Query: sec_audit_events
OS: hpux
Section: 5
Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar
sec_audit_events(5) sec_audit_events(5)NAMEsec_audit_events - Auditable events for the security servicesDESCRIPTIONCode is in place for auditing security-significant events in the Security Server. Among these events are Attempts at invoking Authentica- tion Server/Ticket-granting Server/Privilege Server (AS/TGS/PS) operations. Deletion of Security Server objects, including ACLs accounts pgo items registry properties registry/organization policies registry master key Attempts at invoking an operation that modifies Security Server objects or updates an ACL. Attempts at invoking operations that involve access control. Failed client responses to the server's challenge, detected replays and invalid ticket requests. The usage of cryptographic keys in the RPC runtime. Attempts at chang- ing the maintenance/operation states of the registry server. Event class definitions, together with filters, control the auditing execution at these code points. Filters can be updated dynamically. Filter files are maintained by a per-host audit daemon, and are shared among all the audit clients on the same host. The dcecp command interface program is used for maintaining the filters. (See the dcecp reference page.) The dcecp command is executable by all users and system administrators. The control on who is allowed to modify filters is done through the audit daemon's ACL, which maintains the fil- ters. Security Server RPC interfaces include krb5rpc, rdaclif, rdacliftmp, rpriv, rs_acct, rs_query, rs_rpladmn, rs_update, and rsec_cert. All the RPC interfaces are offered using the rpc_c_authn_dce_secret authentication service. The Security Server's RPC runtime uses dce-rgy as its authentication identity. Within the same process, the security server's UDP/IP interface provides Kerberos AS/TGS functions, with krbtgt/cell_name as its authentication identity. The following are the audit code points in these Security Service interfaces, with their Event Types, Event Classes, and any Event-Specific Information. Authentication Interface (krb5rpc) Operations The rsec_krb5rpc_sendto_kdc() function is an RPC interface operation for accessing Kerberos AS/TGS services. Ticket-granting tickets and application tickets are requested and returned. There is no access control on this interface other than what is within the Kerberos Ticket-granting mechanism itself; that is, the TGS request verification. AS_Request (0x101, dce_sec_authent) None TGS_TicketReq (0x102, dce_sec_authent) None TGS_RenewReq (0x103, dce_sec_authent) None TGS_ValidateReq (0x104, dce_sec_authent) None DACL Management Interface (rdaclif) Operations The rdacl_lookup() operation retrieves an ACL of an object in the Security Server. Review of ACL associated with an object in Security Server is allowed if the caller has any access to the object. ACL_Lookup (0x105, dce_sec_control, dce_sec_query) char *component_name uuid_t manager_type sec_acl_type_t acl_type The rdacl_replace() operation replaces the ACL of an object in the Security Server. The client must have the sec_acl_perm_owner permission for the update to be carried out. ACL_Replace (0x106, dce_sec_control, dce_sec_modify) char *component_name uuid_t man- ager_type sec_acl_type_t acl_type sec_acl_list_t old_acl_list sec_acl_list_t new_acl_list The rdacl_get_access() operation determines the caller's access to a specified object. This call is authorized if the caller has any access to the object. ACL_GetAccess (0x107, dce_sec_control, dce_sec_query) char *component_name uuid_t manager_type sec_acl_permset_t net_rights The rdacl_test_access() operation determines if the caller has the requested access. The return value of the call indicates whether the caller has the requested access to the object. ACL_TestAccess (0x108, dce_sec_control, dce_sec_query) char *component_name uuid_t manager_type sec_acl_permset_t desired_permset The rdacl_get_manager_types() operation lists the types (UUIDs) of ACLs protecting an object. The caller must have some permissions on the object for each of the manager types that is defined for the object. Otherwise, no manager type is returned. ACL_GetMgrTypes (0x10A, dce_sec_control, dce_sec_query) char *component_name sec_acl_type_t acl_type The rdacl_get_referral() operation obtains a referral to an ACL update site. This function is used when the current ACL site yields a sec_acl_site_readonly error. Some replication managers will require all updates for a given object to be directed to a given replica. Clients of the generic ACL interface may know they are dealing with an object that is replicated in this way. This function allows them to recover from this problem and rebind to the proper update site. The client is required to have execute