aud_audit_events(5sec)

Auditable events for the audit services

Description

Code is in place for auditing audit service-significant events. Among these events are:

Administrative operations
Filter operations

Event class definitions, together with filters, control the auditing execution at these code points. Filters can be updated dynamically. Filter files are maintained by a per-host audit daemon, and are shared among all the audit clients on the same host.

The dcecp command interface program is used to maintain the filters. (See the dcecp reference page.) The dcecp command is executable by all users and system administrators. Control over who is allowed to modify filters is exercised through the ACL of the audit daemon, which maintains the filters. The Audit Service RPC interfaces include audit_control and audit_filter operations.

Administrative Operations

The dce_audit_admin_modify and dce_audit_admin_query event classes lump together the administrative operations that are performed on the audit daemon. The dce_audit_admin_modify event class has the following events that modify the operation of the audit daemon:

EVT_MODIFY_STATE - Enables or disables the audit daemon for logging.
EVT_MODIFY_SSTRATEGY - Modifies storage strategy. This can be any of the following:
    Save - If the trail is full, back it up and rename it with a timestamp, then write on the original trail again.
    Wrap - If the trail is full, go back to the beginning of the file, overwriting previously written records.
EVT_REWIND - Rewinds the audit daemon's central trail file.
EVT_STOP - Stops the audit daemon.

Audit Code Points

The following are the audit code points in the Audit Service interfaces, with their event types, event classes, and any event-specific information:
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information

The dce_audit_admin_query event class has two events:

EVT_SHOW_SSTRATEGY - Shows the storage strategy.
EVT_SHOW_STATE - Shows the state of the audit daemon.

Following are the details of this event class:
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information

Filter Operations

The dce_audit_filter_modify and dce_audit_filter_query event classes are the filter operations that the audit daemon handles. The dce_audit_filter_modify event class has the following events:

EVT_ADD_FILTER - Adds a filter.
EVT_DELETE_FILTER - Removes all guides for a specific subject.
EVT_REMOVE_FILTER - Removes a specific guide for a specific subject.

Following are the details of this event class:
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information

The dce_audit_filter_query event class contains two events:

EVT_LIST_FILTER - Lists all subjects that have filters.
EVT_SHOW_FILTER - Shows all filters for a specific principal.

Following are the details of this event class:
Event Type (Event Number, Event Classes)
Event-Specific Information
Event Type (Event Number, Event Classes)
Event-Specific Information
aud_c_evt_info_long_int esl_type

Related Information

Command: dcecp(8dce)

Files: event_class(5sec)
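
The following is an added example, not part of the original reference page or of DCE itself. It reviews audit-service events for changes that weaken auditing (records exposed to overwrite, filters removed, periods with logging off), using the event names and classes listed above. The record layout (ts, principal, event, detail), the detail values "wrap", "enabled" and "disabled", and the sample records are assumptions constructed for illustration; the actual trail record format is not shown on this page.

```python
from collections import namedtuple

# Assumed record layout (not the DCE trail format): time, principal, event, detail.
Rec = namedtuple("Rec", "ts principal event detail")

# Event classes and their events, as listed on this page.
CLASSES = {
    "dce_audit_admin_modify": {"EVT_MODIFY_STATE", "EVT_MODIFY_SSTRATEGY", "EVT_REWIND", "EVT_STOP"},
    "dce_audit_admin_query": {"EVT_SHOW_SSTRATEGY", "EVT_SHOW_STATE"},
    "dce_audit_filter_modify": {"EVT_ADD_FILTER", "EVT_DELETE_FILTER",
                                "EVT_REMOVE_FILTER"},
    "dce_audit_filter_query": {"EVT_LIST_FILTER", "EVT_SHOW_FILTER"},
}
EVENT_CLASS = {e: c for c, events in CLASSES.items() for e in events}

def review(records):
    """Return (findings, blind_windows) for time-ordered records."""
    findings, windows, off_since = [], [], None
    for r in records:
        cls = EVENT_CLASS.get(r.event)
        if cls is None or cls.endswith("_query"):
            continue  # unrelated or read-only: nothing about auditing changed
        if r.event == "EVT_REWIND" or (r.event == "EVT_MODIFY_SSTRATEGY"
                                       and r.detail == "wrap"):
            findings.append((r.ts, r.principal, "earlier records may be overwritten"))
        elif r.event in ("EVT_DELETE_FILTER", "EVT_REMOVE_FILTER"):
            findings.append((r.ts, r.principal, "filter removed: " + r.detail))
        off = r.event == "EVT_STOP" or (r.event == "EVT_MODIFY_STATE"
                                        and r.detail == "disabled")
        on = r.event == "EVT_MODIFY_STATE" and r.detail == "enabled"
        if off and off_since is None:
            off_since = r.ts
        elif on and off_since is not None:
            windows.append((off_since, r.ts))
            off_since = None
    if off_since is not None:
        windows.append((off_since, None))  # logging still off at end of input
    return findings, windows

# Constructed sample records, for illustration only.
SAMPLE = [
    Rec(100, "admin_a", "EVT_SHOW_STATE", ""),
    Rec(120, "admin_b", "EVT_MODIFY_SSTRATEGY", "wrap"),
    Rec(130, "admin_b", "EVT_MODIFY_STATE", "disabled"),
    Rec(190, "admin_a", "EVT_MODIFY_STATE", "enabled"),
    Rec(200, "admin_b", "EVT_REMOVE_FILTER", "principal user1"),
    Rec(210, "admin_b", "EVT_STOP", ""),
]
if __name__ == "__main__": print(review(SAMPLE))
```

Query-class events are skipped because they do not change what is audited; the modify-class events are the ones worth forwarding off-host, since a rewind or a Wrap strategy can overwrite the trail that recorded them.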