
Keeping Track of DCE Audit Denial Events

IP.com Disclosure Number: IPCOM000014322D
Original Publication Date: 1999-Dec-01
Included in the Prior Art Database: 2003-Jun-19
Document File: 2 page(s) / 42K

Publishing Venue

IBM

Related People

Woodrow Arkeketa: AUTHOR [+3]

Abstract

When adding support for forwarding Audit events to the *Tivoli Event Console (TEC) Server, many events can be sent to the event server from different event sources within a DCE Cell. A method was required to alert the Tivoli administrator looking at the Tivoli Event Console of possible attempts at a security breach. Two different methods were devised to count the number of access denials that were encountered in a DCE cell. A DCE Audit denial event is generated because someone tried to create, access, modify, or delete a resource without the proper permissions. The two methods used to count denial events are: (1) keep track of the total number of DCE Audit Denial events in a given time interval to alert the administrator if a group of audit denial events are received in a short period of time; this would detect a user who may try accessing resources many times in a short interval. (2) Keep track of the total number of DCE Audit Denial events from a specific client to alert the administrator when a client has an excessive number of denials; this would detect a user who, from the same DCE user id, tries to access different resources over a long period of time.

This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2

Keeping Track of DCE Audit Denial Events

When adding support for forwarding Audit events to the *Tivoli Event Console (TEC) Server, many events can be sent to the event server from different event sources within a DCE Cell. A method was required to alert the Tivoli administrator looking at the Tivoli Event Console of possible attempts at a security breach. Two different methods were devised to count the number of access denials that were encountered in a DCE cell. A DCE Audit denial event is generated because someone tried to create, access, modify, or delete a resource without the proper permissions. The two methods used to count denial events are:

1. Keep track of the total number of DCE Audit Denial events in a given time interval to alert the administrator if a group of audit denial events are received in a short period of time. This would detect a user who may try accessing resources many times in a short interval.

2. Keep track of the total number of DCE Audit Denial events from a specific client to alert the administrator when a client has an excessive number of denials. This would detect a user who, from the same DCE user id, tries to access different resources over a long period of time.

Keeping track of the total number of DCE Audit Denial events

This is done by generating a DCEAuditDenial event for each DCEAudit denial event encountered. The msg slot for the DCEAuditDenial event contains the string, "Number of denials: nnn.", where nnn is the number of denials encountered up to that time. The DCEAuditDenial event correlates a set of DCEAudit events with an outcome of "denial".

Keeping track of the total number of DCE Audit Denial events from a specific client

This is done by generating a DCEAuditClientDenial event for each DCEAudit denial event that is encountered. The sub_origin slot is used to contain the aud_client slot of the DCEAudit event. The msg slot for the DCEAuditClientDenial event contains the string, "(nnn) Denied client: xxxxx.", where nnn is the number of denials for xxxxx (xxxxx is the client identifier saved in...
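Both counting methods above, the interval count that feeds the DCEAuditDenial msg slot and the per-client count that feeds the DCEAuditClientDenial msg and sub_origin slots, as an added Python illustration that is not code from the disclosure or from TEC itself. The sample events, the timestamp field, the sliding-window length and the alert thresholds are assumptions; the disclosure only specifies the msg string formats and the slot mapping.

```python
from collections import Counter, deque

# Constructed DCEAudit-style events (not from the disclosure): one per access
# attempt, with a timestamp in seconds, the outcome, and the aud_client slot.
SAMPLE_EVENTS = [
    {"time": 0,   "outcome": "denial",  "aud_client": "/.:/alice"},
    {"time": 10,  "outcome": "success", "aud_client": "/.:/bob"},
    {"time": 20,  "outcome": "denial",  "aud_client": "/.:/alice"},
    {"time": 30,  "outcome": "denial",  "aud_client": "/.:/carol"},
    {"time": 400, "outcome": "denial",  "aud_client": "/.:/alice"},
]

class DenialTracker:
    """Correlates DCEAudit events with outcome "denial" into the two summary
    events described in the text; window length and thresholds are assumptions."""

    def __init__(self, window=60, window_threshold=3, client_threshold=2):
        self.window = window                  # length of the "short period" in seconds
        self.window_threshold = window_threshold
        self.client_threshold = client_threshold
        self.recent = deque()                 # timestamps of denials inside the window
        self.per_client = Counter()           # running denial count per aud_client

    def process(self, event):
        """Return the correlation events generated for one DCEAudit event."""
        if event["outcome"] != "denial":
            return []                         # only denials are counted
        now = event["time"]
        self.recent.append(now)
        while now - self.recent[0] > self.window:
            self.recent.popleft()             # drop denials older than the interval
        client = event["aud_client"]
        self.per_client[client] += 1
        interval_count = len(self.recent)
        client_count = self.per_client[client]
        return [
            {"class": "DCEAuditDenial",
             "msg": f"Number of denials: {interval_count}.",
             "alert": interval_count >= self.window_threshold},
            {"class": "DCEAuditClientDenial",
             "sub_origin": client,             # carries the aud_client slot
             "msg": f"({client_count}) Denied client: {client}.",
             "alert": client_count >= self.client_threshold},
        ]

def run(events=SAMPLE_EVENTS, **kwargs):
    """Feed events through a fresh tracker and return everything it generated."""
    tracker = DenialTracker(**kwargs)
    return [out for e in events for out in tracker.process(e)]
```

With the sample data, the third denial at t=30 trips the interval alert, alice trips the per-client alert on her second denial, and the denial at t=400 starts a fresh interval count of 1 while her client count keeps climbing.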