1.\"- 2.\" Copyright (c) 2005 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $ 27.\" 28.Dd May 1, 2005 29.Dt AUDIT.LOG 5 30.Os 31.Sh NAME 32.Nm audit 33.Nd "Basic Security Module (BSM) File Format" 34.Sh DESCRIPTION 35The 36.Nm 37file format is based on Sun's Basic Security Module (BSM) file format, a 38token-based record stream to represent system audit data. 39This file format is both flexible and extensible, able to describe a broad 40range of data types, and easily extended to describe new data types in a 41moderately backward and forward compatible way. 42.Pp 43BSM token streams typically begin and end with a 44.Dv file 45token, which provides time stamp and file name information for the stream; 46when processing a BSM token stream from a stream as opposed to a single file 47source, file tokens may be seen at any point between ordinary records 48identifying when particular parts of the stream begin and end. 49All other tokens will appear in the context of a complete BSM audit record, 50which begins with a 51.Dv header 52token, and ends with a 53.Dv trailer 54token, which describe the audit record. 55Between these two tokens will appear a variety of data tokens, such as 56process information, file path names, IPC object information, MAC labels, 57socket information, and so on. 58.Pp 59The BSM file format defines specific token orders for each record event type; 60however, some variation may occur depending on the operating system in use, 61what system options, such as mandatory access control, are present. 62.Pp 63This manual page documents the common token types and their binary format, and 64is intended for reference purposes only. 65It is recommended that application programmers use the 66.Xr libbsm 3 67interface to read and write tokens, rather than parsing or constructing 68records by hand. 69.Ss File Token 70The 71.Dv file 72token is used at the beginning and end of an audit log file to indicate 73when the audit log begins and ends. 74It includes a pathname so that, if concatenated together, original file 75boundaries are still observable, and gaps in the audit log can be identified. 76A 77.Dv file 78token can be created using 79.Xr au_to_file 3 . 80.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 81.It Sy "Field" Ta Sy Bytes Ta Sy Description 82.It Li "Token ID" Ta "1 byte" Ta "Token ID" 83.It Li "Seconds" Ta "4 bytes" Ta "File time stamp" 84.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp" 85.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail" 86.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail" 87.El 88.Ss Header Token 89The 90.Dv header 91token is used to mark the beginning of a complete audit record, and includes 92the length of the total record in bytes, a version number for the record 93layout, the event type and subtype, and the time at which the event occurred. 94A 95.Dv header 96token can be created using 97.Xr au_to_header32 3 . 98.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 99.It Sy "Field" Ta Sy Bytes Ta Sy Description 100.It Li "Token ID" Ta "1 byte" Ta "Token ID" 101.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" 102.It Li "Version Number" Ta "2 bytes" Ta "Record version number" 103.It Li "Event Type" Ta "2 bytes" Ta "Event type" 104.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" 105.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" 106.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" 107.El 108.Ss Expanded Header Token 109The 110.Dv expanded header 111token is an expanded version of the 112.Dv header 113token, with the addition of a machine IPv4 or IPv6 address. 114The 115.Xr libbsm 3 116API cannot currently create an 117.Dv expanded header 118token. 119.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 120.It Sy "Field" Ta Sy Bytes Ta Sy Description 121.It Li "Token ID" Ta "1 byte" Ta "Token ID" 122.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" 123.It Li "Version Number" Ta "2 bytes" Ta "Record version number" 124.It Li "Event Type" Ta "2 bytes" Ta "Event type" 125.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" 126.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length" 127.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" 128.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" 129.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" 130.El 131.Ss Trailer Token 132The 133.Dv trailer 134terminates a BSM audit record, and contains a magic number, 135.Dv TRAILER_PAD_MAGIC 136and length that can be used to validate that the record was read properly. 137A 138.Dv trailer 139token can be created using 140.Xr au_to_trailer 3 . 141.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 142.It Sy "Field" Ta Sy Bytes Ta Sy Description 143.It Li "Token ID" Ta "1 byte" Ta "Token ID" 144.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number" 145.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" 146.El 147.Ss Arbitrary Data Token 148The 149.Dv arbitrary data 150token contains a byte stream of opaque (untyped) data. 151The size of the data is calculated as the size of each unit of data 152multipled by the number of units of data. 153A 154.Dv How to print 155field is present to specify how to print the data, but interpretation of 156that field is not currently defined. 