Open System Services Management and Operations Guide (G06.30+, H06.08+, J06.03+)

Audit Records for OSS Objects
Audited events are recorded in the Safeguard audit files (collectively referred to as the audit trail).
Every audited event describes:
• The user or process initiating the event
• The object affected by the event
• The operation, including whether the operation succeeded or failed, and the details of a defined list of appropriate attributes
Audit records are characterized by the following information:
• If the object of an operation has a pathname, then either the audit record includes the pathname or the operation is associated with another record that includes the pathname.
• OSS filenames stored in the audit record are uniquely identifiable.
• Operations and outcomes are specified by enumerated values defined by Safeguard.
• An operation that modifies an object’s attributes provides before and after images of the attributes in the audit record.
• An operation that creates a new object specifies the new object’s attributes in the audit record.
• An operation that deletes an object specifies the object’s attributes in the audit record.
• Failure to search a directory during name resolution is audited. The audit record indicates the pathname of the directory being searched, up to and including the failure.
This information can be retrieved by using SAFEART, the Safeguard audit-file reduction tool.
Object Names in Audit Records
When the value of an OSS file attribute must appear in an audit record, the OSS name server
writes the file’s object names in its request to the file system. OSS objects have two kinds of object
names, an external name and an internal name.
For objects in the OSS file system, the external name is the fully qualified pathname for the object.
For OSS filesets, the external name is the name of the fileset as seen through SCF.
In most audit records, the external and internal names for the object are both included and separated
by an equal sign (=). For example:
/bin=$ZPNS.Z00000.Z0000004G:56876483
/bin/sh=$OSS1.ZYQ00000.Z000005R:45736652
Sometimes only the internal name appears, in which case a preceding RESOLVE record contains
both names.
The OSS name server maintains the absolute pathname of the mount point for each fileset that it
manages. To ensure that they are generated quickly, all pathnames that are stored in audit records
are normalized as follows:
• All dots (.), double dots (..), multiple slashes, and symbolic-link references are resolved.
• The maximum length of the stored pathname is 1023 bytes. If the actual pathname length exceeds 1023 bytes, the audited name consists of three periods (...) followed by the last 1020 bytes of the pathname.
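The name format and the length rule described above can be handled as follows when post-processing audit data. This is an added example, not code from the guide or from Safeguard; it assumes that internal names begin with a dollar sign as in the two examples above, and the function names and the internal-only sample field are hypothetical.

```python
MAX_STORED = 1023  # longest pathname stored in an audit record, in bytes (from the text)
TAIL_KEPT = 1020   # bytes of the pathname kept after the "..." marker (from the text)


def audited_name(pathname: bytes) -> bytes:
    """Apply the length rule to an already-normalized pathname."""
    if len(pathname) <= MAX_STORED:
        return pathname
    return b"..." + pathname[-TAIL_KEPT:]


def is_truncated(external: str) -> bool:
    """True when the external name is only the tail of a longer pathname."""
    return external.startswith("...") and len(external.encode()) == MAX_STORED


def split_object_name(field: str):
    """Return (external, internal); external is None for an internal-only field."""
    # Assumption: internal names start with '$', as in the page's two examples, so
    # the split is made at the last '=$' because a pathname may itself contain '='.
    if field.startswith("$"):
        return None, field
    external, sep, internal = field.rpartition("=$")
    if not sep:
        raise ValueError(f"no internal name in {field!r}")
    return external, "$" + internal


def resolve_names(fields):
    """Pair each field with its external name, reusing names from earlier fields."""
    seen, out = {}, []
    for field in fields:
        external, internal = split_object_name(field)
        if external is None:
            external = seen.get(internal)  # None: no earlier record named it
        else:
            seen[internal] = external
        out.append((external, internal))
    return out


# Constructed input: the page's two example names, then an internal-only field.
SAMPLE = ["/bin=$ZPNS.Z00000.Z0000004G:56876483",
          "/bin/sh=$OSS1.ZYQ00000.Z000005R:45736652",
          "$OSS1.ZYQ00000.Z000005R:45736652"]

if __name__ == "__main__":
    for external, internal in resolve_names(SAMPLE):
        print(internal, "->", external)
```

A name for which is_truncated returns True holds only the tail of the pathname, so it cannot be matched against a directory prefix; match on the internal name in that case.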
Which audit records are generated depends on the operation (see “Auditing of OSS Shell
Commands” (page 225) for a list of what is generated in the audit record of different operations).
A record is generated for an object in an audited fileset after the process that manages the object
checks the user ID to determine whether the user has the authority to perform the requested operation.
When the operation terminates because of an error and a security ruling has not yet been obtained,
no auditing is performed. An operation can also fail after an audit record is logged.