
Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group

Example XDAS Event Mappings

Oracle Security Events

The following events have been taken from the Oracle Database Administrator's Manual. The table below presents an illustrative mapping to XDAS events.
Table: Mapping of ORACLE Audit Events to XDAS Generic Audit Events

| Oracle Event Description | XDAS-API Event(s) |
|---|---|
| Alter system | configure service or application |
| Create/drop cluster | configure service or application |
| Alter/truncate cluster | configure service or application |
| Create/drop database link | configure service or application |
| Create/delete index | create/delete data item |
| Alter index | modify data item |
| Not exists | THIS IS REPRESENTED BY AN OUTCOME CODE |
| Create/replace function | configure service or application |
| Create/replace package/package body | configure service or application |
| Create/replace procedure | configure service or application |
| Drop function, package, procedure | configure service or application |
| Create/drop public database link | configure service or application |
| Create/drop public synonym | configure service or application |
| Create/drop role | configure service or application |
| Set/alter role | configure service or application |
| Create/drop rollback segment | create/delete data item |
| Alter rollback segment | configure service |
| Create/drop sequence | create/delete data item |
| Session connect/disconnect | create/terminate an association |
| Set system audit | configure audit service |
| System grant | modify account attributes |
| Create/drop table | create/delete data item |
| Truncate table | modify data item contents |
| Create/drop tablespace | configure service or application |
| Alter tablespace | configure service or application |
| Create trigger | configure service or application |
| Alter trigger enable/disable | modify data item |
| Create/drop/alter user | create/delete/modify account |
| Create/drop view | create/delete data item |
| Alter sequence | modify data item |
| Alter table, comment on table | modify data item |
| Execute procedure | invoke service or application |
| Grant/revoke privilege on procedure | configure service or application |
| Grant/revoke privilege on sequence | configure service or application |
| Grant/revoke privilege on table | modify data item attributes |
| Insert into table | modify data item |
| Lock table | modify data item attributes |
| Select sequence, table | create association with data item |
| Update table, view | modify data item |
| Upgrade data | modify data item attributes |
| Downgrade data | modify data item attributes |
| Upgrade higher level rows | modify data item attributes |
| Insert, update, delete lower level rows | create/delete data items, modify data item attributes |
| Lower DBMS label | modify data item attributes |
| Raise DBMS label | modify data item attributes |
| Alter DBMS label to a non-comparable label | modify data item attributes |
| Grant MAC privileges | modify account attributes, modify an association context |
| Switch modes | modify an association context |

Mapping

The following events have been taken from the SUN Solaris BSM Manual for audit records. The table below shows where they map to the suggested XDAS events.
Table: Mapping of Solaris BSM Audit Events to XDAS Generic Audit Events

