The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

audit.log (5)
  • audit.log (4) ( Solaris man: Специальные файлы /dev/* )
  • >> audit.log (5) ( FreeBSD man: Форматы файлов )

  • BSD mandoc
     

    NAME

    
    
    audit
    
     - Basic Security Module (BSM) file format
    
     
    

    DESCRIPTION

    The file format is based on Sun's Basic Security Module (BSM) file format, a token-based record stream to represent system audit data. This file format is both flexible and extensible, able to describe a broad range of data types, and easily extended to describe new data types in a moderately backward and forward compatible way.

    BSM token streams typically begin and end with a ``file'' token, which provides time stamp and file name information for the stream; when processing a BSM token stream from a stream as opposed to a single file source, file tokens may be seen at any point between ordinary records identifying when particular parts of the stream begin and end. All other tokens will appear in the context of a complete BSM audit record, which begins with a ``header'' token, and ends with a ``trailer'' token, which describe the audit record. Between these two tokens will appear a variety of data tokens, such as process information, file path names, IPC object information, MAC labels, socket information, and so on.

    The BSM file format defines specific token orders for each record event type; however, some variation may occur depending on the operating system in use, what system options, such as mandatory access control, are present.

    This manual page documents the common token types and their binary format, and is intended for reference purposes only. It is recommended that application programmers use the libbsm(3) interface to read and write tokens, rather than parsing or constructing records by hand.  

    File Token

    The ``file'' token is used at the beginning and end of an audit log file to indicate when the audit log begins and ends. It includes a pathname so that, if concatenated together, original file boundaries are still observable, and gaps in the audit log can be identified. A ``file'' token can be created using au_to_file3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Seconds     4 bytes File time stamp"
    "Microseconds4 bytesFile time stamp"
    "File name lengh2 bytesFile name of audit trail"
    "File pathnameN bytes + 1 NULFile name of audit trail"

     

    Header Token

    The
    ``header'' token is used to mark the beginning of a complete audit record, and includes the length of the total record in bytes, a version number for the record layout, the event type and subtype, and the time at which the event occurred. A 32-bit ``header'' token can be created using au_to_header323; a 64-bit ``header'' token can be created using au_to_header643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Record Byte Count   4 bytes Number of bytes in record"
    "Version Number2 bytesRecord version number"
    "Event Type2 bytesEvent type"
    "Event Modifier2 bytesEvent sub-type"
    "Seconds4/8 bytesRecord time stamp (32/64-bits)"
    "Nanoseconds4/8 bytesRecord time stamp (32/64-bits)"

     

    Expanded Header Token

    The
    ``expanded header'' token is an expanded version of the ``header'' token, with the addition of a machine IPv4 or IPv6 address. A 32-bit extended ``header'' token can be created using au_to_header32_ex3; a 64-bit extended ``header'' token can be created using au_to_header64_ex3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Record Byte Count   4 bytes Number of bytes in record"
    "Version Number2 bytesRecord version number"
    "Event Type2 bytesEvent type"
    "Event Modifier2 bytesEvent sub-type"
    "Address Type/Length1 byteHost address type and length"
    "Machine Address4/16 bytesIPv4 or IPv6 address"
    "Seconds4/8 bytesRecord time stamp (32/64-bits)"
    "Nanoseconds4/8 bytesRecord time stamp (32/64-bits)"

     

    Trailer Token

    The
    ``trailer'' terminates a BSM audit record, and contains a magic number, TRAILER_PAD_MAGIC and length that can be used to validate that the record was read properly. A ``trailer'' token can be created using au_to_trailer3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Trailer Magic       2 bytes Trailer magic number"
    "Record Byte Count4 bytesNumber of bytes in record"

     

    Arbitrary Data Token

    The
    ``arbitrary data'' token contains a byte stream of opaque (untyped) data. The size of the data is calculated as the size of each unit of data multipled by the number of units of data. A ``How to print'' field is present to specify how to print the data, but interpretation of that field is not currently defined. An ``arbitrary data'' token can be created using au_to_data3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "How to Print        1 byte  User-defined printing information"
    "Basic Unit1 byteSize of a unit in bytes"
    "Unit Count1 byteNumber of units of data present"
    "Data ItemsVariableUser data"

     

    in_addr Token

    The
    ``in_addr'' token holds a network byte order IPv4 or IPv6 address. An ``in_addr'' token can be created using au_to_in_addr3 for an IPv4 address, or au_to_in_addr_ex3 for an IPv6 address.

