OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

541

542

543

544

545

546

547

548

549

550

DCE Audit Service

2. The administrator decides to create two event classes: the

account_creation_operations class comprised of acct_open() and acct_close(),

and the account_balance_operations class comprised of acct_withdraw(),

acct_deposit( ), and acct_transfer( ). The administrator assigns the event class

account_creation_operations the event class number 0xC0000006. Event class

account_balance_operations is assigned the event class number 0xC0000007.

To create the event classes, the administrator creates and edits two ﬁles, one for

each event class. The name of each of these ﬁles will be the same as the event

class that each represents. Each ﬁle will contain the numbers of the events in each

event class.

The ﬁle with the name account_creation_operations is edited as follows (lines

that begin with # (number sign) are comment lines):

# Event class number of account_creation_operations

ECN = 0xC0000006

# Event number of acct_open()

0xC1000000

# Event number of acct_close()

0xC1000001

The ﬁle with the name account_balance_operations is edited as follows:

# Event number of acct_withdraw()

0xC1000002

# Event number of acct_deposit()

0xC1000003

# Event number of acct_transfer()

0xC1000004

The administrator stores both ﬁles in the dcelocal/etc/audit/ec directory.

3. The administrator decides to create two ﬁlters: one for all users within the cell (for

the cell /.:/torolabcell), and the other for all other users.

The ﬁlter for all users within the cell has the following guides:

• Audit the events in the event class account_balance_operations only, subject

to the next condition.

• Write an audit record only if an operation in that event class failed because of

access denial.

• If the ﬁrst condition is fulﬁlled, write the audit record in an audit trail ﬁle only.

• The administrator then uses the DCE control program’s audﬁlter create

command to create this ﬁlter:

dcecp> audﬁlter create {cell /.../torolabcell} -attribute \

{account_balance_operations denial log}

124243 Tandem Computers Incorporated 42− 13