diff options
Diffstat (limited to 'contrib/openbsm/man/audit.log.5')
-rw-r--r-- | contrib/openbsm/man/audit.log.5 | 622 |
1 files changed, 622 insertions, 0 deletions
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5 new file mode 100644 index 0000000..5d2dec4 --- /dev/null +++ b/contrib/openbsm/man/audit.log.5 @@ -0,0 +1,622 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $ +.\" +.Dd May 1, 2005 +.Dt AUDIT.LOG 5 +.Os +.Sh NAME +.Nm audit +.Nd "Basic Security Module (BSM) File Format" +.Sh DESCRIPTION +The +.Nm +file format is based on Sun's Basic Security Module (BSM) file format, a +token-based record stream to represent system audit data. +This file format is both flexible and extensible, able to describe a broad +range of data types, and easily extended to describe new data types in a +moderately backward and forward compatible way. +.Pp +BSM token streams typically begin and end with a +.Dv file +token, which provides time stamp and file name information for the stream; +when processing a BSM token stream from a stream as opposed to a single file +source, file tokens may be seen at any point between ordinary records +identifying when particular parts of the stream begin and end. +All other tokens will appear in the context of a complete BSM audit record, +which begins with a +.Dv header +token, and ends with a +.Dv trailer +token, which describe the audit record. +Between these two tokens will appear a variety of data tokens, such as +process information, file path names, IPC object information, MAC labels, +socket information, and so on. +.Pp +The BSM file format defines specific token orders for each record event type; +however, some variation may occur depending on the operating system in use, +what system options, such as mandatory access control, are present. +.Pp +This manual page documents the common token types and their binary format, and +is intended for reference purposes only. +It is recommended that application programmers use the +.Xr libbsm 3 +interface to read and write tokens, rather than parsing or constructing +records by hand. +.Ss File Token +The +.Dv file +token is used at the beginning and end of an audit log file to indicate +when the audit log begins and ends. +It includes a pathname so that, if concatenated together, original file +boundaries are still observable, and gaps in the audit log can be identified. +A +.Dv file +token can be created using +.Xr au_to_file 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Seconds" Ta "4 bytes" Ta "File time stamp" +.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp" +.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail" +.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail" +.El +.Ss Header Token +The +.Dv header +token is used to mark the beginning of a complete audit record, and includes +the length of the total record in bytes, a version number for the record +layout, the event type and subtype, and the time at which the event occurred. +A +.Dv header +token can be created using +.Xr au_to_header32 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Expanded Header Token +The +.Dv expanded header +token is an expanded version of the +.Dv header +token, with the addition of a machine IPv4 or IPv6 address. +The +.Xr libbsm 3 +API cannot currently create an +.Dv expanded header +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length" +.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Trailer Token +The +.Dv trailer +terminates a BSM audit record, and contains a magic number, +.Dv TRAILER_PAD_MAGIC +and length that can be used to validate that the record was read properly. +A +.Dv trailer +token can be created using +.Xr au_to_trailer 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.El +.Ss Arbitrary Data Token +The +.Dv arbitrary data +token contains a byte stream of opaque (untyped) data. +The size of the data is calculated as the size of each unit of data +multipled by the number of units of data. +A +.Dv How to print +field is present to specify how to print the data, but interpretation of +that field is not currently defined. +The +.Xr libbsm 3 +API cannot currently create an +.Dv arbitrary data +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information" +.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes" +.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present" +.It Li "Data Items" Ta "Variable" Ta "User data" +.El +.Ss in_addr Token +The +.Dv in_addr +token holds a network byte order IPv4 or IPv6 address. +An +.Dv in_addr +token can be created using +.Xr au_to_in_addr 3 +for an IPv4 address, or +.Xr au_to_in_addr_ex 3 +for an IPv6 address. +.Pp +See the BUGS section for information on the storage of this token. +.Pp +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "IP Address Type" Ta "1 byte" Ta "Type of address" +.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.El +.Ss Expanded in_addr Token +The +.Dv expanded in_addr +token ... +.Pp +See the BUGS section for information on the storage of this token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss ip Token +The +.Dv ip +token contains an IP packet header in network byte order. +An +.Dv ip +token can be cread using +.Xr au_to_ip 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" +.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" +.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" +.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" +.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order" +.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live" +.It Li "Protocol" Ta "1 byte" Ta "IP protocol number" +.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order" +.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address" +.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address" +.El +.Ss Expanded ip Token +The +.Dv expanded ip +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss iport Token +The +.Dv iport +token stores an IP port number in network byte order. +An +.Dv iport +token can be created using +.Xr au_to_iport 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order" +.El +.Ss Path Token +The +.Dv path +token contains a pathname. +A +.Dv path +token can be created using +.Xr auto_path 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" +.