    See the Sx BUGS section for information on the storage of this token.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "IP Address Type     1 byte  Type of address"
    "IP Address4/16 bytesIPv4 or IPv6 address"

     

    Expanded in_addr Token

    The
    ``expanded in_addr'' token ...

    See the Sx BUGS section for information on the storage of this token.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXX

     

    ip Token

    The
    ``ip'' token contains an IP packet header in network byte order. An ``ip'' token can be created using au_to_ip3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Version and IHL     1 byte  Version and IP header length"
    "Type of Service1 byteIP TOS field"
    "Length2 bytesIP packet length in network byte order"
    "ID2 bytesIP header ID for reassembly"
    "Offset2 bytesIP fragment offset and flags, network byte order"
    "TTL1 byteIP Time-to-Live"
    "Protocol1 byteIP protocol number"
    "Checksum2 bytesIP header checksum, network byte order"
    "Source Address4 bytesIPv4 source address"
    "Destination Address4 bytesIPv4 destination address"

     

    Expanded ip Token

    The
    ``expanded ip'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXX

     

    iport Token

    The
    ``iport'' token stores an IP port number in network byte order. An ``iport'' token can be created using au_to_iport3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Port Number 2 bytes Port number in network byte order"

     

    Path Token

    The
    ``path'' token contains a pathname. A ``path'' token can be created using au_to_path3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Path Length 2 bytes Length of path in bytes"
    "PathN bytes + 1 NULPath name"

     

    path_attr Token

    The
    ``path_attr'' token contains a set of NUL-terminated path names. The libbsm(3) API cannot currently create a ``path_attr'' token.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Count       2 bytes Number of NUL-terminated string(s) in token"
    "PathVariablecount NUL-terminated string(s)"

     

    Process Token

    The
    ``process'' token contains a description of the security properties of a process involved as the target of an auditable event, such as the destination for signal delivery. It should not be confused with the ``subject'' token, which describes the subject performing an auditable event. This includes both the traditional UNIX security properties, such as user IDs and group IDs, but also audit information such as the audit user ID and session. A ``process'' token can be created using au_to_process323 or au_to_process643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Audit ID    4 bytes Audit user ID"
    "Effective User ID4 bytesEffective user ID"
    "Effective Group ID4 bytesEffective group ID"
    "Real User ID4 bytesReal user ID"
    "Real Group ID4 bytesReal group ID"
    "Process ID4 bytesProcess ID"
    "Session ID4 bytesAudit session ID"
    "Terminal Port ID4/8 bytesTerminal port ID (32/64-bits)"
    "Terminal Machine Address4 bytesIP address of machine"

     

    Expanded Process Token

    The
    ``expanded process'' token contains the contents of the ``process'' token, with the addition of a machine address type and variable length address storage capable of containing IPv6 addresses. An ``expanded process'' token can be created using au_to_process32_ex3 or au_to_process64_ex3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Audit ID    4 bytes Audit user ID"
    "Effective User ID4 bytesEffective user ID"
    "Effective Group ID4 bytesEffective group ID"
    "Real User ID4 bytesReal user ID"
    "Real Group ID4 bytesReal group ID"
    "Process ID4 bytesProcess ID"
    "Session ID4 bytesAudit session ID"
    "Terminal Port ID4/8 bytesTerminal port ID (32/64-bits)"
    "Terminal Address Type/Length1 byteLength of machine address"
    "Terminal Machine Address4 bytesIPv4 or IPv6 address of machine"

     

