2 .\" Copyright (c) 2005-2006 Robert N. M. Watson
3 .\" Copyright (c) 2008 Apple Inc.
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 .\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#23 $
34 .Nd "Basic Security Module (BSM) file format"
38 file format is based on Sun's Basic Security Module (BSM) file format, a
39 token-based record stream to represent system audit data.
40 This file format is both flexible and extensible, able to describe a broad
41 range of data types, and easily extended to describe new data types in a
42 moderately backward and forward compatible way.
44 BSM token streams typically begin and end with a
46 token, which provides time stamp and file name information for the stream;
47 when processing a BSM token stream from a stream as opposed to a single file
48 source, file tokens may be seen at any point between ordinary records
49 identifying when particular parts of the stream begin and end.
50 All other tokens will appear in the context of a complete BSM audit record,
53 token, and ends with a
55 token, which describe the audit record.
56 Between these two tokens will appear a variety of data tokens, such as
57 process information, file path names, IPC object information, MAC labels,
58 socket information, and so on.
60 The BSM file format defines specific token orders for each record event type;
61 however, some variation may occur depending on the operating system in use,
62 what system options, such as mandatory access control, are present.
64 This manual page documents the common token types and their binary format, and
65 is intended for reference purposes only.
66 It is recommended that application programmers use the
68 interface to read and write tokens, rather than parsing or constructing
73 token is used at the beginning and end of an audit log file to indicate
74 when the audit log begins and ends.
75 It includes a pathname so that, if concatenated together, original file
76 boundaries are still observable, and gaps in the audit log can be identified.
79 token can be created using
81 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
82 .It Sy "Field Bytes Description"
83 .It "Token ID 1 byte Token ID"
84 .It "Seconds 4 bytes File time stamp"
85 .It "Microseconds 4 bytes File time stamp"
86 .It "File name lengh 2 bytes File name of audit trail"
87 .It "File pathname N bytes + 1 NUL File name of audit trail"
92 token is used to mark the beginning of a complete audit record, and includes
93 the length of the total record in bytes, a version number for the record
94 layout, the event type and subtype, and the time at which the event occurred.
97 token can be created using
98 .Xr au_to_header32 3 ;
101 token can be created using
102 .Xr au_to_header64 3 .
103 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
104 .It Sy "Field Bytes Description"
105 .It "Token ID 1 byte Token ID"
106 .It "Record Byte Count 4 bytes Number of bytes in record"
107 .It "Version Number 2 bytes Record version number"
108 .It "Event Type 2 bytes Event type"
109 .It "Event Modifier 2 bytes Event sub-type"
110 .It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
111 .It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
113 .Ss Expanded Header Token
116 token is an expanded version of the
118 token, with the addition of a machine IPv4 or IPv6 address.
121 token can be created using
122 .Xr au_to_header32_ex 3 ;
125 token can be created using
126 .Xr au_to_header64_ex 3 .
127 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
128 .It Sy "Field Bytes Description"
129 .It "Token ID 1 byte Token ID"
130 .It "Record Byte Count 4 bytes Number of bytes in record"
131 .It "Version Number 2 bytes Record version number"
132 .It "Event Type 2 bytes Event type"
133 .It "Event Modifier 2 bytes Event sub-type"
134 .It "Address Type/Length 1 byte Host address type and length"
135 .It "Machine Address 4/16 bytes IPv4 or IPv6 address"
136 .It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
137 .It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
142 terminates a BSM audit record, and contains a magic number,
143 .Dv AUT_TRAILER_MAGIC
144 and length that can be used to validate that the record was read properly.
147 token can be created using
148 .Xr au_to_trailer 3 .
149 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
150 .It Sy "Field Bytes Description"
151 .It "Token ID 1 byte Token ID"
152 .It "Trailer Magic 2 bytes Trailer magic number"
153 .It "Record Byte Count 4 bytes Number of bytes in record"
155 .Ss Arbitrary Data Token
158 token contains a byte stream of opaque (untyped) data.
159 The size of the data is calculated as the size of each unit of data
160 multipled by the number of units of data.
163 field is present to specify how to print the data, but interpretation of
164 that field is not currently defined.
167 token can be created using
169 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
170 .It Sy "Field Bytes Description"
171 .It "Token ID 1 byte Token ID"
172 .It "How to Print 1 byte User-defined printing information"
173 .It "Basic Unit 1 byte Size of a unit in bytes"
174 .It "Unit Count 1 byte Number of units of data present"
175 .It "Data Items Variable User data"
180 token holds a network byte order IPv4 address.
183 token can be created using
187 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
188 .It Sy "Field Bytes Description"
189 .It "Token ID 1 byte Token ID"
190 .It "IP Address 4 bytes IPv4 address"
192 .Ss Expanded in_addr Token
195 token holds a network byte order IPv4 or IPv6 address.
198 token can be created using
199 .Xr au_to_in_addr_ex 3
204 section for information on the storage of this token.
205 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
206 .It Sy "Field Bytes Description"
207 .It "Token ID 1 byte Token ID"
208 .It "IP Address Type 1 byte Type of address"
209 .It "IP Address 4/16 bytes IPv4 or IPv6 address"
214 token contains an IP packet header in network byte order.
217 token can be created using
219 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
220 .It Sy "Field Bytes Description"
221 .It "Token ID 1 byte Token ID"
222 .It "Version and IHL 1 byte Version and IP header length"
223 .It "Type of Service 1 byte IP TOS field"
224 .It "Length 2 bytes IP packet length in network byte order"
225 .It "ID 2 bytes IP header ID for reassembly"
226 .It "Offset 2 bytes IP fragment offset and flags, network byte order"
227 .It "TTL 1 byte IP Time-to-Live"
228 .It "Protocol 1 byte IP protocol number"
229 .It "Checksum 2 bytes IP header checksum, network byte order"
230 .It "Source Address 4 bytes IPv4 source address"
231 .It "Destination Address 4 bytes IPv4 destination address"
236 token stores an IP port number in network byte order.
239 token can be created using
241 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
242 .It Sy "Field Bytes Description"
243 .It "Token ID 1 byte Token ID"
244 .It "Port Number 2 bytes Port number in network byte order"
249 token contains a pathname.
252 token can be created using
254 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
255 .It Sy "Field Bytes Description"
256 .It "Token ID 1 byte Token ID"
257 .It "Path Length 2 bytes Length of path in bytes"
258 .It "Path N bytes + 1 NUL Path name"
263 token contains a set of NUL-terminated path names.
266 API cannot currently create a
269 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
270 .It Sy "Field Bytes Description"
271 .It "Token ID 1 byte Token ID"
272 .It "Count 2 bytes Number of NUL-terminated string(s) in token"
273 .It "Path Variable count NUL-terminated string(s)"
278 token contains a description of the security properties of a process
279 involved as the target of an auditable event, such as the destination for
281 It should not be confused with the
283 token, which describes the subject performing an auditable event.
284 This includes both the traditional
286 security properties, such as user IDs and group IDs, but also audit
287 information such as the audit user ID and session.
290 token can be created using
291 .Xr au_to_process32 3
293 .Xr au_to_process64 3 .
294 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
295 .It Sy "Field Bytes Description"
296 .It "Token ID 1 byte Token ID"
297 .It "Audit ID 4 bytes Audit user ID"
298 .It "Effective User ID 4 bytes Effective user ID"
299 .It "Effective Group ID 4 bytes Effective group ID"
300 .It "Real User ID 4 bytes Real user ID"
301 .It "Real Group ID 4 bytes Real group ID"
302 .It "Process ID 4 bytes Process ID"
303 .It "Session ID 4 bytes Audit session ID"
304 .It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
305 .It "Terminal Machine Address 4 bytes IP address of machine"
307 .Ss Expanded Process Token
310 token contains the contents of the
312 token, with the addition of a machine address type and variable length
313 address storage capable of containing IPv6 addresses.
316 token can be created using
317 .Xr au_to_process32_ex 3
319 .Xr au_to_process64_ex 3 .
320 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
321 .It Sy "Field Bytes Description"
322 .It "Token ID 1 byte Token ID"
323 .It "Audit ID 4 bytes Audit user ID"
324 .It "Effective User ID 4 bytes Effective user ID"
325 .It "Effective Group ID 4 bytes Effective group ID"
326 .It "Real User ID 4 bytes Real user ID"
327 .It "Real Group ID 4 bytes Real group ID"
328 .It "Process ID 4 bytes Process ID"
329 .It "Session ID 4 bytes Audit session ID"
330 .It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
331 .It "Terminal Address Type/Length 1 byte Length of machine address"
332 .It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
337 token contains a system call or library function return condition, including
338 return value and error number associated with the global variable
342 token can be created using
345 .Xr au_to_return64 3 .
346 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
347 .It Sy "Field Bytes Description"
348 .It "Token ID 1 byte Token ID"
349 .It "Error Number 1 byte Errno value, or 0 if undefined"
350 .It "Return Value 4/8 bytes Return value (32/64-bits)"
355 token contains information on the subject performing the operation described
356 by an audit record, and includes similar information to that found in the
361 However, those tokens are used where the process being described is the
362 target of the operation, not the authorizing party.
365 token can be created using
366 .Xr au_to_subject32 3
368 .Xr au_to_subject64 3 .
369 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
370 .It Sy "Field Bytes Description"
371 .It "Token ID 1 byte Token ID"
372 .It "Audit ID 4 bytes Audit user ID"
373 .It "Effective User ID 4 bytes Effective user ID"
374 .It "Effective Group ID 4 bytes Effective group ID"
375 .It "Real User ID 4 bytes Real user ID"
376 .It "Real Group ID 4 bytes Real group ID"
377 .It "Process ID 4 bytes Process ID"
378 .It "Session ID 4 bytes Audit session ID"
379 .It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
380 .It "Terminal Machine Address 4 bytes IP address of machine"
382 .Ss Expanded Subject Token
385 token consists of the same elements as the
387 token, with the addition of type/length and variable size machine address
388 information in the terminal ID.
391 token can be created using
392 .Xr au_to_subject32_ex 3
394 .Xr au_to_subject64_ex 3 .
395 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
396 .It Sy "Field Bytes Description"
397 .It "Token ID 1 byte Token ID"
398 .It "Audit ID 4 bytes Audit user ID"
399 .It "Effective User ID 4 bytes Effective user ID"
400 .It "Effective Group ID 4 bytes Effective group ID"
401 .It "Real User ID 4 bytes Real user ID"
402 .It "Real Group ID 4 bytes Real group ID"
403 .It "Process ID 4 bytes Process ID"
404 .It "Session ID 4 bytes Audit session ID"
405 .It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
406 .It "Terminal Address Type/Length 1 byte Length of machine address"
407 .It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
409 .Ss System V IPC Token
412 token contains the System V IPC message handle, semaphore handle or shared
414 A System V IPC token may be created using
416 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
417 .It Sy "Field Bytes Description"
418 .It "Token ID 1 byte Token ID"
419 .It "Object ID type 1 byte Object ID"
420 .It "Object ID 4 bytes Object ID"
425 token contains a single NUL-terminated text string.
428 token may be created using
430 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
431 .It Sy "Field Bytes Description"
432 .It "Token ID 1 byte Token ID"
433 .It "Text Length 2 bytes Length of text string including NUL"
434 .It "Text N bytes + 1 NUL Text string including NUL"
439 token describes the attributes of a file associated with the audit event.
440 As files may be identified by 0, 1, or many path names, a path name is not
441 included with the attribute block for a file; optional
443 tokens may also be present in an audit record indicating which path, if any,
444 was used to reach the object.
447 token can be created using
451 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
452 .It Sy "Field Bytes Description"
453 .It "Token ID 1 byte Token ID"
454 .It "File Access Mode 1 byte mode_t associated with file"
455 .It "Owner User ID 4 bytes uid_t associated with file"
456 .It "Owner Group ID 4 bytes gid_t associated with file"
457 .It "File System ID 4 bytes fsid_t associated with file"
458 .It "File System Node ID 8 bytes ino_t associated with file"
459 .It "Device 4/8 bytes Device major/minor number (32/64-bit)"
464 token contains a list of group IDs associated with the audit event.
467 token can be created using
469 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
470 .It Sy "Field Bytes Description"
471 .It "Token ID 1 byte Token ID"
472 .It "Number of Groups 2 bytes Number of groups in token"
473 .It "Group List N * 4 bytes List of N group IDs"
475 .Ss System V IPC Permission Token
477 .Dq System V IPC permission
478 token contains a System V IPC access permissions.
479 A System V IPC permission token may be created using
480 .Xr au_to_ipc_perm 3 .
481 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
482 .It Sy "Field Bytes Description"
483 .It "Token ID 1 byte Token ID"
484 .It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
485 .It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
486 .It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
487 .It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
488 .It Li "Access mode" Ta "4 bytes" Ta "Access mode"
489 .It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
490 .It Li "Key" Ta "4 bytes" Ta "IPC key"
495 token contains informations about arguments of the system call.
496 Depending on the size of the desired argument value, an Arg token may be
501 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
502 .It Sy "Field Bytes Description"
503 .It "Token ID 1 byte Token ID"
504 .It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
505 .It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
506 .It Li "Length" Ta "2 bytes" Ta "Length of the text"
507 .It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
512 token contains informations about arguements of the exec() system call.
513 An exec_args token may be created using
514 .Xr au_to_exec_args 3 .
515 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
516 .It Sy "Field Bytes Description"
517 .It "Token ID 1 byte Token ID"
518 .It Li "Count" Ta "4 bytes" Ta "Number of arguments"
519 .It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
524 token contains current eviroment variables to an exec() system call.
525 An exec_args token may be created using
526 .Xr au_to_exec_env 3 .
527 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
528 .It Sy "Field Bytes Description"
529 .It "Token ID 1 byte Token ID"
530 .It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
531 .It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
536 token contains process exit/return code information.
539 token can be created using
541 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
542 .It Sy "Field Bytes Description"
543 .It "Token ID 1 byte Token ID"
544 .It "Status 4 bytes Process status on exit"
545 .It "Return Value 4 bytes Process return value on exit"
550 token contains information about UNIX domain and Internet sockets.
551 Each token has four or eight fields.
552 Depending on the type of socket, a socket token may be created using
553 .Xr au_to_sock_unix 3 ,
554 .Xr au_to_sock_inet32 3
556 .Xr au_to_sock_inet128 3 .
557 .Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
558 .It Sy "Field" Ta Sy Bytes Ta Sy Description
559 .It Li "Token ID" Ta "1 byte" Ta "Token ID"
560 .It Li "Socket family" Ta "2 bytes" Ta "Socket family"
561 .It Li "Local port" Ta "2 bytes" Ta "Local port"
562 .It Li "Socket address" Ta "4 bytes" Ta "Socket address"
564 .Ss Expanded Socket Token
567 token contains information about IPv4 and IPv6 sockets.
570 token can be created using
571 .Xr au_to_socket_ex 3 .
572 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
573 .It Sy "Field Bytes Description"
574 .It Li "Token ID" Ta "1 byte" Ta "Token ID"
575 .It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
576 .It Li "Socket type" Ta "2 bytes" Ta "Socket type"
577 .It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
578 .It Li "Local port" Ta "2 bytes" Ta "Local port"
579 .It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
580 .It Li "Remote port" Ta "2 bytes" Ta "Remote port"
581 .It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
586 token contains a unique and monotonically increasing audit event sequence ID.
587 Due to the limited range of 32 bits, serial number arithmetic and caution
588 should be used when comparing sequence numbers.
589 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
590 .It Sy "Field Bytes Description"
591 .It "Token ID 1 byte Token ID"
592 .It "Sequence Number 4 bytes Audit event sequence number"
598 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
599 .It Sy "Field Bytes Description"
600 .It "Token ID 1 byte Token ID"
603 .Ss Use-of-auth Token
607 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
608 .It Sy "Field Bytes Description"
609 .It "Token ID 1 byte Token ID"
616 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
617 .It Sy "Field Bytes Description"
618 .It "Token ID 1 byte Token ID"
625 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
626 .It Sy "Field Bytes Description"
627 .It "Token ID 1 byte Token ID"
633 token holds a NUL-terminated string with the name of the zone or jail from
634 which the record originated.
637 token can be created using
638 .Xr au_to_zonename 3 .
640 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
641 .It Sy "Field Bytes Description"
642 .It "Token ID 1 byte Token ID"
643 .It "Zonename length 2 bytes Length of zonename string including NUL"
644 .It "Zonename N bytes + 1 NUL Zonename string including NUL"
654 The OpenBSM implementation was created by McAfee Research, the security
655 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
656 It was subsequently adopted by the TrustedBSD Project as the foundation for
657 the OpenBSM distribution.
659 The Basic Security Module (BSM) interface to audit records and audit event
660 stream format were defined by Sun Microsystems.
662 This manual page was written by
663 .An Robert Watson Aq rwatson@FreeBSD.org .
669 token has undefined values.
675 token layout documented here appears to be in conflict with the
678 .Xr au_to_in_addr_ex 3 .