Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

Introduction

The purpose of security audit services is to provide support for:

Many components of distributed systems now include some form of security auditing or event logging capability whereby the component records events deemed to have security relevance within the domain of that component. These services are provided via component-specific interfaces and use component-specific audit record formats.

However, within distributed systems, security-relevant activity is not isolated within individual components but spans many components. For example, an intrusion attempt may be made via multiple entry points to the distributed system; such attempts are not necessarily focused through a single point of entry. Also, the purpose of a distributed system is to enable the end-users of the system to utilize the resources of components throughout the system, not just those of their local workstation.

Within a distributed system it is therefore necessary to monitor activity across and between components. This is made difficult by the current component-specific approaches: it is not easy to compare activity across system components when the events monitored and the record formats differ. It is especially difficult to do this in a timely enough manner to detect and respond to intrusion attempts.

The objective of the XDAS specification is to define:

This service is intended to be a complement to existing system component specific audit services, not to replace them. Such local audit services are also likely to handle events, and a level of detail, that may be irrelevant at the global level of XDAS.

Interfaces are supported for use by four different types of applications:

The XDAS-API provides the following benefits:

Business Requirements

The following business requirements for a distributed audit service have been identified. They are detailed in full in this section to convey the overall service context that XDAS is intended to be capable of supporting. The current scope of the XDAS specification is not intended to encompass all these requirements but to provide a basic level of service on which the more complete requirements may eventually be satisfied by developing applications that utilize the XDAS functions. The requirements are grouped according to audit event services, audit service management, audit event management, audit log management and audit event enquiry facilities.

Audit Event Services

Security events are detected outside the XDAS by an operating system or by applications. The requirements on a distributed audit service are as follows:

Of these requirements, the scope of this XDAS specification provides support for:

Audit Service Management

The business requirements for the user interface for managing the audit service are:

None of these requirements is within the scope of this XDAS specification. However, it does define an API for audit event filter management and an authorization model that can be used to support role-based access control. This facilitates the development of management applications to meet the above requirements.

Audit Event Management

The following are requirements on the Audit Event Management interface:

The scope of the XDAS specification does not directly include any of the above functionality. It is expected that much of this functionality may eventually be included within implementations. However, interfaces to event management services are being defined in other specifications (see XEMS). XDAS Model includes an example of how an XDAS system may be implemented over an event management service.

This XDAS specification defines an API including functions for the definition, enabling and disabling of filtering criteria and for the definition of the disposition of events based on those criteria. This API may be used to develop applications that provide the higher-level services described above.
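The following is an added illustration, not code from the XDAS specification or from The Open Group, of the two points made above: the Introduction's argument that component-specific record formats make cross-component monitoring hard, and this section's notion of filtering criteria with a disposition attached to each. The common record layout (`AuditRecord` and its fields), the two component-specific log formats, the sample log lines and the disposition names are all constructed for this example and do not represent the XDAS record format.

```python
"""Normalise two component-specific log formats into one common audit record,
merge the streams by time, route records through filters with dispositions,
and run a cross-component check that no single component's log could answer.
All formats, field names and sample lines below are constructed (hypothetical)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class AuditRecord:
    """Constructed common record; not the XDAS record format."""
    time: datetime
    source: str      # component that observed the event
    event: str       # normalised event name
    outcome: str     # "success" or "failure"
    initiator: str   # principal that caused the event
    target: str      # host or resource acted upon


# Constructed sample input: syslog-style lines from an SSH service component
SSH_LINES = [
    "1998-03-01T10:00:01Z sshd[412]: Failed password for alice from 10.0.0.5",
    "1998-03-01T10:00:07Z sshd[412]: Accepted password for bob from 10.0.0.9",
]
# Constructed sample input: CSV-style lines from a web front-end component
WEB_LINES = [
    "1998-03-01T10:00:03Z,login,alice,FAIL,www1",
    "1998-03-01T10:00:05Z,login,alice,FAIL,www2",
]

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_ssh(line: str) -> Optional[AuditRecord]:
    """Map one SSH-style line onto the common record; None for lines we do not understand."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, verdict, user, host = m.groups()
    outcome = "failure" if verdict == "Failed" else "success"
    return AuditRecord(_ts(ts), "sshd", "authenticate", outcome, user, host)


def parse_web(line: str) -> Optional[AuditRecord]:
    """Map one web-style CSV line onto the common record; None for other event kinds."""
    parts = line.split(",")
    if len(parts) != 5 or parts[1] != "login":
        return None
    ts, _, user, result, node = parts
    outcome = "failure" if result == "FAIL" else "success"
    return AuditRecord(_ts(ts), "web", "authenticate", outcome, user, node)


def merge(*streams: Iterable[Optional[AuditRecord]]) -> list[AuditRecord]:
    """Merge already-normalised streams into one time-ordered list, dropping unparsed lines."""
    return sorted((r for s in streams for r in s if r is not None), key=lambda r: r.time)


Filter = Callable[[AuditRecord], bool]


def apply_filters(records: Iterable[AuditRecord],
                  filters: list[tuple[Filter, str]]) -> dict[str, list[AuditRecord]]:
    """Route each record to the disposition of the first matching filter.
    Records matching no filter get the constructed default disposition "discard"."""
    routed: dict[str, list[AuditRecord]] = {}
    for r in records:
        disposition = next((d for f, d in filters if f(r)), "discard")
        routed.setdefault(disposition, []).append(r)
    return routed


def failures_across_components(records: Iterable[AuditRecord],
                               window_seconds: int = 60,
                               min_sources: int = 2) -> dict[str, list[str]]:
    """Return initiators whose authentication failures, within one time window,
    were observed by at least min_sources distinct components."""
    by_user: dict[str, list[AuditRecord]] = {}
    for r in records:
        if r.event == "authenticate" and r.outcome == "failure":
            by_user.setdefault(r.initiator, []).append(r)
    flagged: dict[str, list[str]] = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.time)
        for i, first in enumerate(recs):
            in_window = [x for x in recs[i:]
                         if (x.time - first.time).total_seconds() <= window_seconds]
            sources = {x.source for x in in_window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    merged = merge(map(parse_ssh, SSH_LINES), map(parse_web, WEB_LINES))
    routed = apply_filters(merged, [(lambda r: r.outcome == "failure", "alarm"),
                                    (lambda r: r.event == "authenticate", "log")])
    print({k: len(v) for k, v in routed.items()})
    print(failures_across_components(merged))
```

Neither component's own log shows more than two failures for `alice`; only after normalising both into the common record and merging them does the correlation across `sshd` and `web` become visible, which is the gap the Introduction describes. The filter list models the enable/disable and disposition idea of this section: disabling a criterion is simply removing its tuple from the list.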

Audit Log Management

Audit Log Management requirements are:

The scope of this XDAS specification includes the definition of the contents of an audit record, including provision for domain-specific information for the purposes of analysis and for the exchange and merging of audit event records. The internal format of audit logs and interfaces for the management of those logs are not within the scope of this version of XDAS.

Audit Event Enquiry

The Audit Event Enquiry requirements are:

A common format for audit events is defined by this XDAS specification.

Functional Scope of XDAS Specification

This subsection summarizes the functions that are within scope and out of scope for this version of the XDAS specification.

Within Scope

The XDAS provides only a set of primitives, which are used by audit applications. This version of the XDAS specification provides support for:

Out of Scope

The following facilities and services are deemed to be out of scope.

Security Requirements

An implementation of the XDAS needs to meet the following security requirements:

The security requirements shall be met by using underlying distributed system security services and platform security services, wherever possible.

Non-functional Requirements

The following non-functional requirements have been taken as input to this specification: