sec_audit_events(5sec)
NAME
sec_audit_events - Auditable events for the security services
DESCRIPTION
Code is in place for auditing security-significant events in the security server. Among these events are the following:
• Attempts to invoke authentication server/ticket-granting server/privilege server (AS/TGS/PS) operations.
• Deletion of security server objects, including the following:
  — access control lists (ACLs)
  — accounts
  — PGO items
  — registry properties
  — registry/organization policies
  — registry master key
• Attempts to invoke an operation that modifies security server objects or updates an ACL.
• Attempts to invoke operations that involve access control.
• Failed client responses to the server’s challenge, detected replays and invalid ticket requests.
• The use of cryptographic keys in the remote procedure call (RPC) runtime.
• Attempts to change the maintenance/operation states of the registry server.
Event class definitions, together with filters, control the auditing execution at these code points. Filters can be updated dynamically. Filter files are maintained by a per-host audit daemon and are shared among all the audit clients on the same host. The DCE control program, dcecp, is used to maintain the filters. (See the dcecp(8dce) reference page.) The dcecp command is executable by all users and system administrators. The ability to modify filters is controlled through the ACL of the audit daemon, which maintains the filters.
Security server RPC interfaces include krb5rpc, rdaclif, rdacliftmp, rpriv, rs_acct, rs_query, rs_rpladmn, rs_update, and rsec_cert. All the RPC interfaces are offered using the rpc_c_authn_dce_secret authentication service. The security server’s RPC runtime uses dce-rgy as its authentication identity. Within the same process, the security server’s UDP/IP interface provides Kerberos AS/TGS functions, with krbtgt/cell_name as its authentication identity.
The following are the audit code points in these security service interfaces. Each entry shows the event type, followed by the event number and event classes, and then any event-specific information.
Authentication Interface (krb5rpc) Operations
The rsec_krb5rpc_sendto_kdc() function is an RPC interface operation for accessing Kerberos AS/TGS services. Ticket-granting tickets and application tickets are requested and returned. There is no access control on this interface other than what is within the Kerberos ticket-granting mechanism itself; that is, the TGS request verification.
Event Type (Event Number, Event Classes)
AS_Request (0x101, dce_sec_authent)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
TGS_TicketReq (0x102, dce_sec_authent)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
TGS_RenewReq (0x103, dce_sec_authent)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
TGS_ValidateReq (0x104, dce_sec_authent)
Event-Specific Information
None
DACL Management Interface (rdaclif) Operations
The rdacl_lookup() operation retrieves the ACL of an object in the security server. Reviewing the ACL associated with an object in the security server is allowed if the caller has any access to the object.
Event Type (Event Number, Event Classes)
ACL_Lookup (0x105, dce_sec_control, dce_sec_query)
Event-Specific Information
char *component_name
uuid_t manager_type
sec_acl_type_t acl_type
The rdacl_replace() operation replaces the ACL of an object in the security server. The client must have the sec_acl_perm_owner permission for the update to be carried out.
Event Type (Event Number, Event Classes)
ACL_Replace (0x106, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *component_name
uuid_t manager_type
sec_acl_type_t acl_type
sec_acl_list_t old_acl_list
sec_acl_list_t new_acl_list
The rdacl_get_access() operation determines the caller’s access to a specified object. This call is authorized if the caller has any access to the object.
Event Type (Event Number, Event Classes)
ACL_GetAccess (0x107, dce_sec_control, dce_sec_query)
Event-Specific Information
char *component_name
uuid_t manager_type
sec_acl_permset_t net_rights
The rdacl_test_access() operation determines if the caller has the requested access. The return value of the call indicates whether the caller has the requested access to the object.
Event Type (Event Number, Event Classes)
ACL_TestAccess (0x108, dce_sec_control, dce_sec_query)
Event-Specific Information
char *component_name
uuid_t manager_type
sec_acl_permset_t desired_permset
The rdacl_get_manager_types() operation lists the types (UUIDs) of ACLs protecting an object. The caller must have some permissions on the object for each of the manager types that is defined for the object. Otherwise, no manager type is returned.
Event Type (Event Number, Event Classes)
ACL_GetMgrTypes (0x10A, dce_sec_control, dce_sec_query)
Event-Specific Information
char *component_name
sec_acl_type_t acl_type
The rdacl_get_referral() operation obtains a referral to an ACL update site. This function is used when the current ACL site yields a sec_acl_site_readonly error. Some replication managers will require all updates for a given object to be directed to a given replica. Clients of the generic ACL interface may know they are dealing with an object that is replicated in this way. This function allows them to recover from this problem and rebind to the proper update site. The client is required to have execute access on the parent of the object named by component_name.
Event Type (Event Number, Event Classes)
ACL_GetReferral (0x10B, dce_sec_control, dce_sec_query)
Event-Specific Information
char *component_name
uuid_t manager_type
sec_acl_type_t sec_acl_type
Privilege Server Interface (rpriv) Operations
The rpriv_get_ptgt() operation returns a privilege certificate to the ticket-granting service. The caller supplies the group set, and the privilege server seals the group set in the authorization portion of a privilege ticket-granting ticket (TGT), after first rejecting any groups that are not legitimately part of the caller’s credentials. A group is rejected if the caller is not a member of the group, or if the group is not allowed on project lists (the projlist_ok flag is not set).
There is no access control on this interface other than what is within the Kerberos ticket-granting mechanism itself; that is, the TGS request verification. This call may result in growth of the caller’s potential access set. Note that this is a pre-DCE Version 1.1 routine.
Event Type (Event Number, Event Classes)
PRIV_GetPtgt (0x10C, dce_sec_authent, dce_sec_control)
Event-Specific Information
char *client_address
unsigned16 num_groups   /* Number of local groups in PAC */
uuid_t groups           /* num_groups local groups in PAC */
Registry Server Account Interface (rs_acct) Operations
The rs_acct_add() operation adds an account with a specified login name. The caller needs m, a, and u (mgmt_info, auth_info, and user_info) permissions on the principal of the account that is to be added. The constituent principal, group, and organization (PGO) items for an account must be added before the account can be created. Also, the principal must have been added as a member of the specified group and organization.
Event Type (Event Number, Event Classes)
ACCT_Add (0x10D, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *login_name
sec_rgy_acct_key_t key_parts
The rs_acct_delete() operation deletes an account with a specified login name. The caller must have m, a, and u (mgmt_info, auth_info, and user_info) permissions on the principal of the account that is to be deleted.
Event Type (Event Number, Event Classes)
ACCT_Delete (0x10E, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *login_name
The rs_acct_rename() operation changes the account login name. The caller must have the m (mgmt_info) permission on the principal of the account to be renamed (old_login_name.pname).
Event Type (Event Number, Event Classes)
ACCT_Rename (0x10F, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *old_login_name
char *new_login_name
The rs_acct_lookup() operation returns data for a specified account. The caller must have the r (read) permission, according to the ACL of the account’s principal, for the account to be viewed.
Event Type (Event Number, Event Classes)
ACCT_Lookup (0x110, dce_sec_control, dce_sec_query)
Event-Specific Information
char *login_name
The rs_acct_replace() operation replaces both the user and administrative information in the account record specified by the input login name. The administrative information contains limitations on the account’s use and privileges. The user information contains such information as the account home directory and default shell. The administrative information can only be modified by a caller with the a (auth_info) privilege for the account’s principal. The user information can be modified by a caller with the u (user_info) privileges for the account’s principal.
Event Type (Event Number, Event Classes)
ACCT_Replace (0x111, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *login_name
unsigned32 key_parts
The rs_acct_get_projlist() operation returns members of the project list for the specified account. This operation requires the caller to have the r (read) permission on the account principal for which the project list data is to be returned.
Event Type (Event Number, Event Classes)
ACCT_GetProjlist (0x112, dce_sec_control, dce_sec_query)
Event-Specific Information
char *login_name
Registry Miscellaneous Operation Interface (rs_misc) Operations
The rs_login_get_info() operation returns login information for the specified account. This information is extracted from the account’s entry in the registry database. This operation requires the caller to have the r (read) permission on the account’s principal from which the data is to be returned.
Event Type (Event Number, Event Classes)
LOGIN_GetInfo (0x113, dce_sec_control, dce_sec_query)
Event-Specific Information
char *login_name
Registry PGO Interface (rs_pgo) Operations
The rs_pgo_add() operation adds a PGO item to the registry database. This operation requires the caller to have the i (insert) permission on the parent directory in which the PGO item is to be created.
Event Type (Event Number, Event Classes)
PGO_Add (0x114, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *pgo_name
The rs_pgo_delete() operation deletes a PGO item from the registry database. Any account depending on the deleted PGO item is also deleted. The deletion operation requires the caller to have the d (delete) permission on the parent directory that contains the PGO item to be deleted and the D (Delete_object) permission on the PGO item itself.
Event Type (Event Number, Event Classes)
PGO_Delete (0x115, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *pgo_name
The rs_pgo_replace() operation replaces the data associated with a PGO item in the registry database. The caller needs to have the m (mgmt_info) permission on the PGO item, if quota, flags, or unix_num is being set. (Only a cell principal’s unix_num is modifiable.) The caller needs to have the f (full name) permission to modify the full name of the PGO item.
Event Type (Event Number, Event Classes)
PGO_Replace (0x116, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *pgo_name
The rs_pgo_rename() operation renames a PGO item in the registry database. The caller needs to have the n (name) permission on the old name of the PGO item, if performing a rename within a directory. In order to move a PGO item between directories, the caller needs to have the n (name) permission on the old name of the PGO item as well as the d (delete) permission on the old parent directory and the i (insert) permission on the new parent directory in which the PGO item is being added under the new name.
Event Type (Event Number, Event Classes)
PGO_Rename (0x117, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *old_name
char *new_name
The rs_pgo_get() operation returns the name and data for a PGO item. The desired item is identified by a query key, which can be a name, a uuid, a unix_num, or a sequential-search flag. The caller needs to have the r (read) permission on the PGO item to be viewed.
Event Type (Event Number, Event Classes)
PGO_Get (0x118, dce_sec_control, dce_sec_query)
Event-Specific Information
sec_rgy_domain_t name_domain
rs_pgo_query_key_t key   /* The query key and one of the */
                         /* following depending on the   */
                         /* query key specified:         */
case (key == rs_pgo_query_name)
    char *name           /* Name of the item being searched */
case (key == rs_pgo_query_id)
    uuid_t id_key        /* uuid of the item being searched */
case (key == rs_pgo_query_unix_num)
    unsigned32 unix_num  /* unix_num of item being searched */
case (key == rs_pgo_query_next)
    char *scope          /* Scope of item being searched */
The rs_pgo_key_transfer() operation performs a specified key transfer between the uuid, unix_num, and name of a PGO item. The caller needs to have some permission on the PGO item for id->name and unix_num->name transfers.
Event Type (Event Number, Event Classes)
PGO_KeyTransfer (0x119, dce_sec_control)
Event-Specific Information
sec_rgy_domain_t name_domain
rs_pgo_query_key_t key   /* The query key                   */
                         /* One of the following, depending */
                         /* on the query key specified:     */
case (key == rs_pgo_query_name)
    char *name           /* Name of the item being searched */
case (key == rs_pgo_query_id)
    uuid_t id_key        /* uuid of the item being searched */
case (key == rs_pgo_query_unix_num)
    unsigned32 unix_num  /* unix_num of item being searched */
unsigned32 requested_result_type
The rs_pgo_add_member() operation adds a member to a group or an organization. The caller must have the M (Member_list) permission on the group or organization. Additionally, if this call is for adding a group member, the caller must have the g (groups) permission on the principal to be added.
Event Type (Event Number, Event Classes)
PGO_AddMember (0x11A, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *person_name   /* Principal’s name */
char *go_name       /* Group or org’s name */
The rs_pgo_delete_member() operation deletes a principal from a group or an organization in the registry database. The caller must have the M (Member_list) permission on the group or organization. Note that the caller does not need to have the g (groups) permission when deleting the principal from a group.
Event Type (Event Number, Event Classes)
PGO_DeleteMember (0x11B, dce_sec_control, dce_sec_modify)
Event-Specific Information
sec_rgy_domain_t name_domain
char *person_name   /* Principal’s name */
char *go_name       /* Group or org’s name */
The rs_pgo_is_member() operation tests whether a specified principal is a member of a specified group or organization. The caller must have t (test) permission on the group or organization.
Event Type (Event Number, Event Classes)
PGO_IsMember (0x11C, dce_sec_control, dce_sec_query)
Event-Specific Information
sec_rgy_domain_t name_domain
char *person_name   /* Principal’s name */
char *go_name       /* Group or org’s name */
The rs_pgo_get_members() operation, if the specified domain is group or organization, lists the members of the specified group or organization. If the domain is principal, it lists the groups in which the principal is a member. The caller must have the r (read) permission on the principal, group, or organization.
Event Type (Event Number, Event Classes)
PGO_GetMembers (0x11D, dce_sec_control, dce_sec_query)
Event-Specific Information
sec_rgy_domain_t name_domain
char *go_name   /* PGO’s uuid */
Registry Policy Interface (rs_policy) Operations
The rs_properties_get_info() operation returns a list of registry properties. The caller must have the r (read) permission on the policy object from which the property information is to be returned.
Event Type (Event Number, Event Classes)
PROP_GetInfo (0x11E, dce_sec_control, dce_sec_query)
Event-Specific Information
None
The rs_properties_set_info() operation sets the registry properties. The caller must have the m (mgmt_info) permission on the policy object for which the property information is to be set.
Event Type (Event Number, Event Classes)
PROP_SetInfo (0x11F, dce_sec_control, dce_sec_modify)
Event-Specific Information
None
The rs_policy_get_info() operation returns the policy for a specified organization or the registry (if no organization name is specified). The caller must have the r (read) permission on the policy object or organization item from which the data is to be returned. Note that the rs_policy_get_effective() operation uses the same audit event (POLICY_GetInfo) as the rs_policy_get_info() operation.
Event Type (Event Number, Event Classes)
POLICY_GetInfo (0x120, dce_sec_control, dce_sec_query)
Event-Specific Information
char *organization
The rs_policy_set_info() operation sets the policy for a specified organization or the registry (if no organization name is specified). The caller must have the m (mgmt_info) permission on the policy object or organization item for which the data is to be set.
Event Type (Event Number, Event Classes)
POLICY_SetInfo (0x121, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *organization
The rs_auth_policy_get_info() operation returns the authentication policy for a specified account or the registry (if no account is specified). The caller must have the r (read) permission on the policy object or account’s principal from which the data is to be returned.
Event Type (Event Number, Event Classes)
AUTHPOLICY_GetInfo (0x122, dce_sec_control, dce_sec_query)
Event-Specific Information
char *account
The rs_auth_policy_get_effective() operation returns the effective authentication policy for an account. If no account is specified, the authentication policy for the registry is returned. The caller must have r (read) permission on the policy object of the registry. If an account is specified, the caller must also have r (read) permission on the account’s principal.
Event Type (Event Number, Event Classes)
No new event is defined for this operation. AUTHPOLICY_GetInfo is used here.
The rs_auth_policy_set_info() operation sets the authentication policy for an account or the registry (if no account is specified). The caller must have a (auth_info) permission on the account’s principal or policy object of the registry.
Event Type (Event Number, Event Classes)
AUTHPOLICY_SetInfo (0x123, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *account
Registry Administration Interface Operations
The rs_rep_admin_stop() operation directs the registry server to stop servicing remote procedure calls. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_Stop (0x124, dce_sec_control, dce_sec_server)
Event-Specific Information
None
The rs_rep_admin_maint() operation directs the registry server into maintenance state (checkpointing the database, closing files, and so on) or out of it. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_Maint (0x125, dce_sec_control, dce_sec_server)
Event-Specific Information
boolean in_maintenance
The rs_rep_admin_mkey() operation directs the registry to change its master key and reencrypt account keys using the new master key. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_Mkey (0x126, dce_sec_control, dce_sec_server)
Event-Specific Information
None
The rs_rep_admin_destroy() operation directs the registry server replica to destroy its database and exit. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_Destroy (0x127, dce_sec_control, dce_sec_server)
Event-Specific Information
None
The rs_rep_admin_init_replica() operation directs the registry server to (re)initialize the slave identified by rep_id. This is a master-server-only operation. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_Init (0x128, dce_sec_control, dce_sec_server)
Event-Specific Information
char *rep_id_str
The rs_rep_admin_set_sw_rev() operation directs the registry server to change its software version. The caller must have A (Admin) permission on the registry policy object.
Event Type (Event Number, Event Classes)
REPADMIN_SetSwRev (0x013A, dce_sec_control, dce_sec_server)
Event-Specific Information
unsigned32 sw_rev
Registry Server Attributes Manipulation Interface (rs_attr) Operations
The rs_attr_update() operation updates (writes/creates) an attribute. The caller must have, for each attribute defined in attr_keys, the q (query_permset) permission on the registry object specified.
Event Type (Event Number, Event Classes)
ERA_Update (0x12B, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *component_name
unsigned32 num_to_write
uuid in_attrs[num_to_write].attr_id
The rs_attr_delete() operation deletes the specified attribute(s). The caller must have delete_permset permission for each attribute specified.
Event Type (Event Number, Event Classes)
ERA_Delete (0x12C, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *component_name
unsigned32 num_to_delete
uuid attrs[num_to_delete].attr_id
The rs_attr_lookup_by_id() operation performs a lookup of the attributes by attribute type ID. If the number of query attribute keys is 0, this operation will return all attributes that the caller is authorized to use. The caller must have, for each attribute specified, the q (query_permset) permission on the registry object specified.
Event Type (Event Number, Event Classes)
ERA_LookupById (0x12E, dce_sec_control)
Event-Specific Information
char *component_name
unsigned32 num_attr_keys
uuid attr_keys[num_attr_keys].attr_id
The rs_attr_lookup_no_expand() operation performs a lookup of the attributes by attribute type ID without expanding attribute sets to their constituent member attributes. If the number of query attribute keys is 0, this operation will return all attributes that the caller is authorized to use. The caller must have, for each attribute specified, q (query_permset) permission on the registry object specified.
Event Type (Event Number, Event Classes)
ERA_LookupNoExpand (0x12F, dce_sec_control)
Event-Specific Information
char *component_name
unsigned32 num_attr_keys
uuid attr_keys[num_attr_keys].attr_id
The rs_attr_lookup_by_name() operation performs a lookup of an attribute by name. The caller must have, for the attribute specified, q (query_permset) permission on the registry object specified.
Event Type (Event Number, Event Classes)
ERA_LookupByName (0x130, dce_sec_control)
Event-Specific Information
char *component_name
char *attr_name
Registry Server Attributes Schema Manipulation Interface (rs_attr_schema) Operations
The rs_attr_schema_create_entry() operation creates a new schema entry. The caller must be authorized to add entries to the specified schema.
Event Type (Event Number, Event Classes)
ERA_SchemaCreate (0x131, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *schema_name
char *schema_entry->attr_name
uuid schema_entry->attr_id
The rs_attr_schema_delete_entry() operation deletes a schema entry. The caller must be authorized to delete schema entries.
Event Type (Event Number, Event Classes)
ERA_SchemaDelete (0x132, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *schema_name
uuid attr_id
The rs_attr_schema_update_entry() operation updates the modifiable fields of a schema entry. The caller needs to have m (mgmt_info) permissions on the schema entry that is to be modified.
Event Type (Event Number, Event Classes)
ERA_SchemaUpdate (0x133, dce_sec_control, dce_sec_modify)
Event-Specific Information
char *schema_name
uuid schema_entry->attr_id
The rs_attr_schema_lookup_by_id() operation retrieves the schema entry identified by the attribute type uuid. The caller must have r (read) permissions on the schema entry specified.
Event Type (Event Number, Event Classes)
ERA_SchemaLookupId (0x134, dce_sec_control)
Event-Specific Information
char *schema_name
uuid attr_id
The rs_attr_schema_lookup_by_name() operation retrieves the schema entry identified by the attribute name. The caller must have r (read) permissions on the schema entry specified.
Event Type (Event Number, Event Classes)
ERA_SchemaLookupName (0x135, dce_sec_control)
Event-Specific Information
char *schema_name
char *attr_name
Version 1.1 Privilege Server Manager Interface (rpriv_v1_1) Operations
The rpriv_get_eptgt() operation constructs and returns an extended privilege certificate to the ticket-granting service. The caller supplies the extended privilege attributes in the form of an encoded extended privilege attribute certificate (EPAC). The procedure by which the requested privilege attributes are verified depends on how the call is authenticated and on whether the request is local (that is, a request from a client in this privilege server’s cell) or intercell (that is, from a foreign privilege service).
If the request is local, then the ticket to the privilege server is based on a Kerberos V5 TGT and the requested_privs consists of a single encoded EPAC. The privilege server decodes the requested_privs and verifies that the requested privileges are valid by performing the necessary database queries.
If the request is foreign, then the ticket to the privilege service is based on a DCE extended privilege TGT and the privilege server retrieves the EPAC seal from the DCE authorization data contained in the ticket, and uses it to verify that the requested privileges are valid.
Event Type (Event Number, Event Classes)
PRIV_GetEptgt (0x136, dce_sec_control, dce_sec_authent)
Event-Specific Information
char *request_location                 /* "LOCAL" or "INTERCELL" */
if "LOCAL" request:
    uuid req_princ_id->uuid            /* requested local principal uuid */
    uuid req_group_id->uuid            /* requested local primary group uuid */
    unsigned short int num_groups      /* number of valid local groups */
    uuid groups[num_groups].uuid       /* valid local groups’ uuids */
if "INTERCELL" request:
    unsigned short int num_epacs       /* number of epacs in delegation chain */
    uuid [num_epacs].pa.realm.uuid     /* privilege attribute realm uuid */
    uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
    uuid [num_epacs].pa.num_groups     /* number of groups in privilege attribute */
    uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                       /* uuids for groups in privilege attribute */
The rpriv_become_delegate() operation permits an intermediate server to become a delegate for its caller. The caller supplies extended privilege attributes in the form of an encoded EPAC. The privilege server verifies that the delegation token for this EPAC chain is correct and then creates a new chain from the existing one with the intermediary’s EPAC as a new delegate.
Event Type (Event Number, Event Classes)
PRIV_BecomeDelegate (0x138, dce_sec_control, dce_sec_authent)
Event-Specific Information
uuid req_princ_id->uuid            /* requested local principal uuid */
uuid req_group_id->uuid            /* requested local primary group uuid */
unsigned short int num_groups      /* number of valid local groups */
uuid groups[num_groups].uuid       /* valid local groups’ uuids */
unsigned short int num_epacs       /* number of epacs in delegation chain */
uuid [num_epacs].pa.realm.uuid     /* privilege attribute realm uuid */
uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
uuid [num_epacs].pa.num_groups     /* number of groups in privilege attribute */
uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                   /* uuids for groups in privilege attribute */
The rpriv_become_impersonator() operation permits an intermediate server to become an impersonator for its caller. The caller supplies extended privilege attributes in the form of an encoded EPAC. The privilege server verifies that the delegation token for the initiator’s EPAC is correct and also that the intermediary is allowed to impersonate the initiator.
Event Type (Event Number, Event Classes)
PRIV_BecomeImpersonator (0x139, dce_sec_control, dce_sec_authent)
Event-Specific Information
uuid req_princ_id->uuid            /* requested local principal uuid */
uuid req_group_id->uuid            /* requested local primary group uuid */
unsigned short int num_groups      /* number of valid local groups */
uuid groups[num_groups].uuid       /* valid local groups’ uuids */
unsigned short int num_epacs       /* number of epacs in delegation chain */
uuid [num_epacs].pa.realm.uuid     /* privilege attribute realm uuid */
uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */
uuid [num_epacs].pa.num_groups     /* number of groups in privilege attribute */
uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                   /* uuids for groups in privilege attribute */
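As an added example (not code from the DCE reference page or the DCE distribution), the following Python decodes event numbers from the listing above and evaluates a simplified audit-filter policy of the kind dcecp maintains, so that a reviewer can see which records a given combination of event classes and outcomes would log or alarm on. The (event class, outcome, action) guide shape, the outcome vocabulary, and the audit records are assumptions constructed for this illustration.

```python
"""Decode security-server audit events from the sec_audit_events(5sec)
listing and evaluate simplified DCE-style audit filters against them.

Added illustration, not code from the DCE distribution. The filter model
(event class + outcome -> action) is a simplified rendering of dcecp audit
filters, and the audit records below are constructed sample data.
"""
from collections import Counter

# Event number -> (event type, event classes), transcribed from the listing
# above. Only a representative subset of the events is included here.
EVENTS = {
    0x101: ("AS_Request",    {"dce_sec_authent"}),
    0x102: ("TGS_TicketReq", {"dce_sec_authent"}),
    0x105: ("ACL_Lookup",    {"dce_sec_control", "dce_sec_query"}),
    0x106: ("ACL_Replace",   {"dce_sec_control", "dce_sec_modify"}),
    0x10C: ("PRIV_GetPtgt",  {"dce_sec_authent", "dce_sec_control"}),
    0x10D: ("ACCT_Add",      {"dce_sec_control", "dce_sec_modify"}),
    0x11F: ("PROP_SetInfo",  {"dce_sec_control", "dce_sec_modify"}),
    0x124: ("REPADMIN_Stop", {"dce_sec_control", "dce_sec_server"}),
    0x126: ("REPADMIN_Mkey", {"dce_sec_control", "dce_sec_server"}),
    0x12B: ("ERA_Update",    {"dce_sec_control", "dce_sec_modify"}),
    0x136: ("PRIV_GetEptgt", {"dce_sec_control", "dce_sec_authent"}),
}

# Outcome vocabulary assumed for the filter model (constructed).
OUTCOMES = ("success", "denial", "failure", "pending")


def decode(event_number):
    """Return (event_type, classes) for a numeric event id; unknown ids get
    a placeholder name and no classes so they stay visible in reports."""
    return EVENTS.get(event_number, ("UNKNOWN_0x%X" % event_number, frozenset()))


def actions_for(record, guides):
    """Union of actions from every guide whose event class is one of the
    record's classes and whose outcomes include the record's outcome.
    A guide is a (event_class, outcomes, actions) triple."""
    _, classes = decode(record["event"])
    actions = set()
    for event_class, outcomes, guide_actions in guides:
        if event_class in classes and record["outcome"] in outcomes:
            actions.update(guide_actions)
    return actions


def triage(records, guides, auth_failure_threshold=3):
    """Apply the guides to each record and summarise what to log, what to
    alarm on, and which clients accumulate repeated authentication
    failures (events in class dce_sec_authent with outcome failure)."""
    report = {"log": [], "alarm": [], "repeat_auth_failures": []}
    failures = Counter()
    for rec in records:
        name, classes = decode(rec["event"])
        for action in actions_for(rec, guides):
            report[action].append((name, rec["client"]))
        if "dce_sec_authent" in classes and rec["outcome"] == "failure":
            failures[rec["client"]] += 1
    report["repeat_auth_failures"] = [
        client for client, n in failures.items() if n >= auth_failure_threshold]
    return report


# Example policy: log successful authentication, alarm on denied or failed
# authentication, log all modifications, and alarm on every registry
# server-state change (class dce_sec_server) whatever its outcome.
GUIDES = [
    ("dce_sec_authent", {"success"}, {"log"}),
    ("dce_sec_authent", {"denial", "failure"}, {"log", "alarm"}),
    ("dce_sec_modify", set(OUTCOMES), {"log"}),
    ("dce_sec_server", set(OUTCOMES), {"log", "alarm"}),
]

# Constructed audit records; client addresses are documentation-range placeholders.
SAMPLE_RECORDS = [
    {"event": 0x101, "outcome": "success", "client": "192.0.2.10"},
    {"event": 0x101, "outcome": "failure", "client": "192.0.2.77"},
    {"event": 0x102, "outcome": "failure", "client": "192.0.2.77"},
    {"event": 0x10C, "outcome": "failure", "client": "192.0.2.77"},
    {"event": 0x106, "outcome": "denial", "client": "192.0.2.10"},
    {"event": 0x126, "outcome": "success", "client": "192.0.2.10"},
    {"event": 0x1FF, "outcome": "success", "client": "192.0.2.10"},  # not in catalog
]

if __name__ == "__main__":
    for key, items in triage(SAMPLE_RECORDS, GUIDES).items():
        print(key, items)
```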
RELATED INFORMATION
Commands: dcecp(8dce).
Files: dts_audit_events(5sec), event_class(5sec).