OSF DCE Administration Guide--Core Components

DCE Audit Service
2. The administrator decides to create two event classes: the
account_creation_operations class comprised of acct_open() and acct_close(),
and the account_balance_operations class comprised of acct_withdraw(),
acct_deposit(), and acct_transfer(). The administrator assigns the event class
account_creation_operations the event class number 0xC0000006. Event class
account_balance_operations is assigned the event class number 0xC0000007.
To create the event classes, the administrator creates and edits two files, one for
each event class. The name of each of these files will be the same as the event
class that each represents. Each file will contain the numbers of the events in each
event class.
The file with the name account_creation_operations is edited as follows (lines
that begin with # (number sign) are comment lines):

    # Event class number of account_creation_operations
    ECN = 0xC0000006
    # Event number of acct_open()
    0xC1000000
    # Event number of acct_close()
    0xC1000001

The file with the name account_balance_operations is edited as follows:

    # Event class number of account_balance_operations
    ECN = 0xC0000007
    # Event number of acct_withdraw()
    0xC1000002
    # Event number of acct_deposit()
    0xC1000003
    # Event number of acct_transfer()
    0xC1000004

The administrator stores both files in the dcelocal/etc/audit/ec directory.
3. The administrator decides to create two filters: one for all users within the cell (for
the cell /.:/torolabcell), and the other for all other users.
The filter for all users within the cell has the following guides:

    - Audit the events in the event class account_balance_operations only,
      subject to the next condition.
    - Write an audit record only if an operation in that event class failed
      because of access denial.
    - If the first condition is fulfilled, write the audit record in an audit
      trail file only.

The administrator then uses the DCE control program's audfilter create
command to create this filter:

    dcecp> audfilter create {cell /.../torolabcell} -attribute \
    {account_balance_operations denial log}
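
The following added example, which is not part of the OSF guide or of DCE itself, parses the event class file format shown in step 2 and applies the step 3 guide to constructed events. The function names, the "success" outcome label, and the matching model (class membership plus an exact match on the condition) are assumptions made for illustration.

```python
# Added example (not OSF/DCE code): parse the event class file format shown
# in step 2 and evaluate the step 3 guide against constructed sample events.

def parse_event_class(text):
    """Return (ecn, set_of_event_numbers) from an event class file body."""
    ecn, events = None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if line.upper().startswith("ECN"):
            key, sep, value = line.partition("=")
            if key.strip().upper() != "ECN" or not sep or ecn is not None:
                raise ValueError(f"line {lineno}: bad or duplicate ECN line")
            ecn = int(value.strip(), 16)
        else:
            events.add(int(line, 16))             # ValueError on junk input
    if ecn is None:
        raise ValueError("event class file has no ECN line")
    return ecn, events

# File bodies constructed from the class and event numbers given in step 2.
CLASS_FILES = {
    "account_creation_operations": "ECN = 0xC0000006\n0xC1000000\n0xC1000001\n",
    "account_balance_operations":
        "# balance operations\nECN = 0xC0000007\n"
        "0xC1000002\n0xC1000003\n0xC1000004\n",
}
CLASSES = {name: parse_event_class(body) for name, body in CLASS_FILES.items()}

def filter_actions(guide, event_number, outcome):
    """Assumed model of a guide (class, condition, action): return the set of
    actions taken for one event, or an empty set if the guide does not apply."""
    event_class, condition, action = guide
    _, members = CLASSES[event_class]
    if event_number in members and outcome == condition:
        return {action}
    return set()

# The guide from step 3: {account_balance_operations denial log}
GUIDE = ("account_balance_operations", "denial", "log")

if __name__ == "__main__":
    # Constructed events: (event number, outcome)
    for ev, outcome in [(0xC1000002, "denial"), (0xC1000002, "success"),
                        (0xC1000000, "denial")]:
        print(hex(ev), outcome, sorted(filter_actions(GUIDE, ev, outcome)))
```

Only the denied acct_withdraw() event produces a log action; a successful withdrawal and a denied acct_open() fall outside the guide, which is the coverage gap an administrator should confirm is intended before relying on this filter alone.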
124243 Tandem Computers Incorporated 42 13