access on the parent of the object named by component_name. ACL_GetReferral (0x10B, dce_sec_control, dce_sec_query) char *component_name uuid_t manager_type sec_acl_type_t sec_acl_type Privilege Server Interface (rpriv) Operations The rpriv_get_ptgt() operation returns a privilege certificate to the Ticket-granting service. The caller supplies the group set, and the Privilege Server seals the group set in the authorization portion of a privilege Ticket-granting ticket, after first rejecting any groups that are not legitimately part of the caller credentials. A group will be rejected if the caller is not a member of the group, or the group is not allowed on project lists (the projlist_ok flag is not set). There is no access control on this interface other than what was within the Kerberos Ticket-granting mechanism itself; that is, the TGS request verification. This call may result in growth of potential access set. Note that this is a pre-DCE 1.1 routine. PRIV_GetPtgt (0x10C, dce_sec_authent, dce_sec_control) char *string client_address unsigned16 num_groups /* Number of local groups in PAC */ uuid_t groups /* num_groups local groups in PAC */ Registry Server Account Interface (rs_acct) Operations The rs_acct_add() operation adds an account with a specified login name. The caller needs to have m, a, and u (mgmt_info, auth_info, and user_info) permissions on the principal of the account that is to be added. The constituent principal, group, and organization (PGO) items for an account must be added before the account can be created. Also, the principal must have been added as a member of the specified group and organization. ACCT_Add (0x10D, dce_sec_control, dce_sec_modify) char *login_name sec_rgy_acct_key_t key_parts The rs_acct_delete() operation deletes an account with a specified login name. The caller needs to have m, a, and u (mgmt_info, auth_info, and user_info) permissions on the principal of the account that is to be deleted. ACCT_Delete (0x10E, dce_sec_control, dce_sec_modify) char *login_name The rs_acct_rename() operation changes the account login name. The caller has to have the m (mgmt_info) permission on the account's prin- cipal to be renamed (old_login_name.pname). ACCT_Rename (0x10F, dce_sec_control, dce_sec_modify) char *old_login_name char *new_login_name The rs_acct_lookup() operation returns data for a specified account. The caller must have the r (read) permission according to the ACL of the account's principal in order to be viewed. ACCT_Lookup (0x110, dce_sec_control, dce_sec_query) char *login_name The rs_acct_replace() operation replaces both the user and administrative information in the account record specified by the input login name. The administrative information contains limitations on the account's use and privileges. The user information contains such infor- mation as the account home directory and default shell. The administrative information can only be modified by a caller with the a (auth_info) privilege for the account's principal. The user information can be modified by a caller with the u (user_info) privileges for the account's principal. ACCT_Replace (0x111, dce_sec_control, dce_sec_modify) char *login_name unsigned32 key_parts The rs_acct_get_projlist() operation returns members of the project list for the specified account. This operation requires the caller to have the r (read) permission on the account principal for which the project list data is to be returned. ACCT_GetProjlist (0x112, dce_sec_control, dce_sec_query) char login_name Registry Miscellaneous Operation Interface (rs_misc) Operations The rs_login_get_info() operation returns login information for the specified account. This information is extracted from the account's entry in the registry database. This operation requires the caller to have the r (read) permission on the account's principal from which the data is to be returned. LOGIN_GetInfo (0x113, dce_sec_control, dce_sec_query) char *login_name Registry PGO Interface (rs_pgo) Operations The rs_pgo_add() operation adds a PGO item to the registry database. This operation requires the caller to have the i (insert) permission on the parent directory in which the PGO item is to be created. PGO_Add (0x114, dce_sec_control, dce_sec_modify) sec_rgy_domain_t name_domain char *pgo_name The rs_pgo_delete() operation deletes a PGO item from registry database. Any account depending on the deleted PGO item is also deleted. The deletion operation requires the caller to have the d (delete) permission on the parent directory that contains the PGO item to be deleted and the D (Delete_object) permission on the PGO item itself. PGO_Delete (0x115, dce_sec_control, dce_sec_modify) sec_rgy_domain_t name_domain char *pgo_name The rs_pgo_replace() operation replaces the data associated with a PGO item in the