157The 158.Xr libbsm 3 159API cannot currently create an 160.Dv arbitrary data 161token. 162.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 163.It Sy "Field" Ta Sy Bytes Ta Sy Description 164.It Li "Token ID" Ta "1 byte" Ta "Token ID" 165.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information" 166.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes" 167.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present" 168.It Li "Data Items" Ta "Variable" Ta "User data" 169.El 170.Ss in_addr Token 171The 172.Dv in_addr 173token holds a network byte order IPv4 or IPv6 address. 174An 175.Dv in_addr 176token can be created using 177.Xr au_to_in_addr 3 178for an IPv4 address, or 179.Xr au_to_in_addr_ex 3 180for an IPv6 address. 181.Pp 182See the BUGS section for information on the storage of this token. 183.Pp 184.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 185.It Sy "Field" Ta Sy Bytes Ta Sy Description 186.It Li "Token ID" Ta "1 byte" Ta "Token ID" 187.It Li "IP Address Type" Ta "1 byte" Ta "Type of address" 188.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" 189.El 190.Ss Expanded in_addr Token 191The 192.Dv expanded in_addr 193token ... 194.Pp 195See the BUGS section for information on the storage of this token. 196.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 197.It Sy "Field" Ta Sy Bytes Ta Sy Description 198.It Li "Token ID" Ta "1 byte" Ta "Token ID" 199.It XXXX 200.El 201.Ss ip Token 202The 203.Dv ip 204token contains an IP packet header in network byte order. 205An 206.Dv ip 207token can be cread using 208.Xr au_to_ip 3 . 209.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 210.It Sy "Field" Ta Sy Bytes Ta Sy Description 211.It Li "Token ID" Ta "1 byte" Ta "Token ID" 212.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" 213.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" 214.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" 215.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" 216.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order" 217.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live" 218.It Li "Protocol" Ta "1 byte" Ta "IP protocol number" 219.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order" 220.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address" 221.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address" 222.El 223.Ss Expanded ip Token 224The 225.Dv expanded ip 226token ... 227.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 228.It Sy "Field" Ta Sy Bytes Ta Sy Description 229.It Li "Token ID" Ta "1 byte" Ta "Token ID" 230.It XXXX 231.El 232.Ss iport Token 233The 234.Dv iport 235token stores an IP port number in network byte order. 236An 237.Dv iport 238token can be created using 239.Xr au_to_iport 3 . 240.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 241.It Sy "Field" Ta Sy Bytes Ta Sy Description 242.It Li "Token ID" Ta "1 byte" Ta "Token ID" 243.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order" 244.El 245.Ss Path Token 246The 247.Dv path 248token contains a pathname. 249A 250.Dv path 251token can be created using 252.Xr auto_path 3 . 253.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 254.It Sy "Field" Ta Sy Bytes Ta Sy Description 255.It Li "Token ID" Ta "1 byte" Ta "Token ID" 256.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" 257.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" 258.El 259.Ss path_attr Token 260The 261.Dv path_attr 262token contains a set of nul-terminated path names. 263The 264.Xr libbsm 3 265API cannot currently create an 266.Dv path_attr 267token. 268.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 269.It Sy "Field" Ta Sy Bytes Ta Sy Description 270.It Li "Token ID" Ta "1 byte" Ta "Token ID" 271.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" 272.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" 273.El 274.Ss Process Token 275The 276.Dv process 277token contains a description of the security properties of a process 278involved as the target of an auditable event, such as the destination for 279signal delivery. 280It should not be confused with the 281.Dv subject 282token, which describes the subject performing an auditable event. 283This includes both the traditional 284.Ux 285security properties, such as user IDs and group IDs, but also audit 286information such as the audit user ID and sesion. 287A 288.Dv process 289token can be created using 290.Xr au_to_process32 3 291or 292.Xr au_to_process64 3 . 293.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 294.It Sy "Field" Ta Sy Bytes Ta Sy Description 295.It Li "Token ID" Ta "1 byte" Ta "Token ID" 296.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 297.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 298.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 299.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 300.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" 301.It Li "Process ID" Ta "4 bytes" Ta "Process ID" 302.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" 303.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" 304.