Distributed Audit Service (XDAS) - Example XDAS Event Mappings

Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

Example XDAS Event Mappings

Oracle Security Events

The following events have been taken from the Oracle Database Administrator's Manual. The table below presents an illustrative mapping to XDAS events. Table: Mapping of ORACLE Audit Events to XDAS Generic Audit Events

Oracle Event Description XDAS-API Event(s)
Alter system configure service or application
Create/drop cluster configure service or application
Alter/truncate cluster configure service or application
Create/drop database link configure service or application
Create/delete index create/delete data item
Alter index modify data item
Not exists THIS IS REPRESENTED BY AN OUTCOME CODE
Create/replace function configure service or application
Create/replace package/package body bgcolor="#FFFFFF" configure service or application
Create/replace procedure configure service or application
Drop function, package, procedure configure service or application
Create/drop public database link configure service or application
Create/drop public synonym configure service or application
Create/drop role configure service or application
Set/alter role configure service service or application
Create/drop rollback segment create/delete data item
Alter rollback segment configure service
Create/drop sequence create/delete data item
Session connect/disconnect create/terminate an association
Set system audit configure audit service
System grant modify account attributes
Create/drop table create/delete data item
Truncate table modify data item contents
Create/drop tablespace configure service or application
Alter tablespace configure service or application
Create trigger configure service or application
Alter trigger enable/disable modify data item
Create/drop/alter user create/delete/modify account
Create/drop view create/delete data item
Alter sequence modify data item
Alter table, comment on table modify data item
Execute procedure invoke service or application
Grant/revoke privilege on procedure configure service or application
Grant/revoke privilege on sequence configure service or application
Grant/revoke privilege on table modify data item attributes
Insert into table modify data item
Lock table modify data item attributes
Select sequence, table create association with data item
Update table, view modify data item
Upgrade data modify data item attributes
Downgrade data modify data item attributes
Upgrade higher level rows modify data item attributes
Insert, update, delete lower level rows create/delete data items,
modify data item attributes
Lower DBMS label modify data item attributes
Raise DBMS label modify data item attributes
Alter DBMS label to a non-comparable label modify data item attributes
Grant MAC privileges modify account attributes,
modify an association context
Switch modes modify an association context

Oracle Event Description	XDAS-API Event(s)
Alter system	configure service or application
Create/drop cluster	configure service or application
Alter/truncate cluster	configure service or application
Create/drop database link	configure service or application
Create/delete index	create/delete data item
Alter index	modify data item
Not exists	THIS IS REPRESENTED BY AN OUTCOME CODE
Create/replace function	configure service or application
Create/replace package/package body bgcolor="#FFFFFF"	configure service or application
Create/replace procedure	configure service or application
Drop function, package, procedure	configure service or application
Create/drop public database link	configure service or application
Create/drop public synonym	configure service or application
Create/drop role	configure service or application
Set/alter role	configure service service or application
Create/drop rollback segment	create/delete data item
Alter rollback segment	configure service
Create/drop sequence	create/delete data item
Session connect/disconnect	create/terminate an association
Set system audit	configure audit service
System grant	modify account attributes
Create/drop table	create/delete data item
Truncate table	modify data item contents
Create/drop tablespace	configure service or application
Alter tablespace	configure service or application
Create trigger	configure service or application
Alter trigger enable/disable	modify data item
Create/drop/alter user	create/delete/modify account
Create/drop view	create/delete data item
Alter sequence	modify data item
Alter table, comment on table	modify data item
Execute procedure	invoke service or application
Grant/revoke privilege on procedure	configure service or application
Grant/revoke privilege on sequence	configure service or application
Grant/revoke privilege on table	modify data item attributes
Insert into table	modify data item
Lock table	modify data item attributes
Select sequence, table	create association with data item
Update table, view	modify data item
Upgrade data	modify data item attributes
Downgrade data	modify data item attributes
Upgrade higher level rows	modify data item attributes
Insert, update, delete lower level rows	create/delete data items,
	modify data item attributes
Lower DBMS label	modify data item attributes
Raise DBMS label	modify data item attributes
Alter DBMS label to a non-comparable label	modify data item attributes
Grant MAC privileges	modify account attributes,
	modify an association context
Switch modes	modify an association context

Mapping

The following events have been taken from the SUN Solaris BSM Manual for audit records. The table below shows where they map to the suggested XDAS events. Table: Mapping of Solaris BSM Audit Events to XDAS Generic Audit Events

