1.\"- 2.\" Copyright (c) 2005-2006 Robert N. M. Watson 3.\" Copyright (c) 2008 Apple Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.Dd November 5, 2006 28.Dt AUDIT.LOG 5 29.Os 30.Sh NAME 31.Nm audit 32.Nd "Basic Security Module (BSM) file format" 33.Sh DESCRIPTION 34The 35.Nm 36file format is based on Sun's Basic Security Module (BSM) file format, a 37token-based record stream to represent system audit data. 38This file format is both flexible and extensible, able to describe a broad 39range of data types, and easily extended to describe new data types in a 40moderately backward and forward compatible way. 41.Pp 42BSM token streams typically begin and end with a 43.Dq file 44token, which provides time stamp and file name information for the stream; 45when processing a BSM token stream from a stream as opposed to a single file 46source, file tokens may be seen at any point between ordinary records 47identifying when particular parts of the stream begin and end. 48All other tokens will appear in the context of a complete BSM audit record, 49which begins with a 50.Dq header 51token, and ends with a 52.Dq trailer 53token, which describe the audit record. 54Between these two tokens will appear a variety of data tokens, such as 55process information, file path names, IPC object information, MAC labels, 56socket information, and so on. 57.Pp 58The BSM file format defines specific token orders for each record event type; 59however, some variation may occur depending on the operating system in use, 60what system options, such as mandatory access control, are present. 61.Pp 62This manual page documents the common token types and their binary format, and 63is intended for reference purposes only. 64It is recommended that application programmers use the 65.Xr libbsm 3 66interface to read and write tokens, rather than parsing or constructing 67records by hand. 68.Ss File Token 69The 70.Dq file 71token is used at the beginning and end of an audit log file to indicate 72when the audit log begins and ends. 73It includes a pathname so that, if concatenated together, original file 74boundaries are still observable, and gaps in the audit log can be identified. 75A 76.Dq file 77token can be created using 78.Xr au_to_file 3 . 79.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 80.It Sy "Field Bytes Description" 81.It "Token ID 1 byte Token ID" 82.It "Seconds 4 bytes File time stamp" 83.It "Microseconds 4 bytes File time stamp" 84.It "File name length 2 bytes File name of audit trail" 85.It "File pathname N bytes + 1 NUL File name of audit trail" 86.El 87.Ss Header Token 88The 89.Dq header 90token is used to mark the beginning of a complete audit record, and includes 91the length of the total record in bytes, a version number for the record 92layout, the event type and subtype, and the time at which the event occurred. 93A 32-bit 94.Dq header 95token can be created using 96.Xr au_to_header32 3 ; 97a 64-bit 98.Dq header 99token can be created using 100.Xr au_to_header64 3 . 101.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 102.It Sy "Field Bytes Description" 103.It "Token ID 1 byte Token ID" 104.It "Record Byte Count 4 bytes Number of bytes in record" 105.It "Version Number 2 bytes Record version number" 106.It "Event Type 2 bytes Event type" 107.It "Event Modifier 2 bytes Event sub-type" 108.It "Seconds 4/8 bytes Record time stamp (32/64-bits)" 109.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)" 110.El 111.Ss Expanded Header Token 112The 113.Dq expanded header 114token is an expanded version of the 115.Dq header 116token, with the addition of a machine IPv4 or IPv6 address. 117A 32-bit extended 118.Dq header 119token can be created using 120.Xr au_to_header32_ex 3 ; 121a 64-bit extended 122.Dq header 123token can be created using 124.Xr au_to_header64_ex 3 . 125.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 126.It Sy "Field Bytes Description" 127.It "Token ID 1 byte Token ID" 128.It "Record Byte Count 4 bytes Number of bytes in record" 129.It "Version Number 2 bytes Record version number" 130.It "Event Type 2 bytes Event type" 131.It "Event Modifier 2 bytes Event sub-type" 132.It "Address Type/Length 1 byte Host address type and length" 133.It "Machine Address 4/16 bytes IPv4 or IPv6 address" 134.It "Seconds 4/8 bytes Record time stamp (32/64-bits)" 135.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)" 136.El 137.Ss Trailer Token 138The 139.Dq trailer 140terminates a BSM audit record, and contains a magic number, 141.Dv AUT_TRAILER_MAGIC 142and length that can be used to validate that the record was read properly. 