    Return Token

    The
    ``return'' token contains a system call or library function return condition, including return value and error number associated with the global variable Er errno . A ``return'' token can be created using au_to_return323 or au_to_return643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Error Number        1 byte  Errno value, or 0 if undefined"
    "Return Value4/8 bytesReturn value (32/64-bits)"

     

    Subject Token

    The
    ``subject'' token contains information on the subject performing the operation described by an audit record, and includes similar information to that found in the ``process'' and ``expanded process'' tokens. However, those tokens are used where the process being described is the target of the operation, not the authorizing party. A ``subject'' token can be created using au_to_subject323 and au_to_subject643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Audit ID    4 bytes Audit user ID"
    "Effective User ID4 bytesEffective user ID"
    "Effective Group ID4 bytesEffective group ID"
    "Real User ID4 bytesReal user ID"
    "Real Group ID4 bytesReal group ID"
    "Process ID4 bytesProcess ID"
    "Session ID4 bytesAudit session ID"
    "Terminal Port ID4/8 bytesTerminal port ID (32/64-bits)"
    "Terminal Machine Address4 bytesIP address of machine"

     

    Expanded Subject Token

    The
    ``expanded subject'' token consists of the same elements as the ``subject'' token, with the addition of type/length and variable size machine address information in the terminal ID. An ``expanded subject'' token can be created using au_to_subject32_ex3 or au_to_subject64_ex3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Audit ID    4 bytes Audit user ID"
    "Effective User ID4 bytesEffective user ID"
    "Effective Group ID4 bytesEffective group ID"
    "Real User ID4 bytesReal user ID"
    "Real Group ID4 bytesReal group ID"
    "Process ID4 bytesProcess ID"
    "Session ID4 bytesAudit session ID"
    "Terminal Port ID4/8 bytesTerminal port ID (32/64-bits)"
    "Terminal Address Type/Length1 byteLength of machine address"
    "Terminal Machine Address4 bytesIPv4 or IPv6 address of machine"

     

    System V IPC Token

    The
    ``System V IPC'' token contains the System V IPC message handle, semaphore handle or shared memory handle. A System V IPC token may be created using +.Xr au_to_ipc 3 .

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Object ID type      1 byte  Object ID"
    "Object ID4 bytesObject ID"

     

    Text Token

    The
    ``text'' token contains a single NUL-terminated text string. A ``text'' token may be created using au_to_text3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Text Length 2 bytes Length of text string including NUL"
    "TextN bytes + 1 NULText string including NUL"

     

    Attribute Token

    The
    ``attribute'' token describes the attributes of a file associated with the audit event. As files may be identified by 0, 1, or many path names, a path name is not included with the attribute block for a file; optional ``path'' tokens may also be present in an audit record indicating which path, if any, was used to reach the object. An ``attribute'' token can be created using au_to_attr323 or au_to_attr643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "File Access Mode    1 byte  mode_t associated with file"
    "Owner User ID4 bytesuid_t associated with file"
    "Owner Group ID4 bytesgid_t associated with file"
    "File System ID4 bytesfsid_t associated with file"
    "File System Node ID8 bytesino_t associated with file"
    "Device4/8 bytesDevice major/minor number (32/64-bit)"

     

    Groups Token

    The
    ``groups'' token contains a list of group IDs associated with the audit event. A ``groups'' token can be created using au_to_groups3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Number of Groups    2 bytes Number of groups in token"
    "Group ListN * 4 bytesList of N group IDs"

     

    System V IPC Permission Token

    The
    ``System V IPC permission'' token contains a System V IPC access permissions. A System V IPC permission token may be created using au_to_ipc_perm3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    Owner user ID Ta 4 bytes Ta User ID of IPC owner
    Owner group ID Ta 4 bytes Ta Group ID of IPC owner
    Creator user ID Ta 4 bytes Ta User ID of IPC creator
    Creator group ID Ta 4 bytes Ta Group ID of IPC creator
    Access mode Ta 4 bytes Ta Access mode
    Sequnce number Ta 4 bytes Ta Sequnce number
    Key Ta 4 bytes Ta IPC key

