OSF DCE Administration Guide--Core Components
DCE Audit Service Administrative Tasks
l Log permission. Allows a principal to write audit records in the audit
trail file.
43.3.2 Initial ACL of the Audit Daemon
The initial ACL of a host’s audit daemon contains the following entries:
{unauthenticated -r--}
{user hosts/nodoz/self crwl}
{group subsys/dce/audit-admin crwl}
{any_other -r--}
The first entry allows any unauthenticated user only read access to the filters. The
second entry allows the host principal (hosts/<hostname>/self) to query and modify the
filters, control the audit daemon, and to write to the audit trail file. The third entry allows
the members of the group subsys/dce/audit-admin the same access rights as the host
principal. The last entry allows all other principals only read access to the filters. You
can modify this ACL to suit your security requirements by using dcecp.
43.3.3 Giving Permissions to Audit Clients and Administrators
Using dcecp, you can add entries to the ACL of the audit daemon that will grant audit
clients the log permission to the audit trail file. You can create a DCE security group that
consists of the servers on the host that are authorized to generate audit records. For
example:
group/hosts/<hostname>/audit-clients
Give this group the log permission to the audit daemon. For example:
dcecp> acl modify /.:/hosts/machine1/audit-server \
-add {group hosts/machine1/audit-clients l}
All audit clients can then be made members of this group and inherit its permissions to
the audit daemon.
ACL entries must also be added to grant designated administrators the read, query, and
control permissions to the audit daemon. For example, for the administrator’s group
group/hosts/machine1/audit-admin:
dcecp> acl modify /.:/hosts/machine1/audit-server \
-add {group hosts/machine1/audit-admin rwc}
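The following POSIX shell script is an added example, not part of the OSF DCE guide. It generates the dcecp commands described above for one host (machine1, as in the guide), refuses permission strings that contain letters outside the audit daemon's set (r, w, c, l), and offers a review function that scans acl show output for entries holding the log or control permission. The dcecp group create and acl show operations are used as I know them from the dcecp command set; they do not appear on this page. Piping the output into dcecp is the assumed way to apply it.

```shell
#!/bin/sh
# Added example (not from the OSF DCE guide). Builds the dcecp ACL changes for
# the audit daemon on one host and provides a review check for acl show output.

# Reject permission strings containing anything but the audit daemon's r, w, c, l.
valid_perms() {
    case "$1" in
        "") return 1 ;;
        *[!rwcl]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One 'acl modify ... -add {group ... perms}' line for host $1, group $2, perms $3.
acl_add_cmd() {
    host=$1; group=$2; perms=$3
    valid_perms "$perms" || return 1
    printf 'acl modify /.:/hosts/%s/audit-server -add {group hosts/%s/%s %s}\n' \
        "$host" "$host" "$group" "$perms"
}

# Complete dcecp script for one host: create the two groups, give audit clients
# the log permission, give administrators read, write and control, then show the
# resulting ACL so the change can be verified.
audit_acl_script() {
    h=$1
    printf 'group create hosts/%s/audit-clients\n' "$h"
    printf 'group create hosts/%s/audit-admin\n' "$h"
    acl_add_cmd "$h" audit-clients l
    acl_add_cmd "$h" audit-admin rwc
    printf 'acl show /.:/hosts/%s/audit-server\n' "$h"
}

# Review check: read acl show style entries ({type key perms}) on stdin and
# print those whose permission string grants l (write audit records) or
# c (control the daemon), so unexpected holders stand out.
privileged_entries() {
    tr -d '{}' | awk '{ perms = $NF; if (perms ~ /[cl]/) print $0 }'
}

# Usage (assumed): audit_acl_script machine1 | dcecp
#                  dcecp -c "acl show /.:/hosts/machine1/audit-server" | privileged_entries
```

The acl show output format assumed by privileged_entries is the brace-delimited entry form shown in the initial ACL above; entries such as {unauthenticated -r--} carry no l or c and are not reported.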
124243 Tandem Computers Incorporated 43−3