xref: /freebsd/contrib/openbsm/man/audit.log.5 (revision 21fdc27a054f668c8b6c2be503fa68622e5226da) 
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
3.\" Copyright (c) 2008 Apple Inc.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#23 $
28.\"
29.Dd November 5, 2006
30.Dt AUDIT.LOG 5
31.Os
32.Sh NAME
33.Nm audit
34.Nd "Basic Security Module (BSM) file format"
35.Sh DESCRIPTION
36The
37.Nm
38file format is based on Sun's Basic Security Module (BSM) file format, a
39token-based record stream to represent system audit data.
40This file format is both flexible and extensible, able to describe a broad
41range of data types, and easily extended to describe new data types in a
42moderately backward and forward compatible way.
43.Pp
44BSM token streams typically begin and end with a
45.Dq file
46token, which provides time stamp and file name information for the stream;
47when processing a BSM token stream from a stream as opposed to a single file
48source, file tokens may be seen at any point between ordinary records
49identifying when particular parts of the stream begin and end.
50All other tokens will appear in the context of a complete BSM audit record,
51which begins with a
52.Dq header
53token, and ends with a
54.Dq trailer
55token, which describe the audit record.
56Between these two tokens will appear a variety of data tokens, such as
57process information, file path names, IPC object information, MAC labels,
58socket information, and so on.
59.Pp
60The BSM file format defines specific token orders for each record event type;
61however, some variation may occur depending on the operating system in use,
62what system options, such as mandatory access control, are present.
63.Pp
64This manual page documents the common token types and their binary format, and
65is intended for reference purposes only.
66It is recommended that application programmers use the
67.Xr libbsm 3
68interface to read and write tokens, rather than parsing or constructing
69records by hand.
70.Ss File Token
71The
72.Dq file
73token is used at the beginning and end of an audit log file to indicate
74when the audit log begins and ends.
75It includes a pathname so that, if concatenated together, original file
76boundaries are still observable, and gaps in the audit log can be identified.
77A
78.Dq file
79token can be created using
80.Xr au_to_file 3 .
81.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
82.It Sy "Field	Bytes	Description"
83.It "Token ID	1 byte	Token ID"
84.It "Seconds	4 bytes	File time stamp"
85.It "Microseconds	4 bytes	File time stamp"
86.It "File name lengh	2 bytes	File name of audit trail"
87.It "File pathname	N bytes + 1 NUL	File name of audit trail"
88.El
89.Ss Header Token
90The
91.Dq header
92token is used to mark the beginning of a complete audit record, and includes
93the length of the total record in bytes, a version number for the record
94layout, the event type and subtype, and the time at which the event occurred.
95A 32-bit
96.Dq header
97token can be created using
98.Xr au_to_header32 3 ;
99a 64-bit
100.Dq header
101token can be created using
102.Xr au_to_header64 3 .
103.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
104.It Sy "Field	Bytes	Description"
105.It "Token ID	1 byte	Token ID"
106.It "Record Byte Count	4 bytes	Number of bytes in record"
107.It "Version Number	2 bytes	Record version number"
108.It "Event Type	2 bytes	Event type"
109.It "Event Modifier	2 bytes	Event sub-type"
110.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
111.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
112.El
113.Ss Expanded Header Token
114The
115.Dq expanded header
116token is an expanded version of the
117.Dq header
118token, with the addition of a machine IPv4 or IPv6 address.
119A 32-bit extended
120.Dq header
121token can be created using
122.Xr au_to_header32_ex 3 ;
123a 64-bit extended
124.Dq header
125token can be created using
126.Xr au_to_header64_ex 3 .
127.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
128.It Sy "Field	Bytes	Description"
129.It "Token ID	1 byte	Token ID"
130.It "Record Byte Count	4 bytes	Number of bytes in record"
131.It "Version Number	2 bytes	Record version number"
132.It "Event Type	2 bytes	Event type"
133.It "Event Modifier	2 bytes	Event sub-type"
134.It "Address Type/Length	1 byte	Host address type and length"
135.It "Machine Address	4/16 bytes	IPv4 or IPv6 address"
136.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
137.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
138.El
139.Ss Trailer Token
140The
141.Dq trailer
142terminates a BSM audit record, and contains a magic number,
143.Dv AUT_TRAILER_MAGIC
144and length that can be used to validate that the record was read properly.
