audit.log.5 (155290) | audit.log.5 (155364) |
---|---|
1.\"- 2.\" Copyright (c) 2005 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" | 1.\"- 2.\" Copyright (c) 2005 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" |
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#7 $ | 26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $ |
27.\" 28.Dd May 1, 2005 29.Dt AUDIT.LOG 5 30.Os 31.Sh NAME 32.Nm audit 33.Nd "Basic Security Module (BSM) File Format" 34.Sh DESCRIPTION --- 164 unchanged lines hidden (view full) --- 199.It XXXX 200.El 201.Ss ip Token 202The 203.Dv ip 204token contains an IP packet header in network byte order. 205An 206.Dv ip | 27.\" 28.Dd May 1, 2005 29.Dt AUDIT.LOG 5 30.Os 31.Sh NAME 32.Nm audit 33.Nd "Basic Security Module (BSM) File Format" 34.Sh DESCRIPTION --- 164 unchanged lines hidden (view full) --- 199.It XXXX 200.El 201.Ss ip Token 202The 203.Dv ip 204token contains an IP packet header in network byte order. 205An 206.Dv ip |
207token can be cread using | 207token can be created using |
208.Xr au_to_ip 3 . 209.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 210.It Sy "Field" Ta Sy Bytes Ta Sy Description 211.It Li "Token ID" Ta "1 byte" Ta "Token ID" 212.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" 213.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" 214.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" 215.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" --- 28 unchanged lines hidden (view full) --- 244.El 245.Ss Path Token 246The 247.Dv path 248token contains a pathname. 249A 250.Dv path 251token can be created using | 208.Xr au_to_ip 3 . 209.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 210.It Sy "Field" Ta Sy Bytes Ta Sy Description 211.It Li "Token ID" Ta "1 byte" Ta "Token ID" 212.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" 213.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" 214.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" 215.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" --- 28 unchanged lines hidden (view full) --- 244.El 245.Ss Path Token 246The 247.Dv path 248token contains a pathname. 249A 250.Dv path 251token can be created using |
252.Xr auto_path 3 . | 252.Xr au_to_path 3 . |
253.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 254.It Sy "Field" Ta Sy Bytes Ta Sy Description 255.It Li "Token ID" Ta "1 byte" Ta "Token ID" 256.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" 257.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" 258.El 259.Ss path_attr Token 260The 261.Dv path_attr 262token contains a set of nul-terminated path names. 263The 264.Xr libbsm 3 | 253.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 254.It Sy "Field" Ta Sy Bytes Ta Sy Description 255.It Li "Token ID" Ta "1 byte" Ta "Token ID" 256.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" 257.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" 258.El 259.Ss path_attr Token 260The 261.Dv path_attr 262token contains a set of nul-terminated path names. 263The 264.Xr libbsm 3 |
265API cannot currently create an | 265API cannot currently create a |
266.Dv path_attr 267token. 268.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 269.It Sy "Field" Ta Sy Bytes Ta Sy Description 270.It Li "Token ID" Ta "1 byte" Ta "Token ID" 271.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" 272.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" 273.El --- 4 unchanged lines hidden (view full) --- 278involved as the target of an auditable event, such as the destination for 279signal delivery. 280It should not be confused with the 281.Dv subject 282token, which describes the subject performing an auditable event. 283This includes both the traditional 284.Ux 285security properties, such as user IDs and group IDs, but also audit | 266.Dv path_attr 267token. 268.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 269.It Sy "Field" Ta Sy Bytes Ta Sy Description 270.It Li "Token ID" Ta "1 byte" Ta "Token ID" 271.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" 272.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" 273.El --- 4 unchanged lines hidden (view full) --- 278involved as the target of an auditable event, such as the destination for 279signal delivery. 280It should not be confused with the 281.Dv subject 282token, which describes the subject performing an auditable event. 283This includes both the traditional 284.Ux 285security properties, such as user IDs and group IDs, but also audit |
286information such as the audit user ID and sesion. | 286information such as the audit user ID and session. |
287A 288.Dv process 289token can be created using 290.Xr au_to_process32 3 291or 292.Xr au_to_process64 3 . 293.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 294.It Sy "Field" Ta Sy Bytes Ta Sy Description --- 10 unchanged lines hidden (view full) --- 305.El 306.Ss Expanded Process Token 307The 308.Dv expanded process 309token contains the contents of the 310.Dv process 311token, with the addition of a machine address type and variable length 312address storage capable of containing IPv6 addresses. | 287A 288.Dv process 289token can be created using 290.Xr au_to_process32 3 291or 292.Xr au_to_process64 3 . 293.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 294.It Sy "Field" Ta Sy Bytes Ta Sy Description --- 10 unchanged lines hidden (view full) --- 305.El 306.Ss Expanded Process Token 307The 308.Dv expanded process 309token contains the contents of the 310.Dv process 311token, with the addition of a machine address type and variable length 312address storage capable of containing IPv6 addresses. |
313A | 313An |
314.Dv expanded process 315token can be created using 316.Xr au_to_process32_ex 3 317or | 314.Dv expanded process 315token can be created using 316.Xr au_to_process32_ex 3 317or |
318.Xr au_to_process64 3 . | 318.Xr au_to_process64_ex 3 . |
319.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 320.It Sy "Field" Ta Sy Bytes Ta Sy Description 321.It Li "Token ID" Ta "1 byte" Ta "Token ID" 322.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 323.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 324.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 325.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 326.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" --- 53 unchanged lines hidden (view full) --- 380.El 381.Ss Expanded Subject Token 382The 383.Dv expanded subject 384token consists of the same elements as the 385.Dv subject 386token, with the addition of type/length and variable size machine address 387information in the terminal ID. | 319.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 320.It Sy "Field" Ta Sy Bytes Ta Sy Description 321.It Li "Token ID" Ta "1 byte" Ta "Token ID" 322.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 323.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 324.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 325.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 326.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" --- 53 unchanged lines hidden (view full) --- 380.El 381.Ss Expanded Subject Token 382The 383.Dv expanded subject 384token consists of the same elements as the 385.Dv subject 386token, with the addition of type/length and variable size machine address 387information in the terminal ID. |
388A | 388An |
389.Dv expanded subject 390token can be created using 391.Xr au_to_subject32_ex 3 392or 393.Xr au_to_subject64_ex 3 . 394.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 395.It Sy "Field" Ta Sy Bytes Ta Sy Description 396.It Li "Token ID" Ta "1 byte" Ta "Token ID" --- 10 unchanged lines hidden (view full) --- 407.El 408.Ss System V IPC Token 409The 410.Dv System V IPC 411token ... 412.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 413.It Sy "Field" Ta Sy Bytes Ta Sy Description 414.It Li "Token ID" Ta "1 byte" Ta "Token ID" | 389.Dv expanded subject 390token can be created using 391.Xr au_to_subject32_ex 3 392or 393.Xr au_to_subject64_ex 3 . 394.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 395.It Sy "Field" Ta Sy Bytes Ta Sy Description 396.It Li "Token ID" Ta "1 byte" Ta "Token ID" --- 10 unchanged lines hidden (view full) --- 407.El 408.Ss System V IPC Token 409The 410.Dv System V IPC 411token ... 412.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 413.It Sy "Field" Ta Sy Bytes Ta Sy Description 414.It Li "Token ID" Ta "1 byte" Ta "Token ID" |
415.It Li "object ID type" Ta "1 byte" Ta "Object ID" | 415.It Li "Object ID type" Ta "1 byte" Ta "Object ID" |
416.It Li "Object ID" Ta "4 bytes" Ta "Object ID" 417.El 418.Ss Text Token 419The 420.Dv text 421token contains a single nul-terminated text string. 422A 423.Dv text --- 9 unchanged lines hidden (view full) --- 433The 434.Dv attribute 435token describes the attributes of a file associated with the audit event. 436As files may be identified by 0, 1, or many path names, a path name is not 437included with the attribute block for a file; optional 438.Dv path 439tokens may also be present in an audit record indicating which path, if any, 440was used to reach the object. | 416.It Li "Object ID" Ta "4 bytes" Ta "Object ID" 417.El 418.Ss Text Token 419The 420.Dv text 421token contains a single nul-terminated text string. 422A 423.Dv text --- 9 unchanged lines hidden (view full) --- 433The 434.Dv attribute 435token describes the attributes of a file associated with the audit event. 436As files may be identified by 0, 1, or many path names, a path name is not 437included with the attribute block for a file; optional 438.Dv path 439tokens may also be present in an audit record indicating which path, if any, 440was used to reach the object. |
441A | 441An |
442.Dv attribute 443token can be created using 444.Xr au_to_attr32 3 445or 446.Xr au_to_attr64 3 . 447.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 448.It Sy "Field" Ta Sy Bytes Ta Sy Description 449.It Li "Token ID" Ta "1 byte" Ta "Token ID" --- 138 unchanged lines hidden (view full) --- 588.Dv zonename 589token ... 590.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 591.It Sy "Field" Ta Sy Bytes Ta Sy Description 592.It Li "Token ID" Ta "1 byte" Ta "Token ID" 593.It Li XXXXX 594.El 595.Sh SEE ALSO | 442.Dv attribute 443token can be created using 444.Xr au_to_attr32 3 445or 446.Xr au_to_attr64 3 . 447.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 448.It Sy "Field" Ta Sy Bytes Ta Sy Description 449.It Li "Token ID" Ta "1 byte" Ta "Token ID" --- 138 unchanged lines hidden (view full) --- 588.Dv zonename 589token ... 590.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 591.It Sy "Field" Ta Sy Bytes Ta Sy Description 592.It Li "Token ID" Ta "1 byte" Ta "Token ID" 593.It Li XXXXX 594.El 595.Sh SEE ALSO |
596.Xr audit 8, 597.Xr libbsm 3 | 596.Xr libbsm 3 , 597.Xr audit 8 |
598.Sh AUTHORS 599The Basic Security Module (BSM) interface to audit records and audit event 600stream format were defined by Sun Microsystems. 601.Pp 602This manual page was written by 603.An Robert Watson Aq rwatson@FreeBSD.org . 604.Sh HISTORY 605The OpenBSM implementation was created by McAfee Research, the security --- 20 unchanged lines hidden --- | 598.Sh AUTHORS 599The Basic Security Module (BSM) interface to audit records and audit event 600stream format were defined by Sun Microsystems. 601.Pp 602This manual page was written by 603.An Robert Watson Aq rwatson@FreeBSD.org . 604.Sh HISTORY 605The OpenBSM implementation was created by McAfee Research, the security --- 20 unchanged lines hidden --- |
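
Review bot: the row at line 324 of the Expanded Process Token table still reads `.It Li "Effective Group ID "Ta "4 bytes"` in both columns, with the closing quote placed after a trailing space and no space before `Ta`. This revision corrects the `.Xr au_to_process64_ex 3` reference at line 318 but leaves that entry untouched a few lines below it. Suggest `.It Li "Effective Group ID" Ta "4 bytes" Ta "Effective group ID"` so that `Ta` stands as its own word, as it does in the neighbouring rows.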
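
Review bot: at line 415 of the System V IPC Token table only the field name is capitalised. The description column for the 1-byte "Object ID type" row still reads "Object ID", identical to the description of the 4-byte "Object ID" row at line 416. Suggest changing the description on line 415 to "Object ID type" so the two fields can be told apart by someone decoding the token from this table.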