authorgww <gww@eng.sun.com>2010-03-11 11:53:26 -0800
committergww <gww@eng.sun.com>2010-03-11 11:53:26 -0800
commit047f6e6f42a3d50d3e38a05c00bf7dd3fafac726 (patch)
treefee27947a3df8160f2f34f1f18c80970af297713
parent46c08a974e0e3e8aa24a730da1270e5b046bda29 (diff)
6914628 Implement the user object audit token PSARC/2010/001 User object audit token
PSARC/2010/001 User object audit token 6580704 passwd gww produces a less optimal audit record.
-rw-r--r--usr/src/cmd/auditrecord/audit_record_attr.txt1
-rw-r--r--usr/src/cmd/auditreduce/auditrd.h1
-rw-r--r--usr/src/cmd/auditreduce/auditrt.h2
-rw-r--r--usr/src/cmd/auditreduce/option.c8
-rw-r--r--usr/src/cmd/auditreduce/token.c24
-rw-r--r--usr/src/cmd/passwd/passwd.c23
-rw-r--r--usr/src/cmd/praudit/praudit.xcl6
-rw-r--r--usr/src/cmd/praudit/token.c24
-rw-r--r--usr/src/cmd/praudit/toktable.c10
-rw-r--r--usr/src/cmd/praudit/toktable.h8
-rw-r--r--usr/src/lib/auditd_plugins/syslog/systoken.c16
-rw-r--r--usr/src/lib/auditd_plugins/syslog/systoken.h2
-rw-r--r--usr/src/lib/libadt_jni/auditxml_jni5
-rw-r--r--usr/src/lib/libbsm/adt_record.dtd.112
-rw-r--r--usr/src/lib/libbsm/adt_record.xsl.111
-rw-r--r--usr/src/lib/libbsm/auditxml5
-rw-r--r--usr/src/lib/libbsm/common/adt.xml15
-rw-r--r--usr/src/lib/libbsm/common/adt_token.c33
-rw-r--r--usr/src/lib/libbsm/common/au_to.c30
-rw-r--r--usr/src/lib/libbsm/common/mapfile-vers1
-rw-r--r--usr/src/uts/common/c2/audit_record.h10
21 files changed, 199 insertions, 48 deletions
diff --git a/usr/src/cmd/auditrecord/audit_record_attr.txt b/usr/src/cmd/auditrecord/audit_record_attr.txt
index d03c712482..6e09e2cd85 100644
--- a/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ b/usr/src/cmd/auditrecord/audit_record_attr.txt
@@ -61,6 +61,7 @@ token=text:text
token=tid:terminal_adr
token=uauth:use_of_authorization
token=upriv:use_of_privilege
+token=user:user_object
token=zone:zonename
token=fmri:service_instance
token=label:mandatory_label
diff --git a/usr/src/cmd/auditreduce/auditrd.h b/usr/src/cmd/auditreduce/auditrd.h
index 7cccc44b0f..8d620e5da5 100644
--- a/usr/src/cmd/auditreduce/auditrd.h
+++ b/usr/src/cmd/auditreduce/auditrd.h
@@ -61,6 +61,7 @@ uid_t obj_owner; /* object owner */
int subj_id; /* subject identifier */
char ipc_type; /* 'o' object type - tell what type of IPC */
scf_pattern_t fmri; /* 'o' fmri value */
+uid_t obj_user; /* 'o' user value */
/*
* File selection options
diff --git a/usr/src/cmd/auditreduce/auditrt.h b/usr/src/cmd/auditreduce/auditrt.h
index 8a72146323..64d186d136 100644
--- a/usr/src/cmd/auditreduce/auditrt.h
+++ b/usr/src/cmd/auditreduce/auditrt.h
@@ -154,6 +154,7 @@ typedef struct audit_pcb audit_pcb_t;
#define OBJ_SHMGROUP 0x08000 /* 'o' shared memory [c]group */
#define OBJ_SHMOWNER 0x10000 /* 'o' shared memory [c]owner */
#define OBJ_FMRI 0x20000 /* 'o' fmri object */
+#define OBJ_USER 0x40000 /* 'o' user object */
#define SOCKFLG_MACHINE 0 /* search socket token by machine name */
#define SOCKFLG_PORT 1 /* search socket token by port number */
@@ -186,6 +187,7 @@ extern uid_t obj_owner; /* object owner */
extern int subj_id; /* subject identifier */
extern char ipc_type; /* 'o' object type - tell what type of IPC */
extern scf_pattern_t fmri; /* 'o' fmri value */
+extern uid_t obj_user; /* 'o' user value */
/*
* File selection options
diff --git a/usr/src/cmd/auditreduce/option.c b/usr/src/cmd/auditreduce/option.c
index 016070238a..aea0b14bd8 100644
--- a/usr/src/cmd/auditreduce/option.c
+++ b/usr/src/cmd/auditreduce/option.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -68,7 +68,8 @@ static obj_ent_t obj_tbl[] = {
{ "shmid", OBJ_SHM },
{ "shmgroup", OBJ_SHMGROUP },
{ "shmowner", OBJ_SHMOWNER },
- { "sock", OBJ_SOCK } };
+ { "sock", OBJ_SOCK },
+ { "user", OBJ_USER } };
extern int derive_date(char *, struct tm *);
extern int parse_time(char *, int);
@@ -413,6 +414,9 @@ proc_object(char *optarg)
case OBJ_FMRI:
return (proc_fmri(obj_val));
/* NOTREACHED */
+ case OBJ_USER:
+ return (proc_user(obj_val, &obj_user));
+ /* NOTREACHED */
case OBJ_LP: /* lp objects have not yet been defined */
default: /* impossible */
(void) sprintf(errbuf, gettext("invalid object type (%s)"),
diff --git a/usr/src/cmd/auditreduce/token.c b/usr/src/cmd/auditreduce/token.c
index c9242ac877..71a0a32a1a 100644
--- a/usr/src/cmd/auditreduce/token.c
+++ b/usr/src/cmd/auditreduce/token.c
@@ -1179,7 +1179,6 @@ process64_ex_token(adr_t *adr)
* Format of System V IPC token:
* System V IPC token id adr_char
* object id adr_int32
- *
*/
int
s5_IPC_token(adr_t *adr)
@@ -1203,7 +1202,6 @@ s5_IPC_token(adr_t *adr)
* socket_type adrm_short
* remote_port adrm_short
* remote_inaddr adrm_int32
- *
*/
int
socket_token(adr_t *adr)
@@ -1805,6 +1803,28 @@ useofauth_token(adr_t *adr)
return (-1);
}
+/*
+ * Format of user token:
+ * user token id adr_char
+ * uid adr_uid
+ * username adr_string
+ */
+int
+user_token(adr_t *adr)
+{
+ uid_t uid;
+
+ adrm_uid(adr, &uid, 1);
+ skip_string(adr);
+
+ if ((flags & M_OBJECT) && (obj_flag == OBJ_USER) &&
+ (uid == obj_user)) {
+ checkflags |= M_OBJECT;
+ }
+
+ return (-1);
+}
+
int
xcolormap_token(adr_t *adr)
{
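Review bot: The header comment on the new `user_token()` gives the wire format but not the selection rule: the username string is skipped and a record is selected only when the uid equals `obj_user`. That matters to anyone reading a reduced trail, because a record whose stored username no longer corresponds to that uid (a renamed account, a reused uid) is still matched purely on the number. I would add a line to the comment such as `* Selection on the 'o' user value compares the uid only; the username is skipped.` No status from `adrm_uid()` or `skip_string()` is examined here, so a truncated token is not detected in this function; the `return (-1)` matches `useofauth_token()` in the context above. The hunk ends inside `xcolormap_token()`, which continues outside it.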
diff --git a/usr/src/cmd/passwd/passwd.c b/usr/src/cmd/passwd/passwd.c
index af733c457b..e155f357f1 100644
--- a/usr/src/cmd/passwd/passwd.c
+++ b/usr/src/cmd/passwd/passwd.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -290,11 +290,13 @@ main(int argc, char *argv[])
(void) fprintf(stderr, gettext(MSG_INFO), prognamep,
usrname);
}
- } else
+ } else {
usrname = argv[optind];
+ }
- if (pam_start("passwd", usrname, &pam_conv, &pamh) != PAM_SUCCESS)
+ if (pam_start("passwd", usrname, &pam_conv, &pamh) != PAM_SUCCESS) {
passwd_exit(NOPERM);
+ }
auth_rep.type = repository.type;
auth_rep.scope = repository.scope;
@@ -375,10 +377,6 @@ main(int argc, char *argv[])
perror("adt_alloc_event");
passwd_exit(NOMEM);
}
- if (argc >= 1) {
- /* save target user */
- event->adt_passwd.username = usrname;
- }
/* Don't check account expiration when invoked by root */
if (ckuid() != SUCCESS) {
@@ -1549,6 +1547,17 @@ passwd_exit(int retcode)
}
/* write password record */
if (event != NULL) {
+ struct passwd *pass;
+
+ if ((pass = getpwnam(usrname)) == NULL) {
+ /* unlikely to ever get here, but ... */
+ event->adt_passwd.username = usrname;
+ } else if (pass->pw_uid != uid) {
+ /* save target user */
+ event->adt_passwd.uid = pass->pw_uid;
+ event->adt_passwd.username = pass->pw_name;
+ }
+
if (adt_put_event(event,
retcode == SUCCESS ? ADT_SUCCESS : ADT_FAILURE,
retcode == SUCCESS ? ADT_SUCCESS : ADT_FAIL_PAM +
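Review bot: In the `getpwnam(usrname) == NULL` branch only `event->adt_passwd.username` is set, so `event->adt_passwd.uid` keeps whatever value the event was allocated with. If that value is zero (the allocation is outside this page), the user token would pair uid 0 with a name that could not be resolved, and the audit record would read as a password operation against root. Setting the uid explicitly in that branch, for example `event->adt_passwd.uid = (uid_t)-1;` or whatever "unknown" uid the audit code expects, keeps the record unambiguous. `pass->pw_name` points into storage owned by `getpwnam()`, so it is valid only while no other getpw* call runs before `adt_put_event()`; a short comment saying so would help. `passwd_exit()` starts and ends outside this hunk.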
diff --git a/usr/src/cmd/praudit/praudit.xcl b/usr/src/cmd/praudit/praudit.xcl
index 6d1f33bc8c..02dccf50f0 100644
--- a/usr/src/cmd/praudit/praudit.xcl
+++ b/usr/src/cmd/praudit/praudit.xcl
@@ -19,11 +19,9 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
msgid ","
msgstr
msgid ""
@@ -289,3 +287,5 @@ msgid "count"
msgstr
msgid "fmri"
msgstr
+msgid "user"
+msgstr
diff --git a/usr/src/cmd/praudit/token.c b/usr/src/cmd/praudit/token.c
index f52291d8d6..e7d56beb9d 100644
--- a/usr/src/cmd/praudit/token.c
+++ b/usr/src/cmd/praudit/token.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -2010,6 +2010,28 @@ useofauth_token(pr_context_t *context)
/*
* -----------------------------------------------------------------------
+ * user_token(): Process user token and display contents
+ * return codes : -1 - error
+ * : 0 - successful
+ * NOTE: At the time of call, the user token id has been retrieved
+ *
+ * Format of user token:
+ * user token id adr_char
+ * user id adr_uid
+ * user name adr_string
+ * -----------------------------------------------------------------------
+ */
+int
+user_token(pr_context_t *context)
+{
+ int returnstat;
+
+ returnstat = process_tag(context, TAG_UID, 0, 0);
+ return (process_tag(context, TAG_USERNAME, returnstat, 1));
+}
+
+/*
+ * -----------------------------------------------------------------------
* zonename_token(): Process zonename token and display contents
* return codes : -1 - error
* : 0 - successful
diff --git a/usr/src/cmd/praudit/toktable.c b/usr/src/cmd/praudit/toktable.c
index cefd302891..ef7f09121e 100644
--- a/usr/src/cmd/praudit/toktable.c
+++ b/usr/src/cmd/praudit/toktable.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* Solaris Audit Token Table.
*/
@@ -108,7 +106,6 @@ init_tokens(void)
table_initx(AUT_SOCKET, "socket", "old_socket",
socket_token, T_ENCLOSED);
table_init(AUT_SEQ, "sequence", sequence_token, T_ENCLOSED);
- table_init(AUT_ZONENAME, "zone", zonename_token, T_ENCLOSED);
/*
* Modifier token types
@@ -131,7 +128,8 @@ init_tokens(void)
table_init(AUT_ATTR32, "attribute", attribute32_token, T_ENCLOSED);
table_initx(AUT_UAUTH, "use of authorization",
"use_of_authorization", useofauth_token, T_ELEMENT);
- table_init(AUT_TID, "tid", tid_token, T_EXTENDED);
+ table_init(AUT_USER, "user", user_token, T_ENCLOSED);
+ table_init(AUT_ZONENAME, "zone", zonename_token, T_ENCLOSED);
/*
* X windows token types
@@ -196,6 +194,7 @@ init_tokens(void)
table_initx(AUT_IN_ADDR_EX, "ip address", "ip_address",
ip_addr_ex_token, T_ELEMENT);
table_init(AUT_SOCKET_EX, "socket", socket_ex_token, T_ENCLOSED);
+ table_init(AUT_TID, "tid", tid_token, T_EXTENDED);
#ifdef _PRAUDIT
/*
@@ -305,5 +304,6 @@ init_tokens(void)
table_init(TAG_ARBCOUNT, "count", NOFUNC, T_ATTRIBUTE);
table_init(TAG_HOSTID, "host", NOFUNC, T_ATTRIBUTE);
+ table_init(TAG_USERNAME, "username", pa_adr_string, T_ATTRIBUTE);
#endif /* _PRAUDIT */
}
diff --git a/usr/src/cmd/praudit/toktable.h b/usr/src/cmd/praudit/toktable.h
index 3ce65c3fdf..128686d1ec 100644
--- a/usr/src/cmd/praudit/toktable.h
+++ b/usr/src/cmd/praudit/toktable.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _TOKTABLE_H
#define _TOKTABLE_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -157,6 +155,7 @@ enum tagnum_t { TAG_INVALID = MAXTOKEN,
TAG_ACEFLAGS, /* with ace token */
TAG_ACETYPE, /* with ace token */
TAG_ACEID, /* with ace token */
+ TAG_USERNAME, /* with user token */
MAXTAG
};
@@ -194,7 +193,6 @@ extern int iport_token();
extern int argument32_token();
extern int socket_token();
extern int sequence_token();
-extern int zonename_token();
/*
* Modifier tokens
@@ -214,6 +212,8 @@ extern int exec_args_token();
extern int exec_env_token();
extern int attribute32_token();
extern int useofauth_token();
+extern int user_token();
+extern int zonename_token();
/*
* X windows tokens
diff --git a/usr/src/lib/auditd_plugins/syslog/systoken.c b/usr/src/lib/auditd_plugins/syslog/systoken.c
index 466887e2d9..d068514675 100644
--- a/usr/src/lib/auditd_plugins/syslog/systoken.c
+++ b/usr/src/lib/auditd_plugins/syslog/systoken.c
@@ -1332,6 +1332,22 @@ useofauth_token(parse_context_t *ctx)
}
/*
+ * Format of user token:
+ * user token id adr_char
+ * uid adr_uid
+ * username adr_string
+ *
+ */
+int
+user_token(parse_context_t *ctx)
+{
+ ctx->adr.adr_now += sizeof (uid_t);
+ skip_bytes(ctx);
+
+ return (0);
+}
+
+/*
* Format of zonename token:
* zonename token id adr_char
* zonename adr_string
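Review bot: `user_token()` advances `ctx->adr.adr_now` by `sizeof (uid_t)` and then calls `skip_bytes(ctx)` with no visible check that the record still holds that many bytes, and it returns 0 unconditionally. If the parse context records where the buffer ends (not visible in this hunk), a truncated or malformed record would move the cursor past it; checking before the advance, or propagating a failure from `skip_bytes()` if it reports one, would let the plugin drop the record instead. A one-line comment that the token is only stepped over would also help, e.g. `/* user token is not reported to syslog; just skip it */`. The empty ` *` line closing the format comment is the kind this same commit removes in auditreduce/token.c.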
diff --git a/usr/src/lib/auditd_plugins/syslog/systoken.h b/usr/src/lib/auditd_plugins/syslog/systoken.h
index d1423ca85e..0d3f1acee4 100644
--- a/usr/src/lib/auditd_plugins/syslog/systoken.h
+++ b/usr/src/lib/auditd_plugins/syslog/systoken.h
@@ -105,6 +105,7 @@ extern void exec_args_token(adr_t *, parse_context_t *);
extern void exec_env_token(adr_t *, parse_context_t *);
extern void attribute32_token(adr_t *, parse_context_t *);
extern void useofauth_token(adr_t *, parse_context_t *);
+extern void user_token(adr_t *, parse_context_t *);
/*
* X windows tokens
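Review bot: The prototype added here, `extern void user_token(adr_t *, parse_context_t *);`, does not match the definition added in systoken.c, which is `int user_token(parse_context_t *ctx)`; the `tid_token` line added in the next hunk uses the same two-argument `void` form. The neighbouring declarations have the same shape and the second hunk shows an `#endif` closing the block, so these lines may be compiled out, but a stale prototype would hide a wrong call if the block is ever enabled. Either declare it as `extern int user_token(parse_context_t *);` or add a comment on the block stating that these prototypes are not in use.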
@@ -157,6 +158,7 @@ extern void subject64_ex_token(adr_t *, parse_context_t *);
extern void process64_ex_token(adr_t *, parse_context_t *);
extern void ip_addr_ex_token(adr_t *, parse_context_t *);
extern void socket_ex_token(adr_t *, parse_context_t *);
+extern void tid_token(adr_t *, parse_context_t *);
#endif
#ifdef __cplusplus
diff --git a/usr/src/lib/libadt_jni/auditxml_jni b/usr/src/lib/libadt_jni/auditxml_jni
index 195a9be3ca..c46b0ae1a4 100644
--- a/usr/src/lib/libadt_jni/auditxml_jni
+++ b/usr/src/lib/libadt_jni/auditxml_jni
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
#
-# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
@@ -787,7 +787,6 @@ sub generateTableC {
'groups' => 'AUT_GROUPS',
# 'header' => 'AUT_HEADER', # not used
'in_addr' => 'AUT_IN_ADDR',
- 'tid' => 'AUT_TID',
'ipc' => 'AUT_IPC',
'ipc_perm' => 'AUT_IPC_PERM',
'iport' => 'AUT_IPORT',
@@ -806,8 +805,10 @@ sub generateTableC {
'socket-inet' => 'AUT_SOCKET_INET',
'subject' => 'AUT_SUBJECT',
'text' => 'AUT_TEXT',
+ 'tid' => 'AUT_TID',
# 'trailer' => 'AUT_TRAILER', # not used
'uauth' => 'AUT_UAUTH',
+ 'user' => 'AUT_USER',
'zonename' => 'AUT_ZONENAME'
);
diff --git a/usr/src/lib/libbsm/adt_record.dtd.1 b/usr/src/lib/libbsm/adt_record.dtd.1
index 271388b3ae..0a40554c03 100644
--- a/usr/src/lib/libbsm/adt_record.dtd.1
+++ b/usr/src/lib/libbsm/adt_record.dtd.1
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2010 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -22,8 +22,6 @@
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
-
- ident "%Z%%M% %I% %E% SMI"
-->
@@ -102,6 +100,7 @@ tokens.
socket |
subject |
text |
+ user |
use_of_authorization |
use_of_privilege |
X_atom |
@@ -158,6 +157,13 @@ first token (which is the record token):
<!-- text token -->
<!ELEMENT text (#PCDATA)>
+<!-- user token -->
+<!ELEMENT user EMPTY>
+<!ATTLIST user
+ uid CDATA #REQUIRED
+ username CDATA #REQUIRED
+>
+
<!-- path token -->
<!ELEMENT path (#PCDATA)>
diff --git a/usr/src/lib/libbsm/adt_record.xsl.1 b/usr/src/lib/libbsm/adt_record.xsl.1
index 122f1f2173..5c19e548b3 100644
--- a/usr/src/lib/libbsm/adt_record.xsl.1
+++ b/usr/src/lib/libbsm/adt_record.xsl.1
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!--
- Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2010 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -22,8 +22,6 @@
information: Portions Copyright [yyyy] [name of copyright owner]
CDDL HEADER END
-
- ident "%Z%%M% %I% %E% SMI"
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
@@ -174,6 +172,13 @@
<I>FMRI: </I> <xsl:value-of select="."/>
</xsl:template>
+<xsl:template match="user">
+ <BR/>
+ <I>USER </I>
+ <I> uid: </I><xsl:value-of select="@uid"/>
+ <I> username: </I><xsl:value-of select="@username"/>
+</xsl:template>
+
<xsl:template match="group">
<BR/>
<I>GROUP </I>
diff --git a/usr/src/lib/libbsm/auditxml b/usr/src/lib/libbsm/auditxml
index ae44223d06..42fbf8bd9d 100644
--- a/usr/src/lib/libbsm/auditxml
+++ b/usr/src/lib/libbsm/auditxml
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
#
-# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
@@ -597,7 +597,6 @@ sub generateTableC {
# 'header' => 'AUT_HEADER', # not defined
'in_peer' => 'ADT_IN_PEER', # dummy token id
'in_remote' => 'ADT_IN_REMOTE', # dummy token id
- 'tid' => 'AUT_TID',
# 'ipc' => 'AUT_IPC', # not defined
# 'ipc_perm' => 'AUT_IPC_PERM', # not defined
'iport' => 'AUT_IPORT',
@@ -616,8 +615,10 @@ sub generateTableC {
# 'socket-inet' => 'AUT_SOCKET_INET',
'subject' => 'AUT_SUBJECT',
'text' => 'AUT_TEXT',
+ 'tid' => 'AUT_TID',
# 'trailer' => 'AUT_TRAILER', # not defined
'uauth' => 'AUT_UAUTH',
+ 'user' => 'AUT_USER',
'zonename' => 'AUT_ZONENAME'
);
diff --git a/usr/src/lib/libbsm/common/adt.xml b/usr/src/lib/libbsm/common/adt.xml
index d03446ba71..dc5bdf47eb 100644
--- a/usr/src/lib/libbsm/common/adt.xml
+++ b/usr/src/lib/libbsm/common/adt.xml
@@ -693,10 +693,10 @@ Use is subject to license terms.
<internal token="subject"/>
<external opt="none"/>
</entry>
- <entry id="username">
- <internal token="text"/>
- <external opt="optional" type="char *"/>
- <comment>username if different than caller</comment>
+ <entry id="uid,username">
+ <internal token="user"/>
+ <external opt="optional" type="uid_t,char *"/>
+ <comment>user if different than caller</comment>
</entry>
<entry id="return">
<internal token="return"/>
@@ -2656,9 +2656,6 @@ Use is subject to license terms.
<!-- pseudo token; path list generates 0 or more path tokens -->
<token id="path_list">
</token>
- <token id="tid">
- </token>
-
<!--
privilege token is implemented as one of the pseudo tokens
priv_limit, priv_effective, or priv_inherit
@@ -2686,8 +2683,12 @@ Use is subject to license terms.
</token>
<token id="text">
</token>
+ <token id="tid">
+ </token>
<token id="uauth">
</token>
+ <token id="user">
+ </token>
<token id="zonename">
</token>
diff --git a/usr/src/lib/libbsm/common/adt_token.c b/usr/src/lib/libbsm/common/adt_token.c
index 79634de3de..cad7c905b6 100644
--- a/usr/src/lib/libbsm/common/adt_token.c
+++ b/usr/src/lib/libbsm/common/adt_token.c
@@ -844,6 +844,36 @@ adt_to_uauth(datadef *def, void *p_data, int required,
}
/*
+ * AUT_USER
+ */
+
+/* ARGSUSED */
+static void
+adt_to_user(datadef *def, void *p_data, int required,
+ struct adt_event_state *event, char *format)
+{
+ uid_t uid;
+ char *username;
+
+ DPRINTF((" adt_to_user dd_datatype=%d\n", def->dd_datatype));
+
+ uid = ((union convert *)p_data)->tuid;
+ p_data = adt_adjust_address(p_data, sizeof (uid_t), sizeof (uid_t));
+
+ username = ((union convert *)p_data)->tcharstar;
+
+ if (username == NULL) {
+ if (required) {
+ username = empty;
+ } else {
+ return;
+ }
+ }
+ DPRINTF((" username=%s\n", username));
+ (void) au_write(event->ae_event_handle, au_to_user(uid, username));
+}
+
+/*
* AUT_ZONENAME
*/
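Review bot: In `adt_to_user()` the call `adt_adjust_address(p_data, sizeof (uid_t), sizeof (uid_t))` passes the size of a `uid_t` as its third argument, although the field read next is a `char *` (`tcharstar`). If that argument is the size the next field is aligned to (the helper is defined outside this page), a 64-bit build would step to a 4-byte boundary and read the username pointer from the wrong offset, so the audit record could carry a bogus name or the caller could fault. I would expect `p_data = adt_adjust_address(p_data, sizeof (uid_t), sizeof (char *));`. Separately, the result of `au_to_user()` goes straight into `au_write()`, and the new au_to.c code returns NULL when `get_token()` fails; whether `au_write()` tolerates NULL is not visible here.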
@@ -993,7 +1023,7 @@ adt_to_iport(datadef *def, void *p_data, int required,
* adt_xlate.h), and the -AUT_PATH value.
*/
-#define MAX_TOKEN_JMP 20
+#define MAX_TOKEN_JMP 21
static struct token_jmp token_table[MAX_TOKEN_JMP] =
{
@@ -1016,6 +1046,7 @@ static struct token_jmp token_table[MAX_TOKEN_JMP] =
{AUT_TEXT, adt_to_text},
{AUT_TID, adt_to_tid},
{AUT_UAUTH, adt_to_uauth},
+ {AUT_USER, adt_to_user},
{AUT_ZONENAME, adt_to_zonename}
};
diff --git a/usr/src/lib/libbsm/common/au_to.c b/usr/src/lib/libbsm/common/au_to.c
index 9ee2dd7b7a..2e77248b4b 100644
--- a/usr/src/lib/libbsm/common/au_to.c
+++ b/usr/src/lib/libbsm/common/au_to.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1211,6 +1211,34 @@ au_to_upriv(char sorf, char *priv)
}
/*
+ * au_to_user
+ * return s:
+ * pointer to a user token.
+ */
+token_t *
+au_to_user(uid_t uid, char *username)
+{
+ token_t *token; /* local token */
+ adr_t adr; /* adr memory stream header */
+ char data_header = AUT_USER; /* header for this token */
+ short bytes; /* length of string */
+
+ bytes = (short)strlen(username) + 1;
+
+ token = get_token(sizeof (char) + sizeof (uid_t) + sizeof (short) +
+ bytes);
+ if (token == NULL)
+ return (NULL);
+ adr_start(&adr, token->tt_data);
+ adr_char(&adr, &data_header, 1);
+ adr_uid(&adr, &uid, 1);
+ adr_short(&adr, &bytes, 1);
+ adr_char(&adr, username, bytes);
+
+ return (token);
+}
+
+/*
* au_to_xatom
* return s:
* pointer to a xatom token.
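Review bot: `bytes = (short)strlen(username) + 1;` narrows the length to a `short` before it sizes the token and drives the copy, so a name of 32767 bytes or more yields a wrapped or negative count, and a NULL `username` reaches `strlen()` directly. `adt_to_user()` substitutes an empty string for NULL, but `au_to_user` is also exported through mapfile-vers, so other callers are not covered by that. A guard ahead of the length computation, e.g. `if (username == NULL || strlen(username) >= SHRT_MAX) return (NULL);`, keeps the length field and the copied bytes consistent. The block comment could also state that NULL is returned when `get_token()` fails.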
diff --git a/usr/src/lib/libbsm/common/mapfile-vers b/usr/src/lib/libbsm/common/mapfile-vers
index 2bc79acfd3..bf8dda1a43 100644
--- a/usr/src/lib/libbsm/common/mapfile-vers
+++ b/usr/src/lib/libbsm/common/mapfile-vers
@@ -276,6 +276,7 @@ SUNWprivate_1.1 {
au_to_trailer;
au_to_uauth;
au_to_upriv;
+ au_to_user;
au_to_xatom;
au_to_xcolormap;
au_to_xclient;
diff --git a/usr/src/uts/common/c2/audit_record.h b/usr/src/uts/common/c2/audit_record.h
index f8818c4b63..2567e3e274 100644
--- a/usr/src/uts/common/c2/audit_record.h
+++ b/usr/src/uts/common/c2/audit_record.h
@@ -98,7 +98,8 @@ extern "C" {
#define AUT_ARG32 AUT_ARG
#define AUT_SOCKET ((char)0x2E)
#define AUT_SEQ ((char)0x2F)
-#define AUT_TID ((char)0x61)
+#define AUT_USER ((char)0x36) /* out of order */
+#define AUT_TID ((char)0x61) /* out of order */
/*
* Modifier token types
@@ -110,9 +111,7 @@ extern "C" {
#define AUT_LABEL ((char)0x33)
#define AUT_GROUPS ((char)0x34)
#define AUT_ACE ((char)0x35)
-/*
- * 0x36, 0x37 unused
- */
+ /* 0x37 unused */
#define AUT_PRIV ((char)0x38)
#define AUT_UPRIV ((char)0x39)
#define AUT_LIAISON ((char)0x3A)
@@ -121,7 +120,7 @@ extern "C" {
#define AUT_EXEC_ENV ((char)0x3D)
#define AUT_ATTR32 ((char)0x3E)
#define AUT_UAUTH ((char)0x3F)
-#define AUT_ZONENAME ((char)0x60)
+#define AUT_ZONENAME ((char)0x60) /* out of order */
/*
* X windows token types
@@ -430,6 +429,7 @@ extern token_t *au_to_tid(au_generic_tid_t *);
extern token_t *au_to_trailer(void);
extern token_t *au_to_uauth(char *);
extern token_t *au_to_upriv(char, char *);
+extern token_t *au_to_user(uid_t, char *);
extern token_t *au_to_xatom(char *);
extern token_t *au_to_xselect(char *, char *, char *);
extern token_t *au_to_xcolormap(int32_t, uid_t);