⇒ aud_audit_events(5sec) — DCE 3.1

aud_audit_events(5sec)  —  Macro Packages and Conventions

NAME

aud_audit_events - Auditable events for the audit services

DESCRIPTION

The DCE Security Service supports the auditing of audit service-significant events.  Among these events are:

       • Administrative operations

These are subdivided into modify and query operations. 

       • Filter operations

These are subdivided into modify and query operations. 

Event class definitions, together with filters, control the auditing execution at these code points.  Filters can be updated dynamically.  Filter files are maintained by a per-host audit daemon, and are shared among all the audit clients on the same host.  The DCE control program, dcecp, is used for maintaining the filters.  (See the dcecp(8dce) reference page.)  The dcecp command is executable by all users and system administrators.  The ability to modify filters is controlled through the access control list (ACL) of the audit daemon, which maintains the filters.

The audit service remote procedure call (RPC) interfaces include audit_control and audit_filter operations. 

Administrative Operations

The dce_audit_admin_modify and dce_audit_admin_query event classes lump together the administrative operations that are performed on the audit daemon. 

The dce_audit_admin_modify event class has the following events that modify the operation of the audit daemon:

EVT_MODIFY_STATE
Enables or disables the audit daemon for logging.

EVT_MODIFY_SSTRATEGY
Modifies storage strategy.  This can be any of the following:

Save
If the trail is full, it is backed up and renamed with a timestamp, and writing then resumes on the original trail.

Wrap
If the trail is full, writing goes back to the beginning of the file, overwriting previously written records.

EVT_REWIND
Rewinds the audit daemon’s central trail file.

EVT_STOP
Stops the audit daemon.

The following are the audit code points in the audit service interfaces.  Each entry shows the event type, followed by the event number and event classes, and then any event-specific information. 

EVT_MODIFY_STATE (0x306, dce_audit_admin_modify)
Event-specific information: None.

EVT_MODIFY_SSTRATEGY (0x305, dce_audit_admin_modify)
Event-specific information: None.

EVT_REWIND (0x307, dce_audit_admin_modify)
Event-specific information: None.

EVT_STOP (0x308, dce_audit_admin_modify)
Event-specific information: None.

The dce_audit_admin_query event class has two events:

EVT_SHOW_SSTRATEGY
Shows the storage strategy.

EVT_SHOW_STATE
Shows the state of the audit daemon.

Following are the details of this event class:

EVT_SHOW_SSTRATEGY (0x309, dce_audit_admin_query)
Event-specific information: None.

EVT_SHOW_STATE (0x30a, dce_audit_admin_query)
Event-specific information: None.

Filter Operations

The dce_audit_filter_modify and dce_audit_filter_query event classes are the filter operations that the audit daemon handles. 

The dce_audit_filter_modify event class has the following events:

EVT_ADD_FILTER
Adds a filter.

EVT_DELETE_FILTER
Removes all guides for a specific subject.

EVT_REMOVE_FILTER
Removes a specific guide for a specific subject.

Following are the details of this event class:

EVT_ADD_FILTER (0x303, dce_audit_filter_modify)
Event-specific information: None.

EVT_DELETE_FILTER (0x300, dce_audit_filter_modify)
Event-specific information: None.

EVT_REMOVE_FILTER (0x304, dce_audit_filter_modify)
Event-specific information: None.

The dce_audit_filter_query event class contains two events:

EVT_LIST_FILTER
Lists all subjects that have filters.

EVT_SHOW_FILTER
Shows all filters for a specific principal.

Following are the details of this event class:

EVT_LIST_FILTER (0x302, dce_audit_filter_query)
Event-specific information: None.

EVT_SHOW_FILTER (0x301, dce_audit_filter_query)
Event-specific information:
aud_c_evt_info_long_int esl_type
aud_c_evt_info_char_string subject_name

RELATED INFORMATION

Commands: dcecp(8dce). 

Files: event_class(5sec). 
