audit.log(4)                     File Formats                     audit.log(4)

NAME

       audit.log - audit trail file

SYNOPSIS

       #include <bsm/audit.h>

       #include <bsm/audit_record.h>

DESCRIPTION

       audit.log files are the depository for audit records stored locally or
       on an NFS-mounted audit server. These files are kept in directories
       named in the file audit_control(4) using the dir option. They are named
       to reflect the time they are created and are, when possible, renamed to
       reflect the time they are closed as well. The name takes the form

       yyyymmddhhmmss.not_terminated.hostname

       when open or if the auditd(1M) terminated ungracefully, and the form

       yyyymmddhhmmss.yyyymmddhhmmss.hostname

       when properly closed. yyyy is the year, mm the month, dd the day in the
       month, hh the hour in the day, mm the minute in the hour, and ss the
       second in the minute. All fields are of fixed width.

       Audit data is generated in the binary format described below; the
       default for Solaris audit is binary format. See audit_syslog(5) for an
       alternate data format.

       The audit.log file begins with a standalone file token and typically
       ends with one also. The beginning file token records the pathname of
       the previous audit file, while the ending file token records the
       pathname of the next audit file. If the file name is NULL, the
       appropriate path was unavailable.

       The audit.log files contain audit records. Each audit record is made
       up of audit tokens. Each record contains a header token followed by
       various data tokens. Depending on the audit policy put in place by
       auditon(2), other optional tokens such as trailers or sequences may be
       included.

       The tokens are defined as follows:

       The file token consists of:

         token ID                1 byte
         seconds of time         4 bytes
         microseconds of time    4 bytes
         file name length        2 bytes
         file pathname           N bytes + 1 terminating NULL byte

       The header token consists of:

         token ID                1 byte
         record byte count       4 bytes
         version #               1 byte    [2]
         event type              2 bytes
         event modifier          2 bytes
         seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
         nanoseconds of time     4 bytes/8 bytes (32-bit/64-bit value)

       The expanded header token consists of:

         token ID                1 byte
         record byte count       4 bytes
         version #               1 byte    [2]
         event type              2 bytes
         event modifier          2 bytes
         address type/length     1 byte
         machine address         4 bytes/16 bytes (IPv4/IPv6 address)
         seconds of time         4 bytes/8 bytes (32/64-bits)
         nanoseconds of time     4 bytes/8 bytes (32/64-bits)

       The trailer token consists of:

         token ID                1 byte
         trailer magic number    2 bytes
         record byte count       4 bytes

       The arbitrary data token is defined:

         token ID                1 byte
         how to print            1 byte
         basic unit              1 byte
         unit count              1 byte
         data items              (depends on basic unit)

       The in_addr token consists of:

         token ID                1 byte
         IP address type/length  1 byte
         IP address              4 bytes/16 bytes (IPv4/IPv6 address)

       The expanded in_addr token consists of:

         token ID                1 byte
         IP address type/length  4 bytes/16 bytes (IPv4/IPv6 address)
         IP address              16 bytes

       The ip token consists of:

         token ID                1 byte
         version and ihl         1 byte
         type of service         1 byte
         length                  2 bytes
         id                      2 bytes
         offset                  2 bytes
         ttl                     1 byte
         protocol                1 byte
         checksum                2 bytes
         source address          4 bytes
         destination address     4 bytes

       The expanded ip token consists of:

         token ID                1 byte
         version and ihl         1 byte
         type of service         1 byte
         length                  2 bytes
         id                      2 bytes
         offset                  2 bytes
         ttl                     1 byte
         protocol                1 byte
         checksum                2 bytes
         address type/length     1 byte
         source address          4 bytes/16 bytes (IPv4/IPv6 address)
         address type/length     1 byte
         destination address     4 bytes/16 bytes (IPv4/IPv6 address)

       The iport token consists of:

         token ID                1 byte
         port IP address         2 bytes

       The path token consists of:

         token ID                1 byte
         path length             2 bytes
         path                    N bytes + 1 terminating NULL byte

       The path_attr token consists of:

         token ID                1 byte
         count                   4 bytes
         path                    count null-terminated string(s)

       The process token consists of:

         token ID                1 byte
         audit ID                4 bytes
         effective user ID       4 bytes
         effective group ID      4 bytes
         real user ID            4 bytes
         real group ID           4 bytes
         process ID              4 bytes
         session ID              4 bytes
         terminal ID
           port ID               4 bytes/8 bytes (32-bit/64-bit value)
           machine address       4 bytes

       The expanded process token consists of:

         token ID                1 byte
         audit ID                4 bytes
         effective user ID       4 bytes
         effective group ID      4 bytes
         real user ID            4 bytes
         real group ID           4 bytes
         process ID              4 bytes
         session ID              4 bytes
         terminal ID
           port ID               4 bytes/8 bytes (32-bit/64-bit value)
           address type/length   1 byte
           machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The return token consists of:

         token ID                1 byte
         error number            1 byte
         return value            4 bytes/8 bytes (32-bit/64-bit value)

       The subject token consists of:

         token ID                1 byte
         audit ID                4 bytes
         effective user ID       4 bytes
         effective group ID      4 bytes
         real user ID            4 bytes
         real group ID           4 bytes
         process ID              4 bytes
         session ID              4 bytes
         terminal ID
           port ID               4 bytes/8 bytes (32-bit/64-bit value)
           machine address       4 bytes

       The expanded subject token consists of:

         token ID                1 byte
         audit ID                4 bytes
         effective user ID       4 bytes
         effective group ID      4 bytes
         real user ID            4 bytes
         real group ID           4 bytes
         process ID              4 bytes
         session ID              4 bytes
         terminal ID
           port ID               4 bytes/8 bytes (32-bit/64-bit value)
           address type/length   1 byte
           machine address       4 bytes/16 bytes (IPv4/IPv6 address)

       The System V IPC token consists of:

         token ID                1 byte
         object ID type          1 byte
         object ID               4 bytes

       The text token consists of:

         token ID                1 byte
         text length             2 bytes
         text                    N bytes + 1 terminating NULL byte

       The attribute token consists of:

         token ID                1 byte
         file access mode        4 bytes
         owner user ID           4 bytes
         owner group ID          4 bytes
         file system ID          4 bytes
         node ID                 8 bytes
         device                  4 bytes/8 bytes (32-bit/64-bit)

       The groups token consists of:

         token ID                1 byte
         number groups           2 bytes
         group list              N * 4 bytes

       The System V IPC permission token consists of:

         token ID                1 byte
         owner user ID           4 bytes
         owner group ID          4 bytes
         creator user ID         4 bytes
         creator group ID        4 bytes
         access mode             4 bytes
         slot sequence #         4 bytes
         key                     4 bytes

       The arg token consists of:

         token ID                1 byte
         argument #              1 byte
         argument value          4 bytes/8 bytes (32-bit/64-bit value)
         text length             2 bytes
         text                    N bytes + 1 terminating NULL byte

       The exec_args token consists of:

         token ID                1 byte
         count                   4 bytes
         text                    count null-terminated string(s)

       The exec_env token consists of:

         token ID                1 byte
         count                   4 bytes
         text                    count null-terminated string(s)

       The exit token consists of:

         token ID                1 byte
         status                  4 bytes
         return value            4 bytes

       The socket token consists of:

         token ID                1 byte
         socket type             2 bytes
         remote port             2 bytes
         remote Internet address 4 bytes

       The expanded socket token consists of:

         token ID                1 byte
         socket domain           2 bytes
         socket type             2 bytes
         local port              2 bytes
         address type/length     2 bytes
         local port              2 bytes
         local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
         remote port             2 bytes
         remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)

       The seq token consists of:

         token ID                1 byte
         sequence number         4 bytes

       The privilege token consists of:

         token ID                1 byte
         text length             2 bytes
         privilege set name      N bytes + 1 terminating NULL byte
         text length             2 bytes
         list of privileges      N bytes + 1 terminating NULL byte

       The use-of-auth token consists of:

         token ID                1 byte
         text length             2 bytes
         authorization(s)        N bytes + 1 terminating NULL byte

       The use-of-privilege token consists of:

         token ID                1 byte
         succ/fail               1 byte
         text length             2 bytes
         privilege used          N bytes + 1 terminating NULL byte

       The command token consists of:

         token ID                1 byte
         count of args           2 bytes
         argument list           (count times)
         text length             2 bytes
         argument text           N bytes + 1 terminating NULL byte
         count of env strings    2 bytes
         environment list        (count times)
         text length             2 bytes
         env. text               N bytes + 1 terminating NULL byte

       The ACL token consists of:

         token ID                1 byte
         type                    4 bytes
         value                   4 bytes
         file mode               4 bytes

       The ACE token consists of:

         token ID                1 byte
         who                     4 bytes
         access_mask             4 bytes
         flags                   2 bytes
         type                    2 bytes

       The zonename token consists of:

         token ID                1 byte
         name length             2 bytes
         name                    <name length> including terminating NULL byte

       The fmri token consists of:

         token ID                1 byte
         fmri length             2 bytes
         fmri                    <fmri length> including terminating NULL byte

       The label token consists of:

         token ID                1 byte
         label ID                1 byte
         compartment length      1 byte
         classification          2 bytes
         compartment words       <compartment length> * 4 bytes

       The xatom token consists of:

         token ID                1 byte
         string length           2 bytes
         atom string             string length bytes

       The xclient token consists of:

         token ID                1 byte
         client ID               4 bytes

       The xcolormap token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes

       The xcursor token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes

       The xfont token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes

       The xgc token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes

       The xpixmap token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes

       The xproperty token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes
         string length           2 bytes
         string                  string length bytes

       The xselect token consists of:

         token ID                1 byte
         property length         2 bytes
         property string         property length bytes
         prop. type len.         2 bytes
         prop type               prop. type len. bytes
         data length             2 bytes
         window data             data length bytes

       The xwindow token consists of:

         token ID                1 byte
         XID                     4 bytes
         creator UID             4 bytes
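       As an added illustration (not part of this manual page or of the
       Solaris audit sources), a small Python reader for the record structure
       described above: it walks one record from its 32-bit header token
       through subject and text tokens to the trailer, and rejects a record
       whose header byte count, token lengths or trailer magic disagree, which
       is the consistency check a log validator wants before trusting a record.
       The token ID values and the trailer magic are those of
       <bsm/audit_record.h> rather than values given on this page; the sample
       record it builds uses made-up IDs, address, time and event type.

```python
import socket
import struct

# Token IDs and magic are those of <bsm/audit_record.h> (not on the page); big-endian.
AUT_TRAILER, AUT_HEADER32, AUT_SUBJECT32, AUT_TEXT = 0x13, 0x14, 0x24, 0x28
AUT_TRAILER_MAGIC = 0xB105
HEADER32_LEN, SUBJECT32_LEN, TRAILER_LEN = 18, 37, 7
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port")

def parse_record(buf, off=0):
    """Parse one record at buf[off]; return (tokens, offset of the next record).
    Raises ValueError when the header byte count, a token length or the trailer
    disagree, which is how a truncated or spliced record shows up in validation."""
    if off + HEADER32_LEN > len(buf) or buf[off] != AUT_HEADER32:
        raise ValueError("expected a 32-bit header token at offset %d" % off)
    _, count, ver, etype, emod, sec, nsec = struct.unpack_from(">BIBHHII", buf, off)
    end = off + count
    if count < HEADER32_LEN + TRAILER_LEN or end > len(buf):
        raise ValueError("record byte count %d runs past the buffer" % count)
    tokens = [("header", {"version": ver, "event": etype, "modifier": emod,
                          "seconds": sec, "nanoseconds": nsec})]
    pos = off + HEADER32_LEN
    while pos < end:
        tid = buf[pos]
        if tid == AUT_SUBJECT32 and pos + SUBJECT32_LEN <= end:
            subj = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">8I", buf, pos + 1)))
            subj["machine"] = socket.inet_ntoa(bytes(buf[pos + 33:pos + 37]))
            tokens.append(("subject", subj))
            pos += SUBJECT32_LEN
        elif tid == AUT_TEXT and pos + 3 <= end:
            (length,) = struct.unpack_from(">H", buf, pos + 1)  # counts the NUL
            raw = bytes(buf[pos + 3:pos + 3 + length])
            if pos + 3 + length > end or not raw.endswith(b"\0"):
                raise ValueError("text token at offset %d is malformed" % pos)
            tokens.append(("text", raw[:-1].decode("ascii", "replace")))
            pos += 3 + length
        elif tid == AUT_TRAILER and pos + TRAILER_LEN == end:
            _, magic, tcount = struct.unpack_from(">BHI", buf, pos)
            if magic != AUT_TRAILER_MAGIC or tcount != count:
                raise ValueError("trailer does not match header at offset %d" % pos)
            tokens.append(("trailer", tcount))
            pos += TRAILER_LEN
        else:
            raise ValueError("bad or truncated token 0x%02x at offset %d" % (tid, pos))
    return tokens, end

def build_record(event, text):
    """Constructed sample record: the IDs, address, time and event are made up."""
    body = struct.pack(">B8I", AUT_SUBJECT32, 1001, 1001, 10, 1001, 10, 4242, 4242, 0)
    body += socket.inet_aton("192.0.2.7")
    txt = text.encode("ascii") + b"\0"
    body += struct.pack(">BH", AUT_TEXT, len(txt)) + txt
    count = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, count, 2, event, 0, 1243555200, 0)
    return header + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, count)
```

       Records without a trailer token are accepted, since the page lists the
       trailer as optional; a reader for a real log would add the remaining
       token types and the 64-bit header variant in the same pattern.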

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The binary file format is Committed. The binary file contents are
       Uncommitted.

SEE ALSO

       audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2), au_to(3BSM),
       audit_control(4), audit_syslog(5)

       Part VII, Solaris Auditing, in System Administration Guide: Security
       Services

NOTES

       Each token is generally written using the au_to(3BSM) family of
       function calls.



SunOS 5.11                        29 May 2009                     audit.log(4)