
exec_args Token

The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:

  • A token ID field that identifies this token as an exec_args token

  • A count that represents the number of arguments that are passed to the exec() system call

The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_args token as follows:

exec_args,2,vi,/etc/security/audit_user

The following figure shows the format of an exec_args token.

Figure 23-8 exec_args Token Format



Note - The exec_args token is output only when the audit policy argv is active. The argv policy is not part of the default audit policy, so a trail collected with default settings records that a program was executed but not the arguments it was given; enable it with auditconfig -setpolicy +argv.


exec_env Token

The exec_env token records the environment variables that are passed to an exec() system call. The exec_env token has two fixed fields:

  • A token ID field that identifies this token as an exec_env token

  • A count that represents the number of environment strings that are passed to the exec() system call (25 in the example below)

The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_env token as follows:

exec_env,25,
GROUP=staff,HOME=/export/home/matrix,HOST=mestrix,HOSTTYPE=sun4u,HZ=100,
LC_COLLATE=en_US.ISO8859-1,LC_CTYPE=en_US.ISO8859-1,LC_MESSAGES=C,
LC_MONETARY=en_US.ISO8859-1,LC_NUMERIC=en_US.ISO8859-1,
LC_TIME=en_US.ISO8859-1,LOGNAME=matrix,MACHTYPE=sparc,
MAIL=/var/mail/matrix,OSTYPE=solaris,PATH=/usr/sbin:/usr/bin,PS1=#,
PWD=/var/audit,REMOTEHOST=192.168.13.5,SHELL=/usr/bin/csh,SHLVL=1,
TERM=dtterm,TZ=US/Pacific,USER=matrix,VENDOR=sun

The following figure shows the format of an exec_env token.

Figure 23-9 exec_env Token Format



Note - The exec_env token is output only when the audit policy arge is active. Like argv, the arge policy is not part of the default audit policy; enable it with auditconfig -setpolicy +arge when the trail needs to show environment variables such as PATH or LD_PRELOAD that can change what an executed program does.


exit Token

The exit token records the exit status of a program. The exit token contains the following fields:

  • A token ID that identifies this token as an exit token

  • A program exit status as passed to the exit() system call

  • A return value that describes the exit status or that provides a system error number

The praudit command displays the exit token as follows:

exit,Error 0,0

The following figure shows the format of an exit token.

Figure 23-10 exit Token Format


file Token

The file token is a special token that is generated by the audit daemon. The token marks the beginning of a new audit file and the end of an old audit file as the old file is deactivated. The audit daemon builds a special audit record that contains this token to "link" together successive audit files into one audit trail. The file token has four fields:

  • A token ID that identifies this token as a file token

  • A time and date stamp that identifies the time that the file was created or was closed

  • A byte count of the file name that includes a null terminator

  • A field that holds the null-terminated file name

The praudit command displays the file token as follows. The two timestamps in the file name are the times at which the audit file was opened and closed, in YYYYMMDDHHMMSS form, and the suffix is the name of the host that wrote the file:

file,Tue Sep  1 13:32:42 1992, + 79249 msec,
/var/audit/localhost/files/19990901202558.19990901203241.quisp

The following figure shows the format of a file token.

Figure 23-11 file Token Format


group Token (Obsolete)

This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the group token is provided here for completeness, but the application designer should use the newgroups token. Notice that praudit does not distinguish between the two tokens, as both token IDs are labeled group in praudit output.

The group token records the group entries from the process's credential. The group token has a fixed layout of two fields:

  • A token ID that identifies this token as a group token

  • An array of NGROUPS_MAX (16) group entries

Because the array is always written at its full size, the slots beyond the groups that the process actually holds are filled with -1, which is why the newgroups token, with its explicit count, requires less space. The praudit command displays the group token as follows:

group,staff,admin,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1

The following figure shows the format of a group token.

Figure 23-12 group Token Format



Note - The group token is output only when the audit policy group is active.


header Token

The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record. The header token has six fields:

  • A token ID field that identifies this token as a header token

  • A byte count of the total length of the audit record, including both the header and the trailer

  • A version number that identifies the version of the audit record structure

  • The audit event ID that identifies the type of audit event that the record represents

  • The ID modifier that identifies special characteristics of the audit event

  • The time and date that the record was created
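The byte layout of these tokens is given in this chapter's figures, which are not reproduced here. The following Python decoder is an added example and is not code from Sun or from this guide. The token ID values, field widths and trailer magic it uses are assumptions taken from the BSM record layout as implemented by OpenBSM (big-endian integers, 32-bit header and trailer), the event number it uses for execve is likewise an assumption, and the audit record it parses is constructed inline rather than taken from a real trail. It walks one record from header to trailer, checks that the lengths recorded in the header and the trailer agree before trusting any inner token, decodes the exec_args, exec_env, group and exit tokens described above, and then flags an exec_env entry that sets a dynamic-loader variable, which is the kind of evidence the arge policy exists to capture.

```python
import struct

# Token IDs, field widths and the trailer magic are an ASSUMPTION taken from the
# OpenBSM-compatible BSM record layout; this page's text does not give them.
AUT_HEADER32 = 0x14
AUT_TRAILER = 0x13
AUT_EXEC_ARGS = 0x3C
AUT_EXEC_ENV = 0x3D
AUT_EXIT = 0x52
AUT_GROUPS = 0x0B
TRAILER_MAGIC = 0xB105
NGROUPS_MAX = 16
AUE_EXECVE = 23          # assumed event number for execve
HEADER_LEN = 1 + 4 + 1 + 2 + 2 + 4 + 4   # id, length, version, event, modifier, sec, msec
TRAILER_LEN = 1 + 2 + 4                  # id, magic, length


def _cstrings(buf, off, count):
    """Read `count` null-terminated strings starting at buf[off]; return (strings, new offset)."""
    out = []
    for _ in range(count):
        end = buf.index(b"\x00", off)          # ValueError if the string is unterminated
        out.append(buf[off:end].decode("latin-1"))
        off = end + 1
    return out, off


def parse_record(buf):
    """Decode one audit record (header ... trailer) into a list of (token name, fields).

    Raises ValueError when the header length, trailer magic or trailer length do
    not agree with the bytes actually present: a reader must reject such a record
    rather than interpret tokens from a truncated or corrupted trail.
    """
    if not buf or buf[0] != AUT_HEADER32:
        raise ValueError("record does not start with a header token")
    rec_len, version, event, modifier, sec, msec = struct.unpack_from(">IBHHII", buf, 1)
    if rec_len != len(buf):
        raise ValueError(f"header says {rec_len} bytes, record is {len(buf)}")
    tokens = [("header", dict(length=rec_len, version=version, event=event,
                              modifier=modifier, sec=sec, msec=msec))]
    off = HEADER_LEN
    while off < len(buf):
        tid = buf[off]
        if tid == AUT_TRAILER:
            magic, tlen = struct.unpack_from(">HI", buf, off + 1)
            if magic != TRAILER_MAGIC or tlen != rec_len:
                raise ValueError("trailer magic or length does not match the header")
            tokens.append(("trailer", dict(length=tlen)))
            off += TRAILER_LEN
        elif tid in (AUT_EXEC_ARGS, AUT_EXEC_ENV):
            (count,) = struct.unpack_from(">I", buf, off + 1)   # number of strings that follow
            strings, off = _cstrings(buf, off + 5, count)
            tokens.append(("exec_args" if tid == AUT_EXEC_ARGS else "exec_env", strings))
        elif tid == AUT_EXIT:
            status, retval = struct.unpack_from(">II", buf, off + 1)
            tokens.append(("exit", dict(status=status, retval=retval)))
            off += 1 + 8
        elif tid == AUT_GROUPS:
            gids = struct.unpack_from(">" + "i" * NGROUPS_MAX, buf, off + 1)
            tokens.append(("group", [g for g in gids if g != -1]))   # -1 marks unused slots
            off += 1 + 4 * NGROUPS_MAX
        else:
            raise ValueError(f"unhandled token id {tid:#x} at offset {off}")
    if tokens[-1][0] != "trailer":
        raise ValueError("record is not terminated by a trailer token")
    return tokens


def suspicious_env(tokens, watch=("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")):
    """Return exec_env entries that set a dynamic-loader variable (assumed watch list)."""
    hits = []
    for name, fields in tokens:
        if name == "exec_env":
            hits += [e for e in fields if e.split("=", 1)[0] in watch]
    return hits


def _string_token(tid, strings):
    body = b"".join(s.encode() + b"\x00" for s in strings)
    return bytes([tid]) + struct.pack(">I", len(strings)) + body


def build_sample_record():
    """CONSTRUCTED sample record: execve of vi with LD_PRELOAD set in its environment."""
    body = (
        _string_token(AUT_EXEC_ARGS, ["vi", "/etc/security/audit_user"])
        + _string_token(AUT_EXEC_ENV, ["HOME=/export/home/matrix",
                                       "LD_PRELOAD=/tmp/evil.so",
                                       "PATH=/usr/sbin:/usr/bin"])
        + bytes([AUT_GROUPS]) + struct.pack(">16i", 10, 4, *([-1] * 14))
        + bytes([AUT_EXIT]) + struct.pack(">II", 0, 0)
    )
    total = HEADER_LEN + len(body) + TRAILER_LEN
    header = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", total, 2, AUE_EXECVE, 0, 715379562, 79249)
    trailer = bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, total)
    return header + body + trailer


if __name__ == "__main__":
    rec = build_sample_record()
    for name, fields in parse_record(rec):
        print(name, fields)
    print("loader variables in environment:", suspicious_env(parse_record(rec)))
```

The length check matters more than it looks: a trail cut off by a full file system or a crash ends in a partial record, and a reader that trusts the count in an exec_args or exec_env token without first reconciling the header and trailer lengths will read past the end of the record.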
