'\" te .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH audit.log 4 "29 May 2009" "SunOS 5.11" "File Formats" .SH NAME audit.log \- audit trail file .SH SYNOPSIS .LP .nf \fB#include \fR .fi .LP .nf \fB#include \fR .fi .SH DESCRIPTION .sp .LP \fBaudit.log\fR files are the depository for audit records stored locally or on an on an NFS-mounted audit server. These files are kept in directories named in the file \fBaudit_control\fR(4) using the \fBdir\fR option. They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form .sp .LP \fIyyyymmddhhmmss\fR\fB\&.not_terminated.\fR\fIhostname\fR .sp .LP when open or if the \fBauditd\fR(1M) terminated ungracefully, and the form .sp .LP \fIyyyymmddhhmmss\fR\fB\&.\fR\fIyyyymmddhhmmss\fR\fB\&.\fR\fIhostname\fR .sp .LP when properly closed. \fByyyy\fR is the year, \fBmm\fR the month, \fBdd\fR day in the month, \fBhh\fR hour in the day, \fBmm\fR minute in the hour, and \fBss\fR second in the minute. All fields are of fixed width. .sp .LP Audit data is generated in the binary format described below; the default for Solaris audit is binary format. See \fBaudit_syslog\fR(5) for an alternate data format. .sp .LP The \fBaudit.log\fR file begins with a standalone \fBfile token\fR and typically ends with one also. The beginning \fBfile token\fR records the pathname of the previous audit file, while the ending \fBfile token\fR records the pathname of the next audit file. If the file name is \fBNULL\fR the appropriate path was unavailable. .sp .LP The \fBaudit.log\fR files contains audit records. Each audit record is made up of \fIaudit tokens\fR. Each record contains a header token followed by various data tokens. Depending on the audit policy in place by \fBauditon\fR(2), optional other tokens such as trailers or sequences may be included. .sp .LP The tokens are defined as follows: .sp .LP The \fBfile\fR token consists of: .sp .in +2 .nf token ID 1 byte seconds of time 4 bytes microseconds of time 4 bytes file name length 2 bytes file pathname N bytes + 1 terminating NULL byte .fi .in -2 .sp .sp .LP The \fBheader\fR token consists of: .sp .in +2 .nf token ID 1 byte record byte count 4 bytes version # 1 byte [2] event type 2 bytes event modifier 2 bytes seconds of time 4 bytes/8 bytes (32-bit/64-bit value) nanoseconds of time 4 bytes/8 bytes (32-bit/64-bit value) .fi .in -2 .sp .sp .LP The expanded \fBheader\fR token consists of: .sp .in +2 .nf token ID 1 byte record byte count 4 bytes version # 1 byte [2] event type 2 bytes event modifier 2 bytes address type/length 1 byte machine address 4 bytes/16 bytes (IPv4/IPv6 address) seconds of time 4 bytes/8 bytes (32/64-bits) nanoseconds of time 4 bytes/8 bytes (32/64-bits) .fi .in -2 .sp .sp .LP The \fBtrailer\fR token consists of: .sp .in +2 .nf token ID 1 byte trailer magic number 2 bytes record byte count 4 bytes .fi .in -2 .sp .sp .LP The \fBarbitrary\fR \fBdata\fR token is defined: .sp .in +2 .nf token ID 1 byte how to print 1 byte basic unit 1 byte unit count 1 byte data items (depends on basic unit) .fi .in -2 .sp .sp .LP The \fBin_addr\fR token consists of: .sp .in +2 .nf token ID 1 byte IP address type/length 1 byte IP address 4 bytes/16 bytes (IPv4/IPv6 address) .fi .in -2 .sp .sp .LP The expanded \fBin_addr\fR token consists of: .sp .in +2 .nf token ID 1 byte IP address type/length 4 bytes/16 bytes (IPv4/IPv6 address) IP address 16 bytes .fi .in -2 .sp .sp .LP The \fBip\fR token consists of: .sp .in +2 .nf token ID 1 byte version and ihl 1 byte type of service 1 byte length 2 bytes id 2 bytes offset 2 bytes ttl 1 byte protocol 1 byte checksum 2 bytes source address 4 bytes destination address 4 bytes .fi .in -2 .sp .sp .LP The expanded \fBip\fR token consists of: .sp .in +2 .nf token ID 1 byte version and ihl 1 byte type of service 1 byte length 2 bytes id 2 bytes offset 2 bytes ttl 1 byte protocol 1 byte