
The terminal ID for port numbers in the Solaris 8 release or the Solaris 9 release is specified as follows:

  • 32-bit with IPv4 - 4-byte port number, 4-byte IP type, 4-byte IP address

  • 32-bit with IPv6 - 4-byte port number, 4-byte IP type, 16-byte IP address

  • 64-bit with IPv4 - 8-byte port number, 4-byte IP type, 4-byte IP address

  • 64-bit with IPv6 - 8-byte port number, 4-byte IP type, 16-byte IP address

The subject token is always returned as part of kernel-generated audit records for system calls. The praudit command displays the subject token as follows:

subject,cjc,cjc,staff,cjc,staff,424,223,0 0 quisp

The following figure shows the format of the subject token.

Figure 23-26 subject Token Format


text Token

The text token contains a text string. This token has three fields:

  • A token ID that identifies this token as a text token

  • The length of the text string

  • The text string itself

The praudit command displays the text token as follows:

text,aw_test_token

The following figure shows the format of a text token.

Figure 23-27 text Token Format


trailer Token

The two tokens, header and trailer, are special in that they distinguish the end points of an audit record and bracket all the other tokens. A header token begins an audit record. A trailer token ends an audit record. The trailer token is an optional token. The trailer token is added as the last token of each record only when the trail audit policy has been set.

If an audit record was generated with trailers turned on, the auditreduce command verifies that the trailer points back to the record header correctly. The trailer token supports backward seeks of the audit trail.

The trailer token has three fields:

  • A token ID that identifies this token as a trailer token

  • A pad number to aid in marking the end of the record

  • The total number of characters in the audit record, including both the header and trailer tokens

The praudit command displays the trailer token as follows:

trailer,136

The following figure shows the format of a trailer token.

Figure 23-28 trailer Token Format

Diagram shows the format for a trailer token, which includes a Token ID, then a Pad number, then a Byte count.
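As an added example (not code from the Sun documentation), the following Python constructs a minimal audit record of a header token, one text token and a trailer token, then parses it and performs the check that auditreduce applies when trailers are enabled: the trailer's byte count must point back to the header, that is, match the header's byte count and the actual record length. The token ID values and field sizes are assumptions taken from the audit.log(4) record layout, not from this page.

```python
import struct

# Assumed constants and sizes (from the audit.log(4) layout, not this page);
# every multi-byte field is big-endian.
AUT_HEADER32 = 0x14     # 32-bit header token ID
AUT_TRAILER = 0x13      # trailer token ID
AUT_TEXT = 0x28         # text token ID
TRAILER_MAGIC = 0xB105  # the "pad number" that marks the end of a record
HEADER_LEN = 18         # ID(1) + byte count(4) + version(1) + event(2) + modifier(2) + sec(4) + msec(4)
TRAILER_LEN = 7         # ID(1) + pad number(2) + byte count(4)


def build_record(text: str) -> bytes:
    """Constructed sample: header + text token + trailer, as written with the trail policy on."""
    body = struct.pack(">BH", AUT_TEXT, len(text) + 1) + text.encode() + b"\0"
    total = HEADER_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 2, 0, 0, 0, 0)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)
    return header + body + trailer


def parse_record(rec: bytes) -> dict:
    """Parse one record and report whether its trailer points back to the header correctly."""
    tid, count, _ver, evt, _mod, _sec, _msec = struct.unpack_from(">BIBHHII", rec, 0)
    if tid != AUT_HEADER32:
        raise ValueError("record does not start with a header token")
    tokens, off = [], HEADER_LEN
    while off < len(rec):
        ttype = rec[off]
        if ttype == AUT_TEXT:
            # text token: ID, 2-byte length (includes the terminating NUL), the string
            (length,) = struct.unpack_from(">H", rec, off + 1)
            tokens.append(("text", rec[off + 3:off + 3 + length].rstrip(b"\0").decode()))
            off += 3 + length
        elif ttype == AUT_TRAILER:
            magic, tcount = struct.unpack_from(">HI", rec, off + 1)
            off += TRAILER_LEN
            # the auditreduce-style check: pad number present, trailer count == header count == real length
            ok = magic == TRAILER_MAGIC and tcount == count == off
            tokens.append(("trailer", tcount))
            return {"event": evt, "byte_count": count, "tokens": tokens, "trailer_ok": ok}
        else:
            raise ValueError(f"unsupported token ID 0x{ttype:02x} at offset {off}")
    # no trailer token: cannot verify, which is what an untrailed record looks like
    return {"event": evt, "byte_count": count, "tokens": tokens, "trailer_ok": False}
```

The same parser flags a record whose trailer byte count has been altered, which is the corruption auditreduce's check is there to catch.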

Device Allocation Reference

Device allocation protects removable media from unauthorized use. You can require that a user allocate a device. You can deny a user permission to use a device. Such allocation measures can protect your site from loss of data, computer viruses, and other security breaches. The following section provides information about device allocation.

Components of the Device-Allocation Mechanism

The components of the device-allocation mechanism are as follows:

  • The allocate, deallocate, dminfo, and list_devices commands. For more information, see Using the Device Allocation Commands.

  • The /etc/security/device_allocate file. See the device_allocate(4) man page.

  • The /etc/security/device_maps file. See the device_maps(4) man page.

  • A lock file in the /etc/security/dev directory for each allocatable device.

  • The changed attributes of the device-special files that are associated with each allocatable device.

  • Device-clean scripts for each allocatable device.

The device_allocate file, the device_maps file, and the lock files are local configuration files. These files are not administered as name service databases because tape drives, diskette drives, and printers connect to specific machines.

Using the Device Allocation Commands

This section describes some of the options to the allocate, deallocate, and list_devices commands that are for use by administrators. Only root or a role of equivalent power can access these options. The commands are detailed on their respective man pages.

Table 23-8 Administrative Options to the Device Allocation Commands

Command With Option / Description

allocate -F device_special_filename
    Reallocates the specified device. This option is often used with the -U option to reallocate the specified device to the specified user. Without the -U option, the device is allocated to root.

allocate -U username
    Causes the device to be allocated to the user who is specified rather than to the current user. This option allows you to allocate a device for another user, without having to assume that user's identity.

deallocate -F device_special_filename
    Forces the deallocation of a device. Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. When a user forgets to deallocate a tape drive, you can force deallocation by using the -F option.

deallocate -I
    Forces the deallocation of all allocatable devices. This option should be used only at system initialization.

list_devices
    Lists all the device-special files that are associated with any device that is listed in the device_maps file.

list_devices -U username
    Lists the devices that are allocatable or allocated to the user ID that is associated with the specified user name. This option allows you to check which devices are allocatable or allocated to another user.

The Allocate Error State

An allocatable device is in the allocate error state if it is owned by user bin and group bin with a device-special file mode of 0100. If a user wants to allocate a device that is in the allocate error state, you can try to force the deallocation of the device. The deallocate command with the -F option forces deallocation. Or, you can use allocate -U to assign the device to the user. Once the device is allocated, you can investigate any error messages that appear. After any problems with the device are corrected, you must use the force option, -F, to clear the allocate error state from the device.
