
Administrator Tasks

The administrator uses the event numbers representing the different code points in the audit client application server program to create event class files and filter guides in the following manner:

1. The administrator obtains the event numbers of the code points (representing each audit event) from the application server programmer. In our example, these code points were assigned the following event numbers:

Code point            Event number
acct_open( )          0x01000000
acct_close( )         0x01000001
acct_withdraw( )      0x01000002
acct_deposit( )       0x01000003
acct_transfer( )      0x01000004

(Note that event numbers should be entirely sequential. That is, no missing members of the sequence are allowed.)

2. The administrator decides to create two event classes: the account_creation_operations class comprised of acct_open( ) and acct_close( ), and the account_balance_operations class comprised of acct_withdraw( ), acct_deposit( ), and acct_transfer( ). The administrator assigns the event class account_creation_operations the event class number 0xC0000006. Event class account_balance_operations is assigned the event class number 0xC0000007.

To create the event classes, the administrator creates and edits two files, one for each event class. The name of each of these files will be the same as the event class that each represents. Each file will contain the numbers of the events in each event class.

The file with the name account_creation_operations is edited as follows (lines that begin with # (number sign) are comment lines):

# Event class number of account_creation_operations
ECN = 0xC0000006

# Event number of acct_open( )
0xC1000000

# Event number of acct_close( )
0xC1000001

The file with the name account_balance_operations is edited as follows:

# Event class number of account_balance_operations
ECN = 0xC0000007

# Event number of acct_withdraw( )
0xC1000002

# Event number of acct_deposit( )
0xC1000003

# Event number of acct_transfer( )
0xC1000004

The administrator stores both files in the dcelocal/etc/audit/ec directory.
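As an added example (not part of the DCE documentation), the following Python checker parses event class files in the format shown above and applies the note from step 1. It assumes the format is exactly as displayed here (lines beginning with # are comments, one ECN = line, then one event number per line) and that the "entirely sequential" rule applies to the event numbers of all classes taken together, as in this example.

```python
import re

# Constructed copies of the two event class files from step 2, in the format
# this page shows: '#' comments, one 'ECN = <hex>' line, one event number per line.
ACCOUNT_CREATION = """\
# Event class number of account_creation_operations
ECN = 0xC0000006
0xC1000000
0xC1000001
"""
ACCOUNT_BALANCE = """\
# Event class number of account_balance_operations
ECN = 0xC0000007
0xC1000002
0xC1000003
0xC1000004
"""
HEX = r"0x[0-9A-Fa-f]+"

def parse_event_class(text):
    """Return (event_class_number, [event_numbers]) for one event class file; a
    missing or repeated ECN line or a malformed entry (e.g. ')xC0000007') raises."""
    ecn, events = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.fullmatch(rf"ECN\s*=\s*({HEX})", line)
        if m:
            if ecn is not None:
                raise ValueError(f"line {lineno}: second ECN line")
            ecn = int(m.group(1), 16)
        elif re.fullmatch(HEX, line):
            events.append(int(line, 16))
        else:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
    if ecn is None:
        raise ValueError("no ECN line")
    return ecn, events

def check_sequential(classes):
    """Apply the note in step 1 across all classes: the event numbers must form
    one contiguous run with no gaps or duplicates. Returns the sorted numbers."""
    nums = sorted(n for _, evs in classes for n in evs)
    if not nums or len(set(nums)) != len(nums):
        raise ValueError("empty or duplicated event numbers")
    expected = list(range(nums[0], nums[0] + len(nums)))
    if nums != expected:
        gaps = sorted(set(expected) - set(nums))
        raise ValueError("gap in event numbers: " + ", ".join(map(hex, gaps)))
    return nums
```

Running the checker over both files before copying them into dcelocal/etc/audit/ec catches a mistyped ECN value or a skipped event number that the audit daemon would otherwise reject or misinterpret.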

3. The administrator decides to create two filters: one for all users within the cell (for the cell /.:/torolabcell), and the other for all other users.

The filter for all users within the cell has the following guides:

· Audit the events in the event class account_balance_operations only, subject to the next condition.

· Write an audit record only if an operation in that event class failed because of access denial.

· If the first condition is fulfilled, write the audit record in an audit trail file only.

The administrator then uses the DCE control program's audfilter create command to create this filter:

dcecp> audfilter create {cell /.../torolabcell} -attribute \
>{account_balance_operations denial log}
dcecp>

The filter for all other users has the following guides:

· Audit the events in both event classes, subject to the next condition.

· Write an audit record if an operation in that event class succeeded, failed, or failed because of access denial.

· Write the audit record both in an audit trail file and the console.

Following is the dcecp session for creating this filter:

dcecp> audfilter create world -attribute \
>{account_balance_operations,account_creation_operations alarm,log all}
dcecp>

DCE Audit Service Administrative Tasks provides detailed information about the DCE control program's audfilter create command.