diff options
Diffstat (limited to 'usr/src/man/man4/audit.log.4')
| -rw-r--r-- | usr/src/man/man4/audit.log.4 | 795 |
1 files changed, 0 insertions, 795 deletions
diff --git a/usr/src/man/man4/audit.log.4 b/usr/src/man/man4/audit.log.4 deleted file mode 100644 index 44c9b17e9c..0000000000 --- a/usr/src/man/man4/audit.log.4 +++ /dev/null @@ -1,795 +0,0 @@ -'\" te -.\" Copyright (c) 2017 Peter Tribble -.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved -.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. -.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with -.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH AUDIT.LOG 4 "Mar 6, 2017" -.SH NAME -audit.log \- audit trail file -.SH SYNOPSIS -.LP -.nf -\fB#include <bsm/audit.h>\fR -.fi - -.LP -.nf -\fB#include <bsm/audit_record.h>\fR -.fi - -.SH DESCRIPTION -.LP -\fBaudit.log\fR files are the depository for audit records stored locally or on -an NFS-mounted audit server. These files are kept in directories as specified -by the \fBp_dir\fR attribute of the \fBaudit_binfile\fR(5) plugin. They are -named to reflect the time they are created and are, when possible, renamed to -reflect the time they are closed as well. The name takes the form -.sp -.LP -\fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR -.sp -.LP -when open or if \fBauditd\fR(1M) terminated ungracefully, and the form -.sp -.LP -\fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR -.sp -.LP -when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day -in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and -\fBss\fR second in the minute. All fields are of fixed width. -.sp -.LP -Audit data is generated in the binary format described below; the default for -audit is binary format. See \fBaudit_syslog\fR(5) for an alternate data -format. -.sp -.LP -The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and -typically ends with one also. The beginning \fBfile token\fR records the -pathname of the previous audit file, while the ending \fBfile token\fR records -the pathname of the next audit file. If the file name is \fBNULL\fR the -appropriate path was unavailable. -.sp -.LP -The \fBaudit.log\fR files contains audit records. Each audit record is made up -of \fIaudit tokens\fR. Each record contains a header token followed by various -data tokens. Depending on the audit policy in place by \fBauditon\fR(2), -optional other tokens such as trailers or sequences may be included. -.sp -.LP -The tokens are defined as follows: -.sp -.LP -The \fBfile\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -seconds of time 4 bytes -microseconds of time 4 bytes -file name length 2 bytes -file pathname N bytes + 1 terminating NULL byte -.fi -.in -2 -.sp - -.sp -.LP -The \fBheader\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -record byte count 4 bytes -version # 1 byte [2] -event type 2 bytes -event modifier 2 bytes -seconds of time 4 bytes/8 bytes (32-bit/64-bit value) -nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value) -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBheader\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -record byte count 4 bytes -version # 1 byte [2] -event type 2 bytes -event modifier 2 bytes -address type/length 1 byte -machine address 4 bytes/16 bytes (IPv4/IPv6 address) -seconds of time 4 bytes/8 bytes (32/64-bits) -nanoseconds of time 4 bytes/8 bytes (32/64-bits) -.fi -.in -2 -.sp - -.sp -.LP -The \fBtrailer\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -trailer magic number 2 bytes -record byte count 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBarbitrary\fR \fBdata\fR token is defined: -.sp -.in +2 -.nf -token ID 1 byte -how to print 1 byte -basic unit 1 byte -unit count 1 byte -data items (depends on basic unit) -.fi -.in -2 -.sp - -.sp -.LP -The \fBin_addr\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -IP address type/length 1 byte -IP address 4 bytes/16 bytes (IPv4/IPv6 address) -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBin_addr\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -IP address type/length 4 bytes/16 bytes (IPv4/IPv6 address) -IP address 16 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBip\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -version and ihl 1 byte -type of service 1 byte -length 2 bytes -id 2 bytes -offset 2 bytes -ttl 1 byte -protocol 1 byte -checksum 2 bytes -source address 4 bytes -destination address 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBip\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -version and ihl 1 byte -type of service 1 byte -length 2 bytes -id 2 bytes -offset 2 bytes -ttl 1 byte -protocol 1 byte -checksum 2 bytes -address type/type 1 byte -source address 4 bytes/16 bytes (IPv4/IPv6 address) -address type/length 1 byte -destination address 4 bytes/16 bytes (IPv4/IPv6 address) -.fi -.in -2 -.sp - -.sp -.LP -The \fBiport\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -port IP address 2 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBpath\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -path length 2 bytes -path N bytes + 1 terminating NULL byte -.fi -.in -2 -.sp - -.sp -.LP -The \fBpath_attr\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -count 4 bytes -path \fIcount\fR null-terminated string(s) -.fi -.in -2 -.sp - -.sp -.LP -The \fBprocess\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -audit ID 4 bytes -effective user ID 4 bytes -effective group ID 4 bytes -real user ID 4 bytes -real group ID 4 bytes -process ID 4 bytes -session ID 4 bytes -terminal ID - port ID 4 bytes/8 bytes (32-bit/64-bit value) - machine address 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBprocess\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -audit ID 4 bytes -effective user ID 4 bytes -effective group ID 4 bytes -real user ID 4 bytes -real group ID 4 bytes -process ID 4 bytes -session ID 4 bytes -terminal ID - port ID 4 bytes/8 bytes (32-bit/64-bit value) - address type/length 1 byte - machine address 4 bytes/16 bytes (IPv4/IPv6 address) -.fi -.in -2 -.sp - -.sp -.LP -The \fBreturn\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -error number 1 byte -return value 4 bytes/8 bytes (32-bit/64-bit value) -.fi -.in -2 -.sp - -.sp -.LP -The \fBsubject\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -audit ID 4 bytes -effective user ID 4 bytes -effective group ID 4 bytes -real user ID 4 bytes -real group ID 4 bytes -process ID 4 bytes -session ID 4 bytes -terminal ID - port ID 4 bytes/8 bytes (32-bit/64-bit value) - machine address 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBsubject\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -audit ID 4 bytes -effective user ID 4 bytes -effective group ID 4 bytes -real user ID 4 bytes -real group ID 4 bytes -process ID 4 bytes -session ID 4 bytes -terminal ID - port ID 4 bytes/8 bytes (32-bit/64-bit value) - address type/length 1 byte - machine address 4 bytes/16 bytes (IPv4/IPv6 address) -.fi -.in -2 -.sp - -.sp -.LP -The \fBSystem V IPC\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -object ID type 1 byte -object ID 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBtext\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -text length 2 bytes -text N bytes + 1 terminating NULL byte -.fi -.in -2 -.sp - -.sp -.LP -The \fBattribute\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -file access mode 4 bytes -owner user ID 4 bytes -owner group ID 4 bytes -file system ID 4 bytes -node ID 8 bytes -device 4 bytes/8 bytes (32-bit/64-bit) -.fi -.in -2 -.sp - -.sp -.LP -The \fBgroups\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -number groups 2 bytes -group list N * 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBSystem V IPC permission\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -owner user ID 4 bytes -owner group ID 4 bytes -creator user ID 4 bytes -creator group ID 4 bytes -access mode 4 bytes -slot sequence # 4 bytes -key 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBarg\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -argument # 1 byte -argument value 4 bytes/8 bytes (32-bit/64-bit value) -text length 2 bytes -text N bytes + 1 terminating NULL byte -.fi -.in -2 -.sp - -.sp -.LP -The \fBexec_args\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -count 4 bytes -text \fIcount\fR null-terminated string(s) -.fi -.in -2 -.sp - -.sp -.LP -The \fBexec_env\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -count 4 bytes -text \fIcount\fR null-terminated string(s) -.fi -.in -2 -.sp - -.sp -.LP -The \fBexit\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -status 4 bytes -return value 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBsocket\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -socket type 2 bytes -remote port 2 bytes -remote Internet address 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The expanded \fBsocket\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -socket domain 2 bytes -socket type 2 bytes -local port 2 bytes -address type/length 2 bytes -local port 2 bytes -local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) -remote port 2 bytes -remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) -.fi -.in -2 -.sp - -.sp -.LP -The \fBseq\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -sequence number 4 bytes -.fi -.in -2 -.sp - -.sp -.LP -The \fBprivilege\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -text length 2 bytes -privilege set name N bytes + 1 terminating NULL byte -text length 2 bytes -list of privileges N bytes + 1 terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBuse-of-auth\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -text length 2 bytes -authorization(s) N bytes + 1 terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBuse-of-privilege\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -succ/fail 1 byte -text length 2 bytes -privilege used N bytes + 1 terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBcommand\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -count of args 2 bytes -argument list (count times) -text length 2 bytes -argument text N bytes + 1 terminating NULL byte -count of env strings 2 bytes -environment list (count times) -text length 2 bytes -env. text N bytes + 1 terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBACL\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -type 4 bytes -value 4 bytes -file mode 4 bytes -.fi -.in -2 - -.sp -.LP -The ACE token consists of: -.sp -.in +2 -.nf -token ID 1 byte -who 4 bytes -access_mask 4 bytes -flags 2 bytes -type 2 bytes -.fi -.in -2 - -.sp -.LP -The \fBzonename\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -name length 2 bytes -name \fI<name length>\fR including terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBfmri\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -fmri length 2 bytes -fmri \fI<fmri length>\fR including terminating NULL byte -.fi -.in -2 - -.sp -.LP -The \fBlabel\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -label ID 1 byte -compartment length 1 byte -classification 2 bytes -compartment words \fI<compartment length>\fR * 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxatom\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -string length 2 bytes -atom string \fIstring length\fR bytes -.fi -.in -2 - -.sp -.LP -The \fBxclient\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -client ID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxcolormap\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxcursor\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxfont\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxgc\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxpixmap\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.sp -.LP -The \fBxproperty\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -string length 2 bytes -string \fIstring length\fR bytes -.fi -.in -2 - -.sp -.LP -The \fBxselect\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -property length 2 bytes -property string \fIproperty length\fR bytes -prop. type len. 2 bytes -prop type \fIprop. type len.\fR bytes -data length 2 bytes -window data \fIdata length\fR bytes -.fi -.in -2 - -.sp -.LP -The \fBxwindow\fR token consists of: -.sp -.in +2 -.nf -token ID 1 byte -XID 4 bytes -creator UID 4 bytes -.fi -.in -2 - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability See below. -.TE - -.sp -.LP -The binary file format is Committed. The binary file contents is Uncommitted. -.SH SEE ALSO -.LP -\fBaudit\fR(1M), \fBauditd\fR(1M), \fBaudit\fR(2), -\fBauditon\fR(2), \fBau_to\fR(3BSM), -\fBaudit_binfile\fR(5), \fBaudit_remote\fR(5), \fBaudit_syslog\fR(5) -.SH NOTES -.LP -Each token is generally written using the \fBau_to\fR(3BSM) family of function -calls. |