xref: /freebsd/contrib/openbsm/man/audit.log.5 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
.\"
.Dd November 5, 2006
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
.Nd "Basic Security Module (BSM) file format"
.Sh DESCRIPTION
The
.Nm
file format is based on Sun's Basic Security Module (BSM) file format, a
token-based record stream to represent system audit data.
This file format is both flexible and extensible, able to describe a broad
range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
.Dq file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
.Dq header
token, and ends with a
.Dq trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
socket information, and so on.
.Pp
The BSM file format defines specific token orders for each record event type;
however, some variation may occur depending on the operating system in use
and what system options, such as mandatory access control, are present.
.Pp
This manual page documents the common token types and their binary format, and
is intended for reference purposes only.
It is recommended that application programmers use the
.Xr libbsm 3
interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
.Dq file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
.Dq file
token can be created using
.Xr au_to_file 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Seconds	4 bytes	File time stamp"
.It "Microseconds	4 bytes	File time stamp"
.It "File name length	2 bytes	Length of audit trail file name"
.It "File pathname	N bytes + 1 NUL	File name of audit trail"
.El
.Ss Header Token
The
.Dq header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A 32-bit
.Dq header
token can be created using
.Xr au_to_header32 3 ;
a 64-bit
.Dq header
token can be created using
.Xr au_to_header64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.It "Version Number	2 bytes	Record version number"
.It "Event Type	2 bytes	Event type"
.It "Event Modifier	2 bytes	Event sub-type"
.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
.Dq expanded header
token is an expanded version of the
.Dq header
token, with the addition of a machine IPv4 or IPv6 address.
A 32-bit extended
.Dq header
token can be created using
.Xr au_to_header32_ex 3 ;
a 64-bit extended
.Dq header
token can be created using
.Xr au_to_header64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.It "Version Number	2 bytes	Record version number"
.It "Event Type	2 bytes	Event type"
.It "Event Modifier	2 bytes	Event sub-type"
.It "Address Type/Length	1 byte	Host address type and length"
.It "Machine Address	4/16 bytes	IPv4 or IPv6 address"
.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
.Dq trailer
token terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC
and length that can be used to validate that the record was read properly.
A
.Dq trailer
token can be created using
.Xr au_to_trailer 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Trailer Magic	2 bytes	Trailer magic number"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
.Dq arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multiplied by the number of units of data.
A
.Dq How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
An
.Dq arbitrary data
token can be created using
.Xr au_to_data 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "How to Print	1 byte	User-defined printing information"
.It "Basic Unit	1 byte	Size of a unit in bytes"
.It "Unit Count	1 byte	Number of units of data present"
.It "Data Items	Variable	User data"
.El
.Ss in_addr Token
The
.Dq in_addr
token holds a network byte order IPv4 or IPv6 address.
An
.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
See the
.Sx BUGS
section for information on the storage of this token.
.Pp
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "IP Address Type	1 byte	Type of address"
.It "IP Address	4/16 bytes	IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
.Dq expanded in_addr
token ...
.Pp
See the
.Sx BUGS
section for information on the storage of this token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXX
.El
.Ss ip Token
The
.Dq ip
token contains an IP packet header in network byte order.
An
.Dq ip
token can be created using
.Xr au_to_ip 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Version and IHL	1 byte	Version and IP header length"
.It "Type of Service	1 byte	IP TOS field"
.It "Length	2 bytes	IP packet length in network byte order"
.It "ID	2 bytes	IP header ID for reassembly"
.It "Offset	2 bytes	IP fragment offset and flags, network byte order"
.It "TTL	1 byte	IP Time-to-Live"
.It "Protocol	1 byte	IP protocol number"
.It "Checksum	2 bytes	IP header checksum, network byte order"
.It "Source Address	4 bytes	IPv4 source address"
.It "Destination Address	4 bytes	IPv4 destination address"
.El
.Ss Expanded ip Token
The
.Dq expanded ip
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXX
.El
.Ss iport Token
The
.Dq iport
token stores an IP port number in network byte order.
An
.Dq iport
token can be created using
.Xr au_to_iport 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Port Number	2 bytes	Port number in network byte order"
.El
.Ss Path Token
The
.Dq path
token contains a pathname.
A
.Dq path
token can be created using
.Xr au_to_path 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Path Length	2 bytes	Length of path in bytes"
.It "Path	N bytes + 1 NUL	Path name"
.El
.Ss path_attr Token
The
.Dq path_attr
token contains a set of NUL-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
.Dq path_attr
token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Count	2 bytes	Number of NUL-terminated string(s) in token"
.It "Path	Variable	count NUL-terminated string(s)"
.El
.Ss Process Token
The
.Dq process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
.Dq subject
token, which describes the subject performing an auditable event.
This includes the traditional
.Ux
security properties, such as user IDs and group IDs, as well as audit
information such as the audit user ID and session.
A
.Dq process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Machine Address	4 bytes	IP address of machine"
.El
.Ss Expanded Process Token
The
.Dq expanded process
token contains the contents of the
.Dq process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
.Dq expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Address Type/Length	1 byte	Length of machine address"
.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
.Dq return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
A
.Dq return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Error Number	1 byte	Errno value, or 0 if undefined"
.It "Return Value	4/8 bytes	Return value (32/64-bits)"
.El
.Ss Subject Token
The
.Dq subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
.Dq process
and
.Dq expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
.Dq subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Machine Address	4 bytes	IP address of machine"
.El
.Ss Expanded Subject Token
The
.Dq expanded subject
token consists of the same elements as the
.Dq subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
.Dq expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Address Type/Length	1 byte	Length of machine address"
.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
.Dq System V IPC
token contains the System V IPC message handle, semaphore handle or shared
memory handle.
A System V IPC token may be created using
.Xr au_to_ipc 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Object ID type	1 byte	Object ID"
.It "Object ID	4 bytes	Object ID"
.El
.Ss Text Token
The
.Dq text
token contains a single NUL-terminated text string.
A
.Dq text
token may be created using
.Xr au_to_text 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Text Length	2 bytes	Length of text string including NUL"
.It "Text	N bytes + 1 NUL	Text string including NUL"
.El
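.Pp
The record structure described in the DESCRIPTION and the header, trailer, path, text and return token layouts above can be walked with a small bounds-checked parser; the following is an added example, not code from this manual page or from libbsm.
It follows the field widths in the tables above, except that the header version is encoded as a single byte, which is how libbsm's au_to_header32 writes it; the numeric token IDs are those from bsm/audit_record.h, and the sample record's event number and strings are constructed.

```python
import struct

# Token IDs and trailer magic as defined in OpenBSM's bsm/audit_record.h.
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_PAD_MAGIC = 0xB105

HEADER32_LEN = 18    # id(1) count(4) version(1) type(2) modifier(2) sec(4) nsec(4)
TRAILER_LEN = 7      # id(1) magic(2) count(4)
RETURN32_LEN = 6     # id(1) errno(1) value(4)
RECORD_VERSION = 11  # constructed sample value for the header version field


class BsmError(ValueError):
    """Raised when a record is truncated, inconsistent or unsupported."""


def encode_string_token(tid, text):
    """Encode a path or text token: ID, 2-byte length (including NUL), string, NUL."""
    data = text.encode("utf-8") + bytes(1)
    return struct.pack(">BH", tid, len(data)) + data


def encode_record(ev_type, ev_mod, sec, nsec, body):
    """Wrap already-encoded body tokens in a 32-bit header and a trailer."""
    count = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, count, RECORD_VERSION,
                         ev_type, ev_mod, sec, nsec)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_PAD_MAGIC, count)
    return header + body + trailer


def parse_record(buf):
    """Parse one complete record at buf[0]; return (header dict, token list).
    Every length is checked against the header byte count and the trailer must
    agree with the header, so a truncated or tampered record is rejected."""
    if len(buf) < HEADER32_LEN + TRAILER_LEN or buf[0] != AUT_HEADER32:
        raise BsmError("record does not start with a 32-bit header token")
    count, version, ev_type, ev_mod, sec, nsec = struct.unpack_from(">IBHHII", buf, 1)
    if count < HEADER32_LEN + TRAILER_LEN or count > len(buf):
        raise BsmError("record byte count %d does not fit the buffer" % count)
    header = {"count": count, "version": version, "event": ev_type,
              "modifier": ev_mod, "seconds": sec, "nanoseconds": nsec}
    body_end = count - TRAILER_LEN  # the trailer occupies the last 7 bytes
    tokens, pos = [], HEADER32_LEN
    while pos < body_end:
        tid = buf[pos]
        if tid in (AUT_PATH, AUT_TEXT):
            if pos + 3 > body_end:
                raise BsmError("string token truncated at offset %d" % pos)
            (length,) = struct.unpack_from(">H", buf, pos + 1)
            start, end = pos + 3, pos + 3 + length
            if length == 0 or end > body_end or buf[end - 1] != 0:
                raise BsmError("bad string length or missing NUL at offset %d" % pos)
            kind = "path" if tid == AUT_PATH else "text"
            tokens.append((kind, buf[start:end - 1].decode("utf-8", "replace")))
            pos = end
        elif tid == AUT_RETURN32:
            if pos + RETURN32_LEN > body_end:
                raise BsmError("return token truncated at offset %d" % pos)
            err, value = struct.unpack_from(">BI", buf, pos + 1)
            tokens.append(("return", err, value))
            pos += RETURN32_LEN
        else:
            raise BsmError("unsupported token ID 0x%02x at offset %d" % (tid, pos))
    tid, magic, tcount = struct.unpack_from(">BHI", buf, body_end)
    if tid != AUT_TRAILER or magic != TRAILER_PAD_MAGIC or tcount != count:
        raise BsmError("trailer missing or inconsistent with header")
    return header, tokens


# Constructed sample record: a path, a text string and a successful return.
SAMPLE = encode_record(0x1234, 0, 1162684800, 0,
                       encode_string_token(AUT_PATH, "/tmp/example")
                       + encode_string_token(AUT_TEXT, "constructed sample")
                       + struct.pack(">BBI", AUT_RETURN32, 0, 0))
```

Records that carry other token types are rejected rather than guessed at; extending the parser means adding a branch with the width from the corresponding table.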
.Ss Attribute Token
The
.Dq attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
.Dq path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
.Dq attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "File Access Mode	1 byte	mode_t associated with file"
.It "Owner User ID	4 bytes	uid_t associated with file"
.It "Owner Group ID	4 bytes	gid_t associated with file"
.It "File System ID	4 bytes	fsid_t associated with file"
.It "File System Node ID	8 bytes	ino_t associated with file"
.It "Device	4/8 bytes	Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
.Dq groups
token contains a list of group IDs associated with the audit event.
A
.Dq groups
token can be created using
.Xr au_to_groups 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Number of Groups	2 bytes	Number of groups in token"
.It "Group List	N * 4 bytes	List of N group IDs"
.El
.Ss System V IPC Permission Token
The
.Dq System V IPC permission
token contains System V IPC access permissions.
A System V IPC permission token may be created using
.Xr au_to_ipc_perm 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
.It Li "Sequence number" Ta "4 bytes" Ta "Sequence number"
.It Li "Key" Ta "4 bytes" Ta "IPC key"
.El
.Ss Arg Token
The
.Dq arg
token contains information about the arguments of a system call.
Depending on the size of the desired argument value, an Arg token may be
created using
.Xr au_to_arg32 3
or
.Xr au_to_arg64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
.It Li "Length" Ta "2 bytes" Ta "Length of the text"
.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
.El
.Ss exec_args Token
The
.Dq exec_args
token contains information about the arguments of the exec() system call.
An exec_args token may be created using
.Xr au_to_exec_args 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
.It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
.El
.Ss exec_env Token
The
.Dq exec_env
token contains the current environment variables passed to an exec() system call.
An exec_env token may be created using
.Xr au_to_exec_env 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
.El
.Ss Exit Token
The
.Dq exit
token contains process exit/return code information.
An
.Dq exit
token can be created using
.Xr au_to_exit 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Status	4 bytes	Process status on exit"
.It "Return Value	4 bytes	Process return value on exit"
.El
.Ss Socket Token
The
.Dq socket
token contains information about UNIX domain and Internet sockets.
Each token has four or eight fields.
Depending on the type of socket, a socket token may be created using
.Xr au_to_sock_unix 3 ,
.Xr au_to_sock_inet32 3 or
.Xr au_to_sock_inet128 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
.It Li "Local port" Ta "2 bytes" Ta "Local port"
.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
.El
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
.It Li "Local port" Ta "2 bytes" Ta "Local port"
.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Expanded Socket Token
The
.Dq expanded socket
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Ss Seq Token
The
.Dq seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Sequence Number	4 bytes	Audit event sequence number"
.El
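.Pp
Serial number arithmetic for the 32-bit sequence field, as an added example that is not part of this manual page or of libbsm: seq_distance compares values as RFC 1982 serial numbers, so a wrap from 0xffffffff to 0 counts as one step forward, and check_sequence walks the seq values of consecutive records from a stream and flags gaps and replays.
The function names and the sample sequences are constructed for this example.

```python
SEQ_BITS = 32
SEQ_MOD = 1 << SEQ_BITS
SEQ_HALF = 1 << (SEQ_BITS - 1)


def seq_distance(a, b):
    """Signed distance from sequence number a to b, modulo 2**32.

    Values are compared as serial numbers (RFC 1982): differences smaller
    than half the range are taken at face value, larger ones are treated as
    wrap-around, so 0xffffffff -> 0 is +1 rather than -(2**32 - 1).
    """
    d = (b - a) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_HALF else d


def seq_less(a, b):
    """True if a precedes b in serial-number order."""
    return seq_distance(a, b) > 0


def check_sequence(seqs):
    """Walk the seq token values of consecutive records and report anomalies.

    Returns a list of (index, kind, detail): kind is "gap" when records are
    missing between neighbours (detail = how many), or "replay" when a value
    is equal to or older than its predecessor (detail = the signed distance).
    A gap may be loss, auditreduce(1) filtering or trail rotation; a replay in
    a trail that should be monotonic deserves a closer look.
    """
    findings = []
    for i in range(1, len(seqs)):
        d = seq_distance(seqs[i - 1], seqs[i])
        if d == 1:
            continue
        findings.append((i, "gap", d - 1) if d > 0 else (i, "replay", d))
    return findings
```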
.Ss privilege Token
The
.Dq privilege
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Ss Use-of-auth Token
The
.Dq use-of-auth
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Ss Command Token
The
.Dq command
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Ss ACL Token
The
.Dq ACL
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Ss Zonename Token
The
.Dq zonename
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It XXXXX
.El
.Sh SEE ALSO
.Xr auditreduce 1 ,
.Xr praudit 1 ,
.Xr libbsm 3 ,
.Xr audit 4 ,
.Xr auditpipe 4 ,
.Xr audit 8
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh BUGS
The
.Dq How to print
field in the
.Dq arbitrary data
token has undefined values.
.Pp
The
.Dq in_addr
and
.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
.Xr au_to_in_addr 3
and
.Xr au_to_in_addr_ex 3 .
683