audit.log.5 (155290) audit.log.5 (155364)
1.\"-
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\" notice, this list of conditions and the following disclaimer in the
12.\" documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
1.\"-
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\" notice, this list of conditions and the following disclaimer in the
12.\" documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#7 $
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $
27.\"
28.Dd May 1, 2005
29.Dt AUDIT.LOG 5
30.Os
31.Sh NAME
32.Nm audit
33.Nd "Basic Security Module (BSM) File Format"
34.Sh DESCRIPTION
35The
36.Nm
37file format is based on Sun's Basic Security Module (BSM) file format, a
38token-based record stream to represent system audit data.
39This file format is both flexible and extensible, able to describe a broad
40range of data types, and easily extended to describe new data types in a
41moderately backward and forward compatible way.
42.Pp
43BSM token streams typically begin and end with a
44.Dv file
45token, which provides time stamp and file name information for the stream;
46when processing a BSM token stream from a stream as opposed to a single file
47source, file tokens may be seen at any point between ordinary records
48identifying when particular parts of the stream begin and end.
49All other tokens will appear in the context of a complete BSM audit record,
50which begins with a
51.Dv header
52token, and ends with a
53.Dv trailer
54token, which describe the audit record.
55Between these two tokens will appear a variety of data tokens, such as
56process information, file path names, IPC object information, MAC labels,
57socket information, and so on.
58.Pp
59The BSM file format defines specific token orders for each record event type;
60however, some variation may occur depending on the operating system in use,
61what system options, such as mandatory access control, are present.
62.Pp
63This manual page documents the common token types and their binary format, and
64is intended for reference purposes only.
65It is recommended that application programmers use the
66.Xr libbsm 3
67interface to read and write tokens, rather than parsing or constructing
68records by hand.
69.Ss File Token
70The
71.Dv file
72token is used at the beginning and end of an audit log file to indicate
73when the audit log begins and ends.
74It includes a pathname so that, if concatenated together, original file
75boundaries are still observable, and gaps in the audit log can be identified.
76A
77.Dv file
78token can be created using
79.Xr au_to_file 3 .
80.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
81.It Sy "Field" Ta Sy Bytes Ta Sy Description
82.It Li "Token ID" Ta "1 byte" Ta "Token ID"
83.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
84.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
85.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
86.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
87.El
88.Ss Header Token
89The
90.Dv header
91token is used to mark the beginning of a complete audit record, and includes
92the length of the total record in bytes, a version number for the record
93layout, the event type and subtype, and the time at which the event occurred.
94A
95.Dv header
96token can be created using
97.Xr au_to_header32 3 .
98.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
99.It Sy "Field" Ta Sy Bytes Ta Sy Description
100.It Li "Token ID" Ta "1 byte" Ta "Token ID"
101.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
102.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
103.It Li "Event Type" Ta "2 bytes" Ta "Event type"
104.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
105.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
106.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
107.El
108.Ss Expanded Header Token
109The
110.Dv expanded header
111token is an expanded version of the
112.Dv header
113token, with the addition of a machine IPv4 or IPv6 address.
114The
115.Xr libbsm 3
116API cannot currently create an
117.Dv expanded header
118token.
119.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
120.It Sy "Field" Ta Sy Bytes Ta Sy Description
121.It Li "Token ID" Ta "1 byte" Ta "Token ID"
122.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
123.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
124.It Li "Event Type" Ta "2 bytes" Ta "Event type"
125.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
126.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
127.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
128.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
129.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
130.El
131.Ss Trailer Token
132The
133.Dv trailer
134terminates a BSM audit record, and contains a magic number,
135.Dv TRAILER_PAD_MAGIC
136and length that can be used to validate that the record was read properly.
137A
138.Dv trailer
139token can be created using
140.Xr au_to_trailer 3 .
141.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
142.It Sy "Field" Ta Sy Bytes Ta Sy Description
143.It Li "Token ID" Ta "1 byte" Ta "Token ID"
144.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
145.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
146.El
147.Ss Arbitrary Data Token
148The
149.Dv arbitrary data
150token contains a byte stream of opaque (untyped) data.
151The size of the data is calculated as the size of each unit of data
152multipled by the number of units of data.
153A
154.Dv How to print
155field is present to specify how to print the data, but interpretation of
156that field is not currently defined.
157The
158.Xr libbsm 3
159API cannot currently create an
160.Dv arbitrary data
161token.
162.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
163.It Sy "Field" Ta Sy Bytes Ta Sy Description
164.It Li "Token ID" Ta "1 byte" Ta "Token ID"
165.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
166.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
167.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
168.It Li "Data Items" Ta "Variable" Ta "User data"
169.El
170.Ss in_addr Token
171The
172.Dv in_addr
173token holds a network byte order IPv4 or IPv6 address.
174An
175.Dv in_addr
176token can be created using
177.Xr au_to_in_addr 3
178for an IPv4 address, or
179.Xr au_to_in_addr_ex 3
180for an IPv6 address.
181.Pp
182See the BUGS section for information on the storage of this token.
183.Pp
184.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
185.It Sy "Field" Ta Sy Bytes Ta Sy Description
186.It Li "Token ID" Ta "1 byte" Ta "Token ID"
187.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
188.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
189.El
190.Ss Expanded in_addr Token
191The
192.Dv expanded in_addr
193token ...
194.Pp
195See the BUGS section for information on the storage of this token.
196.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
197.It Sy "Field" Ta Sy Bytes Ta Sy Description
198.It Li "Token ID" Ta "1 byte" Ta "Token ID"
199.It XXXX
200.El
201.Ss ip Token
202The
203.Dv ip
204token contains an IP packet header in network byte order.
205An
206.Dv ip
27.\"
28.Dd May 1, 2005
29.Dt AUDIT.LOG 5
30.Os
31.Sh NAME
32.Nm audit
33.Nd "Basic Security Module (BSM) File Format"
34.Sh DESCRIPTION
35The
36.Nm
37file format is based on Sun's Basic Security Module (BSM) file format, a
38token-based record stream to represent system audit data.
39This file format is both flexible and extensible, able to describe a broad
40range of data types, and easily extended to describe new data types in a
41moderately backward and forward compatible way.
42.Pp
43BSM token streams typically begin and end with a
44.Dv file
45token, which provides time stamp and file name information for the stream;
46when processing a BSM token stream from a stream as opposed to a single file
47source, file tokens may be seen at any point between ordinary records
48identifying when particular parts of the stream begin and end.
49All other tokens will appear in the context of a complete BSM audit record,
50which begins with a
51.Dv header
52token, and ends with a
53.Dv trailer
54token, which describe the audit record.
55Between these two tokens will appear a variety of data tokens, such as
56process information, file path names, IPC object information, MAC labels,
57socket information, and so on.
58.Pp
59The BSM file format defines specific token orders for each record event type;
60however, some variation may occur depending on the operating system in use,
61what system options, such as mandatory access control, are present.
62.Pp
63This manual page documents the common token types and their binary format, and
64is intended for reference purposes only.
65It is recommended that application programmers use the
66.Xr libbsm 3
67interface to read and write tokens, rather than parsing or constructing
68records by hand.
69.Ss File Token
70The
71.Dv file
72token is used at the beginning and end of an audit log file to indicate
73when the audit log begins and ends.
74It includes a pathname so that, if concatenated together, original file
75boundaries are still observable, and gaps in the audit log can be identified.
76A
77.Dv file
78token can be created using
79.Xr au_to_file 3 .
80.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
81.It Sy "Field" Ta Sy Bytes Ta Sy Description
82.It Li "Token ID" Ta "1 byte" Ta "Token ID"
83.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
84.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
85.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
86.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
87.El
88.Ss Header Token
89The
90.Dv header
91token is used to mark the beginning of a complete audit record, and includes
92the length of the total record in bytes, a version number for the record
93layout, the event type and subtype, and the time at which the event occurred.
94A
95.Dv header
96token can be created using
97.Xr au_to_header32 3 .
98.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
99.It Sy "Field" Ta Sy Bytes Ta Sy Description
100.It Li "Token ID" Ta "1 byte" Ta "Token ID"
101.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
102.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
103.It Li "Event Type" Ta "2 bytes" Ta "Event type"
104.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
105.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
106.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
107.El
108.Ss Expanded Header Token
109The
110.Dv expanded header
111token is an expanded version of the
112.Dv header
113token, with the addition of a machine IPv4 or IPv6 address.
114The
115.Xr libbsm 3
116API cannot currently create an
117.Dv expanded header
118token.
119.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
120.It Sy "Field" Ta Sy Bytes Ta Sy Description
121.It Li "Token ID" Ta "1 byte" Ta "Token ID"
122.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
123.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
124.It Li "Event Type" Ta "2 bytes" Ta "Event type"
125.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
126.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
127.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
128.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
129.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
130.El
131.Ss Trailer Token
132The
133.Dv trailer
134terminates a BSM audit record, and contains a magic number,
135.Dv TRAILER_PAD_MAGIC
136and length that can be used to validate that the record was read properly.
137A
138.Dv trailer
139token can be created using
140.Xr au_to_trailer 3 .
141.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
142.It Sy "Field" Ta Sy Bytes Ta Sy Description
143.It Li "Token ID" Ta "1 byte" Ta "Token ID"
144.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
145.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
146.El
147.Ss Arbitrary Data Token
148The
149.Dv arbitrary data
150token contains a byte stream of opaque (untyped) data.
151The size of the data is calculated as the size of each unit of data
152multipled by the number of units of data.
153A
154.Dv How to print
155field is present to specify how to print the data, but interpretation of
156that field is not currently defined.
157The
158.Xr libbsm 3
159API cannot currently create an
160.Dv arbitrary data
161token.
162.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
163.It Sy "Field" Ta Sy Bytes Ta Sy Description
164.It Li "Token ID" Ta "1 byte" Ta "Token ID"
165.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
166.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
167.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
168.It Li "Data Items" Ta "Variable" Ta "User data"
169.El
170.Ss in_addr Token
171The
172.Dv in_addr
173token holds a network byte order IPv4 or IPv6 address.
174An
175.Dv in_addr
176token can be created using
177.Xr au_to_in_addr 3
178for an IPv4 address, or
179.Xr au_to_in_addr_ex 3
180for an IPv6 address.
181.Pp
182See the BUGS section for information on the storage of this token.
183.Pp
184.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
185.It Sy "Field" Ta Sy Bytes Ta Sy Description
186.It Li "Token ID" Ta "1 byte" Ta "Token ID"
187.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
188.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
189.El
190.Ss Expanded in_addr Token
191The
192.Dv expanded in_addr
193token ...
194.Pp
195See the BUGS section for information on the storage of this token.
196.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
197.It Sy "Field" Ta Sy Bytes Ta Sy Description
198.It Li "Token ID" Ta "1 byte" Ta "Token ID"
199.It XXXX
200.El
201.Ss ip Token
202The
203.Dv ip
204token contains an IP packet header in network byte order.
205An
206.Dv ip
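Review bot: The File Token table still reads "File name lengh", and that row's description ("File name of audit trail") is copied from the pathname row instead of describing a length. The Nanoseconds rows of the Header and Expanded Header tables still read "4/8 byets", and the Arbitrary Data Token text has "multipled"; since this revision is a typo pass, fix these here too. The Header tables also give Seconds and Nanoseconds as "4/8 bytes" without saying how a reader tells the 32-bit layout from the 64-bit one, and the Expanded in_addr Token section is still a stub ("token ..." and ".It XXXX"). Both need text, or an explicit statement that the layout is not yet documented.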
207token can be cread using
207token can be created using
208.Xr au_to_ip 3 .
209.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
210.It Sy "Field" Ta Sy Bytes Ta Sy Description
211.It Li "Token ID" Ta "1 byte" Ta "Token ID"
212.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
213.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
214.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
215.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
216.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
217.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
218.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
219.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
220.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
221.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
222.El
223.Ss Expanded ip Token
224The
225.Dv expanded ip
226token ...
227.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
228.It Sy "Field" Ta Sy Bytes Ta Sy Description
229.It Li "Token ID" Ta "1 byte" Ta "Token ID"
230.It XXXX
231.El
232.Ss iport Token
233The
234.Dv iport
235token stores an IP port number in network byte order.
236An
237.Dv iport
238token can be created using
239.Xr au_to_iport 3 .
240.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
241.It Sy "Field" Ta Sy Bytes Ta Sy Description
242.It Li "Token ID" Ta "1 byte" Ta "Token ID"
243.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
244.El
245.Ss Path Token
246The
247.Dv path
248token contains a pathname.
249A
250.Dv path
251token can be created using
208.Xr au_to_ip 3 .
209.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
210.It Sy "Field" Ta Sy Bytes Ta Sy Description
211.It Li "Token ID" Ta "1 byte" Ta "Token ID"
212.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
213.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
214.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
215.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
216.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
217.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
218.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
219.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
220.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
221.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
222.El
223.Ss Expanded ip Token
224The
225.Dv expanded ip
226token ...
227.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
228.It Sy "Field" Ta Sy Bytes Ta Sy Description
229.It Li "Token ID" Ta "1 byte" Ta "Token ID"
230.It XXXX
231.El
232.Ss iport Token
233The
234.Dv iport
235token stores an IP port number in network byte order.
236An
237.Dv iport
238token can be created using
239.Xr au_to_iport 3 .
240.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
241.It Sy "Field" Ta Sy Bytes Ta Sy Description
242.It Li "Token ID" Ta "1 byte" Ta "Token ID"
243.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
244.El
245.Ss Path Token
246The
247.Dv path
248token contains a pathname.
249A
250.Dv path
251token can be created using
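Review bot: The last row of the ip Token table still reads "Desintation Address"; correct it to "Destination Address" alongside the "cread" fix in the same section. The Expanded ip Token section that follows has only "token ..." and an ".It XXXX" row, so either document its fields or state that the layout is not yet described.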
252.Xr auto_path 3 .
252.Xr au_to_path 3 .
253.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
254.It Sy "Field" Ta Sy Bytes Ta Sy Description
255.It Li "Token ID" Ta "1 byte" Ta "Token ID"
256.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
257.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
258.El
259.Ss path_attr Token
260The
261.Dv path_attr
262token contains a set of nul-terminated path names.
263The
264.Xr libbsm 3
253.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
254.It Sy "Field" Ta Sy Bytes Ta Sy Description
255.It Li "Token ID" Ta "1 byte" Ta "Token ID"
256.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
257.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
258.El
259.Ss path_attr Token
260The
261.Dv path_attr
262token contains a set of nul-terminated path names.
263The
264.Xr libbsm 3
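Review bot: In the Path Token table, "Path Length" is described as "Length of path in bytes" while the Path field is "N bytes + 1 nul", which leaves it unstated whether the length counts the terminating nul. Say which it is in the Path Length description; the page recommends libbsm over hand parsing, but anyone who does read the format from this table has to guess, and a wrong guess misaligns every token that follows in the record.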
265API cannot currently create an
265API cannot currently create a
266.Dv path_attr
267token.
268.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
269.It Sy "Field" Ta Sy Bytes Ta Sy Description
270.It Li "Token ID" Ta "1 byte" Ta "Token ID"
271.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
272.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
273.El
274.Ss Process Token
275The
276.Dv process
277token contains a description of the security properties of a process
278involved as the target of an auditable event, such as the destination for
279signal delivery.
280It should not be confused with the
281.Dv subject
282token, which describes the subject performing an auditable event.
283This includes both the traditional
284.Ux
285security properties, such as user IDs and group IDs, but also audit
266.Dv path_attr
267token.
268.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
269.It Sy "Field" Ta Sy Bytes Ta Sy Description
270.It Li "Token ID" Ta "1 byte" Ta "Token ID"
271.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
272.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
273.El
274.Ss Process Token
275The
276.Dv process
277token contains a description of the security properties of a process
278involved as the target of an auditable event, such as the destination for
279signal delivery.
280It should not be confused with the
281.Dv subject
282token, which describes the subject performing an auditable event.
283This includes both the traditional
284.Ux
285security properties, such as user IDs and group IDs, but also audit
286information such as the audit user ID and sesion.
286information such as the audit user ID and session.
287A
288.Dv process
289token can be created using
290.Xr au_to_process32 3
291or
292.Xr au_to_process64 3 .
293.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
294.It Sy "Field" Ta Sy Bytes Ta Sy Description
295.It Li "Token ID" Ta "1 byte" Ta "Token ID"
296.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
297.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
298.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
299.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
300.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
301.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
302.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
303.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
304.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
305.El
306.Ss Expanded Process Token
307The
308.Dv expanded process
309token contains the contents of the
310.Dv process
311token, with the addition of a machine address type and variable length
312address storage capable of containing IPv6 addresses.
287A
288.Dv process
289token can be created using
290.Xr au_to_process32 3
291or
292.Xr au_to_process64 3 .
293.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
294.It Sy "Field" Ta Sy Bytes Ta Sy Description
295.It Li "Token ID" Ta "1 byte" Ta "Token ID"
296.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
297.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
298.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
299.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
300.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
301.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
302.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
303.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
304.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
305.El
306.Ss Expanded Process Token
307The
308.Dv expanded process
309token contains the contents of the
310.Dv process
311token, with the addition of a machine address type and variable length
312address storage capable of containing IPv6 addresses.
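Review bot: The "Effective Group ID" row of the Process Token table is written as .It Li "Effective Group ID "Ta, with the space inside the closing quote and none before Ta, unlike every other row; change it to "Effective Group ID" Ta. The sentence whose spelling is corrected here also reads "includes both ... but also"; "both ... and" would parse cleanly.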
313A
313An
314.Dv expanded process
315token can be created using
316.Xr au_to_process32_ex 3
317or
314.Dv expanded process
315token can be created using
316.Xr au_to_process32_ex 3
317or
318.Xr au_to_process64 3 .
318.Xr au_to_process64_ex 3 .
319.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
320.It Sy "Field" Ta Sy Bytes Ta Sy Description
321.It Li "Token ID" Ta "1 byte" Ta "Token ID"
322.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
323.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
324.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
325.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
326.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
327.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
328.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
329.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
330.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
331.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
332.El
333.Ss Return Token
334The
335.Dv return
336token contains a system call or library function return condition, including
337return value and error number associated with the global variable
338.Er errno .
339A
340.Dv return
341token can be created using
342.Xr au_to_return32 3
343or
344.Xr au_to_return64 3 .
345.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
346.It Sy "Field" Ta Sy Bytes Ta Sy Description
347.It Li "Token ID" Ta "1 byte" Ta "Token ID"
348.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
349.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
350.El
351.Ss Subject Token
352The
353.Dv subject
354token contains information on the subject performing the operation described
355by an audit record, and includes similar information to that found in the
356.Dv process
357and
358.Dv expanded process
359tokens.
360However, those tokens are used where the process being described is the
361target of the operation, not the authorizing party.
362A
363.Dv subject
364token can be created using
365.Xr au_to_subject32 3
366and
367.Xr au_to_subject64 3 .
368.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
369.It Sy "Field" Ta Sy Bytes Ta Sy Description
370.It Li "Token ID" Ta "1 byte" Ta "Token ID"
371.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
372.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
373.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
374.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
375.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
376.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
377.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
378.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
379.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
380.El
381.Ss Expanded Subject Token
382The
383.Dv expanded subject
384token consists of the same elements as the
385.Dv subject
386token, with the addition of type/length and variable size machine address
387information in the terminal ID.
319.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
320.It Sy "Field" Ta Sy Bytes Ta Sy Description
321.It Li "Token ID" Ta "1 byte" Ta "Token ID"
322.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
323.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
324.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
325.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
326.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
327.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
328.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
329.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
330.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
331.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
332.El
333.Ss Return Token
334The
335.Dv return
336token contains a system call or library function return condition, including
337return value and error number associated with the global variable
338.Er errno .
339A
340.Dv return
341token can be created using
342.Xr au_to_return32 3
343or
344.Xr au_to_return64 3 .
345.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
346.It Sy "Field" Ta Sy Bytes Ta Sy Description
347.It Li "Token ID" Ta "1 byte" Ta "Token ID"
348.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
349.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
350.El
351.Ss Subject Token
352The
353.Dv subject
354token contains information on the subject performing the operation described
355by an audit record, and includes similar information to that found in the
356.Dv process
357and
358.Dv expanded process
359tokens.
360However, those tokens are used where the process being described is the
361target of the operation, not the authorizing party.
362A
363.Dv subject
364token can be created using
365.Xr au_to_subject32 3
366and
367.Xr au_to_subject64 3 .
368.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
369.It Sy "Field" Ta Sy Bytes Ta Sy Description
370.It Li "Token ID" Ta "1 byte" Ta "Token ID"
371.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
372.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
373.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
374.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
375.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
376.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
377.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
378.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
379.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
380.El
381.Ss Expanded Subject Token
382The
383.Dv expanded subject
384token consists of the same elements as the
385.Dv subject
386token, with the addition of type/length and variable size machine address
387information in the terminal ID.
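Review bot: In the Expanded Process Token table, the "Terminal Address Type/Length" row has no Ta between "1 byte" and "Length of machine address", so the description does not start a new column; add the missing Ta. The next row gives "Terminal Machine Address" as "4 bytes" although the section text says the storage is variable length and can hold IPv6 addresses; "4/16 bytes", as used for "Machine Address" in the Expanded Header table, would match. The Subject Token text also joins au_to_subject32 and au_to_subject64 with "and" where the other sections use "or".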
388A
388An
389.Dv expanded subject
390token can be created using
391.Xr au_to_subject32_ex 3
392or
393.Xr au_to_subject64_ex 3 .
394.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
395.It Sy "Field" Ta Sy Bytes Ta Sy Description
396.It Li "Token ID" Ta "1 byte" Ta "Token ID"
397.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
398.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
399.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
400.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
401.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
402.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
403.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
404.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
405.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
406.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
407.El
408.Ss System V IPC Token
409The
410.Dv System V IPC
411token ...
412.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
413.It Sy "Field" Ta Sy Bytes Ta Sy Description
414.It Li "Token ID" Ta "1 byte" Ta "Token ID"
389.Dv expanded subject
390token can be created using
391.Xr au_to_subject32_ex 3
392or
393.Xr au_to_subject64_ex 3 .
394.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
395.It Sy "Field" Ta Sy Bytes Ta Sy Description
396.It Li "Token ID" Ta "1 byte" Ta "Token ID"
397.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
398.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
399.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
400.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
401.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
402.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
403.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
404.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
405.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
406.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
407.El
408.Ss System V IPC Token
409The
410.Dv System V IPC
411token ...
412.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
413.It Sy "Field" Ta Sy Bytes Ta Sy Description
414.It Li "Token ID" Ta "1 byte" Ta "Token ID"
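Review bot: line 405, in the expanded subject table just below the A/An fix, is missing the `Ta` between "1 byte" and "Length of machine address", so the description does not get its own column; add it in this change. Line 406 lists the machine address as "4 bytes" for "IPv4 or IPv6", although the paragraph above calls it variable size. Lines 373 and 399 also have the space inside the closing quote of "Effective Group ID " and none before `Ta`.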
415.It Li "object ID type" Ta "1 byte" Ta "Object ID"
415.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
416.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
417.El
418.Ss Text Token
419The
420.Dv text
421token contains a single nul-terminated text string.
422A
423.Dv text
424token may be created using
425.Xr au_to_text 3 .
426.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
427.It Sy "Field" Ta Sy Bytes Ta Sy Description
428.It Li "Token ID" Ta "1 byte" Ta "Token ID"
429.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
430.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
431.El
432.Ss Attribute Token
433The
434.Dv attribute
435token describes the attributes of a file associated with the audit event.
436As files may be identified by 0, 1, or many path names, a path name is not
437included with the attribute block for a file; optional
438.Dv path
439tokens may also be present in an audit record indicating which path, if any,
440was used to reach the object.
416.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
417.El
418.Ss Text Token
419The
420.Dv text
421token contains a single nul-terminated text string.
422A
423.Dv text
424token may be created using
425.Xr au_to_text 3 .
426.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
427.It Sy "Field" Ta Sy Bytes Ta Sy Description
428.It Li "Token ID" Ta "1 byte" Ta "Token ID"
429.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
430.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
431.El
432.Ss Attribute Token
433The
434.Dv attribute
435token describes the attributes of a file associated with the audit event.
436As files may be identified by 0, 1, or many path names, a path name is not
437included with the attribute block for a file; optional
438.Dv path
439tokens may also be present in an audit record indicating which path, if any,
440was used to reach the object.
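Review bot: capitalising "Object ID type" on line 415 leaves its description as "Object ID", identical to the row below it, so the table still does not say what the 1-byte field encodes; the description should say it is the type of the object ID. The section text on lines 409-411 is still the placeholder "token ..." and, unlike the neighbouring sections, cites no constructor with .Xr.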
441A
441An
442.Dv attribute
443token can be created using
444.Xr au_to_attr32 3
445or
446.Xr au_to_attr64 3 .
447.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
448.It Sy "Field" Ta Sy Bytes Ta Sy Description
449.It Li "Token ID" Ta "1 byte" Ta "Token ID"
450.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
451.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
452.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
453.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
454.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
455.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
456.El
457.Ss Groups Token
458The
459.Dv groups
460token contains a list of group IDs associated with the audit event.
461A
462.Dv groups
463token can be created using
464.Xr au_to_groups 3 .
465.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
466.It Sy "Field" Ta Sy Bytes Ta Sy Description
467.It Li "Token ID" Ta "1 byte" Ta "Token ID"
468.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
469.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
470.El
471.Ss System V IPC Permission Token
472The
473.Dv System V IPC permission
474token ...
475.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
476.It Sy "Field" Ta Sy Bytes Ta Sy Description
477.It Li "Token ID" Ta "1 byte" Ta "Token ID"
478.It Li XXXXX
479.El
480.Ss Arg Token
481The
482.Dv arg
483token ...
484.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
485.It Sy "Field" Ta Sy Bytes Ta Sy Description
486.It Li "Token ID" Ta "1 byte" Ta "Token ID"
487.It Li XXXXX
488.El
489.Ss exec_args Token
490The
491.Dv exec_args
492token ...
493.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
494.It Sy "Field" Ta Sy Bytes Ta Sy Description
495.It Li "Token ID" Ta "1 byte" Ta "Token ID"
496.It Li XXXXX
497.El
498.Ss exec_env Token
499The
500.Dv exec_env
501token ...
502.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
503.It Sy "Field" Ta Sy Bytes Ta Sy Description
504.It Li "Token ID" Ta "1 byte" Ta "Token ID"
505.It Li XXXXX
506.El
507.Ss Exit Token
508The
509.Dv exit
510token contains process exit/return code information.
511An
512.Dv exit
513token can be created using
514.Xr au_to_exit 3 .
515.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
516.It Sy "Field" Ta Sy Bytes Ta Sy Description
517.It Li "Token ID" Ta "1 byte" Ta "Token ID"
518.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
519.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
520.El
521.Ss Socket Token
522The
523.Dv socket
524token ...
525.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
526.It Sy "Field" Ta Sy Bytes Ta Sy Description
527.It Li "Token ID" Ta "1 byte" Ta "Token ID"
528.It Li XXXXX
529.El
530.Ss Expanded Socket Token
531The
532.Dv expanded socket
533token ...
534.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
535.It Sy "Field" Ta Sy Bytes Ta Sy Description
536.It Li "Token ID" Ta "1 byte" Ta "Token ID"
537.It Li XXXXX
538.El
539.Ss Seq Token
540The
541.Dv seq
542token contains a unique and monotonically increasing audit event sequence ID.
543Due to the limited range of 32 bits, serial number arithmetic and caution
544should be used when comparing sequence numbers.
545.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
546.It Sy "Field" Ta Sy Bytes Ta Sy Description
547.It Li "Token ID" Ta "1 byte" Ta "Token ID"
548.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
549.El
550.Ss privilege Token
551The
552.Dv privilege
553token ...
554.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
555.It Sy "Field" Ta Sy Bytes Ta Sy Description
556.It Li "Token ID" Ta "1 byte" Ta "Token ID"
557.It Li XXXXX
558.El
559.Ss Use-of-auth Token
560The
561.Dv use-of-auth
562token ...
563.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
564.It Sy "Field" Ta Sy Bytes Ta Sy Description
565.It Li "Token ID" Ta "1 byte" Ta "Token ID"
566.It Li XXXXX
567.El
568.Ss Command Token
569The
570.Dv command
571token ...
572.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
573.It Sy "Field" Ta Sy Bytes Ta Sy Description
574.It Li "Token ID" Ta "1 byte" Ta "Token ID"
575.It Li XXXXX
576.El
577.Ss ACL Token
578The
579.Dv ACL
580token ...
581.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
582.It Sy "Field" Ta Sy Bytes Ta Sy Description
583.It Li "Token ID" Ta "1 byte" Ta "Token ID"
584.It Li XXXXX
585.El
586.Ss Zonename Token
587The
588.Dv zonename
589token ...
590.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
591.It Sy "Field" Ta Sy Bytes Ta Sy Description
592.It Li "Token ID" Ta "1 byte" Ta "Token ID"
593.It Li XXXXX
594.El
595.Sh SEE ALSO
442.Dv attribute
443token can be created using
444.Xr au_to_attr32 3
445or
446.Xr au_to_attr64 3 .
447.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
448.It Sy "Field" Ta Sy Bytes Ta Sy Description
449.It Li "Token ID" Ta "1 byte" Ta "Token ID"
450.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
451.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
452.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
453.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
454.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
455.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
456.El
457.Ss Groups Token
458The
459.Dv groups
460token contains a list of group IDs associated with the audit event.
461A
462.Dv groups
463token can be created using
464.Xr au_to_groups 3 .
465.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
466.It Sy "Field" Ta Sy Bytes Ta Sy Description
467.It Li "Token ID" Ta "1 byte" Ta "Token ID"
468.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
469.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
470.El
471.Ss System V IPC Permission Token
472The
473.Dv System V IPC permission
474token ...
475.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
476.It Sy "Field" Ta Sy Bytes Ta Sy Description
477.It Li "Token ID" Ta "1 byte" Ta "Token ID"
478.It Li XXXXX
479.El
480.Ss Arg Token
481The
482.Dv arg
483token ...
484.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
485.It Sy "Field" Ta Sy Bytes Ta Sy Description
486.It Li "Token ID" Ta "1 byte" Ta "Token ID"
487.It Li XXXXX
488.El
489.Ss exec_args Token
490The
491.Dv exec_args
492token ...
493.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
494.It Sy "Field" Ta Sy Bytes Ta Sy Description
495.It Li "Token ID" Ta "1 byte" Ta "Token ID"
496.It Li XXXXX
497.El
498.Ss exec_env Token
499The
500.Dv exec_env
501token ...
502.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
503.It Sy "Field" Ta Sy Bytes Ta Sy Description
504.It Li "Token ID" Ta "1 byte" Ta "Token ID"
505.It Li XXXXX
506.El
507.Ss Exit Token
508The
509.Dv exit
510token contains process exit/return code information.
511An
512.Dv exit
513token can be created using
514.Xr au_to_exit 3 .
515.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
516.It Sy "Field" Ta Sy Bytes Ta Sy Description
517.It Li "Token ID" Ta "1 byte" Ta "Token ID"
518.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
519.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
520.El
521.Ss Socket Token
522The
523.Dv socket
524token ...
525.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
526.It Sy "Field" Ta Sy Bytes Ta Sy Description
527.It Li "Token ID" Ta "1 byte" Ta "Token ID"
528.It Li XXXXX
529.El
530.Ss Expanded Socket Token
531The
532.Dv expanded socket
533token ...
534.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
535.It Sy "Field" Ta Sy Bytes Ta Sy Description
536.It Li "Token ID" Ta "1 byte" Ta "Token ID"
537.It Li XXXXX
538.El
539.Ss Seq Token
540The
541.Dv seq
542token contains a unique and monotonically increasing audit event sequence ID.
543Due to the limited range of 32 bits, serial number arithmetic and caution
544should be used when comparing sequence numbers.
545.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
546.It Sy "Field" Ta Sy Bytes Ta Sy Description
547.It Li "Token ID" Ta "1 byte" Ta "Token ID"
548.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
549.El
550.Ss privilege Token
551The
552.Dv privilege
553token ...
554.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
555.It Sy "Field" Ta Sy Bytes Ta Sy Description
556.It Li "Token ID" Ta "1 byte" Ta "Token ID"
557.It Li XXXXX
558.El
559.Ss Use-of-auth Token
560The
561.Dv use-of-auth
562token ...
563.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
564.It Sy "Field" Ta Sy Bytes Ta Sy Description
565.It Li "Token ID" Ta "1 byte" Ta "Token ID"
566.It Li XXXXX
567.El
568.Ss Command Token
569The
570.Dv command
571token ...
572.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
573.It Sy "Field" Ta Sy Bytes Ta Sy Description
574.It Li "Token ID" Ta "1 byte" Ta "Token ID"
575.It Li XXXXX
576.El
577.Ss ACL Token
578The
579.Dv ACL
580token ...
581.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
582.It Sy "Field" Ta Sy Bytes Ta Sy Description
583.It Li "Token ID" Ta "1 byte" Ta "Token ID"
584.It Li XXXXX
585.El
586.Ss Zonename Token
587The
588.Dv zonename
589token ...
590.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
591.It Sy "Field" Ta Sy Bytes Ta Sy Description
592.It Li "Token ID" Ta "1 byte" Ta "Token ID"
593.It Li XXXXX
594.El
595.Sh SEE ALSO
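Review bot: line 519 in the exit token table has a lowercase `ta` after "Return Value", which mdoc treats as plain text, not a column separator; it should be `Ta`, the same kind of markup slip this change is cleaning up. On line 450, "1 byte" for a mode_t looks too narrow and is worth checking against au_to_attr32(3) before anyone writes a parser from this table.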
596.Xr audit 8,
597.Xr libbsm 3
596.Xr libbsm 3 ,
597.Xr audit 8
598.Sh AUTHORS
599The Basic Security Module (BSM) interface to audit records and audit event
600stream format were defined by Sun Microsystems.
601.Pp
602This manual page was written by
603.An Robert Watson Aq rwatson@FreeBSD.org .
604.Sh HISTORY
605The OpenBSM implementation was created by McAfee Research, the security
606division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
607It was subsequently adopted by the TrustedBSD Project as the foundation for
608the OpenBSM distribution.
609.Sh BUGS
610The
611.Dv How to print
612field in the
613.Dv arbitrary data
614token has undefined values.
615.Pp
616The
617.Dv in_addr
618and
619.Dv in_addr_ex
620token layout documented here appears to be in conflict with the
621.Xr libbsm 3
622implementations of
623.Xr au_to_in_addr 3
624and
625.Xr au_to_in_addr_ex 3 .
598.Sh AUTHORS
599The Basic Security Module (BSM) interface to audit records and audit event
600stream format were defined by Sun Microsystems.
601.Pp
602This manual page was written by
603.An Robert Watson Aq rwatson@FreeBSD.org .
604.Sh HISTORY
605The OpenBSM implementation was created by McAfee Research, the security
606division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
607It was subsequently adopted by the TrustedBSD Project as the foundation for
608the OpenBSM distribution.
609.Sh BUGS
610The
611.Dv How to print
612field in the
613.Dv arbitrary data
614token has undefined values.
615.Pp
616The
617.Dv in_addr
618and
619.Dv in_addr_ex
620token layout documented here appears to be in conflict with the
621.Xr libbsm 3
622implementations of
623.Xr au_to_in_addr 3
624and
625.Xr au_to_in_addr_ex 3 .
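Review bot: SEE ALSO on lines 596-597 is now sorted by section with the comma separated correctly, but it still omits the au_to_* constructors the body cites with .Xr (au_to_subject32, au_to_text, au_to_attr32 and others); either list them or state that libbsm(3) is the entry point. BUGS could also record that many token sections are still "token ..." with `.It Li XXXXX` rows, so readers know those layouts are undocumented, not empty.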