BSM Kernel-level Audit Events XDAS-API Event
access(2) query data item attributes
acct(2) configure audit service
adjtime(2) configure service or application
chdir(2) modify processing context
chmod(2) modify data item attributes
chown(2) modify data item attributes
chroot(2) modify processing context
close(2) terminate association with data item
creat(2) create data item
exec(2) invoke service or application component
execve(2) as exec(2)
exit(2) terminate service or application component
fchdir(2) modify processing context
fchmod(2) modify data item attributes
fchown(2) modify data item attributes
fchroot(2) modify processing context
fcntl(2) modify data item attributes
fork(2) invoke service or application
fstat(2) query data item attributes
fstatfs(2) query configuration of service or application
ioctl(2) modify data item attributes
kill(2) modify data item contents
link(2) modify data item attributes
lstat(2) query data item attributes
mkdir(2) create data item
mknod(2) create data item
mmap(2) create a data item
mount(2) enable service
msgctl(2) modify data item attributes
msgget(2) create data item,
msgrcv(2) query data item contents
msgsnd(2) modify data item contents
munmap(2) delete data item
open(2) create an association with a data item
pathconf(2) query context of association with data item
pipe(2) create a data item
process dumped core resource corruption
readlink(2) query data item contents
rename(2) modify data item,
rmdir(2) delete data item
semctl(2) modify data item attributes
semget(2) create data item
semop(2) query/modify data item contents
setgroups(2) modify user session attributes
setspgrp(2) modify user session attributes
setrlimit(2) query/modify configuration of service or application
shmat(2) create association with peer
shmctl(2) query/modify data item attributes
shmdt(2) terminate association with peer
shmget(2) create data item
stat(2) query data item attributes
statfs(2) query configuration of service or application
symlink(2) modify data item attributes
system(2) invoke a service or application
umount(2) terminate a service or application
unlink modify data item attributes
utimes modify data item attributes
vfork(2) invoke service or application
vtrace(2) invoke service or application
/usr/sbin/allocate enable or disable devices
/usr/sbin/halt shutdown system
/usr/sbin/inetd create an association with a peer
/usr/sbin/in.ftpd creat an association with a peer
/usr/bin/login create user session
/usr/lib/nfs/mountd modify configuration of service or application
/usr/bin/passwd modify account attributes
/usr/sbin/reboot start system
/usr/sbin/in.rshd or create user session
/usr/bin/su modify user session attributes

BSM Kernel-level Audit Events	XDAS-API Event
access(2)	query data item attributes
acct(2)	configure audit service
adjtime(2)	configure service or application
chdir(2)	modify processing context
chmod(2)	modify data item attributes
chown(2)	modify data item attributes
chroot(2)	modify processing context
close(2)	terminate association with data item
creat(2)	create data item
exec(2)	invoke service or application component
execve(2)	as exec(2)
exit(2)	terminate service or application component
fchdir(2)	modify processing context
fchmod(2)	modify data item attributes
fchown(2)	modify data item attributes
fchroot(2)	modify processing context
fcntl(2)	modify data item attributes
fork(2)	invoke service or application
fstat(2)	query data item attributes
fstatfs(2)	query configuration of service or application
ioctl(2)	modify data item attributes
kill(2)	modify data item contents
link(2)	modify data item attributes
lstat(2)	query data item attributes
mkdir(2)	create data item
mknod(2)	create data item
mmap(2)	create a data item
mount(2)	enable service
msgctl(2)	modify data item attributes
msgget(2)	create data item,
msgrcv(2)	query data item contents
msgsnd(2)	modify data item contents
munmap(2)	delete data item
open(2)	create an association with a data item
pathconf(2)	query context of association with data item
pipe(2)	create a data item
process dumped core	resource corruption
readlink(2)	query data item contents
rename(2)	modify data item,
rmdir(2)	delete data item
semctl(2)	modify data item attributes
semget(2)	create data item
semop(2)	query/modify data item contents
setgroups(2)	modify user session attributes
setspgrp(2)	modify user session attributes
setrlimit(2)	query/modify configuration of service or application
shmat(2)	create association with peer
shmctl(2)	query/modify data item attributes
shmdt(2)	terminate association with peer
shmget(2)	create data item
stat(2)	query data item attributes
statfs(2)	query configuration of service or application
symlink(2)	modify data item attributes
system(2)	invoke a service or application
umount(2)	terminate a service or application
unlink	modify data item attributes
utimes	modify data item attributes
vfork(2)	invoke service or application
vtrace(2)	invoke service or application
/usr/sbin/allocate	enable or disable devices
/usr/sbin/halt	shutdown system
/usr/sbin/inetd	create an association with a peer
/usr/sbin/in.ftpd	creat an association with a peer
/usr/bin/login	create user session
/usr/lib/nfs/mountd	modify configuration of service or application
/usr/bin/passwd	modify account attributes
/usr/sbin/reboot	start system
/usr/sbin/in.rshd	or create user session
/usr/bin/su	modify user session attributes