145A
146.Dq trailer
147token can be created using
148.Xr au_to_trailer 3 .
149.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
150.It Sy "Field	Bytes	Description"
151.It "Token ID	1 byte	Token ID"
152.It "Trailer Magic	2 bytes	Trailer magic number"
153.It "Record Byte Count	4 bytes	Number of bytes in record"
154.El
155.Ss Arbitrary Data Token
156The
157.Dq arbitrary data
158token contains a byte stream of opaque (untyped) data.
159The size of the data is calculated as the size of each unit of data
160multipled by the number of units of data.
161A
162.Dq How to print
163field is present to specify how to print the data, but interpretation of
164that field is not currently defined.
165An
166.Dq arbitrary data
167token can be created using
168.Xr au_to_data 3 .
169.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
170.It Sy "Field	Bytes	Description"
171.It "Token ID	1 byte	Token ID"
172.It "How to Print	1 byte	User-defined printing information"
173.It "Basic Unit	1 byte	Size of a unit in bytes"
174.It "Unit Count	1 byte	Number of units of data present"
175.It "Data Items	Variable	User data"
176.El
177.Ss in_addr Token
178The
179.Dq in_addr
180token holds a network byte order IPv4 address.
181An
182.Dq in_addr
183token can be created using
184.Xr au_to_in_addr 3
185for an IPv4 address.
186.Pp
187.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
188.It Sy "Field	Bytes	Description"
189.It "Token ID	1 byte	Token ID"
190.It "IP Address	4 bytes	IPv4 address"
191.El
192.Ss Expanded in_addr Token
193The
194.Dq in_addr_ex
195token holds a network byte order IPv4 or IPv6 address.
196An
197.Dq in_addr_ex
198token can be created using
199.Xr au_to_in_addr_ex 3
200for an IPv6 address.
201.Pp
202See the
203.Sx BUGS
204section for information on the storage of this token.
205.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
206.It Sy "Field	Bytes	Description"
207.It "Token ID	1 byte	Token ID"
208.It "IP Address Type	1 byte	Type of address"
209.It "IP Address	4/16 bytes	IPv4 or IPv6 address"
210.El
211.Ss ip Token
212The
213.Dq ip
214token contains an IP packet header in network byte order.
215An
216.Dq ip
217token can be created using
218.Xr au_to_ip 3 .
219.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
220.It Sy "Field	Bytes	Description"
221.It "Token ID	1 byte	Token ID"
222.It "Version and IHL	1 byte	Version and IP header length"
223.It "Type of Service	1 byte	IP TOS field"
224.It "Length	2 bytes	IP packet length in network byte order"
225.It "ID	2 bytes	IP header ID for reassembly"
226.It "Offset	2 bytes	IP fragment offset and flags, network byte order"
227.It "TTL	1 byte	IP Time-to-Live"
228.It "Protocol	1 byte	IP protocol number"
229.It "Checksum	2 bytes	IP header checksum, network byte order"
230.It "Source Address	4 bytes	IPv4 source address"
231.It "Destination Address	4 bytes	IPv4 destination address"
232.El
233.Ss iport Token
234The
235.Dq iport
236token stores an IP port number in network byte order.
237An
238.Dq iport
239token can be created using
240.Xr au_to_iport 3 .
241.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
242.It Sy "Field	Bytes	Description"
243.It "Token ID	1 byte	Token ID"
244.It "Port Number	2 bytes	Port number in network byte order"
245.El
246.Ss Path Token
247The
248.Dq path
249token contains a pathname.
250A
251.Dq path
252token can be created using
253.Xr au_to_path 3 .
254.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
255.It Sy "Field	Bytes	Description"
256.It "Token ID	1 byte	Token ID"
257.It "Path Length	2 bytes	Length of path in bytes"
258.It "Path	N bytes + 1 NUL	Path name"
259.El
260.Ss path_attr Token
261The
262.Dq path_attr
263token contains a set of NUL-terminated path names.
264The
265.Xr libbsm 3
266API cannot currently create a
267.Dq path_attr
268token.
269.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
270.It Sy "Field	Bytes	Description"
271.It "Token ID	1 byte	Token ID"
272.It "Count	2 bytes	Number of NUL-terminated string(s) in token"
273.It "Path	Variable	count NUL-terminated string(s)"
274.El
275.Ss Process Token
276The
277.Dq process
278token contains a description of the security properties of a process
279involved as the target of an auditable event, such as the destination for
280signal delivery.
