aud_audit_events(5) OSF aud_audit_events(5)
NAME
aud_audit_events - Auditable events for the audit services
DESCRIPTION
Code points are in place for auditing events that are significant to
the audit service. These events include:
+ Administrative operations
These are subdivided into modify and query operations.
+ Filter operations
These are subdivided into modify and query operations.
Event class definitions, together with filters, control the auditing
execution at these code points. Filters can be updated dynamically.
Filter files are maintained by a per-host audit daemon, and are shared
among all the audit clients on the same host. The dcecp command
interface program is used for maintaining the filters. (See the dcecp
reference page.) The dcecp command is executable by all users and
system administrators. Who is allowed to modify filters is controlled
through the ACL of the audit daemon, which maintains the filters.
The Audit Service RPC interfaces include audit_control and
audit_filter operations.
Administrative Operations
The dce_audit_admin_modify and dce_audit_admin_query event classes
group the administrative operations that are performed on the
Audit daemon.
The dce_audit_admin_modify event class has the following events that
modify the operation of the Audit daemon:
+ EVT_MODIFY_STATE - Enables or disables the Audit daemon for
logging.
+ EVT_MODIFY_SSTRATEGY - Modifies storage strategy. This can be
any of the following:
-- Save - If the trail is full, it is backed up and renamed
with a timestamp, and writing then resumes on the original trail.
-- Wrap - If the trail is full, writing goes back to the beginning
of the file, overwriting previously written records.
Hewlett-Packard Company - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
+ EVT_REWIND - Rewinds the Audit daemon's central trail file.
+ EVT_STOP - Stops the Audit daemon.
The following are the audit code points in the Audit Service
interfaces, with their Event Types, Event Classes, and any
Event-Specific Information.
Event Type (Event Number, Event Classes)
EVT_MODIFY_STATE (0x306, dce_audit_admin_modify)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
EVT_MODIFY_SSTRATEGY (0x305, dce_audit_admin_modify)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
EVT_REWIND (0x307, dce_audit_admin_modify)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
EVT_STOP (0x308, dce_audit_admin_modify)
Event-Specific Information
None
The dce_audit_admin_query event class has two events:
+ EVT_SHOW_SSTRATEGY - Shows the storage strategy.
+ EVT_SHOW_STATE - Shows the state of the Audit daemon.
Following are the details of this event class:
Event Type (Event Number, Event Classes)
EVT_SHOW_SSTRATEGY (0x309, dce_audit_admin_query)
Event-Specific Information
None
Event Type (Event Number, Event Classes)
EVT_SHOW_STATE (0x30a, dce_audit_admin_query)
Event-Specific Information
None
Filter Operations
The dce_audit_filter_modify and dce_audit_filter_query event classes
are the filter operations that the Audit daemon handles.
The dce_audit_filter_modify event class has the following events:
+ EVT_ADD_FILTER - Adds a filter.
+ EVT_DELETE_FILTER - Removes all guides for a specific subject.
+ EVT_REMOVE_FILTER - Removes a specific guide for a specific
subject.
Following are the details of this event class:
Event Type (Event Number, Event Classes)
EVT_ADD_FILTER (0x303, dce_audit_filter_modify)
Event-Specific Information
None.
Event Type (Event Number, Event Classes)
EVT_DELETE_FILTER (0x300, dce_audit_filter_modify)
Event-Specific Information
None.
Event Type (Event Number, Event Classes)
EVT_REMOVE_FILTER (0x304, dce_audit_filter_modify)
Event-Specific Information
None.
The dce_audit_filter_query event class contains two events:
+ EVT_LIST_FILTER - Lists all subjects that have filters.
+ EVT_SHOW_FILTER - Shows all filters for a specific principal.
Following are the details of this event class:
Event Type (Event Number, Event Classes)
EVT_LIST_FILTER (0x302, dce_audit_filter_query)
Event-Specific Information
None.
Event Type (Event Number, Event Classes)
EVT_SHOW_FILTER (0x301, dce_audit_filter_query)
Event-Specific Information
aud_c_evt_info_long_int esl_type
aud_c_evt_info_char_string subject_name
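The event numbers above can drive a review of who changed the audit configuration. The following is an added example, not part of the original reference page or of DCE: it scans exported records and reports every event in a modify class, including denied attempts. The one-line record format, the outcome strings, the principal names and the function name triage are assumptions made for illustration.

```python
import re

# Event numbers and classes exactly as listed on this reference page.
EVENTS = {
    0x300: ("EVT_DELETE_FILTER", "dce_audit_filter_modify"),
    0x301: ("EVT_SHOW_FILTER", "dce_audit_filter_query"),
    0x302: ("EVT_LIST_FILTER", "dce_audit_filter_query"),
    0x303: ("EVT_ADD_FILTER", "dce_audit_filter_modify"),
    0x304: ("EVT_REMOVE_FILTER", "dce_audit_filter_modify"),
    0x305: ("EVT_MODIFY_SSTRATEGY", "dce_audit_admin_modify"),
    0x306: ("EVT_MODIFY_STATE", "dce_audit_admin_modify"),
    0x307: ("EVT_REWIND", "dce_audit_admin_modify"),
    0x308: ("EVT_STOP", "dce_audit_admin_modify"),
    0x309: ("EVT_SHOW_SSTRATEGY", "dce_audit_admin_query"),
    0x30a: ("EVT_SHOW_STATE", "dce_audit_admin_query"),
}

# Assumed export format (hypothetical, not the native DCE trail format):
#   <timestamp> <principal> <event number in hex> <outcome>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)$")

# Constructed sample records, including one damaged and one unknown entry.
SAMPLE = """\
2002-03-01T09:00:02Z cell_admin 0x30a success
2002-03-01T09:00:40Z opsuser 0x304 denial
2002-03-01T09:01:15Z cell_admin 0x305 success
2002-03-01T09:01:20Z cell_admin 0x307 success
this line is truncated
2002-03-01T09:02:00Z cell_admin 0x3ff success
2002-03-01T09:02:30Z cell_admin 0x308 success
"""

def triage(text):
    """Return (alerts, rejects): modify-class events, and lines that could not be classified."""
    alerts, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            if raw.strip():  # blank lines are ignored, damaged ones are reported
                rejects.append((lineno, "malformed"))
            continue
        when, who, num, outcome = m.groups()
        name, cls = EVENTS.get(int(num, 16), (None, None))
        if name is None:
            rejects.append((lineno, "unknown event " + num))
            continue
        if cls.endswith("_modify"):  # query-class events are not reported
            alerts.append({"time": when, "principal": who, "event": name, "class": cls, "outcome": outcome})
    return alerts, rejects
```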
RELATED INFORMATION
Commands: dcecp(1m).
Files: event_class.5.