HP UX Auditing System Extensions Writing a DPMS service module, Best practices, Service Provider Interfaces (SPIs), DPMS service module implementation

sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"

This copies /var/.audit/my_trail to a remote system, assuming that is what the given script intends to do.

Writing a DPMS service module

The Audit Data Process Module Switch (Audit DPMS) framework offers the ability to selectively access audit data in various formats through a set of common programming interfaces. It provides a layer of separation between applications that need to extract information from audit data source and the underlying modules that have the knowledge about the internal data format. For more information,

see audit_dpms(5).

The framework allows Audit DPMS service modules to be plugged in to handle the data in any format. The service modules are a set of dynamically loadable objects invoked by the Audit DPMS API to handle a particular type of audit data and format. Currently, HP-UX provides three DPMS service modules to handle reading and writing from and to HP-UX raw audit data, reading and writing from and to HP-UX portable audit data, and writing to XML format data. For more information, see audit_hpux_raw(5), audit_hpux_portable(5), and audit_hpux_xml(5), respectively.

You can develop new DPMS service modules to plug into the Audit DPMS framework to handle audit data from a source in another format. This section describes how to write a DPMS service module.

Service Provider Interfaces (SPIs)

A new DPMS service module must support the Audit DPMS Application Programming Interfaces (APIs) (for example, audit_dpms_start(3), audit_dpms_end(3), audit_dpms_read_event(3), and audit_dpms_write_event(3)) by implementing the corresponding DPMS service module Service Provider Interfaces (SPIs) (audit_dpm_start(3), audit_dpm_end(3), audit_dpm_read_event(3), and audit_dpm_write_event(3)). The Audit DPMS interface library is the layer implementing the APIs, while the Audit DPMS service modules implement the APIs for different audit record formats. For more information about the Audit DPMS APIs, see audit_dpms_api(3). For more information about the Audit DPMS SPIs, see

audit_dpms_spi(3).

A new DPMS service module can make use of the Audit DPMS interface to allow an application to register a set of filtering rules where only the audit events that meet the filtering criteria are returned to the caller. This interface is provided entirely within the DPMS switch; DPMS modules therefore do not provide a plug-in for this interface. For the grammar of the filtering rules, see

audit_dpms_filter(4).

DPMS service module implementation

A sample DPMS service module will be available on a future release of the AudReport product.

Best practices

Although best practices must be developed by each individual organization based on their particular environment, there are some general best practices that can be universally applied. This section contains best practices to provide guidance for making decisions as part of the planning stage.

19