281It should not be confused with the
282.Dq subject
283token, which describes the subject performing an auditable event.
284This includes both the traditional
285.Ux
286security properties, such as user IDs and group IDs, but also audit
287information such as the audit user ID and session.
288A
289.Dq process
290token can be created using
291.Xr au_to_process32 3
292or
293.Xr au_to_process64 3 .
294.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
295.It Sy "Field	Bytes	Description"
296.It "Token ID	1 byte	Token ID"
297.It "Audit ID	4 bytes	Audit user ID"
298.It "Effective User ID	4 bytes	Effective user ID"
299.It "Effective Group ID	4 bytes	Effective group ID"
300.It "Real User ID	4 bytes	Real user ID"
301.It "Real Group ID	4 bytes	Real group ID"
302.It "Process ID	4 bytes	Process ID"
303.It "Session ID	4 bytes	Audit session ID"
304.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
305.It "Terminal Machine Address	4 bytes	IP address of machine"
306.El
307.Ss Expanded Process Token
308The
309.Dq expanded process
310token contains the contents of the
311.Dq process
312token, with the addition of a machine address type and variable length
313address storage capable of containing IPv6 addresses.
314An
315.Dq expanded process
316token can be created using
317.Xr au_to_process32_ex 3
318or
319.Xr au_to_process64_ex 3 .
320.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
321.It Sy "Field	Bytes	Description"
322.It "Token ID	1 byte	Token ID"
323.It "Audit ID	4 bytes	Audit user ID"
324.It "Effective User ID	4 bytes	Effective user ID"
325.It "Effective Group ID	4 bytes	Effective group ID"
326.It "Real User ID	4 bytes	Real user ID"
327.It "Real Group ID	4 bytes	Real group ID"
328.It "Process ID	4 bytes	Process ID"
329.It "Session ID	4 bytes	Audit session ID"
330.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
331.It "Terminal Address Type/Length	1 byte	Length of machine address"
332.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
333.El
334.Ss Return Token
335The
336.Dq return
337token contains a system call or library function return condition, including
338return value and error number associated with the global variable
339.Er errno .
340A
341.Dq return
342token can be created using
343.Xr au_to_return32 3
344or
345.Xr au_to_return64 3 .
346.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
347.It Sy "Field	Bytes	Description"
348.It "Token ID	1 byte	Token ID"
349.It "Error Number	1 byte	Errno value, or 0 if undefined"
350.It "Return Value	4/8 bytes	Return value (32/64-bits)"
351.El
352.Ss Subject Token
353The
354.Dq subject
355token contains information on the subject performing the operation described
356by an audit record, and includes similar information to that found in the
357.Dq process
358and
359.Dq expanded process
360tokens.
361However, those tokens are used where the process being described is the
362target of the operation, not the authorizing party.
363A
364.Dq subject
365token can be created using
366.Xr au_to_subject32 3
367and
368.Xr au_to_subject64 3 .
369.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
370.It Sy "Field	Bytes	Description"
371.It "Token ID	1 byte	Token ID"
372.It "Audit ID	4 bytes	Audit user ID"
373.It "Effective User ID	4 bytes	Effective user ID"
374.It "Effective Group ID	4 bytes	Effective group ID"
375.It "Real User ID	4 bytes	Real user ID"
376.It "Real Group ID	4 bytes	Real group ID"
377.It "Process ID	4 bytes	Process ID"
378.It "Session ID	4 bytes	Audit session ID"
379.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
380.It "Terminal Machine Address	4 bytes	IP address of machine"
381.El
382.Ss Expanded Subject Token
383The
384.Dq expanded subject
385token consists of the same elements as the
386.Dq subject
387token, with the addition of type/length and variable size machine address
388information in the terminal ID.
389An
390.Dq expanded subject
391token can be created using
392.Xr au_to_subject32_ex 3
393or
394.Xr au_to_subject64_ex 3 .
