xref: /freebsd/contrib/openbsm/man/audit.log.5 (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414)
1.\"-
2.\" Copyright (c) 2005-2006 Robert N. M. Watson
3.\" Copyright (c) 2008 Apple Inc.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.Dd November 5, 2006
28.Dt AUDIT.LOG 5
29.Os
30.Sh NAME
31.Nm audit
32.Nd "Basic Security Module (BSM) file format"
33.Sh DESCRIPTION
34The
35.Nm
36file format is based on Sun's Basic Security Module (BSM) file format, a
37token-based record stream to represent system audit data.
38This file format is both flexible and extensible, able to describe a broad
39range of data types, and easily extended to describe new data types in a
40moderately backward and forward compatible way.
41.Pp
42BSM token streams typically begin and end with a
43.Dq file
44token, which provides time stamp and file name information for the stream;
45when processing a BSM token stream from a stream as opposed to a single file
46source, file tokens may be seen at any point between ordinary records
47identifying when particular parts of the stream begin and end.
48All other tokens will appear in the context of a complete BSM audit record,
49which begins with a
50.Dq header
51token, and ends with a
52.Dq trailer
53token, which describe the audit record.
54Between these two tokens will appear a variety of data tokens, such as
55process information, file path names, IPC object information, MAC labels,
56socket information, and so on.
57.Pp
58The BSM file format defines specific token orders for each record event type;
59however, some variation may occur depending on the operating system in use,
60what system options, such as mandatory access control, are present.
61.Pp
62This manual page documents the common token types and their binary format, and
63is intended for reference purposes only.
64It is recommended that application programmers use the
65.Xr libbsm 3
66interface to read and write tokens, rather than parsing or constructing
67records by hand.
68.Ss File Token
69The
70.Dq file
71token is used at the beginning and end of an audit log file to indicate
72when the audit log begins and ends.
73It includes a pathname so that, if concatenated together, original file
74boundaries are still observable, and gaps in the audit log can be identified.
75A
76.Dq file
77token can be created using
78.Xr au_to_file 3 .
79.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
80.It Sy "Field	Bytes	Description"
81.It "Token ID	1 byte	Token ID"
82.It "Seconds	4 bytes	File time stamp"
83.It "Microseconds	4 bytes	File time stamp"
84.It "File name length	2 bytes	File name of audit trail"
85.It "File pathname	N bytes + 1 NUL	File name of audit trail"
86.El
87.Ss Header Token
88The
89.Dq header
90token is used to mark the beginning of a complete audit record, and includes
91the length of the total record in bytes, a version number for the record
92layout, the event type and subtype, and the time at which the event occurred.
93A 32-bit
94.Dq header
95token can be created using
96.Xr au_to_header32 3 ;
97a 64-bit
98.Dq header
99token can be created using
100.Xr au_to_header64 3 .
101.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
102.It Sy "Field	Bytes	Description"
103.It "Token ID	1 byte	Token ID"
104.It "Record Byte Count	4 bytes	Number of bytes in record"
105.It "Version Number	2 bytes	Record version number"
106.It "Event Type	2 bytes	Event type"
107.It "Event Modifier	2 bytes	Event sub-type"
108.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
109.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
110.El
111.Ss Expanded Header Token
112The
113.Dq expanded header
114token is an expanded version of the
115.Dq header
116token, with the addition of a machine IPv4 or IPv6 address.
117A 32-bit extended
118.Dq header
119token can be created using
120.Xr au_to_header32_ex 3 ;
121a 64-bit extended
122.Dq header
123token can be created using
124.Xr au_to_header64_ex 3 .
125.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
126.It Sy "Field	Bytes	Description"
127.It "Token ID	1 byte	Token ID"
128.It "Record Byte Count	4 bytes	Number of bytes in record"
129.It "Version Number	2 bytes	Record version number"
130.It "Event Type	2 bytes	Event type"
131.It "Event Modifier	2 bytes	Event sub-type"
132.It "Address Type/Length	1 byte	Host address type and length"
133.It "Machine Address	4/16 bytes	IPv4 or IPv6 address"
134.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
135.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
136.El
137.Ss Trailer Token
138The
139.Dq trailer
140terminates a BSM audit record, and contains a magic number,
141.Dv AUT_TRAILER_MAGIC
142and length that can be used to validate that the record was read properly.
