
Real Time Audit Trail Mechanism in AIX

IP.com Disclosure Number: IPCOM000122540D
Original Publication Date: 1991-Dec-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 2 page(s) / 86K

Publishing Venue

IBM

Related People

Steves, DH: AUTHOR [+2]

Abstract

Disclosed is a mechanism for providing real-time auditing in a UNIX*-based operating system. Real-time auditing allows a Trusted Program to read audit records as they are generated by the actions of users. This capability can be used to implement interactive auditing tools which allow for instantaneous processing of audit events such as real-time threat monitors. Real-time threat monitoring is a major requirement for higher levels of security.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Real Time Audit Trail Mechanism in AIX

      Disclosed is a mechanism for providing real-time auditing
in a UNIX*-based operating system. Real-time auditing allows a
Trusted Program to read audit records as they are generated by the
actions of users. This capability can be used to implement
interactive auditing tools which allow for instantaneous processing
of audit events such as real-time threat monitors. Real-time threat
monitoring is a major requirement for higher levels of security.

      In audit subsystems found in today's operating systems, the
audit records are written by the audit logger in the kernel to one or
more files. These files are later joined to form an audit trail, and
this audit trail is later analyzed for potential or actual security
problems. The AIX** operating system supports such a collection
mechanism, which can be described as asynchronous auditing, but AIX
also provides synchronous auditing in the sense that it enables
applications to read audit records as they are created.

      The disclosed mechanism uses the device subsystem as a basis. A
special audit pseudo-device is provided with the system. The audit
device is a multiplexed device driver permitting multiple opens of
the same device, but each successive open allocates and uses a
logically separate channel to that device. (This facility is similar
to the clone devices in other variants of UNIX.) It is worth noting
that the I/O device subsystem was used due to the fact that it does
support blocking reads.

      For each open of the audit device, it is possible to specify
which subset of generated audit records are to be returned. The
record selection is done using the system audit class definition
mechanism. Briefly, audit classes are defined as mappings from a
symbolic name (for the class) to a set of audit event types. Audit
classes are not logically discrete (an event type may be in more than
one class) nor do they partition the audit event types (an event type
may not be defined in any class). Only event types in the specified
classes are returned on the audit device channel for an open.
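The following model of the multiplexed audit device and its class-based record selection is an added example, not code from the disclosure or from AIX. The class definitions and event type names are constructed for illustration; the model shows one event type appearing in two classes, one in none, and each open receiving only the records its selected classes cover.

```python
import queue
from typing import Dict, Set, List, Optional

# Audit classes as symbolic name -> set of audit event types. These definitions
# are constructed for the example; PROC_Execute is in two classes, FS_Mount in none.
AUDIT_CLASSES: Dict[str, Set[str]] = {
    "general": {"USER_Login", "USER_Logout", "PROC_Execute"},
    "objects": {"FILE_Open", "FILE_Unlink", "PROC_Execute"},
}

class AuditChannel:
    """One open of the audit pseudo-device: its own selection and its own record queue."""
    def __init__(self, classes: List[str]) -> None:
        unknown = set(classes) - AUDIT_CLASSES.keys()
        if unknown:
            raise ValueError(f"undefined audit class(es): {sorted(unknown)}")
        # The channel receives the union of the event types of the selected classes.
        self.selected: Set[str] = set().union(*(AUDIT_CLASSES[c] for c in classes))
        self._queue: "queue.Queue[dict]" = queue.Queue()

    def read(self, timeout: Optional[float] = None) -> Optional[dict]:
        """Read the next record; blocks like the real device until one arrives (or timeout)."""
        try:
            return self._queue.get(timeout=timeout)
        except queue.Empty:
            return None

class AuditDevice:
    """Multiplexed device: each open allocates a logically separate channel."""
    def __init__(self) -> None:
        self._channels: List[AuditChannel] = []

    def open(self, classes: List[str]) -> AuditChannel:
        ch = AuditChannel(classes)
        self._channels.append(ch)
        return ch

    def close(self, ch: AuditChannel) -> None:
        self._channels.remove(ch)

    def log(self, event_type: str, **fields) -> int:
        """Kernel audit logger: copy the record to every channel whose selection covers it."""
        record = {"event": event_type, **fields}
        delivered = 0
        for ch in self._channels:
            if event_type in ch.selected:
                ch._queue.put(record)
                delivered += 1
        return delivered
```

Calling `read()` with no timeout blocks the caller until the logger delivers a matching record, which is the behaviour the disclosure relies on the device subsystem for.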

      For each channel, the audit devi...