OSF DCE Application Development Guide--Core Components

b. Write an audit record only if an operation in that event class failed because
of access denial.
c. If the first condition is fulfilled, write the audit record in an audit trail file
only.
The filter for all other users has the following filter guides:
a. Audit the events in both event classes, subject to the next condition.
b. Write an audit record if an operation in that event class succeeded or failed.
c. Write the audit record both in an audit trail file and the console.
The scenarios described here can be summarized as follows:
The programmer identifies the code points in the distributed application
corresponding to the audit events.
The programmer uses the audit API functions on those code points to enable
auditing.
The administrator creates event classes that are used to group the audit events.
The administrator creates filters to narrow down the conditions by which audit
records are written for the audit events.
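The two filters above can be read as a small decision table: guide (a) selects the event classes, guide (b) selects the outcomes that produce a record, and guide (c) selects the destinations. The following C program is an added example, not code from the DCE guide or from libaudit, and it does not call the real DCE audit API; it models only the filter decision. The event numbers, the class names CLASS_ACCOUNT and CLASS_QUERY, the principal name "operator", and the in-memory stand-in for the trail file are all constructed, and the first filter is assumed to cover both event classes because its first guide is not on this page.

```c
/* Added example, not from the DCE guide: a miniature model of the audit
 * filter evaluation (who, what, when, how) described in the scenario.
 * Event numbers, class names, the principal "operator" and the in-memory
 * trail are constructed for illustration only. */
#include <stdio.h>
#include <string.h>

typedef enum { OUTCOME_SUCCESS = 0, OUTCOME_FAILURE = 1, OUTCOME_DENIAL = 2 } outcome_t;

#define DEST_TRAIL   1u   /* write the record to the audit trail file */
#define DEST_CONSOLE 2u   /* write the record to the console */

#define CLASS_ACCOUNT 1u  /* hypothetical event class */
#define CLASS_QUERY   2u  /* hypothetical event class */

/* Event table: maps the application's audit event numbers to the event
 * classes the administrator grouped them into (constructed values). */
static unsigned event_class_of(unsigned event)
{
    switch (event) {
    case 0x100: case 0x101: return CLASS_ACCOUNT;  /* e.g. create/delete account */
    case 0x200:             return CLASS_QUERY;    /* e.g. read a balance */
    default:                return 0;              /* not in any class: never audited */
    }
}

typedef struct {
    const char *principal;  /* NULL = the filter for "all other users" */
    unsigned class_mask;    /* guide (a): which event classes are audited */
    unsigned outcome_mask;  /* guide (b): bit (1u << outcome) set => write a record */
    unsigned dest_mask;     /* guide (c): DEST_TRAIL and/or DEST_CONSOLE */
} filter_t;

/* The two filters of the scenario: the named principal is audited only on
 * access denial and only to the trail file (both classes assumed); everyone
 * else is audited on every outcome in both classes, to trail file and console. */
static const filter_t filters[] = {
    { "operator", CLASS_ACCOUNT | CLASS_QUERY, 1u << OUTCOME_DENIAL, DEST_TRAIL },
    { NULL, CLASS_ACCOUNT | CLASS_QUERY,
      (1u << OUTCOME_SUCCESS) | (1u << OUTCOME_FAILURE) | (1u << OUTCOME_DENIAL),
      DEST_TRAIL | DEST_CONSOLE },
};

/* Pick the filter for a principal: an exact match wins, otherwise the default. */
static const filter_t *select_filter(const char *principal)
{
    const filter_t *dflt = NULL;
    for (size_t i = 0; i < sizeof filters / sizeof filters[0]; i++) {
        if (filters[i].principal == NULL)
            dflt = &filters[i];
        else if (strcmp(filters[i].principal, principal) == 0)
            return &filters[i];
    }
    return dflt;
}

/* Returns the destination mask for one audited operation; 0 means no record. */
unsigned audit_decide(const char *principal, unsigned event, outcome_t outcome)
{
    unsigned cls = event_class_of(event);
    const filter_t *f = select_filter(principal);
    if (f == NULL || (f->class_mask & cls) == 0)  return 0;  /* guide (a) */
    if ((f->outcome_mask & (1u << outcome)) == 0) return 0;  /* guide (b) */
    return f->dest_mask;                                     /* guide (c) */
}

/* In-memory stand-in for the audit trail file, so the example runs offline. */
static unsigned trail_records = 0;

/* Applies the decision: count trail records, print console records. */
unsigned audit_emit(const char *principal, unsigned event, outcome_t outcome)
{
    unsigned dest = audit_decide(principal, event, outcome);
    if (dest & DEST_TRAIL)
        trail_records++;
    if (dest & DEST_CONSOLE)
        printf("audit: principal=%s event=0x%x outcome=%d\n", principal, event, (int)outcome);
    return dest;
}

unsigned audit_trail_count(void) { return trail_records; }

int main(void)
{
    audit_emit("operator", 0x100, OUTCOME_SUCCESS);  /* no record */
    audit_emit("operator", 0x100, OUTCOME_DENIAL);   /* trail file only */
    audit_emit("alice",    0x200, OUTCOME_SUCCESS);  /* trail file and console */
    audit_emit("alice",    0x300, OUTCOME_DENIAL);   /* event in no class: no record */
    printf("trail records: %u\n", audit_trail_count());
    return 0;
}
```

The order of the three checks mirrors the guides: an event that belongs to no administrator-defined class is never audited regardless of outcome, which is why the code point for each audit event must be placed in the application before the administrator's grouping can have any effect.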
Figure 33-2 illustrates the interactions among the audit client program, the audit API
functions (libaudit), the audit daemon (auditd), and the audit management interface
(available from the DCE control program, dcecp).
Figure 33-2. Overview of the DCE Audit Service
[Diagram, per machine: components audit client, audit API, auditd, auditcp and auditor; data stores trail files, filters (local files and auditd's in-core copy), event table and event class configuration files; labelled flows: filter updates, filter update notification, filter read/write, command i/f, stat/read, read/write, log to file, audit records, timestamps (filter files).]
The audit management interface (accessed through the DCE control program) is used by
the systems administrator to specify who, what, when, and how to audit. This is
accomplished through the use of filters. The audit daemon keeps the filter
information in its own address space. The filters are also stored in local files so that
they can be restored when the machine restarts, and so that audit clients can read the
filter information from these files.
3310 Tandem Computers Incorporated 124245