registry database. The caller needs to have the m (mgmt_info) permission on the PGO item, if quota, flags, or unix_num is being set. (Only a cell principal's unix_num is modifiable.) The caller needs to have the f (fullname) permission to modify the fullname of the PGO item. PGO_Replace (0x116, dce_sec_control, dce_sec_mod- ify) sec_rgy_domain_t name_domain char *pgo_name The rs_pgo_rename() operation renames a PGO item in the registry database. The caller needs to have the n (name) permission on the old name of the PGO item, if performing a rename within a directory. In order to move a PGO item between directories, the caller needs to have the n (name) permission on the old name of the PGO item as well as the d (delete) permission on the old parent directory and the i (insert) permission on the new parent directory in which the PGO item is being added under the new name. PGO_Rename (0x117, dce_sec_control, dce_sec_modify) sec_rgy_domain_t name_domain char *old_name char *new_name The rs_pgo_get() operation returns the name and data for a PGO item. The desired item is identified by a query key, which can be a name, a uuid, a unix_num, or a sequential-search flag. The caller needs to have the r (read) permission on the PGO item to be viewed. PGO_Get (0x118, dce_sec_control, dce_sec_query) sec_rgy_domain_t name_domain rs_pgo_query_key_t key /* The query key and one of the following */ /* depending on the query key specified: */ case (key == rs_pgo_query_name) char *name /* Name of the item being searched */ case (key == rs_pgo_query_id) uuid_t id_key /* uuid of the item being searched */ case (key == rs_pgo_query_unix_num) unsigned32 unix_num /* unix_num of item being searched */ case (key == rs_pgo_query_next) char *scope /* Scope of item being searched */ The rs_pgo_key_transfer() operation performs a specified key transfer between the uuid, unix_num, and name of a PGO item. The caller needs to have some permission on the PGO item for id->name and unix_num->name transfers. PGO_KeyTransfer (0x119, dce_sec_control) sec_rgy_domain_t name_domain rs_pgo_query_key_t key /* The query key */ /* One of the following, depending on the query /* key specified: */ case (key == rs_pgo_query_name) char *name /* Name of the item being searched */ case (key == rs_pgo_query_id) uuid_t id_key /* uuid of the item being searched */ case (key == rs_pgo_query_unix_num) unsigned32 unix_num /* unix_num of item being searched */ unsigned32 requested_result_type The rs_pgo_add_member() operation adds a member to a group or an organization. The caller must have the M (Member_list) permission on the group or organization. Additionally, if this call is for adding a group member, the caller must have the g (groups) permission on the principal to be added. PGO_AddMember (0x11A, dce_sec_control, dce_sec_modify) sec_rgy_domain_t name_domain char *person_name /* Principal's name */ char *go_name /* Group or organization's name */ The rs_pgo_delete_member() operation deletes a principal from a group or an organization in the registry database. The caller must have the M (Member_list) permission on the group or organization. Note that the caller does not need to have the g (groups) permission when deleting the principal from a group. PGO_DeleteMember (0x11B, dce_sec_control, dce_sec_modify) sec_rgy_domain_t name_domain char *per- son_name /* Principal's name */ char *go_name /* Group or organization's name */ The rs_pgo_is_member() operation tests whether a specified principal is a member of a specified group or organization. The caller must have t (test) permission on the group or organization. PGO_IsMember (0x11C, dce_sec_control, dce_sec_query) sec_rgy_domain_t name_domain char *person_name /* Principal's name */ char *go_name /* Group or organization's name */ The rs_pgo_get_members() operation, if the specified domain is group or organization, lists the members of a specified group or organiza- tion. If the domain is principal, list the groups in which the principal is a member. The caller must have the r (read) permission on the principal, group, or organization. PGO_GetMembers (0x11D, dce_sec_control, dce_sec_query) sec_rgy_domain_t name_domain char *go_name /* PGO's uuid */ Registry Policy Interface (rs_policy) Operations The rs_properties_get_info() operation returns a list of registry properties. The caller must have the r (read) permission on the policy object from which the property information is to be returned. PROP_GetInfo (0x11E, dce_sec_control, dce_sec_query) None The rs_properties_set_info() operation sets the registry properties. The caller must have the m (mgmt_info) permission on the policy object for which the property information is to be set. PROP_SetInfo (0x11F, dce_sec_control, dce_sec_modify) None The rs_policy_get_info() operation returns the policy for a