Auditing Objects by Name in AIX
Original Publication Date: 1992-Jan-01
Included in the Prior Art Database: 2005-Mar-21
Steves, DH: AUTHOR [+2]
Disclosed is a mechanism for auditing operating system objects by name in a UNIX* based operating system, such as AIX**. This mechanism provides either greater specificity or more efficiency than other existing mechanisms, and also provides the non-circumventability property of a reference monitor.
Auditing Objects by Name in AIX
a mechanism for auditing operating system
objects by name in a UNIX* based operating system, such as AIX**.
This mechanism provides either greater specificity or more efficiency
than other existing mechanisms, and also provides the
non-circumventability property of a reference monitor.
one of the two basic mechanisms used to implement
security in operating systems. Auditing provides detective security
based on user accountability. All auditing systems define the event
types which may be recorded in the audit trail on a per-user basis.
The granularity with which event types are defined is crucial to the
effectiveness of an auditing system, since this definition determines
for which actions a user may be held accountable.
types of actions are generally considered to be
- use of the system authentication mechanism
- access to objects
- administrative actions
- production of printed material
- security-relevant events, such as failed log-ins and
Of these, the
second is the most common type of event and the
most important, since it is directly related to the principal
function of most computer systems - that is, to store and transform
information. But auditing access to objects is also the most
difficult in a UNIX-based system, due to two factors. First, file
accesses (files are the predominant type of object in a UNIX system)
- normally read and write - are made via file descriptors and not by
name. Processes can perform several operations on file descriptors,
including bequeathing them to a child process or sending them to an
unrelated process, and these operations can be used to mask the real
'perpetrator' of an access. Second, auditing characteristics are not
file system information and so could not be stored in the file
itself. Instead, it would be considered as meta-information and this
information is stored in inodes separate from the actual file, and
these inodes exist only when the file itself exists. If the file is
transitory or if the file is updated by replacement and not in place,
then the inode used for a file will constantly change and the
auditing characteristics would be lost.
There are several methods that have been used
in the past to
audit objects. The most common method is to require that all
filesystem events be recorded in the audit trail, and this
information is then pieced together afterwards to determine object
accesses. This method will work, but it is extremely inefficient,
both in writing the audit trail and in processing the audit trail.
This method requires that every file creation, file open, file read,
file write, file descriptor control and file close operation be
audited. In addition, each process creation must be audited.
Moreover, in a system which supports sockets for inter-...