
Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

Parameter Passing Conventions

This chapter describes the data types and constants used by the XDAS functions. It also explains calling conventions for these functions.

Structured Data Types

Wherever these XDAS-API C-bindings describe structured data, only fields that must be provided by all XDAS-API implementations are documented. Individual implementations may provide additional fields, either for internal use within XDAS-API routines, or for use by non-portable applications.

Integer Types

XDAS-API defines the following integer data type:
OM_uint32 32-bit unsigned integer
Where guaranteed minimum bit-count is important, this portable data type is used by the XDAS-API routine definitions. Individual XDAS-API implementations include appropriate typedef definitions to map this type onto a built-in data type.

String Data and Similar Data

Byte Strings

Many of the XDAS-API routines take arguments and return values that describe contiguous multi-byte data. All such data are passed between the XDAS-API and the caller using the xdas_buffer_t data type. This data type is a pointer to a buffer descriptor consisting of a length field, which contains the total number of bytes in the data, and a value field, which contains a pointer to the actual data:
	typedef struct xdas_buffer_desc_struct {
		size_t length;
		void *value;
	} xdas_buffer_desc, *xdas_buffer_t;
Storage for data passed to the application by a XDAS-API routine using the xdas_buffer_t conventions is allocated by the XDAS-API routine. The application may free this storage by invoking the xdas_release_buffer() routine. Unused xdas_buffer_desc objects shall have length set to 0, and value set to NULL.

Character Strings

Certain multi-octet data items may be regarded as UTF-8 character strings as defined in Internet RFC 2044. Character strings are passed between the application and the XDAS-API using the xdas_buffer_t data type, defined earlier.

Opaque

Certain multi-octet data items are considered opaque data types at the XDAS-API, because their internal structure only has significance to the implementation. Examples of such opaque data types are:

audit service handle

This is opaque to the caller and returned to the caller on initialization of a session between the caller and the XDAS audit service. It is subsequently passed as a parameter to each XDAS-API call as a xdas_audit_ref_t data type.

audit stream handle

This is opaque to the caller and is returned to a caller of the xdas_open_audit_stream() function. It is subsequently passed as a parameter to those functions that manipulate an audit stream as a xdas_audit_stream_t data type.

audit record descriptor

This is opaque to the caller and is returned to a caller of the xdas_start_record() function. It is subsequently passed as a parameter to those functions that manipulate an audit record for submission to the XDAS service as a xdas_audit_rec_desc_t data type.

XDAS Audit Event Record Format

The audit event record format is defined as a UTF-8 character encoding in an xdas_buffer_t structure. Fields are delineated with colons (:); where a colon is part of the alphanumeric string, "%" shall be used as the escape character. The character immediately following a "%" is not interpreted. For example, "%%" yields "%", "%:" yields ":", "%%%:" yields "%:". Empty strings are represented by two adjacent separator characters. Note that this is an ordered sequence. The sequence of fields in the XDAS audit event record format is set out below:

Field Type
Header: "HDR"  
<length_in_bytes> Digits 0-9  
<version> Digits 0-9  
<time_offset> Hexadecimal  
<time_uncertainty_interval> Hexadecimal  
<time_uncertainty_indicator> Hexadecimal  
<time_source> Alphanumeric  
<time_zone> Alphanumeric  
<event_number> Hexadecimal  
<outcome> Hexadecimal  
Originator "ORG"  
<org_location_name> Alphanumeric  
<org_location_address> Alphanumeric  
<org_service-type> Alphanumeric  
<org_auth_authority> Alphanumeric  
<org_principal_name> Alphanumeric  
<org_principal_id> Alphanumeric  
Initiator "INT"  
<int_auth_authority> Alphanumeric  
<int_domain_specific_name> Alphanumeric  
<int_domain_specific_id> Alphanumeric  
Target "TGT"  
<tgt_location_name> Alphanumeric  
<tgt_location_address> Alphanumeric  
<tgt_service-type> Alphanumeric  
<tgt_auth_authority> Alphanumeric  
<tgt_principal_name> Alphanumeric  
<tgt_principal_id> Alphanumeric  
Source "SRC"  
<pointer_to_source_domain> Alphanumeric  
Event "EVT"  
<event_specific_information> Alphanumeric  
End "END"  

The strings HDR, ORG, INT, TGT, SRC and EVT are included to support syntax checking. All fields shall be included in the audit record, with separators, even if they are empty (e.g., ::). The following structure is defined for returning an audit event record:

	typedef struct xdas_audit_record_desc_struct {
		const OM_uint32 record_number;
		OM_uint32 length;
		OM_uint32 version;
		OM_uint32 time_offset;
		OM_uint32 time_uncertainty_interval;
		OM_uint32 time_uncertainty_indicator;
		xdas_buffer_t *time_source;
		xdas_buffer_t *time_zone;
		OM_uint32 event_number;
		OM_uint32 outcome;
		xdas_buffer_t *org_location_name;
		xdas_buffer_t *org_location_address;
		xdas_buffer_t *org_service_type;
		xdas_buffer_t *org_auth_authority;
		xdas_buffer_t *org_principal_name;
		xdas_buffer_t *org_principal_identity;
		xdas_buffer_t *int_auth_authority;
		xdas_buffer_t *int_principal_name;
		xdas_buffer_t *int_principal_identity;
		xdas_buffer_t *tgt_location_name;
		xdas_buffer_t *tgt_location_address;
		xdas_buffer_t *tgt_service_type;
		xdas_buffer_t *tgt_auth_authority;
		xdas_buffer_t *tgt_principal_name;
		xdas_buffer_t *tgt_principal_identity;
		xdas_buffer_t *source_reference;
		xdas_buffer_t *event_info;
	} xdas_audit_record_desc, *xdas_audit_record_t;

The components of the audit record structure are:

length

The length in bytes of the retrieved record.

version

The version number of the XDAS service that created the audit record.

time_offset

The time at which the audit record was committed or was timestamped by a specific function call.

time_uncertainty_interval

The interval of time by which the time recorded for this event is uncertain.

time_uncertainty_indicator

The percentage of confidence in the time_uncertainty_interval.

time_source

The name or address of the source of the time recorded for this event.

time_zone

The time zone applicable to the domain in which the event occurred.

event_number

The event number defining the type of event.

outcome

The outcome code recorded for the event.

org_location_name

The name of the location of the originator domain.

org_location_address

The address of the location of the originator domain.

org_service_type

The service type of the originator domain.

org_auth_authority

The name of the authentication authority for the originator principal.

org_principal_name

The name of the originator principal.

org_principal_identity

The identity of the originator principal.

int_auth_authority

The name of the authentication authority for the initiator principal.

int_principal_name

The name of the initiator principal.

int_principal_identity

The identity of the initiator principal.

tgt_location_name

The name of the location of the target domain.

tgt_location_address

The address of the location of the target domain.

tgt_service_type

The service type of the target domain.

tgt_auth_authority

The name of the authentication authority for the target principal.

tgt_principal_name

The name of the target principal.

tgt_principal_identity

The identity of the target principal.

source_reference

For an imported record, the pointer to the original record within the originating domain.

event_info

The event specific information recorded for the record.
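The colon-delimited record text defined under XDAS Audit Event Record Format can be checked mechanically. The following C code is an added example, not code from the XDAS specification: it escapes values on the writer side, splits a record on unescaped colons on the reader side, and uses the fixed positions of HDR, ORG, INT, TGT, SRC, EVT and END for syntax checking. The function names, the 128-byte field cap, the NUL-terminated input, the absence of a trailing colon after END and the sample records are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define XDAS_REC_FIELDS 33  /* 7 section identifiers + 26 data fields */
#define XDAS_FIELD_MAX 128  /* per-field cap, an assumption of this example */

enum { REC_OK = 0, REC_BAD_ESCAPE = -1, REC_FIELD_TOO_LONG = -2,
       REC_FIELD_COUNT = -3, REC_BAD_MARKER = -4 };

/* Position of each section identifier in the ordered field sequence. */
static const struct { int idx; const char *tag; } xdas_markers[] = {
    {0, "HDR"}, {10, "ORG"}, {17, "INT"}, {21, "TGT"},
    {28, "SRC"}, {30, "EVT"}, {32, "END"}
};

static char xdas_fields[XDAS_REC_FIELDS][XDAS_FIELD_MAX];
static char xdas_escbuf[2 * XDAS_FIELD_MAX];

/* Constructed sample record; every value is invented for this example.
 * The initiator name "mallory:admin" is stored escaped as "mallory%:admin". */
static const char xdas_sample[] =
    "HDR:230:1:35A4E900:0:0:ntp.example.org:EST5EDT:01000007:00000202:"
    "ORG:host1:192.0.2.10:login:krb.example.org:sshd:0:"
    "INT:krb.example.org:mallory%:admin:1001:"
    "TGT:host1:192.0.2.10:login:krb.example.org:root:0:"
    "SRC::"
    "EVT:bad password:END";

/* The same record as emitted by a writer that did not escape the name. */
static const char xdas_sample_unescaped[] =
    "HDR:230:1:35A4E900:0:0:ntp.example.org:EST5EDT:01000007:00000202:"
    "ORG:host1:192.0.2.10:login:krb.example.org:sshd:0:"
    "INT:krb.example.org:mallory:admin:1001:"
    "TGT:host1:192.0.2.10:login:krb.example.org:root:0:"
    "SRC::"
    "EVT:bad password:END";

/* Writer side: prefix ':' and '%' with '%' so a value cannot add a field
 * boundary. Returns a static buffer, or NULL if the value does not fit. */
const char *xdas_example_escape(const char *in)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        if (o + 3 > sizeof xdas_escbuf) return NULL; /* "%c" plus NUL */
        if (*in == ':' || *in == '%') xdas_escbuf[o++] = '%';
        xdas_escbuf[o++] = *in;
    }
    xdas_escbuf[o] = '\0';
    return xdas_escbuf;
}

/* Reader side: split on unescaped ':', undo '%' escapes into xdas_fields,
 * then check the field count and the section identifiers. */
int xdas_example_parse(const char *rec)
{
    int field = 0;
    size_t o = 0;
    for (size_t i = 0; rec[i] != '\0'; i++) {
        char c = rec[i];
        if (c == ':') {                      /* unescaped separator */
            xdas_fields[field][o] = '\0';
            if (++field >= XDAS_REC_FIELDS) return REC_FIELD_COUNT;
            o = 0;
            continue;
        }
        if (c == '%') {                      /* next character is literal */
            c = rec[++i];
            if (c == '\0') return REC_BAD_ESCAPE;
        }
        if (o + 1 >= XDAS_FIELD_MAX) return REC_FIELD_TOO_LONG;
        xdas_fields[field][o++] = c;
    }
    xdas_fields[field][o] = '\0';
    if (field != XDAS_REC_FIELDS - 1) return REC_FIELD_COUNT;
    for (size_t m = 0; m < sizeof xdas_markers / sizeof xdas_markers[0]; m++)
        if (strcmp(xdas_fields[xdas_markers[m].idx], xdas_markers[m].tag) != 0)
            return REC_BAD_MARKER;
    return REC_OK;
}

/* Returns field idx of a record, or NULL if the record fails validation. */
const char *xdas_example_field(const char *rec, int idx)
{
    if (idx < 0 || idx >= XDAS_REC_FIELDS || xdas_example_parse(rec) != REC_OK)
        return NULL;
    return xdas_fields[idx];
}

int main(void)
{
    printf("escaped sample:   %d\n", xdas_example_parse(xdas_sample));
    printf("initiator name:   %s\n", xdas_example_field(xdas_sample, 19));
    printf("unescaped sample: %d\n", xdas_example_parse(xdas_sample_unescaped));
    return 0;
}
```

Because every field is mandatory and the section identifiers sit at fixed positions, an unescaped colon in a name shifts the sequence and the record is rejected instead of being read with the wrong field boundaries.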

XDAS Name String Syntax

An XDAS name used within an XDAS audit event record consists of an ordered list of zero or more components. This is termed a composite name. Each component is a string name from the namespace of a single naming system and uses the naming syntax of that naming system. A component may be an atomic or a compound name from that namespace.

A composite name is the concatenation of the components of the name from left to right with the XDAS component separator character ('/') separating each component.

Encoding of XDAS Composite Name Strings

Special characters used in the XDAS composite name syntax, such as the component separator or escape characters, have the same encoding as they would in UTF-8.

The minimum requirement for all XDAS implementations is to support UTF-8 for communication of name strings.

Backus-Naur Form (BNF) of XDAS Composite Names

This section defines the standard string form of XDAS composite names in BNF. Note that all the characters of the string representation of one name must uniformly use the same encoding and locale information.

The notations used are as follows:

Symbol Meaning
::= Is defined to be
| Alternatively
<text> Non-terminal element
"" Literal expression
* The preceding syntactic unit can appear 0 or more times.
+ The preceding syntactic unit can appear 1 or more times.
{} The enclosed syntactic units are grouped as a single syntactic unit (can be nested).

The XDAS composite name syntax in BNF is as follows.

NULL ::=
// Empty set

<PCS> ::=
// Portable Character Set
// The set consists of the glyphs:
// !"#$%&'()*+,-./0123456789:;<=>?
// @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
// `abcdefghijklmnopqrstuvwxyz{|}~

<CharSet> ::=
<PCS>
| Characters from the repertoire of a string representation

<EscapeChar> ::=
%

<ComponentSep> ::=
/

<Quote1> ::=
"

<Quote2> ::=

<MetaChar> ::=
<EscapeChar> | <ComponentSep>

<SimpleChar> ::=
// any character from <CharSet> with <ComponentSep>, <Quote1>,
// and <Quote2> excluded. An <EscapeChar> <MetaChar>, or
// <EscapeChar> <Quote1>, or <EscapeChar> <Quote2> is
// substituted by the corresponding unescaped character and
// is equivalent to a <SimpleChar>.

<Component> ::=
<SimpleChar>*
| <SimpleChar>+ {<Quote1> | <Quote2> | <SimpleChar>}*
| <Quote1> <CharSet>* {<EscapeChar><Quote1>}* <CharSet>* <Quote1>
// <CharSet> must not contain unescaped <Quote1>
// (note that <Quote2> can appear unescaped)
| <Quote2> <CharSet>* {<EscapeChar><Quote2>}* <CharSet>* <Quote2>
// <CharSet> must not contain unescaped <Quote2>
// (note that <Quote1> can appear unescaped)

<CompositeName> ::=
NULL
| <Component> {<ComponentSep> <Component>}*

Time Zone Field

The format of the time_zone field in the XDAS audit record is as defined in the Single UNIX Specification. It is repeated here for information.

	std offset [dst [offset] [rule]] 


Where:
Note:
Where a ':' character is used within the timezone definition then it will need to be escaped by the '%' character when inserted into the timezone field in an audit record.

Filters

XDAS audit event filters are created using the function ().

Filter Expressions

Filters are used to set the criteria for preselecting events to be recorded, or for selecting records to be imported from an audit stream.

A filter expression is defined as a xdas_buffer_t data type containing UTF-8 characters. It is a sequence of variable length fields, separated by a ":" delimiter, as set out below. Note that if a colon is part of an alphanumeric string, then it shall be escaped. (See XDAS Audit Event Record Format.) The format for a single filter expression is set out below:

Field
Include/Exclude Flag  
Attribute  
Operator  
Value  

The Include/Exclude flag, Attribute and Operator fields are the manifest names defined in XDAS Filter Flags, XDAS Filter Attributes and XDAS Filter Operators. The value field is an unspecified string.

A filter may be defined with a list of filter expressions which shall be evaluated in the sequence in which they are listed. The intention is that a subsequent expression may define exceptions to a previous expression. Thus an expression may exclude a set of events based on event class, but a subsequent expression, based on event number, may specifically include a subset of the events otherwise excluded by reference to event class.
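The ordering rule above decides which events reach the audit stream, so it is worth seeing with concrete values. The following C code is an added example, not part of the XDAS specification: it evaluates a list of expressions in sequence and lets the last matching expression decide. It assumes the expressions are already decoded into a hypothetical example_filter_expr struct with a numeric value, models only the XDAS_EVENT_NUMBER and XDAS_OUTCOME attributes, treats XDAS_O_BT as a non-zero bitwise AND, and takes the result for an event that matches no expression as a caller-supplied default.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Manifest values taken from the tables on this page. */
enum { XDAS_C_INCLUDE = 1, XDAS_C_EXCLUDE = 2 };
enum { XDAS_EVENT_NUMBER = 7, XDAS_OUTCOME = 8 };
enum { XDAS_O_EQ = 1, XDAS_O_NE, XDAS_O_GT, XDAS_O_LT,
       XDAS_O_GE, XDAS_O_LE, XDAS_O_BT, XDAS_O_SS };
#define XDAS_AE_DELETE_ACCOUNT 0x01000002u
#define XDAS_AE_CREATE_SESSION 0x01000007u
#define XDAS_OUT_SUCCESS 0x00000000u
#define XDAS_OUT_INVALID_USER_CREDENTIALS 0x00000402u

/* Hypothetical decoded form of one "flag:attribute:operator:value" expression. */
typedef struct {
    int flag;
    int attribute;
    int op;
    uint32_t value;
} example_filter_expr;

/* Drop successful events, except that account deletion is always recorded. */
static const example_filter_expr example_policy[] = {
    {XDAS_C_EXCLUDE, XDAS_OUTCOME, XDAS_O_EQ, XDAS_OUT_SUCCESS},
    {XDAS_C_INCLUDE, XDAS_EVENT_NUMBER, XDAS_O_EQ, XDAS_AE_DELETE_ACCOUNT},
};

/* Same two expressions in the opposite order: the exception is now overridden. */
static const example_filter_expr example_policy_reversed[] = {
    {XDAS_C_INCLUDE, XDAS_EVENT_NUMBER, XDAS_O_EQ, XDAS_AE_DELETE_ACCOUNT},
    {XDAS_C_EXCLUDE, XDAS_OUTCOME, XDAS_O_EQ, XDAS_OUT_SUCCESS},
};

static int example_expr_matches(const example_filter_expr *e,
                                uint32_t event_number, uint32_t outcome)
{
    uint32_t a;
    switch (e->attribute) {
    case XDAS_EVENT_NUMBER: a = event_number; break;
    case XDAS_OUTCOME:      a = outcome;      break;
    default: return 0;                 /* attribute not modelled here */
    }
    switch (e->op) {
    case XDAS_O_EQ: return a == e->value;
    case XDAS_O_NE: return a != e->value;
    case XDAS_O_GT: return a >  e->value;
    case XDAS_O_LT: return a <  e->value;
    case XDAS_O_GE: return a >= e->value;
    case XDAS_O_LE: return a <= e->value;
    case XDAS_O_BT: return (a & e->value) != 0;  /* assumed meaning */
    default: return 0;                 /* XDAS_O_SS needs string values */
    }
}

/* Index of the last expression that matches the event, or -1 if none does.
 * Keeping the index lets a reviewer see which rule decided the outcome. */
int example_deciding_rule(const example_filter_expr *list, size_t n,
                          uint32_t event_number, uint32_t outcome)
{
    int last = -1;
    for (size_t i = 0; i < n; i++)
        if (example_expr_matches(&list[i], event_number, outcome))
            last = (int)i;
    return last;
}

/* Returns 1 if the event is selected for recording, 0 if it is dropped. */
int example_filter_selects(const example_filter_expr *list, size_t n,
                           uint32_t event_number, uint32_t outcome,
                           int default_include)
{
    int r = example_deciding_rule(list, n, event_number, outcome);
    if (r < 0)
        return default_include;
    return list[r].flag == XDAS_C_INCLUDE;
}

int main(void)
{
    printf("successful session, policy:          %d\n",
           example_filter_selects(example_policy, 2, XDAS_AE_CREATE_SESSION,
                                  XDAS_OUT_SUCCESS, 1));
    printf("successful delete, policy:           %d\n",
           example_filter_selects(example_policy, 2, XDAS_AE_DELETE_ACCOUNT,
                                  XDAS_OUT_SUCCESS, 1));
    printf("successful delete, reversed policy:  %d\n",
           example_filter_selects(example_policy_reversed, 2,
                                  XDAS_AE_DELETE_ACCOUNT, XDAS_OUT_SUCCESS, 1));
    return 0;
}
```

Reordering the same two expressions silently drops successful account deletions, so a filter list should be reviewed as an ordered whole rather than expression by expression.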

Filter Actions

A filter may also define the disposition of an event submitted to, or imported to the XDAS service.

A filter action is defined as a xdas_buffer_t data type containing UTF-8 characters. It is a sequence of variable length fields, separated by a ":" delimiter, as set out below. Note that if a colon is part of an alphanumeric string, then it shall be escaped. (See XDAS Audit Event Record Format.) The format for a single filter expression is set out below:

Field
Action Mask  
Text String  

The components of the action mask are the manifest names defined in XDAS Action Masks. The format of the text string is implementation defined.

A filter may be defined with a list of filter actions which shall be executed in the sequence in which they are listed.

Status Values

One or more status codes are returned by each XDAS-API routine. Two distinct sorts of status code are returned. These are termed XDAS status codes and minor status codes. An implementation of XDAS functions shall return [XDAS_S_COMPLETE] and other status values appropriate for the implementation of the function. The characteristics of a particular implementation may make some status returns inappropriate for that implementation.

XDAS Status Codes

XDAS-API routines return XDAS status codes as their OM_uint32 function value. These codes indicate major status errors that are independent of the underlying mechanism used to provide the security service. A XDAS status code can indicate a single fatal generic API error from the routine error and a single calling error. These errors are encoded into the 32-bit XDAS status code as illustrated in Status Code.
Figure: Status Code
Hence if a XDAS-API routine returns a XDAS status code containing a non-zero value, the call failed. If the Calling Error field is non-zero, the invoking application's call of the routine was erroneous. Calling errors are defined in Calling Errors. If the Routine Error field is non-zero, the routine failed for one of the routine-specific reasons listed in Routine Errors.

Name Value in Field Meaning
[XDAS_S_CALL_INACCESSIBLE_READ] 1 A required input argument cannot be read.  
[XDAS_S_CALL_INACCESSIBLE_WRITE] 2 A required output argument cannot be written.  
[XDAS_S_CALL_BAD_STRUCTURE] 3 An argument is malformed.  

Table: Calling Errors

Name Value in Field Meaning
[XDAS_S_COMPLETE] 0 Successful completion.
[XDAS_S_AUTHORIZATION_FAILURE] 1 The caller does not possess the required authority.
[XDAS_S_BUFF_TOO_SMALL] 2 The buffer allocated by the caller is too small to hold a single audit record.
[XDAS_S_END] 3 The end of the audit stream has been reached.
[XDAS_S_FAILURE] 4 An implementation specific error or failure has occurred.
[XDAS_S_INCOMPLETE_RECORD] 5 The audit record has not been fully populated by the caller.
[XDAS_S_INVALID_ACTION_LIST] 6 The action list supplied is not valid.
[XDAS_S_INVALID_AUDIT_STREAM] 7 The audit stream supplied is not valid.
[XDAS_S_INVALID_DAS_REF] 8 The audit service handle supplied does not refer to a valid audit service.
[XDAS_S_INVALID_EVENT_INFO] 9 The specified audit event information is not valid.
[XDAS_S_INVALID_EVENT_NO] 10 The event number supplied is not valid.
[XDAS_S_INVALID_FILTER] 11 The filter name supplied is not valid.
[XDAS_S_INVALID_FILTER_EXPR] 12 The filter expression supplied is not valid.
[XDAS_S_INVALID_FILTER_LIST] 13 The list of filter names supplied is not valid.
[XDAS_S_INVALID_FILTER_TYPE] 14 The filter type supplied is not valid.
[XDAS_S_INVALID_INITIATOR_INFO] 15 The initiator information has a syntax error.
[XDAS_S_INVALID_ORIG_INFO] 16 The originator information has a syntax error.
[XDAS_S_INVALID_OUTCOME] 17 The specified outcome is invalid.
[XDAS_S_INVALID_RECORD_DESCRIPTOR] 18 The specified audit record descriptor is not valid.
[XDAS_S_INVALID_RECORD_NUMBER] 19 The specified audit record number is not valid.
[XDAS_S_INVALID_SECURITY_CONTEXT] 20 The security context supplied is invalid.
[XDAS_S_INVALID_TARGET_INFO] 21 The target information has a syntax error.
[XDAS_S_NO_AUDIT] 22 The event does not need to be audited.
[XDAS_S_NO_DECISION_YET] 23 The audit service has insufficient information to decide if the event requires auditing.
[XDAS_S_NOT_SUPPORTED] 24 The called function is not supported by this implementation.
[XDAS_S_RECORD_SYNTAX_ERROR] 24 A syntax error has been detected in an input record.
[XDAS_S_STORAGE_FAILURE] 25 The audit record cannot be written to stable storage.
[XDAS_S_SERVICE_FAILURE] 26 There has been an audit service failure.

Table: Routine Errors

All [XDAS_S_*] symbols equate to complete OM_uint32 status codes, rather than to bit-field values. For example, the actual value of the symbol [XDAS_S_CALL_BAD_STRUCTURE] (value 3 in the Calling Error field) is 3 << 16. The macros:

XDAS_CALLING_ERROR() XDAS_ROUTINE_ERROR()
shall be provided, each of which takes a XDAS status code and removes all but the relevant field. For example, the value obtained by applying XDAS_ROUTINE_ERROR() to a status code removes the Calling Errors field, leaving only the Routine Errors field. The values delivered by these macros may be directly compared with a [XDAS_S_*] symbol of the appropriate type. The macro XDAS_ERROR() is also provided, which when applied to a XDAS status code returns a non-zero value if the status code indicates a calling or routine error, and a zero value otherwise.

Minor Status Codes

In addition to the function returns, XDAS-API C-language functions return a minor_status argument, which is used to indicate specialised errors from the underlying security mechanism. This argument may contain a single mechanism-specific error, indicated by an OM_uint32 value. It is not expected that portable applications would do anything with this parameter except print out the values for aiding diagnostics. The minor_status argument is always set by a XDAS-API function, even if it returns a calling error or one of the generic API errors indicated above as fatal, although other output arguments may remain unset in such cases. However, output arguments that are expected to return pointers to storage allocated by a function must always be set by the function, even in the event of an error, although in such cases the XDAS-API function may elect to set the returned argument value to NULL to indicate that no storage was actually allocated. Any length field associated with such NULL pointers (as in a xdas_buffer_desc structure) shall be set to zero. The XDAS status code [XDAS_S_FAILURE] is used to indicate that the underlying mechanism detected an error for which no specific XDAS status code is defined. The minor status code provides more details about the error.

Optional Arguments

Various arguments are described as optional. This means that they follow a convention whereby a default value may be requested. The following conventions are used for omitted arguments. These conventions apply only to those arguments that are explicitly documented as optional.

xdas_buffer_t Types (Input or Input,Output)

Specify XDAS_C_NO_BUFFER as a value. For an input argument this signifies that default behaviour is requested, while for an input,output argument it indicates that the information that would be returned by the argument is not required by the application.

Integer Types

Individual argument documentation lists values to be used to indicate default actions. These are passed by value.

Pointer Types

Specify NULL as the value.

Constants

The tables below set out the manifest constants defined by the specification, and the value to which they are set.

Name Value Meaning
XDAS_C_NO_BUFFER NULL No buffer is supplied or returned.

Table: Optional Parameter Constants

Event Record Section Identifiers

These strings are used within an audit event record to mark the beginning and end of sections of data. They are included to support syntax checking.

String Value Purpose
HDR Start of header data  
ORG Start of originator data  
INT Start of initiator data  
TGT Start of target data  
SRC Start of pointer to source record  
EVT Start of event specific data  
END End of record  

Table: XDAS Event Record Section Identifiers

Event Numbers

An event number encodes the identification of an event set as well as the identification of the unique event. A set of event numbers is assigned by the OpenGroup (upon request) to an organization or a vendor. The organization or vendor then has the authority to use event numbers within that set. Conceptually, each event number is a pair (set-id, event-id), where set-id identifies an event set, and the event-id identifies an event within the event set. In practice, each event number must have one of the formats illustrated in Event ID Formats.
Figure: Event ID Formats

Given an event number, its format can be determined from its four high-order bits. Format-A event numbers, which are allocated to organizations such as the OpenGroup itself and major vendors which need more than 16 bits for event-number assignment, devote 7 bits to set-id and 24 bits to event-id. Format-B event numbers are allocated to intermediate-size vendors which need 8 to 16 bits for event-number assignment. Format-C event numbers are allocated to small-size vendors which need less than 8 bits for event number assignments. Format-D event numbers are not administered by the OpenGroup and can be used freely for local security domain-specific events. The use of these event numbers might not be unique across cells and should be avoided by servers which may be installed in more than one cell. Format-E event numbers are reserved for future use.

The following table defines the generic set of XDAS event numbers.

XDAS conforming implementations are required to handle all these defined audit events as valid. An application or system developer that submits or imports security domain specific events to the XDAS service must map those events to these XDAS generic events or register their own set of audit events with the OpenGroup.

Requests to register audit events should be made by sending email to dce-registry@osf.org.

Refer to the following URL for a list of registered events and event classes:

http://www.camb.opengroup.org/tech/rfc/rfc81.2.html

An XDAS implementation is required to document the procedures for configuring additional registered audit events into the XDAS service as valid audit events.

Event Value Description
XDAS_AE_CREATE_ACCOUNT 0x01000001 Create account  
XDAS_AE_DELETE_ACCOUNT 0x01000002 Delete account  
XDAS_AE_DISABLE_ACCOUNT 0x01000003 Disable account  
XDAS_AE_ENABLE_ACCOUNT 0x01000004 Enable account  
XDAS_AE_QUERY_ACCOUNT 0x01000005 Query account attributes  
XDAS_AE_MODIFY_ACCOUNT 0x01000006 Modify account attributes  
XDAS_AE_CREATE_SESSION 0x01000007 Create a user session  
XDAS_AE_TERMINATE_SESSION 0x01000008 Terminate a user session  
XDAS_AE_QUERY_SESSION 0x01000009 Query a user session attributes  
XDAS_AE_MODIFY_SESSION 0x0100000A Modify user session attributes  
XDAS_AE_CREATE_DATA_ITEM 0x0100000B Create data item  
XDAS_AE_DELETE_DATA_ITEM 0x0100000C Delete data item  
XDAS_AE_QUERY_DATA_ITEM_ATT 0x0100000D Query data item attributes  
XDAS_AE_MODIFY_DATA_ITEM_ATT 0x0100000E Modify data item attributes  
XDAS_AE_INSTALL_SERVICE 0x0100000F Install service or application  
XDAS_AE_REMOVE_SERVICE 0x01000010 Remove service or application  
XDAS_AE_QUERY_SERVICE_CONFIG 0x01000011 Query configuration of service or application  
XDAS_AE_MODIFY_SERVICE_CONFIG 0x01000012 Modify configuration of service or application  
XDAS_AE_DISABLE_SERVICE 0x01000013 Disable service or application  
XDAS_AE_ENABLE_SERVICE 0x01000014 Enable service or application  
XDAS_AE_INVOKE_SERVICE 0x01000015 Invoke service or application  
XDAS_AE_TERMINATE_SERVICE 0x01000016 Terminate service or application  
XDAS_AE_QUERY_PROCESS_CONTEXT 0x01000017 Query processing context  
XDAS_AE_MODIFY_PROCESS_CONTEXT 0x01000018 Modify processing context  
XDAS_AE_CREATE_PEER_ASSOC 0x01000019 Create an association with a peer  
XDAS_AE_TERMINATE_PEER_ASSOC 0x0100001A Terminate an association with a peer  
XDAS_AE_QUERY_ASSOC_CONTEXT 0x0100001B Query an association context  
XDAS_AE_MODIFY_ASSOC_CONTEXT 0x0100001C Modify an association context  
XDAS_AE_RECEIVE_DATA_VIA_ASSOC 0x0100001D Receive data via an association  
XDAS_AE_SEND_DATA_VIA_ASSOC 0x0100001E Send data via an association  
XDAS_AE_CREATE_DATA_ITEM_ASSOC 0x0100001F Create association with data item  
XDAS_AE_TERMINATE_DATA_ITEM_ASSOC 0x01000020 Terminate association with data item  
XDAS_AE_QUERY_DATA_ITEM_ASSOC_CONTEXT 0x01000021 Query context of association with data item  
XDAS_AE_MODIFY_DATA_ITEM_ASSOC_CONTEXT 0x01000022 Modify context of association with data item  
XDAS_AE_QUERY_DATA_ITEM_CONTENTS 0x01000023 Query data item contents  
XDAS_AE_MODIFY_DATA_ITEM_CONTENTS 0x01000024 Modify data item contents  
XDAS_AE_START_SYS 0x01000024 Start system  
XDAS_AE_SHUTDOWN_SYS 0x01000025 Shutdown system  
XDAS_AE_RESOURCE_EXHAUST 0x01000026 Resource exhaustion  
XDAS_AE_RESOURCE_CORRUPT 0x01000027 Resource corruption  
XDAS_AE_BACKUP_DATASTORE 0x01000028 Backup datastore  
XDAS_AE_RECOVER_DATASTORE 0x01000029 Recover datastore  
XDAS_AE_AUD_CONFIG 0x0100002A Configure audit service  
XDAS_AE_AUD_DS_FULL 0x0100002B Audit datastore full  
XDAS_AE_AUD_DS_CORR 0x0100002C Audit datastore corrupted  

Table: XDAS Event Numbers

XDAS Event Classes

Similar to event numbers, event-class numbers encode the identification of an event-class set as well as the identification of a unique event class within that set. A set of event-class numbers is assigned (upon request) by the OpenGroup to an organization or a vendor. The organization or vendor then has the authority to use the event-class numbers within that set. Conceptually, each event class number is a pair (set-id, class-id), where set-id identifies an event-class set, and the class-id identifies an event class within the set. In practice, each event-class number must have one of the formats illustrated in Class ID Formats.
Figure: Class ID Formats
Given an event-class number, its format can be determined from its three high-order bits. Format-A class numbers, which are allocated to organizations/vendors which need more than 8 bits for event-class number assignment, devote 14 bits to set-id and 16 bits to class-id. Format-B class numbers are allocated to vendors which do not need more than 8 bits for event-class number assignment. Format-C class numbers are not administered by the OpenGroup and can be used freely for local security domain-specific event classes. Format-D numbers are reserved for future use. Some event classes will be defined by vendors for product-specific events, thus: EC_VendorA_ProductX_EventClass1. Event classes which encompass multiple vendors will be defined by the OpenGroup (e.g., EC_OSF_C2_Configuration), or by security domain administrators who can tailor the definition to satisfy the specific requirements of their security domain. The default set of event classes is listed in the following table. An XDAS implementation is required to treat as valid all these defined event classes.

The set of event classes may be extended by registration with The OpenGroup, in a similar way to event numbers.

An XDAS implementation is required to document the procedures for configuring additional registered audit event classes into the XDAS service as valid audit event classes.

Event Class Value Description
XDAS_AEC_ACCOUNT_MANAGEMENT 0x01000001 Account management events  
XDAS_AEC_USER_SESSION 0x01000002 User session events  
XDAS_AEC_DATA_ITEM_MANAGEMENT 0x01000003 Data item and resource element management events  
XDAS_AEC_SERVICE_MANAGEMENT 0x01000004 Service or application management events  
XDAS_AEC_SERVICE_UTILIZE 0x01000005 Service and application utilization events  
XDAS_AEC_PEER_ASSOC_MANAGEMENT 0x01000006 Peer association management events  
XDAS_AEC_DATA_ITEM_CONTENT_ACCESS 0x01000007 Data item or resource element content access events  
XDAS_AEC_EXCEPTIONAL 0x01000008 Exceptional events  
XDAS_AEC_AUDIT_SERVICE 0x01000009 Audit service management events  

Table: XDAS Default Event Class Codes

XDAS Event Outcome Codes

The XDAS outcome codes are:

Name Value Meaning
[XDAS_OUT_SUCCESS] 0x00000000 Successful Event
[XDAS_OUT_PRIV_USED] 0x00000100 Privilege used  
[XDAS_OUT_PRIV_GRANTED] 0x00000200 Privilege granted  
[XDAS_OUT_PRIV_REVOKED] 0x00000400 Privilege revoked  
[XDAS_OUT_PRESELECT_CRITERIA_SET] 0x00000800 Preselection criteria set or modified  
[XDAS_OUT_THRESHOLDS_SET] 0x00001000 Thresholds set  
[XDAS_OUT_ACTIONS_SET] 0x00002000 Actions set for alarms  
[XDAS_OUT_THRESHOLD_EXCEEDED] 0x00004000 Pre-set thresholds exceeded  
[XDAS_OUT_FAILURE] 0x00000001 Non security relevant failure  
[XDAS_OUT_SERVICE_UNAVAILABLE] 0x00000101 Service not available  
[XDAS_OUT_SERVICE_FAILURE] 0x00000201 Service failure  
[XDAS_OUT_HARDWARE_FAILURE] 0x00000401 Hardware failure or exception condition  
[XDAS_OUT_LOST_ASSOCIATION] 0x00001001 Service, user or device already enabled  
[XDAS_OUT_ALREADY_DISABLED] 0x00002001 Service, user or device already disabled  
[XDAS_OUT_SERVICE_ERROR] 0x00004001 Service returns an error  
[XDAS_OUT_BUSY] 0x00008001 Service or device busy  
[XDAS_OUT_DISABLED] 0x00010001 Service or device disabled  
[XDAS_OUT_INVALID_INPUT] 0x00020001 Input supplied invalid  
[XDAS_OUT_ENTITY_EXISTS] 0x00040001 Attempt to create an entity which already exists  
[XDAS_OUT_ENTITY_NON-EXISTENT] 0x00080001 Attempt to access a non-existent entity  
[XDAS_OUT_DENIAL] 0x00000002 Security relevant failure  
[XDAS_OUT_INSUFFICIENT_PRIVILEGE] 0x00000102 Not sufficient privilege  
[XDAS_OUT_INVALID_IDENTITY] 0x00000202 Identity supplied not valid  
[XDAS_OUT_INVALID_USER_CREDENTIALS] 0x00000402 User credentials supplied are invalid  

Table: XDAS Event Outcome Codes

The outcome codes are structured into sets for SUCCESS, FAILURE, and DENIAL. Multiple codes from within one of these sets may be returned by a single call by combining them using a bitwise OR, but it is not permitted for outcome codes from the different sets to be returned by a single call. That is, multiple SUCCESS codes may be returned by one call, but SUCCESS and FAILURE codes may not be returned by a single call.
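A consumer of audit records can check a combined outcome value against this rule. The following C code is an added example, not part of the XDAS specification: it reads the set from the low-order byte (0 for SUCCESS, 1 for FAILURE, 2 for DENIAL, an inference from the values in the table above, not a statement of the specification) and rejects any value whose remaining bits are not defined for that set. The function and constant names other than the XDAS_OUT_* strings are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { SET_INVALID = -1, SET_SUCCESS = 0, SET_FAILURE = 1, SET_DENIAL = 2 };

/* Names and values copied from the outcome code table on this page. */
static const struct { const char *name; uint32_t value; } example_outcomes[] = {
    {"XDAS_OUT_SUCCESS",                  0x00000000u},
    {"XDAS_OUT_PRIV_USED",                0x00000100u},
    {"XDAS_OUT_PRIV_GRANTED",             0x00000200u},
    {"XDAS_OUT_PRIV_REVOKED",             0x00000400u},
    {"XDAS_OUT_PRESELECT_CRITERIA_SET",   0x00000800u},
    {"XDAS_OUT_THRESHOLDS_SET",           0x00001000u},
    {"XDAS_OUT_ACTIONS_SET",              0x00002000u},
    {"XDAS_OUT_THRESHOLD_EXCEEDED",       0x00004000u},
    {"XDAS_OUT_FAILURE",                  0x00000001u},
    {"XDAS_OUT_SERVICE_UNAVAILABLE",      0x00000101u},
    {"XDAS_OUT_SERVICE_FAILURE",          0x00000201u},
    {"XDAS_OUT_HARDWARE_FAILURE",         0x00000401u},
    {"XDAS_OUT_LOST_ASSOCIATION",         0x00001001u},
    {"XDAS_OUT_ALREADY_DISABLED",         0x00002001u},
    {"XDAS_OUT_SERVICE_ERROR",            0x00004001u},
    {"XDAS_OUT_BUSY",                     0x00008001u},
    {"XDAS_OUT_DISABLED",                 0x00010001u},
    {"XDAS_OUT_INVALID_INPUT",            0x00020001u},
    {"XDAS_OUT_ENTITY_EXISTS",            0x00040001u},
    {"XDAS_OUT_ENTITY_NON-EXISTENT",      0x00080001u},
    {"XDAS_OUT_DENIAL",                   0x00000002u},
    {"XDAS_OUT_INSUFFICIENT_PRIVILEGE",   0x00000102u},
    {"XDAS_OUT_INVALID_IDENTITY",         0x00000202u},
    {"XDAS_OUT_INVALID_USER_CREDENTIALS", 0x00000402u},
};
#define N_OUTCOMES (sizeof example_outcomes / sizeof example_outcomes[0])

/* OR of the bits above the low byte that the table defines for one set. */
uint32_t example_set_mask(int set)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < N_OUTCOMES; i++)
        if ((example_outcomes[i].value & 0xFFu) == (uint32_t)set)
            mask |= example_outcomes[i].value & ~0xFFu;
    return mask;
}

/* Classify a (possibly OR-combined) outcome value.
 * Returns SET_SUCCESS, SET_FAILURE or SET_DENIAL, or SET_INVALID when the
 * low byte is not a known set or a bit is set that the set does not define.
 * Caveat: SUCCESS is set 0, so OR-ing a SUCCESS code into a FAILURE or DENIAL
 * code can yield a value that still looks valid (0x100 | 0x001 == 0x101).
 * The check therefore has to be made where the codes are combined as well. */
int example_outcome_set(uint32_t code)
{
    uint32_t set = code & 0xFFu;
    if (set > 2u)
        return SET_INVALID;
    if ((code & ~0xFFu) & ~example_set_mask((int)set))
        return SET_INVALID;
    return (int)set;
}

int main(void)
{
    static const uint32_t samples[] = {   /* constructed sample values */
        0x00000300u, 0x00008201u, 0x00000003u, 0x00000801u, 0x00000101u
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lX -> set %d\n", (unsigned long)samples[i],
               example_outcome_set(samples[i]));
    return 0;
}
```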

XDAS Filter Types

The XDAS filter types are:

Name Value Meaning
XDAS_C_SUBMIT 1 Filters for event submission interface
XDAS_C_IMPORT 2 Filters for event import interface  

Table: XDAS Filter Types

XDAS Filter Expression Flags

The flags used within filter expressions are:

Name Value Meaning
XDAS_C_INCLUDE 1 Include events matching the following rule
XDAS_C_EXCLUDE 2 Exclude events matching the following rule  

Table: XDAS Filter Flags

XDAS Filter Expression Attributes

The attributes that may be used within filter expressions are:

Name Value  
XDAS_VERSION 1 XDAS Version number
XDAS_TIME_OFFSET 2 Time offset from start of epoch  
XDAS_TIME_UNCERT_INTER 3 Time uncertainty interval  
XDAS_TIME_UNCERT_INDIC 4 Time uncertainty indicator  
XDAS_TIME_SOURCE 5 Source of time  
XDAS_TIME_TIME_ZONE 6 Time Zone  
XDAS_EVENT_NUMBER 7 Event number  
XDAS_OUTCOME 8 Event outcome  
XDAS_ORG_LOC_NAME 9 Originator location name  
XDAS_ORG_LOC_ADD 10 Originator location address  
XDAS_ORG_SERV_TYPE 11 Originator service type  
XDAS_ORG_AUTH_AUTH 12 Originator authentication authority  
XDAS_ORG_PRINC_NAME 13 Originator principal name  
XDAS_ORG_PRINC_IDENTITY 14 Originator principal identity  
XDAS_INT_AUTH_AUTH 15 Initiator authentication authority  
XDAS_INT_PRINC_NAME 16 Initiator principal name  
XDAS_INT_PRINC_IDENTITY 17 Initiator principal identity  
XDAS_TGT_LOC_NAME 18 Target location name  
XDAS_TGT_LOC_ADD 19 Target location address  
XDAS_TGT_SERV_TYPE 20 Target service type  
XDAS_TGT_AUTH_AUTH 21 Target authentication authority  
XDAS_TGT_PRINC_NAME 22 Target principal name  
XDAS_TGT_PRINC_IDENTITY 23 Target principal identity  

Table: XDAS Filter Attributes

XDAS Filter Expression Operators

The operators that may be used within filter expressions are:

Operator Value Meaning
XDAS_O_EQ 1 Equal
XDAS_O_NE 2 Not equal  
XDAS_O_GT 3 Greater than  
XDAS_O_LT 4 Less than  
XDAS_O_GE 5 Greater than or equal  
XDAS_O_LE 6 Less than or equal  
XDAS_O_BT 7 Bitwise test  
XDAS_O_SS 8 Substring  

Table: XDAS Filter Operators

XDAS Action Masks

The XDAS action bit masks used within filter definitions are:

Name Value Meaning
XDAS_ACT_LOG 1 Record in Audit Stream
XDAS_ACT_ALARM 2 Submit event to Event Management System  
XDAS_ACT_ACTION 4 Execute specified command  

Table: XDAS Action Codes