checksum 2 bytes address type/type 1 byte source address 4 bytes/16 bytes (IPv4/IPv6 address) address type/length 1 byte destination address 4 bytes/16 bytes (IPv4/IPv6 address) .fi .in -2 .sp .sp .LP The \fBiport\fR token consists of: .sp .in +2 .nf token ID 1 byte port IP address 2 bytes .fi .in -2 .sp .sp .LP The \fBpath\fR token consists of: .sp .in +2 .nf token ID 1 byte path length 2 bytes path N bytes + 1 terminating NULL byte .fi .in -2 .sp .sp .LP The \fBpath_attr\fR token consists of: .sp .in +2 .nf token ID 1 byte count 4 bytes path \fIcount\fR null-terminated string(s) .fi .in -2 .sp .sp .LP The \fBprocess\fR token consists of: .sp .in +2 .nf token ID 1 byte audit ID 4 bytes effective user ID 4 bytes effective group ID 4 bytes real user ID 4 bytes real group ID 4 bytes process ID 4 bytes session ID 4 bytes terminal ID port ID 4 bytes/8 bytes (32-bit/64-bit value) machine address 4 bytes .fi .in -2 .sp .sp .LP The expanded \fBprocess\fR token consists of: .sp .in +2 .nf token ID 1 byte audit ID 4 bytes effective user ID 4 bytes effective group ID 4 bytes real user ID 4 bytes real group ID 4 bytes process ID 4 bytes session ID 4 bytes terminal ID port ID 4 bytes/8 bytes (32-bit/64-bit value) address type/length 1 byte machine address 4 bytes/16 bytes (IPv4/IPv6 address) .fi .in -2 .sp .sp .LP The \fBreturn\fR token consists of: .sp .in +2 .nf token ID 1 byte error number 1 byte return value 4 bytes/8 bytes (32-bit/64-bit value) .fi .in -2 .sp .sp .LP The \fBsubject\fR token consists of: .sp .in +2 .nf token ID 1 byte audit ID 4 bytes effective user ID 4 bytes effective group ID 4 bytes real user ID 4 bytes real group ID 4 bytes process ID 4 bytes session ID 4 bytes terminal ID port ID 4 bytes/8 bytes (32-bit/64-bit value) machine address 4 bytes .fi .in -2 .sp .sp .LP The expanded \fBsubject\fR token consists of: .sp .in +2 .nf token ID 1 byte audit ID 4 bytes effective user ID 4 bytes effective group ID 4 bytes real user ID 4 bytes real group ID 4 bytes process ID 4 bytes session ID 4 bytes terminal ID port ID 4 bytes/8 bytes (32-bit/64-bit value) address type/length 1 byte machine address 4 bytes/16 bytes (IPv4/IPv6 address) .fi .in -2 .sp .sp .LP The \fBSystem V IPC\fR token consists of: .sp .in +2 .nf token ID 1 byte object ID type 1 byte object ID 4 bytes .fi .in -2 .sp .sp .LP The \fBtext\fR token consists of: .sp .in +2 .nf token ID 1 byte text length 2 bytes text N bytes + 1 terminating NULL byte .fi .in -2 .sp .sp .LP The \fBattribute\fR token consists of: .sp .in +2 .nf token ID 1 byte file access mode 4 bytes owner user ID 4 bytes owner group ID 4 bytes file system ID 4 bytes node ID 8 bytes device 4 bytes/8 bytes (32-bit/64-bit) .fi .in -2 .sp .sp .LP The \fBgroups\fR token consists of: .sp .in +2 .nf token ID 1 byte number groups 2 bytes group list N * 4 bytes .fi .in -2 .sp .sp .LP The \fBSystem V IPC permission\fR token consists of: .sp .in +2 .nf token ID 1 byte owner user ID 4 bytes owner group ID 4 bytes creator user ID 4 bytes creator group ID 4 bytes access mode 4 bytes slot sequence # 4 bytes key 4 bytes .fi .in -2 .sp .sp .LP The \fBarg\fR token consists of: .sp .in +2 .nf token ID 1 byte argument # 1 byte argument value 4 bytes/8 bytes (32-bit/64-bit value) text length 2 bytes text N bytes + 1 terminating NULL byte .fi .in -2 .sp .sp .LP The \fBexec_args\fR token consists of: .sp .in +2 .nf token ID 1 byte count 4 bytes text \fIcount\fR null-terminated string(s) .fi .in -2 .sp .sp .LP The \fBexec_env\fR token consists of: .sp .in +2 .nf token ID 1 byte count 4 bytes text \fIcount\fR null-terminated string(s) .fi .in -2 .sp .sp .LP The \fBexit\fR token consists of: .sp .in +2 .nf token ID 1 byte status 4 bytes return value 4 bytes .fi .in -2 .sp .sp .LP The \fBsocket\fR token consists of: .sp .in +2 .nf token ID 1 byte socket type 2 bytes remote port 2 bytes remote