newgroups Token

This token replaces the group token. Notice that the praudit command does not distinguish between the two tokens, as both token IDs are labeled group in praudit output.

The newgroups token records the group entries from the process's credential. The newgroups token has two fixed fields:

• A token ID field that identifies this token as a newgroups token

• A count that represents the number of groups that are contained in this audit record

The remainder of this token is composed of zero or more group entries. The praudit command displays the newgroups token as follows:

group, staff, admin

The following figure shows the format of a newgroups token.

Figure 23-19 newgroups Token Format

Note - The newgroups token is output only when the group audit policy is active.

opaque Token

The opaque token contains unformatted data as a sequence of bytes. The opaque token has three fields:

• A token ID that identifies this token as an opaque token

• A byte count of the data

• An array of byte data

The praudit command displays the opaque token as follows:

opaque,12,0x4f5041515545204441544100

The following figure shows the format of an opaque token.

Figure 23-20 opaque Token Format

path Token

The path token contains access path information for an object. This token contains the following fields:

• A token ID that identifies this token as an path token

• A byte count of the path length

• The absolute path to the object that is based on the real root of the system

The praudit command displays the path token as follows. Note that the path length field is not displayed.

path,/etc/security/audit_user

The following figure shows the format of a path token.

Figure 23-21 path Token Format

process Token

The process token contains information about a user who is associated with a process, such as the recipient of a signal. The process token has nine fields:

• A token ID that identifies this token as a process token

• The invariant audit ID

• The effective user ID

• The effective group ID

• The real user ID

• The real group ID

• The process ID

• The audit session ID

• A terminal ID that consists of a device ID and a machine ID

The audit ID, user ID, group ID, process ID, and session ID are long instead of short.

Note - The process token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.

Any token that contains a terminal ID has several variations. The praudit command hides these variations. So, the terminal ID is handled the same way for any token that contains a terminal ID. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.

The terminal ID for device numbers is specified as follows:

• 32-bit applications - 4-byte device number, 4-bytes unused

• 64-bit applications - 8-byte device number, 4-bytes unused

The terminal ID for port numbers in releases that are earlier than the Solaris 8 release is specified as follows:

• 32-bit applications - 4-byte port number, 4-byte IP address

• 64-bit applications - 8-byte port number, 4-byte IP address

The terminal ID for port numbers in the Solaris 8 release or the Solaris 9 release is specified as follows:

• 32-bit with IPv4 - 4-byte port number, 4-byte IP type, 4-byte IP address

• 32-bit with IPv6 - 4-byte port number, 4-byte IP type, 16-byte IP address

• 64-bit with IPv4 - 8-byte port number, 4-byte IP type, 4-byte IP address

• 64-bit with IPv6 - 8-byte port number, 4-byte IP type, 16-byte IP address