dts_audit_events(5) OSF dts_audit_events(5)
NAME [Toc] [Back]
dts_audit_events - Auditable events for the time services
DESCRIPTION [Toc] [Back]
Code is in place for auditing security-significant events in the Time
Server. Among these events are:
+ Time Service processes
+ Clock readings
+ Global-set membership (in the Cell Service Profile)
+ Time Service attributes
Event class definitions, together with filters, control the auditing
execution at these code points. Filters can be updated dynamically.
Filter files are maintained by a per-host audit daemon, and are shared
among all the audit clients on the same host. The dcecp command
interface program is used for maintaining the filters. (See the dcecp
reference page.) The dcecp command is executable by all users and
system administrators. The control on who is allowed to modify
filters is done through audit daemon's ACL, which maintains the
filters.
The Time Server RPC interfaces that manage the Time Service and
request and provide the time include time_control, time_service,
gbl_time_service, and time_provider.
The following are the audit code points in these Time Service
interfaces, with their Event Types, Event Classes, and any EventSpecific
Information.
Control Interface (time_control) Operations [Toc] [Back]
The CreateCmd() operation creates the Time Service as a server or a
clerk. The caller must have write access to the management interface.
Event Type (Event Number, Event Classes)
EVT_CREATE_CMD (0x200, dce_dts_mgt_modify)
Event-Specific Information
signed32 servType
The DeleteCmd() operation deletes the Time Service entity from the
system where the command is entered. This command stops the process.
Hewlett-Packard Company - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
The caller must have write access to the management interface.
Event Type (Event Number, Event Classes)
EVT_DELETE_CMD (0x201, dce_dts_mgt_modif)
Event-Specific Information
None
The EnableCmd() operation starts the DTS entity on the local node.
This command makes the server available to the network. The clockSet
argument tells the Time Service whether or not to set the clock after
the first synchronization. The caller must have write access to the
management interface.
Event Type (Event Number, Event Classes)
EVT_ENABLE_CMD (0x202, dce_dts_mgt_modify)
Event-Specific Information
signed32 clockSet
The DisableCmd operation disables the Time Service by making it
unavailable to the network. In the case of servers, it makes it
unavailable to the RPC client trying to talk to it. For clerks, it
stops synchronizing with servers. The caller must have write access
to the management interface.
Event Type (Event Number, Event Classes)
EVT_DISABLE_CMD (0x203, dce_dts_mgt_modify)
Event-Specific Information
None
The UpdateCmd() operation gradually adjusts the clock on the local
node to the specified time. The caller must have write access to the
management interface.
Event Type (Event Number, Event Classes)
EVT_UPDATE_CMD (0x204, dce_dts_synch)
Hewlett-Packard Company - 2 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
Event-Specific Information
utc_t old_time
utc_t new_time
The ChangeCmd operation changes the epoch number on the server and
optionally sets the time to a new time. These values are passed in
the argument changeDir. The caller must have write access to the
management interface.
Event Type (Event Number, Event Classes)
EVT_CHANGE_CMD (0x205, dce_dts_synch)
Event-Specific Information
signed32 old_epoch
signed32 new_epoch
utc_t old_time
utc_t new_time
The SynchronizeCmd() operation causes the Time Service to synchronize
immediately. If the argument clockSet is true, the clock is set to
the new value after a synchronization. The caller must have write
access to the management interface.
Event Type (Event Number, Event Classes)
EVT_SYNCHRONIZE_CMD (0x206, dce_dts_synch)
Event-Specific Information
signed32 setClock
The AdvertiseCm() operation adds (advertises) this Time Server node as
a member of the global set in the Cell Services Profile. The caller
must have write access to the management interface.
Event Type (Event Number, Event Classes)
EVT_ADVERTISE_CMD (0x207, dce_dts_mgt_modify)
Event-Specific Information
None
Hewlett-Packard Company - 3 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
The UnadvertiseCmd() operation removes (unadvertises) this Time Server
node as a member of the set of global servers in the Cell Services
profile. The caller must have write access to the management
interface.
Event Type (Event Number, Event Classes)
EVT_UNADVERTISE_CMD (0x208, dce_dts_mgt_modify)
Event-Specific Information
None
The SetDefaultCmd() operation, when an attribute with no accompanying
value is passed, sets an attribute to its default value. The
attribute type is passed in the setAttr argument. The caller must
have write access to the management interface.