143A 144.Dq trailer 145token can be created using 146.Xr au_to_trailer 3 . 147.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 148.It Sy "Field Bytes Description" 149.It "Token ID 1 byte Token ID" 150.It "Trailer Magic 2 bytes Trailer magic number" 151.It "Record Byte Count 4 bytes Number of bytes in record" 152.El 153.Ss Arbitrary Data Token 154The 155.Dq arbitrary data 156token contains a byte stream of opaque (untyped) data. 157The size of the data is calculated as the size of each unit of data 158multiplied by the number of units of data. 159A 160.Dq How to print 161field is present to specify how to print the data, but interpretation of 162that field is not currently defined. 163An 164.Dq arbitrary data 165token can be created using 166.Xr au_to_data 3 . 167.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 168.It Sy "Field Bytes Description" 169.It "Token ID 1 byte Token ID" 170.It "How to Print 1 byte User-defined printing information" 171.It "Basic Unit 1 byte Size of a unit in bytes" 172.It "Unit Count 1 byte Number of units of data present" 173.It "Data Items Variable User data" 174.El 175.Ss in_addr Token 176The 177.Dq in_addr 178token holds a network byte order IPv4 address. 179An 180.Dq in_addr 181token can be created using 182.Xr au_to_in_addr 3 183for an IPv4 address. 184.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 185.It Sy "Field Bytes Description" 186.It "Token ID 1 byte Token ID" 187.It "IP Address 4 bytes IPv4 address" 188.El 189.Ss Expanded in_addr Token 190The 191.Dq in_addr_ex 192token holds a network byte order IPv4 or IPv6 address. 193An 194.Dq in_addr_ex 195token can be created using 196.Xr au_to_in_addr_ex 3 197for an IPv6 address. 198.Pp 199See the 200.Sx BUGS 201section for information on the storage of this token. 202.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 203.It Sy "Field Bytes Description" 204.It "Token ID 1 byte Token ID" 205.It "IP Address Type 1 byte Type of address" 206.It "IP Address 4/16 bytes IPv4 or IPv6 address" 207.El 208.Ss ip Token 209The 210.Dq ip 211token contains an IP packet header in network byte order. 212An 213.Dq ip 214token can be created using 215.Xr au_to_ip 3 . 216.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 217.It Sy "Field Bytes Description" 218.It "Token ID 1 byte Token ID" 219.It "Version and IHL 1 byte Version and IP header length" 220.It "Type of Service 1 byte IP TOS field" 221.It "Length 2 bytes IP packet length in network byte order" 222.It "ID 2 bytes IP header ID for reassembly" 223.It "Offset 2 bytes IP fragment offset and flags, network byte order" 224.It "TTL 1 byte IP Time-to-Live" 225.It "Protocol 1 byte IP protocol number" 226.It "Checksum 2 bytes IP header checksum, network byte order" 227.It "Source Address 4 bytes IPv4 source address" 228.It "Destination Address 4 bytes IPv4 destination address" 229.El 230.Ss iport Token 231The 232.Dq iport 233token stores an IP port number in network byte order. 234An 235.Dq iport 236token can be created using 237.Xr au_to_iport 3 . 238.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 239.It Sy "Field Bytes Description" 240.It "Token ID 1 byte Token ID" 241.It "Port Number 2 bytes Port number in network byte order" 242.El 243.Ss Path Token 244The 245.Dq path 246token contains a pathname. 247A 248.Dq path 249token can be created using 250.Xr au_to_path 3 . 251.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 252.It Sy "Field Bytes Description" 253.It "Token ID 1 byte Token ID" 254.It "Path Length 2 bytes Length of path in bytes" 255.It "Path N bytes + 1 NUL Path name" 256.El 257.Ss path_attr Token 258The 259.Dq path_attr 260token contains a set of NUL-terminated path names. 261The 262.Xr libbsm 3 263API cannot currently create a 264.Dq path_attr 265token. 266.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 267.It Sy "Field Bytes Description" 268.It "Token ID 1 byte Token ID" 269.It "Count 2 bytes Number of NUL-terminated string(s) in token" 270.It "Path Variable count NUL-terminated string(s)" 271.El 272.Ss Process Token 273The 274.Dq process 275token contains a description of the security properties of a process 276involved as the target of an auditable event, such as the destination for 277signal delivery. 278It should not be confused with the 279.Dq subject 280token, which describes the subject performing an auditable event. 