
On 64-bit systems, the header token is displayed with a 64-bit time stamp, in place of the 32-bit time stamp.

The praudit command displays the header token for an ioctl() system call as follows:

header,240,1,ioctl(2),es,Tue Sept  1 16:11:44 2001, + 270000 msec

The following figure shows the format of a header token.

Figure 23-13 header Token Format


The ID modifier field has the following flags defined:

0x4000    PAD_NOTATTR    nonattributable event
0x8000    PAD_FAILURE    fail audit event

in_addr Token

The in_addr token contains an Internet Protocol address. Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 16 bytes to describe the type, and 16 bytes to describe the address. The in_addr token has two fields:

  • A token ID that identifies this token as an in_addr token

  • An Internet address

The praudit command displays the in_addr token as follows:

ip address,129.150.113.7

The following figure shows the format of an in_addr token.

Figure 23-14 in_addr Token Format


ip Token (Obsolete)

The ip token contains a copy of an Internet Protocol header. The ip token has two fields:

  • A token ID that identifies this token as an ip token

  • A copy of the IP header, that is, all 20 bytes

The praudit command displays the ip token as follows:

ip address,0.0.0.0

The IP header structure is defined in the /usr/include/netinet/ip.h file. The following figure shows the format of an ip token.

Figure 23-15 ip Token Format


ipc Token

The ipc token contains the System V IPC message/semaphore/shared-memory handle that is used by the caller to identify a particular IPC object. The ipc token has three fields:

  • A token ID that identifies this token as an IPC token

  • A type field that specifies the type of IPC object

  • The handle that identifies the IPC object

The praudit command displays the ipc token as follows:

IPC,msg,3


Note - The IPC object identifiers violate the context-free nature of the Solaris audit tokens. No global "name" uniquely identifies IPC objects. Instead, IPC objects are identified by their handles. The handles are valid only during the time that the IPC objects are active. However, the identification of IPC objects should not be a problem. The System V IPC mechanisms are seldom used, and the mechanisms all share the same audit class.


The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.

Table 23-7 Values for the IPC Object Type Field

Name          Value    Description
AU_IPC_MSG    1        IPC message object
AU_IPC_SEM    2        IPC semaphore object
AU_IPC_SHM    3        IPC shared-memory object

The following figure shows the format of an ipc token.

Figure 23-16 ipc Token Format


ipc_perm Token

The ipc_perm token contains a copy of the System V IPC access information. This token is added to audit records that are generated by IPC shared-memory events, IPC semaphore events, and IPC message events. The ipc_perm token has eight fields:

  • A token ID that identifies this token as an ipc_perm token

  • The user ID of the IPC owner

  • The group ID of the IPC owner

  • The user ID of the IPC creator

  • The group ID of the IPC creator

  • The access modes of the IPC

  • The sequence number of the IPC

  • The IPC key value

The praudit command displays the ipc_perm token as follows:

IPC perm,root,wheel,root,wheel,0,0,0x00000000

The values are taken from the ipc_perm structure that is associated with the IPC object. The following figure shows the format of an ipc_perm token.

Figure 23-17 ipc_perm Token Format


iport Token

The iport token contains the TCP or UDP port address. The iport token has two fields:

  • A token ID that identifies this token as an iport token

  • The TCP or UDP port address

The praudit command displays the iport token as follows:

ip port,0xf6d6

The following figure shows the format of an iport token.

Figure 23-18 iport Token Format
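
The following parser is an added example, not part of the original documentation or of the Solaris tools. It turns the praudit text displays shown above for the in_addr, ipc, ipc_perm, and iport tokens into structured fields and rejects malformed lines. The dictionary key names and the function names are assumptions chosen for this example.

```python
import ipaddress

# Sample lines taken from the praudit displays shown on this page.
SAMPLE = [
    "ip address,129.150.113.7",
    "IPC,msg,3",
    "IPC perm,root,wheel,root,wheel,0,0,0x00000000",
    "ip port,0xf6d6",
]

# Key names are chosen for this example; field order follows the page.
IPC_PERM_KEYS = ("owner_uid", "owner_gid", "creator_uid", "creator_gid",
                 "mode", "seq", "key")

def _fields(name, rest, count):
    """Split the comma-separated fields and enforce the expected count."""
    parts = rest.split(",")
    if len(parts) != count or any(p == "" for p in parts):
        raise ValueError(f"{name!r}: expected {count} field(s), got {rest!r}")
    return parts

def parse_token(line):
    """Return (label, fields) for one praudit line; ValueError if malformed."""
    name, _, rest = line.strip().partition(",")
    if name == "ip address":
        # On this page the in_addr token and the obsolete ip token share this label.
        addr = ipaddress.ip_address(_fields(name, rest, 1)[0])
        return name, {"address": str(addr), "version": addr.version}
    if name == "IPC":
        obj_type, handle = _fields(name, rest, 2)
        return name, {"type": obj_type, "handle": int(handle)}
    if name == "IPC perm":
        rec = dict(zip(IPC_PERM_KEYS, _fields(name, rest, 7)))
        rec["key"] = int(rec["key"], 16)  # displayed as 0x-prefixed hex
        return name, rec                  # mode and seq stay as displayed text
    if name == "ip port":
        port = int(_fields(name, rest, 1)[0], 16)
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port out of range: {port}")
        return name, {"port": port}
    raise ValueError(f"unsupported token: {name!r}")

def parse_lines(lines):
    """Parse every line, collecting malformed ones instead of aborting."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_token(line))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return good, bad
```

Because IPC handles are valid only while the object is active, a consumer of these fields should correlate an ipc handle with the rest of its audit record rather than treat it as a global identifier.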
