OSF DCE Administration Guide--Core Components
DCE Audit Service
When Alice invokes events in the critical_transactions event class, the principal filter
(filter 1) is applicable because its key matches Alice’s identity. The principal filter is
more specific than the cell filter. Although the cell filter (filter 2) is also applicable to
Alice (Alice belongs to cell X), it is overridden by the principal filter because the cell
filter is overridable. For other principals in Company (cell) X, the only applicable filter is
the cell filter (filter 2). Thus, these same events will cause an audit record to be logged
and also raise an alarm.
Nonoverridable world and cell filters are also useful. Without them, an administrator would,
for example, have to delete all filters for the groups and principals of a cell in order to
make a cell-wide filter effective for the whole cell. (System administrators may want to
introduce a temporary nonoverridable cell filter when a cell is suspected to be the source
of a security problem.)
The following figure illustrates the override relations between different types of filters.
An arrow from filter type X to filter type Y means that X overrides Y.
Figure 42-2. Override Relations Between Filter Types (figure not reproduced; it shows the filter types principal, foreign_principal, group, foreign_group, cell, world, cell_overridable and world_overridable, connected by arrows labeled "overrides")
DCE groups are generally defined for the purpose of granting access permissions. A
group filter specifies auditing the intent to use the group’s privileges, instead of
specifying auditing the principals that belong to the group. That is, a group filter would
not have auditing effects on a member principal of the group unless the principal has the
intent to use the group’s privileges (by including the group in the PAC). Because group
filters are defined to audit the intention of using a group’s privileges, they are
independent of other filters and are not overridable.
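To make the override rules above concrete, here is a small model of them in Python. It is an added example, not code from the DCE guide or the DCE software: the Filter and Identity types, their field names and the sample filters are assumed or constructed, and it treats an overridable world filter the same way as an overridable cell filter.

```python
from dataclasses import dataclass

# Assumed model of DCE audit filters (not the real filter format). Filter types:
# "principal", "group", "cell", "world"; cell/world filters carry an overridable flag.
@dataclass(frozen=True)
class Filter:
    ftype: str            # "principal" | "group" | "cell" | "world"
    key: str              # principal, group or cell name; "" for world
    event_class: str      # e.g. "critical_transactions"
    actions: frozenset    # e.g. {"log", "alarm"}
    overridable: bool = True   # only meaningful for cell and world filters

@dataclass(frozen=True)
class Identity:
    principal: str
    cell: str
    pac_groups: frozenset = frozenset()   # groups whose privileges the PAC invokes

def applicable(f, who, event_class):
    """A filter applies when its event class and its key match the identity."""
    if f.event_class != event_class:
        return False
    return {"principal": f.key == who.principal,
            "group": f.key in who.pac_groups,   # intent to use the group's privileges
            "cell": f.key == who.cell,
            "world": True}[f.ftype]

def resolve(filters, who, event_class):
    """Filters that take effect after applying the override relations."""
    hits = [f for f in filters if applicable(f, who, event_class)]
    has_principal = any(f.ftype == "principal" for f in hits)
    kept = []
    for f in hits:
        # A matching principal filter overrides overridable cell/world filters.
        if f.ftype in ("cell", "world") and f.overridable and has_principal:
            continue
        kept.append(f)   # group filters are independent and never overridden
    return kept

def effective_actions(filters, who, event_class):
    """Union of the actions of every filter that takes effect."""
    return frozenset().union(*(f.actions for f in resolve(filters, who, event_class)))

# Constructed scenario mirroring the text: Alice in cell X, filter 1 and filter 2.
FILTERS = [
    Filter("principal", "alice", "critical_transactions", frozenset({"log"})),            # filter 1
    Filter("cell", "X", "critical_transactions", frozenset({"log", "alarm"}), True),      # filter 2
    Filter("group", "auditors", "critical_transactions", frozenset({"alarm"})),
]
ALICE, BOB = Identity("alice", "X"), Identity("bob", "X")
```

Adding a nonoverridable cell filter for X (overridable=False) makes its actions apply to Alice as well, which is the temporary lock-down case the text mentions.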
42.3.7 Audit Trail File
The audit trail file contains all the audit records that are written by the audit daemon.
You can specify either a central audit trail file or a local audit trail file.
The central audit trail file is created by the audit daemon when it is started. By default, if
the dce_aud_open() function does not specify a name for an audit trail file, all audit
records are sent to the audit daemon, which stores them in the central audit trail file.
If the dce_aud_open() function is invoked with a name for the trail file, this name
becomes the pathname to the local audit trail file and all audit records are sent to that file.
124243 Tandem Computers Incorporated 42−9