Audit Record Header Data Structure
The following data structure is used to store header information obtained from an audit record. This structure is normally only used by audit trail analysis and examination tools. That is, it is hidden from client/server applications.
typedef struct {
unsigned32 format;
uuid_t server;
unsigned32 event;
unsigned16
outcome;
unsigned16 authz_st;
uuid_t client;
uuid_t cell;
unsigned16 num_groups;
utc_t time;
char *addr;
uuid_t *groups;
} dce_aud_hdr_t;
format
Contains the version number of the tail format of the event used for the event-specific information. With this format version number, the audit analysis tools can
accommodate changes in the formats of the event-specific information. For example, the event-specific information of an event may initially be defined to be a 32-bit integer, and later changed to a
character string. Format version 0 (zero) is assigned to the initial format for each event.
server
Contains the UUID of the server that generates the audit record.
event
Contains the event number.
outcome
Indicates whether the event failed or succeeded. If the event failed, the reason for the failure is given.
authz_st
Indicates how the client is authorized: by a name or by a DCE Privilege Attribute Certificate (PAC).
client
Contains the UUID of the client.
cell
Contains the UUID of the client's cell.
num_groups
Contains the number of local group privileges the client used for access.
groups
Contains the UUIDs of the local group privileges that are used by the client for the access. By default, the group information is not be included in the header
(num_groups is set to 0 in this case), to minimize the size of the audit records. If the group information is deemed as important, it can be included.
Information about foreign groups (global groups that do not belong to the same cell where the client is registered) is not included in this version of audit header but may be included in later versions when global groups are supported.
time
Contains a timestamp of utc_t type that records the time when the server committed the audit record (that is, after providing the event information through audit
API function calls). Recording this time, rather than recording the time when the audit record is appended to an audit trail, will better maintain the sequence of events. The implementation of the
audit subsystem may involve communication between the server and a remote audit daemon, incurring indefinite delays by network problems or intruders. The inaccuracy in the utc_t timestamp
may be useful for correlating events. When searching for events in an audit trail that occur within a time interval, if the results of the comparisons between the time of an event and the interval's
starting and ending times is maybe (because of inaccuracies), then the event should be returned.
addr
Records the client's address (port address of the caller). Port addresses are not authenticated. A caller can provide a fraudulent port address to a DCE server. However,
if this unauthenticated port address is deemed to be useful information, a DCE server can record this information using this field.
The identity of the server cell is not recorded in the header, because of the assumption that all audit records in an audit trail are for servers within a single cell, and implicitly, the server cell is the local cell.