281This includes both the traditional 282.Ux 283security properties, such as user IDs and group IDs, but also audit 284information such as the audit user ID and session. 285A 286.Dq process 287token can be created using 288.Xr au_to_process32 3 289or 290.Xr au_to_process64 3 . 291.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 292.It Sy "Field Bytes Description" 293.It "Token ID 1 byte Token ID" 294.It "Audit ID 4 bytes Audit user ID" 295.It "Effective User ID 4 bytes Effective user ID" 296.It "Effective Group ID 4 bytes Effective group ID" 297.It "Real User ID 4 bytes Real user ID" 298.It "Real Group ID 4 bytes Real group ID" 299.It "Process ID 4 bytes Process ID" 300.It "Session ID 4 bytes Audit session ID" 301.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" 302.It "Terminal Machine Address 4 bytes IP address of machine" 303.El 304.Ss Expanded Process Token 305The 306.Dq expanded process 307token contains the contents of the 308.Dq process 309token, with the addition of a machine address type and variable length 310address storage capable of containing IPv6 addresses. 311An 312.Dq expanded process 313token can be created using 314.Xr au_to_process32_ex 3 315or 316.Xr au_to_process64_ex 3 . 317.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 318.It Sy "Field Bytes Description" 319.It "Token ID 1 byte Token ID" 320.It "Audit ID 4 bytes Audit user ID" 321.It "Effective User ID 4 bytes Effective user ID" 322.It "Effective Group ID 4 bytes Effective group ID" 323.It "Real User ID 4 bytes Real user ID" 324.It "Real Group ID 4 bytes Real group ID" 325.It "Process ID 4 bytes Process ID" 326.It "Session ID 4 bytes Audit session ID" 327.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" 328.It "Terminal Address Type/Length 1 byte Length of machine address" 329.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine" 330.El 331.Ss Return Token 332The 333.Dq return 334token contains a system call or library function return condition, including 335return value and error number associated with the global variable 336.Er errno . 337A 338.Dq return 339token can be created using 340.Xr au_to_return32 3 341or 342.Xr au_to_return64 3 . 343.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 344.It Sy "Field Bytes Description" 345.It "Token ID 1 byte Token ID" 346.It "Error Number 1 byte Errno value, or 0 if undefined" 347.It "Return Value 4/8 bytes Return value (32/64-bits)" 348.El 349.Ss Subject Token 350The 351.Dq subject 352token contains information on the subject performing the operation described 353by an audit record, and includes similar information to that found in the 354.Dq process 355and 356.Dq expanded process 357tokens. 358However, those tokens are used where the process being described is the 359target of the operation, not the authorizing party. 360A 361.Dq subject 362token can be created using 363.Xr au_to_subject32 3 364and 365.Xr au_to_subject64 3 . 366.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 367.It Sy "Field Bytes Description" 368.It "Token ID 1 byte Token ID" 369.It "Audit ID 4 bytes Audit user ID" 370.It "Effective User ID 4 bytes Effective user ID" 371.It "Effective Group ID 4 bytes Effective group ID" 372.It "Real User ID 4 bytes Real user ID" 373.It "Real Group ID 4 bytes Real group ID" 374.It "Process ID 4 bytes Process ID" 375.It "Session ID 4 bytes Audit session ID" 376.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" 377.It "Terminal Machine Address 4 bytes IP address of machine" 378.El 379.Ss Expanded Subject Token 380The 381.Dq expanded subject 382token consists of the same elements as the 383.Dq subject 384token, with the addition of type/length and variable size machine address 385information in the terminal ID. 386An 387.Dq expanded subject 388token can be created using 389.Xr au_to_subject32_ex 3 390or 391.Xr au_to_subject64_ex 3 . 392.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 393.It Sy "Field Bytes Description" 394.It "Token ID 1 byte Token ID" 395.It "Audit ID 4 bytes Audit user ID" 396.It "Effective User ID 4 bytes Effective user ID" 397.It "Effective Group ID 4 bytes Effective group ID" 398.It "Real User ID 4 bytes Real user ID" 399.It "Real Group ID 4 bytes Real group ID" 400.It "Process ID 4 bytes Process ID" 401.It "Session ID 4 bytes Audit session ID" 402.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" 403.It "Terminal Address Type/Length 1 byte Length of machine address" 404.