Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 5, 2006
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
.Nd "Basic Security Module (BSM) file format"
.Sh DESCRIPTION
The
.Nm
file format is based on Sun's Basic Security Module (BSM) file format, a
token-based record stream to represent system audit data.
This file format is both flexible and extensible, able to describe a broad
range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
.Dq file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
.Dq header
token, and ends with a
.Dq trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
socket information, and so on.
.Pp
The BSM file format defines specific token orders for each record event type;
however, some variation may occur depending on the operating system in use,
what system options, such as mandatory access control, are present.
.Pp
This manual page documents the common token types and their binary format, and
is intended for reference purposes only.
It is recommended that application programmers use the
.Xr libbsm 3
interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
.Dq file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
.Dq file
token can be created using
.Xr au_to_file 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Seconds	4 bytes	File time stamp"
.It "Microseconds	4 bytes	File time stamp"
.It "File name length	2 bytes	File name of audit trail"
.It "File pathname	N bytes + 1 NUL	File name of audit trail"
.El
.Ss Header Token
The
.Dq header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A 32-bit
.Dq header
token can be created using
.Xr au_to_header32 3 ;
a 64-bit
.Dq header
token can be created using
.Xr au_to_header64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.It "Version Number	2 bytes	Record version number"
.It "Event Type	2 bytes	Event type"
.It "Event Modifier	2 bytes	Event sub-type"
.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
.Dq expanded header
token is an expanded version of the
.Dq header
token, with the addition of a machine IPv4 or IPv6 address.
A 32-bit extended
.Dq header
token can be created using
.Xr au_to_header32_ex 3 ;
a 64-bit extended
.Dq header
token can be created using
.Xr au_to_header64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.It "Version Number	2 bytes	Record version number"
.It "Event Type	2 bytes	Event type"
.It "Event Modifier	2 bytes	Event sub-type"
.It "Address Type/Length	1 byte	Host address type and length"
.It "Machine Address	4/16 bytes	IPv4 or IPv6 address"
.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
.Dq trailer
terminates a BSM audit record, and contains a magic number,
.Dv AUT_TRAILER_MAGIC
and length that can be used to validate that the record was read properly.
A
.Dq trailer
token can be created using
.Xr au_to_trailer 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Trailer Magic	2 bytes	Trailer magic number"
.It "Record Byte Count	4 bytes	Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
.Dq arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multiplied by the number of units of data.
A
.Dq How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
An
.Dq arbitrary data
token can be created using
.Xr au_to_data 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "How to Print	1 byte	User-defined printing information"
.It "Basic Unit	1 byte	Size of a unit in bytes"
.It "Unit Count	1 byte	Number of units of data present"
.It "Data Items	Variable	User data"
.El
.Ss in_addr Token
The
.Dq in_addr
token holds a network byte order IPv4 address.
An
.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "IP Address	4 bytes	IPv4 address"
.El
.Ss Expanded in_addr Token
The
.Dq in_addr_ex
token holds a network byte order IPv4 or IPv6 address.
An
.Dq in_addr_ex
token can be created using
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
See the
.Sx BUGS
section for information on the storage of this token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "IP Address Type	1 byte	Type of address"
.It "IP Address	4/16 bytes	IPv4 or IPv6 address"
.El
.Ss ip Token
The
.Dq ip
token contains an IP packet header in network byte order.
An
.Dq ip
token can be created using
.Xr au_to_ip 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Version and IHL	1 byte	Version and IP header length"
.It "Type of Service	1 byte	IP TOS field"
.It "Length	2 bytes	IP packet length in network byte order"
.It "ID	2 bytes	IP header ID for reassembly"
.It "Offset	2 bytes	IP fragment offset and flags, network byte order"
.It "TTL	1 byte	IP Time-to-Live"
.It "Protocol	1 byte	IP protocol number"
.It "Checksum	2 bytes	IP header checksum, network byte order"
.It "Source Address	4 bytes	IPv4 source address"
.It "Destination Address	4 bytes	IPv4 destination address"
.El
.Ss iport Token
The
.Dq iport
token stores an IP port number in network byte order.
An
.Dq iport
token can be created using
.Xr au_to_iport 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Port Number	2 bytes	Port number in network byte order"
.El
.Ss Path Token
The
.Dq path
token contains a pathname.
A
.Dq path
token can be created using
.Xr au_to_path 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Path Length	2 bytes	Length of path in bytes"
.It "Path	N bytes + 1 NUL	Path name"
.El
.Ss path_attr Token
The
.Dq path_attr
token contains a set of NUL-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
.Dq path_attr
token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Count	2 bytes	Number of NUL-terminated string(s) in token"
.It "Path	Variable	count NUL-terminated string(s)"
.El
.Ss Process Token
The
.Dq process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
.Dq subject
token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and session.
