Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group
The purpose of security audit services is to provide support for:
principle of accountability, that is holding users of a system
accountable for their actions within the system, and
detection of security policy violations, that is the detection of
attempts by unauthorized
individuals to access the system and of attempts by authorized users to
misuse their access to the system.
Many components of distributed systems now include some form of security
auditing or event logging capability whereby the component records
events deemed to have security relevance within the domain of that
component. These services are provided via component specific interfaces and
use component specific audit record formats.
However, within distributed systems security relevant activity is not isolated
within individual components but spans many components. For example, an
intrusion attempt may be made via multiple entry points to the
distributed system. Such attempts are not necessarily focused through
single points of entry. Also the purpose of a distributed system is to
enable the end-users of the system to utilize the resources of
components throughout the system and not just those of their local
Within a distributed system it is therefore necessary to monitor
activity across and between components. This is made difficult by the
current component specific approaches. It is not easy to compare activity
across system components when the events monitored and the record
formats may be different. It is especially difficult to do this in a
timely manner to detect and respond to intrusion attempts.
The objective of the XDAS specification is to define:
a set of generic events of relevance at a global distributed system
level. For example, end-user system sign-on and the initiation and
termination of communication sessions.
a common portable audit record format to facilitate the merging and
analysis of audit information from multiple components at the
distributed system level.
an API for use by applications to submit events to XDAS.
an API to import audit data from existing component specific audit
services to XDAS.
an API to configure event preselection criteria for event submission to
an API to read records from a XDAS audit trail
service is intended to be a complement to existing system component specific
audit services, not to replace them.
audit services are also likely to handle events, and a level of detail,
that may be irrelevant
at the global level of XDAS.
Interfaces are supported for use by four different types of applications:
an API to submit events to the audit service, for use by applications
that generate audit records and use XDAS to log such events.
an API and a common audit event record format for use by existing
component specific audit services to import
audit records into the XDAS audit stream for distributed system level
an API to support the configuration of event preselection criteria and
event disposition actions, for use by XDAS audit event management
an API together with a common audit event record format, for use by Audit Log
The XDAS-API provides the following benefits:
Application developers have a common API, a generic
set of audit events, and a common audit format regardless of
the platform on which the XDAS service is running. This is of benefit to
the developers of both applications that detect and wish to record
security relevant events and of applications that analyze audit events.
Platform and application infrastructure vendors are able to support the
needs of users at the distributed
system level within a heterogeneous environment without the necessity to
re-engineer their current operating system or application specific audit service
implementations, perhaps with resulting performance implications.
End-user organizations benefit through increased effectiveness in
enforcing individual accountability within a distributed environment.
The following business requirements for a distributed audit service
have been identified. They are detailed in full
in this section to convey the overall service context that XDAS is intended
to be capable of supporting. The current scope of the XDAS specification is
not intended to encompass all these requirements but to provide a basic
level of service on which the more complete requirements may be eventually satisfied
by developing applications to utilize the XDAS functions.
The requirements are grouped according to
audit event services, audit service management, audit event management,
audit log management
and audit event enquiry facilities.
Audit Event Services
Security events are detected outside the XDAS by an operating system or
applications. The requirements on a distributed audit service are as follows
Handle event records newly generated at the local API level.
Support the preselection of criteria for the
submission of an event, thereby reducing the numbers of audit events
generated and analyzed.
Filter and analyze records for instances or accumulations of pre-determined
security events, and trigger timely notification.
These filters shall be driven by parameters in a standard format.
Three types of event or compound event are identified:
a single record selected by one or more fields
sequences of selected records
timed sequences of records
Generate local alarms.
Generate messages to be passed to the audit service
Take pre-defined action on the occurrence of specific events.
Receive records passed on from another system in a standard format
and re-interpret them in the context of extra information available from
event records arriving from other systems.
Of these requirements, the scope of this XDAS specification provides support for:
The submission of audit events via an API.
The return, via the API, to calling applications of the result of applying
The capability for the definition of basic forms of event disposition
(e.g., log, alarm, action) which can be acted upon by an audit analysis application
to meet the other requirements defined above.
Audit Service Management
The business requirements for the user interface for managing the
audit service are:
Support a consistent management interface.
Integrate the audit system management interface with other elements in
the system management infrastructure, including logs, protocols and
databases and the management of authorizations.
Support both Remote and Local Administration
The XDAS must support role-based decentralized administration, such
that individuals are only presented with the data that apply to their
area of responsibility.
