arg Token
The arg token contains system call argument information: the argument number of the system call, the argument value, and an optional description. This token carries a 32-bit integer system-call argument in an audit record. The arg token has five fields:
a token ID that identifies this token as an arg token
an argument ID that tells which system call argument the token refers to
the argument value
the length of the descriptive text string
the text string
The praudit command displays the arg token as follows:
argument,1,0x00000000,addr
The following figure shows the format of the arg token.
Figure 25-6 arg Token Format
attr Token
The attr token contains information from the file vnode. This token has seven fields:
a token ID that identifies this token as an attr token
the file access mode and type
the owner user ID
the owner group ID
the file system ID
the inode ID
the device ID the file might represent
See the statvfs(2) man page for further information about the file system ID and the device ID.
The attr token usually accompanies a path token and is produced during path searches. In the event of a path-search error, the attr token is not included as part of the audit record since there is no vnode available to obtain the necessary file information. The praudit command displays the attr token as follows:
attribute,100555,root,staff,1805,13871,-4288
The following figure shows the format of an attr token.
Figure 25-7 attr Token Format
exec_args Token
The exec_args token records the arguments to an exec() system call. The exec_args token has two fixed fields:
a token ID field that identifies this token as an exec_args token
a count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_args token as follows:
vi,/etc/security/audit_user
The following figure shows the format of an exec_args token.
Figure 25-8 exec_args Token Format
Note - The exec_args token is output only when the audit policy argv is active.
exec_env Token
The exec_env token records the current environment variables to an exec() system call. The exec_env token has two fixed fields:
a token ID field that identifies this token as an exec_env token
a count that represents the number of arguments that are passed to the exec() system call
The remainder of this token is composed of zero or more null-terminated strings. The praudit command displays the exec_env token as follows:
exec_env,25,GROUP=staff,HOME=/export/home/matrix,HOST=mestrix,HOSTTYPE=sun4,HZ=100,LC_COLLATE=en_US.ISO8859-1,LC_CTYPE=en_US.ISO8859-1,LC_MESSAGES=C,LC_MONETARY=en_US.ISO8859-1,LC_NUMERIC=en_US.ISO8859-1,LC_TIME=en_US.ISO8859-1,LOGNAME=matrix,MACHTYPE=sparc,MAIL=/var/mail/matrix,OSTYPE=solaris,PATH=/usr/sbin:/usr/bin,PS1=#,PWD=/var/audit,REMOTEHOST=209.198.087.208,SHELL=/usr/bin/csh,SHLVL=1,TERM=dtterm,TZ=US/Pacific,USER=matrix,VENDOR=sun
The following figure shows the format of an exec_env token.
Figure 25-9 exec_env Token Format
Note - The exec_env token is output only when the audit policy arge is active.
exit Token
The exit token records the exit status of a program. The exit token contains the following fields:
a token ID that identifies this token as an exit token
a program exit status as passed to the exit() system call
a return value that describes the exit status or provides a system error number
The praudit command displays the exit token as follows:
exit,Error 0,0
The following figure shows the format of an exit token.
Figure 25-10 exit Token Format
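The praudit text lines shown for the arg, attr, exec_env and exit tokens above can be turned back into structured records for review. The parser below is an added example, not part of this manual or of praudit; it assumes the field layouts described in the sections above, and it assumes (not shown on this page) that exec_args is printed with the same name,count,string... layout as exec_env. Because praudit's text form separates fields with commas, a string that itself contains a comma cannot be recovered unambiguously, so the parser checks the count field against the number of strings it actually found.

```python
import re

# Constructed sample: the praudit lines quoted in the sections above.
SAMPLE = [
    "argument,1,0x00000000,addr",
    "attribute,100555,root,staff,1805,13871,-4288",
    "exec_env,25,GROUP=staff,HOME=/export/home/matrix,HOST=mestrix,HOSTTYPE=sun4,"
    "HZ=100,LC_COLLATE=en_US.ISO8859-1,LC_CTYPE=en_US.ISO8859-1,LC_MESSAGES=C,"
    "LC_MONETARY=en_US.ISO8859-1,LC_NUMERIC=en_US.ISO8859-1,LC_TIME=en_US.ISO8859-1,"
    "LOGNAME=matrix,MACHTYPE=sparc,MAIL=/var/mail/matrix,OSTYPE=solaris,"
    "PATH=/usr/sbin:/usr/bin,PS1=#,PWD=/var/audit,REMOTEHOST=209.198.087.208,"
    "SHELL=/usr/bin/csh,SHLVL=1,TERM=dtterm,TZ=US/Pacific,USER=matrix,VENDOR=sun",
    "exit,Error 0,0",
]


def parse_praudit_token(line):
    """Parse one praudit text line into a dict keyed by the token's fields."""
    fields = [f.strip() for f in line.strip().split(",")]
    kind = fields[0]
    if kind == "argument":      # argument,<arg id>,<hex value>,<description>
        return {"token": "arg", "arg_id": int(fields[1]), "value": int(fields[2], 16),
                "text": fields[3] if len(fields) > 3 else ""}
    if kind == "attribute":     # attribute,<mode>,<owner>,<group>,<fs id>,<inode>,<device>
        mode = int(fields[1], 8)  # octal; file type bits are included (100555 = regular file)
        return {"token": "attr", "mode": mode & 0o7777,
                "is_regular_file": (mode & 0o170000) == 0o100000,
                "owner": fields[2], "group": fields[3], "fsid": int(fields[4]),
                "inode": int(fields[5]), "device": int(fields[6])}
    if kind in ("exec_args", "exec_env"):  # <name>,<count>,<string>,...
        count, strings = int(fields[1]), fields[2:]
        rec = {"token": kind, "count": count, "strings": strings,
               "count_matches": count == len(strings)}
        if kind == "exec_env":
            # An element without '=' is not a NAME=value pair; most likely a value
            # containing a comma was split, so the record should be treated as suspect.
            rec["malformed"] = [s for s in strings if "=" not in s]
        return rec
    if kind == "exit":          # exit,<status description>,<return value>
        m = re.fullmatch(r"Error (\d+)", fields[1])
        return {"token": "exit", "status": fields[1],
                "errno": int(m.group(1)) if m else None, "retval": int(fields[2])}
    raise ValueError("unsupported praudit token: " + kind)


def parse_all(lines=SAMPLE):
    """Parse a list of praudit lines; returns the records in order."""
    return [parse_praudit_token(line) for line in lines]
```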