AUDIT.LOG(5) MidnightBSD File Formats Manual AUDIT.LOG(5)
NAME
audit — Basic Security Module (BSM) file format
DESCRIPTION
The audit file format is based on Sun’s Basic Security Module (BSM) file format, a token-based record stream to represent system audit data. This file format is both flexible and extensible, able to describe a broad range of data types, and easily extended to describe new data types in a moderately backward and forward compatible way.
BSM token streams typically begin and end with a ‘‘file’’ token, which provides time stamp and file name information for the stream; when processing a BSM token stream from a stream as opposed to a single file source, file tokens may be seen at any point between ordinary records identifying when particular parts of the stream begin and end. All other tokens will appear in the context of a complete BSM audit record, which begins with a ‘‘header’’ token, and ends with a ‘‘trailer’’ token, which describe the audit record. Between these two tokens will appear a variety of data tokens, such as process information, file path names, IPC object information, MAC labels, socket information, and so on.
The BSM file format defines specific token orders for each record event type; however, some variation may occur depending on the operating system in use, what system options, such as mandatory access control, are present.
This manual page documents the common token types and their binary format, and is intended for reference purposes only. It is recommended that application programmers use the libbsm(3) interface to read and write tokens, rather than parsing or constructing records by hand.
File Token
The ‘‘file’’ token is used at the beginning
and end of an audit log file to indicate when the audit log begins
and ends. It includes a pathname so that, if concatenated together,
original file boundaries are still observable, and gaps in the
audit log can be identified. A ‘‘file’’
token can be created using au_to_file(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Seconds |
|
|
4 bytes |
|
|
File time stamp |
|
|
Microseconds |
|
|
4 bytes |
|
|
File time stamp |
|
|
File name lengh |
|
|
2 bytes |
|
|
File name of audit trail |
|
|
File pathname |
|
|
N bytes + 1 NUL |
|
|
File name of audit trail |
Header
Token
The ‘‘header’’ token is used to mark the
beginning of a complete audit record, and includes the length of
the total record in bytes, a version number for the record layout,
the event type and subtype, and the time at which the event
occurred. A 32-bit ‘‘header’’ token can be
created using au_to_header32(3); a 64-bit
‘‘header’’ token can be created using
au_to_header64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Record Byte Count |
|
|
4 bytes |
|
|
Number of bytes in record |
|
|
Version Number |
|
|
2 bytes |
|
|
Record version number |
|
|
Event Type |
|
|
2 bytes |
|
|
Event type |
|
|
Event Modifier |
|
|
2 bytes |
|
|
Event sub-type |
|
|
Seconds |
|
|
4/8 bytes |
|
|
Record time stamp (32/64-bits) |
|
|
Nanoseconds |
|
|
4/8 bytes |
|
|
Record time stamp (32/64-bits) |
Expanded Header
Token
The ‘‘expanded header’’ token is an
expanded version of the ‘‘header’’ token,
with the addition of a machine IPv4 or IPv6 address. A 32-bit
extended ‘‘header’’ token can be created
using au_to_header32_ex(3); a 64-bit extended
‘‘header’’ token can be created using
au_to_header64_ex(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Record Byte Count |
|
|
4 bytes |
|
|
Number of bytes in record |
|
|
Version Number |
|
|
2 bytes |
|
|
Record version number |
|
|
Event Type |
|
|
2 bytes |
|
|
Event type |
|
|
Event Modifier |
|
|
2 bytes |
|
|
Event sub-type |
|
|
Address Type/Length |
|
|
1 byte |
|
|
Host address type and length |
|
|
Machine Address |
|
|
4/16 bytes |
|
|
IPv4 or IPv6 address |
|
|
Seconds |
|
|
4/8 bytes |
|
|
Record time stamp (32/64-bits) |
|
|
Nanoseconds |
|
|
4/8 bytes |
|
|
Record time stamp (32/64-bits) |
Trailer
Token
The ‘‘trailer’’ terminates a BSM audit
record, and contains a magic number, TRAILER_PAD_MAGIC and length
that can be used to validate that the record was read properly. A
‘‘trailer’’ token can be created using
au_to_trailer(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Trailer Magic |
|
|
2 bytes |
|
|
Trailer magic number |
|
|
Record Byte Count |
|
|
4 bytes |
|
|
Number of bytes in record |
Arbitrary Data
Token
The ‘‘arbitrary data’’ token contains a
byte stream of opaque (untyped) data. The size of the data is
calculated as the size of each unit of data multipled by the number
of units of data. A ‘‘How to print’’ field
is present to specify how to print the data, but interpretation of
that field is not currently defined. An ‘‘arbitrary
data’’ token can be created using au_to_data(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
How to Print |
|
|
1 byte |
|
|
User-defined printing information |
|
|
Basic Unit |
|
|
1 byte |
|
|
Size of a unit in bytes |
|
|
Unit Count |
|
|
1 byte |
|
|
Number of units of data present |
|
|
Data Items |
|
|
Variable |
|
|
User data |
in_addr
Token
The ‘‘in_addr’’ token holds a network byte
order IPv4 or IPv6 address. An ‘‘in_addr’’
token can be created using au_to_in_addr(3) for an IPv4 address, or
au_to_in_addr_ex(3) for an IPv6 address.
