audit.log(4)

NAME

     audit.log - audit trail file


SYNOPSIS

     #include <bsm/audit.h>

     #include <bsm/audit_record.h>


DESCRIPTION

     audit.log files are the depository for audit records stored
     locally or on an audit server. These files are kept in the
     directories named in the file audit_control(4). They are
     named to reflect the time they are created and are, when
     possible, renamed to reflect the time they are closed as
     well. The name takes the form

          yyyymmddhhmmss.not_terminated.hostname

     when open or if auditd(1M) terminated ungracefully, and
     the form

          yyyymmddhhmmss.yyyymmddhhmmss.hostname

     when properly closed. yyyy is the year, mm the month, dd the
     day of the month, hh the hour of the day, mm the minute of
     the hour, and ss the second of the minute. All fields are of
     fixed width.

     The audit.log file begins with a standalone file token and
     typically ends with one also. The beginning file token
     records the pathname of the previous audit file, while the
     ending file token records the pathname of the next audit
     file. If the file name is NULL the appropriate path was
     unavailable.

     The audit.log files contain audit records. Each audit
     record is made up of audit tokens. Each record contains a
     header token followed by various data tokens. Depending on
     the audit policy set by auditon(2), optional other tokens
     such as trailers or sequences may be included.

     The tokens are defined as follows:

     The file token consists of:

     token ID                1 byte
     seconds of time         4 bytes
     milliseconds of time    4 bytes
     file name length        2 bytes
     file pathname           N bytes + 1 terminating NULL byte

     The header token consists of:

     token ID                1 byte
     record byte count       4 bytes
     version #               1 byte    [2]
     event type              2 bytes
     event modifier          2 bytes
     seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
     milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)

     The expanded header token consists of:

     token ID                1 byte
     record byte count       4 bytes
     version #               1 byte     [2]
     event type              2 bytes
     event modifier          2 bytes
     address type/length     4 bytes/16 bytes (IPv4/IPv6 address)
     machine address         4 bytes/16 bytes (IPv4/IPv6 address)
     seconds of time         4 bytes/8 bytes  (32/64-bits)
     milliseconds of time    4 bytes/8 bytes  (32/64-bits)

     The trailer token consists of:

     token ID                1 byte
     trailer magic number    2 bytes
     record byte count       4 bytes

     The arbitrary data token is defined:

     token ID                1 byte
     how to print            1 byte
     basic unit              1 byte
     unit count              1 byte
     data items              (depends on basic unit)

     The in_addr token consists of:

     token ID                1 byte
     internet address        4 bytes

     The expanded in_addr token consists of:

     token ID                1 byte
     IP address type/length  4 bytes/16 bytes (IPv4/IPv6 address)
     IP address             16 bytes

     The ip token consists of:

     token ID                1 byte
     version and ihl         1 byte
     type of service         1 byte
     length                  2 bytes
     id                      2 bytes
     offset                  2 bytes
     ttl                     1 byte
     protocol                1 byte
     checksum                2 bytes
     source address          4 bytes
     destination address     4 bytes

     The expanded ip token consists of:

     token ID                1 byte
     version and ihl         1 byte
     type of service         1 byte
     length                  2 bytes
     id                      2 bytes
     offset                  2 bytes
     ttl                     1 byte
     protocol                1 byte
     checksum                2 bytes
     address type/length     4 bytes
     source address          4 bytes/16 bytes (IPv4/IPv6 address)
     address type/length     4 bytes/16 bytes (IPv4/IPv6 address)
     destination address     4 bytes/16 bytes (IPv4/IPv6 address)

     The iport token consists of:

     token ID                1 byte
     IP port number          2 bytes

     The path token consists of:

     token ID                1 byte
     path length             2 bytes
     path                    N bytes + 1 terminating NULL byte

     The process token consists of:

     token ID                1 byte
     audit ID                4 bytes
     effective user ID       4 bytes
     effective group ID      4 bytes
     real user ID            4 bytes
     real group ID           4 bytes
     process ID              4 bytes
     session ID              4 bytes
     terminal ID
       port ID               4 bytes/8 bytes (32-bit/64-bit value)
       machine address       4 bytes

     The expanded process token consists of:

     token ID                1 byte
     audit ID                4 bytes
     effective user ID       4 bytes
     effective group ID      4 bytes
     real user ID            4 bytes
     real group ID           4 bytes
     process ID              4 bytes
     session ID              4 bytes
     terminal ID
       port ID               4 bytes/8 bytes (32-bit/64-bit value)
       address type/length   4 bytes/16 bytes (IPv4/IPv6 address)
       machine address      16 bytes

     The return token consists of:

     token ID                1 byte
     error number            1 byte
     return value            4 bytes/8 bytes (32-bit/64-bit value)

     The subject token consists of:

     token ID                1 byte
     audit ID                4 bytes
     effective user ID       4 bytes
     effective group ID      4 bytes
     real user ID            4 bytes
     real group ID           4 bytes
     process ID              4 bytes
     session ID              4 bytes
     terminal ID
       port ID               4 bytes/8 bytes (32-bit/64-bit value)
       machine address       4 bytes

     The expanded subject token consists of:

     token ID                1 byte
     audit ID                4 bytes
     effective user ID       4 bytes
     effective group ID      4 bytes
     real user ID            4 bytes
     real group ID           4 bytes
     process ID              4 bytes
     session ID              4 bytes
     terminal ID
       port ID               4 bytes/8 bytes (32-bit/64-bit value)
       address type/length   4 bytes/16 bytes (IPv4/IPv6 address)
       machine address      16 bytes

     The System V IPC token consists of:

     token ID                1 byte
     object ID type          1 byte
     object ID               4 bytes

     The text token consists of:

     token ID                1 byte
     text length             2 bytes
     text                    N bytes + 1 terminating NULL byte

     The attribute token consists of:

     token ID                1 byte
     file access mode        4 bytes
     owner user ID           4 bytes
     owner group ID          4 bytes
     file system ID          4 bytes
     node ID                 8 bytes
     device                  4 bytes/8 bytes (32-bit/64-bit)

     The groups token consists of:

     token ID                1 byte
     number groups           2 bytes
     group list              N * 4 bytes

     The System V IPC permission token consists of:

     token ID                1 byte
     owner user ID           4 bytes
     owner group ID          4 bytes
     creator user ID         4 bytes
     creator group ID        4 bytes
     access mode             4 bytes
     slot sequence #         4 bytes
     key                     4 bytes

     The arg token consists of:

     token ID                1 byte
     argument #              1 byte
     argument value          4 bytes/8 bytes (32-bit/64-bit value)
     text length             2 bytes
     text                    N bytes + 1 terminating NULL byte

     The exec_args token consists of:

     token ID                1 byte
     count                   4 bytes
     text                    count null-terminated string(s)

     The exec_env token consists of:

     token ID                1 byte
     count                   4 bytes
     text                    count null-terminated string(s)

     The exit token consists of:

     token ID                1 byte
     status                  4 bytes
     return value            4 bytes

     The socket token consists of:

     token ID                1 byte
     socket type             2 bytes
     remote port             2 bytes
     remote Internet address 4 bytes

     The expanded socket token consists of:

     token ID                1 byte
     socket domain           2 bytes
     socket type             2 bytes
     local port              2 bytes
     address type/length     4 bytes/16 bytes (IPv4/IPv6 address)
     local port              2 bytes
     local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
     remote port             2 bytes
     remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)

     The seq token consists of:

     token ID                1 byte
     sequence number         4 bytes
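     The layouts above are enough to walk a trail and check its
     framing. The following is an added example, not code from the
     man page or from the BSM library: it builds a constructed
     record (header, text, return, trailer) and parses it back,
     refusing records whose byte count runs past the data or whose
     trailer disagrees with the header. It assumes big-endian
     fields, that the text length counts the terminating NUL, and
     the numeric token IDs from <bsm/audit_record.h>, none of which
     this page states.

```python
import struct

# Token IDs and trailer magic as defined in <bsm/audit_record.h> (AUT_HEADER32,
# AUT_TEXT, AUT_RETURN32, AUT_TRAILER, AUT_TRAILER_MAGIC); the man page itself
# does not list the numeric values, so treat them as assumptions of this example.
AUT_HEADER32, AUT_TEXT, AUT_RETURN32, AUT_TRAILER = 0x14, 0x28, 0x27, 0x13
AUT_TRAILER_MAGIC = 0xB105
HEADER32_LEN, RETURN32_LEN, TRAILER_LEN = 18, 6, 7   # sizes from the layouts above

def build_record(event, sec, msec, text, err, val, modifier=0):
    """Constructed sample: header + text + return + trailer, big-endian fields.
    The text length field is taken to include the terminating NUL byte."""
    body = struct.pack(">BH", AUT_TEXT, len(text) + 1) + text.encode() + b"\0"
    body += struct.pack(">BBI", AUT_RETURN32, err, val)
    count = HEADER32_LEN + len(body) + TRAILER_LEN   # byte count of the whole record
    head = struct.pack(">BIBHHII", AUT_HEADER32, count, 2, event, modifier, sec, msec)
    return head + body + struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, count)

def parse_record(buf, off=0):
    """Parse one version-2 record at buf[off]; return (record, next_offset).
    Raises ValueError when the record is truncated or the trailer disagrees
    with the header, which is how a corrupt or tampered trail shows up."""
    tok, count, ver, ev, mod, sec, msec = struct.unpack_from(">BIBHHII", buf, off)
    if tok != AUT_HEADER32 or ver != 2:
        raise ValueError("no version-2 header token at offset %d" % off)
    end = off + count
    if end > len(buf):
        raise ValueError("record byte count %d runs past end of data" % count)
    rec = {"event": ev, "modifier": mod, "sec": sec, "msec": msec, "tokens": []}
    pos = off + HEADER32_LEN
    while pos < end:
        t = buf[pos]
        if t == AUT_TEXT:
            (n,) = struct.unpack_from(">H", buf, pos + 1)
            rec["tokens"].append(("text", buf[pos + 3:pos + 2 + n].decode()))
            pos += 3 + n
        elif t == AUT_RETURN32:
            rec["tokens"].append(("return",) + struct.unpack_from(">BI", buf, pos + 1))
            pos += RETURN32_LEN
        elif t == AUT_TRAILER:
            magic, tcount = struct.unpack_from(">HI", buf, pos + 1)
            if magic != AUT_TRAILER_MAGIC or tcount != count:
                raise ValueError("trailer does not match header at offset %d" % pos)
            pos += TRAILER_LEN
        else:
            raise ValueError("unsupported token ID 0x%02x at offset %d" % (t, pos))
    if pos != end:
        raise ValueError("token lengths do not add up to the record byte count")
    return rec, end
```

     The returned offset is where the next header token starts, so
     a whole trail is read by calling parse_record in a loop until
     the data is exhausted.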


SEE ALSO

     audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2),
     au_to(3BSM), audit_control(4)


NOTES

     Each token is generally written using the au_to(3BSM) family
     of function calls.

     The functionality described in this man page is available
     only if the Basic Security Module (BSM) has been enabled.
     See bsmconv(1M) for more information.