143A
144.Dq trailer
145token can be created using
146.Xr au_to_trailer 3 .
147.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
148.It Sy "Field	Bytes	Description"
149.It "Token ID	1 byte	Token ID"
150.It "Trailer Magic	2 bytes	Trailer magic number"
151.It "Record Byte Count	4 bytes	Number of bytes in record"
152.El
153.Ss Arbitrary Data Token
154The
155.Dq arbitrary data
156token contains a byte stream of opaque (untyped) data.
157The size of the data is calculated as the size of each unit of data
158multiplied by the number of units of data.
159A
160.Dq How to print
161field is present to specify how to print the data, but interpretation of
162that field is not currently defined.
163An
164.Dq arbitrary data
165token can be created using
166.Xr au_to_data 3 .
167.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
168.It Sy "Field	Bytes	Description"
169.It "Token ID	1 byte	Token ID"
170.It "How to Print	1 byte	User-defined printing information"
171.It "Basic Unit	1 byte	Size of a unit in bytes"
172.It "Unit Count	1 byte	Number of units of data present"
173.It "Data Items	Variable	User data"
174.El
175.Ss in_addr Token
176The
177.Dq in_addr
178token holds a network byte order IPv4 address.
179An
180.Dq in_addr
181token can be created using
182.Xr au_to_in_addr 3
183for an IPv4 address.
184.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
185.It Sy "Field	Bytes	Description"
186.It "Token ID	1 byte	Token ID"
187.It "IP Address	4 bytes	IPv4 address"
188.El
189.Ss Expanded in_addr Token
190The
191.Dq in_addr_ex
192token holds a network byte order IPv4 or IPv6 address.
193An
194.Dq in_addr_ex
195token can be created using
196.Xr au_to_in_addr_ex 3
197for an IPv6 address.
198.Pp
199See the
200.Sx BUGS
201section for information on the storage of this token.
202.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
203.It Sy "Field	Bytes	Description"
204.It "Token ID	1 byte	Token ID"
205.It "IP Address Type	1 byte	Type of address"
206.It "IP Address	4/16 bytes	IPv4 or IPv6 address"
207.El
208.Ss ip Token
209The
210.Dq ip
211token contains an IP packet header in network byte order.
212An
213.Dq ip
214token can be created using
215.Xr au_to_ip 3 .
216.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
217.It Sy "Field	Bytes	Description"
218.It "Token ID	1 byte	Token ID"
219.It "Version and IHL	1 byte	Version and IP header length"
220.It "Type of Service	1 byte	IP TOS field"
221.It "Length	2 bytes	IP packet length in network byte order"
222.It "ID	2 bytes	IP header ID for reassembly"
223.It "Offset	2 bytes	IP fragment offset and flags, network byte order"
224.It "TTL	1 byte	IP Time-to-Live"
225.It "Protocol	1 byte	IP protocol number"
226.It "Checksum	2 bytes	IP header checksum, network byte order"
227.It "Source Address	4 bytes	IPv4 source address"
228.It "Destination Address	4 bytes	IPv4 destination address"
229.El
230.Ss iport Token
231The
232.Dq iport
233token stores an IP port number in network byte order.
234An
235.Dq iport
236token can be created using
237.Xr au_to_iport 3 .
238.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
239.It Sy "Field	Bytes	Description"
240.It "Token ID	1 byte	Token ID"
241.It "Port Number	2 bytes	Port number in network byte order"
242.El
243.Ss Path Token
244The
245.Dq path
246token contains a pathname.
247A
248.Dq path
249token can be created using
250.Xr au_to_path 3 .
251.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
252.It Sy "Field	Bytes	Description"
253.It "Token ID	1 byte	Token ID"
254.It "Path Length	2 bytes	Length of path in bytes"
255.It "Path	N bytes + 1 NUL	Path name"
256.El
257.Ss path_attr Token
258The
259.Dq path_attr
260token contains a set of NUL-terminated path names.
261The
262.Xr libbsm 3
263API cannot currently create a
264.Dq path_attr
265token.
266.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
267.It Sy "Field	Bytes	Description"
268.It "Token ID	1 byte	Token ID"
269.It "Count	2 bytes	Number of NUL-terminated string(s) in token"
270.It "Path	Variable	count NUL-terminated string(s)"
271.El
272.Ss Process Token
273The
274.Dq process
275token contains a description of the security properties of a process
276involved as the target of an auditable event, such as the destination for
277signal delivery.