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine" 405.El 406.Ss System V IPC Token 407The 408.Dq System V IPC 409token contains the System V IPC message handle, semaphore handle or shared 410memory handle. 411A System V IPC token may be created using 412+.Xr au_to_ipc 3 . 413.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 414.It Sy "Field Bytes Description" 415.It "Token ID 1 byte Token ID" 416.It "Object ID type 1 byte Object ID" 417.It "Object ID 4 bytes Object ID" 418.El 419.Ss Text Token 420The 421.Dq text 422token contains a single NUL-terminated text string. 423A 424.Dq text 425token may be created using 426.Xr au_to_text 3 . 427.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 428.It Sy "Field Bytes Description" 429.It "Token ID 1 byte Token ID" 430.It "Text Length 2 bytes Length of text string including NUL" 431.It "Text N bytes + 1 NUL Text string including NUL" 432.El 433.Ss Attribute Token 434The 435.Dq attribute 436token describes the attributes of a file associated with the audit event. 437As files may be identified by 0, 1, or many path names, a path name is not 438included with the attribute block for a file; optional 439.Dq path 440tokens may also be present in an audit record indicating which path, if any, 441was used to reach the object. 442An 443.Dq attribute 444token can be created using 445.Xr au_to_attr32 3 446or 447.Xr au_to_attr64 3 . 448.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 449.It Sy "Field Bytes Description" 450.It "Token ID 1 byte Token ID" 451.It "File Access Mode 1 byte mode_t associated with file" 452.It "Owner User ID 4 bytes uid_t associated with file" 453.It "Owner Group ID 4 bytes gid_t associated with file" 454.It "File System ID 4 bytes fsid_t associated with file" 455.It "File System Node ID 8 bytes ino_t associated with file" 456.It "Device 4/8 bytes Device major/minor number (32/64-bit)" 457.El 458.Ss Groups Token 459The 460.Dq groups 461token contains a list of group IDs associated with the audit event. 462A 463.Dq groups 464token can be created using 465.Xr au_to_groups 3 . 466.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 467.It Sy "Field Bytes Description" 468.It "Token ID 1 byte Token ID" 469.It "Number of Groups 2 bytes Number of groups in token" 470.It "Group List N * 4 bytes List of N group IDs" 471.El 472.Ss System V IPC Permission Token 473The 474.Dq System V IPC permission 475token contains a System V IPC access permissions. 476A System V IPC permission token may be created using 477.Xr au_to_ipc_perm 3 . 478.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 479.It Sy "Field Bytes Description" 480.It "Token ID 1 byte Token ID" 481.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner" 482.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner" 483.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator" 484.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator" 485.It Li "Access mode" Ta "4 bytes" Ta "Access mode" 486.It Li "Sequence number" Ta "4 bytes" Ta "Sequence number" 487.It Li "Key" Ta "4 bytes" Ta "IPC key" 488.El 489.Ss Arg Token 490The 491.Dq arg 492token contains information about arguments of the system call. 493Depending on the size of the desired argument value, an Arg token may be 494created using 495.Xr au_to_arg32 3 496or 497.Xr au_to_arg64 3 . 498.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 499.It Sy "Field Bytes Description" 500.It "Token ID 1 byte Token ID" 501.It Li "Argument ID" Ta "1 byte" Ta "Argument ID" 502.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value" 503.It Li "Length" Ta "2 bytes" Ta "Length of the text" 504.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul" 505.El 506.Ss exec_args Token 507The 508.Dq exec_args 509token contains information about arguments of the exec() system call. 510An exec_args token may be created using 511.Xr au_to_exec_args 3 . 512.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 513.It Sy "Field Bytes Description" 514.It "Token ID 1 byte Token ID" 515.It Li "Count" Ta "4 bytes" Ta "Number of arguments" 516.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings" 517.El 518.Ss exec_env Token 519The 520.Dq exec_env 521token contains current environment variables to an exec() system call. 522An exec_args token may be created using 523.Xr au_to_exec_env 3 . 524.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 525.It Sy "Field Bytes Description" 526.It "Token ID 1 byte Token ID" 527.It Li "Count ID" Ta "4 bytes" Ta "Number of variables" 528.