Keeping Track of DCE Audit Denial Events
Original Publication Date: 1999-Dec-01
Included in the Prior Art Database: 2003-Jun-19
When adding support for forwarding Audit events to the Tivoli Event Console (TEC) Server, many events can be sent to the event server from different event sources within a DCE Cell. A method was required to alert the Tivoli administrator looking at the Tivoli Event Console of possible attempts at a security breach. Two different methods were devised to count the number of access denials that were encountered in a DCE cell. A DCE Audit denial event is generated because someone tried to create, access, modify, or delete a resource without the proper permissions.

The two methods used to count denial events are:

1. Keep track of the total number of DCE Audit Denial events in a given time interval, to alert the administrator if a group of audit denial events is received in a short period of time. This would detect a user who may try accessing resources many times in a short interval.

2. Keep track of the total number of DCE Audit Denial events from a specific client, to alert the administrator when a client has an excessive number of denials. This would detect a user who tries to access different resources over a long period of time from the same DCE user id.
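The two counting methods described above, sketched in Python as an added example (not code from the original disclosure or from Tivoli). The event shape `(timestamp, client)`, the class and function names, the thresholds, and the re-arm behaviour after a burst alert are all assumptions made for illustration.

```python
from collections import Counter, deque

class DenialTracker:
    """Counts DCE audit denial events two ways: per interval and per client."""

    def __init__(self, window_seconds, burst_threshold, client_threshold):
        self.window_seconds = window_seconds
        self.burst_threshold = burst_threshold
        self.client_threshold = client_threshold
        self.recent = deque()        # timestamps of denials inside the window
        self.per_client = Counter()  # running denial total per client
        self.flagged = set()         # clients already reported

    def observe(self, timestamp, client):
        """Record one denial event; return the alerts it triggers."""
        alerts = []
        # Method 1: total denials within the last window_seconds.
        self.recent.append(timestamp)
        while self.recent and timestamp - self.recent[0] >= self.window_seconds:
            self.recent.popleft()
        if len(self.recent) >= self.burst_threshold:
            alerts.append(("burst", len(self.recent), timestamp))
            self.recent.clear()  # re-arm so one burst yields one alert
        # Method 2: running total for this client, with no time limit.
        self.per_client[client] += 1
        if (self.per_client[client] >= self.client_threshold
                and client not in self.flagged):
            self.flagged.add(client)
            alerts.append(("client", client, self.per_client[client]))
        return alerts

def run(events, **limits):
    tracker = DenialTracker(**limits)
    return [a for ts, client in events for a in tracker.observe(ts, client)]

# Constructed sample: (seconds since start, DCE principal) per denial event.
SAMPLE_EVENTS = [
    (0, "alice"), (3600, "bob"), (7200, "bob"),      # sparse, slow denials
    (9000, "carol"), (9002, "carol"), (9004, "dave"), (9005, "carol"),  # burst
    (20000, "bob"), (40000, "bob"),                  # bob keeps trying
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, window_seconds=60,
                     burst_threshold=4, client_threshold=4):
        print(alert)
```

On the constructed sample, the interval counter fires on the four denials between t=9000 and t=9005, while the per-client counter fires on `bob`, whose four denials are spread too far apart for the interval counter to see.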