A
.Dq process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Machine Address	4 bytes	IP address of machine"
.El
.Ss Expanded Process Token
The
.Dq expanded process
token contains the contents of the
.Dq process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
.Dq expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Address Type/Length	1 byte	Length of machine address"
.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
.Dq return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
A
.Dq return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Error Number	1 byte	Errno value, or 0 if undefined"
.It "Return Value	4/8 bytes	Return value (32/64-bits)"
.El
.Ss Subject Token
The
.Dq subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
.Dq process
and
.Dq expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
.Dq subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Machine Address	4 bytes	IP address of machine"
.El
.Ss Expanded Subject Token
The
.Dq expanded subject
token consists of the same elements as the
.Dq subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
.Dq expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Audit ID	4 bytes	Audit user ID"
.It "Effective User ID	4 bytes	Effective user ID"
.It "Effective Group ID	4 bytes	Effective group ID"
.It "Real User ID	4 bytes	Real user ID"
.It "Real Group ID	4 bytes	Real group ID"
.It "Process ID	4 bytes	Process ID"
.It "Session ID	4 bytes	Audit session ID"
.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
.It "Terminal Address Type/Length	1 byte	Length of machine address"
.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
.Dq System V IPC
token contains the System V IPC message handle, semaphore handle or shared
memory handle.
A System V IPC token may be created using
+.Xr au_to_ipc 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Object ID type	1 byte	Object ID"
.It "Object ID	4 bytes	Object ID"
.El
.Ss Text Token
The
.Dq text
token contains a single NUL-terminated text string.
A
.Dq text
token may be created using
.Xr au_to_text 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Text Length	2 bytes	Length of text string including NUL"
.It "Text	N bytes + 1 NUL	Text string including NUL"
.El
.Ss Attribute Token
The
.Dq attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
.Dq path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
.Dq attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "File Access Mode	1 byte	mode_t associated with file"
.It "Owner User ID	4 bytes	uid_t associated with file"
.It "Owner Group ID	4 bytes	gid_t associated with file"
.It "File System ID	4 bytes	fsid_t associated with file"
.It "File System Node ID	8 bytes	ino_t associated with file"
.It "Device	4/8 bytes	Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
.Dq groups
token contains a list of group IDs associated with the audit event.
A
.Dq groups
token can be created using
.Xr au_to_groups 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Number of Groups	2 bytes	Number of groups in token"
.It "Group List	N * 4 bytes	List of N group IDs"
.El
.Ss System V IPC Permission Token
The
.Dq System V IPC permission
token contains a System V IPC access permissions.
A System V IPC permission token may be created using
.Xr au_to_ipc_perm 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
.It Li "Sequence number" Ta "4 bytes" Ta "Sequence number"
.It Li "Key" Ta "4 bytes" Ta "IPC key"
.El
.Ss Arg Token
The
.Dq arg
token contains information about arguments of the system call.
Depending on the size of the desired argument value, an Arg token may be
created using
.Xr au_to_arg32 3
or
.Xr au_to_arg64 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
.It Li "Length" Ta "2 bytes" Ta "Length of the text"
.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
.El
.Ss exec_args Token
The
.Dq exec_args
token contains information about arguments of the exec() system call.
An exec_args token may be created using
.Xr au_to_exec_args 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
.El
.Ss exec_env Token
The
.Dq exec_env
token contains current environment variables to an exec() system call.
An exec_args token may be created using
.Xr au_to_exec_env 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
.El
.Ss Exit Token
The
.Dq exit
token contains process exit/return code information.
An
.Dq exit
token can be created using
.Xr au_to_exit 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Status	4 bytes	Process status on exit"
.It "Return Value	4 bytes	Process return value on exit"
.El
.Ss Socket Token
The
.Dq socket
token contains information about UNIX domain and Internet sockets.
Each token has four or eight fields.
Depending on the type of socket, a socket token may be created using
.Xr au_to_sock_unix 3 ,
.Xr au_to_sock_inet32 3
or
.Xr au_to_sock_inet128 3 .
.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
.It Li "Local port" Ta "2 bytes" Ta "Local port"
.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
.El
.Ss Expanded Socket Token
The
.Dq expanded socket
token contains information about IPv4 and IPv6 sockets.
A
.Dq expanded socket
token can be created using
.Xr au_to_socket_ex 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
.It Li "Socket type" Ta "2 bytes" Ta "Socket type"
.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
.It Li "Local port" Ta "2 bytes" Ta "Local port"
.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Seq Token
The
.Dq seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Sequence Number	4 bytes	Audit event sequence number"
.El
.Ss privilege Token
The
.Dq privilege
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.El
.Ss Use-of-auth Token
The
.Dq use-of-auth
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.El
.Ss Command Token
The
.Dq command
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.El
.Ss ACL Token
The
.Dq ACL
token ...
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.El
.Ss Zonename Token
The
.Dq zonename
token holds a NUL-terminated string with the name of the zone or jail from
which the record originated.
A
.Dq zonename
token can be created using
.Xr au_to_zonename 3 .
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field	Bytes	Description"
.It "Token ID	1 byte	Token ID"
.It "Zonename length	2 bytes	Length of zonename string including NUL"
.It "Zonename	N bytes + 1 NUL	Zonename string including NUL"
.El
.Sh SEE ALSO
.Xr auditreduce 1 ,
.Xr praudit 1 ,
.Xr libbsm 3 ,
.Xr audit 4 ,
.Xr auditpipe 4 ,
.Xr audit 8
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh BUGS
The
.Dq How to print
field in the
.Dq arbitrary data
token has undefined values.
.Pp
The
.Dq in_addr
and
.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementation of
.Xr au_to_in_addr_ex 3 .