278It should not be confused with the
279.Dq subject
280token, which describes the subject performing an auditable event.
281This includes both the traditional
282.Ux
283security properties, such as user IDs and group IDs, but also audit
284information such as the audit user ID and session.
285A
286.Dq process
287token can be created using
288.Xr au_to_process32 3
289or
290.Xr au_to_process64 3 .
291.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
292.It Sy "Field	Bytes	Description"
293.It "Token ID	1 byte	Token ID"
294.It "Audit ID	4 bytes	Audit user ID"
295.It "Effective User ID	4 bytes	Effective user ID"
296.It "Effective Group ID	4 bytes	Effective group ID"
297.It "Real User ID	4 bytes	Real user ID"
298.It "Real Group ID	4 bytes	Real group ID"
299.It "Process ID	4 bytes	Process ID"
300.It "Session ID	4 bytes	Audit session ID"
301.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
302.It "Terminal Machine Address	4 bytes	IP address of machine"
303.El
304.Ss Expanded Process Token
305The
306.Dq expanded process
307token contains the contents of the
308.Dq process
309token, with the addition of a machine address type and variable length
310address storage capable of containing IPv6 addresses.
311An
312.Dq expanded process
313token can be created using
314.Xr au_to_process32_ex 3
315or
316.Xr au_to_process64_ex 3 .
317.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
318.It Sy "Field	Bytes	Description"
319.It "Token ID	1 byte	Token ID"
320.It "Audit ID	4 bytes	Audit user ID"
321.It "Effective User ID	4 bytes	Effective user ID"
322.It "Effective Group ID	4 bytes	Effective group ID"
323.It "Real User ID	4 bytes	Real user ID"
324.It "Real Group ID	4 bytes	Real group ID"
325.It "Process ID	4 bytes	Process ID"
326.It "Session ID	4 bytes	Audit session ID"
327.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
328.It "Terminal Address Type/Length	1 byte	Length of machine address"
329.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
330.El
331.Ss Return Token
332The
333.Dq return
334token contains a system call or library function return condition, including
335return value and error number associated with the global variable
336.Er errno .
337A
338.Dq return
339token can be created using
340.Xr au_to_return32 3
341or
342.Xr au_to_return64 3 .
343.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
344.It Sy "Field	Bytes	Description"
345.It "Token ID	1 byte	Token ID"
346.It "Error Number	1 byte	Errno value, or 0 if undefined"
347.It "Return Value	4/8 bytes	Return value (32/64-bits)"
348.El
349.Ss Subject Token
350The
351.Dq subject
352token contains information on the subject performing the operation described
353by an audit record, and includes similar information to that found in the
354.Dq process
355and
356.Dq expanded process
357tokens.
358However, those tokens are used where the process being described is the
359target of the operation, not the authorizing party.
360A
361.Dq subject
362token can be created using
363.Xr au_to_subject32 3
364and
365.Xr au_to_subject64 3 .
366.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
367.It Sy "Field	Bytes	Description"
368.It "Token ID	1 byte	Token ID"
369.It "Audit ID	4 bytes	Audit user ID"
370.It "Effective User ID	4 bytes	Effective user ID"
371.It "Effective Group ID	4 bytes	Effective group ID"
372.It "Real User ID	4 bytes	Real user ID"
373.It "Real Group ID	4 bytes	Real group ID"
374.It "Process ID	4 bytes	Process ID"
375.It "Session ID	4 bytes	Audit session ID"
376.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
377.It "Terminal Machine Address	4 bytes	IP address of machine"
378.El
379.Ss Expanded Subject Token
380The
381.Dq expanded subject
382token consists of the same elements as the
383.Dq subject
384token, with the addition of type/length and variable size machine address
385information in the terminal ID.
386An
387.Dq expanded subject
388token can be created using
389.Xr au_to_subject32_ex 3
390or
391.Xr au_to_subject64_ex 3 .