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" 305.El 306.Ss Expanded Process Token 307The .Dv expanded process 308token contains the contents of the 309.Dv process 310token, with the addition of a machine address type and variable length 311address storage capable of containing IPv6 addresses. 312A 313.Dv expanded process 314token can be created using 315.Xr au_to_process32_ex 3 316or 317.Xr au_to_process64 3 . 318.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 319.It Sy "Field" Ta Sy Bytes Ta Sy Description 320.It Li "Token ID" Ta "1 byte" Ta "Token ID" 321.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 322.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 323.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 324.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 325.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" 326.It Li "Process ID" Ta "4 bytes" Ta "Process ID" 327.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" 328.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" 329.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" 330.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" 331.El 332.Ss Return Token 333The 334.Dv return 335token contains a system call or library function return condition, including 336return value and error number associated with the global variable 337.Er errno . 338A 339.Dv return 340token can be created using 341.Xr au_to_return32 3 342or 343.Xr au_to_return64 3 . 344.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 345.It Sy "Field" Ta Sy Bytes Ta Sy Description 346.It Li "Token ID" Ta "1 byte" Ta "Token ID" 347.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined" 348.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)" 349.El 350.Ss Subject Token 351The 352.Dv subject 353token contains information on the subject performing the operation described 354by an audit record, and includes similar information to that found in the 355.Dv process 356and 357.Dv expanded process 358tokens. 359However, those tokens are used where the process being described is the 360target of the operation, not the authorizing party. 361A 362.Dv subject 363token can be created using 364.Xr au_to_subject32 3 365and 366.Xr au_to_subject64 3 . 367.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 368.It Sy "Field" Ta Sy Bytes Ta Sy Description 369.It Li "Token ID" Ta "1 byte" Ta "Token ID" 370.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 371.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 372.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 373.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 374.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" 375.It Li "Process ID" Ta "4 bytes" Ta "Process ID" 376.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" 377.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" 378.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" 379.El 380.Ss Expanded Subject Token 381The 382.Dv expanded subject 383token consists of the same elements as the 384.Dv subject 385token, with the addition of type/length and variable size machine address 386information in the terminal ID. 387A 388.Dv expanded subject 389token can be created using 390.Xr au_to_subject32_ex 3 391or 392.Xr au_to_subject64_ex 3 . 393.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 394.It Sy "Field" Ta Sy Bytes Ta Sy Description 395.It Li "Token ID" Ta "1 byte" Ta "Token ID" 396.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" 397.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" 398.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" 399.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" 400.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" 401.It Li "Process ID" Ta "4 bytes" Ta "Process ID" 402.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" 403.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" 404.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" 405.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" 406.El 407.Ss System V IPC Token 408The 409.Dv System V IPC 410token ... 411.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 412.It Sy "Field" Ta Sy Bytes Ta Sy Description 413.It Li "Token ID" Ta "1 byte" Ta "Token ID" 414.It Li XXXXX 415.El 416.Ss Text Token 417The 418.Dv text 419token contains a single nul-terminated text string. 420A 421.Dv text 422token may be created using 423.Xr au_to_text 3 . 424.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 425.It Sy "Field" Ta Sy Bytes Ta Sy Description 426.It Li "Token ID" Ta "1 byte" Ta "Token ID" 427.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul" 428.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul" 429.El 430.Ss Attribute Token 431The 432.Dv attribute 433token describes the attributes of a file associated with the audit event. 434As files may be identified by 0, 1, or many path names, a path name is not 435included with the attribute block for a file; optional 436.Dv path 437tokens may also be present in an audit record indicating which path, if any, 438was used to reach the object. 439A 440.Dv attribute 441token can be created using 442.Xr au_to_attr32 3 443or 444.Xr au_to_attr64 3 . 445.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 446.It Sy "Field" Ta Sy Bytes Ta Sy Description 447.It Li "Token ID" Ta "1 byte" Ta "Token ID" 448.