HP-UX Auditing System Extensions manual: Writing a DPMS service module, Best practices

Page 19

sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"

This copies /var/.audit/my_trail to the remote host hostname, assuming that is what the rcp_audit_trail script does. Because the auditing system invokes the command with its own privileges, the script (and the directory that holds it) must be owned by root and not writable by any other user; otherwise anyone able to edit the script can run arbitrary commands with those privileges every time the auditing system invokes it.

Writing a DPMS service module

The Audit Data Process Module Switch (Audit DPMS) framework offers the ability to selectively access audit data in various formats through a set of common programming interfaces. It provides a layer of separation between applications that need to extract information from an audit data source and the underlying modules that know the internal data format. For more information, see audit_dpms(5).

The framework allows Audit DPMS service modules to be plugged in to handle data in any format. The service modules are a set of dynamically loadable objects that the Audit DPMS API invokes to handle a particular type and format of audit data. Currently, HP-UX provides three DPMS service modules: one that reads and writes HP-UX raw audit data, one that reads and writes HP-UX portable audit data, and one that writes XML-format data. For more information, see audit_hpux_raw(5), audit_hpux_portable(5), and audit_hpux_xml(5), respectively.

You can develop new DPMS service modules to plug into the Audit DPMS framework to handle audit data from a source in another format. This section describes how to write a DPMS service module.

Service Provider Interfaces (SPIs)

A new DPMS service module must support the Audit DPMS Application Programming Interfaces (APIs) (for example, audit_dpms_start(3), audit_dpms_end(3), audit_dpms_read_event(3), and audit_dpms_write_event(3)) by implementing the corresponding DPMS service module Service Provider Interfaces (SPIs) (audit_dpm_start(3), audit_dpm_end(3), audit_dpm_read_event(3), and audit_dpm_write_event(3)). The Audit DPMS interface library is the layer that implements the APIs and dispatches each call to the module selected for the data source; the Audit DPMS service modules implement the SPIs for their particular audit record formats. For more information about the Audit DPMS APIs, see audit_dpms_api(3). For more information about the Audit DPMS SPIs, see audit_dpms_spi(3).

Applications can also use the Audit DPMS filtering interface to register a set of filtering rules so that only the audit events meeting the filtering criteria are returned to the caller. This interface is implemented entirely within the DPMS switch, so a new service module does not provide (and does not need) a plug-in for it: the module returns every event it reads, and the switch discards the events that do not match. For the grammar of the filtering rules, see audit_dpms_filter(4).

DPMS service module implementation

A sample DPMS service module will be made available in a future release of the AudReport product.
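Until that sample ships, the following added example (written for this page; it is not HP-UX code and not the sample module referred to above) models the two points made under "Service Provider Interfaces (SPIs)": an application calls a format-neutral API, the switch dispatches each call to the SPI entry points of the module registered for the data format, and filtering is done inside the switch rather than in the module. Every type, function and data format in it is hypothetical: the `switch_*` functions stand in for the audit_dpms_*(3) API, the function pointers in `struct dpm_module` stand in for the audit_dpm_*(3) SPIs, and the "line" format and its records are constructed for the example. The real signatures are in audit_dpms_api(3) and audit_dpms_spi(3).

```c
/* Added illustration, not HP-UX code: a simplified model of the Audit DPMS switch.
 * Real entry points are documented in audit_dpms_api(3) and audit_dpms_spi(3);
 * every type and function here is hypothetical.  "switch_*" functions stand in
 * for the audit_dpms_*(3) API an application calls; the pointers in struct
 * dpm_module stand in for the audit_dpm_*(3) SPI a service module implements. */
#include <stdio.h>
#include <string.h>

struct dpms_event {            /* hypothetical format-neutral event returned to callers */
    int  event_id;             /* constructed event type number */
    int  uid;                  /* user the event is attributed to */
    char name[16];             /* short event name, e.g. "login" */
};

struct dpm_module {            /* hypothetical SPI table a service module registers */
    const char *format;                                  /* e.g. "hpux_portable" */
    void *(*start)(const char *source);                  /* like audit_dpm_start(3) */
    int   (*read_event)(void *h, struct dpms_event *ev); /* like audit_dpm_read_event(3): 1 event, 0 end, -1 error */
    int   (*end)(void *h);                               /* like audit_dpm_end(3) */
};

/* A toy module for a constructed "line" format: one record per line,
 * "<event_id>,<uid>,<name>".  Only the module knows this layout. */
struct line_handle { const char *cur; };
static struct line_handle line_h;                        /* one session at a time, for brevity */
static void *line_start(const char *source) { line_h.cur = source; return &line_h; }
static int line_end(void *h) { (void)h; return 0; }

static int line_read_event(void *h, struct dpms_event *ev)
{
    struct line_handle *lh = h;
    char buf[64];
    const char *nl;
    size_t len;

    if (lh->cur == NULL || *lh->cur == '\0') return 0;   /* end of data */
    nl  = strchr(lh->cur, '\n');
    len = nl ? (size_t)(nl - lh->cur) : strlen(lh->cur);
    if (len >= sizeof buf) return -1;                    /* malformed: record too long */
    memcpy(buf, lh->cur, len);
    buf[len] = '\0';
    lh->cur = nl ? nl + 1 : lh->cur + len;               /* advance past this record */
    return sscanf(buf, "%d,%d,%15s", &ev->event_id, &ev->uid, ev->name) == 3 ? 1 : -1;
}

static const struct dpm_module line_module = { "line", line_start, line_read_event, line_end };
static const struct dpm_module *registry[] = { &line_module };   /* modules known to the switch */

/* The switch.  Filtering lives here, so modules carry no filtering code. */
struct dpms_session {
    const struct dpm_module *mod;
    void *mh;                  /* handle returned by the module's start routine */
    int   filter_uid;          /* -1 = no filter; stand-in for an audit_dpms_filter(4) rule */
};

static const struct dpm_module *find_module(const char *format)
{
    size_t i;
    for (i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i]->format, format) == 0) return registry[i];
    return NULL;
}

int switch_supports_format(const char *format) { return find_module(format) != NULL; }

/* Open a session: select the module for the format, then call its start SPI. */
int switch_start(struct dpms_session *s, const char *format, const char *source)
{
    s->mod = find_module(format);
    s->mh = s->mod ? s->mod->start(source) : NULL;
    s->filter_uid = -1;
    return s->mh ? 0 : -1;
}

void switch_set_filter_uid(struct dpms_session *s, int uid) { s->filter_uid = uid; }
int  switch_end(struct dpms_session *s) { return s->mod->end(s->mh); }

/* Returns 1 with the next event passing the filter, 0 at end of data, -1 on module error. */
int switch_read_event(struct dpms_session *s, struct dpms_event *ev)
{
    int rc;
    while ((rc = s->mod->read_event(s->mh, ev)) == 1)
        if (s->filter_uid < 0 || ev->uid == s->filter_uid) return 1;
    return rc;                 /* non-matching events were dropped inside the switch */
}

/* Application code: counts one uid's events without knowing the data format.
 * Returns -1 if the module rejects the source or reports a malformed record. */
int count_events(const char *source, int uid)
{
    struct dpms_session s;
    struct dpms_event ev;
    int n = 0, rc;

    if (switch_start(&s, "line", source) != 0) return -1;
    switch_set_filter_uid(&s, uid);
    while ((rc = switch_read_event(&s, &ev)) == 1) n++;
    switch_end(&s);
    return rc < 0 ? -1 : n;
}

/* Constructed sample data, not a real HP-UX audit trail. */
static const char *SAMPLE = "101,0,login\n205,1001,open\n101,1001,login\n300,0,setuid\n";

int main(void)
{
    printf("events for uid 1001: %d\n", count_events(SAMPLE, 1001));
    printf("\"xml\" module registered: %d\n", switch_supports_format("xml"));
    return 0;
}
```

The point to carry over to a real module is the division of labour: the module's read routine returns every record it can parse and reports a malformed one as an error instead of silently skipping it, while event selection, the part an application configures through filtering rules, is done once in the switch. A module that quietly dropped records it could not parse would give the caller an incomplete trail with no indication that anything was lost.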

Best practices

Although each organization must develop its own best practices based on its particular environment, some general best practices apply universally. This section presents those practices as guidance for the decisions made during the planning stage.
