Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group
XDAS Model
Introduction
Figure: Distributed Audit Service Interfaces
In the figure Distributed Audit Service Interfaces, the shaded boxes identify
the APIs supported by this version of the XDAS specification. The boxes
labelled "Common Format" indicate at which APIs the common format defined in
this specification is exposed.
The XDAS Audit Service provides an API to support:
- the submission of audit events by applications
- the import of information from audit logs generated by domain specific audit services
- control of the filtering of audit events prior to submission or import
- control of the disposition of events as a combination of any of logging, action initiation and alarm triggering
- the analysis of audit logs.
The Distributed Audit Service model discussed in this section is illustrated
in the figure Distributed Audit Service Interfaces. This is a logical
representation and does not reflect a particular physical architecture. It
comprises the following components:
- Security Event Detection Service
The Security Event Detection service resides in the callers of the
XDAS Audit Event Service Client API (shown in the diagram as
applications 1 and 2.)
An application is responsible for detecting security relevant activity in
the context of its own security domain and for generating an audit event
record that contains a description of the activity and information about the
security context. An application reports the events it detects via the Audit
Event Service Client API.
- Audit Event Import Service
Many domains, in particular operating systems, provide their own audit
service designed to meet their domain's specific needs in terms of event
types and the information recorded about an event. The Audit Event Import
Service imports audit events from a domain specific log so that they can be
merged with XDAS audit information into a single time ordered sequence of
records, supporting analysis of audit events across domains. To use the
import service, a security domain must provide a facility to translate its
own audit records into the XDAS common audit event record format.
- Note:
- The translation to the XDAS common audit event record format does not
necessarily preserve all information in the original audit record. The
XDAS common audit event record format includes information that can be
used to locate the original record within the originating domain's audit
trail.
- Audit Event Discrimination Service
The Audit Event Discrimination Service evaluates every incoming event against
pre-set criteria that are configured via the Audit Event Management Service.
Events that do not meet the criteria are discarded; those that do are passed
to the Audit Event Disposition Service.
- Audit Event Disposition Service
The Audit Event Disposition Service receives security relevant events
from the Audit Event Discrimination Service.
Based upon configuration data, the audit disposition service invokes one or
more of the following services:
- an Audit Trail Management Service for logging the event,
- an Invoke Action Service for invoking a command or application configured for invocation on the occurrence of the event,
- an Alarm Delivery Service that submits the event to an Event Management Service for handling as a system alarm.
The figure emphasizes that the Event Discrimination Service and Event
Disposition Service are not necessarily co-located but may be
distributed across different platforms with an event transport service
linking the two components. See
Distributed Audit Service Model
for more discussion.
- Audit Trail Management Service
The Audit Trail Management Service receives audit events and stores them
in the Audit Stream, in an implementation defined format.
The Audit Trail Management Service supports:
Interfaces
Five application audit APIs are identified in the model, but only four of
these are within the current scope of this specification.
The four APIs within scope are:
- Audit Event Submission API
The Audit Event Submission API is defined at the boundary to the
Audit Event Discrimination Service for submission of audit events
detected within application or platform services.
- Audit Event Import API
The Audit Event Import API is defined at the boundary to the
Audit Event Discrimination Service for the merging of a set of
audit records recorded by a domain specific audit service with the XDAS
audit stream. It requires the definition of a common, portable audit log
format to support interoperability; see the common format defined in this
specification.
- Audit Event Filter Management API
The Audit Event Filter Management API is defined to support management
applications to configure the Audit Event Discrimination and Audit Event
Disposition Services.
- Audit Event Enquiry API
The Audit Event Enquiry API is defined for the retrieval of audit records
in the audit stream.
The fifth API, currently out of the scope of this specification is:
- Audit Trail Management API
The Audit Trail Management API is defined to configure, manage and archive
audit logs that comprise the XDAS audit stream.
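As an added illustration, not code from the XDAS specification, the following Python sketch exercises the Audit Event Import Service and the Audit Event Import API described above: it translates a constructed operating-system style audit log into an illustrative common record format, keeps a locator back to the original record as the Note requires, and merges the result with records an application submitted directly into one time ordered stream. The record field names, the OS log line format, the log name and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of a domain-specific audit log, standing in for the
# output of an operating-system audit service. The line format is an
# assumption made for this example, not a format defined by XDAS.
OS_AUDIT_LOG = """\
1998-03-02T10:15:01Z seq=41 type=LOGIN user=alice host=ws12 result=success
1998-03-02T10:15:07Z seq=42 type=FILE_OPEN user=alice host=ws12 path=/etc/shadow result=denied
1998-03-02T10:16:30Z seq=43 type=LOGOUT user=alice host=ws12 result=success
"""

OS_LINE = re.compile(r"^(?P<ts>\S+) seq=(?P<seq>\d+) type=(?P<type>\w+)(?P<rest>.*)$")


@dataclass
class CommonRecord:
    """Illustrative stand-in for the XDAS common audit event record.

    The field names here are assumptions chosen for this example; they are
    not the record layout defined by the specification.
    """
    timestamp: datetime
    originator: str            # service/domain that produced the record
    initiator: str             # principal whose activity was detected
    event_type: str
    outcome: str
    target: Optional[str] = None
    # Enough to find the original record in the originating domain's trail:
    # translation need not preserve every field, but it must preserve this.
    source_locator: Dict[str, str] = field(default_factory=dict)


def translate_os_record(line: str, log_name: str) -> CommonRecord:
    """Translate one OS-style audit line into the common record format."""
    m = OS_LINE.match(line)
    if m is None:
        raise ValueError(f"unrecognised OS audit line: {line!r}")
    attrs = dict(kv.split("=", 1) for kv in m["rest"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return CommonRecord(
        timestamp=ts,
        originator="os-audit@" + attrs.get("host", "unknown"),
        initiator=attrs.get("user", "unknown"),
        event_type=m["type"],
        outcome=attrs.get("result", "unknown"),
        target=attrs.get("path"),            # absent for most event types: lossy is allowed
        source_locator={"log": log_name, "seq": m["seq"]},
    )


def import_os_log(text: str, log_name: str) -> List[CommonRecord]:
    """Audit Event Import: translate every non-blank line of a domain log."""
    return [translate_os_record(ln, log_name) for ln in text.splitlines() if ln.strip()]


def merge_streams(*streams: List[CommonRecord]) -> List[CommonRecord]:
    """Merge records from several sources into one time ordered sequence.

    sorted() is stable, so records with equal timestamps keep their
    relative order from the input streams.
    """
    return sorted((r for s in streams for r in s), key=lambda r: r.timestamp)


# Constructed records submitted natively by an application (already in the
# common format), interleaved in time with the imported OS records.
APP_RECORDS = [
    CommonRecord(datetime(1998, 3, 2, 10, 15, 5, tzinfo=timezone.utc),
                 "payroll-app", "alice", "QUERY", "success", "salary-table"),
    CommonRecord(datetime(1998, 3, 2, 10, 15, 9, tzinfo=timezone.utc),
                 "payroll-app", "alice", "UPDATE", "denied", "salary-table"),
]


def build_merged_stream() -> List[CommonRecord]:
    """Import the OS log, merge it with the application's records, return the stream."""
    return merge_streams(APP_RECORDS, import_os_log(OS_AUDIT_LOG, "ws12:/var/log/audit"))


if __name__ == "__main__":
    for r in build_merged_stream():
        print(r.timestamp.isoformat(), r.originator, r.event_type, r.outcome, r.source_locator)
```

The merge is keyed on the record timestamp, so it is only as good as clock agreement between the OS audit service and the application; a practitioner merging real trails across platforms should normalise all timestamps to UTC, as the translation here does, and treat the source locator, not the position in the merged stream, as the authoritative reference to the original record.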
Distributed Audit Service Example
The distributed aspect of an XDAS implementation is illustrated in
Distributed Audit Service Model
.
For the purposes of this illustration the XDAS implementation is shown
as working over The Open Group Event Management Service (XEMS). Although
this is a possible method of implementation, and one that is capable of
supporting interoperability between implementations (to the extent that
XEMS supports interoperability), it is not mandated by this specification.
Figure: Distributed Audit Service Model
XDAS Event Supplier Components
An XDAS component executes on each platform within the
distributed system. Those XDAS components providing the Audit Event
Service API and the Audit Event Import API are XEMS Event
Suppliers.
Applications may submit audit event records to the XDAS service via
the Audit Event Service API. Domain specific audit services, such
as an operating system audit service, may submit audit event records to
the XDAS service for integration with the XDAS Audit Stream. In the
case of the Audit Event Import API, the caller is required to
provide a translation service from the domain specific format to the
XDAS common audit event record format.
An XDAS Event Supplier uses the filtering rules to control the events
that it submits to the Event Management Service. No decisions regarding
the disposition of XDAS events are made by an XDAS Event Supplier.
XDAS Event Consumer Components
The XDAS components that handle the disposition of events are XEMS Event
Consumers. The XEMS passes XDAS events submitted to it to XDAS Event
Consumers. These components use the action part of the filter rules to
control the disposition of the XDAS events received. The actions are
to:
- Log the event
- Initiate an action by invoking a program or script
- Initiate an alarm by submitting the XDAS event to the Event Management System as a system alarm.
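The following Python model, added here and not part of the specification, exercises the Audit Event Discrimination and Disposition Services of the XDAS Model section as the Event Supplier and Event Consumer split just described: the supplier applies only the selection part of the filter rules and forwards survivors to a transport, and the consumer applies the action part (log, invoke, alarm) to what arrives. The rule shape, the event field names, the sample events and the in-process queue standing in for the Event Management Service are all assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Any, Callable, Deque, Dict, List, Set, Tuple

# An audit event is modelled as a plain dict of named fields. Field names and
# the rule shape below are assumptions for this example; XDAS defines neither
# a filter-rule syntax nor how rules reach the suppliers.
Event = Dict[str, Any]


@dataclass
class FilterRule:
    """Selection part (criteria) plus action part of one filter rule."""
    name: str
    criteria: Dict[str, Set[Any]]   # every listed field must take one of the allowed values
    actions: Set[str]               # subset of {"log", "invoke", "alarm"}

    def matches(self, ev: Event) -> bool:
        return all(ev.get(f) in allowed for f, allowed in self.criteria.items())


class EventSupplier:
    """XDAS Event Supplier: discriminates incoming events and forwards the
    survivors to the event transport. It makes no disposition decisions."""

    def __init__(self, rules: List[FilterRule], transport: Deque[Event]):
        self.rules = rules
        self.transport = transport

    def submit(self, ev: Event) -> bool:
        """Return True if the event was forwarded, False if it was discarded."""
        if any(r.matches(ev) for r in self.rules):
            self.transport.append(dict(ev))
            return True
        return False


class EventConsumer:
    """XDAS Event Consumer: applies the action part of every rule an event matches."""

    def __init__(self, rules: List[FilterRule], transport: Deque[Event],
                 invoke: Callable[[Event], None], alarm: Callable[[Event], None]):
        self.rules = rules
        self.transport = transport
        self.invoke = invoke                  # stands in for the Invoke Action Service
        self.alarm = alarm                    # stands in for the Alarm Delivery Service
        self.audit_stream: List[Event] = []   # stands in for the Audit Trail

    def process_pending(self) -> int:
        """Drain the transport; return the number of events dispositioned."""
        handled = 0
        while self.transport:
            ev = self.transport.popleft()
            # Union the action parts of all matching rules, so an event that
            # matches two rules which both say "log" is logged only once.
            actions: Set[str] = set()
            for r in self.rules:
                if r.matches(ev):
                    actions |= r.actions
            if "log" in actions:
                self.audit_stream.append(ev)
            if "invoke" in actions:
                self.invoke(ev)
            if "alarm" in actions:
                self.alarm(ev)
            handled += 1
        return handled


RULES = [
    # Anything that failed is logged and raised as an alarm.
    FilterRule("failed-access", {"outcome": {"denied", "failure"}}, {"log", "alarm"}),
    # Privilege changes are logged and trigger a configured action, whatever the outcome.
    FilterRule("privilege-change", {"event_type": {"PRIV_CHANGE"}}, {"log", "invoke"}),
]

# Constructed sample events as an application would submit them.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "LOGIN", "initiator": "alice", "outcome": "success"},
    {"event_type": "FILE_OPEN", "initiator": "alice", "target": "/etc/shadow", "outcome": "denied"},
    {"event_type": "PRIV_CHANGE", "initiator": "root", "target": "bob", "outcome": "success"},
    {"event_type": "PRIV_CHANGE", "initiator": "bob", "target": "bob", "outcome": "denied"},
]


def run_pipeline(events: List[Event]) -> Tuple[int, EventConsumer, List[Event], List[Event]]:
    """Push events through supplier -> transport -> consumer and report what happened."""
    transport: Deque[Event] = deque()
    invoked: List[Event] = []
    alarmed: List[Event] = []
    supplier = EventSupplier(RULES, transport)
    consumer = EventConsumer(RULES, transport, invoked.append, alarmed.append)
    forwarded = sum(1 for ev in events if supplier.submit(ev))
    consumer.process_pending()
    return forwarded, consumer, invoked, alarmed


if __name__ == "__main__":
    fwd, cons, inv, alm = run_pipeline(SAMPLE_EVENTS)
    print(f"forwarded={fwd} logged={len(cons.audit_stream)} invoked={len(inv)} alarms={len(alm)}")
```

Two points the model makes visible. First, the supplier and consumer here share one RULES list in the same process; in a real deployment the supplier only needs the criteria and the consumer only needs the actions, and, as the text below notes, how the criteria are distributed to suppliers is not defined by this version of the specification. Second, the "invoke" action stands in for running a command or script: when a real Invoke Action Service does that, event fields such as the initiator or target are attacker-influenced data and must be passed as discrete arguments, never interpolated into a shell command line.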
An audit analysis application is shown using the Audit Event Analysis API
(the Audit Event Enquiry API of the Interfaces section), and an audit event
management application using the Audit Event Management API (the Audit Event
Filter Management API), both from a central XDAS management platform.
The actual location and internal structuring of the
XDAS Audit Stream is implementation defined.
The method and format for communicating filtering criteria to the individual XDAS
Event Supplier components is not defined by this version of the specification.