
FreeBSD Manual Pages

audit.log(4)			 File Formats			  audit.log(4)

NAME
       audit.log - audit trail file

SYNOPSIS
       #include	<bsm/audit.h>

       #include	<bsm/audit_record.h>

DESCRIPTION
       audit.log files are the repository for audit records stored locally or
       on an NFS-mounted audit server. These files are kept in directories
       named in the file audit_control(4) using the dir option. They are named
       to reflect the time they are created and are, when possible, renamed to
       reflect the time they are closed as well. The name takes the form

	      yyyymmddhhmmss.not_terminated.hostname

       when open or if auditd(1M) terminated ungracefully, and the form

	      yyyymmddhhmmss.yyyymmddhhmmss.hostname

       when properly closed. yyyy is the year, mm the month,  dd  day  in  the
       month,  hh hour in the day, mm minute in	the hour, and ss second	in the
       minute. All fields are of fixed width.
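The naming rule above is what a log collector has to recognise, and the not_terminated form is the one that matters operationally: only the trail currently being written should carry it, so any older file still in that form is a trail that auditd(1M) never closed. The following Python is an added example, not code from audit.log(4) or from any Solaris tool. It parses both name forms and lists the stale open trails. The directory listing is constructed, and the hostname is taken as everything after the second dot because hostnames may themselves contain dots (an assumption).

```python
"""Classify audit.log(4) trail file names and spot trails that were never closed.

Added example, not code from the audit.log(4) page or from Solaris.
"""
import re
from datetime import datetime

# yyyymmddhhmmss.(yyyymmddhhmmss|not_terminated).hostname; the hostname is
# taken as everything after the second dot since it may itself contain dots.
NAME_RE = re.compile(r"^(\d{14})\.(?:(\d{14})|not_terminated)\.(?P<host>.+)$")


def parse_audit_name(name):
    """Return opened/closed times, host and state for a trail name, or None."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    opened = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    closed = datetime.strptime(m.group(2), "%Y%m%d%H%M%S") if m.group(2) else None
    return {
        "opened": opened,
        "closed": closed,
        "host": m.group("host"),
        "terminated": closed is not None,
        "seconds_open": (closed - opened).total_seconds() if closed else None,
    }


def stale_open_trails(names):
    """Names still in the not_terminated form other than the newest one.

    Only the trail currently being written should be open; any older one is
    what an ungraceful auditd(1M) exit leaves behind and may be truncated.
    """
    open_trails = []
    for n in names:
        info = parse_audit_name(n)
        if info is not None and not info["terminated"]:
            open_trails.append((info["opened"], n))
    open_trails.sort()
    return [n for _, n in open_trails[:-1]]


# Constructed directory listing, not taken from a real audit server.
SAMPLE_DIR = [
    "20040105230000.20040106000000.ns1.example.com",
    "20040106000000.not_terminated.ns1.example.com",  # left by a crash
    "20040106080000.not_terminated.ns1.example.com",  # trail currently open
    "audit_data",                                     # not a trail file
]

if __name__ == "__main__":
    print(stale_open_trails(SAMPLE_DIR))
```

A stale open trail is worth treating as possibly truncated: its last record may end mid-token, so a reader should verify record byte counts and trailers rather than trust them.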

       Audit data is generated in the binary format described below;  the  de-
       fault  for  Solaris  audit is binary format. See	audit_syslog(5)	for an
       alternate data format.

       The audit.log file begins with a	standalone file	 token	and  typically
       ends  with  one	also. The beginning file token records the pathname of
       the previous audit file,	while the ending file token records the	 path-
       name  of	 the next audit	file. If the file name is NULL the appropriate
       path was	unavailable.

       The audit.log files contain audit records. Each audit record is made up
       of audit tokens. Each record contains a header token followed by various
       data tokens. Depending on the audit policy set by auditon(2), optional
       other tokens such as trailers or sequences may be included.

       The tokens are defined as follows:

       The file	token consists of:

       token ID		       1 byte
       seconds of time	       4 bytes
       microseconds of time    4 bytes
       file name length	       2 bytes
       file pathname	       N bytes + 1 terminating NULL byte

       The header token	consists of:

       token ID		       1 byte
       record byte count       4 bytes
       version #	       1 byte	 [2]
       event type	       2 bytes
       event modifier	       2 bytes
       seconds of time	       4 bytes/8 bytes (32-bit/64-bit value)
       nanoseconds of time     4 bytes/8 bytes (32-bit/64-bit value)

       The expanded header token consists of:

       token ID		       1 byte
       record byte count       4 bytes
       version #	       1 byte	  [2]
       event type	       2 bytes
       event modifier	       2 bytes
       address type/length     1 byte
       machine address	       4 bytes/16 bytes	(IPv4/IPv6 address)
       seconds of time	       4 bytes/8 bytes	(32/64-bits)
       nanoseconds of time     4 bytes/8 bytes	(32/64-bits)

       The trailer token consists of:

       token ID		       1 byte
       trailer magic number    2 bytes
       record byte count       4 bytes

       The  arbitrary data token is defined:

       token ID		       1 byte
       how to print	       1 byte
       basic unit	       1 byte
       unit count	       1 byte
       data items	       (depends	on basic unit)

       The in_addr token consists of:

       token ID		       1 byte
       IP address type/length  1 byte
       IP address	 4 bytes/16 bytes (IPv4/IPv6 address)

       The expanded in_addr token consists of:

       token ID		       1 byte
       IP address type/length  4 bytes
       IP address	      16 bytes

       The ip token consists of:

       token ID		       1 byte
       version and ihl	       1 byte
       type of service	       1 byte
       length		       2 bytes
       id		       2 bytes
       offset		       2 bytes
       ttl		       1 byte
       protocol		       1 byte
       checksum		       2 bytes
       source address	       4 bytes
       destination address     4 bytes

       The expanded ip token consists of:

       token ID		       1 byte
       version and ihl	       1 byte
       type of service	       1 byte
       length		       2 bytes
       id		       2 bytes
       offset		       2 bytes
       ttl		       1 byte
       protocol		       1 byte
       checksum		       2 bytes
       address type/length     1 byte
       source address	       4 bytes/16 bytes	(IPv4/IPv6 address)
       address type/length     1 byte
       destination address     4 bytes/16 bytes	(IPv4/IPv6 address)

       The iport token consists	of:

       token ID		       1 byte
       port IP address	       2 bytes

       The path	token consists of:

       token ID		       1 byte
       path length	       2 bytes
       path		       N bytes + 1 terminating NULL byte

       The path_attr token consists of:

       token ID		       1 byte
       count		       4 bytes
       path		       count null-terminated string(s)

       The process token consists of:

       token ID		       1 byte
       audit ID		       4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID	       4 bytes
       real group ID	       4 bytes
       process ID	       4 bytes
       session ID	       4 bytes
       terminal	ID
	 port ID	       4 bytes/8 bytes (32-bit/64-bit value)
	 machine address       4 bytes

       The expanded process token consists of:

       token ID		       1 byte
       audit ID		       4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID	       4 bytes
       real group ID	       4 bytes
       process ID	       4 bytes
       session ID	       4 bytes
       terminal	ID
	 port ID	       4 bytes/8 bytes (32-bit/64-bit value)
	 address type/length   1 byte
	 machine address       4 bytes/16 bytes	(IPv4/IPv6 address)

       The return token	consists of:

       token ID		       1 byte
       error number	       1 byte
       return value	       4 bytes/8 bytes (32-bit/64-bit value)

       The subject token consists of:

       token ID		       1 byte
       audit ID		       4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID	       4 bytes
       real group ID	       4 bytes
       process ID	       4 bytes
       session ID	       4 bytes
       terminal	ID
	 port ID	       4 bytes/8 bytes (32-bit/64-bit value)
	 machine address       4 bytes

       The expanded subject token consists of:

       token ID		       1 byte
       audit ID		       4 bytes
       effective user ID       4 bytes
       effective group ID      4 bytes
       real user ID	       4 bytes
       real group ID	       4 bytes
       process ID	       4 bytes
       session ID	       4 bytes
       terminal	ID
	 port ID	       4 bytes/8 bytes (32-bit/64-bit value)
	 address type/length   1 byte
	 machine address       4 bytes/16 bytes	(IPv4/IPv6 address)

       The System V IPC	token consists of:

       token ID		       1 byte
       object ID type	       1 byte
       object ID	       4 bytes

       The text	token consists of:

       token ID		       1 byte
       text length	       2 bytes
       text		       N bytes + 1 terminating NULL byte

       The attribute token consists of:

       token ID		       1 byte
       file access mode	       4 bytes
       owner user ID	       4 bytes
       owner group ID	       4 bytes
       file system ID	       4 bytes
       node ID		       8 bytes
       device		       4 bytes/8 bytes (32-bit/64-bit)

       The groups token	consists of:

       token ID		       1 byte
       number groups	       2 bytes
       group list	       N * 4 bytes

       The System V IPC	permission token consists of:

       token ID		       1 byte
       owner user ID	       4 bytes
       owner group ID	       4 bytes
       creator user ID	       4 bytes
       creator group ID	       4 bytes
       access mode	       4 bytes
       slot sequence #	       4 bytes
       key		       4 bytes

       The arg token consists of:

       token ID		       1 byte
       argument	#	       1 byte
       argument	value	       4 bytes/8 bytes (32-bit/64-bit value)
       text length	       2 bytes
       text		       N bytes + 1 terminating NULL byte

       The exec_args token consists of:

       token ID		       1 byte
       count		       4 bytes
       text		       count null-terminated string(s)

       The exec_env token consists of:

       token ID		       1 byte
       count		       4 bytes
       text		       count null-terminated string(s)

       The exit	token consists of:

       token ID		       1 byte
       status		       4 bytes
       return value	       4 bytes

       The socket token	consists of:

       token ID		       1 byte
       socket type	       2 bytes
       remote port	       2 bytes
       remote Internet address 4 bytes

       The expanded socket token consists of:

       token ID		       1 byte
       socket domain	       2 bytes
       socket type	       2 bytes
       address type/length     2 bytes
       local port	       2 bytes
       local Internet address  4 bytes/16 bytes	(IPv4/IPv6 address)
       remote port	       2 bytes
       remote Internet address 4 bytes/16 bytes	(IPv4/IPv6 address)

       The seq token consists of:

       token ID		       1 byte
       sequence	number	       4 bytes

       The privilege token consists of:

       token ID		       1 byte
       text length	       2 bytes
       privilege set name      N bytes + 1 terminating NULL byte
       text length	       2 bytes
       list of privileges      N bytes + 1 terminating NULL byte

       The use-of-auth token consists of:

       token ID		       1 byte
       text length	       2 bytes
       authorization(s)	       N bytes + 1 terminating NULL byte

       The command token consists of:

       token ID		       1 byte
       count of	args	       2 bytes
       argument	list	       (count times)
       text length	       2 bytes
       argument	text	       N bytes + 1 terminating NULL byte
       count of	env strings    2 bytes
       environment list	       (count times)
       text length	       2 bytes
       env. text	       N bytes + 1 terminating NULL byte

       The ACL token consists of:

       token ID		       1 byte
       type		       4 bytes
       value		       4 bytes
       file mode	       4 bytes

       The zonename token consists of:

       token ID		       1 byte
       name length	       2 bytes
       name		       N bytes + 1 terminating NULL byte (the length
			       field counts the NULL)
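The layouts above are enough to write and read a trail by hand, and doing so makes the two consistency checks a reader needs visible: the header's record byte count must be checked against the data actually held before it is used, and the trailer's magic number and byte count must match the header. The following Python is an added example, not code from this page, Solaris or OpenBSM. It builds a small trail from the 32-bit header, subject, path, return and trailer layouts, then parses it back. The token ID values and the trailer magic 0xB105 are those defined in <bsm/audit_record.h>, which this page's SYNOPSIS includes but does not print; all fields are big-endian. The two records, their user and process IDs, and the event number (23, assumed to be AUE_EXECVE) are constructed sample data.

```python
"""Write and parse a minimal BSM audit trail from the token layouts above.

Added example, not code from audit.log(4), Solaris or OpenBSM. Token IDs and
the trailer magic are the values in <bsm/audit_record.h>; wire order is
big-endian.
"""
import struct
from datetime import datetime, timezone

AUT_TRAILER = 0x13      # trailer token
AUT_HEADER32 = 0x14     # 32-bit header token, version 2
AUT_PATH = 0x23         # path token
AUT_SUBJECT32 = 0x24    # 32-bit subject token
AUT_RETURN32 = 0x27     # 32-bit return token
TRAILER_MAGIC = 0xB105  # "trailer magic number" field

HEADER32_LEN = 18       # 1 + 4 + 1 + 2 + 2 + 4 + 4
TRAILER_LEN = 7         # 1 + 2 + 4
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")


class FormatError(ValueError):
    """Raised on a malformed or truncated record."""


# ---- writers, one per token, mirroring the byte layouts on the page ----

def subject32(auid, euid, egid, ruid, rgid, pid, sid, port, addr):
    return struct.pack(">B9I", AUT_SUBJECT32, auid, euid, egid, ruid, rgid, pid, sid, port, addr)


def path(p):
    s = p.encode() + b"\0"                       # length field counts the NULL
    return struct.pack(">BH", AUT_PATH, len(s)) + s


def return32(errno_, value):
    return struct.pack(">BBI", AUT_RETURN32, errno_, value)


def build_record(event, modifier, secs, nsecs, tokens):
    """Header + data tokens + trailer; both byte counts cover the whole record."""
    body = b"".join(tokens)
    total = HEADER32_LEN + len(body) + TRAILER_LEN
    hdr = struct.pack(">BIBHHII", AUT_HEADER32, total, 2, event, modifier, secs, nsecs)
    return hdr + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)


# ---- reader ----

def parse_record(buf, off=0):
    """Parse one record at buf[off:]; return (list of (name, fields), next offset)."""
    if len(buf) - off < HEADER32_LEN or buf[off] != AUT_HEADER32:
        raise FormatError(f"no 32-bit header token at offset {off}")
    _, total, version, event, modifier, secs, nsecs = struct.unpack_from(">BIBHHII", buf, off)
    if version != 2:
        raise FormatError(f"unsupported record version {version}")
    # Trust the byte count only after checking it against what we actually hold.
    if total < HEADER32_LEN + TRAILER_LEN or off + total > len(buf):
        raise FormatError(f"record byte count {total} at offset {off} exceeds data")
    end, body_end = off + total, off + total - TRAILER_LEN
    tokens = [("header", {"record_bytes": total, "event": event, "modifier": modifier,
                          "time": datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()})]
    p = off + HEADER32_LEN
    while p < body_end:
        tid = buf[p]
        if tid == AUT_SUBJECT32 and p + 37 <= body_end:
            tokens.append(("subject", dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, p + 1)))))
            p += 37
        elif tid == AUT_PATH and p + 3 <= body_end:
            (n,) = struct.unpack_from(">H", buf, p + 1)
            s = buf[p + 3:p + 3 + n]
            if p + 3 + n > body_end or not s.endswith(b"\0"):
                raise FormatError(f"path token at {p} is unterminated or overruns the record")
            tokens.append(("path", s[:-1].decode(errors="replace")))
            p += 3 + n
        elif tid == AUT_RETURN32 and p + 6 <= body_end:
            err, val = struct.unpack_from(">BI", buf, p + 1)
            tokens.append(("return", {"errno": err, "value": val}))
            p += 6
        else:
            raise FormatError(f"unsupported or truncated token 0x{tid:02x} at offset {p}")
    tid, magic, count = struct.unpack_from(">BHI", buf, body_end)
    if tid != AUT_TRAILER or magic != TRAILER_MAGIC or count != total:
        raise FormatError(f"bad trailer at offset {body_end}")
    return tokens, end


def parse_trail(buf):
    """Walk every record in a trail; stops with FormatError at the first bad one."""
    records, off = [], 0
    while off < len(buf):
        rec, off = parse_record(buf, off)
        records.append(rec)
    return records


# Constructed sample trail of two records; not captured from a real system.
SAMPLE_TRAIL = build_record(23, 0, 1073001600, 0, [       # event 23: AUE_EXECVE, assumed
    subject32(1001, 1001, 10, 1001, 10, 4242, 4242, 0, 0x7F000001),
    path("/usr/bin/id"),
    return32(0, 0),
]) + build_record(23, 0, 1073001601, 500, [
    subject32(1001, 1001, 10, 1001, 10, 4243, 4242, 0, 0x7F000001),
    path("/usr/sbin/restricted"),
    return32(13, 0xFFFFFFFF),                              # errno 13, return -1
])

if __name__ == "__main__":
    for rec in parse_trail(SAMPLE_TRAIL):
        print(rec)
```

A trail written by a 64-bit kernel uses the 8-byte header, subject and return variants listed above, which carry their own token IDs and need their own branches; this reader rejects them rather than guessing a layout. The bounds check before `end` is what keeps a truncated not_terminated file from driving the reader past the buffer, and the trailer comparison is what catches a record whose body was cut short but whose header count still looks plausible.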

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability:	     |				   |
       |  binary file format	     |Evolving			   |
       |  binary file contents	     |Unstable			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2),  au_to(3BSM),
       audit_control(4), audit_syslog(5)

NOTES
       Each  token  is generally written using the au_to(3BSM) family of func-
       tion calls.

SunOS 5.10			  6 Jan	2004			  audit.log(4)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=audit.log&sektion=4&manpath=SunOS+5.10>