Support both equivalent GUI and command line access so that the functions
are available regardless of the mode of interaction.
None of these requirements are within the scope of this XDAS
specification. However, it does define an API for audit event filter
management and defines an authorization model that can be used to
support role-based access control. This facilitates the development of
management applications to meet the above requirements.
Audit Event Management
The following are requirements on the Audit Event Management interface:
Support the configuration of the disposition of audit alarms, such that
audit events of a specific source and type can be sent to a particular
destination, and to a particular role at that destination to be actioned.
Provide a set of standard calls to modify the parameters which define the
These are used to configure the actions taken by the filtering and
analysis component on each system.
They may be originated by an operator or automatically as a result
of event processing.
Support two types of configuration: static configuration
and dynamic configuration.
With static configuration, the levels of audit data to be
generated are pre-set by operator intervention.
With dynamic configuration, the events or series of events
detected are used to re-configure the filters on the monitor.
Reconfiguration can involve increasing or decreasing the level of
monitoring activity, as deemed appropriate by the analysis of the event
or series of events.
Determine and effect change to the configuration of security
event detection on each of the platforms in a distributed environment.
If several systems are monitored and all have a common requirement
for maintaining a particular level of event logging, then a single
definition should be applied to all.
Be able to record a security event message whenever a change to the configuration
of the event discrimination service is made.
The scope of the XDAS specification does not directly include any of the above
functionality. It is expected that much of this functionality may
eventually be included within implementations. However, interfaces to
event management services are being defined in other specifications,
includes an example of how an XDAS system may be implemented over an
event management service.
This XDAS specification defines an API including functions for the
definition, enabling and disabling of filtering criteria and the
definition of the disposition of events based on those criteria. This
API may be used to develop applications that provide the higher level
services described above.
Audit Log Management
Audit Log Management requirements are:
Log records to a protected audit record repository.
Ensure that the sequence of events recorded is a reflection of what
Thus, any mechanism which generates audit data should incorporate
a header or common set of data which is co-ordinated with
other systems with which it interacts.
The header should contain a minimum set of information describing
the date, time, location, initiator, target, message, etc., of the activity.
Platforms, applications and network services shall have the ability to
add domain specific information to the information set.
The scope of this XDAS specification includes the definition of the
contents of an audit record including the provision for domain specific
information for the purposes of analysis and the exchange and merging of
audit event records. The internal format of audit logs and interfaces
for the management of those logs are not within the scope of this
version of XDAS.
Audit Event Enquiry
The Audit Event Enquiry requirements are:
Define a common format for audit events for use by analysis
A common format for audit events is defined by this XDAS specification.
Functional Scope of XDAS Specification
This subsection summarizes the functions that are within scope and out
of scope for this version of the XDAS specification.
The XDAS provides a set of primitives only, which are used by audit applications.
This version of the XDAS specification provides support for:
The submission of audit events by an application via an API.
The import of audit events from an existing audit service via an API.
The return to calling applications of the result of applying
preselection criteria for both the event submission and event import APIs.
An API for the definition of audit event filters defining preselection criteria
and basic forms of event disposition
(e.g., log, alarm, action) which can be acted upon by a audit analysis
An authorization model that can be used to
support role-based access control. This facilitates the development of
management applications supporting roles and subdivision of duties.
Defines a common format for audit events for use by analysis
applications. This format includes both basic audit information and
provision for domain specific information. This will facilitate the
development of audit analysis applications including the exchange and merging of
audit event records within distributed environments.
Out of Scope
The following facilities and services are deemed to be out of scope.
An implementation of the XDAS needs to meet the following security
Prevent unauthorized recording of audit event records
Prevent unauthorized modification of the audit service configuration
Prevent unauthorized modification of the event detection records.
Prevent unauthorized disclosure of the event records.
Support adequate separation of duties for users.
Provide appropriate measures in dealing with an unauthorized denial of service,
for example, by suspending an offending process, if appropriate.
Protect audit service configuration data.
Protect the audit log and its contents from
any unauthorized modification or deletions.
Protect the audit log by making it accessible only
to principals acting in specific administrative or security roles.
The security requirements shall be met by using underlying distributed
system security services and platform security services, wherever possible.
The following non-functional requirements have been taken as input to this
the XDAS shall be application independent
the XDAS shall not impose a particular placement of access control to
distributed audit services within an operating system kernel
The XDAS shall not constrain future extensibility. Nor shall it
constrain the services of other audit systems, including operating
system and site specific events types and associated data.
Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy
of this publication.