| author | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 19:55:43 -0400 |
|---|---|---|
| committer | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 19:55:43 -0400 |
| commit | ac5e55f5f2af5b92794c2aded46c6bae85b5f5ed (patch) | |
| tree | 9367490586c84cba28652e443e3166d66c33b0d9 /static/freebsd/man5/audit.log.5 | |
| parent | 253e67c8b3a72b3a4757fdbc5845297628db0a4a (diff) | |
docs: Added All FreeBSD Manuals
Diffstat (limited to 'static/freebsd/man5/audit.log.5')
| -rw-r--r-- | static/freebsd/man5/audit.log.5 | 670 |
1 files changed, 670 insertions, 0 deletions
diff --git a/static/freebsd/man5/audit.log.5 b/static/freebsd/man5/audit.log.5 new file mode 100644 index 00000000..a1db9981 --- /dev/null +++ b/static/freebsd/man5/audit.log.5 
@@ -0,0 +1,670 @@ +.\"- +.\" Copyright (c) 2005-2006 Robert N. M. Watson +.\" Copyright (c) 2008 Apple Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd November 5, 2006 +.Dt AUDIT.LOG 5 +.Os +.Sh NAME +.Nm audit +.Nd "Basic Security Module (BSM) file format" +.Sh DESCRIPTION +The +.Nm +file format is based on Sun's Basic Security Module (BSM) file format, a +token-based record stream to represent system audit data. +This file format is both flexible and extensible, able to describe a broad +range of data types, and easily extended to describe new data types in a +moderately backward and forward compatible way. 
+.Pp +BSM token streams typically begin and end with a +.Dq file +token, which provides time stamp and file name information for the stream; +when processing a BSM token stream from a stream as opposed to a single file +source, file tokens may be seen at any point between ordinary records +identifying when particular parts of the stream begin and end. +All other tokens will appear in the context of a complete BSM audit record, +which begins with a +.Dq header +token, and ends with a +.Dq trailer +token, which describe the audit record. +Between these two tokens will appear a variety of data tokens, such as +process information, file path names, IPC object information, MAC labels, +socket information, and so on. +.Pp +The BSM file format defines specific token orders for each record event type; +however, some variation may occur depending on the operating system in use, +what system options, such as mandatory access control, are present. +.Pp +This manual page documents the common token types and their binary format, and +is intended for reference purposes only. +It is recommended that application programmers use the +.Xr libbsm 3 +interface to read and write tokens, rather than parsing or constructing +records by hand. +.Ss File Token +The +.Dq file +token is used at the beginning and end of an audit log file to indicate +when the audit log begins and ends. +It includes a pathname so that, if concatenated together, original file +boundaries are still observable, and gaps in the audit log can be identified. +A +.Dq file +token can be created using +.Xr au_to_file 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Seconds 4 bytes File time stamp" +.It "Microseconds 4 bytes File time stamp" +.It "File name length 2 bytes File name of audit trail" +.It "File pathname N bytes + 1 NUL File name of audit trail" +.El +.Ss Header Token +The +.Dq header +token is used to mark the beginning of a complete audit record, and includes +the length of the total record in bytes, a version number for the record +layout, the event type and subtype, and the time at which the event occurred. +A 32-bit +.Dq header +token can be created using +.Xr au_to_header32 3 ; +a 64-bit +.Dq header +token can be created using +.Xr au_to_header64 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Record Byte Count 4 bytes Number of bytes in record" +.It "Version Number 1 byte Record version number" +.It "Event Type 2 bytes Event type" +.It "Event Modifier 2 bytes Event sub-type" +.It "Seconds 4/8 bytes Record time stamp (32/64-bits)" +.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)" +.El +.Ss Expanded Header Token +The +.Dq expanded header +token is an expanded version of the +.Dq header +token, with the addition of a machine IPv4 or IPv6 address. +A 32-bit extended +.Dq header +token can be created using +.Xr au_to_header32_ex 3 ; +a 64-bit extended +.Dq header +token can be created using +.Xr au_to_header64_ex 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Record Byte Count 4 bytes Number of bytes in record" +.It "Version Number 1 byte Record version number" +.It "Event Type 2 bytes Event type" +.It "Event Modifier 2 bytes Event sub-type" +.It "Address Type/Length 1 byte Host address type and length" +.It "Machine Address 4/16 bytes IPv4 or IPv6 address" +.It "Seconds 4/8 bytes Record time stamp (32/64-bits)" +.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)" +.El +.Ss Trailer Token +The +.Dq trailer +terminates a BSM audit record, and contains a magic number, +.Dv AUT_TRAILER_MAGIC +and length that can be used to validate that the record was read properly. +A +.Dq trailer +token can be created using +.Xr au_to_trailer 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Trailer Magic 2 bytes Trailer magic number" +.It "Record Byte Count 4 bytes Number of bytes in record" +.El +.Ss Arbitrary Data Token +The +.Dq arbitrary data +token contains a byte stream of opaque (untyped) data. +The size of the data is calculated as the size of each unit of data +multiplied by the number of units of data. +A +.Dq How to print +field is present to specify how to print the data, but interpretation of +that field is not currently defined. +An +.Dq arbitrary data +token can be created using +.Xr au_to_data 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "How to Print 1 byte User-defined printing information" +.It "Basic Unit 1 byte Size of a unit in bytes" +.It "Unit Count 1 byte Number of units of data present" +.It "Data Items Variable User data" +.El +.Ss in_addr Token +The +.Dq in_addr +token holds a network byte order IPv4 address. 
+An +.Dq in_addr +token can be created using +.Xr au_to_in_addr 3 +for an IPv4 address. +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "IP Address 4 bytes IPv4 address" +.El +.Ss Expanded in_addr Token +The +.Dq in_addr_ex +token holds a network byte order IPv4 or IPv6 address. +An +.Dq in_addr_ex +token can be created using +.Xr au_to_in_addr_ex 3 +for an IPv6 address. +.Pp +See the +.Sx BUGS +section for information on the storage of this token. +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "IP Address Type 1 byte Type of address" +.It "IP Address 4/16 bytes IPv4 or IPv6 address" +.El +.Ss ip Token +The +.Dq ip +token contains an IP packet header in network byte order. +An +.Dq ip +token can be created using +.Xr au_to_ip 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Version and IHL 1 byte Version and IP header length" +.It "Type of Service 1 byte IP TOS field" +.It "Length 2 bytes IP packet length in network byte order" +.It "ID 2 bytes IP header ID for reassembly" +.It "Offset 2 bytes IP fragment offset and flags, network byte order" +.It "TTL 1 byte IP Time-to-Live" +.It "Protocol 1 byte IP protocol number" +.It "Checksum 2 bytes IP header checksum, network byte order" +.It "Source Address 4 bytes IPv4 source address" +.It "Destination Address 4 bytes IPv4 destination address" +.El +.Ss iport Token +The +.Dq iport +token stores an IP port number in network byte order. +An +.Dq iport +token can be created using +.Xr au_to_iport 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Port Number 2 bytes Port number in network byte order" +.El +.Ss Path Token +The +.Dq path +token contains a pathname. +A +.Dq path +token can be created using +.Xr au_to_path 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Path Length 2 bytes Length of path in bytes" +.It "Path N bytes + 1 NUL Path name" +.El +.Ss path_attr Token +The +.Dq path_attr +token contains a set of NUL-terminated path names. +The +.Xr libbsm 3 +API cannot currently create a +.Dq path_attr +token. +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Count 2 bytes Number of NUL-terminated string(s) in token" +.It "Path Variable count NUL-terminated string(s)" +.El +.Ss Process Token +The +.Dq process +token contains a description of the security properties of a process +involved as the target of an auditable event, such as the destination for +signal delivery. +It should not be confused with the +.Dq subject +token, which describes the subject performing an auditable event. +This includes both the traditional +.Ux +security properties, such as user IDs and group IDs, but also audit +information such as the audit user ID and session. +A +.Dq process +token can be created using +.Xr au_to_process32 3 +or +.Xr au_to_process64 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Audit ID 4 bytes Audit user ID" +.It "Effective User ID 4 bytes Effective user ID" +.It "Effective Group ID 4 bytes Effective group ID" +.It "Real User ID 4 bytes Real user ID" +.It "Real Group ID 4 bytes Real group ID" +.It "Process ID 4 bytes Process ID" +.It "Session ID 4 bytes Audit session ID" +.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" +.It "Terminal Machine Address 4 bytes IP address of machine" +.El +.Ss Expanded Process Token +The +.Dq expanded process +token contains the contents of the +.Dq process +token, with the addition of a machine address type and variable length +address storage capable of containing IPv6 addresses. +An +.Dq expanded process +token can be created using +.Xr au_to_process32_ex 3 +or +.Xr au_to_process64_ex 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Audit ID 4 bytes Audit user ID" +.It "Effective User ID 4 bytes Effective user ID" +.It "Effective Group ID 4 bytes Effective group ID" +.It "Real User ID 4 bytes Real user ID" +.It "Real Group ID 4 bytes Real group ID" +.It "Process ID 4 bytes Process ID" +.It "Session ID 4 bytes Audit session ID" +.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" +.It "Terminal Address Type/Length 4 bytes Length of machine address" +.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine" +.El +.Ss Return Token +The +.Dq return +token contains a system call or library function return condition, including +return value and error number associated with the global variable +.Er errno . +A +.Dq return +token can be created using +.Xr au_to_return32 3 +or +.Xr au_to_return64 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Error Number 1 byte Errno value, or 0 if undefined" +.It "Return Value 4/8 bytes Return value (32/64-bits)" +.El +.Ss Subject Token +The +.Dq subject +token contains information on the subject performing the operation described +by an audit record, and includes similar information to that found in the +.Dq process +and +.Dq expanded process +tokens. +However, those tokens are used where the process being described is the +target of the operation, not the authorizing party. +A +.Dq subject +token can be created using +.Xr au_to_subject32 3 +and +.Xr au_to_subject64 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Audit ID 4 bytes Audit user ID" +.It "Effective User ID 4 bytes Effective user ID" +.It "Effective Group ID 4 bytes Effective group ID" +.It "Real User ID 4 bytes Real user ID" +.It "Real Group ID 4 bytes Real group ID" +.It "Process ID 4 bytes Process ID" +.It "Session ID 4 bytes Audit session ID" +.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" +.It "Terminal Machine Address 4 bytes IP address of machine" +.El +.Ss Expanded Subject Token +The +.Dq expanded subject +token consists of the same elements as the +.Dq subject +token, with the addition of type/length and variable size machine address +information in the terminal ID. +An +.Dq expanded subject +token can be created using +.Xr au_to_subject32_ex 3 +or +.Xr au_to_subject64_ex 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Audit ID 4 bytes Audit user ID" +.It "Effective User ID 4 bytes Effective user ID" +.It "Effective Group ID 4 bytes Effective group ID" +.It "Real User ID 4 bytes Real user ID" +.It "Real Group ID 4 bytes Real group ID" +.It "Process ID 4 bytes Process ID" +.It "Session ID 4 bytes Audit session ID" +.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)" +.It "Terminal Address Type/Length 1 byte Length of machine address" +.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine" +.El +.Ss System V IPC Token +The +.Dq System V IPC +token contains the System V IPC message handle, semaphore handle or shared +memory handle. +A System V IPC token may be created using ++.Xr au_to_ipc 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Object ID type 1 byte Object ID" +.It "Object ID 4 bytes Object ID" +.El +.Ss Text Token +The +.Dq text +token contains a single NUL-terminated text string. +A +.Dq text +token may be created using +.Xr au_to_text 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Text Length 2 bytes Length of text string including NUL" +.It "Text N bytes + 1 NUL Text string including NUL" +.El +.Ss Attribute Token +The +.Dq attribute +token describes the attributes of a file associated with the audit event. +As files may be identified by 0, 1, or many path names, a path name is not +included with the attribute block for a file; optional +.Dq path +tokens may also be present in an audit record indicating which path, if any, +was used to reach the object. +An +.Dq attribute +token can be created using +.Xr au_to_attr32 3 +or +.Xr au_to_attr64 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "File Access Mode 1 byte mode_t associated with file" +.It "Owner User ID 4 bytes uid_t associated with file" +.It "Owner Group ID 4 bytes gid_t associated with file" +.It "File System ID 4 bytes fsid_t associated with file" +.It "File System Node ID 8 bytes ino_t associated with file" +.It "Device 4/8 bytes Device major/minor number (32/64-bit)" +.El +.Ss Groups Token +The +.Dq groups +token contains a list of group IDs associated with the audit event. +A +.Dq groups +token can be created using +.Xr au_to_groups 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Number of Groups 2 bytes Number of groups in token" +.It "Group List N * 4 bytes List of N group IDs" +.El +.Ss System V IPC Permission Token +The +.Dq System V IPC permission +token contains a System V IPC access permissions. +A System V IPC permission token may be created using +.Xr au_to_ipc_perm 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner" +.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner" +.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator" +.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator" +.It Li "Access mode" Ta "4 bytes" Ta "Access mode" +.It Li "Sequence number" Ta "4 bytes" Ta "Sequence number" +.It Li "Key" Ta "4 bytes" Ta "IPC key" +.El +.Ss Arg Token +The +.Dq arg +token contains information about arguments of the system call. +Depending on the size of the desired argument value, an Arg token may be +created using +.Xr au_to_arg32 3 +or +.Xr au_to_arg64 3 . 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It Li "Argument ID" Ta "1 byte" Ta "Argument ID" +.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value" +.It Li "Length" Ta "2 bytes" Ta "Length of the text" +.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul" +.El +.Ss exec_args Token +The +.Dq exec_args +token contains information about arguments of the exec() system call. +An exec_args token may be created using +.Xr au_to_exec_args 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It Li "Count" Ta "4 bytes" Ta "Number of arguments" +.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings" +.El +.Ss exec_env Token +The +.Dq exec_env +token contains current environment variables to an exec() system call. +An exec_args token may be created using +.Xr au_to_exec_env 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It Li "Count ID" Ta "4 bytes" Ta "Number of variables" +.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings" +.El +.Ss Exit Token +The +.Dq exit +token contains process exit/return code information. +An +.Dq exit +token can be created using +.Xr au_to_exit 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Status 4 bytes Process status on exit" +.It "Return Value 4 bytes Process return value on exit" +.El +.Ss Socket Token +The +.Dq socket +token contains information about UNIX domain and Internet sockets. +Each token has four or eight fields. +Depending on the type of socket, a socket token may be created using +.Xr au_to_sock_unix 3 , +.Xr au_to_sock_inet32 3 +or +.Xr au_to_sock_inet128 3 . 
+.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Socket family" Ta "2 bytes" Ta "Socket family" +.It Li "Local port" Ta "2 bytes" Ta "Local port" +.It Li "Socket address" Ta "4 bytes" Ta "Socket address" +.El +.Ss Expanded Socket Token +The +.Dq expanded socket +token contains information about IPv4 and IPv6 sockets. +A +.Dq expanded socket +token can be created using +.Xr au_to_socket_ex 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain" +.It Li "Socket type" Ta "2 bytes" Ta "Socket type" +.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)" +.It Li "Local port" Ta "2 bytes" Ta "Local port" +.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address" +.It Li "Remote port" Ta "2 bytes" Ta "Remote port" +.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address" +.El +.Ss Seq Token +The +.Dq seq +token contains a unique and monotonically increasing audit event sequence ID. +Due to the limited range of 32 bits, serial number arithmetic and caution +should be used when comparing sequence numbers. +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Sequence Number 4 bytes Audit event sequence number" +.El +.Ss privilege Token +The +.Dq privilege +token ... +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.El +.Ss Use-of-auth Token +The +.Dq use-of-auth +token ... 
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.El +.Ss Command Token +The +.Dq command +token ... +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.El +.Ss ACL Token +The +.Dq ACL +token ... +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.El +.Ss Zonename Token +The +.Dq zonename +token holds a NUL-terminated string with the name of the zone or jail from +which the record originated. +A +.Dq zonename +token can be created using +.Xr au_to_zonename 3 . +.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL" +.It Sy "Field Bytes Description" +.It "Token ID 1 byte Token ID" +.It "Zonename length 2 bytes Length of zonename string including NUL" +.It "Zonename N bytes + 1 NUL Zonename string including NUL" +.El +.Sh SEE ALSO +.Xr auditreduce 1 , +.Xr praudit 1 , +.Xr libbsm 3 , +.Xr audit 4 , +.Xr auditpipe 4 , +.Xr audit 8 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh AUTHORS +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh BUGS +The +.Dq How to print +field in the +.Dq arbitrary data +token has undefined values. +.Pp +The +.Dq in_addr +and +.Dq in_addr_ex +token layout documented here appears to be in conflict with the +.Xr libbsm 3 +implementation of +.Xr au_to_in_addr_ex 3 . |
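Review bot: In the System V IPC Token section the added line `++.Xr au_to_ipc 3 .` carries a literal `+` in front of the macro, so the file line no longer begins with the `.` control character and mdoc will emit `+.Xr au_to_ipc 3 .` as plain text instead of a cross-reference; drop the stray `+` so the line reads `.Xr au_to_ipc 3 .`. The field tables also disagree with each other: Expanded Process Token lists "Terminal Address Type/Length" as 4 bytes while Expanded Subject Token lists the same field as 1 byte, and both give "Terminal Machine Address" as 4 bytes while describing it as an IPv4 or IPv6 address. Anyone deriving record offsets from this page gets a different layout depending on which table they read, so these widths should be reconciled against libbsm, which the page itself recommends over hand parsing. Two smaller points: the exec_env section says "An exec_args token may be created using" in front of `.Xr au_to_exec_env 3`, which reads as a copy-paste from the preceding section, and the privilege, Use-of-auth, Command and ACL sections are still "token ..." stubs whose tables contain only the Token ID row. If this file is meant to mirror the FreeBSD source verbatim, these are better reported upstream than patched locally.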