IEEE P1003.1e -- Protection, Audit and Control Interfaces

This table maps the audit events defined in IEEE P1003.1e Draft 15 with the generic XDAS events.

P1003.1e Audit Event XDAS-API Event
AUD_AET_AUD_SWITCH Configure audit service
AUD_AET_AUD_WRITE access to other services
AUD_AET_CHDIR modify processing context
AUD_AET_CHMOD modify data item attributes
AUD_AET_CHOWN modify data item attributes
AUD_AET_CREAT create a data item
AUD_AET_DUP create association with a data item
AUD_AET_EXEC invoke service or application
AUD_AET_EXIT terminate service or application
AUD_AET_FORK invoke service or application
AUD_AET_KILL terminate service or application
AUD_AET_LINK modify data item attributes
AUD_AET_MKDIR create data item
AUD_AET_MKFIFO create data item
AUD_AET_OPEN create association with data item
AUD_AET_PIPE create data item
AUD_AET_RENAME modify data item contents
AUD_AET_RMDIR delete data item
AUD_AET_SETGID modify user session attributes
AUD_AET_SETUID modify user session attributes
AUD_AET_UNLINK modify data item attributes
AUD_AET_UTIME modify data item attributes
AUD_AET_ACL_DELETE_DEF_FILE modify data item attributes
AUD_AET_ACL_SET_FD modify data item attributes
AUD_AET_ACL_SET_FILE modify data item attributes
AUD_AET_CAP_SET_FD modify data item attributes
AUD_AET_CAP_SET_FILE modify data item attributes
AUD_AET_CAP_SET_PROC modify processing context
AUD_AET_INF_SET_FD modify data item attributes
AUD_AET_INF_SET_FILE modify data item attributes
AUD_AET_INF_SET_PROC modify processing context
AUD_AET_MAC_SET_FD modify data item attributes
AUD_AET_MAC_SET_FILE modify data item attributes
AUD_AET_MAC_SET_PROC modify processing context

P1003.1e Audit Event	XDAS-API Event
AUD_AET_AUD_SWITCH	Configure audit service
AUD_AET_AUD_WRITE	access to other services
AUD_AET_CHDIR	modify processing context
AUD_AET_CHMOD	modify data item attributes
AUD_AET_CHOWN	modify data item attributes
AUD_AET_CREAT	create a data item
AUD_AET_DUP	create association with a data item
AUD_AET_EXEC	invoke service or application
AUD_AET_EXIT	terminate service or application
AUD_AET_FORK	invoke service or application
AUD_AET_KILL	terminate service or application
AUD_AET_LINK	modify data item attributes
AUD_AET_MKDIR	create data item
AUD_AET_MKFIFO	create data item
AUD_AET_OPEN	create association with data item
AUD_AET_PIPE	create data item
AUD_AET_RENAME	modify data item contents
AUD_AET_RMDIR	delete data item
AUD_AET_SETGID	modify user session attributes
AUD_AET_SETUID	modify user session attributes
AUD_AET_UNLINK	modify data item attributes
AUD_AET_UTIME	modify data item attributes
AUD_AET_ACL_DELETE_DEF_FILE	modify data item attributes
AUD_AET_ACL_SET_FD	modify data item attributes
AUD_AET_ACL_SET_FILE	modify data item attributes
AUD_AET_CAP_SET_FD	modify data item attributes
AUD_AET_CAP_SET_FILE	modify data item attributes
AUD_AET_CAP_SET_PROC	modify processing context
AUD_AET_INF_SET_FD	modify data item attributes
AUD_AET_INF_SET_FILE	modify data item attributes
AUD_AET_INF_SET_PROC	modify processing context
AUD_AET_MAC_SET_FD	modify data item attributes
AUD_AET_MAC_SET_FILE	modify data item attributes
AUD_AET_MAC_SET_PROC	modify processing context

Table: Mapping of IEEE P1003.1e Audit Events to XDAS Generic Audit Events

Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.

Contents

Next section

Index