395.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
396.It Sy "Field	Bytes	Description"
397.It "Token ID	1 byte	Token ID"
398.It "Audit ID	4 bytes	Audit user ID"
399.It "Effective User ID	4 bytes	Effective user ID"
400.It "Effective Group ID	4 bytes	Effective group ID"
401.It "Real User ID	4 bytes	Real user ID"
402.It "Real Group ID	4 bytes	Real group ID"
403.It "Process ID	4 bytes	Process ID"
404.It "Session ID	4 bytes	Audit session ID"
405.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
406.It "Terminal Address Type/Length	1 byte	Length of machine address"
407.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
408.El
409.Ss System V IPC Token
410The
411.Dq System V IPC
412token contains the System V IPC message handle, semaphore handle or shared
413memory handle.
414A System V IPC token may be created using
415+.Xr au_to_ipc 3 .
416.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
417.It Sy "Field	Bytes	Description"
418.It "Token ID	1 byte	Token ID"
419.It "Object ID type	1 byte	Object ID"
420.It "Object ID	4 bytes	Object ID"
421.El
422.Ss Text Token
423The
424.Dq text
425token contains a single NUL-terminated text string.
426A
427.Dq text
428token may be created using
429.Xr au_to_text 3 .
430.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
431.It Sy "Field	Bytes	Description"
432.It "Token ID	1 byte	Token ID"
433.It "Text Length	2 bytes	Length of text string including NUL"
434.It "Text	N bytes + 1 NUL	Text string including NUL"
435.El
436.Ss Attribute Token
437The
438.Dq attribute
439token describes the attributes of a file associated with the audit event.
440As files may be identified by 0, 1, or many path names, a path name is not
441included with the attribute block for a file; optional
442.Dq path
443tokens may also be present in an audit record indicating which path, if any,
444was used to reach the object.
445An
446.Dq attribute
447token can be created using
448.Xr au_to_attr32 3
449or
450.Xr au_to_attr64 3 .
451.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
452.It Sy "Field	Bytes	Description"
453.It "Token ID	1 byte	Token ID"
454.It "File Access Mode	1 byte	mode_t associated with file"
455.It "Owner User ID	4 bytes	uid_t associated with file"
456.It "Owner Group ID	4 bytes	gid_t associated with file"
457.It "File System ID	4 bytes	fsid_t associated with file"
458.It "File System Node ID	8 bytes	ino_t associated with file"
459.It "Device	4/8 bytes	Device major/minor number (32/64-bit)"
460.El
461.Ss Groups Token
462The
463.Dq groups
464token contains a list of group IDs associated with the audit event.
465A
466.Dq groups
467token can be created using
468.Xr au_to_groups 3 .
469.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
470.It Sy "Field	Bytes	Description"
471.It "Token ID	1 byte	Token ID"
472.It "Number of Groups	2 bytes	Number of groups in token"
473.It "Group List	N * 4 bytes	List of N group IDs"
474.El
475.Ss System V IPC Permission Token
476The
477.Dq System V IPC permission
478token contains a System V IPC access permissions.
479A System V IPC permission token may be created using
480.Xr au_to_ipc_perm 3 .
481.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
482.It Sy "Field	Bytes	Description"
483.It "Token ID	1 byte	Token ID"
484.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
485.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
486.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
487.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
488.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
489.It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
490.It Li "Key" Ta "4 bytes" Ta "IPC key"
491.El
492.Ss Arg Token
493The
494.Dq arg
495token contains informations about arguments of the system call.
496Depending on the size of the desired argument value, an Arg token may be
497created using
498.Xr au_to_arg32 3
499or
500.Xr au_to_arg64 3 .
501.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
502.It Sy "Field	Bytes	Description"
503.It "Token ID	1 byte	Token ID"
504.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
505.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
506.It Li "Length" Ta "2 bytes" Ta "Length of the text"
507.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
508.El
509.Ss exec_args Token
510The
511.Dq exec_args
512token contains informations about arguements of the exec() system call.
513An exec_args token may be created using
514.Xr au_to_exec_args 3 .
515.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
516.It Sy "Field	Bytes	Description"
517.It "Token ID	1 byte	Token ID"
518.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
519.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
520.El
521.Ss exec_env Token
522The
523.Dq exec_env
524token contains current eviroment variables to an exec() system call.
525An exec_args token may be created using
526.Xr au_to_exec_env 3 .
527.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
528.It Sy "Field	Bytes	Description"
529.It "Token ID	1 byte	Token ID"
530.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
531.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
532.El
533.Ss Exit Token
534The
535.Dq exit
536token contains process exit/return code information.
