The XDAS comprises both operational and management services. The operational XDAS services are those available to applications in support of the logging of audit records. The management services support the configuration and management of audit events, the audit service itself, as well as providing interfaces for the analysis of audit records.
The XDAS places a dependency on an Event Management Service such that the intermediate event management components do not modify the filtering or routing of audit events, thereby ensuring that an audit alarm, for example, is not filtered out part way to its destination
Operational services include:
All callers are required to initiate a session with the XDAS audit service. This authenticates the caller's identity and establishes a session between the caller and the XDAS. Thereafter, callers may use the XDAS APIs to log events, configure the audit service, or analyze audit streams subject to the XDAS authorities assigned to them.
These allow audit records to be created, filled and committed to the implementation defined audit log in common format.
Management services include:
Each interface specification includes the XDAS authority required to be possessed by a caller in order to utilize the interface. The mechanism for enforcement of the authorization policy is implementation specific. Support is included in this specification for the initialization of a session between a caller and the XDAS service whereby the identity of the caller can be authenticated and appropriate authorization attributes established.
All callers must initiate a session with the XDAS before they can use any of the services it provides. The initialization of the session supports the mutual authentication of the audit client and audit service components and establishes the audit client's XDAS authorities The caller is returned a handle to the XDAS service which is then used for all XDAS API functions. On completion, the caller must terminate the XDAS session.
The behaviour if a client dies or exits without calling terminate session is implementation defined. An implementation may take specific action to try and detect and terminate such sessions itself to address any potential denial of service risks.
Callers submit security relevant events to the Audit Event Service Client API. The functions build the record from the information given by the caller and from the processing environment. The interfaces cover the creation, filling and committing of an audit record to the audit trail.
This service permits domain specific audit services to import their own audit records into the XDAS service for consolidation and analysis at the distributed system level. Only callers with the XDAS_AUDIT_IMPORT authority are permitted to use this function.
The Audit Event Management API provides the means whereby the Audit Event Discrimination Service and the Audit Event Disposition Service are configured. Only callers with the XDAS_AUDIT_CONTROL authority are permitted to use these interfaces.
The Audit Read API is used to extract records from the XDAS audit stream for analysis. The interface supports the copying of a record into a buffer where the contents may be examined by the caller. The interfaces are available to privileged callers who possess the XDAS_AUDIT_READ authority.