
NAME

audit.log − audit trail file

SYNOPSIS

#include <bsm/audit.h>
#include <bsm/audit_record.h>

DESCRIPTION

audit.log files are the depository for audit records stored locally or on an audit server.  These files are kept in directories named in the file audit_control(4).  They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well.  The name takes the form

yyyymmddhhmmss.not_terminated.hostname

when open or if the auditd(1M) terminated ungracefully, and the form

yyyymmddhhmmss.yyyymmddhhmmss.hostname

when properly closed.  yyyy is the year, mm the month, dd the day of the month, hh the hour of the day, mm the minute of the hour, and ss the second of the minute.  All fields are of fixed width.

The audit.log file begins with a standalone file token and typically ends with one also.  The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file.  If the file name is NULL, the corresponding path was unavailable.

The audit.log files contain audit records.  Each audit record is made up of audit tokens: a header token followed by various data tokens.  Depending on the audit policy set by auditon(2), other optional tokens such as trailers or sequences may also be included.

The tokens are defined as follows:

The file token consists of:

     token ID                  char
     seconds of time           u_int
     milliseconds of time      u_int
     file name length          short
     file pathname             null terminated string

The header token consists of:

     token ID                  char
     record byte count         u_long
     version #                 char        (1)
     event type                u_short
     event modifier            u_short
     seconds of time           u_int
     milliseconds of time      u_int

The trailer token consists of:

     token ID                  char
     trailer magic number      u_short
     record byte count         u_long

The arbitrary data token is defined:

     token ID                  char
     how to print              char
     basic unit                char
     unit count                char
     data items                depends on basic unit

The in_addr token consists of:

     token ID                  char
     internet address          char

The ip token consists of:

     token ID                  char
     version and ihl           char
     type of service           char
     length                    short
     id                        u_short
     offset                    u_short
     ttl                       char
     protocol                  char
     checksum                  u_short
     source address            long
     destination address       long

The iport token consists of:

     token ID                  char
     port address              short

The opaque token consists of:

     token ID                  char
     size                      short
     data                      char, size chars

The path token consists of:

     token ID                  char
     path length               short
     path                      null terminated string

The process token consists of:

     token ID                  char
     auid                      u_long
     euid                      u_long
     egid                      u_long
     ruid                      u_long
     rgid                      u_long
     pid                       u_long
     sid                       u_long
     terminal ID               u_long   (port ID)
                               u_long   (machine ID)

The return token consists of:

     token ID                  char
     error number              char
     return value              long

The subject token consists of:

     token ID                  char
     auid                      u_long
     euid                      u_long
     egid                      u_long
     ruid                      u_long
     rgid                      u_long
     pid                       u_long
     sid                       u_long
     terminal ID               u_long   (port ID)
                               u_long   (machine ID)

The System V IPC token consists of:

     token ID                  char
     object ID type            char
     object ID                 long

The text token consists of:

     token ID                  char
     text length               short
     text                      null terminated string

The attribute token consists of:

     token ID                  char
     mode                      u_long
     uid                       u_long
     gid                       u_long
     file system id            long
     node id                   long
     device                    u_long

The groups token consists of:

     token ID                  char
     number                    short
     group list                long, size chars

The System V IPC permission token consists of:

     token ID                  char
     uid                       u_long
     gid                       u_long
     cuid                      u_long
     cgid                      u_long
     mode                      u_long
     seq                       u_long
     key                       long

The arg token consists of:

     token ID                  char
     argument #                char
     argument value            long
     string length             short
     text                      null terminated string

The exec_args token consists of:

     token ID                  char
     count                     long
     text                      count null terminated string(s)

The exec_env token consists of:

     token ID                  char
     count                     long
     text                      count null terminated string(s)

The exit token consists of:

     token ID                  char
     status                    long
     return value              long

The socket token consists of:

     token ID                  char
     socket type               short
     local port                short
     local Internet address    char
     remote port               short
     remote Internet address   char

The seq token consists of:

     token ID                  char
     sequence number           long
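As an added example that is not part of the man page, the following Python reader walks a byte image laid out as the file, header, return and trailer tokens above and rejects any record whose trailer does not match its header. It assumes big-endian 32-bit fields (char 1, short 2, u_int/u_long/long 4 bytes), that a string's length field counts its terminating NUL, and the numeric token IDs and trailer magic of <bsm/audit_record.h>, which this page does not list; the sample bytes and the event number in them are constructed.

```python
# Added example, not from the SunOS man page: a reader for the token layout above,
# run on a constructed audit.log image. Assumed: big-endian; char=1, short=2,
# u_int/u_long/long=4 bytes (32-bit SunOS 5.6); a string length counts its NUL;
# token ID values and trailer magic are those of <bsm/audit_record.h> (not on page).
import struct

AUT_FILE, AUT_TRAILER, AUT_HEADER, AUT_RETURN = 0x11, 0x13, 0x14, 0x27
TRAILER_MAGIC, HEADER_LEN, TRAILER_LEN = 0xB105, 18, 7

def parse_token(buf, off):  # decode the token at off -> (dict, offset of next token)
    tid = buf[off]
    if tid == AUT_FILE:  # char, u_int secs, u_int msecs, short length, string
        sec, msec, n = struct.unpack_from(">IIH", buf, off + 1)
        path = buf[off + 11:off + 11 + n].split(b"\0", 1)[0].decode("ascii")
        return {"type": "file", "sec": sec, "msec": msec, "path": path}, off + 11 + n
    if tid == AUT_HEADER:  # char, u_long count, char version, u_short, u_short, u_int, u_int
        size, ver, ev, mod, sec, msec = struct.unpack_from(">IBHHII", buf, off + 1)
        return {"type": "header", "size": size, "version": ver, "event": ev,
                "modifier": mod, "sec": sec, "msec": msec}, off + HEADER_LEN
    if tid == AUT_RETURN:  # char, char errno, long return value
        err, val = struct.unpack_from(">Bi", buf, off + 1)
        return {"type": "return", "errno": err, "value": val}, off + 6
    if tid == AUT_TRAILER:  # char, u_short magic, u_long count
        magic, size = struct.unpack_from(">HI", buf, off + 1)
        return {"type": "trailer", "magic": magic, "size": size}, off + TRAILER_LEN
    raise ValueError("unknown token id 0x%02x at offset %d" % (tid, off))

def parse_log(buf):  # -> list of records, each a list of token dicts
    records, off = [], 0
    while off < len(buf):
        tok, off = parse_token(buf, off)
        rec = [tok]  # a standalone file token is returned as a one-token record
        if tok["type"] == "header":  # the record spans exactly 'record byte count' bytes
            end = off - HEADER_LEN + tok["size"]
            while off < end:
                t, off = parse_token(buf, off)
                rec.append(t)
            want = {"type": "trailer", "magic": TRAILER_MAGIC, "size": tok["size"]}
            if off != end or rec[-1] != want:  # integrity: trailer, magic, byte count
                raise ValueError("corrupt or truncated record ending at offset %d" % off)
        records.append(rec)
    return records

def build_sample():  # constructed input: leading file token, then one complete record
    path = b"/var/audit/prev\0"
    body = bytes([AUT_RETURN]) + struct.pack(">Bi", 0, 0)  # errno 0, return value 0
    size = HEADER_LEN + len(body) + TRAILER_LEN
    return (bytes([AUT_FILE]) + struct.pack(">IIH", 862358400, 0, len(path)) + path
            + bytes([AUT_HEADER]) + struct.pack(">IBHHII", size, 1, 6, 0, 862358400, 5)
            + body + bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, size))
```

The trailer check is what lets a reader notice a record that auditd(1M) never finished writing, or one that was altered after the fact, instead of silently parsing past it.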

SEE ALSO

audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2), au_to(3), audit_control(4)

NOTES

Each token is generally written using the au_to(3) family of function calls. 

The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled.  See bsmconv(1M) for more information. 

SunOS 5.6  —  Last change: 30 Apr 1997
