
The praudit command displays the process token as follows:

process,root,root,wheel,root,wheel,0,0,0,0.0.0.0

The following figure shows the format of a process token.

Figure 23-22 process Token Format


return Token

The return token contains the return status of the system call (u_error) and the process return value (u_rval1). This token has three fields:

  • A token ID that identifies this token as a return token

  • The error status of the system call

  • The return value of the system call

The return token is always returned as part of kernel-generated audit records for system calls. This token indicates exit status and other return values in application auditing.

The praudit command displays the return token as follows:

return,success,0

The following figure shows the format of a return token.

Figure 23-23 return Token Format


seq Token

The sequence token, seq, is an optional token that contains a sequence number. Used for debugging, this token is added to each audit record when the seq policy is active. The seq token has two fields:

  • A token ID that identifies this token as a seq token

  • A 32-bit unsigned long field that contains the sequence number

The sequence number is incremented every time an audit record is generated and added to the audit trail. The praudit command displays the seq token as follows:

sequence,1292

The following figure shows the format of a seq token.

Figure 23-24 seq Token Format



Note - The seq token is output only when the seq audit policy is active.


socket Token

The socket token contains information that describes an Internet socket. This token has six fields:

  • A token ID that identifies this token as a socket token

  • A socket type field that indicates the type of socket referenced, one of TCP, UDP, or UNIX

  • The local port address

  • The local Internet address

  • The remote port address

  • The remote Internet address

The praudit command displays the socket token as follows:

socket,0x0000,0x0000,0.0.0.0,0x0000,0.0.0.0

Since the Solaris 8 release, the Internet address can be displayed in IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6 address uses 16 bytes to describe the type, and 16 bytes to describe the address. The following figure shows the format of a socket token.

Figure 23-25 socket Token Format


subject Token

The subject token describes a user who performs or attempts to perform an operation. The format is the same as the process token. The subject token has nine fields:

  • An ID that identifies this token as a subject token

  • The invariant audit ID

  • The effective user ID

  • The effective group ID

  • The real user ID

  • The real group ID

  • The process ID

  • The audit session ID

  • A terminal ID that consists of a device ID and a machine ID

The audit ID, user ID, group ID, process ID, and session ID are long instead of short.


Note - The subject token fields for the session ID, the real user ID, or the real group ID might be unavailable. The value is then set to -1.


Any token that contains a terminal ID has several variations. The praudit command hides these variations. So, the terminal ID is handled the same way for any token that contains a terminal ID. The terminal ID is either an IP address and port number, or a device ID. A device ID, such as the serial port that is connected to a modem, can be zero. The terminal ID is specified in one of several formats.

The terminal ID for device numbers is specified as follows:

  • 32-bit applications - 4-byte device number, 4 bytes unused

  • 64-bit applications - 8-byte device number, 4 bytes unused

The terminal ID for port numbers in releases that are earlier than the Solaris 8 release is specified as follows:

  • 32-bit applications - 4-byte port number, 4-byte IP address

  • 64-bit applications - 8-byte port number, 4-byte IP address
