RE: Audit Explanations

From: Darren Moffat
Date: Tue, 14 Aug 2001 14:22:32 -0700 (PDT)
Subject: RE: Audit Explanations

Using the example you gave (properly formatted, where \ is a continuation
on the same line).

header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001 \
+979998030 msec
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer

In prose the record says:

On Fri Jun 08 @ 13:50:23 process 313 on host someputer, operating on
behalf of user someuser of group staff, opened the file
/export/home/someuser/.Xauthority-n as file descriptor 4 for writing,
creating it with mode 600 if it doesn't exist or truncating it if it was
already there. The file was found at inode 16540, and the operation was
successful. No additional privilege was used to complete this operation.

>Per your reply "What parts of the audit records you listed do you not
>understand?"
> What is: 148,2,

148 is the number of bytes in the record, 2 is the version number.

> and: .Xauthority-n

path is the path token; this is the file that open(2) was passed.

attribute is on a new line and is the attr token which describes the
vnode that open(2) was operating on.

100600 is the mode.

> and: 313,312,0 0

These are part of the subject token which is described in:

313 == process id
312 == session id
0, 0 someputer is all the terminal id.

0 is the device
0 is the port

Since both of these are 0 this was on the local host and not a remote

> and: return,success,4

The return token. success means open(2) returned a non-error value (i.e. != -1)
and 4 is the return value, so in this case it is the file descriptor.

Darren J Moffat
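The record walked through above, parsed token by token into the fields the reply explains. This is an added example, not code from the mail or from Solaris; the path and attribute lines are reconstructed from the prose with the standard praudit field order assumed, and the owner, group, fsid and device values on the attribute line are constructed.

```python
# Added example: parse the praudit text record discussed in the mail above.
# header/subject/return lines are quoted from the mail; path and attribute are
# reconstructed from the prose (standard praudit field order assumed; the
# owner, group, fsid and device values on the attribute line are constructed).
SAMPLE = """\
header,148,2,open(2) - write,creat,trunc,,Fri Jun 08 13:50:23 2001 + 979998030 msec
subject,someuser,someuser,staff,someuser,staff,313,312,0 0 someputer
path,/export/home/someuser/.Xauthority-n
attribute,100600,someuser,staff,136,16540,0
return,success,4"""

def parse_record(text):
    """Turn one praudit text record into a dict keyed by token type."""
    rec = {}
    for line in text.splitlines():
        tok, _, rest = line.partition(",")
        f = rest.split(",")
        if tok == "header":
            # The event name itself contains commas ("open(2) - write,creat,trunc"),
            # so take bytes/version from the front and modifier/time from the back.
            rec[tok] = {"bytes": int(f[0]), "version": int(f[1]),
                        "event": ",".join(f[2:-2]), "modifier": f[-2], "time": f[-1]}
        elif tok == "subject":
            # audit-id, uid, gid, ruid, rgid, pid, sid, tid (assumed standard order);
            # tid is "device port host"; device == port == 0 means a local session.
            dev, port, host = f[7].split(" ", 2)
            rec[tok] = {"audit_user": f[0], "uid": f[1], "gid": f[2], "ruid": f[3],
                        "rgid": f[4], "pid": int(f[5]), "sid": int(f[6]),
                        "tid": {"device": int(dev), "port": int(port), "host": host},
                        "local": dev == "0" and port == "0"}
        elif tok == "path":
            rec[tok] = rest
        elif tok == "attribute":
            # mode is octal and carries the file-type bits: 100600 -> perm 0600
            rec[tok] = {"mode": f[0], "perm": oct(int(f[0], 8) & 0o7777),
                        "owner": f[1], "group": f[2], "inode": int(f[4])}
        elif tok == "return":
            # status is "success" or (assumed) "failure: <errno text>"; value is the
            # raw syscall return, i.e. the fd on success and -1 on failure
            rec[tok] = {"success": f[0] == "success", "status": f[0], "value": int(f[1])}
    return rec

def describe(rec):
    """Render the record as the kind of one-line prose summary the mail gives."""
    h, s, a, r = rec["header"], rec["subject"], rec["attribute"], rec["return"]
    where = "local session" if s["local"] else "remote session via %s" % s["tid"]["host"]
    outcome = "succeeded, fd %d" % r["value"] if r["success"] else r["status"]
    return ("%s: pid %d (session %d, %s) as %s/%s did %s on %s (perm %s, inode %d): %s"
            % (h["time"], s["pid"], s["sid"], where, s["uid"], s["gid"], h["event"],
               rec["path"], a["perm"], a["inode"], outcome))
```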