.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $
.\"
.Dd May 1, 2005
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
.Nd "Basic Security Module (BSM) File Format"
.Sh DESCRIPTION
The
.Nm
file format is based on Sun's Basic Security Module (BSM) file format, a
token-based record stream to represent system audit data.
This file format is both flexible and extensible, able to describe a broad
range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
.Dv file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
.Dv header
token, and ends with a
.Dv trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
socket information, and so on.
.Pp
The BSM file format defines specific token orders for each record event type;
however, some variation may occur depending on the operating system in use
and on which system options, such as mandatory access control, are present.
.Pp
This manual page documents the common token types and their binary format, and
is intended for reference purposes only.
It is recommended that application programmers use the
.Xr libbsm 3
interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
.Dv file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
.Dv file
token can be created using
.Xr au_to_file 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
.It Li "File name length" Ta "2 bytes" Ta "File name of audit trail"
.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
.El
.Ss Header Token
The
.Dv header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A
.Dv header
token can be created using
.Xr au_to_header32 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
.Dv expanded header
token is an expanded version of the
.Dv header
token, with the addition of a machine IPv4 or IPv6 address.
The
.Xr libbsm 3
API cannot currently create an
.Dv expanded header
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
.Dv trailer
token terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC ,
and length that can be used to validate that the record was read properly.
A
.Dv trailer
token can be created using
.Xr au_to_trailer 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
.Dv arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multiplied by the number of units of data.
A
.Dv How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
The
.Xr libbsm 3
API cannot currently create an
.Dv arbitrary data
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
.It Li "Data Items" Ta "Variable" Ta "User data"
.El
.Ss in_addr Token
The
.Dv in_addr
token holds a network byte order IPv4 or IPv6 address.
An
.Dv in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
See the BUGS section for information on the storage of this token.
.Pp
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
.Dv expanded in_addr
token ...
.Pp
See the BUGS section for information on the storage of this token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss ip Token
The
.Dv ip
token contains an IP packet header in network byte order.
An
.Dv ip
token can be created using
.Xr au_to_ip 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
.El
.Ss Expanded ip Token
The
.Dv expanded ip
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss iport Token
The
.Dv iport
token stores an IP port number in network byte order.
An
.Dv iport
token can be created using
.Xr au_to_iport 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
.El
.Ss Path Token
The
.Dv path
token contains a pathname.
A
.Dv path
token can be created using
.Xr au_to_path 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
.El
.Ss path_attr Token
The
.Dv path_attr
token contains a set of nul-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
.Dv path_attr
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
.El
.Ss Process Token
The
.Dv process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
.Dv subject
token, which describes the subject performing an auditable event.
This includes not only the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and session.
A
.Dv process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID" Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Process Token
The
.Dv expanded process
token contains the contents of the
.Dv process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
.Dv expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID" Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" Ta "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
.Dv return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
A
.Dv return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
.El
.Ss Subject Token
The
.Dv subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
.Dv process
and
.Dv expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
.Dv subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID" Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Subject Token
The
.Dv expanded subject
token consists of the same elements as the
.Dv subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
.Dv expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID" Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" Ta "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
.Dv System V IPC
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
.El
.Ss Text Token
The
.Dv text
token contains a single nul-terminated text string.
A
.Dv text
token may be created using
.Xr au_to_text 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
.El
.Ss Attribute Token
The
.Dv attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
.Dv path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
.Dv attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
.Dv groups
token contains a list of group IDs associated with the audit event.
A
.Dv groups
token can be created using
.Xr au_to_groups 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
.El
.Ss System V IPC Permission Token
The
.Dv System V IPC permission
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Arg Token
The
.Dv arg
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_args Token
The
.Dv exec_args
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_env Token
The
.Dv exec_env
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Exit Token
The
.Dv exit
token contains process exit/return code information.
An
.Dv exit
token can be created using
.Xr au_to_exit 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
.It Li "Return Value" Ta "4 bytes" Ta "Process return value on exit"
.El
.Ss Socket Token
The
.Dv socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Expanded Socket Token
The
.Dv expanded socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Seq Token
The
.Dv seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
.El
.Ss privilege Token
The
.Dv privilege
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Use-of-auth Token
The
.Dv use-of-auth
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Command Token
The
.Dv command
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss ACL Token
The
.Dv ACL
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Zonename Token
The
.Dv zonename
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit 8
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
The
.Dv How to print
field in the
.Dv arbitrary data
token has undefined values.
.Pp
The
.Dv in_addr
and
.Dv in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
.Xr au_to_in_addr 3
and
.Xr au_to_in_addr_ex 3 .
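.Sh EXAMPLES
The C code below is an added example, not part of the original manual page or of OpenBSM. It checks the record framing described under Header Token and Trailer Token: the header's Record Byte Count is bounded against the available data, then the trailer's magic number and byte count are compared with it.
Assumptions: the token ID values and the value of TRAILER_PAD_MAGIC are taken from OpenBSM's bsm/audit_record.h rather than from this page, multi-byte fields are big-endian, the buffer holds only records (no file tokens), and the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values from OpenBSM's <bsm/audit_record.h>; this page does not list them. */
#define AUT_TRAILER       0x13
#define AUT_HEADER32      0x14
#define AUT_HEADER32_EX   0x15
#define TRAILER_PAD_MAGIC 0xb105

#define HDR_PREFIX_LEN 5 /* Token ID (1) + Record Byte Count (4) */
#define TRAILER_LEN    7 /* Token ID (1) + Trailer Magic (2) + Record Byte Count (4) */

enum bsm_status { BSM_OK, BSM_TRUNCATED, BSM_BAD_HEADER, BSM_BAD_LENGTH,
                  BSM_BAD_TRAILER, BSM_BAD_MAGIC, BSM_COUNT_MISMATCH };

/* Multi-byte fields are read as big-endian (assumption stated in the lead-in). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check one record's framing at buf[0..avail); on success store its length. */
enum bsm_status bsm_check_record(const uint8_t *buf, size_t avail, size_t *rec_len)
{
    if (avail < HDR_PREFIX_LEN)
        return BSM_TRUNCATED;
    if (buf[0] != AUT_HEADER32 && buf[0] != AUT_HEADER32_EX)
        return BSM_BAD_HEADER;
    uint32_t count = be32(buf + 1);
    /* The count comes from the file: bound it before using it as an offset. */
    if (count < HDR_PREFIX_LEN + TRAILER_LEN)
        return BSM_BAD_LENGTH;
    if (count > avail)
        return BSM_TRUNCATED;
    const uint8_t *tr = buf + count - TRAILER_LEN;
    if (tr[0] != AUT_TRAILER)
        return BSM_BAD_TRAILER;
    if (be16(tr + 1) != TRAILER_PAD_MAGIC)
        return BSM_BAD_MAGIC;
    if (be32(tr + 3) != count)
        return BSM_COUNT_MISMATCH;
    *rec_len = count;
    return BSM_OK;
}

/* Walk back-to-back records; return how many were valid before the first error. */
size_t bsm_count_records(const uint8_t *buf, size_t len, enum bsm_status *err)
{
    size_t off = 0, n = 0, rec_len = 0;
    *err = BSM_OK;
    while (off < len &&
           (*err = bsm_check_record(buf + off, len - off, &rec_len)) == BSM_OK) {
        off += rec_len;
        n++;
    }
    return n;
}

/* Constructed sample: a header laid out as in the Header Token table, then a trailer. */
static const uint8_t sample_record[26] = {
    0x14, 0x00, 0x00, 0x00, 0x1a,                   /* Token ID, Record Byte Count = 26 */
    0x00, 0x01, 0x00, 0x2d, 0x00, 0x00,             /* Version, Event Type, Event Modifier */
    0x42, 0x74, 0x3c, 0x80, 0x00, 0x00, 0x00, 0x00, /* Seconds, Nanoseconds */
    0x13, 0xb1, 0x05, 0x00, 0x00, 0x00, 0x1a        /* Trailer ID, magic, count = 26 */
};

int main(void)
{
    uint8_t two[52];
    enum bsm_status err;
    memcpy(two, sample_record, 26);
    memcpy(two + 26, sample_record, 26);
    two[46] ^= 0xff; /* corrupt the second record's trailer magic */
    size_t n = bsm_count_records(two, sizeof(two), &err);
    printf("valid records: %zu, status: %d\n", n, (int)err);
    return 0;
}
```

The check treats everything between the header prefix and the trailer as opaque; decoding the individual tokens is best left to the libbsm interface, as the DESCRIPTION section recommends.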