Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group
Figure: Distributed Audit Service Interfaces
the shaded boxes identify the APIs supported by this version of the XDAS
specification. The boxes labelled "Common Format" indicate at which
APIs the common format defined in this specification is exposed.
The XDAS Audit Service provides an API to support:
the submission of audit events by applications
the import of information from audit logs generated by domain specific
control of the filtering of audit events prior to submission or import
control of the disposition of events as a combination of any of logging,
action initiation and alarm triggering
the analysis of audit logs.
The Distributed Audit Service model discussed in this section
is illustrated in
This is a logical representation and does not reflect a particular physical
architecture. It comprises the following components:
- Security Event Detection Service
The Security Event Detection service resides in the callers of the
XDAS Audit Event Service Client API (shown in the diagram as
applications 1 and 2.)
An application is responsible for detecting security relevant activity in
the context of its own security domain and to
generate an audit event record which contains a description of the activity and
information about the security context. An application reports
the events it detects via the Audit Event Service Client API.
- Audit Event Import Service
Many domains, in particular operating systems, provide their own audit
service designed to meet their domain's specific needs in terms of event
types and the information recorded about an event. The Audit Event
Import Service provides for the import of audit events from a domain
specific log for the purposes of merging with XDAS audit information
a time ordered sequence of records for the
support of analysis of audit events across domains. In order to use the
import service a security domain needs to provide a facility to translate its
own audit records into the XDAS common audit event record format.
- The translation to the XDAS common audit event record format does not
necessarily preserve all information in the original audit record. The
XDAS common audit event record format includes information that can be
used to locate the original record within the originating domain's audit
- Audit Event Discrimination Service
The Audit Event Discrimination Service discriminates all
incoming events against pre-set criteria which are configured via
the Audit Event Management Service.
Those which do not meet the criteria are ignored. Those which
do are passed to the Audit Event Disposition Service.
- Audit Event Disposition Service
The Audit Event Disposition Service receives security relevant events
from the Audit Event Discrimination Service.
Based upon configuration data, the audit
disposition service invokes one or more of the following services:
an Audit Trail Management Service for logging the event,
an Invoke Action Service for invoking a command or application
configured for invocation on the occurrence of the event.
an Alarm Delivery Service that submits the event to an Event
Management Service for handling as a system alarm.
The figure emphasizes that the Event Discrimination Service and Event
Disposition Service are not necessarily co-located but may be
distributed across different platforms with an event transport service
linking the two components. See
Distributed Audit Service Model
for more discussion.
- Audit Trail Management Service
The Audit Trail Management Service receives audit events and stores them
in the Audit Stream, in an implementation defined format.
The Audit Trail Management Service supports:
Five application audit APIs are identified in the model but only four are
of these are within the current scope of this specification.
The four APIs within scope are:
- Audit Event Submission API
The Audit Event Submission API is defined at the boundary to the
Audit Event Discrimination Service for submission of audit events
detected within application or platform services
- Audit Event Import API
The Audit Event Import API is defined at the boundary to the
Audit Event discrimination service for the merging of a set of
audit records recorded by a domain specific audit service with the XDAS
audit stream. It
requires the definition of a common, portable audit log format to support
interoperability. See Common format in
- Audit Event Filter Management API
The Audit Event Filter Management API is defined to support management
applications to configure the Audit Event Discrimination and Audit Event
- Audit Event Enquiry API
The Audit Event Enquiry API is defined for the retrieval of audit records
in the audit stream.
The fifth API, currently out of the scope of this specification is:
- Audit Trail Management API
The Audit Trail Management API is defined to configure, manage and archive
audit logs that comprise the XDAS audit stream.
Distributed Audit Service Example
The distributed aspect of an XDAS implementation is illustrated in
Distributed Audit Service Model
For the purposes of this illustration the XDAS implementation is shown
as working over The Open Group Event Management Service. Although this is a
possible method of implementation, and one that is capable of supporting
interoperability between implementations (to the extent that XEMS
supports interoperability) it is not mandated by this specification.
Figure: Distributed Audit Service Model
XDAS Event Supplier Components
An XDAS component executes on each platform within the
distributed system. Those XDAS components providing the Audit Event
Service API and the Audit Event Import API are XEMS Event
Applications may submit audit event records to the XDAS service via
the Audit Event Service API. Domain specific audit services, such
as an operating system audit service, may submit audit event records to
the XDAS service for integration with the XDAS Audit Stream. In the
case of the Audit Event Import API then the caller is required to
provide a translation service from the domain specific format to the
XDAS common audit event record format.
An XDAS Event Supplier uses the filtering rules to control the events
that it submits to the Event Management Service. No decisions regarding
the disposition of XDAS events is made by an XDAS Event Supplier.
XDAS Event Consumer Components
The XDAS components that handle the disposition of events are XEMS Event
Consumers. The XEMS passes XDAS events submitted to it to XDAS Event
Consumers. These components use the action part of the filter rules to
control the disposition of the XDAS events received. The actions are
Log the event
Initiate an action by invoking a program or script
Initiate an alarm by submitting the XDAS event to the Event
Management System as a system alarm.
An audit analysis application is illustrated using the Audit Event
Analysis API and an Audit Event Management Application using the
Audit Event Management API from a central XDAS Management platform.
The actual location and internal structuring of the
XDAS Audit Stream is implementation defined.
The method and format for communicating filtering criteria to the individual XDAS
Event Supplier components is not defined by this version of the specification.
Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy
of this publication.