See the BUGS section for information on the storage of this token.
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
IP Address Type |
|
|
1 byte |
|
|
Type of address |
|
|
IP Address |
|
|
4/16 bytes |
|
|
IPv4 or IPv6 address |
Expanded in_addr
Token
The ‘‘expanded in_addr’’ token ...
See the BUGS section for information on the storage of this token.
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXX
ip Token
The ‘‘ip’’ token contains an IP packet
header in network byte order. An ‘‘ip’’
token can be created using au_to_ip(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Version and IHL |
|
|
1 byte |
|
|
Version and IP header length |
|
|
Type of Service |
|
|
1 byte |
|
|
IP TOS field |
|
|
Length |
|
|
2 bytes |
|
|
IP packet length in network byte order |
|
|
ID |
|
|
2 bytes |
|
|
IP header ID for reassembly |
|
|
Offset |
|
|
2 bytes |
|
|
IP fragment offset and flags, network byte order |
|
|
TTL |
|
|
1 byte |
|
|
IP Time-to-Live |
|
|
Protocol |
|
|
1 byte |
|
|
IP protocol number |
|
|
Checksum |
|
|
2 bytes |
|
|
IP header checksum, network byte order |
|
|
Source Address |
|
|
4 bytes |
|
|
IPv4 source address |
|
|
Destination Address |
|
|
4 bytes |
|
|
IPv4 destination address |
Expanded ip
Token
The ‘‘expanded ip’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXX
iport Token
The ‘‘iport’’ token stores an IP port
number in network byte order. An ‘‘iport’’
token can be created using au_to_iport(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Port Number |
|
|
2 bytes |
|
|
Port number in network byte order |
Path Token
The ‘‘path’’ token contains a pathname. A
‘‘path’’ token can be created using
au_to_path(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Path Length |
|
|
2 bytes |
|
|
Length of path in bytes |
|
|
Path |
|
|
N bytes + 1 NUL |
|
|
Path name |
path_attr
Token
The ‘‘path_attr’’ token contains a set of
NUL-terminated path names. The libbsm(3) API cannot currently
create a ‘‘path_attr’’ token.
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Count |
|
|
2 bytes |
|
|
Number of NUL-terminated string(s) in token |
|
|
Path |
|
|
Variable |
|
|
count NUL-terminated string(s) |
Process
Token
The ‘‘process’’ token contains a
description of the security properties of a process involved as the
target of an auditable event, such as the destination for signal
delivery. It should not be confused with the
‘‘subject’’ token, which describes the
subject performing an auditable event. This includes both the
traditional UNIX security properties, such as user IDs and group
IDs, but also audit information such as the audit user ID and
session. A ‘‘process’’ token can be created
using au_to_process32(3) or au_to_process64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Audit ID |
|
|
4 bytes |
|
|
Audit user ID |
|
|
Effective User ID |
|
|
4 bytes |
|
|
Effective user ID |
|
|
Effective Group ID |
|
|
4 bytes |
|
|
Effective group ID |
|
|
Real User ID |
|
|
4 bytes |
|
|
Real user ID |
|
|
Real Group ID |
|
|
4 bytes |
|
|
Real group ID |
|
|
Process ID |
|
|
4 bytes |
|
|
Process ID |
|
|
Session ID |
|
|
4 bytes |
|
|
Audit session ID |
|
|
Terminal Port ID |
|
|
4/8 bytes |
|
|
Terminal port ID (32/64-bits) |
|
|
Terminal Machine Address |
|
|
4 bytes |
|
|
IP address of machine |
Expanded Process
Token
The ‘‘expanded process’’ token contains the
contents of the ‘‘process’’ token, with the
addition of a machine address type and variable length address
