audit.log.5 (185573) audit.log.5 (186647)
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
3.\" Copyright (c) 2008 Apple Inc.
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright

--- 7 unchanged lines hidden (view full) ---

18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright

--- 7 unchanged lines hidden (view full) ---

19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#19 $
27.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#23 $
27.\"
28.Dd November 5, 2006
29.Dt AUDIT.LOG 5
30.Os
31.Sh NAME
32.Nm audit
33.Nd "Basic Security Module (BSM) file format"
34.Sh DESCRIPTION
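
Review bot: `.Dd November 5, 2006` is unchanged on both sides (old line 28, new line 29) even though this revision changes the documented token layouts and adds a 2008 copyright line. Bump `.Dd` to the date of this change so readers can tell which revision of the format description they are looking at.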

--- 99 unchanged lines hidden (view full) ---

134.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
135.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
136.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
137.El
138.Ss Trailer Token
139The
140.Dq trailer
141terminates a BSM audit record, and contains a magic number,
28.\"
29.Dd November 5, 2006
30.Dt AUDIT.LOG 5
31.Os
32.Sh NAME
33.Nm audit
34.Nd "Basic Security Module (BSM) file format"
35.Sh DESCRIPTION

--- 99 unchanged lines hidden (view full) ---

135.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
136.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
137.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
138.El
139.Ss Trailer Token
140The
141.Dq trailer
142terminates a BSM audit record, and contains a magic number,
142.Dv TRAILER_PAD_MAGIC
143.Dv AUT_TRAILER_MAGIC
143and length that can be used to validate that the record was read properly.
144A
145.Dq trailer
146token can be created using
147.Xr au_to_trailer 3 .
148.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
149.It Sy "Field Bytes Description"
150.It "Token ID 1 byte Token ID"
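
Review bot: with the constant renamed, the sentence at new lines 142-144 renders as "a magic number, AUT_TRAILER_MAGIC and length that can be used to validate ...", which reads as a three-item list. Put the closing comma on the macro line (`.Dv AUT_TRAILER_MAGIC ,`) so the constant is clearly the name of the magic number. The table header and Token ID row that follow are also still in the single-string form, while the expanded socket table in this same change moves to `Li`/`Ta` cells; converting them here would keep the page consistent.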

--- 359 unchanged lines hidden (view full) ---

510.Dq exec_args
511token contains informations about arguements of the exec() system call.
512An exec_args token may be created using
513.Xr au_to_exec_args 3 .
514.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
515.It Sy "Field Bytes Description"
516.It "Token ID 1 byte Token ID"
517.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
144and length that can be used to validate that the record was read properly.
145A
146.Dq trailer
147token can be created using
148.Xr au_to_trailer 3 .
149.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
150.It Sy "Field Bytes Description"
151.It "Token ID 1 byte Token ID"

--- 359 unchanged lines hidden (view full) ---

511.Dq exec_args
512token contains informations about arguements of the exec() system call.
513An exec_args token may be created using
514.Xr au_to_exec_args 3 .
515.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
516.It Sy "Field Bytes Description"
517.It "Token ID 1 byte Token ID"
518.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
518.It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
519.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
519.El
520.Ss exec_env Token
521The
522.Dq exec_env
523token contains current eviroment variables to an exec() system call.
524An exec_args token may be created using
525.Xr au_to_exec_env 3 .
526.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
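
Review bot: the exec_env paragraph in the trailing context (new line 525) says "An exec_args token may be created using" just before `.Xr au_to_exec_env 3`, which looks like a copy of the exec_args text; it should name the exec_env token. While touching new line 519, consider "NUL-terminated" to match the "+ 1 NUL" wording in the column template, and fix "informations about arguements" (new line 512) and "eviroment" (new line 524) in the same pass.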

--- 28 unchanged lines hidden (view full) ---

555.Xr au_to_sock_inet128 3 .
556.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
557.It Sy "Field" Ta Sy Bytes Ta Sy Description
558.It Li "Token ID" Ta "1 byte" Ta "Token ID"
559.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
560.It Li "Local port" Ta "2 bytes" Ta "Local port"
561.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
562.El
520.El
521.Ss exec_env Token
522The
523.Dq exec_env
524token contains current eviroment variables to an exec() system call.
525An exec_args token may be created using
526.Xr au_to_exec_env 3 .
527.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"

--- 28 unchanged lines hidden (view full) ---

556.Xr au_to_sock_inet128 3 .
557.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
558.It Sy "Field" Ta Sy Bytes Ta Sy Description
559.It Li "Token ID" Ta "1 byte" Ta "Token ID"
560.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
561.It Li "Local port" Ta "2 bytes" Ta "Local port"
562.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
563.El
564.Ss Expanded Socket Token
565The
566.Dq expanded socket
567token contains information about IPv4 and IPv6 sockets.
568A
569.Dq expanded socket
570token can be created using
571.Xr au_to_socket_ex 3 .
563.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
564.It Sy "Field Bytes Description"
572.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
573.It Sy "Field Bytes Description"
565.It "Token ID 1 byte Token ID"
566.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
567.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
568.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
574.It Li "Token ID" Ta "1 byte" Ta "Token ID"
575.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
576.It Li "Socket type" Ta "2 bytes" Ta "Socket type"
577.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
569.It Li "Local port" Ta "2 bytes" Ta "Local port"
570.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
571.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
572.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
573.El
578.It Li "Local port" Ta "2 bytes" Ta "Local port"
579.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
580.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
581.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
582.El
574.Ss Expanded Socket Token
575The
576.Dq expanded socket
577token contains information about IPv4 and IPv6 sockets.
578.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
579.It Sy "Field Bytes Description"
580.It "Token ID 1 byte Token ID"
581.It XXXXX
582.El
583.Ss Seq Token
584The
585.Dq seq
586token contains a unique and monotonically increasing audit event sequence ID.
587Due to the limited range of 32 bits, serial number arithmetic and caution
588should be used when comparing sequence numbers.
589.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
590.It Sy "Field Bytes Description"
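
Review bot: new line 577 gives Address type as "2 byte"; make it "2 bytes". The same table narrows Socket domain from 4 to 2 bytes, widens Address type from 1 to 2 bytes and renames Socket family to Socket type, so any log parser written from the previous page will read the ports and addresses at the wrong offsets. The commit message should state that the widths now follow what au_to_socket_ex(3) writes, assuming that is the reason for the change. Dropping the old placeholder section with `.It XXXXX` is the right call.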

--- 88 unchanged lines hidden ---
583.Ss Seq Token
584The
585.Dq seq
586token contains a unique and monotonically increasing audit event sequence ID.
587Due to the limited range of 32 bits, serial number arithmetic and caution
588should be used when comparing sequence numbers.
589.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
590.It Sy "Field Bytes Description"

--- 88 unchanged lines hidden ---