Event Type (Event Number, Event Classes)
EVT_SET_DEFAULT_CMD (0x209, dce_dts_mgt_modify)
Event-Specific Information
byte useDefault
signed32 attribute
The SetAttrCmd() operation, when an attribute and an accompanying
value is passed, sets an attribute to a value given. The attribute
type is passed in setAttr argument and the attribute value in
AttrValue argument. The caller must have write access to the
management interface.
Event Type (Event Number, Event Classes)
EVT_SET_ATTR_CMD (0x20A, dce_dts_mgt_modif)
Event-Specific Information
signed32 attribute
signed32 attribute_type
The ShowAttrCmd() operation, when passed an attribute name, queries
the Time Service for the attribute's value. The attribute value is
passed back in the argument attrValue. The caller must have read
access to the management interface.
Hewlett-Packard Company - 4 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
Event Type (Event Number, Event Classes)
EVT_SHOW_ATTR_CMD (0x20B, dce_dts_mgt_query)
Event-Specific Information
signed32 attribute
signed32 attribute_type
The ShowAllCharsCmd() operation, when not passed a group name with the
all value, queries the Time Service for the values of all the
characteristic attributes and values. The caller must have read
access to the management interface.
Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_CHARS_CMD (0x20C, dce_dts_mgt_query)
Event-Specific Information
None
The ShowAllStatusCmd() operation, when passed the all status value,
queries the Time Service for the values of all the status attributes.
The caller must have read access to the management interface.
Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_STATUS_CMD (0x20D, dce_dts_mgt_query)
Event-Specific Information
None
The ShowAllCntrsCmd() operation, when passed the all counters value,
queries the Time Service for the values of all the counters. The
caller must have read access to the management interface.
Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_CNTRS_CMD (0x20E, dce_dts_mgt_query)
Event-Specific Information
None
Hewlett-Packard Company - 5 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
The ShowLocServersCmd() operation, when passed the local servers
value, queries the Time Service for the servers in the local set. A
variable conformant array is used to return the set of local servers
available. The size of the array transmitted over RPC is determined
at run-time. The caller must have read access to the management
interface.
Event Type (Event Number, Event Classes)
EVT_SHOW_LOC_SERVERS_CMD (0x20F, dce_dts_mgt_query)
Event-Specific Information
None
The ShowGblServersCmd() operation, when passed the global servers
value, queries the Time Service for the servers in the global set. A
variable conformant array is used to return the set of global servers
available. The caller must have read access to the management
interface.
Event Type (Event Number, Event Classes)
EVT_SHOW_GBL_SERVERS_CMD (0x210, dce_dts_mgt_query)
Event-Specific Information
None
Time Provider Interface (time_provider) Operations [Toc] [Back]
Auditable events in the RPC-based Time Provider Program (TPP)
interfaces are defined here. These events are invoked by a Time
Service daemon running as a server (in this case it makes an RPC
client call to the TPP server).
The ContactProvider() operation sends initial contact message to the
TPP. The TPP server responds with a control message. This operation
may cause modification of the time server's (not the provider's) clock
and should be defined to be an auditable event in the time server.
There is no access control in the provider for this operation, but the
integrity of the messages is protected.
Event Type (Event Number, Event Classes)
EVT_CONTACT_PROVIDER (0x211, dce_dts_time_provider)
Event-Specific Information
None
Hewlett-Packard Company - 6 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
dts_audit_events(5) Open Software Foundation dts_audit_events(5)
The ServerRequestProviderTime() operation has the client send a
request to the TPP for times. The TPP server responds with an array
of time stamps obtained by querying the Time Provider hardware that it
polls. There is no access control in the Time Provider for this
operation, but the integrity of the message is protected.
Event Type (Event Number, Event Classes)
EVT_REQUEST_PROVIDER_TIME (0x212, dce_dts_time_provider)
Event-Specific Information
None
RELATED INFORMATION [Toc] [Back]
Commands: advertise(1m), aud(1m), audfilter(1m), change(1m),
create(1m), dcecp(1m). delete(1m), disable(1m), dts_intro(1m),
dtsd(1m), enable(1m), exit(1m), help(1m), quit(1m), set(1m), show(1m),
synchronize(1m), unadvertise(1m), update(1m),
Files: event_class.5, sec_audit_events(5).
Hewlett-Packard Company - 7 -OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96 [ Back ] |