OSF DCE Application Development Guide--Core Components
Using the Audit API Functions
The audit_trail parameter is the trail descriptor returned by the earlier dce_aud_open()
call. The ard parameter is the audit record descriptor returned by the
dce_aud_start() call (and used in the dce_aud_put_ev_info() function call). The format
parameter specifies the format version number of the event-specific information. The
initial version number should be zero, and it should be incremented whenever the format
changes. For example, the data type used for account numbers might change from 32-bit
integer to UUID. The event outcome must be provided in this call, even if it has already
been provided in the earlier dce_aud_start() call. If an event outcome other than
aud_c_esl_cond_unknown is provided in both calls, the two values must be the same.
34.1.5 Closing an Audit Trail File
The audit trail file must be closed using the dce_aud_close() function when the
application shuts down (because of the rpc_mgmt_stop_server_listening() function
call or other exceptional conditions). For example, to close the trail, the bank server’s
main program can make the following function call:
dce_aud_close(audit_trail, &status);
This function flushes buffered audit records to stable storage and releases the memory
allocated for the trail descriptor.
34.2 Writing Audit Trail Analysis and Examination Tools
The audit APIs can be used to write audit trail analysis and examination tools that
selectively review the following:
• Events that are invoked by one or more subjects, for example, principals, groups, and
cells
• Events that have a specific outcome
• Events that occurred during a specified time period
• Events that have specific event IDs
In its most basic form, an audit trail analysis and examination tool must perform five
functions:
• Open an audit trail file for reading
• Read the audit records into a buffer
• Transform the audit records into human-readable form
• Discard the audit record
• Close the audit trail file
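The five steps above, modelled as an added example that is not from the guide and does not call the DCE audit library: rec_t, trail_t, filter_t, review() and the sample records are hypothetical, constructed stand-ins. It applies the four selection criteria listed earlier (subject, outcome, time period, event ID) and frees each record once it has been rendered as text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical in-memory model of an audit record and trail; not the DCE types. */
typedef struct { unsigned event_id; const char *principal; int outcome; long when; } rec_t;
typedef struct { const rec_t *recs; size_t n, pos; } trail_t;
/* Selection criteria; 0, NULL or -1 in a field means "do not filter on it". */
typedef struct { unsigned event_id; const char *principal; int outcome; long from, to; } filter_t;
enum { OUT_SUCCESS = 0, OUT_DENIAL = 1 };   /* constructed outcome codes */
/* Constructed sample trail (not real audit data). */
static const rec_t SAMPLE[] = {
    { 0x101, "alice", OUT_SUCCESS, 1000 }, { 0x102, "bob", OUT_DENIAL, 1500 },
    { 0x101, "bob",   OUT_DENIAL,  2000 }, { 0x101, "bob", OUT_DENIAL, 9000 },
};
static int matches(const rec_t *r, const filter_t *f) {
    if (f->event_id && r->event_id != f->event_id) return 0;
    if (f->principal && strcmp(r->principal, f->principal) != 0) return 0;
    if (f->outcome >= 0 && r->outcome != f->outcome) return 0;
    return !(f->from && r->when < f->from) && !(f->to && r->when > f->to);
}
/* Read: heap copy of the next matching record; NULL at end of trail or if malloc fails. */
static rec_t *next_rec(trail_t *t, const filter_t *f) {
    while (t->pos < t->n && !matches(&t->recs[t->pos], f)) t->pos++;
    if (t->pos == t->n) return NULL;
    rec_t *copy = malloc(sizeof *copy);
    if (copy) *copy = t->recs[t->pos++];
    return copy;
}
/* Runs the five steps; out needs outsz >= 1. Returns the number of matching records. */
size_t review(const rec_t *recs, size_t n, const filter_t *f, char *out, size_t outsz) {
    trail_t t = { recs, n, 0 };                      /* 1. open for reading */
    size_t hits = 0, used = 0;
    for (rec_t *r; (r = next_rec(&t, f)) != NULL; hits++) {   /* 2. read */
        int w = snprintf(out + used, outsz - used, "event=0x%x principal=%s outcome=%s time=%ld\n",
                         r->event_id, r->principal,  /* 3. transform to text */
                         r->outcome == OUT_SUCCESS ? "success" : "denial", r->when);
        if (w > 0 && (size_t)w < outsz - used) used += (size_t)w;
        free(r);                                     /* 4. discard, or the tool leaks */
    }
    out[used] = '\0';                                /* drop a line that did not fit */
    t.recs = NULL;                                   /* 5. close */
    return hits;
}

int main(void) {
    filter_t f = { 0x101, "bob", OUT_DENIAL, 1000, 5000 };
    char buf[256];
    printf("%zu match(es)\n%s", review(SAMPLE, 4, &f, buf, sizeof buf), buf);
    return 0;
}
```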
124245 Tandem Computers Incorporated 34−5