392.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
393.It Sy "Field	Bytes	Description"
394.It "Token ID	1 byte	Token ID"
395.It "Audit ID	4 bytes	Audit user ID"
396.It "Effective User ID	4 bytes	Effective user ID"
397.It "Effective Group ID	4 bytes	Effective group ID"
398.It "Real User ID	4 bytes	Real user ID"
399.It "Real Group ID	4 bytes	Real group ID"
400.It "Process ID	4 bytes	Process ID"
401.It "Session ID	4 bytes	Audit session ID"
402.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
403.It "Terminal Address Type/Length	1 byte	Length of machine address"
404.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
405.El
406.Ss System V IPC Token
407The
408.Dq System V IPC
409token contains the System V IPC message handle, semaphore handle or shared
410memory handle.
411A System V IPC token may be created using
412+.Xr au_to_ipc 3 .
413.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
414.It Sy "Field	Bytes	Description"
415.It "Token ID	1 byte	Token ID"
416.It "Object ID type	1 byte	Object ID"
417.It "Object ID	4 bytes	Object ID"
418.El
419.Ss Text Token
420The
421.Dq text
422token contains a single NUL-terminated text string.
423A
424.Dq text
425token may be created using
426.Xr au_to_text 3 .
427.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
428.It Sy "Field	Bytes	Description"
429.It "Token ID	1 byte	Token ID"
430.It "Text Length	2 bytes	Length of text string including NUL"
431.It "Text	N bytes + 1 NUL	Text string including NUL"
432.El
433.Ss Attribute Token
434The
435.Dq attribute
436token describes the attributes of a file associated with the audit event.
437As files may be identified by 0, 1, or many path names, a path name is not
438included with the attribute block for a file; optional
439.Dq path
440tokens may also be present in an audit record indicating which path, if any,
441was used to reach the object.
442An
443.Dq attribute
444token can be created using
445.Xr au_to_attr32 3
446or
447.Xr au_to_attr64 3 .
448.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
449.It Sy "Field	Bytes	Description"
450.It "Token ID	1 byte	Token ID"
451.It "File Access Mode	1 byte	mode_t associated with file"
452.It "Owner User ID	4 bytes	uid_t associated with file"
453.It "Owner Group ID	4 bytes	gid_t associated with file"
454.It "File System ID	4 bytes	fsid_t associated with file"
455.It "File System Node ID	8 bytes	ino_t associated with file"
456.It "Device	4/8 bytes	Device major/minor number (32/64-bit)"
457.El
458.Ss Groups Token
459The
460.Dq groups
461token contains a list of group IDs associated with the audit event.
462A
463.Dq groups
464token can be created using
465.Xr au_to_groups 3 .
466.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
467.It Sy "Field	Bytes	Description"
468.It "Token ID	1 byte	Token ID"
469.It "Number of Groups	2 bytes	Number of groups in token"
470.It "Group List	N * 4 bytes	List of N group IDs"
471.El
472.Ss System V IPC Permission Token
473The
474.Dq System V IPC permission
475token contains a System V IPC access permissions.
476A System V IPC permission token may be created using
477.Xr au_to_ipc_perm 3 .
478.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
479.It Sy "Field	Bytes	Description"
480.It "Token ID	1 byte	Token ID"
481.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
482.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
483.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
484.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
485.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
486.It Li "Sequence number" Ta "4 bytes" Ta "Sequence number"
487.It Li "Key" Ta "4 bytes" Ta "IPC key"
488.El
489.Ss Arg Token
490The
491.Dq arg
492token contains information about arguments of the system call.
493Depending on the size of the desired argument value, an Arg token may be
494created using
495.Xr au_to_arg32 3
496or
497.Xr au_to_arg64 3 .
498.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
499.It Sy "Field	Bytes	Description"
500.It "Token ID	1 byte	Token ID"
501.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
502.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
503.It Li "Length" Ta "2 bytes" Ta "Length of the text"
504.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
505.El
506.Ss exec_args Token
507The
508.Dq exec_args
509token contains information about arguments of the exec() system call.
510An exec_args token may be created using
511.Xr au_to_exec_args 3 .
512.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
513.It Sy "Field	Bytes	Description"
514.It "Token ID	1 byte	Token ID"
515.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
516.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
517.El
518.Ss exec_env Token
519The
520.Dq exec_env
521token contains current environment variables to an exec() system call.
522An exec_args token may be created using
523.Xr au_to_exec_env 3 .
524.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
525.It Sy "Field	Bytes	Description"
526.It "Token ID	1 byte	Token ID"
527.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
528.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
529.El
530.Ss Exit Token
531The
532.Dq exit
533token contains process exit/return code information.
