man Pages(4): File Formats

NAME

audit.log - audit trail file

SYNOPSIS

#include <bsm/audit.h>
#include <bsm/audit_record.h>

DESCRIPTION

audit.log files are the depository for audit records stored locally or on an audit server. These files are kept in directories named in the file audit_control(4). They are named to reflect the time they are created and are, when possible, renamed to reflect the time they are closed as well. The name takes the form
        yyyymmddhhmmss.not_terminated.hostname
when open or if auditd(1M) terminated ungracefully, and the form
        yyyymmddhhmmss.yyyymmddhhmmss.hostname

when properly closed. yyyy is the year, mm the month, dd day in the month, hh hour in the day, mm minute in the hour, and ss second in the minute. All fields are of fixed width.
The audit.log file begins with a standalone file token and typically ends with one also. The beginning file token records the pathname of the previous audit file, while the ending file token records the pathname of the next audit file. If the file name is NULL, the appropriate path was unavailable.
The audit.log files contain audit records. Each audit record is made up of audit tokens. Each record contains a header token followed by various data tokens. Depending on the audit policy put in place by auditon(2), other optional tokens such as trailers or sequences may be included.
The tokens are defined as follows:
The file token consists of:
           token ID                         char
           seconds of time                  u_int
           milliseconds of time             u_int
           file name length                 short
           file pathname                    null terminated string

The header token consists of:
           token ID                         char
           record byte count                u_long
           version #                        char     (1)
           event type                       u_short
           event modifier                   u_short
           seconds of time                  u_int
           milliseconds of time             u_int

The trailer token consists of:
           token ID                         char
           trailer magic number             u_short
           record byte count                u_long

The arbitrary data token is defined:
           token ID                         char
           how to print                     char
           basic unit                       char
           unit count                       char
           data items                       depends on basic unit

The in_addr token consists of:
           token ID                         char
           internet address                 char

The ip token consists of:
           token ID                         char
           version and ihl                  char
           type of service                  char
           length                           short
           id                               u_short
           offset                           u_short
           ttl                              char
           protocol                         char
           checksum                         u_short
           source address                   long
           destination address              long

The iport token consists of:
           token ID                         char
           port address                     short

The opaque token consists of:
           token ID                         char
           size                             short
           data                             char, size chars

The path token consists of:
           token ID                         char
           path length                      short
           path                             null terminated string

The process token consists of:
           token ID                         char
           auid                             u_long
           euid                             u_long
           egid                             u_long
           ruid                             u_long
           rgid                             u_long
           pid                              u_long
           sid                              u_long
           terminal ID                      u_long (port ID)
                                            u_long (machine ID)

The return token consists of:
           token ID                         char
           error number                     char
           return value                     long

The subject token consists of:
           token ID                         char
           auid                             u_long
           euid                             u_long
           egid                             u_long
           ruid                             u_long
           rgid                             u_long
           pid                              u_long
           sid                              u_long
           terminal ID                      u_long (port ID)
                                            u_long (machine ID)

The System V IPC token consists of:
           token ID                         char
           object ID type                   char
           object ID                        long

The text token consists of:
           token ID                         char
           text length                      short
           text                             null terminated string

The attribute token consists of:
           token ID                         char
           mode                             u_long
           uid                              u_long
           gid                              u_long
           file system id                   long
           node id                          long
           device                           u_long

The groups token consists of:
           token ID                         char
           number                           short
           group list                       long, size chars

The System V IPC permission token consists of:
           token ID                         char
           uid                              u_long
           gid                              u_long
           cuid                             u_long
           cgid                             u_long
           mode                             u_long
           seq                              u_long
           key                              long

The arg token consists of:
           token ID                         char
           argument #                       char
           argument value                   long
           string length                    short
           text                             null terminated string

The exec_args token consists of:
           token ID                         char
           count                            long
           text                             count null terminated string(s)

The exec_env token consists of:
           token ID                         char
           count                            long
           text                             count null terminated string(s)

The exit token consists of:
           token ID                         char
           status                           long
           return value                     long

The socket token consists of:
           token ID                         char
           socket type                      short
           local port                       short
           local Internet address           char
           remote port                      short
           remote Internet address          char

The seq token consists of:
           token ID                         char
           sequence number                  long

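As an added example (not part of this man page or of the BSM sources), the following Python walks an audit.log byte stream and checks that each record's header byte count agrees with its trailer, which is how an analyst can spot records cut short by an ungraceful auditd exit or otherwise damaged before trusting the trail. It assumes 32-bit field widths (char = 1, short = 2, u_int/u_long = 4 bytes), big-endian encoding, and the token IDs and trailer magic defined in bsm/audit_record.h (AUT_HEADER32, AUT_TRAILER, AUT_TEXT, AUT_RETURN32, AUT_TRAILER_MAGIC); the sample records it builds are constructed.

```python
import struct

# Assumptions: char = 1, short = 2, u_int/u_long = 4 bytes, big-endian (network
# byte order). Token IDs and trailer magic are the values from bsm/audit_record.h.
AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_RETURN32, AUT_TEXT = 0x27, 0x28
AUT_TRAILER_MAGIC = 0xB105
HEADER_FMT = ">BIBHHII"  # token ID, byte count, version, event, modifier, sec, msec
TRAILER_FMT = ">BHI"     # token ID, trailer magic, byte count
HLEN, TLEN = struct.calcsize(HEADER_FMT), struct.calcsize(TRAILER_FMT)


def build_record(event, text, errnum, retval, sec=0, msec=0):
    """Construct one record: header, text token, return token, trailer."""
    body = struct.pack(">BH", AUT_TEXT, len(text) + 1) + text.encode() + b"\0"
    body += struct.pack(">BBI", AUT_RETURN32, errnum, retval)
    total = HLEN + len(body) + TLEN  # record byte count covers header and trailer
    header = struct.pack(HEADER_FMT, AUT_HEADER32, total, 1, event, 0, sec, msec)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, AUT_TRAILER_MAGIC, total)
    return header + body + trailer


def walk_records(data):
    """Yield (offset, event, status) for each record; stop at the first defect."""
    off = 0
    while off + HLEN <= len(data):
        tid, count, _ver, event, _mod, _sec, _msec = struct.unpack_from(HEADER_FMT, data, off)
        if tid != AUT_HEADER32 or count < HLEN + TLEN:
            yield off, None, "bad header"
            return
        if off + count > len(data):  # e.g. file cut short by an ungraceful auditd exit
            yield off, event, "truncated"
            return
        ttid, magic, tcount = struct.unpack_from(TRAILER_FMT, data, off + count - TLEN)
        if ttid != AUT_TRAILER or magic != AUT_TRAILER_MAGIC or tcount != count:
            yield off, event, "trailer mismatch"
            return
        yield off, event, "ok"
        off += count
    if off != len(data):
        yield off, None, "trailing bytes"


def check_file(data):
    """Return (number of intact records, first problem as (offset, status) or None)."""
    ok, problem = 0, None
    for off, _event, status in walk_records(data):
        if status == "ok":
            ok += 1
        else:
            problem = (off, status)
    return ok, problem
```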

SEE ALSO

audit(1M), auditd(1M), bsmconv(1M), audit(2), auditon(2), au_to(3), audit_control(4)

NOTES

Each token is generally written using the au_to(3) family of function calls.
The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.