trail.

The praudit command shows the fields of the file token. The line in the following example is wrapped for display purposes.

<file iso8601="2009-04-08 14:18:26.200 -07:00">
/var/audit/system1/files/20090408211826.not_terminated.system1</file>

fmri Token

The fmri token records the use of a fault management resource indicator (FMRI). For more information, see the fmri(5) man page.

The praudit command shows the content of the fmri token as follows:

<fmri service_instance="svc:/system/cryptosvc"</fmri>

group Token

The group token records the group entries from the process's credential. The group token is output only when the group audit policy option is active.

The praudit command shows the fields of the group token as follows:

<group><gid>staff</gid><gid>other</gid></group>

header Token

The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.

    Infrequently, a header token can include one or more event modifiers:

  • fe indicates a failed audit event

  • fp indicates the failed use of privilege

  • na indicates a non-attributable event

    header,52,2,system booted,na,mach1,2011-10-10 10:10:20.564 -07:00
  • rd indicates that data is read from the object

  • sp indicates the successful use of privilege

    header,120,2,exit(2),sp,mach1,2011-10-10 10:10:20.853 -07:00
  • wr indicates that data is written to the object

The praudit command displays the header token as follows:

header,756,2,execve(2),,system1,2010-10-10 12:11:20.209 -07:00

The praudit command displays the fields of the header token at the beginning of the audit record. The line in the following example is wrapped for display purposes.

<record version="2" event="execve(2)" host="system1"
iso8601="2010-10-10 12:11:20.209 -07:00">

ip address Token

The ip address token contains an Internet Protocol address (IP address). The IP address can be displayed in IPv4 or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe the address type, and 16 bytes to describe the address.

The praudit command shows the content of the ip address token as follows:

<ip_address>system1</ip_address>

ip port Token

The ip port token contains the TCP or UDP port address.

The praudit command displays the ip port token as follows:

ip port,0xf6d6

ipc Token

The ipc token contains the System V IPC message handle, semaphore handle, or shared-memory handle that is used by the caller to identify a particular IPC object.

The IPC object identifiers violate the context-free nature of the audit tokens. No global "name" uniquely identifies IPC objects. Instead, IPC objects are identified by their handles. The handles are valid only during the time that the IPC objects are active. However, the identification of IPC objects should not be a problem. The System V IPC mechanisms are seldom used, and the mechanisms all share the same audit class.

The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.

Table 9  Values for the IPC Object Type Field
Name
Value
Description
AU_IPC_MSG
1
IPC message object
AU_IPC_SEM
2
IPC semaphore object
AU_IPC_SHM
3
IPC shared-memory object

The praudit command shows the fields of the ipc token as follows:

<IPC ipc-type="shm" ipc-id="15"/>

IPC_perm Token

The IPC_perm token contains a copy of the System V IPC access permissions. This token is added to audit records that are generated by IPC shared-memory events, IPC semaphore events, and IPC message events.

The praudit command shows the fields of the IPC_perm token. The line in the following example is wrapped for display purposes.

<IPC_perm uid="jdoe" gid="staff" creator-uid="jdoe"
creator-gid="staff" mode="100600" seq="0" key="0x0"/>

The values are taken from the IPC_perm structure that is associated with the IPC object.

path Token

The path token contains access path information for an object.

The praudit command shows the content of the path token as follows:

<path>/export/home/srv/.xsession-errors</path>

path_attr Token

The path_attr token contains access path information for an object. The access path specifies the sequence of attribute file objects below the path token object. Systems calls such as openat() access attribute files. For more information about attribute file objects, see the fsattr(5) man page.

The praudit command displays the path_attr token as follows:

path_attr,1,attr_file_name

privilege Token

The privilege token records the use of privileges on a process. The privilege token is not recorded for privileges in the basic set. If a privilege has been removed from the basic set by administrative action, then the use of that privilege is recorded. For more information about privileges, see Process Rights Management in Securing Users and Processes in Oracle Solaris 11.3.

The praudit command shows the fields of the privilege token.

<privilege set-type="Inheritable">ALL</privilege>

process Token

The process token contains information about a user who is associated with a process, such as the recipient of a signal.

The praudit command shows the fields of the process token. The line in the following example is wrapped for display purposes.

<process audit-uid="-2" uid="root" gid="root" ruid="root"
rgid="root" pid="567" sid="0" tid="0 0 0.0.0.0"/>

return Token

The return token contains the return status of the system call (u_error) and the process return value (u_rval1).

The return token is always returned as part of kernel-generated audit records for system calls. In application auditing, this token indicates exit status and other return values.

The praudit command displays the return token for a system call as follows:

return,failure: Operation now in progress,-1

The praudit command shows the fields of the return token as follows:

<return errval="failure: Operation now in progress" retval="-1/">

sequence Token

The sequence token contains a sequence number. The sequence number is incremented every time an audit record is added to the audit trail. The sequence token is output only when the seq audit policy option is active. This token is useful for debugging.

The praudit command shows the content of the sequence token:

<sequence seq-num="1292"/>

socket Token

The socket token contains information that describes an Internet socket. In some circumstances, the token includes only the remote port and remote IP address.

The praudit command displays this instance of the socket token as follows:

socket,0x0002,0x83b1,localhost

The expanded token adds information, including socket type and local port information.

The praudit command displays this instance of the socket token as follows. The line in the following example is wrapped for display purposes.

<socket sock_domain="0x0002" sock_type="0x0002" lport="0x83cf"
laddr="example1" fport="0x2383" faddr="server1.Subdomain.Domain.COM"/>

subject Token

The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token.

The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:

subject,jdoe,root,root,root,root,1631,1421584480,8243 65558 system1

The praudit command shows the fields of the subject token. The line in the following example is wrapped for display purposes.

<subject audit-uid="jdoe" uid="root" gid="root" ruid="root"
rgid="root" pid="1631" sid="1421584480" tid="8243 65558 system1"/>

text Token

The text token contains a text string.

The praudit command shows the content of the text token as follows:

<text>booting kernel</text>

trailer Token

The two tokens, header and trailer, are special in that they distinguish the beginning and end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token, and is added as the last token of each record only when the trail audit policy option has been set.

When an audit record is generated with trailers turned on, the auditreduce command can verify that the trailer token correctly points back to the record header. The trailer token supports backward seeks of the audit trail.

The praudit command displays the trailer token as follows:

trailer,136

use of authorization Token

The use of authorization token records the use of authorizations.

The praudit command displays the use of authorization token as follows:

use of authorization,solaris.role.delegate

use of privilege Token

The use of privilege token records the use of privileges.

The praudit command shows the fields of the use of privilege token as follows:

<use_of_privilege result="successful use of priv">proc_setid</use_of_privilege>

user Token

The user token records the user name and user ID. This token is present if the user name is different from the caller.

The praudit command shows the fields of the user token as follows:

<user uid="123456" username="tester1"/>

xclient Token

The xclient token contains the number of the client connection to the X server.

The praudit command shows the content of the xclient token as follows:

<X_client>15</X_client>

zonename Token

The zonename token records the zone in which the audit event occurred. The string "global" indicates audit events that occur in the global zone.

The praudit command shows the content of the zonename token as follows:

<zone name="graphzone"/>