Open System Services Programmer's Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

251

252

253

254

255

256

257

258

259

260

Security Auditing of OSS files

Your application program does not need to provide its own file auditing mechanism. Your system

manager can enable file auditing on a specific fileset. When auditing is enabled, certain application

program activities for any file in that fileset can automatically generate entries in the audit file for

the system where the file is located.

The following subsections describe:

• “How to Identify an Audited file in Audit Records” (page 253)

• “What Operations and Objects Are Audited” (page 253)

• “Considerations for File Auditing” (page 255)

How to Identify an Audited file in Audit Records

You can write either an OSS or Guardian application program to process audit records. Audit

files are structured files and are easiest to process with Guardian APIs. The structure and Guardian

file naming conventions for audit files, the field names and object types, and the format of audit

file records are described in the Safeguard Audit Service Manual.

The audit record for an audited file event identifies the file being audited with both its absolute

OSS pathname and the internal name used for it by Guardian access mechanisms. The internal

name includes the creation version serial number (CRVSN) so that a specific instance of a file can

be identified. An audit entry looks like:

pathname=$volume_name.subvolume_name.file_identifier:crvsn

For example:

/bin/ed=$DATA13.ZYQ00001.Z0004G7:1934568735

where 1934568735 is the CRVSN of the file being audited. For more information on the use of

the CRVSN with files, refer to the Open System Services Management and Operations Guide.

What Operations and Objects Are Audited

Table 37 (page 253) and Table 38 (page 255) provide a brief overview of the information logged

for audited OSS files and available through the SAFEART program. Table 39 (page 255) lists the

audited Guardian procedures that can be used from an OSS program.

Manipulating an audited Guardian file through OSS function calls and the /G directory also causes

log entries; the information logged for Guardian files is controlled by Guardian auditing policies

rather than by membership in an audited fileset. Similarly, manipulation of Guardian files through

Guardian procedure calls from an OSS program can be audited through Guardian policies, which

are not discussed in this guide.

NOTE: To determine which RVUs support an OSS function, see Appendix A: Documented OSS

Functions (page 438).

Table 37 OSS Function Calls Audited When Used With Audited Filesets

Attributes or Actions AuditedOSS Function

The value of the access_mode parameter.access()

Use on files in the /G directory is also audited.

The number of ACL entries and the value of each changed ACL entry before and after the

call.

acl()

For AF_UNIX sockets, the values of the access_mode parameter, the OSS user ID, group

ID, and rdev.

bind()

The values of the file mode before and after the call.chmod()

fchmod()

lchmod()

Security Auditing of OSS files 253