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" +.El +.Ss path_attr Token +The +.Dv path_attr +token contains a set of nul-terminated path names. +The +.Xr libbsm 3 +API cannot currently create an +.Dv path_attr +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" +.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" +.El +.Ss Process Token +The +.Dv process +token contains a description of the security properties of a process +involved as the target of an auditable event, such as the destination for +signal delivery. +It should not be confused with the +.Dv subject +token, which describes the subject performing an auditable event. +This includes both the traditional +.Ux +security properties, such as user IDs and group IDs, but also audit +information such as the audit user ID and sesion. +A +.Dv process +token can be created using +.Xr au_to_process32 3 +or +.Xr au_to_process64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Process Token +The .Dv expanded process +token contains the contents of the +.Dv process +token, with the addition of a machine address type and variable length +address storage capable of containing IPv6 addresses. +A +.Dv expanded process +token can be created using +.Xr au_to_process32_ex 3 +or +.Xr au_to_process64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss Return Token +The +.Dv return +token contains a system call or library function return condition, including +return value and error number associated with the global variable +.Er errno . +A +.Dv return +token can be created using +.Xr au_to_return32 3 +or +.Xr au_to_return64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined" +.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)" +.El +.Ss Subject Token +The +.Dv subject +token contains information on the subject performing the operation described +by an audit record, and includes similar information to that found in the +.Dv process +and +.Dv expanded process +tokens. +However, those tokens are used where the process being described is the +target of the operation, not the authorizing party. +A +.Dv subject +token can be created using +.Xr au_to_subject32 3 +and +.Xr au_to_subject64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Subject Token +The +.Dv expanded subject +token consists of the same elements as the +.Dv subject +token, with the addition of type/length and variable size machine address +information in the terminal ID. +A +.Dv expanded subject +token can be created using +.Xr au_to_subject32_ex 3 +or +.Xr au_to_subject64_ex 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss System V IPC Token +The +.Dv System V IPC +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Text Token +The +.Dv text +token contains a single nul-terminated text string. +A +.Dv text +token may be created using +.Xr au_to_text 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul" +.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul" +.El +.Ss Attribute Token +The +.Dv attribute +token describes the attributes of a file associated with the audit event. +As files may be identified by 0, 1, or many path names, a path name is not +included with the attribute block for a file; optional +.Dv path +tokens may also be present in an audit record indicating which path, if any, +was used to reach the object. +A +.Dv attribute +token can be created using +.Xr au_to_attr32 3 +or +.Xr au_to_attr64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file" +.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file" +.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file" +.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file" +.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file" +.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)" +.El +.Ss Groups Token +The +.Dv groups +token contains a list of group IDs associated with the audit event. +A +.Dv groups +token can be created using +.Xr au_to_groups 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token" +.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs" +.El +.Ss System V IPC Permission Token +The +.Dv System V IPC permission +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Arg Token +The +.Dv arg +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_args Token +The +.Dv exec_args +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_env Token +The +.Dv exec_env +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Exit Token +The +.Dv exit +token contains process exit/return code information. +An +.Dv exit +token can be created using +.Xr au_to_exit 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Status" Ta "4 bytes" Ta "Process status on exit" +.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit" +.El +.Ss Socket Token +The +.Dv socket +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Expanded Socket Token +The +.Dv expanded socket +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Seq Token +The +.Dv seq +token contains a unique and monotonically increasing audit event sequence ID. +Due to the limited range of 32 bits, serial number arithmetic and caution +should be used when comparing sequence numbers. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number" +.El +.Ss privilege Token +The +.Dv privilege +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Use-of-auth Token +The +.Dv use-of-auth +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Command Token +The +.Dv command +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss ACL Token +The +.Dv ACL +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Zonename Token +The +.Dv zonename +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Sh SEE ALSO +.Xr libbsm 3 +.Sh AUTHORS +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +The +.Dv How to print +field in the +.Dv arbitrary data +token has undefined values. +.Pp +The +.Dv in_addr +and +.Dv in_addr_ex +token layout documented here appears to be in conflict with the +.Xr libbsm 3 +implementations of +.Xr au_to_in_addr 3 +and +.Xr au_to_in_addr_ex 3 . |