     

    Arg Token

    The
    ``arg'' token contains informations about arguments of the system call. Depending on the size of the desired argument value, an Arg token may be created using au_to_arg323 or au_to_arg643.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    Argument ID Ta 1 byte Ta Argument ID
    Argument value Ta 4/8 bytes Ta Argument value
    Length Ta 2 bytes Ta Length of the text
    Text Ta N bytes + 1 nul Ta The string including nul

     

    exec_args Token

    The
    ``exec_args'' token contains informations about arguements of the exec() system call. An exec_args token may be created using au_to_exec_args3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    Count Ta 4 bytes Ta Number of arguments
    Text Ta * bytes Ta Count null-terminated strings

     

    exec_env Token

    The
    ``exec_env'' token contains current eviroment variables to an exec() system call. An exec_args token may be created using au_to_exec_env3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    Count ID Ta 4 bytes Ta Number of variables
    Text Ta * bytes Ta Count nul-terminated strings

     

    Exit Token

    The
    ``exit'' token contains process exit/return code information. An ``exit'' token can be created using au_to_exit3.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Status      4 bytes Process status on exit"
    "Return Value4 bytesProcess return value on exit"

     

    Socket Token

    The
    ``socket'' token contains informations about UNIX domain and Internet sockets. Each token has four or eight fields. Depend on type of socket a socket token may be created using au_to_sock_unix3, au_to_sock_inet323or au_to_sock_inet1283.

    Field Ta Bytes Ta Description
    Token ID Ta 1 byte Ta Token ID
    Socket family Ta 2 bytes Ta Socket family
    Local port Ta 2 bytes Ta Local port
    Socket address Ta 4 bytes Ta Socket address

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    +.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
    +.It Li "Socket family" Ta "2 bytes" Ta "Socket family" +.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)" +.It Li "Local port" Ta "2 bytes" Ta "Local port" +.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address" +.It Li "Remote port" Ta "2 bytes" Ta "Remote port" +.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"

     

    Expanded Socket Token

    The ``expanded socket'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    Seq Token

    The
    ``seq'' token contains a unique and monotonically increasing audit event sequence ID. Due to the limited range of 32 bits, serial number arithmetic and caution should be used when comparing sequence numbers.

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    "Sequence Number     4 bytes Audit event sequence number"

     

    privilege Token

    The
    ``privilege'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    Use-of-auth Token

    The
    ``use-of-auth'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    Command Token

    The
    ``command'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    ACL Token

    The
    ``ACL'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    Zonename Token

    The
    ``zonename'' token ...

    Field Bytes   Description
    "Token ID       1 byte  Token ID"
    XXXXX

     

    SEE ALSO

    auditreduce(1),
    praudit(1), libbsm(3), audit(4), auditpipe(4), audit(8)  

    HISTORY

    The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.  

    AUTHORS

    The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.

    This manual page was written by An Robert Watson Aq [email protected] .  

    BUGS

    The ``How to print'' field in the ``arbitrary data'' token has undefined values.

    The ``in_addr'' and ``in_addr_ex'' token layout documented here appears to be in conflict with the libbsm(3) implementations of au_to_in_addr3 and au_to_in_addr_ex3.


     

    Index

    NAME
    DESCRIPTION
    File Token
    Header Token
    Expanded Header Token
    Trailer Token
    Arbitrary Data Token
    in_addr Token
    Expanded in_addr Token
    ip Token
    Expanded ip Token
    iport Token
    Path Token
    path_attr Token
    Process Token
    Expanded Process Token
    Return Token
    Subject Token
    Expanded Subject Token
    System V IPC Token
    Text Token
    Attribute Token
    Groups Token
    System V IPC Permission Token
    Arg Token
    exec_args Token
    exec_env Token
    Exit Token
    Socket Token
    Expanded Socket Token
    Seq Token
    privilege Token
    Use-of-auth Token
    Command Token
    ACL Token
    Zonename Token
    SEE ALSO
    HISTORY
    AUTHORS
    BUGS


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру