freebsd/contrib/openbsm/man/audit.log.5

.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#9 $
.\"
.Dd May 1, 2005
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
.Nd "Basic Security Module (BSM) File Format"
.Sh DESCRIPTION
The
.Nm
file format is based on Sun's Basic Security Module (BSM) file format, a
token-based record stream to represent system audit data.
This file format is both flexible and extensible, able to describe a broad
range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
.Dv file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
.Dv header
token, and ends with a
.Dv trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
socket information, and so on.
.Pp
The BSM file format defines specific token orders for each record event type;
however, some variation may occur depending on the operating system in use,
what system options, such as mandatory access control, are present.
.Pp
This manual page documents the common token types and their binary format, and
is intended for reference purposes only.
It is recommended that application programmers use the
.Xr libbsm 3
interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
.Dv file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
.Dv file
token can be created using
.Xr au_to_file 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
.El
.Ss Header Token
The
.Dv header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A
.Dv header
token can be created using
.Xr au_to_header32 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
.Dv expanded header
token is an expanded version of the
.Dv header
token, with the addition of a machine IPv4 or IPv6 address.
The
.Xr libbsm 3
API cannot currently create an
.Dv expanded header
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
.It Li "Event Type" Ta "2 bytes" Ta "Event type"
.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
.Dv trailer
terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC
and length that can be used to validate that the record was read properly.
A
.Dv trailer
token can be created using
.Xr au_to_trailer 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
.Dv arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multipled by the number of units of data.
A
.Dv How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
The
.Xr libbsm 3
API cannot currently create an
.Dv arbitrary data
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
.It Li "Data Items" Ta "Variable" Ta "User data"
.El
.Ss in_addr Token
The
.Dv in_addr
token holds a network byte order IPv4 or IPv6 address.
An
.Dv in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
See the BUGS section for information on the storage of this token.
.Pp
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
.Dv expanded in_addr
token ...
.Pp
See the BUGS section for information on the storage of this token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss ip Token
The
.Dv ip
token contains an IP packet header in network byte order.
An
.Dv ip
token can be created using
.Xr au_to_ip 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
.El
.Ss Expanded ip Token
The
.Dv expanded ip
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It XXXX
.El
.Ss iport Token
The
.Dv iport
token stores an IP port number in network byte order.
An
.Dv iport
token can be created using
.Xr au_to_iport 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
.El
.Ss Path Token
The
.Dv path
token contains a pathname.
A
.Dv path
token can be created using
.Xr au_to_path 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
.El
.Ss path_attr Token
The
.Dv path_attr
token contains a set of nul-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
.Dv path_attr
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
.El
.Ss Process Token
The
.Dv process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
.Dv subject
token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and session.
A
.Dv process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Process Token
The
.Dv expanded process
token contains the contents of the
.Dv process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
.Dv expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
.Dv return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
A 
.Dv return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
.El
.Ss Subject Token
The
.Dv subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
.Dv process
and
.Dv expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
.Dv subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
.El
.Ss Expanded Subject Token
The
.Dv expanded subject
token consists of the same elements as the
.Dv subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
.Dv expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
.Dv System V IPC
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
.El
.Ss Text Token
The
.Dv text
token contains a single nul-terminated text string.
A
.Dv text
token may be created using
.Xr au_to_text 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
.El
.Ss Attribute Token
The
.Dv attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
.Dv path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
.Dv attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
.Dv groups
token contains a list of group IDs associated with the audit event.
A
.Dv groups
token can be created using
.Xr au_to_groups 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
.El
.Ss System V IPC Permission Token
The
.Dv System V IPC permission
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Arg Token
The
.Dv arg
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_args Token
The
.Dv exec_args
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss exec_env Token
The
.Dv exec_env
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Exit Token
The
.Dv exit
token contains process exit/return code information.
An
.Dv exit
token can be created using
.Xr au_to_exit 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
.El
.Ss Socket Token
The
.Dv socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Expanded Socket Token
The
.Dv expanded socket
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Seq Token
The
.Dv seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
.El
.Ss privilege Token
The
.Dv privilege
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Use-of-auth Token
The
.Dv use-of-auth
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Command Token
The
.Dv command
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss ACL Token
The
.Dv ACL
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Ss Zonename Token
The
.Dv zonename
token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li XXXXX
.El
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit 8
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh BUGS
The
.Dv How to print
field in the
.Dv arbitrary data
token has undefined values.
.Pp
The
.Dv in_addr
and
.Dv in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
.Xr au_to_in_addr 3
and
.Xr au_to_in_addr_ex 3 .