537An
538.Dq exit
539token can be created using
540.Xr au_to_exit 3 .
541.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
542.It Sy "Field	Bytes	Description"
543.It "Token ID	1 byte	Token ID"
544.It "Status	4 bytes	Process status on exit"
545.It "Return Value	4 bytes	Process return value on exit"
546.El
547.Ss Socket Token
548The
549.Dq socket
550token contains information about UNIX domain and Internet sockets.
551Each token has four or eight fields.
552Depending on the type of socket, a socket token may be created using
553.Xr au_to_sock_unix 3 ,
554.Xr au_to_sock_inet32 3
555or
556.Xr au_to_sock_inet128 3 .
557.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
558.It Sy "Field" Ta Sy Bytes Ta Sy Description
559.It Li "Token ID" Ta "1 byte" Ta "Token ID"
560.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
561.It Li "Local port" Ta "2 bytes" Ta "Local port"
562.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
563.El
564.Ss Expanded Socket Token
565The
566.Dq expanded socket
567token contains information about IPv4 and IPv6 sockets.
568A
569.Dq expanded socket
570token can be created using
571.Xr au_to_socket_ex 3 .
572.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
573.It Sy "Field	Bytes	Description"
574.It Li "Token ID" Ta "1 byte" Ta "Token ID"
575.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
576.It Li "Socket type" Ta "2 bytes" Ta "Socket type"
577.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
578.It Li "Local port" Ta "2 bytes" Ta "Local port"
579.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
580.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
581.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
582.El
583.Ss Seq Token
584The
585.Dq seq
586token contains a unique and monotonically increasing audit event sequence ID.
587Due to the limited range of 32 bits, serial number arithmetic and caution
588should be used when comparing sequence numbers.
589.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
590.It Sy "Field	Bytes	Description"
591.It "Token ID	1 byte	Token ID"
592.It "Sequence Number	4 bytes	Audit event sequence number"
593.El
594.Ss privilege Token
595The
596.Dq privilege
597token ...
598.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
599.It Sy "Field	Bytes	Description"
600.It "Token ID	1 byte	Token ID"
601.It XXXXX
602.El
603.Ss Use-of-auth Token
604The
605.Dq use-of-auth
606token ...
607.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
608.It Sy "Field	Bytes	Description"
609.It "Token ID	1 byte	Token ID"
610.It XXXXX
611.El
612.Ss Command Token
613The
614.Dq command
615token ...
616.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
617.It Sy "Field	Bytes	Description"
618.It "Token ID	1 byte	Token ID"
619.It XXXXX
620.El
621.Ss ACL Token
622The
623.Dq ACL
624token ...
625.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
626.It Sy "Field	Bytes	Description"
627.It "Token ID	1 byte	Token ID"
628.It XXXXX
629.El
630.Ss Zonename Token
631The
632.Dq zonename
633token holds a NUL-terminated string with the name of the zone or jail from
634which the record originated.
635A
636.Dz zonename
637token can be created using
638.Xr au_to_zonename 3 .
639.Pp
640.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
641.It Sy "Field	Bytes	Description"
642.It "Token ID	1 byte	Token ID"
643.It "Zonename length	2 bytes	Length of zonename string including NUL"
644.It "Zonename	N bytes + 1 NUL	Zonename string including NUL"
645.El
646.Sh SEE ALSO
647.Xr auditreduce 1 ,
648.Xr praudit 1 ,
649.Xr libbsm 3 ,
650.Xr audit 4 ,
651.Xr auditpipe 4 ,
652.Xr audit 8
653.Sh HISTORY
654The OpenBSM implementation was created by McAfee Research, the security
655division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
656It was subsequently adopted by the TrustedBSD Project as the foundation for
657the OpenBSM distribution.
658.Sh AUTHORS
659The Basic Security Module (BSM) interface to audit records and audit event
660stream format were defined by Sun Microsystems.
661.Pp
662This manual page was written by
663.An Robert Watson Aq rwatson@FreeBSD.org .
664.Sh BUGS
665The
666.Dq How to print
667field in the
668.Dq arbitrary data
669token has undefined values.
670.Pp
671The
672.Dq in_addr
673and
674.Dq in_addr_ex
675token layout documented here appears to be in conflict with the
676.Xr libbsm 3
677implementation of
678.Xr au_to_in_addr_ex 3 .
679