| BSM Kernel-level Audit Events | XDAS-API Event |
|---|---|
| access(2) | query data item attributes |
| acct(2) | configure audit service |
| adjtime(2) | configure service or application |
| chdir(2) | modify processing context |
| chmod(2) | modify data item attributes |
| chown(2) | modify data item attributes |
| chroot(2) | modify processing context |
| close(2) | terminate association with data item |
| creat(2) | create data item |
| exec(2) | invoke service or application component |
| execve(2) | as exec(2) |
| exit(2) | terminate service or application component |
| fchdir(2) | modify processing context |
| fchmod(2) | modify data item attributes |
| fchown(2) | modify data item attributes |
| fchroot(2) | modify processing context |
| fcntl(2) | modify data item attributes |
| fork(2) | invoke service or application |
| fstat(2) | query data item attributes |
| fstatfs(2) | query configuration of service or application |
| ioctl(2) | modify data item attributes |
| kill(2) | modify data item contents |
| link(2) | modify data item attributes |
| lstat(2) | query data item attributes |
| mkdir(2) | create data item |
| mknod(2) | create data item |
| mmap(2) | create a data item |
| mount(2) | enable service |
| msgctl(2) | modify data item attributes |
| msgget(2) | create data item, |
| msgrcv(2) | query data item contents |
| msgsnd(2) | modify data item contents |
| munmap(2) | delete data item |
| open(2) | create an association with a data item |
| pathconf(2) | query context of association with data item |
| pipe(2) | create a data item |
| process dumped core | resource corruption |
| readlink(2) | query data item contents |
| rename(2) | modify data item, |
| rmdir(2) | delete data item |
| semctl(2) | modify data item attributes |
| semget(2) | create data item |
| semop(2) | query/modify data item contents |
| setgroups(2) | modify user session attributes |
| setspgrp(2) | modify user session attributes |
| setrlimit(2) | query/modify configuration of service or application |
| shmat(2) | create association with peer |
| shmctl(2) | query/modify data item attributes |
| shmdt(2) | terminate association with peer |
| shmget(2) | create data item |
| stat(2) | query data item attributes |
| statfs(2) | query configuration of service or application |
| symlink(2) | modify data item attributes |
| system(2) | invoke a service or application |
| umount(2) | terminate a service or application |
| unlink | modify data item attributes |
| utimes | modify data item attributes |
| vfork(2) | invoke service or application |
| vtrace(2) | invoke service or application |
| /usr/sbin/allocate | enable or disable devices |
| /usr/sbin/halt | shutdown system |
| /usr/sbin/inetd | create an association with a peer |
| /usr/sbin/in.ftpd | create an association with a peer |
| /usr/bin/login | create user session |
| /usr/lib/nfs/mountd | modify configuration of service or application |
| /usr/bin/passwd | modify account attributes |
| /usr/sbin/reboot | start system |
| /usr/sbin/in.rshd or | create user session |
| /usr/bin/su | modify user session attributes |

IEEE P1003.1e -- Protection, Audit and Control Interfaces

This table maps the audit events defined in IEEE P1003.1e Draft 15 to the generic XDAS events.

| P1003.1e Audit Event | XDAS-API Event |
|---|---|
| AUD_AET_AUD_SWITCH | configure audit service |
| AUD_AET_AUD_WRITE | access to other services |
| AUD_AET_CHDIR | modify processing context |
| AUD_AET_CHMOD | modify data item attributes |
| AUD_AET_CHOWN | modify data item attributes |
| AUD_AET_CREAT | create a data item |
| AUD_AET_DUP | create association with a data item |
| AUD_AET_EXEC | invoke service or application |
| AUD_AET_EXIT | terminate service or application |
| AUD_AET_FORK | invoke service or application |
| AUD_AET_KILL | terminate service or application |
| AUD_AET_LINK | modify data item attributes |
| AUD_AET_MKDIR | create data item |
| AUD_AET_MKFIFO | create data item |
| AUD_AET_OPEN | create association with data item |
| AUD_AET_PIPE | create data item |
| AUD_AET_RENAME | modify data item contents |
| AUD_AET_RMDIR | delete data item |
| AUD_AET_SETGID | modify user session attributes |
| AUD_AET_SETUID | modify user session attributes |
| AUD_AET_UNLINK | modify data item attributes |
| AUD_AET_UTIME | modify data item attributes |
| AUD_AET_ACL_DELETE_DEF_FILE | modify data item attributes |
| AUD_AET_ACL_SET_FD | modify data item attributes |
| AUD_AET_ACL_SET_FILE | modify data item attributes |
| AUD_AET_CAP_SET_FD | modify data item attributes |
| AUD_AET_CAP_SET_FILE | modify data item attributes |
| AUD_AET_CAP_SET_PROC | modify processing context |
| AUD_AET_INF_SET_FD | modify data item attributes |
| AUD_AET_INF_SET_FILE | modify data item attributes |
| AUD_AET_INF_SET_PROC | modify processing context |
| AUD_AET_MAC_SET_FD | modify data item attributes |
| AUD_AET_MAC_SET_FILE | modify data item attributes |
| AUD_AET_MAC_SET_PROC | modify processing context |

Table: Mapping of IEEE P1003.1e Audit Events to XDAS Generic Audit Events
