| Current File : //usr/man/man4/audit.log.4 |
'\" te
.\" Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
.TH audit.log 4 "23 Jan 2012" "SunOS 5.11" "File Formats"
.SH NAME
audit.log \- audit trail file
.SH SYNOPSIS
.LP
.nf
\fB#include <bsm/audit.h>\fR
.fi
.LP
.nf
\fB#include <bsm/audit_record.h>\fR
.fi
.SH DESCRIPTION
.sp
.LP
\fBaudit.log\fR files are the depository for audit records stored locally or on an NFS-mounted audit server. These files are kept in directories named in the \fIp_dir\fR property of the audit service \fBaudit_binfile\fR(5) plugin. They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form
.sp
.LP
\fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR
.sp
.LP
when open or if the \fBauditd\fR(1M) terminated ungracefully, and the form
.sp
.LP
\fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR
.sp
.LP
when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and \fBss\fR second in the minute. All fields are of fixed width.
.sp
.LP
Audit data is generated in the binary format described below; the default for Solaris audit is binary format. See \fBaudit_syslog\fR(5) for an alternate data format.
.sp
.LP
The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and typically ends with one also. The beginning \fBfile token\fR records the pathname of the previous audit file, while the ending \fBfile token\fR records the pathname of the next audit file. If the file name is \fBNULL\fR the appropriate path was unavailable.
.sp
.LP
The \fBaudit.log\fR files contains audit records. Each audit record is made up of \fIaudit tokens\fR. Each record contains a header token followed by various data tokens. Depending on the audit policy in place by \fBauditconfig\fR(1M), optional other tokens such as trailers or sequences may be included.
.sp
.LP
The tokens are defined as follows:
.sp
.LP
The \fBfile\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
seconds of time 4 bytes
microseconds of time 4 bytes
file name length 2 bytes
file pathname N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.sp
.LP
The \fBheader\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
record byte count 4 bytes
version # 1 byte [2]
event type 2 bytes
event modifier 2 bytes
seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
.fi
.in -2
.sp
.sp
.LP
The expanded \fBheader\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
record byte count 4 bytes
version # 1 byte [2]
event type 2 bytes
event modifier 2 bytes
address type/length 4 bytes
machine address 4 bytes/16 bytes (IPv4/IPv6 address)
seconds of time 4 bytes/8 bytes (32/64-bits)
nanoseconds of time 4 bytes/8 bytes (32/64-bits)
.fi
.in -2
.sp
.sp
.LP
The \fBtrailer\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
trailer magic number 2 bytes
record byte count 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBarbitrary\fR \fBdata\fR token is defined:
.sp
.in +2
.nf
token ID 1 byte
how to print 1 byte
basic unit 1 byte
unit count 1 byte
data items (depends on basic unit)
.fi
.in -2
.sp
.sp
.LP
The \fBin_addr\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
IP address 4 bytes (IPv4 address)
.fi
.in -2
.sp
.sp
.LP
The expanded \fBin_addr\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
IP address type/length 4 bytes
IP address 16 bytes (IPv6 address)
.fi
.in -2
.sp
.sp
.LP
The \fBip\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
version and ihl 1 byte
type of service 1 byte
length 2 bytes
id 2 bytes
offset 2 bytes
ttl 1 byte
protocol 1 byte
checksum 2 bytes
source address 4 bytes
destination address 4 bytes
.fi
.in -2
.sp
.sp
.LP
The expanded \fBip\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
version and ihl 1 byte
type of service 1 byte
length 2 bytes
id 2 bytes
offset 2 bytes
ttl 1 byte
protocol 1 byte
checksum 2 bytes
address type/type 1 byte
source address 4 bytes/16 bytes (IPv4/IPv6 address)
address type/length 1 byte
destination address 4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp
.sp
.LP
The \fBiport\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
port IP address 2 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBpath\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
path length 2 bytes
path N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.sp
.LP
The \fBpath_attr\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
count 4 bytes
path \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp
.sp
.LP
The \fBprocess\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
port ID 4 bytes/8 bytes (32-bit/64-bit value)
machine address 4 bytes (IPv4 address)
.fi
.in -2
.sp
.sp
.LP
The expanded \fBprocess\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
port ID 4 bytes/8 bytes (32-bit/64-bit value)
address type/length 4 bytes
machine address 16 bytes (IPv6 address)
.fi
.in -2
.sp
.sp
.LP
The \fBreturn\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
error number 1 byte
return value 4 bytes/8 bytes (32-bit/64-bit value)
.fi
.in -2
.sp
.sp
.LP
The \fBsubject\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
port ID 4 bytes/8 bytes (32-bit/64-bit value)
machine address 4 bytes (IPv4 address)
.fi
.in -2
.sp
.sp
.LP
The expanded \fBsubject\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
port ID 4 bytes/8 bytes (32-bit/64-bit value)
address type/length 4 byte
machine address 16 bytes (IPv6 address)
.fi
.in -2
.sp
.sp
.LP
The \fBSystem V IPC\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
object ID type 1 byte
object ID 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBtext\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
text length 2 bytes
