
Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

XDAS Model

Introduction

Figure: Distributed Audit Service Interfaces

In the figure above, the shaded boxes identify the APIs supported by this version of the XDAS specification. The boxes labelled "Common Format" indicate the APIs at which the common format defined in this specification is exposed.

The XDAS Audit Service provides an API to support:

The Distributed Audit Service model discussed in this section is illustrated in the figure above. This is a logical representation and does not reflect a particular physical architecture. It comprises the following components:

Security Event Detection Service

The Security Event Detection Service resides in the callers of the XDAS Audit Event Service Client API (shown in the diagram as applications 1 and 2). An application is responsible for detecting security-relevant activity in the context of its own security domain and for generating an audit event record that contains a description of the activity and information about the security context. An application reports the events it detects via the Audit Event Service Client API.

Audit Event Import Service

Many domains, in particular operating systems, provide their own audit service designed to meet the domain's specific needs in terms of event types and the information recorded about an event. The Audit Event Import Service provides for the import of audit events from a domain-specific log so that they can be merged with XDAS audit information into a time-ordered sequence of records, supporting analysis of audit events across domains. To use the import service, a security domain needs to provide a facility that translates its own audit records into the XDAS common audit event record format.
Note:
The translation to the XDAS common audit event record format does not necessarily preserve all information in the original audit record. The XDAS common audit event record format includes information that can be used to locate the original record within the originating domain's audit trail.

Audit Event Discrimination Service

The Audit Event Discrimination Service discriminates all incoming events against pre-set criteria which are configured via the Audit Event Management Service. Those which do not meet the criteria are ignored. Those which do are passed to the Audit Event Disposition Service.

Audit Event Disposition Service

The Audit Event Disposition Service receives security relevant events from the Audit Event Discrimination Service. Based upon configuration data, the audit disposition service invokes one or more of the following services:

The figure emphasizes that the Event Discrimination Service and Event Disposition Service are not necessarily co-located but may be distributed across different platforms with an event transport service linking the two components. See Distributed Audit Service Model for more discussion.

Audit Trail Management Service

The Audit Trail Management Service receives audit events and stores them in the Audit Stream, in an implementation defined format.

The Audit Trail Management Service supports:

Interfaces

Five application audit APIs are identified in the model, but only four of these are within the current scope of this specification. The four APIs within scope are:

Audit Event Submission API
The Audit Event Submission API is defined at the boundary to the Audit Event Discrimination Service for submission of audit events detected within application or platform services.

Audit Event Import API
The Audit Event Import API is defined at the boundary to the Audit Event Discrimination Service for the merging of a set of audit records recorded by a domain-specific audit service with the XDAS audit stream. It requires the definition of a common, portable audit log format to support interoperability. See Common format in .

Audit Event Filter Management API
The Audit Event Filter Management API is defined to support management applications to configure the Audit Event Discrimination and Audit Event Disposition Services.

Audit Event Enquiry API
The Audit Event Enquiry API is defined for the retrieval of audit records in the audit stream.

The fifth API, currently out of the scope of this specification is:

Audit Trail Management API
The Audit Trail Management API is defined to configure, manage and archive audit logs that comprise the XDAS audit stream.

Distributed Audit Service Example

The distributed aspect of an XDAS implementation is illustrated in Distributed Audit Service Model. For the purposes of this illustration the XDAS implementation is shown as working over The Open Group Event Management Service (XEMS). Although this is a possible method of implementation, and one that is capable of supporting interoperability between implementations (to the extent that XEMS supports interoperability), it is not mandated by this specification.

Figure: Distributed Audit Service Model

XDAS Event Supplier Components

An XDAS component executes on each platform within the distributed system. Those XDAS components providing the Audit Event Service API and the Audit Event Import API are XEMS Event Suppliers.

Applications may submit audit event records to the XDAS service via the Audit Event Service API. Domain-specific audit services, such as an operating system audit service, may submit audit event records to the XDAS service for integration with the XDAS Audit Stream. In the case of the Audit Event Import API, the caller is required to provide a translation service from the domain-specific format to the XDAS common audit event record format.

An XDAS Event Supplier uses the filtering rules to control the events that it submits to the Event Management Service. No decisions regarding the disposition of XDAS events are made by an XDAS Event Supplier.

XDAS Event Consumer Components

The XDAS components that handle the disposition of events are XEMS Event Consumers. The XEMS passes XDAS events submitted to it to XDAS Event Consumers. These components use the action part of the filter rules to control the disposition of the XDAS events received. The actions are to:

An audit analysis application is illustrated using the Audit Event Analysis API and an Audit Event Management Application using the Audit Event Management API from a central XDAS Management platform. The actual location and internal structuring of the XDAS Audit Stream is implementation defined.

The method and format for communicating filtering criteria to the individual XDAS Event Supplier components is not defined by this version of the specification.
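The following is an added illustration, not code from the XDAS specification or from any XDAS implementation, of the model described in this section: detection and import feed a discrimination step, a transport carries accepted events to a disposition step, and an audit stream answers enquiries. It also reproduces the supplier/consumer split from the distributed example above, where the supplier applies only the criteria part of each filter rule and the consumer applies only the action part. The record fields, the OS-native input record, the rule syntax and the action names are all constructed for the example; the XDAS common audit event record format itself is defined elsewhere in the specification and is not reproduced here.

```python
"""Toy model of the XDAS pipeline (constructed example, not the specification's format):
detection / import -> discrimination (supplier) -> transport -> disposition (consumer)
-> audit stream -> enquiry."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class AuditEvent:
    """Hypothetical common record; field names are this example's, not XDAS's."""
    event_type: str            # e.g. "login", "file_read"
    initiator: str             # principal that caused the event
    target: str                # object acted upon
    outcome: str               # "success" or "failure"
    timestamp: int             # seconds since epoch (constructed values below)
    origin_locator: str = ""   # reference back to the originating domain's record


def translate_os_record(raw: dict[str, Any]) -> AuditEvent:
    """Import-service translation from a hypothetical OS audit record.
    Not every native field survives; the locator lets an analyst find the original."""
    return AuditEvent(
        event_type=raw["ev"],
        initiator=raw["uid"],
        target=raw.get("obj", ""),
        outcome="success" if raw["rc"] == 0 else "failure",
        timestamp=raw["t"],
        origin_locator=f"{raw['log']}#{raw['seq']}",
    )


@dataclass
class FilterRule:
    criteria: dict[str, str]   # field -> required value; evaluated by the supplier
    actions: tuple[str, ...]   # disposition actions; evaluated only by the consumer

    def matches(self, ev: AuditEvent) -> bool:
        return all(getattr(ev, k) == v for k, v in self.criteria.items())


class AuditStream:
    """Audit Trail Management: storage plus the enquiry side of the model."""
    def __init__(self) -> None:
        self.records: list[AuditEvent] = []

    def store(self, ev: AuditEvent) -> None:
        self.records.append(ev)

    def query(self, event_type: str | None = None, since: int = 0) -> list[AuditEvent]:
        """Enquiry: time-ordered retrieval, optionally narrowed by type and start time."""
        hits = [r for r in self.records
                if r.timestamp >= since and (event_type is None or r.event_type == event_type)]
        return sorted(hits, key=lambda r: r.timestamp)


class EventSupplier:
    """Runs on each platform: applies rule criteria only, never decides disposition."""
    def __init__(self, rules: list[FilterRule], transport: deque) -> None:
        self.rules, self.transport, self.discarded = rules, transport, 0

    def submit(self, ev: AuditEvent) -> bool:
        if any(r.matches(ev) for r in self.rules):
            self.transport.append(ev)     # hand over to the event transport
            return True
        self.discarded += 1               # discrimination: event ignored
        return False

    def import_record(self, raw: dict[str, Any]) -> bool:
        return self.submit(translate_os_record(raw))


class EventConsumer:
    """Disposition: executes the union of action parts of all matching rules."""
    def __init__(self, rules: list[FilterRule], transport: deque, stream: AuditStream) -> None:
        self.rules, self.transport, self.stream = rules, transport, stream
        self.alarms: list[AuditEvent] = []

    def drain(self) -> int:
        delivered = 0
        while self.transport:
            ev = self.transport.popleft()
            actions = {a for r in self.rules if r.matches(ev) for a in r.actions}
            if "store" in actions:
                self.stream.store(ev)
            if "alarm" in actions:
                self.alarms.append(ev)
            delivered += 1
        return delivered


def run_demo() -> dict[str, Any]:
    """Drive the pipeline with constructed events and return what each stage did."""
    rules = [
        FilterRule({"event_type": "login", "outcome": "failure"}, ("store", "alarm")),
        FilterRule({"event_type": "file_read"}, ("store",)),
    ]
    transport: deque = deque()
    stream = AuditStream()
    supplier = EventSupplier(rules, transport)
    consumer = EventConsumer(rules, transport, stream)
    # Constructed application-detected events submitted directly.
    supplier.submit(AuditEvent("login", "alice", "host-a", "success", 100))
    supplier.submit(AuditEvent("login", "mallory", "host-a", "failure", 101))
    supplier.submit(AuditEvent("file_read", "alice", "/etc/passwd", "success", 102))
    # Constructed OS-native record routed through the import service (rc != 0 -> failure).
    supplier.import_record({"ev": "login", "uid": "bob", "rc": 13, "t": 99,
                            "log": "os-audit", "seq": 4711})
    delivered = consumer.drain()
    return {"discarded": supplier.discarded, "delivered": delivered,
            "stored": len(stream.records), "alarms": len(consumer.alarms),
            "first_login_locator": stream.query("login")[0].origin_locator}
```

The successful login matches no rule and is dropped at the supplier, so it never crosses the transport; the imported OS record arrives out of order (timestamp 99) but the enquiry returns it first, and its locator still points back at the native log entry even though fields such as the raw return code were lost in translation.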

