
dts_audit_events(5sec)

Auditable events for the time services

Description

Code is in place for auditing security-significant events in the Time Server. Among these events are:

Time Service processes

Clock readings

Global-set membership (in the Cell Service Profile)

Time Service attributes

Event class definitions, together with filters, control the auditing execution at these code points. Filters can be updated dynamically. Filter files are maintained by a per-host audit daemon, and are shared among all the audit clients on the same host. The dcecp command interface program is used to maintain the filters. (See the dcecp reference page.) The dcecp command is executable by all users and system administrators. Control over who is allowed to modify filters is exercised through the ACL of the audit daemon, which maintains the filters.

The Time Server RPC interfaces that manage the Time Service and request and provide the time include time_control, time_service, gbl_time_service, and time_provider.

Audit Code Points

The following topics describe the audit code points in the Time Service RPC interfaces, with their event types, event classes, and any event-specific information.

Control Interface (time_control) Operations

The CreateCmd( ) operation creates the Time Service as a server or a clerk. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_CREATE_CMD (0x200, dce_dts_mgt_modify)

Event-Specific Information
signed32 servType

The DeleteCmd( ) operation deletes the Time Service entity from the system where the command is entered. This command stops the process. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_DELETE_CMD (0x201, dce_dts_mgt_modify)

Event-Specific Information
None

The EnableCmd( ) operation starts the DTS entity on the local node. This command makes the server available to the network. The clockSet argument tells the Time Service whether or not to set the clock after the first synchronization. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_ENABLE_CMD (0x202, dce_dts_mgt_modify)

Event-Specific Information
signed32 clockSet

The DisableCmd( ) operation disables the Time Service by making it unavailable to the network. In the case of servers, it makes it unavailable to the RPC client trying to talk to it. For clerks, it stops synchronizing with servers. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_DISABLE_CMD (0x203, dce_dts_mgt_modify)

Event-Specific Information
None

The UpdateCmd( ) operation gradually adjusts the clock on the local node to the specified time. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_UPDATE_CMD (0x204, dce_dts_synch)

Event-Specific Information
utc_t old_time
utc_t new_time

The ChangeCmd( ) operation changes the epoch number on the server and optionally sets the time to a new time. These values are passed in the argument changeDir. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_CHANGE_CMD (0x205, dce_dts_synch)

Event-Specific Information
signed32 old_epoch
signed32 new_epoch
utc_t old_time
utc_t new_time

The SynchronizeCmd( ) operation causes the Time Service to synchronize immediately. If the argument clockSet is true, the clock is set to the new value after synchronization. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SYNCHRONIZE_CMD (0x206, dce_dts_synch)

Event-Specific Information
signed32 setClock

The AdvertiseCmd( ) operation adds (advertises) this Time Server node as a member of the global set in the Cell Services Profile. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_ADVERTISE_CMD (0x207, dce_dts_mgt_modify)

Event-Specific Information
None

The UnadvertiseCmd( ) operation removes (unadvertises) this Time Server node as a member of the set of global servers in the Cell Services profile. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_UNADVERTISE_CMD (0x208, dce_dts_mgt_modify)

Event-Specific Information
None

The SetDefaultCmd( ) operation, when an attribute with no accompanying value is passed, sets an attribute to its default value. The attribute type is passed in the setAttr argument. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SET_DEFAULT_CMD (0x209, dce_dts_mgt_modify)

Event-Specific Information
byte useDefault
signed32 attribute

The SetAttrCmd( ) operation, when an attribute and an accompanying value are passed, sets the attribute to the given value. The attribute type is passed in the setAttr argument and the attribute value in the AttrValue argument. The caller must have write access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SET_ATTR_CMD (0x20A, dce_dts_mgt_modify)

Event-Specific Information
signed32 attribute
signed32 attribute_type

The ShowAttrCmd( ) operation, when passed an attribute name, queries the Time Service for the attribute's value. The attribute value is passed back in the argument attrValue. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_ATTR_CMD (0x20B, dce_dts_mgt_query)

Event-Specific Information
signed32 attribute
signed32 attribute_type

The ShowAllCharsCmd( ) operation, when not passed a group name with the all value, queries the Time Service for the values of all the characteristic attributes and values. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_CHARS_CMD (0x20C, dce_dts_mgt_query)

Event-Specific Information
None

The ShowAllStatusCmd( ) operation, when passed the all status value, queries the Time Service for the values of all the status attributes. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_STATUS_CMD (0x20D, dce_dts_mgt_query)

Event-Specific Information
None

The ShowAllCntrsCmd( ) operation, when passed the all counters value, queries the Time Service for the values of all the counters. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_ALL_CNTRS_CMD (0x20E, dce_dts_mgt_query)

Event-Specific Information
None

The ShowLocServersCmd( ) operation, when passed the local servers value, queries the Time Service for the servers in the local set. A variable conformant array is used to return the set of local servers available. The size of the array transmitted over RPC is determined at run-time. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_LOC_SERVERS_CMD (0x20F, dce_dts_mgt_query)

Event-Specific Information
None

The ShowGblServersCmd( ) operation, when passed the global servers value, queries the Time Service for the servers in the global set. A variable conformant array is used to return the set of global servers available. The caller must have read access to the management interface.

Event Type (Event Number, Event Classes)
EVT_SHOW_GBL_SERVERS_CMD (0x210, dce_dts_mgt_query)

Event-Specific Information
None

Time Provider Interface (time_provider) Operations

Auditable events in the RPC-based Time Provider Program (TPP) interfaces are invoked by a Time Service daemon running as a server (in this case it makes an RPC client call to the TPP server).

The ContactProvider( ) operation sends an initial contact message to the TPP. The TPP server responds with a control message. This operation may cause modification of the time server's (not the provider's) clock and should be defined to be an auditable event in the time server. There is no access control in the provider for this operation, but the integrity of the messages is protected.

Event Type (Event Number, Event Classes)
EVT_CONTACT_PROVIDER (0x211, dce_dts_time_provider)

Event-Specific Information
None

The ServerRequestProviderTime( ) operation has the client send a request to the TPP for times. The TPP server responds with an array of time stamps obtained by querying the Time Provider hardware that it polls. There is no access control in the Time Provider for this operation, but the integrity of the message is protected.

Event Type (Event Number, Event Classes)
EVT_REQUEST_PROVIDER_TIME (0x212, dce_dts_time_provider)

Event-Specific Information
None
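
Example (added here; not part of the DCE documentation or code): a review pass over already-decoded audit records that uses the event numbers, event classes, and event-specific fields listed above to pick out clock steps, epoch changes, and denied management operations. The record layout (event, client, outcome, info), the "denial" outcome string, the ISO time strings standing in for utc_t, and the 5-second threshold are assumptions made for illustration.

```python
from datetime import datetime

# Event numbers grouped by event class, as listed on this page.
CLASSES = {
    "dce_dts_mgt_modify": {0x200, 0x201, 0x202, 0x203, 0x207, 0x208, 0x209, 0x20A},
    "dce_dts_synch": {0x204, 0x205, 0x206},
    "dce_dts_mgt_query": set(range(0x20B, 0x211)),
    "dce_dts_time_provider": {0x211, 0x212},
}
EVT_UPDATE_CMD, EVT_CHANGE_CMD = 0x204, 0x205

def event_class(number):
    """Return the event class for a DTS event number, or None if unlisted."""
    return next((c for c, nums in CLASSES.items() if number in nums), None)

def triage(records, max_step_seconds=5.0):
    """Return (client, reason) findings for records that deserve review."""
    findings = []
    for rec in records:
        cls, info = event_class(rec["event"]), rec.get("info", {})
        if cls is None:
            findings.append((rec["client"], "unlisted event number"))
            continue
        # Denied attempts on state-changing operations (not read-only queries).
        if rec["outcome"] == "denial" and cls in ("dce_dts_mgt_modify", "dce_dts_synch"):
            findings.append((rec["client"], "denied " + cls))
            continue
        # UpdateCmd and ChangeCmd carry old_time/new_time: measure the step.
        if rec["event"] in (EVT_UPDATE_CMD, EVT_CHANGE_CMD) and info.keys() >= {"old_time", "new_time"}:
            old = datetime.fromisoformat(info["old_time"])
            new = datetime.fromisoformat(info["new_time"])
            if abs((new - old).total_seconds()) > max_step_seconds:
                findings.append((rec["client"], "clock step over threshold"))
        # ChangeCmd also carries old_epoch/new_epoch.
        if rec["event"] == EVT_CHANGE_CMD and info.get("old_epoch") != info.get("new_epoch"):
            findings.append((rec["client"], "epoch changed"))
    return findings

# Constructed sample records (hypothetical layout, not the audit trail format).
SAMPLE = [
    {"event": 0x20B, "client": "alice", "outcome": "success", "info": {"attribute": 3}},
    {"event": 0x204, "client": "bob", "outcome": "success",
     "info": {"old_time": "2024-01-01T12:00:00", "new_time": "2024-01-01T12:00:01"}},
    {"event": 0x205, "client": "carol", "outcome": "success",
     "info": {"old_epoch": 0, "new_epoch": 1,
              "old_time": "2024-01-01T12:00:00", "new_time": "2024-01-01T13:00:00"}},
    {"event": 0x203, "client": "dave", "outcome": "denial"},
]
```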

Related Information
Commands:
aud(8dce)

audfilter(8dce)

dcecp(8dce)

advertise(8dts)

change(8dts)

create(8dts)

delete(8dts)

disable(8dts)

dts_intro(8dts)

dtsd(8dts)

enable(8dts)

exit(8dts)

help(8dts)

quit(8dts)

set(8dts)

show(8dts)

synchronize(8dts)

unadvertise(8dts)

update(8dts)

Files:
aud_audit_events(5sec)

event_class(5sec)

sec_audit_events(5sec)