File Formats audit.log(4)
NAME
audit.log - audit trail file
SYNOPSIS
#include <bsm/audit.h>
#include <bsm/audit_record.h>
DESCRIPTION
audit.log files are the depository for audit records stored
locally or on an NFS-mounted audit server. These files
are kept in directories named in the file audit_control(4)
using the dir option. They are named to reflect the time
they are created and are, when possible, renamed to reflect
the time they are closed as well. The name takes the form
yyyymmddhhmmss.not_terminated.hostname
when open or if the auditd(1M) terminated ungracefully, and
the form
yyyymmddhhmmss.yyyymmddhhmmss.hostname
when properly closed. yyyy is the year, mm the month, dd day
in the month, hh hour in the day, mm minute in the hour, and
ss second in the minute. All fields are of fixed width.
Audit data is generated in the binary format described
below; the default for Solaris audit is binary format. See
audit_syslog(5) for an alternate data format.
The audit.log file begins with a standalone file token and
typically ends with one also. The beginning file token
records the pathname of the previous audit file, while the
ending file token records the pathname of the next audit
file. If the file name is NULL, the appropriate path was
unavailable.
The audit.log files contain audit records. Each audit
record is made up of audit tokens: a header token followed
by various data tokens. Depending on the audit policy set
by auditon(2), other optional tokens such as trailers or
sequences may be included.
The tokens are defined as follows:
The file token consists of:
token ID 1 byte
seconds of time 4 bytes
SunOS 5.10 Last change: 7 Mar 2006 1
microseconds of time 4 bytes
file name length 2 bytes
file pathname N bytes + 1 terminating NULL byte
The header token consists of:
token ID 1 byte
record byte count 4 bytes
version # 1 byte [2]
event type 2 bytes
event modifier 2 bytes
seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
The expanded header token consists of:
token ID 1 byte
record byte count 4 bytes
version # 1 byte [2]
event type 2 bytes
event modifier 2 bytes
address type/length 1 byte
machine address 4 bytes/16 bytes (IPv4/IPv6 address)
seconds of time 4 bytes/8 bytes (32/64-bits)
nanoseconds of time 4 bytes/8 bytes (32/64-bits)
The trailer token consists of:
token ID 1 byte
trailer magic number 2 bytes
record byte count 4 bytes
The arbitrary data token is defined:
token ID 1 byte
how to print 1 byte
basic unit 1 byte
unit count 1 byte
data items (depends on basic unit)
The in_addr token consists of:
token ID 1 byte
IP address type/length 1 byte
IP address 4 bytes/16 bytes (IPv4/IPv6 address)
The expanded in_addr token consists of:
token ID 1 byte
IP address type/length 4 bytes/16 bytes (IPv4/IPv6 address)
IP address 16 bytes
The ip token consists of:
token ID 1 byte
version and ihl 1 byte
type of service 1 byte
length 2 bytes
id 2 bytes
offset 2 bytes
ttl 1 byte
protocol 1 byte
checksum 2 bytes
source address 4 bytes
destination address 4 bytes
The expanded ip token consists of:
token ID 1 byte
version and ihl 1 byte
type of service 1 byte
length 2 bytes
id 2 bytes
offset 2 bytes
ttl 1 byte
protocol 1 byte
checksum 2 bytes
address type/length 1 byte
source address 4 bytes/16 bytes (IPv4/IPv6 address)
address type/length 1 byte
destination address 4 bytes/16 bytes (IPv4/IPv6 address)
The iport token consists of:
token ID 1 byte
port IP address 2 bytes
The path token consists of:
token ID 1 byte
path length 2 bytes
path N bytes + 1 terminating NULL byte
The path_attr token consists of:
token ID 1 byte
count 4 bytes
path count null-terminated string(s)
The process token consists of:
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
    port ID 4 bytes/8 bytes (32-bit/64-bit value)
    machine address 4 bytes
The expanded process token consists of:
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
    port ID 4 bytes/8 bytes (32-bit/64-bit value)
    address type/length 1 byte
    machine address 4 bytes/16 bytes (IPv4/IPv6 address)
The return token consists of:
token ID 1 byte
error number 1 byte
return value 4 bytes/8 bytes (32-bit/64-bit value)
The subject token consists of:
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
    port ID 4 bytes/8 bytes (32-bit/64-bit value)
    machine address 4 bytes
The expanded subject token consists of:
token ID 1 byte
audit ID 4 bytes
effective user ID 4 bytes
effective group ID 4 bytes
real user ID 4 bytes
real group ID 4 bytes
process ID 4 bytes
session ID 4 bytes
terminal ID
    port ID 4 bytes/8 bytes (32-bit/64-bit value)
    address type/length 1 byte
    machine address 4 bytes/16 bytes (IPv4/IPv6 address)
The System V IPC token consists of:
token ID 1 byte
object ID type 1 byte
object ID 4 bytes
The text token consists of:
token ID 1 byte
text length 2 bytes
text N bytes + 1 terminating NULL byte
The attribute token consists of:
token ID 1 byte
file access mode 4 bytes
owner user ID 4 bytes
owner group ID 4 bytes
file system ID 4 bytes
node ID 8 bytes
device 4 bytes/8 bytes (32-bit/64-bit)
The groups token consists of:
token ID 1 byte
number groups 2 bytes
group list N * 4 bytes
The System V IPC permission token consists of:
token ID 1 byte
owner user ID 4 bytes
owner group ID 4 bytes
creator user ID 4 bytes
creator group ID 4 bytes
access mode 4 bytes
slot sequence # 4 bytes
key 4 bytes
The arg token consists of:
token ID 1 byte
argument # 1 byte
argument value 4 bytes/8 bytes (32-bit/64-bit value)
text length 2 bytes
text N bytes + 1 terminating NULL byte
The exec_args token consists of:
token ID 1 byte
count 4 bytes
text count null-terminated string(s)
The exec_env token consists of:
token ID 1 byte
count 4 bytes
text count null-terminated string(s)
The exit token consists of:
token ID 1 byte
status 4 bytes
return value 4 bytes
The socket token consists of:
token ID 1 byte
socket type 2 bytes
remote port 2 bytes
remote Internet address 4 bytes
The expanded socket token consists of:
token ID 1 byte
socket domain 2 bytes
socket type 2 bytes
local port 2 bytes
address type/length 2 bytes
local port 2 bytes
local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
remote port 2 bytes
remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
The seq token consists of:
token ID 1 byte
sequence number 4 bytes
The privilege token consists of:
token ID 1 byte
text length 2 bytes
privilege set name N bytes + 1 terminating NULL byte
text length 2 bytes
list of privileges N bytes + 1 terminating NULL byte
The use-of-auth token consists of:
token ID 1 byte
text length 2 bytes
authorization(s) N bytes + 1 terminating NULL byte
The use-of-privilege token consists of:
token ID 1 byte
succ/fail 1 byte
text length 2 bytes
privilege used N bytes + 1 terminating NULL byte
The command token consists of:
token ID 1 byte
count of args 2 bytes
argument list (count times)
    text length 2 bytes
    argument text N bytes + 1 terminating NULL byte
count of env strings 2 bytes
environment list (count times)
    text length 2 bytes
    env. text N bytes + 1 terminating NULL byte
The ACL token consists of:
token ID 1 byte
type 4 bytes
value 4 bytes
file mode 4 bytes
The zonename token consists of:
token ID 1 byte
name length 2 bytes
name <name length> including terminating NULL byte
The label token consists of:
token ID 1 byte
label ID 1 byte
compartment length 1 byte
classification 2 bytes
compartment words <compartment length> * 4 bytes
The xatom token consists of:
token ID 1 byte
string length 2 bytes
atom string string length bytes
The xclient token consists of:
token ID 1 byte
client ID 4 bytes
The xcolormap token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
The xcursor token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
The xfont token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
The xgc token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
The xpixmap token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
The xproperty token consists of:
token ID 1 byte
XID 4 bytes
creator UID 4 bytes
string length 2 bytes
string string length bytes
The xselect token consists of:
token ID 1 byte
property length 2 bytes
property string property length bytes
prop. type len. 2 bytes
prop type prop. type len. bytes
data length 2 bytes
window data data length bytes
The xwindow token consists of:
XID 4 bytes
creator UID 4 bytes
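As an added example, not part of this man page, the following Python walks one record built from the header, path, return and trailer layouts above and refuses it unless the header byte count, the token boundaries and the trailer agree, which is how a truncated file (the not_terminated case) or an altered record shows up. The numeric token IDs and the trailer magic are taken from <bsm/audit_record.h> rather than from this page, and the sample record is constructed.

```python
import struct

# Token IDs and trailer magic as defined in <bsm/audit_record.h> (assumed
# here; the man page gives field layouts but not the numeric IDs).
AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_RETURN32 = 0x13, 0x14, 0x23, 0x27
TRAILER_MAGIC = 0xB105

def parse_record(buf, off=0):
    """Parse one record at buf[off]; return (tokens, offset of next record).
    Raises ValueError when the header byte count, a token boundary or the
    trailer is inconsistent, so a consumer never trusts a damaged record."""
    if len(buf) - off < 18 or buf[off] != AUT_HEADER32:
        raise ValueError("no header token at offset %d" % off)
    # header (32-bit layout): token ID 1, byte count 4, version 1, event 2,
    # modifier 2, seconds 4, nanoseconds 4 = 18 bytes
    count, ver, ev, mod, sec, nsec = struct.unpack_from(">IBHHII", buf, off + 1)
    end = off + count
    if ver != 2 or count < 18 + 7 or end > len(buf):
        raise ValueError("bad header: version %d, byte count %d" % (ver, count))
    tokens = [("header", ev, mod, sec, nsec)]
    pos = off + 18
    while pos < end - 7:               # the last 7 bytes must be the trailer
        tid = buf[pos]
        if tid == AUT_PATH:            # ID 1, path length 2, path incl. NUL
            (n,) = struct.unpack_from(">H", buf, pos + 1)
            raw = buf[pos + 3:pos + 3 + n]
            if len(raw) != n or not raw.endswith(b"\0"):
                raise ValueError("path token overruns record")
            tokens.append(("path", raw[:-1].decode("ascii")))
            pos += 3 + n
        elif tid == AUT_RETURN32:      # ID 1, error number 1, return value 4
            err, val = struct.unpack_from(">Bi", buf, pos + 1)
            tokens.append(("return", err, val))
            pos += 6
        else:
            raise ValueError("unknown token ID 0x%02x" % tid)
    if pos != end - 7:
        raise ValueError("token bytes do not line up with the trailer")
    tid, magic, tcount = struct.unpack_from(">BHI", buf, pos)
    if tid != AUT_TRAILER or magic != TRAILER_MAGIC or tcount != count:
        raise ValueError("trailer missing or inconsistent with header")
    return tokens, end

def build_record(event, path, errno, retval, sec=1141700000, nsec=0):
    """Constructed sample record (not taken from a real audit.log)."""
    body = struct.pack(">BH", AUT_PATH, len(path) + 1) + path.encode() + b"\0"
    body += struct.pack(">BBi", AUT_RETURN32, errno, retval)
    count = 18 + len(body) + 7
    hdr = struct.pack(">BIBHHII", AUT_HEADER32, count, 2, event, 0, sec, nsec)
    return hdr + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, count)
```

Because the header carries the record byte count, a reader can skip a record whose tokens it does not understand and still resynchronise on the next header.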
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Interface Stability:        |                             |
|   binary file format        | Evolving                    |
|   binary file contents      | Unstable                    |
|_____________________________|_____________________________|
SEE ALSO
audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2),
au_to(3BSM), audit_control(4), audit_syslog(5)
NOTES
Each token is generally written using the au_to(3BSM) family
of function calls.
Man(1) output converted with
man2html and wrapped by fishsponge
This page was generated on Wed Sep 12 21:37:25 GMT 2007