Enablement of User Defined DCE Audit Records

IP.com Disclosure Number: IPCOM000013479D
Original Publication Date: 1999-Dec-01
Included in the Prior Art Database: 2003-Jun-18
Document File: 2 page(s) / 60K

Publishing Venue

IBM

Related People

Woodrow Arkeketa: AUTHOR [+3]

Abstract

Distributed Computing Environment (DCE) has three services that are capable of providing audit records: DCE Security Service, DCE Distributed Time Service, and DCE Audit Service. Users can include audit code points in their own application servers to audit the requests made by their clients. When the DCE Event Adapter is shipped it does not know about these kinds of audit records. This disclosure addresses how user-defined audit records can be included so that an existing DCE Event Adapter implementation can recognize and process them as it does the default set of DCE Audit records. To enable the DCE event adapter to send user-written audit records, one should: define the event class under which the audit records are to be converted and sent, configure the node where the event adapter resides, and configure the event server to enable it to receive these new event classes.

This is the abbreviated version, containing approximately 52% of the total text.

To define other event classes, it is suggested that you look at the audit event classes that come with the DCE Event Adapter to see how they are defined.

The base audit event class has the following attributes (slots):

    TEC_CLASS:
        AuditEvent ISA EVENT
        DEFINES {
            source: default = "DCEAudit";
            aud_event_class_name: STRING;
            aud_event_class_number: STRING;
            aud_event_name: STRING;
            aud_event_number: STRING;
            aud_server: STRING;
            aud_client: STRING;
            aud_client_addr: STRING;
            aud_outcome: STRING;
            aud_authz_status: STRING;
            aud_time: STRING;
            aud_event_specific_info: STRING;
            aud_event_specific_more: STRING;
            aud_event_specific_items: LIST_OF STRING;
            aud_date_last_duplicate: STRING;
            aud_duplicate_data: LIST_OF STRING;
            aud_dup_data_length: INTEGER;
        };
    END

The TEC audit event classes are defined in the DCE Audit BAROC file, dce_audit.baroc. For example, the AS_Request event from DCE Security Service has the following TEC event class definition:

    TEC_CLASS:
        SecAuditEvent ISA AuditEvent
        DEFINES {
            sub_source: default = "Security Service";
        };
    END

    TEC_CLASS:
        SecAS_Request ISA SecAuditEvent
        DEFINES {
            aud_event_class_name: default = "dce_sec_authent";
            aud_event_class_number: default = "10";
            aud_event_name: default = "AS_Request";
            aud_event_number: default = "0x0101";
        };
    END

All new audit event classes would be defined in a similar fashion, based directly or indirectly on the AuditEvent class.
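The following is an added example, not part of the original disclosure or of any DCE or TEC tooling: a small Python check that parses BAROC class definitions like those above and reports whether a user-defined class derives from AuditEvent and inherits or sets defaults for the four identifying slots. The classes PayrollAuditEvent, Payroll_Update and Orphan_Event are hypothetical, and requiring those four slots is an assumption drawn from the SecAS_Request definition.

```python
import re

# Constructed sample: trimmed AuditEvent base, the page's Security Service
# classes, and hypothetical user-defined classes (names and values invented).
SAMPLE_BAROC = '''
TEC_CLASS: AuditEvent ISA EVENT DEFINES { source: default = "DCEAudit";
    aud_event_class_name: STRING; aud_event_class_number: STRING;
    aud_event_name: STRING; aud_event_number: STRING; }; END
TEC_CLASS: SecAuditEvent ISA AuditEvent DEFINES {
    sub_source: default = "Security Service"; }; END
TEC_CLASS: SecAS_Request ISA SecAuditEvent DEFINES {
    aud_event_class_name: default = "dce_sec_authent";
    aud_event_class_number: default = "10";
    aud_event_name: default = "AS_Request";
    aud_event_number: default = "0x0101"; }; END
TEC_CLASS: PayrollAuditEvent ISA AuditEvent DEFINES {
    sub_source: default = "Payroll Server"; }; END
TEC_CLASS: Payroll_Update ISA PayrollAuditEvent DEFINES {
    aud_event_class_name: default = "payroll_modify";
    aud_event_name: default = "Payroll_Update"; }; END
TEC_CLASS: Orphan_Event ISA EVENT DEFINES {
    aud_event_name: default = "Orphan"; }; END
'''

CLASS_RE = re.compile(
    r'TEC_CLASS\s*:\s*(\w+)\s+ISA\s+(\w+)\s+DEFINES\s*\{(.*?)\}\s*;\s*END', re.S)
DEFAULT_RE = re.compile(r'(\w+)\s*:\s*default\s*=\s*"([^"]*)"\s*;')
# Assumption: a leaf class fixes the same four slots SecAS_Request does.
ID_SLOTS = ("aud_event_class_name", "aud_event_class_number",
            "aud_event_name", "aud_event_number")

def parse_baroc(text):
    """Map class name -> (parent, {slot: default}) for every TEC_CLASS."""
    return {name: (parent, dict(DEFAULT_RE.findall(body)))
            for name, parent, body in CLASS_RE.findall(text)}

def check_class(classes, name):
    """Walk the ISA chain; report what keeps `name` from being a usable audit class."""
    chain, seen = [], set()
    while name in classes and name not in seen:   # stop at EVENT or on a cycle
        seen.add(name)
        chain.append(name)
        name = classes[name][0]
    merged = {}
    for cls in reversed(chain):                   # base first, subclasses override
        merged.update(classes[cls][1])
    problems = [] if "AuditEvent" in chain else ["not derived from AuditEvent"]
    return problems + [f"no default for {s}" for s in ID_SLOTS if s not in merged]
```

Running check_class over each new class before the definitions are loaded on the event server catches a class that would otherwise arrive with empty identifying slots or outside the AuditEvent hierarchy.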

The following steps are needed to configure the node where the DCE event adapter resides:

1. The event adapter should be disabled while making modifications.
2. Configure the AuditLogSource field in the event adapter configuration file. The AuditLogSource field in the DCE event adapter configuration file, dce_tec.conf, needs to point to the audit log file...