2 .\" Copyright (c) 2017 Peter Tribble
3 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH AUDIT.LOG 4 "Mar 6, 2017"
9 audit.log \- audit trail file
13 \fB#include <bsm/audit.h>\fR
18 \fB#include <bsm/audit_record.h>\fR
23 \fBaudit.log\fR files are the depository for audit records stored locally or on
24 an NFS-mounted audit server. These files are kept in directories as specified
25 by the \fBp_dir\fR attribute of the \fBaudit_binfile\fR(5) plugin. They are
26 named to reflect the time they are created and are, when possible, renamed to
27 reflect the time they are closed as well. The name takes the form
30 \fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR
33 when open or if \fBauditd\fR(8) terminated ungracefully, and the form
36 \fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR
39 when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day
40 in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and
41 \fBss\fR second in the minute. All fields are of fixed width.
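As an added example (not part of this page or of illumos), the following Python applies the naming rules above to a directory listing: it parses both name forms, groups the files by host (an NFS audit server holds trails from several hosts), identifies the live file, flags any older \fBnot_terminated\fR file, which is the trace of an \fBauditd\fR(8) that went away while the file was open, and reports gaps between one file's close time and the next file's open time. The file names are constructed for the example and the 60-second gap tolerance is an assumption, not a documented value.

```python
import re
from datetime import datetime

# yyyymmddhhmmss.<yyyymmddhhmmss|not_terminated>.<hostname>; all time fields are fixed width.
_TRAIL_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")
_TS = "%Y%m%d%H%M%S"


def parse_trail_name(name):
    """Split a trail file name into open time, close time (None while open) and host."""
    m = _TRAIL_NAME.match(name)
    if not m:
        raise ValueError("not an audit trail file name: %r" % name)
    opened = datetime.strptime(m.group(1), _TS)
    closed = None if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), _TS)
    if closed is not None and closed < opened:
        raise ValueError("close time precedes open time: %r" % name)
    return {"name": name, "opened": opened, "closed": closed, "host": m.group(3)}


def trail_coverage(names, max_gap_seconds=60):
    """Per host, order the trail files by open time and report what deserves a look:
    the live file (the newest one, still not_terminated), every older not_terminated
    file (auditd went away while it was open, so its close time is unknown), and any
    gap between one file's close time and the next file's open time that exceeds
    max_gap_seconds (an assumed rotation tolerance, not a documented value)."""
    by_host = {}
    for f in sorted(map(parse_trail_name, names), key=lambda f: f["opened"]):
        by_host.setdefault(f["host"], []).append(f)
    report = {}
    for host, files in by_host.items():
        newest = files[-1]
        gaps = []
        for a, b in zip(files, files[1:]):
            if a["closed"] is None:          # no close time, so no gap can be measured
                continue
            gap = (b["opened"] - a["closed"]).total_seconds()
            if gap > max_gap_seconds:
                gaps.append((a["name"], b["name"], gap))
        report[host] = {"live": newest["name"] if newest["closed"] is None else None,
                        "ungraceful": [f["name"] for f in files[:-1] if f["closed"] is None],
                        "gaps": gaps}
    return report


# Constructed listing: host1 has one file left not_terminated in the middle of its history
# and a two-hour hole before its live file; host2 only has its live file.
SAMPLE_NAMES = [
    "20170306100000.not_terminated.host1",
    "20170306120000.20170306180000.host1",
    "20170306180000.20170307090000.host1",
    "20170307090000.20170307100000.host1",
    "20170307120000.not_terminated.host1",
    "20170307000000.not_terminated.host2",
]

if __name__ == "__main__":
    for host, findings in trail_coverage(SAMPLE_NAMES).items():
        print(host, findings)
```

A not_terminated file that is not the newest one for its host cannot be renamed by a later \fBauditd\fR(8), so its close time has to be recovered from the last record inside it; the gap check only uses the close times that the names do carry.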
44 Audit data is generated in the binary format described below, which is the
45 default. See \fBaudit_syslog\fR(5) for an alternate data
49 The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and
50 typically ends with one also. The beginning \fBfile token\fR records the
51 pathname of the previous audit file, while the ending \fBfile token\fR records
52 the pathname of the next audit file. If the file name is \fBNULL\fR the
53 appropriate path was unavailable.
56 The \fBaudit.log\fR files contain audit records. Each audit record is made up
57 of \fIaudit tokens\fR: a header token followed by various data tokens. Depending
58 on the audit policy set with \fBauditon\fR(2), other optional tokens such as a
59 trailer or a sequence token may also be present.
62 The tokens are defined as follows:
65 The \fBfile\fR token consists of:
70 seconds of time 4 bytes
71 microseconds of time 4 bytes
72 file name length 2 bytes
73 file pathname N bytes + 1 terminating NULL byte
80 The \fBheader\fR token consists of:
85 record byte count 4 bytes
88 event modifier 2 bytes
89 seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
90 nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
97 The expanded \fBheader\fR token consists of:
102 record byte count 4 bytes
105 event modifier 2 bytes
106 address type/length 4 bytes
107 machine address 4 bytes/16 bytes (IPv4/IPv6 address)
108 seconds of time 4 bytes/8 bytes (32/64-bits)
109 nanoseconds of time 4 bytes/8 bytes (32/64-bits)
116 The \fBtrailer\fR token consists of:
121 trailer magic number 2 bytes
122 record byte count 4 bytes
129 The \fBarbitrary data\fR token consists of:
137 data items (depends on basic unit)
144 The \fBin_addr\fR token consists of:
149 IP address type/length 1 byte
150 IP address 4 bytes/16 bytes (IPv4/IPv6 address)
157 The expanded \fBin_addr\fR token consists of:
162 IP address type/length 4 bytes
163 IP address 4 bytes/16 bytes (IPv4/IPv6 address)
170 The \fBip\fR token consists of:
175 version and ihl 1 byte
176 type of service 1 byte
183 source address 4 bytes
184 destination address 4 bytes
191 The expanded \fBip\fR token consists of:
196 version and ihl 1 byte
197 type of service 1 byte
204 address type/length 1 byte
205 source address 4 bytes/16 bytes (IPv4/IPv6 address)
206 address type/length 1 byte
207 destination address 4 bytes/16 bytes (IPv4/IPv6 address)
214 The \fBiport\fR token consists of:
219 port IP address 2 bytes
226 The \fBpath\fR token consists of:
232 path N bytes + 1 terminating NULL byte
239 The \fBpath_attr\fR token consists of:
245 path \fIcount\fR null-terminated string(s)
252 The \fBprocess\fR token consists of:
258 effective user ID 4 bytes
259 effective group ID 4 bytes
261 real group ID 4 bytes
265 port ID 4 bytes/8 bytes (32-bit/64-bit value)
266 machine address 4 bytes
273 The expanded \fBprocess\fR token consists of:
279 effective user ID 4 bytes
280 effective group ID 4 bytes
282 real group ID 4 bytes
286 port ID 4 bytes/8 bytes (32-bit/64-bit value)
287 address type/length 4 bytes
288 machine address 4 bytes/16 bytes (IPv4/IPv6 address)
295 The \fBreturn\fR token consists of:
301 return value 4 bytes/8 bytes (32-bit/64-bit value)
308 The \fBsubject\fR token consists of:
314 effective user ID 4 bytes
315 effective group ID 4 bytes
317 real group ID 4 bytes
321 port ID 4 bytes/8 bytes (32-bit/64-bit value)
322 machine address 4 bytes
329 The expanded \fBsubject\fR token consists of:
335 effective user ID 4 bytes
336 effective group ID 4 bytes
338 real group ID 4 bytes
342 port ID 4 bytes/8 bytes (32-bit/64-bit value)
343 address type/length 4 bytes
344 machine address 4 bytes/16 bytes (IPv4/IPv6 address)
351 The \fBSystem V IPC\fR token consists of:
356 object ID type 1 byte
364 The \fBtext\fR token consists of:
370 text N bytes + 1 terminating NULL byte
377 The \fBattribute\fR token consists of:
382 file access mode 4 bytes
383 owner user ID 4 bytes
384 owner group ID 4 bytes
385 file system ID 4 bytes
387 device 4 bytes/8 bytes (32-bit/64-bit)
394 The \fBgroups\fR token consists of:
399 number of groups 2 bytes
400 group list N * 4 bytes
407 The \fBSystem V IPC permission\fR token consists of:
412 owner user ID 4 bytes
413 owner group ID 4 bytes
414 creator user ID 4 bytes
415 creator group ID 4 bytes
417 slot sequence # 4 bytes
425 The \fBarg\fR token consists of:
431 argument value 4 bytes/8 bytes (32-bit/64-bit value)
433 text N bytes + 1 terminating NULL byte
440 The \fBexec_args\fR token consists of:
446 text \fIcount\fR null-terminated string(s)
453 The \fBexec_env\fR token consists of:
459 text \fIcount\fR null-terminated string(s)
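The following Python is an added example, not code from this page or from illumos, showing how the file, header, trailer, path, subject, return, text and exec_args token layouts above fit together. It builds a small constructed trail (two records for an execve of su, bracketed by the file tokens that name the previous and next trail files) and then walks it record by record: the header's record byte count locates each record, the trailer must be the last token and its magic number and byte count must agree with the header, every length-prefixed string must end in its NULL byte, and no token may run past its record. The token ID values and the 0xB105 trailer magic are the constants from <bsm/audit_record.h>; all multi-byte fields are big-endian, as the adr_* routines write them; the 32-bit, non-expanded token forms are used throughout, and the version and event-type fields that precede the event modifier in the header token are included. The user IDs, address, event (23 is AUE_EXECVE), file names and record contents are constructed for the example.

```python
import struct
from datetime import datetime, timezone
# Token IDs and trailer magic as defined in <bsm/audit_record.h> (only those decoded here).
AUT_OTHER_FILE32, AUT_TRAILER, AUT_HEADER32 = 0x11, 0x13, 0x14
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT, AUT_EXEC_ARGS = 0x23, 0x24, 0x27, 0x28, 0x3C
AUT_TRAILER_MAGIC = 0xB105
HDR32_LEN, TRAILER_LEN = 18, 7  # fixed sizes of the header32 and trailer tokens
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")

def _need(p, n, end):  # bounded reads: a token may not run past its record (or the buffer)
    if p + n > end:
        raise ValueError("token at offset %d runs past offset %d" % (p, end))
def _lstr(s):  # 2-byte length that counts the NUL, then the NUL-terminated string (path/text layout)
    return struct.pack(">H", len(s) + 1) + s.encode() + b"\0"

def build_record(event, subject, path, argv, text, errnum, retval, sec=1488801600):
    """Constructed record: header32, subject32, path, exec_args, text, return32, trailer (big-endian)."""
    body = struct.pack(">B9I", AUT_SUBJECT32, *subject)
    body += struct.pack(">B", AUT_PATH) + _lstr(path)
    body += struct.pack(">BI", AUT_EXEC_ARGS, len(argv)) + b"".join(a.encode() + b"\0" for a in argv)
    body += struct.pack(">B", AUT_TEXT) + _lstr(text)
    body += struct.pack(">BBi", AUT_RETURN32, errnum, retval)
    total = HDR32_LEN + len(body) + TRAILER_LEN  # the byte count covers header through trailer
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 2, event, 0, sec, 0)  # version 2
    return header + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, total)

def build_file_token(name, sec=1488801600, usec=0):  # standalone token naming the previous/next file
    return struct.pack(">BII", AUT_OTHER_FILE32, sec, usec) + _lstr(name)

def parse_record(buf, off):
    """Decode the record at buf[off]; return (dict, offset just past it); ValueError if malformed."""
    _need(off, HDR32_LEN, len(buf))
    tid, count, _, event, mod, sec, nsec = struct.unpack_from(">BIBHHII", buf, off)
    end = off + count
    if tid != AUT_HEADER32 or count < HDR32_LEN or end > len(buf):
        raise ValueError("bad header at offset %d (id 0x%02x, byte count %d)" % (off, tid, count))
    rec = {"event": event, "modifier": mod, "sealed": False,
           "time": datetime.fromtimestamp(sec + nsec / 1e9, timezone.utc)}
    p = off + HDR32_LEN
    while p < end:
        t = buf[p]
        if t == AUT_TRAILER:  # must be the last token and agree with the header
            magic, tcount = struct.unpack_from(">HI", buf, p + 1) if p + TRAILER_LEN == end else (0, 0)
            if magic != AUT_TRAILER_MAGIC or tcount != count:
                raise ValueError("trailer at offset %d does not match header" % p)
            rec["sealed"], p = True, end
        elif t == AUT_SUBJECT32:
            _need(p, 1 + 9 * 4, end)
            rec["subject"] = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, p + 1)))
            p += 1 + 9 * 4
        elif t in (AUT_PATH, AUT_TEXT):
            (n,) = struct.unpack_from(">H", buf, p + 1)
            _need(p + 3, n, end)
            s = buf[p + 3:p + 3 + n]
            if n == 0 or s[-1] != 0:
                raise ValueError("string token at offset %d is not NUL-terminated" % p)
            rec["path" if t == AUT_PATH else "text"] = s[:-1].decode("utf-8", "replace")
            p += 3 + n
        elif t == AUT_EXEC_ARGS:
            _need(p, 5, end)
            (cnt,) = struct.unpack_from(">I", buf, p + 1)
            p, argv = p + 5, []
            for _ in range(cnt):
                nul = buf.index(b"\0", p, end)  # ValueError if an argument has no NUL inside the record
                argv.append(buf[p:nul].decode("utf-8", "replace"))
                p = nul + 1
            rec["argv"] = argv
        elif t == AUT_RETURN32:
            _need(p, 6, end)
            _, err, val = struct.unpack_from(">BBi", buf, p)
            rec["return"], p = {"errno": err, "value": val}, p + 6
        else:
            raise ValueError("unsupported token 0x%02x at offset %d" % (t, p))
    return rec, end

def parse_trail(buf):
    """Walk a whole audit.log image: leading file token, records, optional closing file token."""
    files, records, off = [], [], 0
    while off < len(buf):
        if buf[off] == AUT_OTHER_FILE32:
            _need(off, 11, len(buf))
            _, sec, usec, n = struct.unpack_from(">BIIH", buf, off)
            _need(off + 11, n, len(buf))
            files.append(buf[off + 11:off + 11 + n].rstrip(b"\0").decode() or None)
            off += 11 + n
        else:
            rec, off = parse_record(buf, off)
            records.append(rec)
    return {"files": files, "records": records}  # files[0] = previous trail, files[1] = next trail

def trail_errors(buf):  # first integrity error in a trail image, or None when it parses cleanly
    try:
        parse_trail(buf)
    except (ValueError, struct.error) as e:
        return str(e)

# Constructed sample: previous-file token, an execve of su (AUE_EXECVE = 23) that succeeded and one
# that failed with EACCES (errno 13), then the closing token naming the next, still-open trail file.
SAMPLE_SUBJECT = (1000, 0, 0, 1000, 10, 4242, 7, 12345, 0x0A000001)  # auid 1000, euid 0, 10.0.0.1
SAMPLE_TRAIL = (build_file_token("/var/audit/20170306120000.20170306180000.host1")
                + build_record(23, SAMPLE_SUBJECT, "/usr/bin/su", ["su", "-"], "ok", 0, 0)
                + build_record(23, SAMPLE_SUBJECT, "/usr/bin/su", ["su", "-"], "denied", 13, -1)
                + build_file_token("/var/audit/20170306180000.not_terminated.host1"))
```

Because the audit policy makes the trailer optional, the parser records whether one was present (\fBsealed\fR) rather than insisting on it; when trailers are on, a record whose trailer disagrees with its header, or whose byte count runs past the end of the file, is exactly what a truncated or altered trail looks like, so \fBtrail_errors\fR reports the first such record instead of silently resynchronising.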
466 The \fBexit\fR token consists of:
479 The \fBsocket\fR token consists of:
486 remote Internet address 4 bytes
493 The expanded \fBsocket\fR token consists of:
498 socket domain 2 bytes
501 address type/length 2 bytes
503 local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
505 remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
512 The \fBseq\fR token consists of:
517 sequence number 4 bytes
524 The \fBprivilege\fR token consists of:
530 privilege set name N bytes + 1 terminating NULL byte
532 list of privileges N bytes + 1 terminating NULL byte
538 The \fBuse-of-auth\fR token consists of:
544 authorization(s) N bytes + 1 terminating NULL byte
550 The \fBuse-of-privilege\fR token consists of:
557 privilege used N bytes + 1 terminating NULL byte
563 The \fBcommand\fR token consists of:
568 count of args 2 bytes
569 argument list (count times)
571 argument text N bytes + 1 terminating NULL byte
572 count of env strings 2 bytes
573 environment list (count times)
575 env. text N bytes + 1 terminating NULL byte
581 The \fBACL\fR token consists of:
594 The \fBACE\fR token consists of:
608 The \fBzonename\fR token consists of:
614 name \fI<name length>\fR including terminating NULL byte
620 The \fBfmri\fR token consists of:
626 fmri \fI<fmri length>\fR including terminating NULL byte
632 The \fBlabel\fR token consists of:
638 compartment length 1 byte
639 classification 2 bytes
640 compartment words \fI<compartment length>\fR * 4 bytes
646 The \fBxatom\fR token consists of:
651 string length 2 bytes
652 atom string \fIstring length\fR bytes
658 The \fBxclient\fR token consists of:
669 The \fBxcolormap\fR token consists of:
681 The \fBxcursor\fR token consists of:
693 The \fBxfont\fR token consists of:
705 The \fBxgc\fR token consists of:
717 The \fBxpixmap\fR token consists of:
729 The \fBxproperty\fR token consists of:
736 string length 2 bytes
737 string \fIstring length\fR bytes
743 The \fBxselect\fR token consists of:
748 property length 2 bytes
749 property string \fIproperty length\fR bytes
750 prop. type len. 2 bytes
751 prop type \fIprop. type len.\fR bytes
753 window data \fIdata length\fR bytes
759 The \fBxwindow\fR token consists of:
771 See \fBattributes\fR(5) for descriptions of the following attributes:
779 ATTRIBUTE TYPE ATTRIBUTE VALUE
781 Interface Stability See below.
786 The binary file format is Committed. The binary file contents are Uncommitted.
789 \fBaudit\fR(8), \fBauditd\fR(8), \fBaudit\fR(2),
790 \fBauditon\fR(2), \fBau_to\fR(3BSM),
791 \fBaudit_binfile\fR(5), \fBaudit_remote\fR(5), \fBaudit_syslog\fR(5)
794 Each token is generally written using the \fBau_to\fR(3BSM) family of function