534An
535.Dq exit
536token can be created using
537.Xr au_to_exit 3 .
538.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
539.It Sy "Field	Bytes	Description"
540.It "Token ID	1 byte	Token ID"
541.It "Status	4 bytes	Process status on exit"
542.It "Return Value	4 bytes	Process return value on exit"
543.El
544.Ss Socket Token
545The
546.Dq socket
547token contains information about UNIX domain and Internet sockets.
548Each token has four or eight fields.
549Depending on the type of socket, a socket token may be created using
550.Xr au_to_sock_unix 3 ,
551.Xr au_to_sock_inet32 3
552or
553.Xr au_to_sock_inet128 3 .
554.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
555.It Sy "Field" Ta Sy Bytes Ta Sy Description
556.It Li "Token ID" Ta "1 byte" Ta "Token ID"
557.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
558.It Li "Local port" Ta "2 bytes" Ta "Local port"
559.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
560.El
561.Ss Expanded Socket Token
562The
563.Dq expanded socket
564token contains information about IPv4 and IPv6 sockets.
565A
566.Dq expanded socket
567token can be created using
568.Xr au_to_socket_ex 3 .
569.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
570.It Sy "Field	Bytes	Description"
571.It Li "Token ID" Ta "1 byte" Ta "Token ID"
572.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
573.It Li "Socket type" Ta "2 bytes" Ta "Socket type"
574.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
575.It Li "Local port" Ta "2 bytes" Ta "Local port"
576.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
577.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
578.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
579.El
580.Ss Seq Token
581The
582.Dq seq
583token contains a unique and monotonically increasing audit event sequence ID.
584Due to the limited range of 32 bits, serial number arithmetic and caution
585should be used when comparing sequence numbers.
586.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
587.It Sy "Field	Bytes	Description"
588.It "Token ID	1 byte	Token ID"
589.It "Sequence Number	4 bytes	Audit event sequence number"
590.El
591.Ss privilege Token
592The
593.Dq privilege
594token ...
595.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
596.It Sy "Field	Bytes	Description"
597.It "Token ID	1 byte	Token ID"
598.El
599.Ss Use-of-auth Token
600The
601.Dq use-of-auth
602token ...
603.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
604.It Sy "Field	Bytes	Description"
605.It "Token ID	1 byte	Token ID"
606.El
607.Ss Command Token
608The
609.Dq command
610token ...
611.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
612.It Sy "Field	Bytes	Description"
613.It "Token ID	1 byte	Token ID"
614.El
615.Ss ACL Token
616The
617.Dq ACL
618token ...
619.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
620.It Sy "Field	Bytes	Description"
621.It "Token ID	1 byte	Token ID"
622.El
623.Ss Zonename Token
624The
625.Dq zonename
626token holds a NUL-terminated string with the name of the zone or jail from
627which the record originated.
628A
629.Dq zonename
630token can be created using
631.Xr au_to_zonename 3 .
632.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
633.It Sy "Field	Bytes	Description"
634.It "Token ID	1 byte	Token ID"
635.It "Zonename length	2 bytes	Length of zonename string including NUL"
636.It "Zonename	N bytes + 1 NUL	Zonename string including NUL"
637.El
638.Sh SEE ALSO
639.Xr auditreduce 1 ,
640.Xr praudit 1 ,
641.Xr libbsm 3 ,
642.Xr audit 4 ,
643.Xr auditpipe 4 ,
644.Xr audit 8
645.Sh HISTORY
646The OpenBSM implementation was created by McAfee Research, the security
647division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
648It was subsequently adopted by the TrustedBSD Project as the foundation for
649the OpenBSM distribution.
650.Sh AUTHORS
651The Basic Security Module (BSM) interface to audit records and audit event
652stream format were defined by Sun Microsystems.
653.Pp
654This manual page was written by
655.An Robert Watson Aq rwatson@FreeBSD.org .
656.Sh BUGS
657The
658.Dq How to print
659field in the
660.Dq arbitrary data
661token has undefined values.
662.Pp
663The
664.Dq in_addr
665and
666.Dq in_addr_ex
667token layout documented here appears to be in conflict with the
668.Xr libbsm 3
669implementation of
670.Xr au_to_in_addr_ex 3 .
671