audit.log man page on Solaris

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
Solaris logo
[printable version]

audit.log(4)			 File Formats			  audit.log(4)

NAME
       audit.log - audit trail file

SYNOPSIS
       #include <bsm/audit.h>

       #include <bsm/audit_record.h>

DESCRIPTION
       audit.log  files are the depository for audit records stored locally or
       on an on an NFS-mounted audit server. These files are kept in  directo‐
       ries  named in the file audit_control(4) using the dir option. They are
       named to reflect the time they are  created  and	 are,  when  possible,
       renamed to reflect the time they are closed as well. The name takes the
       form

       yyyymmddhhmmss.not_terminated.hostname

       when open or if the auditd(1M) terminated ungracefully, and the form

       yyyymmddhhmmss.yyyymmddhhmmss.hostname

       when properly closed. yyyy is the year, mm the month,  dd  day  in  the
       month,  hh hour in the day, mm minute in the hour, and ss second in the
       minute. All fields are of fixed width.

       Audit data is generated in  the	binary	format	described  below;  the
       default	for Solaris audit is binary format. See audit_syslog(5) for an
       alternate data format.

       The audit.log file begins with a standalone file	 token	and  typically
       ends  with  one	also. The beginning file token records the pathname of
       the previous audit file, while the ending file token records the	 path‐
       name  of	 the next audit file. If the file name is NULL the appropriate
       path was unavailable.

       The audit.log files contains audit records. Each audit record  is  made
       up  of  audit  tokens.  Each record contains a header token followed by
       various data tokens. Depending on the audit policy in  place  by	 audi‐
       ton(2),	optional  other	 tokens	 such  as trailers or sequences may be
       included.

       The tokens are defined as follows:

       The file token consists of:

	 token ID		 1 byte
	 seconds of time	 4 bytes
	 microseconds of time	 4 bytes
	 file name length	 2 bytes
	 file pathname		 N bytes + 1 terminating NULL byte

       The header token consists of:

	 token ID		 1 byte
	 record byte count	 4 bytes
	 version #		 1 byte	   [2]
	 event type		 2 bytes
	 event modifier		 2 bytes
	 seconds of time	 4 bytes/8 bytes (32-bit/64-bit value)
	 nanoseconds of time	 4 bytes/8 bytes (32-bit/64-bit value)

       The expanded header token consists of:

	 token ID		 1 byte
	 record byte count	 4 bytes
	 version #		 1 byte	    [2]
	 event type		 2 bytes
	 event modifier		 2 bytes
	 address type/length	 1 byte
	 machine address	 4 bytes/16 bytes (IPv4/IPv6 address)
	 seconds of time	 4 bytes/8 bytes  (32/64-bits)
	 nanoseconds of time	 4 bytes/8 bytes  (32/64-bits)

       The trailer token consists of:

	 token ID		 1 byte
	 trailer magic number	 2 bytes
	 record byte count	 4 bytes

       The  arbitrary data token is defined:

	 token ID		 1 byte
	 how to print		 1 byte
	 basic unit		 1 byte
	 unit count		 1 byte
	 data items		 (depends on basic unit)

       The in_addr token consists of:

	 token ID		 1 byte
	 IP address type/length	 1 byte
	 IP address	   4 bytes/16 bytes (IPv4/IPv6 address)

       The expanded in_addr token consists of:

	 token ID		 1 byte
	 IP address type/length	 4 bytes/16 bytes (IPv4/IPv6 address)
	 IP address		16 bytes

       The ip token consists of:

	 token ID		 1 byte
	 version and ihl	 1 byte
	 type of service	 1 byte
	 length			 2 bytes
	 id			 2 bytes
	 offset			 2 bytes
	 ttl			 1 byte
	 protocol		 1 byte
	 checksum		 2 bytes
	 source address		 4 bytes
	 destination address	 4 bytes

