audit.log.5 (161630) audit.log.5 (168777)
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright

--- 9 unchanged lines hidden (view full) ---

18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright

--- 9 unchanged lines hidden (view full) ---

18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#10 $
26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
27.\"
27.\"
28.Dd May 1, 2005
28.Dd November 5, 2006
29.Dt AUDIT.LOG 5
30.Os
31.Sh NAME
32.Nm audit
29.Dt AUDIT.LOG 5
30.Os
31.Sh NAME
32.Nm audit
33.Nd "Basic Security Module (BSM) File Format"
33.Nd "Basic Security Module (BSM) file format"
34.Sh DESCRIPTION
35The
36.Nm
37file format is based on Sun's Basic Security Module (BSM) file format, a
38token-based record stream to represent system audit data.
39This file format is both flexible and extensible, able to describe a broad
40range of data types, and easily extended to describe new data types in a
41moderately backward and forward compatible way.
42.Pp
43BSM token streams typically begin and end with a
34.Sh DESCRIPTION
35The
36.Nm
37file format is based on Sun's Basic Security Module (BSM) file format, a
38token-based record stream to represent system audit data.
39This file format is both flexible and extensible, able to describe a broad
40range of data types, and easily extended to describe new data types in a
41moderately backward and forward compatible way.
42.Pp
43BSM token streams typically begin and end with a
44.Dv file
44.Dq file
45token, which provides time stamp and file name information for the stream;
46when processing a BSM token stream from a stream as opposed to a single file
47source, file tokens may be seen at any point between ordinary records
48identifying when particular parts of the stream begin and end.
49All other tokens will appear in the context of a complete BSM audit record,
50which begins with a
45token, which provides time stamp and file name information for the stream;
46when processing a BSM token stream from a stream as opposed to a single file
47source, file tokens may be seen at any point between ordinary records
48identifying when particular parts of the stream begin and end.
49All other tokens will appear in the context of a complete BSM audit record,
50which begins with a
51.Dv header
51.Dq header
52token, and ends with a
52token, and ends with a
53.Dv trailer
53.Dq trailer
54token, which describe the audit record.
55Between these two tokens will appear a variety of data tokens, such as
56process information, file path names, IPC object information, MAC labels,
57socket information, and so on.
58.Pp
59The BSM file format defines specific token orders for each record event type;
60however, some variation may occur depending on the operating system in use,
61what system options, such as mandatory access control, are present.
62.Pp
63This manual page documents the common token types and their binary format, and
64is intended for reference purposes only.
65It is recommended that application programmers use the
66.Xr libbsm 3
67interface to read and write tokens, rather than parsing or constructing
68records by hand.
69.Ss File Token
70The
54token, which describe the audit record.
55Between these two tokens will appear a variety of data tokens, such as
56process information, file path names, IPC object information, MAC labels,
57socket information, and so on.
58.Pp
59The BSM file format defines specific token orders for each record event type;
60however, some variation may occur depending on the operating system in use,
61what system options, such as mandatory access control, are present.
62.Pp
63This manual page documents the common token types and their binary format, and
64is intended for reference purposes only.
65It is recommended that application programmers use the
66.Xr libbsm 3
67interface to read and write tokens, rather than parsing or constructing
68records by hand.
69.Ss File Token
70The
71.Dv file
71.Dq file
72token is used at the beginning and end of an audit log file to indicate
73when the audit log begins and ends.
74It includes a pathname so that, if concatenated together, original file
75boundaries are still observable, and gaps in the audit log can be identified.
76A
72token is used at the beginning and end of an audit log file to indicate
73when the audit log begins and ends.
74It includes a pathname so that, if concatenated together, original file
75boundaries are still observable, and gaps in the audit log can be identified.
76A
77.Dv file
77.Dq file
78token can be created using
79.Xr au_to_file 3 .
78token can be created using
79.Xr au_to_file 3 .
80.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
81.It Sy "Field" Ta Sy Bytes Ta Sy Description
82.It Li "Token ID" Ta "1 byte" Ta "Token ID"
83.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
84.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
85.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
86.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
80.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
81.It Sy "Field Bytes Description"
82.It "Token ID 1 byte Token ID"
83.It "Seconds 4 bytes File time stamp"
84.It "Microseconds 4 bytes File time stamp"
85.It "File name lengh 2 bytes File name of audit trail"
86.It "File pathname N bytes + 1 NUL File name of audit trail"
87.El
88.Ss Header Token
89The
87.El
88.Ss Header Token
89The
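Review bot: The rewritten File Token table still carries the misspelling in the `File name lengh` row, and that row's description, `File name of audit trail`, repeats the pathname row instead of describing a length. Since the row is being rewritten anyway, suggest `File name length`, 2 bytes, with a description such as "Length of file name".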
90.Dv header
90.Dq header
91token is used to mark the beginning of a complete audit record, and includes
92the length of the total record in bytes, a version number for the record
93layout, the event type and subtype, and the time at which the event occurred.
94A 32-bit
91token is used to mark the beginning of a complete audit record, and includes
92the length of the total record in bytes, a version number for the record
93layout, the event type and subtype, and the time at which the event occurred.
94A 32-bit
95.Dv header
95.Dq header
96token can be created using
97.Xr au_to_header32 3 ;
98a 64-bit
96token can be created using
97.Xr au_to_header32 3 ;
98a 64-bit
99.Dv header
99.Dq header
100token can be created using
101.Xr au_to_header64 3 .
100token can be created using
101.Xr au_to_header64 3 .
102.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
103.It Sy "Field" Ta Sy Bytes Ta Sy Description
104.It Li "Token ID" Ta "1 byte" Ta "Token ID"
105.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
106.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
107.It Li "Event Type" Ta "2 bytes" Ta "Event type"
108.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
109.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
110.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
102.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
103.It Sy "Field Bytes Description"
104.It "Token ID 1 byte Token ID"
105.It "Record Byte Count 4 bytes Number of bytes in record"
106.It "Version Number 2 bytes Record version number"
107.It "Event Type 2 bytes Event type"
108.It "Event Modifier 2 bytes Event sub-type"
109.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
110.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
111.El
112.Ss Expanded Header Token
113The
111.El
112.Ss Expanded Header Token
113The
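Review bot: In the new table rows, as rendered here, each `.It` line is a single quoted string (`.It "Token ID 1 byte Token ID"`) with no `Ta` between cells, and the `.Bl -column` line supplies only two width strings for a three-field header (`Field Bytes Description`). If the cells are separated by literal tabs inside the quotes, an editor that expands tabs will silently merge the columns. Please confirm the formatted page still shows three aligned columns, or keep explicit `Ta` separators and add a third width string. This applies to every table converted in this change.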
114.Dv expanded header
114.Dq expanded header
115token is an expanded version of the
115token is an expanded version of the
116.Dv header
116.Dq header
117token, with the addition of a machine IPv4 or IPv6 address.
118A 32-bit extended
117token, with the addition of a machine IPv4 or IPv6 address.
118A 32-bit extended
119.Dv header
119.Dq header
120token can be created using
121.Xr au_to_header32_ex 3 ;
122a 64-bit extended
120token can be created using
121.Xr au_to_header32_ex 3 ;
122a 64-bit extended
123.Dv header
123.Dq header
124token can be created using
125.Xr au_to_header64_ex 3 .
124token can be created using
125.Xr au_to_header64_ex 3 .
126.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
127.It Sy "Field" Ta Sy Bytes Ta Sy Description
128.It Li "Token ID" Ta "1 byte" Ta "Token ID"
129.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
130.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
131.It Li "Event Type" Ta "2 bytes" Ta "Event type"
132.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
133.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
134.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
135.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
136.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
126.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
127.It Sy "Field Bytes Description"
128.It "Token ID 1 byte Token ID"
129.It "Record Byte Count 4 bytes Number of bytes in record"
130.It "Version Number 2 bytes Record version number"
131.It "Event Type 2 bytes Event type"
132.It "Event Modifier 2 bytes Event sub-type"
133.It "Address Type/Length 1 byte Host address type and length"
134.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
135.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
136.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
137.El
138.Ss Trailer Token
139The
137.El
138.Ss Trailer Token
139The
140.Dv trailer
140.Dq trailer
141terminates a BSM audit record, and contains a magic number,
142.Dv TRAILER_PAD_MAGIC
143and length that can be used to validate that the record was read properly.
144A
141terminates a BSM audit record, and contains a magic number,
142.Dv TRAILER_PAD_MAGIC
143and length that can be used to validate that the record was read properly.
144A
145.Dv trailer
145.Dq trailer
146token can be created using
147.Xr au_to_trailer 3 .
146token can be created using
147.Xr au_to_trailer 3 .
148.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
149.It Sy "Field" Ta Sy Bytes Ta Sy Description
150.It Li "Token ID" Ta "1 byte" Ta "Token ID"
151.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
152.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
148.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
149.It Sy "Field Bytes Description"
150.It "Token ID 1 byte Token ID"
151.It "Trailer Magic 2 bytes Trailer magic number"
152.It "Record Byte Count 4 bytes Number of bytes in record"
153.El
154.Ss Arbitrary Data Token
155The
153.El
154.Ss Arbitrary Data Token
155The
156.Dv arbitrary data
156.Dq arbitrary data
157token contains a byte stream of opaque (untyped) data.
158The size of the data is calculated as the size of each unit of data
159multipled by the number of units of data.
160A
157token contains a byte stream of opaque (untyped) data.
158The size of the data is calculated as the size of each unit of data
159multipled by the number of units of data.
160A
161.Dv How to print
161.Dq How to print
162field is present to specify how to print the data, but interpretation of
163that field is not currently defined.
164An
162field is present to specify how to print the data, but interpretation of
163that field is not currently defined.
164An
165.Dv arbitrary data
165.Dq arbitrary data
166token can be created using
167.Xr au_to_data 3 .
166token can be created using
167.Xr au_to_data 3 .
168.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
169.It Sy "Field" Ta Sy Bytes Ta Sy Description
170.It Li "Token ID" Ta "1 byte" Ta "Token ID"
171.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
172.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
173.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
174.It Li "Data Items" Ta "Variable" Ta "User data"
168.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
169.It Sy "Field Bytes Description"
170.It "Token ID 1 byte Token ID"
171.It "How to Print 1 byte User-defined printing information"
172.It "Basic Unit 1 byte Size of a unit in bytes"
173.It "Unit Count 1 byte Number of units of data present"
174.It "Data Items Variable User data"
175.El
176.Ss in_addr Token
177The
175.El
176.Ss in_addr Token
177The
178.Dv in_addr
178.Dq in_addr
179token holds a network byte order IPv4 or IPv6 address.
180An
179token holds a network byte order IPv4 or IPv6 address.
180An
181.Dv in_addr
181.Dq in_addr
182token can be created using
183.Xr au_to_in_addr 3
184for an IPv4 address, or
185.Xr au_to_in_addr_ex 3
186for an IPv6 address.
187.Pp
182token can be created using
183.Xr au_to_in_addr 3
184for an IPv4 address, or
185.Xr au_to_in_addr_ex 3
186for an IPv6 address.
187.Pp
188See the BUGS section for information on the storage of this token.
188See the
189.Sx BUGS
190section for information on the storage of this token.
189.Pp
191.Pp
190.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
191.It Sy "Field" Ta Sy Bytes Ta Sy Description
192.It Li "Token ID" Ta "1 byte" Ta "Token ID"
193.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
194.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
192.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
193.It Sy "Field Bytes Description"
194.It "Token ID 1 byte Token ID"
195.It "IP Address Type 1 byte Type of address"
196.It "IP Address 4/16 bytes IPv4 or IPv6 address"
195.El
196.Ss Expanded in_addr Token
197The
197.El
198.Ss Expanded in_addr Token
199The
198.Dv expanded in_addr
200.Dq expanded in_addr
199token ...
200.Pp
201token ...
202.Pp
201See the BUGS section for information on the storage of this token.
202.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
203.It Sy "Field" Ta Sy Bytes Ta Sy Description
204.It Li "Token ID" Ta "1 byte" Ta "Token ID"
203See the
204.Sx BUGS
205section for information on the storage of this token.
206.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
207.It Sy "Field Bytes Description"
208.It "Token ID 1 byte Token ID"
205.It XXXX
206.El
207.Ss ip Token
208The
209.It XXXX
210.El
211.Ss ip Token
212The
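Review bot: The Expanded in_addr Token section is touched here (`.Dq`, `.Sx BUGS`) but still ships the placeholder description `token ...` and the placeholder row `.It XXXX`, so the rendered page documents no field beyond Token ID. Either fill in the layout or state in the text that the token is not yet documented. The Expanded ip Token section that follows carries the same two placeholders.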
209.Dv ip
213.Dq ip
210token contains an IP packet header in network byte order.
211An
214token contains an IP packet header in network byte order.
215An
212.Dv ip
216.Dq ip
213token can be created using
214.Xr au_to_ip 3 .
217token can be created using
218.Xr au_to_ip 3 .
215.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
216.It Sy "Field" Ta Sy Bytes Ta Sy Description
217.It Li "Token ID" Ta "1 byte" Ta "Token ID"
218.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
219.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
220.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
221.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
222.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
223.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
224.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
225.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
226.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
227.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
219.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
220.It Sy "Field Bytes Description"
221.It "Token ID 1 byte Token ID"
222.It "Version and IHL 1 byte Version and IP header length"
223.It "Type of Service 1 byte IP TOS field"
224.It "Length 2 bytes IP packet length in network byte order"
225.It "ID 2 bytes IP header ID for reassembly"
226.It "Offset 2 bytes IP fragment offset and flags, network byte order"
227.It "TTL 1 byte IP Time-to-Live"
228.It "Protocol 1 byte IP protocol number"
229.It "Checksum 2 bytes IP header checksum, network byte order"
230.It "Source Address 4 bytes IPv4 source address"
231.It "Destination Address 4 bytes IPv4 destination address"
228.El
229.Ss Expanded ip Token
230The
232.El
233.Ss Expanded ip Token
234The
231.Dv expanded ip
235.Dq expanded ip
232token ...
236token ...
233.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
234.It Sy "Field" Ta Sy Bytes Ta Sy Description
235.It Li "Token ID" Ta "1 byte" Ta "Token ID"
237.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
238.It Sy "Field Bytes Description"
239.It "Token ID 1 byte Token ID"
236.It XXXX
237.El
238.Ss iport Token
239The
240.It XXXX
241.El
242.Ss iport Token
243The
240.Dv iport
244.Dq iport
241token stores an IP port number in network byte order.
242An
245token stores an IP port number in network byte order.
246An
243.Dv iport
247.Dq iport
244token can be created using
245.Xr au_to_iport 3 .
248token can be created using
249.Xr au_to_iport 3 .
246.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
247.It Sy "Field" Ta Sy Bytes Ta Sy Description
248.It Li "Token ID" Ta "1 byte" Ta "Token ID"
249.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
250.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
251.It Sy "Field Bytes Description"
252.It "Token ID 1 byte Token ID"
253.It "Port Number 2 bytes Port number in network byte order"
250.El
251.Ss Path Token
252The
254.El
255.Ss Path Token
256The
253.Dv path
257.Dq path
254token contains a pathname.
255A
258token contains a pathname.
259A
256.Dv path
260.Dq path
257token can be created using
258.Xr au_to_path 3 .
261token can be created using
262.Xr au_to_path 3 .
259.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
260.It Sy "Field" Ta Sy Bytes Ta Sy Description
261.It Li "Token ID" Ta "1 byte" Ta "Token ID"
262.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
263.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
263.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
264.It Sy "Field Bytes Description"
265.It "Token ID 1 byte Token ID"
266.It "Path Length 2 bytes Length of path in bytes"
267.It "Path N bytes + 1 NUL Path name"
264.El
265.Ss path_attr Token
266The
268.El
269.Ss path_attr Token
270The
267.Dv path_attr
268token contains a set of nul-terminated path names.
271.Dq path_attr
272token contains a set of NUL-terminated path names.
269The
270.Xr libbsm 3
271API cannot currently create a
273The
274.Xr libbsm 3
275API cannot currently create a
272.Dv path_attr
276.Dq path_attr
273token.
277token.
274.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
275.It Sy "Field" Ta Sy Bytes Ta Sy Description
276.It Li "Token ID" Ta "1 byte" Ta "Token ID"
277.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
278.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
278.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
279.It Sy "Field Bytes Description"
280.It "Token ID 1 byte Token ID"
281.It "Count 2 bytes Number of NUL-terminated string(s) in token"
282.It "Path Variable count NUL-terminated string(s)"
279.El
280.Ss Process Token
281The
283.El
284.Ss Process Token
285The
282.Dv process
286.Dq process
283token contains a description of the security properties of a process
284involved as the target of an auditable event, such as the destination for
285signal delivery.
286It should not be confused with the
287token contains a description of the security properties of a process
288involved as the target of an auditable event, such as the destination for
289signal delivery.
290It should not be confused with the
287.Dv subject
291.Dq subject
288token, which describes the subject performing an auditable event.
289This includes both the traditional
290.Ux
291security properties, such as user IDs and group IDs, but also audit
292information such as the audit user ID and session.
293A
292token, which describes the subject performing an auditable event.
293This includes both the traditional
294.Ux
295security properties, such as user IDs and group IDs, but also audit
296information such as the audit user ID and session.
297A
294.Dv process
298.Dq process
295token can be created using
296.Xr au_to_process32 3
297or
298.Xr au_to_process64 3 .
299token can be created using
300.Xr au_to_process32 3
301or
302.Xr au_to_process64 3 .
299.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
300.It Sy "Field" Ta Sy Bytes Ta Sy Description
301.It Li "Token ID" Ta "1 byte" Ta "Token ID"
302.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
303.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
304.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
305.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
306.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
307.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
308.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
309.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
310.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
303.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
304.It Sy "Field Bytes Description"
305.It "Token ID 1 byte Token ID"
306.It "Audit ID 4 bytes Audit user ID"
307.It "Effective User ID 4 bytes Effective user ID"
308.It "Effective Group ID 4 bytes Effective group ID"
309.It "Real User ID 4 bytes Real user ID"
310.It "Real Group ID 4 bytes Real group ID"
311.It "Process ID 4 bytes Process ID"
312.It "Session ID 4 bytes Audit session ID"
313.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
314.It "Terminal Machine Address 4 bytes IP address of machine"
311.El
312.Ss Expanded Process Token
313The
315.El
316.Ss Expanded Process Token
317The
314.Dv expanded process
318.Dq expanded process
315token contains the contents of the
319token contains the contents of the
316.Dv process
320.Dq process
317token, with the addition of a machine address type and variable length
318address storage capable of containing IPv6 addresses.
319An
321token, with the addition of a machine address type and variable length
322address storage capable of containing IPv6 addresses.
323An
320.Dv expanded process
324.Dq expanded process
321token can be created using
322.Xr au_to_process32_ex 3
323or
324.Xr au_to_process64_ex 3 .
325token can be created using
326.Xr au_to_process32_ex 3
327or
328.Xr au_to_process64_ex 3 .
325.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
326.It Sy "Field" Ta Sy Bytes Ta Sy Description
327.It Li "Token ID" Ta "1 byte" Ta "Token ID"
328.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
329.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
330.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
331.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
332.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
333.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
334.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
335.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
336.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
337.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
329.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
330.It Sy "Field Bytes Description"
331.It "Token ID 1 byte Token ID"
332.It "Audit ID 4 bytes Audit user ID"
333.It "Effective User ID 4 bytes Effective user ID"
334.It "Effective Group ID 4 bytes Effective group ID"
335.It "Real User ID 4 bytes Real user ID"
336.It "Real Group ID 4 bytes Real group ID"
337.It "Process ID 4 bytes Process ID"
338.It "Session ID 4 bytes Audit session ID"
339.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
340.It "Terminal Address Type/Length 1 byte Length of machine address"
341.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
338.El
339.Ss Return Token
340The
342.El
343.Ss Return Token
344The
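Review bot: The `Terminal Machine Address` row in the Expanded Process Token table gives the width as `4 bytes`, while its description says `IPv4 or IPv6 address of machine` and the section text says the storage can hold IPv6 addresses. The Expanded Header Token table uses `4/16 bytes` for the same kind of field; suggest the same here. The `Terminal Address Type/Length` row is described only as `Length of machine address`, which drops the type half of the field name. The Expanded Subject Token table has the same two rows.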
341.Dv return
345.Dq return
342token contains a system call or library function return condition, including
343return value and error number associated with the global variable
344.Er errno .
346token contains a system call or library function return condition, including
347return value and error number associated with the global variable
348.Er errno .
345A
346.Dv return
349A
350.Dq return
347token can be created using
348.Xr au_to_return32 3
349or
350.Xr au_to_return64 3 .
351token can be created using
352.Xr au_to_return32 3
353or
354.Xr au_to_return64 3 .
351.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
352.It Sy "Field" Ta Sy Bytes Ta Sy Description
353.It Li "Token ID" Ta "1 byte" Ta "Token ID"
354.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
355.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
355.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
356.It Sy "Field Bytes Description"
357.It "Token ID 1 byte Token ID"
358.It "Error Number 1 byte Errno value, or 0 if undefined"
359.It "Return Value 4/8 bytes Return value (32/64-bits)"
356.El
357.Ss Subject Token
358The
360.El
361.Ss Subject Token
362The
359.Dv subject
363.Dq subject
360token contains information on the subject performing the operation described
361by an audit record, and includes similar information to that found in the
364token contains information on the subject performing the operation described
365by an audit record, and includes similar information to that found in the
362.Dv process
366.Dq process
363and
367and
364.Dv expanded process
368.Dq expanded process
365tokens.
366However, those tokens are used where the process being described is the
367target of the operation, not the authorizing party.
368A
369tokens.
370However, those tokens are used where the process being described is the
371target of the operation, not the authorizing party.
372A
369.Dv subject
373.Dq subject
370token can be created using
371.Xr au_to_subject32 3
372and
373.Xr au_to_subject64 3 .
374token can be created using
375.Xr au_to_subject32 3
376and
377.Xr au_to_subject64 3 .
374.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
375.It Sy "Field" Ta Sy Bytes Ta Sy Description
376.It Li "Token ID" Ta "1 byte" Ta "Token ID"
377.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
378.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
379.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
380.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
381.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
382.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
383.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
384.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
385.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
378.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
379.It Sy "Field Bytes Description"
380.It "Token ID 1 byte Token ID"
381.It "Audit ID 4 bytes Audit user ID"
382.It "Effective User ID 4 bytes Effective user ID"
383.It "Effective Group ID 4 bytes Effective group ID"
384.It "Real User ID 4 bytes Real user ID"
385.It "Real Group ID 4 bytes Real group ID"
386.It "Process ID 4 bytes Process ID"
387.It "Session ID 4 bytes Audit session ID"
388.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
389.It "Terminal Machine Address 4 bytes IP address of machine"
386.El
387.Ss Expanded Subject Token
388The
390.El
391.Ss Expanded Subject Token
392The
389.Dv expanded subject
393.Dq expanded subject
390token consists of the same elements as the
394token consists of the same elements as the
391.Dv subject
395.Dq subject
392token, with the addition of type/length and variable size machine address
393information in the terminal ID.
394An
396token, with the addition of type/length and variable size machine address
397information in the terminal ID.
398An
395.Dv expanded subject
399.Dq expanded subject
396token can be created using
397.Xr au_to_subject32_ex 3
398or
399.Xr au_to_subject64_ex 3 .
400token can be created using
401.Xr au_to_subject32_ex 3
402or
403.Xr au_to_subject64_ex 3 .
400.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
401.It Sy "Field" Ta Sy Bytes Ta Sy Description
402.It Li "Token ID" Ta "1 byte" Ta "Token ID"
403.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
404.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
405.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
406.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
407.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
408.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
409.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
410.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
411.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
412.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
404.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
405.It Sy "Field Bytes Description"
406.It "Token ID 1 byte Token ID"
407.It "Audit ID 4 bytes Audit user ID"
408.It "Effective User ID 4 bytes Effective user ID"
409.It "Effective Group ID 4 bytes Effective group ID"
410.It "Real User ID 4 bytes Real user ID"
411.It "Real Group ID 4 bytes Real group ID"
412.It "Process ID 4 bytes Process ID"
413.It "Session ID 4 bytes Audit session ID"
414.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
415.It "Terminal Address Type/Length 1 byte Length of machine address"
416.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
413.El
414.Ss System V IPC Token
415The
417.El
418.Ss System V IPC Token
419The
416.Dv System V IPC
417token ...
418.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
419.It Sy "Field" Ta Sy Bytes Ta Sy Description
420.It Li "Token ID" Ta "1 byte" Ta "Token ID"
421.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
422.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
420.Dq System V IPC
421token contains the System V IPC message handle, semaphore handle or shared
422memory handle.
423A System V IPC token may be created using
424+.Xr au_to_ipc 3 .
425.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
426.It Sy "Field Bytes Description"
427.It "Token ID 1 byte Token ID"
428.It "Object ID type 1 byte Object ID"
429.It "Object ID 4 bytes Object ID"
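Review bot: New line 424 reads "+.Xr au_to_ipc 3 ." with a leading "+" that none of the other added lines carry. It looks like a diff marker committed into the file. With the "." no longer in column one the line is not treated as a macro and will render as literal text, so drop the "+". Separately, on line 428 "Object ID type" is described only as "Object ID"; say what the type byte distinguishes (message, semaphore or shared memory handle, per lines 421-422).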
423.El
424.Ss Text Token
425The
430.El
431.Ss Text Token
432The
426.Dv text
427token contains a single nul-terminated text string.
433.Dq text
434token contains a single NUL-terminated text string.
428A
435A
429.Dv text
436.Dq text
430token may be created using
431.Xr au_to_text 3 .
437token may be created using
438.Xr au_to_text 3 .
432.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
433.It Sy "Field" Ta Sy Bytes Ta Sy Description
434.It Li "Token ID" Ta "1 byte" Ta "Token ID"
435.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
436.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
439.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
440.It Sy "Field Bytes Description"
441.It "Token ID 1 byte Token ID"
442.It "Text Length 2 bytes Length of text string including NUL"
443.It "Text N bytes + 1 NUL Text string including NUL"
437.El
438.Ss Attribute Token
439The
444.El
445.Ss Attribute Token
446The
440.Dv attribute
447.Dq attribute
441token describes the attributes of a file associated with the audit event.
442As files may be identified by 0, 1, or many path names, a path name is not
443included with the attribute block for a file; optional
448token describes the attributes of a file associated with the audit event.
449As files may be identified by 0, 1, or many path names, a path name is not
450included with the attribute block for a file; optional
444.Dv path
451.Dq path
445tokens may also be present in an audit record indicating which path, if any,
446was used to reach the object.
447An
452tokens may also be present in an audit record indicating which path, if any,
453was used to reach the object.
454An
448.Dv attribute
455.Dq attribute
449token can be created using
450.Xr au_to_attr32 3
451or
452.Xr au_to_attr64 3 .
456token can be created using
457.Xr au_to_attr32 3
458or
459.Xr au_to_attr64 3 .
453.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
454.It Sy "Field" Ta Sy Bytes Ta Sy Description
455.It Li "Token ID" Ta "1 byte" Ta "Token ID"
456.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
457.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
458.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
459.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
460.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
461.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
460.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
461.It Sy "Field Bytes Description"
462.It "Token ID 1 byte Token ID"
463.It "File Access Mode 1 byte mode_t associated with file"
464.It "Owner User ID 4 bytes uid_t associated with file"
465.It "Owner Group ID 4 bytes gid_t associated with file"
466.It "File System ID 4 bytes fsid_t associated with file"
467.It "File System Node ID 8 bytes ino_t associated with file"
468.It "Device 4/8 bytes Device major/minor number (32/64-bit)"
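Review bot: Line 463 keeps "File Access Mode" at "1 byte" while describing it as the mode_t of the file. The permission bits alone do not fit in one byte, so this width should be checked against what au_to_attr32 and au_to_attr64 actually emit before the table is carried forward. A wrong width here shifts every later field offset for anyone parsing from this page.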
462.El
463.Ss Groups Token
464The
469.El
470.Ss Groups Token
471The
465.Dv groups
472.Dq groups
466token contains a list of group IDs associated with the audit event.
467A
473token contains a list of group IDs associated with the audit event.
474A
468.Dv groups
475.Dq groups
469token can be created using
470.Xr au_to_groups 3 .
476token can be created using
477.Xr au_to_groups 3 .
471.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
472.It Sy "Field" Ta Sy Bytes Ta Sy Description
473.It Li "Token ID" Ta "1 byte" Ta "Token ID"
474.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
475.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
478.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
479.It Sy "Field Bytes Description"
480.It "Token ID 1 byte Token ID"
481.It "Number of Groups 2 bytes Number of groups in token"
482.It "Group List N * 4 bytes List of N group IDs"
476.El
477.Ss System V IPC Permission Token
478The
483.El
484.Ss System V IPC Permission Token
485The
479.Dv System V IPC permission
480token ...
481.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
482.It Sy "Field" Ta Sy Bytes Ta Sy Description
483.It Li "Token ID" Ta "1 byte" Ta "Token ID"
484.It Li XXXXX
486.Dq System V IPC permission
487token contains a System V IPC access permissions.
488A System V IPC permission token may be created using
489.Xr au_to_ipc_perm 3 .
490.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
491.It Sy "Field Bytes Description"
492.It "Token ID 1 byte Token ID"
493.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
494.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
495.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
496.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
497.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
498.It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
499.It Li "Key" Ta "4 bytes" Ta "IPC key"
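Review bot: Line 498 misspells "Sequence" twice ("Sequnce number" in both the field and description columns), and line 487 reads "contains a System V IPC access permissions", which should drop the article or use the singular. The new rows on lines 493-499 also use the `.It Li ... Ta` form while the header and Token ID rows on lines 491-492 of the same table use the other form; pick one style per table.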
485.El
486.Ss Arg Token
487The
500.El
501.Ss Arg Token
502The
488.Dv arg
489token ...
490.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
491.It Sy "Field" Ta Sy Bytes Ta Sy Description
492.It Li "Token ID" Ta "1 byte" Ta "Token ID"
493.It Li XXXXX
503.Dq arg
504token contains informations about arguments of the system call.
505Depending on the size of the desired argument value, an Arg token may be
506created using
507.Xr au_to_arg32 3
508or
509.Xr au_to_arg64 3 .
510.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
511.It Sy "Field Bytes Description"
512.It "Token ID 1 byte Token ID"
513.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
514.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
515.It Li "Length" Ta "2 bytes" Ta "Length of the text"
516.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
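Review bot: Line 515 documents "Length" as "Length of the text" without saying whether the count includes the terminating NUL, while the Text token in this same change says "Length of text string including NUL" (line 442). State it explicitly here, since a parser needs it to bound the read. Minor: line 504 should read "information", and line 516 uses "nul" where the rest of the change has moved to "NUL".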
494.El
495.Ss exec_args Token
496The
517.El
518.Ss exec_args Token
519The
497.Dv exec_args
498token ...
499.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
500.It Sy "Field" Ta Sy Bytes Ta Sy Description
501.It Li "Token ID" Ta "1 byte" Ta "Token ID"
502.It Li XXXXX
520.Dq exec_args
521token contains informations about arguements of the exec() system call.
522An exec_args token may be created using
523.Xr au_to_exec_args 3 .
524.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
525.It Sy "Field Bytes Description"
526.It "Token ID 1 byte Token ID"
527.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
528.It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
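Review bot: Line 521 has two typos, "informations" and "arguements". Line 528 says "null-terminated" where the exec_env table (line 540) says "nul-terminated" and the Text token says "NUL"; use one spelling throughout. It would also help to note that the token carries no byte length, so a reader has to consume exactly Count terminated strings to find the end of the token.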
503.El
504.Ss exec_env Token
505The
529.El
530.Ss exec_env Token
531The
506.Dv exec_env
507token ...
508.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
509.It Sy "Field" Ta Sy Bytes Ta Sy Description
510.It Li "Token ID" Ta "1 byte" Ta "Token ID"
511.It Li XXXXX
532.Dq exec_env
533token contains current eviroment variables to an exec() system call.
534An exec_args token may be created using
535.Xr au_to_exec_env 3 .
536.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
537.It Sy "Field Bytes Description"
538.It "Token ID 1 byte Token ID"
539.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
540.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
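Review bot: Line 534 says "An exec_args token may be created using" but the reference that follows is au_to_exec_env, so this looks copied from the previous section and should say exec_env. Line 533 misspells "environment" as "eviroment", and the field on line 539 is named "Count ID" where the matching exec_args field on line 527 is just "Count".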
512.El
513.Ss Exit Token
514The
541.El
542.Ss Exit Token
543The
515.Dv exit
544.Dq exit
516token contains process exit/return code information.
517An
545token contains process exit/return code information.
546An
518.Dv exit
547.Dq exit
519token can be created using
520.Xr au_to_exit 3 .
548token can be created using
549.Xr au_to_exit 3 .
521.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
522.It Sy "Field" Ta Sy Bytes Ta Sy Description
523.It Li "Token ID" Ta "1 byte" Ta "Token ID"
524.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
525.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
550.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
551.It Sy "Field Bytes Description"
552.It "Token ID 1 byte Token ID"
553.It "Status 4 bytes Process status on exit"
554.It "Return Value 4 bytes Process return value on exit"
526.El
527.Ss Socket Token
528The
555.El
556.Ss Socket Token
557The
529.Dv socket
530token ...
558.Dq socket
559token contains informations about UNIX domain and Internet sockets.
560Each token has four or eight fields.
561Depend on type of socket a socket token may be created using
562.Xr au_to_sock_unix 3 ,
563.Xr au_to_sock_inet32 3 or
564.Xr au_to_sock_inet128 3 .
531.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
532.It Sy "Field" Ta Sy Bytes Ta Sy Description
533.It Li "Token ID" Ta "1 byte" Ta "Token ID"
565.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
566.It Sy "Field" Ta Sy Bytes Ta Sy Description
567.It Li "Token ID" Ta "1 byte" Ta "Token ID"
534.It Li XXXXX
568.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
569.It Li "Local port" Ta "2 bytes" Ta "Local port"
570.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
535.El
571.El
572.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
573.It Sy "Field Bytes Description"
574.It "Token ID 1 byte Token ID"
575+.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
576+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
577+.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
578+.It Li "Local port" Ta "2 bytes" Ta "Local port"
579+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
580+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
581+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
582.El
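Review bot: New lines 575-581 all start with "+" before ".It", which looks like diff markers committed into the file; with the "." no longer first on the line these seven rows will not be parsed as table items. Remove the "+" from each. The section also ends up with two tables (lines 565-571 and 572-582) and no text saying which one applies to which socket type, although line 560 says tokens have "four or eight fields"; add a sentence before each table. Line 561 should read "Depending on the type of socket", and the "or" on line 563 belongs on its own line as in the other sections.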
536.Ss Expanded Socket Token
537The
583.Ss Expanded Socket Token
584The
538.Dv expanded socket
585.Dq expanded socket
539token ...
586token ...
540.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
541.It Sy "Field" Ta Sy Bytes Ta Sy Description
542.It Li "Token ID" Ta "1 byte" Ta "Token ID"
543.It Li XXXXX
587.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
588.It Sy "Field Bytes Description"
589.It "Token ID 1 byte Token ID"
590.It XXXXX
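Review bot: Line 586 still reads "token ..." and line 590 is still the "XXXXX" placeholder row, so this section documents nothing beyond the Token ID byte; the change only restyles it. The same is true of the privilege, use-of-auth, command, ACL and zonename sections below. Either fill in the layouts or list these tokens under BUGS as undocumented so readers do not take the one-row table as the full format.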
544.El
545.Ss Seq Token
546The
591.El
592.Ss Seq Token
593The
547.Dv seq
594.Dq seq
548token contains a unique and monotonically increasing audit event sequence ID.
549Due to the limited range of 32 bits, serial number arithmetic and caution
550should be used when comparing sequence numbers.
595token contains a unique and monotonically increasing audit event sequence ID.
596Due to the limited range of 32 bits, serial number arithmetic and caution
597should be used when comparing sequence numbers.
551.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
552.It Sy "Field" Ta Sy Bytes Ta Sy Description
553.It Li "Token ID" Ta "1 byte" Ta "Token ID"
554.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
598.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
599.It Sy "Field Bytes Description"
600.It "Token ID 1 byte Token ID"
601.It "Sequence Number 4 bytes Audit event sequence number"
555.El
556.Ss privilege Token
557The
602.El
603.Ss privilege Token
604The
558.Dv privilege
605.Dq privilege
559token ...
606token ...
560.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
561.It Sy "Field" Ta Sy Bytes Ta Sy Description
562.It Li "Token ID" Ta "1 byte" Ta "Token ID"
563.It Li XXXXX
607.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
608.It Sy "Field Bytes Description"
609.It "Token ID 1 byte Token ID"
610.It XXXXX
564.El
565.Ss Use-of-auth Token
566The
611.El
612.Ss Use-of-auth Token
613The
567.Dv use-of-auth
614.Dq use-of-auth
568token ...
615token ...
569.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
570.It Sy "Field" Ta Sy Bytes Ta Sy Description
571.It Li "Token ID" Ta "1 byte" Ta "Token ID"
572.It Li XXXXX
616.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
617.It Sy "Field Bytes Description"
618.It "Token ID 1 byte Token ID"
619.It XXXXX
573.El
574.Ss Command Token
575The
620.El
621.Ss Command Token
622The
576.Dv command
623.Dq command
577token ...
624token ...
578.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
579.It Sy "Field" Ta Sy Bytes Ta Sy Description
580.It Li "Token ID" Ta "1 byte" Ta "Token ID"
581.It Li XXXXX
625.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
626.It Sy "Field Bytes Description"
627.It "Token ID 1 byte Token ID"
628.It XXXXX
582.El
583.Ss ACL Token
584The
629.El
630.Ss ACL Token
631The
585.Dv ACL
632.Dq ACL
586token ...
633token ...
587.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
588.It Sy "Field" Ta Sy Bytes Ta Sy Description
589.It Li "Token ID" Ta "1 byte" Ta "Token ID"
590.It Li XXXXX
634.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
635.It Sy "Field Bytes Description"
636.It "Token ID 1 byte Token ID"
637.It XXXXX
591.El
592.Ss Zonename Token
593The
638.El
639.Ss Zonename Token
640The
594.Dv zonename
641.Dq zonename
595token ...
642token ...
596.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
597.It Sy "Field" Ta Sy Bytes Ta Sy Description
598.It Li "Token ID" Ta "1 byte" Ta "Token ID"
599.It Li XXXXX
643.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
644.It Sy "Field Bytes Description"
645.It "Token ID 1 byte Token ID"
646.It XXXXX
600.El
601.Sh SEE ALSO
647.El
648.Sh SEE ALSO
649.Xr auditreduce 1 ,
650.Xr praudit 1 ,
602.Xr libbsm 3 ,
651.Xr libbsm 3 ,
652.Xr audit 4 ,
653.Xr auditpipe 4 ,
603.Xr audit 8
654.Xr audit 8
655.Sh HISTORY
656The OpenBSM implementation was created by McAfee Research, the security
657division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
658It was subsequently adopted by the TrustedBSD Project as the foundation for
659the OpenBSM distribution.
604.Sh AUTHORS
605The Basic Security Module (BSM) interface to audit records and audit event
606stream format were defined by Sun Microsystems.
607.Pp
608This manual page was written by
609.An Robert Watson Aq rwatson@FreeBSD.org .
660.Sh AUTHORS
661The Basic Security Module (BSM) interface to audit records and audit event
662stream format were defined by Sun Microsystems.
663.Pp
664This manual page was written by
665.An Robert Watson Aq rwatson@FreeBSD.org .
610.Sh HISTORY
611The OpenBSM implementation was created by McAfee Research, the security
612division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
613It was subsequently adopted by the TrustedBSD Project as the foundation for
614the OpenBSM distribution.
615.Sh BUGS
616The
666.Sh BUGS
667The
617.Dv How to print
668.Dq How to print
618field in the
669field in the
619.Dv arbitrary data
670.Dq arbitrary data
620token has undefined values.
621.Pp
622The
671token has undefined values.
672.Pp
673The
623.Dv in_addr
674.Dq in_addr
624and
675and
625.Dv in_addr_ex
676.Dq in_addr_ex
626token layout documented here appears to be in conflict with the
627.Xr libbsm 3
628implementations of
629.Xr au_to_in_addr 3
630and
631.Xr au_to_in_addr_ex 3 .
677token layout documented here appears to be in conflict with the
678.Xr libbsm 3
679implementations of
680.Xr au_to_in_addr 3
681and
682.Xr au_to_in_addr_ex 3 .