Previous section.

Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

DAS Usage Model

The XDAS comprises both operational and management services. The operational XDAS services are those available to applications in support of the logging of audit records. The management services support the configuration and management of audit events, the audit service itself, as well as providing interfaces for the analysis of audit records.

The XDAS places a dependency on an Event Management Service such that the intermediate event management components do not modify the filtering or routing of audit events, thereby ensuring that an audit alarm, for example, is not filtered out part way to its destination

Operational services include:

Management services include:

Authorization Policy

The authorization policy inherent in the XDAS-API is defined on the principle of the separation of duties. The granting of XDAS authorities is under the control of authorization security services. The following XDAS authorities have been defined:

XDAS_AUDIT_SERVICE
required to initialize a session with the XDAS audit service.

XDAS_AUDIT_SUBMIT
for using the audit logging interfaces of the Audit Event Service Client.

XDAS_AUDIT_IMPORT
required to import audit events records from a domain specific audit service.

XDAS_AUDIT_CONTROL
for use of the Audit Event Management APIs.

XDAS_AUDIT_READ
for access to the Audit Read API.

Each interface specification includes the XDAS authority required to be possessed by a caller in order to utilize the interface. The mechanism for enforcement of the authorization policy is implementation specific. Support is included in this specification for the initialization of a session between a caller and the XDAS service whereby the identity of the caller can be authenticated and appropriate authorization attributes established.

General Audit Service API

Initialize Session

Initialize a session with the XDAS. This call will fail unless the caller possesses at least one XDAS authority.

Terminate Session

Terminate a session with the XDAS

All callers must initiate a session with the XDAS before they can use any of the services it provides. The initialization of the session supports the mutual authentication of the audit client and audit service components and establishes the audit client's XDAS authorities The caller is returned a handle to the XDAS service which is then used for all XDAS API functions. On completion, the caller must terminate the XDAS session.

The behaviour if a client dies or exits without calling terminate session is implementation defined. An implementation may take specific action to try and detect and terminate such sessions itself to address any potential denial of service risks.

Audit Event Service Client API

Start Record

Allocate and initialize an audit record descriptor. The return from this indicates to the caller whether the event requires auditing or not under the current filtering criteria.

Put Event Information

Add event specific information to the initialized audit record

Commit Record

Write the audit record to the audit log

Discard Record

Discard the audit record

Time Stamp Record

Control the time at which the record is timestamped

Callers submit security relevant events to the Audit Event Service Client API. The functions build the record from the information given by the caller and from the processing environment. The interfaces cover the creation, filling and committing of an audit record to the audit trail.

Audit Log Import API

Import_Event_Records

This function supports the import to XDAS by another audit service of multiple audit event records formatted in the XDAS common audit event record format.

This service permits domain specific audit services to import their own audit records into the XDAS service for consolidation and analysis at the distributed system level. Only callers with the XDAS_AUDIT_IMPORT authority are permitted to use this function.

Audit Event Management API

Create Filter

Create or modify an audit filter defining the selection criteria and the action to be taken on detection.

List Filters

Get a list of the names of filters which have been defined

Release Filter List

Release the list of filter names returned by List Filters

Get Filter

Get the specified audit filter

Delete Filter

Delete the specified audit filter

Enable Filter

Enable the specified filter

Disable Filter

Disable the specified filter

The Audit Event Management API provides the means whereby the Audit Event Discrimination Service and the Audit Event Disposition Service are configured. Only callers with the XDAS_AUDIT_CONTROL authority are permitted to use these interfaces.

Audit Read API

Open Audit Stream

Open the XDAS audit stream for read

Rewind Audit Stream

Rewind the audit stream

Close Audit Stream

Close the XDAS audit stream

Get Next

Read the next set of audit records from the specified audit trail into buffer. The caller supplies the buffer length and the maximum number of records to be returned. The implementation may return as many records as will fit into the buffer up to the specified maximum. The caller can then parse the buffer to extract individual records.

The Audit Read API is used to extract records from the XDAS audit stream for analysis. The interface supports the copying of a record into a buffer where the contents may be examined by the caller. The interfaces are available to privileged callers who possess the XDAS_AUDIT_READ authority.

Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.

Contents Next section Index