sec_audit_events(5sec)

Auditable events for the security services

Description

Code is in place for auditing security-significant events in the security server. Among these events are

· Attempts at invoking Authentication Server/Ticket-granting Server/Privilege Server (AS/TGS/PS) operations.

· Deletion of security server objects, including

- ACLs

- accounts

- PGO (principal, group, and organization) items

- registry properties

- registry/organization policies

- registry master key

· Attempts at invoking an operation that modifies security server objects or updates an ACL.

· Attempts at invoking operations that involve access control.

· Failed client responses to the server's challenge, detected replays, and invalid ticket requests.

· The usage of cryptographic keys in the RPC runtime.

· Attempts at changing the maintenance/operation states of the registry server.

Event class definitions, together with filters, control auditing at these code points. Filters can be updated dynamically. Filter files are maintained by a per-host audit daemon and are shared among all the audit clients on the same host. The dcecp command interface program is used to maintain the filters. (See the dcecp reference page.) The dcecp command can be run by all users and system administrators; control over who is allowed to modify filters is enforced through the ACL of the audit daemon that maintains the filters.

Security server RPC interfaces include krb5rpc, rdaclif, rdacliftmp, rpriv, rs_acct, rs_query, rs_rpladmn, rs_update, rsec_cert, and secidmap. All of these RPC interfaces are offered using the rpc_c_authn_dce_secret authentication service. The security server's RPC runtime uses dce-rgy as its authentication identity. Within the same process, the security server's UDP/IP interface provides Kerberos AS/TGS functions, with krbtgt/cell_name as its authentication identity.

Audit Code Points

The following topics describe the audit code points in the Security Service interfaces, with their event types, event classes, and any event-specific information.

More:

Authentication Interface (krb5rpc) Operations

DACL Management Interface (rdaclif) Operations

Privilege Server Interface (rpriv) Operations

Registry Server Account Interface (rs_acct) Operations

Registry Miscellaneous Operation Interface (rs_misc) Operations

Registry PGO Interface (rs_pgo) Operations

Registry Policy Interface (rs_policy) Operations

Registry Administration Interface Operations

Registry Server Attributes Manipulation Interface (rs_attr) Operations

Registry Server Attributes Schema Manipulation Interface (rs_attr_schema) Operations

Version 1.1 Privilege Server Manager Interface (rpriv_v1_1) Operations

Related Information