       The expanded ip token consists of:

	 token ID		 1 byte
	 version and ihl	 1 byte
	 type of service	 1 byte
	 length			 2 bytes
	 id			 2 bytes
	 offset			 2 bytes
	 ttl			 1 byte
	 protocol		 1 byte
	 checksum		 2 bytes
	 address type/type	 1 byte
	 source address		 4 bytes/16 bytes (IPv4/IPv6 address)
	 address type/length	 1 byte
	 destination address	 4 bytes/16 bytes (IPv4/IPv6 address)

       The iport token consists of:

	 token ID		 1 byte
	 port IP address	 2 bytes

       The path token consists of:

	 token ID		 1 byte
	 path length		 2 bytes
	 path			 N bytes + 1 terminating NULL byte

       The path_attr token consists of:

	 token ID		 1 byte
	 count			 4 bytes
	 path			 count null-terminated string(s)

       The process token consists of:

	 token ID		 1 byte
	 audit ID		 4 bytes
	 effective user ID	 4 bytes
	 effective group ID	 4 bytes
	 real user ID		 4 bytes
	 real group ID		 4 bytes
	 process ID		 4 bytes
	 session ID		 4 bytes
	 terminal ID
	   port ID		 4 bytes/8 bytes (32-bit/64-bit value)
	   machine address	 4 bytes

       The expanded process token consists of:

	 token ID		 1 byte
	 audit ID		 4 bytes
	 effective user ID	 4 bytes
	 effective group ID	 4 bytes
	 real user ID		 4 bytes
	 real group ID		 4 bytes
	 process ID		 4 bytes
	 session ID		 4 bytes
	 terminal ID
	   port ID		 4 bytes/8 bytes (32-bit/64-bit value)
	   address type/length	 1 byte
	   machine address	 4 bytes/16 bytes (IPv4/IPv6 address)

       The return token consists of:

	 token ID		 1 byte
	 error number		 1 byte
	 return value		 4 bytes/8 bytes (32-bit/64-bit value)

       The subject token consists of:

	 token ID		 1 byte
	 audit ID		 4 bytes
	 effective user ID	 4 bytes
	 effective group ID	 4 bytes
	 real user ID		 4 bytes
	 real group ID		 4 bytes
	 process ID		 4 bytes
	 session ID		 4 bytes
	 terminal ID
	   port ID		 4 bytes/8 bytes (32-bit/64-bit value)
	   machine address	 4 bytes

       The expanded subject token consists of:

	 token ID		 1 byte
	 audit ID		 4 bytes
	 effective user ID	 4 bytes
	 effective group ID	 4 bytes
	 real user ID		 4 bytes
	 real group ID		 4 bytes
	 process ID		 4 bytes
	 session ID		 4 bytes
	 terminal ID
	   port ID		 4 bytes/8 bytes (32-bit/64-bit value)
	   address type/length	 1 byte
	   machine address	 4 bytes/16 bytes (IPv4/IPv6 address)

       The System V IPC token consists of:

	 token ID		 1 byte
	 object ID type		 1 byte
	 object ID		 4 bytes

       The text token consists of:

	 token ID		 1 byte
	 text length		 2 bytes
	 text			 N bytes + 1 terminating NULL byte

       The attribute token consists of:

	 token ID		 1 byte
	 file access mode	 4 bytes
	 owner user ID		 4 bytes
	 owner group ID		 4 bytes
	 file system ID		 4 bytes
	 node ID		 8 bytes
	 device			 4 bytes/8 bytes (32-bit/64-bit)

       The groups token consists of:

	 token ID		 1 byte
	 number groups		 2 bytes
	 group list		 N * 4 bytes

       The System V IPC permission token consists of:

	 token ID		 1 byte
	 owner user ID		 4 bytes
	 owner group ID		 4 bytes
	 creator user ID	 4 bytes
	 creator group ID	 4 bytes
	 access mode		 4 bytes
	 slot sequence #	 4 bytes
	 key			 4 bytes