storage capable of containing IPv6 addresses. An
‘‘expanded process’’ token can be created
using au_to_process32_ex(3) or au_to_process64_ex(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Audit ID |
|
|
4 bytes |
|
|
Audit user ID |
|
|
Effective User ID |
|
|
4 bytes |
|
|
Effective user ID |
|
|
Effective Group ID |
|
|
4 bytes |
|
|
Effective group ID |
|
|
Real User ID |
|
|
4 bytes |
|
|
Real user ID |
|
|
Real Group ID |
|
|
4 bytes |
|
|
Real group ID |
|
|
Process ID |
|
|
4 bytes |
|
|
Process ID |
|
|
Session ID |
|
|
4 bytes |
|
|
Audit session ID |
|
|
Terminal Port ID |
|
|
4/8 bytes |
|
|
Terminal port ID (32/64-bits) |
|
|
Terminal Address Type/Length |
|
|
1 byte |
|
|
Length of machine address |
|
|
Terminal Machine Address |
|
|
4 bytes |
|
|
IPv4 or IPv6 address of machine |
Return
Token
The ‘‘return’’ token contains a system call
or library function return condition, including return value and
error number associated with the global variable errno. A
‘‘return’’ token can be created using
au_to_return32(3) or au_to_return64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Error Number |
|
|
1 byte |
|
|
Errno value, or 0 if undefined |
|
|
Return Value |
|
|
4/8 bytes |
|
|
Return value (32/64-bits) |
Subject
Token
The ‘‘subject’’ token contains information
on the subject performing the operation described by an audit
record, and includes similar information to that found in the
‘‘process’’ and ‘‘expanded
process’’ tokens. However, those tokens are used where
the process being described is the target of the operation, not the
authorizing party. A ‘‘subject’’ token can
be created using au_to_subject32(3) and au_to_subject64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Audit ID |
|
|
4 bytes |
|
|
Audit user ID |
|
|
Effective User ID |
|
|
4 bytes |
|
|
Effective user ID |
|
|
Effective Group ID |
|
|
4 bytes |
|
|
Effective group ID |
|
|
Real User ID |
|
|
4 bytes |
|
|
Real user ID |
|
|
Real Group ID |
|
|
4 bytes |
|
|
Real group ID |
|
|
Process ID |
|
|
4 bytes |
|
|
Process ID |
|
|
Session ID |
|
|
4 bytes |
|
|
Audit session ID |
|
|
Terminal Port ID |
|
|
4/8 bytes |
|
|
Terminal port ID (32/64-bits) |
|
|
Terminal Machine Address |
|
|
4 bytes |
|
|
IP address of machine |
Expanded Subject
Token
The ‘‘expanded subject’’ token consists of
the same elements as the ‘‘subject’’ token,
with the addition of type/length and variable size machine address
information in the terminal ID. An ‘‘expanded
subject’’ token can be created using
au_to_subject32_ex(3) or au_to_subject64_ex(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Audit ID |
|
|
4 bytes |
|
|
Audit user ID |
|
|
Effective User ID |
|
|
4 bytes |
|
|
Effective user ID |
|
|
Effective Group ID |
|
|
4 bytes |
|
|
Effective group ID |
|
|
Real User ID |
|
|
4 bytes |
|
|
Real user ID |
|
|
Real Group ID |
|
|
4 bytes |
|
|
Real group ID |
|
|
Process ID |
|
|
4 bytes |
|
|
Process ID |
|
|
Session ID |
|
|
4 bytes |
|
|
Audit session ID |
|
|
Terminal Port ID |
|
|
4/8 bytes |
|
|
Terminal port ID (32/64-bits) |
|
|
Terminal Address Type/Length |
|
|
1 byte |
|
|
Length of machine address |
|
|
Terminal Machine Address |
|
|
4 bytes |
|
|
IPv4 or IPv6 address of machine |
System V IPC
Token
The ‘‘System V IPC’’ token contains the
System V IPC message handle, semaphore handle or shared memory
handle. A System V IPC token may be created using +.Xr au_to_ipc 3
.
