summaryrefslogtreecommitdiff
path: root/usr/src/man/man4/audit.log.4
diff options
context:
space:
mode:
Diffstat (limited to 'usr/src/man/man4/audit.log.4')
-rw-r--r--usr/src/man/man4/audit.log.4803
1 files changed, 803 insertions, 0 deletions
diff --git a/usr/src/man/man4/audit.log.4 b/usr/src/man/man4/audit.log.4
new file mode 100644
index 0000000000..82ee0a0a05
--- /dev/null
+++ b/usr/src/man/man4/audit.log.4
@@ -0,0 +1,803 @@
+'\" te
+.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
+.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
+.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH audit.log 4 "29 May 2009" "SunOS 5.11" "File Formats"
+.SH NAME
+audit.log \- audit trail file
+.SH SYNOPSIS
+.LP
+.nf
+\fB#include <bsm/audit.h>\fR
+.fi
+
+.LP
+.nf
+\fB#include <bsm/audit_record.h>\fR
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+\fBaudit.log\fR files are the depository for audit records stored locally or on
+an on an NFS-mounted audit server. These files are kept in directories named in
+the file \fBaudit_control\fR(4) using the \fBdir\fR option. They are named to
+reflect the time they are created and are, when possible, renamed to reflect
+the time they are closed as well. The name takes the form
+.sp
+.LP
+\fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR
+.sp
+.LP
+when open or if the \fBauditd\fR(1M) terminated ungracefully, and the form
+.sp
+.LP
+\fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR
+.sp
+.LP
+when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day
+in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and
+\fBss\fR second in the minute. All fields are of fixed width.
+.sp
+.LP
+Audit data is generated in the binary format described below; the default for
+Solaris audit is binary format. See \fBaudit_syslog\fR(5) for an alternate data
+format.
+.sp
+.LP
+The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and
+typically ends with one also. The beginning \fBfile token\fR records the
+pathname of the previous audit file, while the ending \fBfile token\fR records
+the pathname of the next audit file. If the file name is \fBNULL\fR the
+appropriate path was unavailable.
+.sp
+.LP
+The \fBaudit.log\fR files contains audit records. Each audit record is made up
+of \fIaudit tokens\fR. Each record contains a header token followed by various
+data tokens. Depending on the audit policy in place by \fBauditon\fR(2),
+optional other tokens such as trailers or sequences may be included.
+.sp
+.LP
+The tokens are defined as follows:
+.sp
+.LP
+The \fBfile\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+seconds of time 4 bytes
+microseconds of time 4 bytes
+file name length 2 bytes
+file pathname N bytes + 1 terminating NULL byte
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBheader\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+record byte count 4 bytes
+version # 1 byte [2]
+event type 2 bytes
+event modifier 2 bytes
+seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBheader\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+record byte count 4 bytes
+version # 1 byte [2]
+event type 2 bytes
+event modifier 2 bytes
+address type/length 1 byte
+machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+seconds of time 4 bytes/8 bytes (32/64-bits)
+nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBtrailer\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+trailer magic number 2 bytes
+record byte count 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBarbitrary\fR \fBdata\fR token is defined:
+.sp
+.in +2
+.nf
+token ID 1 byte
+how to print 1 byte
+basic unit 1 byte
+unit count 1 byte
+data items (depends on basic unit)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBin_addr\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+IP address type/length 1 byte
+IP address 4 bytes/16 bytes (IPv4/IPv6 address)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBin_addr\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+IP address type/length 4 bytes/16 bytes (IPv4/IPv6 address)
+IP address 16 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBip\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+version and ihl 1 byte
+type of service 1 byte
+length 2 bytes
+id 2 bytes
+offset 2 bytes
+ttl 1 byte
+protocol 1 byte
+checksum 2 bytes
+source address 4 bytes
+destination address 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBip\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+version and ihl 1 byte
+type of service 1 byte
+length 2 bytes
+id 2 bytes
+offset 2 bytes
+ttl 1 byte
+protocol 1 byte
+checksum 2 bytes
+address type/type 1 byte
+source address 4 bytes/16 bytes (IPv4/IPv6 address)
+address type/length 1 byte
+destination address 4 bytes/16 bytes (IPv4/IPv6 address)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBiport\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+port IP address 2 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBpath\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+path length 2 bytes
+path N bytes + 1 terminating NULL byte
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBpath_attr\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+count 4 bytes
+path \fIcount\fR null-terminated string(s)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBprocess\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+audit ID 4 bytes
+effective user ID 4 bytes
+effective group ID 4 bytes
+real user ID 4 bytes
+real group ID 4 bytes
+process ID 4 bytes
+session ID 4 bytes
+terminal ID
+ port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ machine address 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBprocess\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+audit ID 4 bytes
+effective user ID 4 bytes
+effective group ID 4 bytes
+real user ID 4 bytes
+real group ID 4 bytes
+process ID 4 bytes
+session ID 4 bytes
+terminal ID
+ port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ address type/length 1 byte
+ machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBreturn\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+error number 1 byte
+return value 4 bytes/8 bytes (32-bit/64-bit value)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBsubject\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+audit ID 4 bytes
+effective user ID 4 bytes
+effective group ID 4 bytes
+real user ID 4 bytes
+real group ID 4 bytes
+process ID 4 bytes
+session ID 4 bytes
+terminal ID