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings" 529.El 530.Ss Exit Token 531The 532.Dq exit 533token contains process exit/return code information. 534An 535.Dq exit 536token can be created using 537.Xr au_to_exit 3 . 538.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 539.It Sy "Field Bytes Description" 540.It "Token ID 1 byte Token ID" 541.It "Status 4 bytes Process status on exit" 542.It "Return Value 4 bytes Process return value on exit" 543.El 544.Ss Socket Token 545The 546.Dq socket 547token contains information about UNIX domain and Internet sockets. 548Each token has four or eight fields. 549Depending on the type of socket, a socket token may be created using 550.Xr au_to_sock_unix 3 , 551.Xr au_to_sock_inet32 3 552or 553.Xr au_to_sock_inet128 3 . 554.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" 555.It Sy "Field" Ta Sy Bytes Ta Sy Description 556.It Li "Token ID" Ta "1 byte" Ta "Token ID" 557.It Li "Socket family" Ta "2 bytes" Ta "Socket family" 558.It Li "Local port" Ta "2 bytes" Ta "Local port" 559.It Li "Socket address" Ta "4 bytes" Ta "Socket address" 560.El 561.Ss Expanded Socket Token 562The 563.Dq expanded socket 564token contains information about IPv4 and IPv6 sockets. 565A 566.Dq expanded socket 567token can be created using 568.Xr au_to_socket_ex 3 . 569.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 570.It Sy "Field Bytes Description" 571.It Li "Token ID" Ta "1 byte" Ta "Token ID" 572.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain" 573.It Li "Socket type" Ta "2 bytes" Ta "Socket type" 574.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)" 575.It Li "Local port" Ta "2 bytes" Ta "Local port" 576.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address" 577.It Li "Remote port" Ta "2 bytes" Ta "Remote port" 578.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address" 579.El 580.Ss Seq Token 581The 582.Dq seq 583token contains a unique and monotonically increasing audit event sequence ID. 584Due to the limited range of 32 bits, serial number arithmetic and caution 585should be used when comparing sequence numbers. 586.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 587.It Sy "Field Bytes Description" 588.It "Token ID 1 byte Token ID" 589.It "Sequence Number 4 bytes Audit event sequence number" 590.El 591.Ss privilege Token 592The 593.Dq privilege 594token ... 595.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 596.It Sy "Field Bytes Description" 597.It "Token ID 1 byte Token ID" 598.El 599.Ss Use-of-auth Token 600The 601.Dq use-of-auth 602token ... 603.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 604.It Sy "Field Bytes Description" 605.It "Token ID 1 byte Token ID" 606.El 607.Ss Command Token 608The 609.Dq command 610token ... 611.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 612.It Sy "Field Bytes Description" 613.It "Token ID 1 byte Token ID" 614.El 615.Ss ACL Token 616The 617.Dq ACL 618token ... 619.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 620.It Sy "Field Bytes Description" 621.It "Token ID 1 byte Token ID" 622.El 623.Ss Zonename Token 624The 625.Dq zonename 626token holds a NUL-terminated string with the name of the zone or jail from 627which the record originated. 628A 629.Dq zonename 630token can be created using 631.Xr au_to_zonename 3 . 632.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" 633.It Sy "Field Bytes Description" 634.It "Token ID 1 byte Token ID" 635.It "Zonename length 2 bytes Length of zonename string including NUL" 636.It "Zonename N bytes + 1 NUL Zonename string including NUL" 637.El 638.Sh SEE ALSO 639.Xr auditreduce 1 , 640.Xr praudit 1 , 641.Xr libbsm 3 , 642.Xr audit 4 , 643.Xr auditpipe 4 , 644.Xr audit 8 645.Sh HISTORY 646The OpenBSM implementation was created by McAfee Research, the security 647division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 648It was subsequently adopted by the TrustedBSD Project as the foundation for 649the OpenBSM distribution. 650.Sh AUTHORS 651The Basic Security Module (BSM) interface to audit records and audit event 652stream format were defined by Sun Microsystems. 653.Pp 654This manual page was written by 655.An Robert Watson Aq rwatson@FreeBSD.org . 656.Sh BUGS 657The 658.Dq How to print 659field in the 660.Dq arbitrary data 661token has undefined values. 662.Pp 663The 664.Dq in_addr 665and 666.Dq in_addr_ex 667token layout documented here appears to be in conflict with the 668.Xr libbsm 3 669implementation of 670.Xr au_to_in_addr_ex 3 . 671