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Object ID type |
|
|
1 byte |
|
|
Object ID |
|
|
Object ID |
|
|
4 bytes |
|
|
Object ID |
Text Token
The ‘‘text’’ token contains a single
NUL-terminated text string. A ‘‘text’’
token may be created using au_to_text(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Text Length |
|
|
2 bytes |
|
|
Length of text string including NUL |
|
|
Text |
|
|
N bytes + 1 NUL |
|
|
Text string including NUL |
Attribute
Token
The ‘‘attribute’’ token describes the
attributes of a file associated with the audit event. As files may
be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
‘‘path’’ tokens may also be present in an
audit record indicating which path, if any, was used to reach the
object. An ‘‘attribute’’ token can be
created using au_to_attr32(3) or au_to_attr64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
File Access Mode |
|
|
1 byte |
|
|
mode_t associated with file |
|
|
Owner User ID |
|
|
4 bytes |
|
|
uid_t associated with file |
|
|
Owner Group ID |
|
|
4 bytes |
|
|
gid_t associated with file |
|
|
File System ID |
|
|
4 bytes |
|
|
fsid_t associated with file |
|
|
File System Node ID |
|
|
8 bytes |
|
|
ino_t associated with file |
|
|
Device |
|
|
4/8 bytes |
|
|
Device major/minor number (32/64-bit) |
Groups
Token
The ‘‘groups’’ token contains a list of
group IDs associated with the audit event. A
‘‘groups’’ token can be created using
au_to_groups(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Number of Groups |
|
|
2 bytes |
|
|
Number of groups in token |
|
|
Group List |
|
|
N * 4 bytes |
|
|
List of N group IDs |
System V IPC
Permission Token
The ‘‘System V IPC permission’’ token
contains a System V IPC access permissions. A System V IPC
permission token may be created using au_to_ipc_perm(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Owner user ID |
|
|
4 bytes |
|
|
User ID of IPC owner |
|
|
Owner group ID |
|
|
4 bytes |
|
|
Group ID of IPC owner |
|
|
Creator user ID |
|
|
4 bytes |
|
|
User ID of IPC creator |
|
|
Creator group ID |
|
|
4 bytes |
|
|
Group ID of IPC creator |
|
|
Access mode |
|
|
4 bytes |
|
|
Access mode |
|
|
Sequnce number |
|
|
4 bytes |
|
|
Sequnce number |
|
|
Key |
|
|
4 bytes |
|
|
IPC key |
Arg Token
The ‘‘arg’’ token contains informations
about arguments of the system call. Depending on the size of the
desired argument value, an Arg token may be created using
au_to_arg32(3) or au_to_arg64(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Argument ID |
|
|
1 byte |
|
|
Argument ID |
|
|
Argument value |
|
|
4/8 bytes |
|
|
Argument value |
|
|
Length |
|
|
2 bytes |
|
|
Length of the text |
|
|
Text |
|
|
N bytes + 1 nul |
|
|
The string including nul |
exec_args
Token
The ‘‘exec_args’’ token contains
informations about arguements of the exec() system call. An
exec_args token may be created using au_to_exec_args(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Count |
|
|
4 bytes |
|
|
Number of arguments |
|
|
Text |
|
|
* bytes |
|
|
Count null-terminated strings |
exec_env
Token
The ‘‘exec_env’’ token contains current
eviroment variables to an exec() system call. An exec_args token
may be created using au_to_exec_env(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Count ID |
|
|
4 bytes |
|
|
Number of variables |
|
|
Text |
|
|
* bytes |
|
|
Count nul-terminated strings |
Exit Token
The ‘‘exit’’ token contains process
exit/return code information. An ‘‘exit’’
token can be created using au_to_exit(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Status |
|
|
4 bytes |
|
|
Process status on exit |
|
|
Return Value |
|
|
4 bytes |
|
|
Process return value on exit |
Socket
Token
The ‘‘socket’’ token contains informations
about UNIX domain and Internet sockets. Each token has four or
eight fields. Depend on type of socket a socket token may be
created using au_to_sock_unix(3), au_to_sock_inet32(3) or
au_to_sock_inet128(3).
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Socket family |
|
|
2 bytes |
|
|
Socket family |
|
|
Local port |
|
|
2 bytes |
|
|
Local port |
|
|
Socket address |
|
|
4 bytes |
|
|
Socket address |
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID +.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain" +.It Li "Socket family" Ta "2 bytes" Ta "Socket family" +.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)" +.It Li "Local port" Ta "2 bytes" Ta "Local port" +.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address" +.It Li "Remote port" Ta "2 bytes" Ta "Remote port" +.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address" |
Expanded Socket
Token
The ‘‘expanded socket’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
Seq Token
The ‘‘seq’’ token contains a unique and
monotonically increasing audit event sequence ID. Due to the
limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
|
|
Sequence Number |
|
|
4 bytes |
|
|
Audit event sequence number |
privilege
Token
The ‘‘privilege’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
Use-of-auth
Token
The ‘‘use-of-auth’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
Command
Token
The ‘‘command’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
ACL Token
The ‘‘ACL’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
Zonename
Token
The ‘‘zonename’’ token ...
|
Field |
|
|
Bytes |
|
|
Description |
|
|
Token ID |
|
|
1 byte |
|
|
Token ID |
XXXXX
SEE ALSO
auditreduce(1), praudit(1), libbsm(3), audit(4), auditpipe(4), audit(8)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
This manual page was written by Robert Watson 〈rwatson@FreeBSD.org〉.
BUGS
The ‘‘How to print’’ field in the ‘‘arbitrary data’’ token has undefined values.
The ‘‘in_addr’’ and ‘‘in_addr_ex’’ token layout documented here appears to be in conflict with the libbsm(3) implementations of au_to_in_addr(3) and au_to_in_addr_ex(3).
MidnightBSD 0.3 November 5, 2006 MidnightBSD 0.3