+ port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ machine address 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBsubject\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+audit ID 4 bytes
+effective user ID 4 bytes
+effective group ID 4 bytes
+real user ID 4 bytes
+real group ID 4 bytes
+process ID 4 bytes
+session ID 4 bytes
+terminal ID
+ port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ address type/length 1 byte
+ machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBSystem V IPC\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+object ID type 1 byte
+object ID 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBtext\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+text length 2 bytes
+text N bytes + 1 terminating NULL byte
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBattribute\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+file access mode 4 bytes
+owner user ID 4 bytes
+owner group ID 4 bytes
+file system ID 4 bytes
+node ID 8 bytes
+device 4 bytes/8 bytes (32-bit/64-bit)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBgroups\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+number groups 2 bytes
+group list N * 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBSystem V IPC permission\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+owner user ID 4 bytes
+owner group ID 4 bytes
+creator user ID 4 bytes
+creator group ID 4 bytes
+access mode 4 bytes
+slot sequence # 4 bytes
+key 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBarg\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+argument # 1 byte
+argument value 4 bytes/8 bytes (32-bit/64-bit value)
+text length 2 bytes
+text N bytes + 1 terminating NULL byte
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBexec_args\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+count 4 bytes
+text \fIcount\fR null-terminated string(s)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBexec_env\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+count 4 bytes
+text \fIcount\fR null-terminated string(s)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBexit\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+status 4 bytes
+return value 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBsocket\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+socket type 2 bytes
+remote port 2 bytes
+remote Internet address 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The expanded \fBsocket\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+socket domain 2 bytes
+socket type 2 bytes
+local port 2 bytes
+address type/length 2 bytes
+local port 2 bytes
+local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+remote port 2 bytes
+remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBseq\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+sequence number 4 bytes
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The \fBprivilege\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+text length 2 bytes
+privilege set name N bytes + 1 terminating NULL byte
+text length 2 bytes
+list of privileges N bytes + 1 terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBuse-of-auth\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+text length 2 bytes
+authorization(s) N bytes + 1 terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBuse-of-privilege\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+succ/fail 1 byte
+text length 2 bytes
+privilege used N bytes + 1 terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBcommand\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+count of args 2 bytes
+argument list (count times)
+text length 2 bytes
+argument text N bytes + 1 terminating NULL byte
+count of env strings 2 bytes
+environment list (count times)
+text length 2 bytes
+env. text N bytes + 1 terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBACL\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+type 4 bytes
+value 4 bytes
+file mode 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The ACE token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+who 4 bytes
+access_mask 4 bytes
+flags 2 bytes
+type 2 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBzonename\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+name length 2 bytes
+name \fI<name length>\fR including terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBfmri\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+fmri length 2 bytes
+fmri \fI<fmri length>\fR including terminating NULL byte
+.fi
+.in -2
+
+.sp
+.LP
+The \fBlabel\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+label ID 1 byte
+compartment length 1 byte
+classification 2 bytes
+compartment words \fI<compartment length>\fR * 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxatom\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+string length 2 bytes
+atom string \fIstring length\fR bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxclient\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+client ID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxcolormap\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxcursor\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxfont\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxgc\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxpixmap\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxproperty\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+string length 2 bytes
+string \fIstring length\fR bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxselect\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+property length 2 bytes
+property string \fIproperty length\fR bytes
+prop. type len. 2 bytes
+prop type \fIprop. type len.\fR bytes
+data length 2 bytes
+window data \fIdata length\fR bytes
+.fi
+.in -2
+
+.sp
+.LP
+The \fBxwindow\fR token consists of:
+.sp
+.in +2
+.nf
+token ID 1 byte
+XID 4 bytes
+creator UID 4 bytes
+.fi
+.in -2
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilitySee below.
+.TE
+
+.sp
+.LP
+The binary file format is Committed. The binary file contents is Uncommitted.
+.SH SEE ALSO
+.sp
+.LP
+\fBaudit\fR(1M), \fBauditd\fR(1M), \fBbsmconv\fR(1M), \fBaudit\fR(2),
+\fBauditon\fR(2), \fBau_to\fR(3BSM), \fBaudit_control\fR(4),
+\fBaudit_syslog\fR(5)
+.sp
+.LP
+Part\ VII, \fISolaris Auditing,\fR in \fISystem Administration Guide: Security
+Services\fR
+.SH NOTES
+.sp
+.LP
+Each token is generally written using the \fBau_to\fR(3BSM) family of function
+calls.
generated by cgit v1.2.3 (git 2.46.0) at 2025-11-02 10:23:11 +0000