Hi Birk, thanks very much for your reply.

> Hi,
>
> You will find the information to the BSM Audit Trail in the HandBook:
> "Solaris SHIELD Basic Security Module".

I already read the entire thing, but could not find the answer to my question.

> An audit record is built from audit tokens.

I read audit_record.h (under /usr/include/bsm) but only found the C declarations for the TOKENS (au_arg_tok_t, au_attr_tok_t, etc.). What I am (desperately) looking for is the C declaration of an entire audit record. What is explained in "Solaris SHIELD Basic Security Module" is the logical structure of the various types of audit records.

Also, I would like to know the meaning of the previous and next pointers in the declaration below (from /usr/include/bsm/audit_record.h):

    struct au_token {
        char id;
        struct au_token *next;
        struct au_token *prev;
        char *data;             /* which data, the tokens ???? */
        u_short size;           /* of entire record, token, the rest ??? */
        union {
            au_arg_tok_t arg;
            au_attr_tok_t attr;
            au_data_tok_t data;
            au_exit_tok_t exit;
            au_file_tok_t file;
            au_groups_tok_t groups;
            au_header_tok_t header;
            au_inaddr_tok_t inaddr;
            au_ip_tok_t ip;
            au_ipc_perm_tok_t ipc_perm;
            au_ipc_tok_t ipc;
            au_iport_tok_t iport;
            au_invalid_tok_t invalid;
            au_opaque_tok_t opaque;
            au_path_tok_t path;
            au_proc_tok_t proc;
            au_ret_tok_t ret;
            au_server_tok_t server;
            au_seq_tok_t seq;
            au_socket_tok_t socket;
            au_subj_tok_t subj;
            au_text_tok_t text;
            au_trailer_tok_t trailer;
        } un;
    };
    typedef struct au_token au_token_t;

Does it mean that the tokens form a linked list? It's really unclear and confusing. Can you provide further explanations?

> There is a program named "praudit". It converts the binary audit trail in
> a human readable format - slowly.
>
> One easy solution for your problem, actually used by us, is the following:
>
> praudit | your_transformer
>
> Warning, it's _very_ slow!!!!

Oh yes, it is much more efficient to plug *directly* into the binary audit trail and transform it. But, eh, I need the binary specs for this.

Thanks again; if you have further explanations, they would be most appreciated.

Cheers,
Aziz.

--------------------------+-------------------------------------
| Abdelaziz Mounji        | amo@info.fundp.ac.be                |
| ASAX project            | http://www.info.fundp.ac.be/~amo    |
| Institut d'Informatique | voice: +32 81 724987                |
| University of Namur     | Fax  : +32 81 724967                |
----------------------------------------------------------------

-- 
+---------------------+--------------------------------------------------+
|  ____   ___         | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\ /\ __\       | Center for Computer Security Research            |
| | |) / \_/ /  |_    | Dept. Computer Science    voice: 61-42-214-330   |
| | _ \\ /| _/        | University of Wollongong  fax:   61-42-214-329   |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream...             |
|                     | LiNuX - the only justification for using iNTeL   |
+---------------------+--------------------------------------------------+
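The thread asks two things the quoted handbook does not spell out: whether the tokens of a record form a list, and what the binary layout is that a transformer would read instead of going through praudit. The next/prev pointers in the au_token declaration can only be meaningful in memory; a file cannot hold pointers, so on disk a record is just its tokens laid end to end, each announcing its type in its first byte, with the header token carrying the byte count of the whole record and the trailer token repeating it behind a fixed magic value. The script below is an added illustration written for this thread; it is not code from either poster, from the ASAX project or from Sun. The token type bytes, the trailer magic and the field layouts of the 32-bit header, subject, return, text and path tokens are what the BSM audit.log documentation and audit_record.h describe, but treat them as assumptions and check them against the header on your own system before trusting a parser built on them. The two-record trail it parses is constructed in the script, not captured from a machine, and the event numbers in it are made up (real ones come from the audit_event table).

```python
"""Walk a BSM binary audit trail token by token.

Added example for this thread, not code from the posters or from Sun's BSM.
Token type bytes and field layouts are assumed from the BSM audit.log
documentation and <bsm/audit_record.h>; verify them on your own system.
The sample trail is constructed here, not captured from a real machine.
"""
import struct

# Token type bytes (assumed from <bsm/audit_record.h>).
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105  # value every trailer token is assumed to carry

# On-disk layouts, big-endian. The first byte of every token is its type.
HEADER32_FMT = ">BIBHHII"  # id, record byte count, version, event, modifier, sec, msec
SUBJECT32_FMT = ">B9I"     # id, auid, euid, egid, ruid, rgid, pid, sid, tid.port, tid.machine
RETURN32_FMT = ">BBI"      # id, errno, return value
TRAILER_FMT = ">BHI"       # id, magic, record byte count (repeats the header's)
HEADER_LEN = struct.calcsize(HEADER32_FMT)
TRAILER_LEN = struct.calcsize(TRAILER_FMT)
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")


# --- encoder, used only to construct the sample trail ---------------------
def tok_string(tid, s):
    """Text and path tokens: id, 2-byte length, the bytes including the NUL."""
    data = s.encode() + b"\0"
    return struct.pack(">BH", tid, len(data)) + data


def tok_subject(**fields):
    return struct.pack(SUBJECT32_FMT, AUT_SUBJECT32, *(fields.get(k, 0) for k in SUBJECT_FIELDS))


def tok_return(errno, value):
    return struct.pack(RETURN32_FMT, AUT_RETURN32, errno, value)


def build_record(event, body, sec, msec=0, modifier=0, version=2):
    """Frame a token sequence: the header carries the total byte count, the trailer repeats it."""
    count = HEADER_LEN + len(body) + TRAILER_LEN
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, count, version, event, modifier, sec, msec)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, TRAILER_MAGIC, count)
    return header + body + trailer


# --- decoder --------------------------------------------------------------
def parse_record(buf, off=0):
    """Decode one record at buf[off]; return (tokens, offset of the next record).

    tokens is the ordered list that the in-memory au_token next/prev chain
    represents; on disk the tokens are simply consecutive inside the byte
    count announced by the header.
    """
    if off + HEADER_LEN > len(buf) or buf[off] != AUT_HEADER32:
        raise ValueError("record does not begin with a header token")
    _, count, version, event, modifier, sec, msec = struct.unpack_from(HEADER32_FMT, buf, off)
    end = off + count
    if count < HEADER_LEN + TRAILER_LEN or end > len(buf):
        raise ValueError("header byte count does not fit the buffer")
    tokens = [("header", {"version": version, "event": event, "modifier": modifier,
                          "sec": sec, "msec": msec})]
    pos = off + HEADER_LEN

    def need(n):  # every length is checked against the header's count, never trusted alone
        if pos + n > end:
            raise ValueError("token overruns the record")

    while pos < end:
        tid = buf[pos]
        if tid == AUT_SUBJECT32:
            need(struct.calcsize(SUBJECT32_FMT))
            f = struct.unpack_from(SUBJECT32_FMT, buf, pos)
            tokens.append(("subject", dict(zip(SUBJECT_FIELDS, f[1:]))))
            pos += struct.calcsize(SUBJECT32_FMT)
        elif tid in (AUT_TEXT, AUT_PATH):
            need(3)
            _, n = struct.unpack_from(">BH", buf, pos)
            need(3 + n)
            data = buf[pos + 3:pos + 3 + n]
            tokens.append(("text" if tid == AUT_TEXT else "path", data.rstrip(b"\0").decode()))
            pos += 3 + n
        elif tid == AUT_RETURN32:
            need(struct.calcsize(RETURN32_FMT))
            _, err, val = struct.unpack_from(RETURN32_FMT, buf, pos)
            tokens.append(("return", {"errno": err, "value": val}))
            pos += struct.calcsize(RETURN32_FMT)
        elif tid == AUT_TRAILER:
            need(TRAILER_LEN)
            _, magic, tcount = struct.unpack_from(TRAILER_FMT, buf, pos)
            if magic != TRAILER_MAGIC or tcount != count or pos + TRAILER_LEN != end:
                raise ValueError("trailer does not match header")
            tokens.append(("trailer", {"count": tcount}))
            pos += TRAILER_LEN
        else:
            # Other token types have fixed or self-described lengths too; add
            # the rest of the table before pointing this at a real trail.
            raise ValueError(f"unhandled token type 0x{tid:02x} at offset {pos}")
    if tokens[-1][0] != "trailer":
        raise ValueError("record ends without a trailer token")
    return tokens, end


def record_is_valid(buf, off=0):
    try:
        parse_record(buf, off)
        return True
    except (ValueError, struct.error):
        return False


def parse_trail(buf):
    """Split a whole audit file into records by chaining header byte counts."""
    records, off = [], 0
    while off < len(buf):
        tokens, off = parse_record(buf, off)
        records.append(tokens)
    return records


def failed_events(buf):
    """What a transformer would extract: (auid, event, errno) for every failed call."""
    out = []
    for tokens in parse_trail(buf):
        d = dict(tokens)
        if d.get("return", {}).get("errno", 0) != 0:
            out.append((d["subject"]["auid"], d["header"]["event"], d["return"]["errno"]))
    return out


def sample_trail():
    """Two constructed records; event number 23 is made up for the example."""
    ok = build_record(event=23, sec=851000000, body=(
        tok_subject(auid=1001, euid=0, egid=0, ruid=1001, rgid=100, pid=4242, sid=77)
        + tok_string(AUT_PATH, "/usr/bin/su")
        + tok_return(errno=0, value=0)))
    fail = build_record(event=23, sec=851000060, body=(
        tok_subject(auid=1002, euid=1002, egid=100, ruid=1002, rgid=100, pid=4300, sid=78)
        + tok_string(AUT_TEXT, "bad password")
        + tok_return(errno=13, value=0xFFFFFFFF)))
    return ok + fail


if __name__ == "__main__":
    for rec in parse_trail(sample_trail()):
        print(" -> ".join(name for name, _ in rec))
    print(failed_events(sample_trail()))
```

The design point for a transformer that reads the trail directly: the header's byte count is the only framing, so every token length is validated against it and the trailer is required to agree before a record is accepted; a truncated file, or a record whose trailer magic has been damaged, is rejected rather than silently producing a partial record. Unknown token types are also rejected instead of skipped, because without the length table a parser cannot know where the next token starts.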