text N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.sp
.LP
The \fBattribute\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
file access mode 4 bytes
owner user ID 4 bytes
owner group ID 4 bytes
file system ID 4 bytes
node ID 8 bytes
device 4 bytes/8 bytes (32-bit/64-bit)
.fi
.in -2
.sp
.sp
.LP
The \fBgroups\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
number groups 2 bytes
group list N * 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBSystem V IPC permission\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
owner user ID 4 bytes
owner group ID 4 bytes
creator user ID 4 bytes
creator group ID 4 bytes
access mode 4 bytes
slot sequence # 4 bytes
key 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBgroup\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
group ID 4 bytes
group name length 2 bytes
group name \fIgroup name len\fR including terminating NULL byte
.fi
.in -2
.sp
.sp
.LP
The \fBarg\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
argument # 1 byte
argument value 4 bytes/8 bytes (32-bit/64-bit value)
text length 2 bytes
text N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.sp
.LP
The \fBexec_args\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
count 4 bytes
text \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp
.sp
.LP
The \fBexec_env\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
count 4 bytes
text \fIcount\fR null-terminated string(s)
.fi
.in -2
.sp
.sp
.LP
The \fBexit\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
status 4 bytes
return value 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBsocket\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
socket type 2 bytes
remote port 2 bytes
remote Internet address 4 bytes
.fi
.in -2
.sp
.sp
.LP
The expanded \fBsocket\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
socket domain 2 bytes
socket type 2 bytes
local port 2 bytes
local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
remote port 2 bytes
remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
.fi
.in -2
.sp
.sp
.LP
The \fBseq\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
sequence number 4 bytes
.fi
.in -2
.sp
.sp
.LP
The \fBprivilege\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
text length 2 bytes
privilege set name N bytes + 1 terminating NULL byte
text length 2 bytes
list of privileges N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBuser\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
user ID 4 bytes
user name length 2 bytes
user name <user name len> including terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBuse-of-auth\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
text length 2 bytes
authorization(s) N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBuse-of-privilege\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
succ/fail 1 byte
text length 2 bytes
privilege used N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBcommand\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
count of args 2 bytes
argument list (count times)
text length 2 bytes
argument text N bytes + 1 terminating NULL byte
count of env strings 2 bytes
environment list (count times)
text length 2 bytes
env. text N bytes + 1 terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBACL\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
type 4 bytes
value 4 bytes
file mode 4 bytes
.fi
.in -2
.sp
.LP
The ACE token consists of:
.sp
.in +2
.nf
token ID 1 byte
who 4 bytes
access_mask 4 bytes
flags 2 bytes
type 2 bytes
.fi
.in -2
.sp
.LP
The \fBzonename\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
name length 2 bytes
name \fI<name length>\fR including terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBfmri\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
fmri length 2 bytes
fmri \fI<fmri length>\fR including terminating NULL byte
.fi
.in -2
.sp
.LP
The \fBlabel\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
label ID 1 byte
compartment length 1 byte
classification 2 bytes
compartment words \fI<compartment length>\fR * 4 bytes
.fi
.in -2
.sp
.LP
The \fBxatom\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
string length 2 bytes
atom string \fIstring length\fR bytes
.fi
.in -2
.sp
.LP
The \fBxclient\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
client ID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxcolormap\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxcursor\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxfont\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxgc\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxpixmap\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.sp
.LP
The \fBxproperty\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
string length 2 bytes
string \fIstring length\fR bytes
.fi
.in -2
.sp
.LP
The \fBxselect\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
property length 2 bytes
property string \fIproperty length\fR bytes
prop. type len. 2 bytes
prop type \fIprop. type len.\fR bytes
data length 2 bytes
window data \fIdata length\fR bytes
.fi
.in -2
.sp
.LP
The \fBxwindow\fR token consists of:
.sp
.in +2
.nf
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
.fi
.in -2
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(�) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE�ATTRIBUTE VALUE
_
Interface Stability�See below.
.TE
.sp
.LP
The binary file format is Committed. The binary file contents is Uncommitted.
.SH SEE ALSO
.sp
.LP
\fBaudit\fR(1M), \fBauditconfig\fR(1M), \fBauditd\fR(1M), \fBaudit_binfile\fR(5), \fBaudit_syslog\fR(5)