Sun Microsystems, Inc.

25. BSM Services Reference: Audit Token Formats
file Token

The file token is a special token that is generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old audit trail file as it is deactivated. The audit daemon builds a special audit record that contains this token to "link" together successive audit files into one audit trail. The file token has four fields:

  • a token ID that identifies this token as a file token

  • a time and date stamp that identifies the time that the file was created or closed

  • a byte count of the file name that includes a null terminator

  • a field that holds the null-terminated file name

The praudit command displays the file token as follows:

file,Tue Sep  1 13:32:42 1992, + 79249 msec,
	/var/audit/localhost/files/19990901202558.19990901203241.quisp

The following figure shows the format of a file token.

Figure 25-11 file Token Format

groups Token (Obsolete)

This token has been replaced by the newgroups token, which provides the same type of information but requires less space. A description of the groups token is provided here for completeness, but the application designer should use the newgroups token. Notice that praudit does not distinguish between the two tokens, as both token IDs are labelled groups when ASCII output is displayed.

The groups token records the groups entries from the process's credential. The groups token has two fixed fields:

  • A token ID that identifies this token as a groups token

  • An array of groups entries of size NGROUPS_MAX (16)

The remainder of the token consists of zero or more group entries. The praudit command displays the group token as follows:

group,staff,admin,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1

The following figure shows the format of a groups token.

Figure 25-12 groups Token Format


Note - The groups token is output only when the audit policy group is active.


header Token

The header token is special in that it marks the beginning of an audit record and combines with the trailer token to bracket all the other tokens in the record. The header token has six fields:

  • a token ID field that identifies this token as a header token

  • a byte count of the total length of the audit record, including both the header and the trailer

  • a version number that identifies the version of the audit record structure

  • the audit event ID that identifies the type of audit event that the record represents

  • the ID modifier that identifies special characteristics of the audit event

  • the time and date that the record was created

On 64-bit systems, the header token is displayed with a 64-bit time stamp, in place of the 32-bit time stamp.

The praudit command displays the header token for an ioctl() system call as follows:

header,240,1,ioctl(2),es,Tue Sept  1 16:11:44 2001, + 270000 msec

The following figure shows the format of a header token.

Figure 25-13 header Token Format

The ID modifier field has the following flags defined:

0x4000    PAD_NOTATTR    nonattributable event
0x8000    PAD_FAILURE    fail audit event

in_addr Token

The in_addr token contains a 4-byte Internet Protocol address. The in_addr token has two fields:

  • a token ID that identifies this token as an ip address token

  • an Internet address

The praudit command displays the in_addr token as follows:

ip address,129.150.113.7

For the Solaris 8 release, the Internet address can be displayed as an IPv4 address that uses 4 bytes, or as an IPv6 address that uses 16 bytes to describe the type, and 16 bytes to describe the address.

The following figure shows the format of an in_addr token.

Figure 25-14 in_addr Token Format

ip Token

The ip token contains a copy of an Internet Protocol header but does not include any IP options. The IP options can be added by including more of the IP header in the token. The ip token has two fields:

  • a token ID that identifies this token as an ip token

  • a copy of the IP header (all 20 bytes)

The praudit command displays the ip token as follows:

ip address,0.0.0.0

The IP header structure is defined in the /usr/include/netinet/ip.h file. The following figure shows the format of an ip token.

Figure 25-15 ip Token Format

ipc Token

The ipc token contains the System V IPC message/semaphore/shared-memory handle that is used by the caller to identify a particular IPC object. The ipc token has three fields:

  • a token ID that identifies this token as an IPC token

  • a type field that specifies the type of IPC object

  • the handle that identifies the IPC object

The praudit command displays the ipc token as follows:

IPC,msg,3

Note - The IPC object identifiers violate the context-free nature of the Solaris CMW audit tokens. No global "name" uniquely identifies IPC objects. Instead, they are identified by their handles, which are valid only during the time the IPC objects are active. The identification should not be a problem since the System V IPC mechanisms are seldom used, and they all share the same audit class.


The following table shows the possible values for the IPC object type field. The values are defined in the /usr/include/bsm/audit.h file.

Table 25-8 Values for the IPC Object Type Field

Name          Value    Description
AU_IPC_MSG    1        IPC message object
AU_IPC_SEM    2        IPC semaphore object
AU_IPC_SHM    3        IPC shared-memory object

The following figure shows the format of an ipc token.

Figure 25-16 ipc Token Format
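The following is an added example, not part of the Sun manual, that walks a constructed audit record through the header, in_addr, ipc and trailer tokens described in this chapter, decoding the ID modifier flags and the IPC object type values listed above. The token ID byte values, field widths, trailer magic number and event ID are assumptions taken from the bsm/audit_record.h layout and should be checked against your system's header.

```python
import struct

# Token ID byte values and trailer magic: assumed from bsm/audit_record.h, not stated on this page.
AUT_HEADER32, AUT_TRAILER, AUT_IN_ADDR, AUT_IPC = 0x14, 0x13, 0x2D, 0x22
TRAILER_MAGIC = 0xB105
# Values given on this page:
PAD_NOTATTR, PAD_FAILURE = 0x4000, 0x8000
IPC_TYPES = {1: "msg", 2: "sem", 3: "shm"}  # AU_IPC_MSG, AU_IPC_SEM, AU_IPC_SHM

def parse_record(buf):
    """Walk one audit record: header, zero or more body tokens, trailer.
    Returns the decoded tokens; raises ValueError on a malformed record."""
    # 32-bit header (assumed layout): id(1) byte count(4) version(1) event(2) modifier(2) sec(4) msec(4)
    tid, count, version, event, mod, sec, msec = struct.unpack_from(">BIBHHII", buf, 0)
    if tid != AUT_HEADER32:
        raise ValueError("record does not start with a header token")
    if count != len(buf):
        raise ValueError("header byte count %d != record length %d" % (count, len(buf)))
    flags = [name for name, bit in (("PAD_NOTATTR", PAD_NOTATTR), ("PAD_FAILURE", PAD_FAILURE))
             if mod & bit]
    tokens = [{"token": "header", "version": version, "event": event,
               "modifier": flags, "sec": sec, "msec": msec}]
    off = 18
    while off < len(buf):
        tid = buf[off]
        if tid == AUT_IN_ADDR:  # id(1) + 4-byte IPv4 address
            tokens.append({"token": "in_addr",
                           "addr": ".".join(str(b) for b in buf[off + 1:off + 5])})
            off += 5
        elif tid == AUT_IPC:  # id(1) + object type(1) + handle(4)
            ipc_type, handle = struct.unpack_from(">BI", buf, off + 1)
            tokens.append({"token": "ipc", "type": IPC_TYPES.get(ipc_type, "unknown"),
                           "handle": handle})
            off += 6
        elif tid == AUT_TRAILER:  # id(1) + magic(2) + byte count(4), must agree with the header
            magic, tcount = struct.unpack_from(">HI", buf, off + 1)
            if magic != TRAILER_MAGIC or tcount != count:
                raise ValueError("bad trailer")
            tokens.append({"token": "trailer"})
            return tokens
        else:
            raise ValueError("unsupported token ID 0x%02x at offset %d" % (tid, off))
    raise ValueError("record ended without a trailer token")

def build_sample_record():
    """Constructed sample: a failed event (event ID 158 and the timestamp are constructed
    values) carrying an IPv4 address and a System V message-queue handle of 3."""
    body = bytes([AUT_IN_ADDR, 129, 150, 113, 7]) + struct.pack(">BBI", AUT_IPC, 1, 3)
    total = 18 + len(body) + 7
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 1, 158, PAD_FAILURE, 999360704, 270)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)
    return header + body + trailer

if __name__ == "__main__":
    for tok in parse_record(build_sample_record()):
        print(tok)
```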
