audit.log(4)                     File Formats                     audit.log(4)

NAME
       audit.log - audit trail file

SYNOPSIS
       #include <bsm/audit.h>

       #include <bsm/audit_record.h>

DESCRIPTION
       audit.log files are the depository for audit records stored locally or
       on an NFS-mounted audit server. These files are kept in directories
       named in the file audit_control(4) using the dir option. They are
       named to reflect the time they are created and are, when possible,
       renamed to reflect the time they are closed as well. The name takes the
       form

              yyyymmddhhmmss.not_terminated.hostname

       when open or if the auditd(1M) terminated ungracefully, and the form

              yyyymmddhhmmss.yyyymmddhhmmss.hostname

       when properly closed. yyyy is the year, mm the month, dd the day in the
       month, hh the hour in the day, mm the minute in the hour, and ss the
       second in the minute. All fields are of fixed width.
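
       The following Python module is an added example; it is not part of this
       manual page or of the Solaris auditing software. It parses the two file
       name forms just described and lists the files in a directory listing
       that were never properly closed, which is the trace an ungraceful
       auditd(1M) termination leaves behind. The function names, the regular
       expression and the sample directory listing are all constructed for the
       example.

```python
import re
from datetime import datetime

# The two documented name forms: a fixed-width yyyymmddhhmmss open time, then
# either a fixed-width close time or the literal "not_terminated", then the
# hostname (which may itself contain dots).
_NAME_RE = re.compile(
    r"^(?P<start>\d{14})\.(?P<end>\d{14}|not_terminated)\.(?P<host>[^/]+)$"
)


def _parse_stamp(stamp):
    """Turn a fixed-width yyyymmddhhmmss field into a naive datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def parse_audit_log_name(name):
    """Return (start, end, hostname, closed) for an audit.log file name.

    end is None and closed is False for the not_terminated form, i.e. a file
    that is still open or whose auditd terminated ungracefully.
    Raises ValueError for names matching neither form, or whose close time
    precedes the open time (which a correctly renamed file can never have).
    """
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError("not an audit.log file name: %r" % name)
    start = _parse_stamp(m.group("start"))
    if m.group("end") == "not_terminated":
        return start, None, m.group("host"), False
    end = _parse_stamp(m.group("end"))
    if end < start:
        raise ValueError("close time precedes open time: %r" % name)
    return start, end, m.group("host"), True


def find_unterminated(names):
    """Return the names that were never properly closed, oldest open time first.

    Exactly one such file per host is normal (the file auditd is writing now);
    more than one means an earlier auditd instance died without renaming its
    log, so that file may be truncated mid-record and deserves a closer look.
    """
    open_files = []
    for n in names:
        start, end, host, closed = parse_audit_log_name(n)
        if not closed:
            open_files.append((start, host, n))
    return [n for _, _, n in sorted(open_files)]


# Constructed sample directory listing (not taken from a real system).
SAMPLE_NAMES = [
    "20090529120000.20090529130000.hostA",
    "20090529130000.not_terminated.hostA",
    "20090528090000.not_terminated.hostA",
    "20090529140000.20090529150000.hostB",
]
```

       Run against the constructed listing, find_unterminated reports two
       unclosed files for hostA, the older of which is the leftover of an
       ungraceful termination.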

       Audit data is generated in the binary format described below; the
       default for Solaris audit is binary format. See audit_syslog(5) for an
       alternate data format.

       The audit.log file begins with a standalone file token and typically
       ends with one also. The beginning file token records the pathname of
       the previous audit file, while the ending file token records the
       pathname of the next audit file. If the file name is NULL, the
       corresponding path was unavailable.

       The audit.log files contain audit records. Each audit record is made
       up of audit tokens. Each record contains a header token followed by
       various data tokens. Depending on the audit policy set by auditon(2),
       other optional tokens such as trailers or sequences may be included.

       The tokens are defined as follows:

       The file token consists of:

              token ID                 1 byte
              seconds of time          4 bytes
              microseconds of time     4 bytes
              file name length         2 bytes
              file pathname            N bytes + 1 terminating NULL byte

       The header token consists of:

              token ID                 1 byte
              record byte count        4 bytes
              version #                1 byte [2]
              event type               2 bytes
              event modifier           2 bytes
              seconds of time          4 bytes/8 bytes (32-bit/64-bit value)
              nanoseconds of time      4 bytes/8 bytes (32-bit/64-bit value)

       The expanded header token consists of:

              token ID                 1 byte
              record byte count        4 bytes
              version #                1 byte [2]
              event type               2 bytes
              event modifier           2 bytes
              address type/length      1 byte
              machine address          4 bytes/16 bytes (IPv4/IPv6 address)
              seconds of time          4 bytes/8 bytes (32/64-bits)
              nanoseconds of time      4 bytes/8 bytes (32/64-bits)

       The trailer token consists of:

              token ID                 1 byte
              trailer magic number     2 bytes
              record byte count        4 bytes
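
       The parser below is an added example, not code from this manual page or
       from the Solaris auditing implementation. It reads the file, header
       (32-bit time fields, version 2) and trailer layouts above, plus the
       subject, path, text, return and exec_args data tokens described further
       down, from a big-endian byte string. It walks the file record by record
       using the header's byte count and rejects a record whose trailer magic
       number or byte count disagrees with its header, or whose tokens run
       past the record boundary, since a truncated or spliced audit trail is
       exactly what a forensic reader must notice rather than silently skip.
       Two assumptions are not taken from this page: the numeric token IDs and
       trailer magic value come from <bsm/audit_record.h>, and the 2-byte
       length of path and text strings is taken to count the terminating NULL
       byte, as the zonename token states explicitly. The sample log, its
       event type and all function names are constructed.

```python
import struct

# Token IDs and the trailer magic number. The manual page names the tokens but
# not their numeric IDs; the values below are assumed from <bsm/audit_record.h>.
AUT_OTHER_FILE32, AUT_TRAILER, AUT_HEADER32 = 0x11, 0x13, 0x14
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32 = 0x23, 0x24, 0x27
AUT_TEXT, AUT_EXEC_ARGS, AUT_TRAILER_MAGIC = 0x28, 0x3C, 0xB105
HEADER32_LEN = 18   # 1 + 4 + 1 + 2 + 2 + 4 + 4 bytes (32-bit time fields)
TRAILER_LEN = 7     # 1 + 2 + 4 bytes

class AuditFormatError(ValueError):
    """Raised when the byte stream does not match the layouts above."""

def _string(buf, off):
    """2-byte length, then that many bytes. Assumption: the length counts the
    terminating NULL, as the zonename token states explicitly."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n < 1 or off + n > len(buf) or buf[off + n - 1] != 0:
        raise AuditFormatError("bad string field at offset %d" % off)
    return buf[off:off + n - 1].decode("ascii", "replace"), off + n

def parse_token(buf, off):
    """Parse one data token at off; return (token dict, offset after it)."""
    tid, off = buf[off], off + 1
    if tid == AUT_SUBJECT32:          # nine 4-byte fields (32-bit port ID)
        names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")
        return dict(zip(names, struct.unpack_from(">9I", buf, off)), token="subject"), off + 36
    if tid in (AUT_PATH, AUT_TEXT):   # length-prefixed NULL-terminated string
        value, off = _string(buf, off)
        return {"token": "path" if tid == AUT_PATH else "text", "value": value}, off
    if tid == AUT_RETURN32:           # 1-byte error number, 4-byte return value
        err, val = struct.unpack_from(">BI", buf, off)
        return {"token": "return", "errno": err, "value": val}, off + 5
    if tid == AUT_EXEC_ARGS:          # 4-byte count, then count NULL-terminated strings
        (count,), args = struct.unpack_from(">I", buf, off), []
        off += 4
        for _ in range(count):
            end = buf.find(b"\0", off)
            if end < 0:
                raise AuditFormatError("unterminated exec_args string at offset %d" % off)
            args.append(buf[off:end].decode("ascii", "replace"))
            off = end + 1
        return {"token": "exec_args", "args": args}, off
    raise AuditFormatError("unsupported token id 0x%02x at offset %d" % (tid, off - 1))

def parse_audit_log(buf):
    """Walk a whole audit.log: standalone file tokens plus header-delimited
    records, each bounded by its header byte count and closed by a trailer."""
    items, off = [], 0
    try:
        while off < len(buf):
            tid = buf[off]
            if tid == AUT_OTHER_FILE32:
                secs, usec = struct.unpack_from(">II", buf, off + 1)
                path, off = _string(buf, off + 9)
                items.append({"token": "file", "seconds": secs, "usec": usec, "path": path})
                continue
            if tid != AUT_HEADER32:
                raise AuditFormatError("expected header at offset %d, got 0x%02x" % (off, tid))
            count, ver, ev, mod, secs, nsec = struct.unpack_from(">IBHHII", buf, off + 1)
            if ver != 2:
                raise AuditFormatError("unsupported header version %d" % ver)
            end = off + count
            if count < HEADER32_LEN + TRAILER_LEN or end > len(buf):
                raise AuditFormatError("byte count %d at offset %d overruns the file" % (count, off))
            rec = {"event": ev, "modifier": mod, "seconds": secs, "nsec": nsec, "tokens": []}
            pos = off + HEADER32_LEN
            while pos < end - TRAILER_LEN:
                tok, pos = parse_token(buf, pos)
                rec["tokens"].append(tok)
            if pos != end - TRAILER_LEN:
                raise AuditFormatError("tokens overrun the trailer of record at offset %d" % off)
            tid2, magic, count2 = struct.unpack_from(">BHI", buf, pos)
            if tid2 != AUT_TRAILER or magic != AUT_TRAILER_MAGIC or count2 != count:
                raise AuditFormatError("bad trailer for record at offset %d" % off)
            items.append(rec)
            off = end
    except struct.error as exc:
        raise AuditFormatError("truncated token: %s" % exc) from None
    return items

def _s(text):
    """Length-prefixed string as laid out in the path and text tokens."""
    raw = text.encode("ascii") + b"\0"
    return struct.pack(">H", len(raw)) + raw

def build_record(event, tokens):
    """header32 + data tokens + trailer, for building constructed test data."""
    body = b"".join(tokens)
    count = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, count, 2, event, 0, 1243600000, 0)
    return header + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, count)

# Constructed sample (not captured from a real system): opening file token, one
# record with subject/path/exec_args/text/return tokens, and a closing file
# token naming a still-open successor. Event type 23 is a made-up value here.
SAMPLE_LOG = (
    struct.pack(">BII", AUT_OTHER_FILE32, 1243600000, 0)
    + _s("/var/audit/20090529110000.20090529120000.hostA")
    + build_record(23, [
        bytes([AUT_SUBJECT32]) + struct.pack(">9I", 1001, 0, 0, 1001, 10, 4242, 1001, 0, 0x7F000001),
        bytes([AUT_PATH]) + _s("/usr/bin/id"),
        bytes([AUT_EXEC_ARGS]) + struct.pack(">I", 2) + b"id\0-u\0",
        bytes([AUT_TEXT]) + _s("constructed sample"),
        bytes([AUT_RETURN32]) + struct.pack(">BI", 0, 0),
    ])
    + struct.pack(">BII", AUT_OTHER_FILE32, 1243603600, 0)
    + _s("/var/audit/20090529120000.not_terminated.hostA")
)
```

       parse_audit_log(SAMPLE_LOG) yields three items: the opening file token,
       the record with its five data tokens, and the closing file token. The
       same call on a copy whose trailer magic number or header byte count has
       been altered, or on a truncated copy, raises AuditFormatError instead
       of returning a partial record.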

       The arbitrary data token is defined:

              token ID                 1 byte
              how to print             1 byte
              basic unit               1 byte
              unit count               1 byte
              data items               (depends on basic unit)

       The in_addr token consists of:

              token ID                 1 byte
              IP address type/length   1 byte
              IP address               4 bytes/16 bytes (IPv4/IPv6 address)

       The expanded in_addr token consists of:

              token ID                 1 byte
              IP address type/length   4 bytes/16 bytes (IPv4/IPv6 address)
              IP address               16 bytes

       The ip token consists of:

              token ID                 1 byte
              version and ihl          1 byte
              type of service          1 byte
              length                   2 bytes
              id                       2 bytes
              offset                   2 bytes
              ttl                      1 byte
              protocol                 1 byte
              checksum                 2 bytes
              source address           4 bytes
              destination address      4 bytes

       The expanded ip token consists of:

              token ID                 1 byte
              version and ihl          1 byte
              type of service          1 byte
              length                   2 bytes
              id                       2 bytes
              offset                   2 bytes
              ttl                      1 byte
              protocol                 1 byte
              checksum                 2 bytes
              address type/length      1 byte
              source address           4 bytes/16 bytes (IPv4/IPv6 address)
              address type/length      1 byte
              destination address      4 bytes/16 bytes (IPv4/IPv6 address)

       The iport token consists of:

              token ID                 1 byte
              port IP address          2 bytes

       The path token consists of:

              token ID                 1 byte
              path length              2 bytes
              path                     N bytes + 1 terminating NULL byte

       The path_attr token consists of:

              token ID                 1 byte
              count                    4 bytes
              path                     count null-terminated string(s)

       The process token consists of:

              token ID                 1 byte
              audit ID                 4 bytes
              effective user ID        4 bytes
              effective group ID       4 bytes
              real user ID             4 bytes
              real group ID            4 bytes
              process ID               4 bytes
              session ID               4 bytes
              terminal ID
                 port ID               4 bytes/8 bytes (32-bit/64-bit value)
                 machine address       4 bytes

       The expanded process token consists of:

              token ID                 1 byte
              audit ID                 4 bytes
              effective user ID        4 bytes
              effective group ID       4 bytes
              real user ID             4 bytes
              real group ID            4 bytes
              process ID               4 bytes
              session ID               4 bytes
              terminal ID
                 port ID               4 bytes/8 bytes (32-bit/64-bit value)
                 address type/length   1 byte
                 machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The return token consists of:

              token ID                 1 byte
              error number             1 byte
              return value             4 bytes/8 bytes (32-bit/64-bit value)

       The subject token consists of:

              token ID                 1 byte
              audit ID                 4 bytes
              effective user ID        4 bytes
              effective group ID       4 bytes
              real user ID             4 bytes
              real group ID            4 bytes
              process ID               4 bytes
              session ID               4 bytes
              terminal ID
                 port ID               4 bytes/8 bytes (32-bit/64-bit value)
                 machine address       4 bytes

       The expanded subject token consists of:

              token ID                 1 byte
              audit ID                 4 bytes
              effective user ID        4 bytes
              effective group ID       4 bytes
              real user ID             4 bytes
              real group ID            4 bytes
              process ID               4 bytes
              session ID               4 bytes
              terminal ID
                 port ID               4 bytes/8 bytes (32-bit/64-bit value)
                 address type/length   1 byte
                 machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The System V IPC token consists of:

              token ID                 1 byte
              object ID type           1 byte
              object ID                4 bytes

       The text token consists of:

              token ID                 1 byte
              text length              2 bytes
              text                     N bytes + 1 terminating NULL byte

       The attribute token consists of:

              token ID                 1 byte
              file access mode         4 bytes
              owner user ID            4 bytes
              owner group ID           4 bytes
              file system ID           4 bytes
              node ID                  8 bytes
              device                   4 bytes/8 bytes (32-bit/64-bit)

       The groups token consists of:

              token ID                 1 byte
              number groups            2 bytes
              group list               N * 4 bytes

       The System V IPC permission token consists of:

              token ID                 1 byte
              owner user ID            4 bytes
              owner group ID           4 bytes
              creator user ID          4 bytes
              creator group ID         4 bytes
              access mode              4 bytes
              slot sequence #          4 bytes
              key                      4 bytes

       The arg token consists of:

              token ID                 1 byte
              argument #               1 byte
              argument value           4 bytes/8 bytes (32-bit/64-bit value)
              text length              2 bytes
              text                     N bytes + 1 terminating NULL byte

       The exec_args token consists of:

              token ID                 1 byte
              count                    4 bytes
              text                     count null-terminated string(s)

       The exec_env token consists of:

              token ID                 1 byte
              count                    4 bytes
              text                     count null-terminated string(s)

       The exit token consists of:

              token ID                 1 byte
              status                   4 bytes
              return value             4 bytes

       The socket token consists of:

              token ID                 1 byte
              socket type              2 bytes
              remote port              2 bytes
              remote Internet address  4 bytes

       The expanded socket token consists of:

              token ID                 1 byte
              socket domain            2 bytes
              socket type              2 bytes
              local port               2 bytes
              address type/length      2 bytes
              local port               2 bytes
              local Internet address   4 bytes/16 bytes (IPv4/IPv6 address)
              remote port              2 bytes
              remote Internet address  4 bytes/16 bytes (IPv4/IPv6 address)

       The seq token consists of:

              token ID                 1 byte
              sequence number          4 bytes

       The privilege token consists of:

              token ID                 1 byte
              text length              2 bytes
              privilege set name       N bytes + 1 terminating NULL byte
              text length              2 bytes
              list of privileges       N bytes + 1 terminating NULL byte

       The use-of-auth token consists of:

              token ID                 1 byte
              text length              2 bytes
              authorization(s)         N bytes + 1 terminating NULL byte

       The use-of-privilege token consists of:

              token ID                 1 byte
              succ/fail                1 byte
              text length              2 bytes
              privilege used           N bytes + 1 terminating NULL byte

       The command token consists of:

              token ID                 1 byte
              count of args            2 bytes
              argument list            (count times)
                 text length           2 bytes
                 argument text         N bytes + 1 terminating NULL byte
              count of env strings     2 bytes
              environment list         (count times)
                 text length           2 bytes
                 env. text             N bytes + 1 terminating NULL byte

       The ACL token consists of:

              token ID                 1 byte
              type                     4 bytes
              value                    4 bytes
              file mode                4 bytes

       The ACE token consists of:

              token ID                 1 byte
              who                      4 bytes
              access_mask              4 bytes
              flags                    2 bytes
              type                     2 bytes

       The zonename token consists of:

              token ID                 1 byte
              name length              2 bytes
              name                     <name length> including terminating NULL byte

       The fmri token consists of:

              token ID                 1 byte
              fmri length              2 bytes
              fmri                     <fmri length> including terminating NULL byte

       The label token consists of:

              token ID                 1 byte
              label ID                 1 byte
              compartment length       1 byte
              classification           2 bytes
              compartment words        <compartment length> * 4 bytes

       The xatom token consists of:

              token ID                 1 byte
              string length            2 bytes
              atom string              string length bytes

       The xclient token consists of:

              token ID                 1 byte
              client ID                4 bytes

       The xcolormap token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

       The xcursor token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

       The xfont token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

       The xgc token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

       The xpixmap token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

       The xproperty token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes
              string length            2 bytes
              string                   string length bytes

       The xselect token consists of:

              token ID                 1 byte
              property length          2 bytes
              property string          property length bytes
              prop. type len.          2 bytes
              prop type                prop. type len. bytes
              data length              2 bytes
              window data              data length bytes

       The xwindow token consists of:

              token ID                 1 byte
              XID                      4 bytes
              creator UID              4 bytes

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The binary file format is Committed. The binary file contents are
       Uncommitted.

SEE ALSO
       audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2), au_to(3BSM),
       audit_control(4), audit_syslog(5)

       Part VII, Solaris Auditing, in System Administration Guide: Security
       Services

NOTES
       Each token is generally written using the au_to(3BSM) family of
       function calls.

SunOS 5.11                        29 May 2009                      audit.log(4)