       The arg token consists of:

	 token ID		 1 byte
	 argument #		 1 byte
	 argument value		 4 bytes/8 bytes (32-bit/64-bit value)
	 text length		 2 bytes
	 text			 N bytes + 1 terminating NULL byte

       The exec_args token consists of:

	 token ID		 1 byte
	 count			 4 bytes
	 text			 count null-terminated string(s)

       The exec_env token consists of:

	 token ID		 1 byte
	 count			 4 bytes
	 text			 count null-terminated string(s)

       The exit token consists of:

	 token ID		 1 byte
	 status			 4 bytes
	 return value		 4 bytes

       The socket token consists of:

	 token ID		 1 byte
	 socket type		 2 bytes
	 remote port		 2 bytes
	 remote Internet address 4 bytes

       The expanded socket token consists of:

	 token ID		 1 byte
	 socket domain		 2 bytes
	 socket type		 2 bytes
	 local port		 2 bytes
	 address type/length	 2 bytes
	 local port		 2 bytes
	 local Internet address	 4 bytes/16 bytes (IPv4/IPv6 address)
	 remote port		 2 bytes
	 remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)

       The seq token consists of:

	 token ID		 1 byte
	 sequence number	 4 bytes

       The privilege token consists of:

	 token ID		 1 byte
	 text length		 2 bytes
	 privilege set name	 N bytes + 1 terminating NULL byte
	 text length		 2 bytes
	 list of privileges	 N bytes + 1 terminating NULL byte

       The use-of-auth token consists of:

	 token ID		 1 byte
	 text length		 2 bytes
	 authorization(s)	 N bytes + 1 terminating NULL byte

       The use-of-privilege token consists of:

	 token ID		 1 byte
	 succ/fail		 1 byte
	 text length		 2 bytes
	 privilege used		 N bytes + 1 terminating NULL byte

       The command token consists of:

	 token ID		 1 byte
	 count of args		 2 bytes
	 argument list		 (count times)
	 text length		 2 bytes
	 argument text		 N bytes + 1 terminating NULL byte
	 count of env strings	 2 bytes
	 environment list	 (count times)
	 text length		 2 bytes
	 env. text		 N bytes + 1 terminating NULL byte

       The ACL token consists of:

	 token ID		 1 byte
	 type			 4 bytes
	 value			 4 bytes
	 file mode		 4 bytes

       The zonename token consists of:

	 token ID	     1 byte
	 name length	     2 bytes
	 name		     <name length> including terminating NULL byte

       The label token consists of:

	 token ID		 1 byte
	 label ID		 1 byte
	 compartment length	 1 byte
	 classification		 2 bytes
	 compartment words	 <compartment length> * 4 bytes

       The xatom token consists of:

	 token ID		 1 byte
	 string length		 2 bytes
	 atom string		 string length bytes

       The xclient token consists of:

	 token ID		 1 byte
	 client ID		 4 bytes

       The xcolormap token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

       The xcursor token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

       The xfont token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

       The xgc token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

       The xpixmap token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

       The xproperty token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes
	 string length		 2 bytes
	 string			 string length bytes

       The xselect token consists of:

	 token ID		 1 byte
	 property length	 2 bytes
	 property string	 property length bytes
	 prop. type len.	 2 bytes
	 prop type		 prop. type len. bytes
	 data length		 2 bytes
	 window data		 data length bytes

       The xwindow token consists of:

	 token ID		 1 byte
	 XID			 4 bytes
	 creator UID		 4 bytes

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │See below.		   │
       └─────────────────────────────┴─────────────────────────────┘

       The binary file contents is Unstable.

SEE ALSO
       audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2),  au_to(3BSM),
       audit_control(4), audit_syslog(5)

       System Administration Guide: Security Services

NOTES
       Each  token  is generally written using the au_to(3BSM) family of func‐
       tion calls.

SunOS 5.10			  29 May 2009			  audit.log(4)
[top]

List of man pages available for Solaris

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net