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file" 449.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file" 450.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file" 451.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file" 452.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file" 453.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)" 454.El 455.Ss Groups Token 456The 457.Dv groups 458token contains a list of group IDs associated with the audit event. 459A 460.Dv groups 461token can be created using 462.Xr au_to_groups 3 . 463.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 464.It Sy "Field" Ta Sy Bytes Ta Sy Description 465.It Li "Token ID" Ta "1 byte" Ta "Token ID" 466.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token" 467.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs" 468.El 469.Ss System V IPC Permission Token 470The 471.Dv System V IPC permission 472token ... 473.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 474.It Sy "Field" Ta Sy Bytes Ta Sy Description 475.It Li "Token ID" Ta "1 byte" Ta "Token ID" 476.It Li XXXXX 477.El 478.Ss Arg Token 479The 480.Dv arg 481token ... 482.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 483.It Sy "Field" Ta Sy Bytes Ta Sy Description 484.It Li "Token ID" Ta "1 byte" Ta "Token ID" 485.It Li XXXXX 486.El 487.Ss exec_args Token 488The 489.Dv exec_args 490token ... 491.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 492.It Sy "Field" Ta Sy Bytes Ta Sy Description 493.It Li "Token ID" Ta "1 byte" Ta "Token ID" 494.It Li XXXXX 495.El 496.Ss exec_env Token 497The 498.Dv exec_env 499token ... 500.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 501.It Sy "Field" Ta Sy Bytes Ta Sy Description 502.It Li "Token ID" Ta "1 byte" Ta "Token ID" 503.It Li XXXXX 504.El 505.Ss Exit Token 506The 507.Dv exit 508token contains process exit/return code information. 509An 510.Dv exit 511token can be created using 512.Xr au_to_exit 3 . 513.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 514.It Sy "Field" Ta Sy Bytes Ta Sy Description 515.It Li "Token ID" Ta "1 byte" Ta "Token ID" 516.It Li "Status" Ta "4 bytes" Ta "Process status on exit" 517.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit" 518.El 519.Ss Socket Token 520The 521.Dv socket 522token ... 523.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 524.It Sy "Field" Ta Sy Bytes Ta Sy Description 525.It Li "Token ID" Ta "1 byte" Ta "Token ID" 526.It Li XXXXX 527.El 528.Ss Expanded Socket Token 529The 530.Dv expanded socket 531token ... 532.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 533.It Sy "Field" Ta Sy Bytes Ta Sy Description 534.It Li "Token ID" Ta "1 byte" Ta "Token ID" 535.It Li XXXXX 536.El 537.Ss Seq Token 538The 539.Dv seq 540token contains a unique and monotonically increasing audit event sequence ID. 541Due to the limited range of 32 bits, serial number arithmetic and caution 542should be used when comparing sequence numbers. 543.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 544.It Sy "Field" Ta Sy Bytes Ta Sy Description 545.It Li "Token ID" Ta "1 byte" Ta "Token ID" 546.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number" 547.El 548.Ss privilege Token 549The 550.Dv privilege 551token ... 552.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 553.It Sy "Field" Ta Sy Bytes Ta Sy Description 554.It Li "Token ID" Ta "1 byte" Ta "Token ID" 555.It Li XXXXX 556.El 557.Ss Use-of-auth Token 558The 559.Dv use-of-auth 560token ... 561.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 562.It Sy "Field" Ta Sy Bytes Ta Sy Description 563.It Li "Token ID" Ta "1 byte" Ta "Token ID" 564.It Li XXXXX 565.El 566.Ss Command Token 567The 568.Dv command 569token ... 570.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 571.It Sy "Field" Ta Sy Bytes Ta Sy Description 572.It Li "Token ID" Ta "1 byte" Ta "Token ID" 573.It Li XXXXX 574.El 575.Ss ACL Token 576The 577.Dv ACL 578token ... 579.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 580.It Sy "Field" Ta Sy Bytes Ta Sy Description 581.It Li "Token ID" Ta "1 byte" Ta "Token ID" 582.It Li XXXXX 583.El 584.Ss Zonename Token 585The 586.Dv zonename 587token ... 588.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 589.It Sy "Field" Ta Sy Bytes Ta Sy Description 590.It Li "Token ID" Ta "1 byte" Ta "Token ID" 591.It Li XXXXX 592.El 593.Sh SEE ALSO 594.Xr libbsm 3 595.Sh AUTHORS 596The Basic Security Module (BSM) interface to audit records and audit event 597stream format were defined by Sun Microsystems. 598.Pp 599This manual page was written by 600.An Robert Watson Aq rwatson@FreeBSD.org . 601.Sh HISTORY 602The OpenBSM implementation was created by McAfee Research, the security 603division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 604It was subsequently adopted by the TrustedBSD Project as the foundation for 605the OpenBSM distribution. 606.Sh BUGS 607The 608.Dv How to print 609field in the 610.Dv arbitrary data 611token has undefined values. 612.Pp 613The 614.Dv in_addr 615and 616.Dv in_addr_ex 617token layout documented here appears to be in conflict with the 618.Xr libbsm 3 619implementations of 620.Xr au_to_in_addr 3 621and 622.Xr au_to_in_addr_ex 3 . 623