Internet address 4 bytes .fi .in -2 .sp .sp .LP The expanded \fBsocket\fR token consists of: .sp .in +2 .nf token ID 1 byte socket domain 2 bytes socket type 2 bytes local port 2 bytes address type/length 2 bytes local port 2 bytes local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) remote port 2 bytes remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) .fi .in -2 .sp .sp .LP The \fBseq\fR token consists of: .sp .in +2 .nf token ID 1 byte sequence number 4 bytes .fi .in -2 .sp .sp .LP The \fBprivilege\fR token consists of: .sp .in +2 .nf token ID 1 byte text length 2 bytes privilege set name N bytes + 1 terminating NULL byte text length 2 bytes list of privileges N bytes + 1 terminating NULL byte .fi .in -2 .sp .LP The \fBuse-of-auth\fR token consists of: .sp .in +2 .nf token ID 1 byte text length 2 bytes authorization(s) N bytes + 1 terminating NULL byte .fi .in -2 .sp .LP The \fBuse-of-privilege\fR token consists of: .sp .in +2 .nf token ID 1 byte succ/fail 1 byte text length 2 bytes privilege used N bytes + 1 terminating NULL byte .fi .in -2 .sp .LP The \fBcommand\fR token consists of: .sp .in +2 .nf token ID 1 byte count of args 2 bytes argument list (count times) text length 2 bytes argument text N bytes + 1 terminating NULL byte count of env strings 2 bytes environment list (count times) text length 2 bytes env. text N bytes + 1 terminating NULL byte .fi .in -2 .sp .LP The \fBACL\fR token consists of: .sp .in +2 .nf token ID 1 byte type 4 bytes value 4 bytes file mode 4 bytes .fi .in -2 .sp .LP The ACE token consists of: .sp .in +2 .nf token ID 1 byte who 4 bytes access_mask 4 bytes flags 2 bytes type 2 bytes .fi .in -2 .sp .LP The \fBzonename\fR token consists of: .sp .in +2 .nf token ID 1 byte name length 2 bytes name \fI\fR including terminating NULL byte .fi .in -2 .sp .LP The \fBfmri\fR token consists of: .sp .in +2 .nf token ID 1 byte fmri length 2 bytes fmri \fI\fR including terminating NULL byte .fi .in -2 .sp .LP The \fBlabel\fR token consists of: .sp .in +2 .nf token ID 1 byte label ID 1 byte compartment length 1 byte classification 2 bytes compartment words \fI\fR * 4 bytes .fi .in -2 .sp .LP The \fBxatom\fR token consists of: .sp .in +2 .nf token ID 1 byte string length 2 bytes atom string \fIstring length\fR bytes .fi .in -2 .sp .LP The \fBxclient\fR token consists of: .sp .in +2 .nf token ID 1 byte client ID 4 bytes .fi .in -2 .sp .LP The \fBxcolormap\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .sp .LP The \fBxcursor\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .sp .LP The \fBxfont\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .sp .LP The \fBxgc\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .sp .LP The \fBxpixmap\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .sp .LP The \fBxproperty\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes string length 2 bytes string \fIstring length\fR bytes .fi .in -2 .sp .LP The \fBxselect\fR token consists of: .sp .in +2 .nf token ID 1 byte property length 2 bytes property string \fIproperty length\fR bytes prop. type len. 2 bytes prop type \fIprop. type len.\fR bytes data length 2 bytes window data \fIdata length\fR bytes .fi .in -2 .sp .LP The \fBxwindow\fR token consists of: .sp .in +2 .nf token ID 1 byte XID 4 bytes creator UID 4 bytes .fi .in -2 .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Interface StabilitySee below. .TE .sp .LP The binary file format is Committed. The binary file contents is Uncommitted. .SH SEE ALSO .sp .LP \fBaudit\fR(1M), \fBauditd\fR(1M), \fBbsmconv\fR(1M), \fBaudit\fR(2), \fBauditon\fR(2), \fBau_to\fR(3BSM), \fBaudit_control\fR(4), \fBaudit_syslog\fR(5) .sp .LP Part\ VII, \fISolaris Auditing,\fR in \fISystem Administration Guide: Security Services\fR .SH NOTES .sp .LP Each token is generally written using the \fBau_to\fR(3BSM) family of function calls.