specified organization or the registry (if no organization name is specified). The caller must have the r (read) permission on the policy object or organization item from which the data is to be returned. Note that the rs_policy_get_effective() operation uses the same audit event (POLICY_GetInfo) as the rs_policy_get_info() operation. POLICY_GetInfo (0x120, dce_sec_control, dce_sec_query) char *organization The rs_policy_set_info() operation sets the policy for a specified organization or the registry (if no organization name is specified). The caller must have the m (mgmt_info) permission on the policy object or organization item for which the data is to be set. POLICY_Set- Info (0x121, dce_sec_control, dce_sec_modify) char *organization The rs_auth_policy_get_info() operation returns the authentication policy for a specified account or the registry (if no account is speci- fied). The caller must have the r (read) permission on the policy object or account's principal from which the data is to be returned. AUTHPOLICY_GetInfo (0x122, dce_sec_control, dce_sec_query) char *account The rs_auth_policy_get_effective() operation returns the effective authentication policy for an account. If no account is specified, the authentication policy for the registry is returned. The caller must have the r (read) permission on the policy object of the registry. If an account is specified, the caller must also have r (read) permission on the account's principal. No new event is defined for this opera- tion. AUTHPOLICY_GetInfo is used here. The rs_auth_policy_set_info() operation sets the authentication policy for an account or the registry (if no account is specified). The caller must have the a (auth_info) permission on the account's principal or policy object of the registry. AUTHPOLICY_SetInfo (0x123, dce_sec_control, dce_sec_modify) char *account Registry Administration Interface Operations The rs_rep_admin_stop() operation directs the registry server to stop servicing remote procedure calls. The caller must have A (Admin) permission on the registry policy object. REPADMIN_Stop (0x124, dce_sec_control, dce_sec_server) None The rs_rep_admin_maint() operation directs the registry server into (checkpoint the database, close files, and so on) or out of maintenance state. The caller must have A (Admin) permission on the registry policy object. REPADMIN_Maint (0x125, dce_sec_control, dce_sec_server) boolean in_maintenance The rs_rep_admin_mkey() operation directs the registry to change its master key and re-encrypt account keys using the new master key. The caller must have A (Admin) permission on the registry policy object. REPADMIN_Mkey (0x126, dce_sec_control, dce_sec_server) None The rs_rep_admin_destroy() operation directs the registry server replica to destroy its database and exit. The caller must have A (Admin) permission on the registry policy object. REPADMIN_Destroy (0x127, dce_sec_control, dce_sec_server) None The rs_rep_admin_init_replica() operation directs the registry server to (re-)initialize the slave identified by rep_id. This is a master server only operation. The caller must have A (Admin) permission on the registry policy object. REPADMIN_Init (0x128, dce_sec_control, dce_sec_server) char *rep_id_str The rs_rep_admin_set_sw_rev() operation directs the master registry server to update the current security software version and begin sup- porting the security features appropriate for that version. If the master is successful, the version update is propagated to all replicas and any replicas that cannot support the new software version will shut down. This is a master-only operation. The caller must have A (Admin) permission on the registry policy object. REPADMIN_SetSwRev (0x13A, dce_sec_control, dce_sec_server) unsigned long software_ver- sion Registry Server Attributes Manipulation Interface (rs_attr) Operations The rs_attr_update() operation updates (writes/creates) an attribute. The caller must have, for each attribute defined in attr_keys, the query_permset permission on the registry object specified. ERA_Update (0x12B, dce_sec_control, dce_sec_modify) char * component_name unsigned32 int num_to_write uuid in_attrs[num_to_write].attr_id The rs_attr_delete() operation deletes a specified attribute(s). The caller must have delete_permset permission for each attribute speci- fied. ERA_Delete (0x12C, dce_sec_control, dce_sec_modify) char * component_name unsigned32 num_to_delete uuid attrs[num_to_delete].attr_id The rs_attr_lookup_by_id() operation performs a lookup of the attributes by attribute type ID. If the number of query attribute keys is 0, this operation will return all attributes that the caller is authorized to use. The caller must have, for each attribute specified, the query_permset permission on the registry object specified. ERA_LookupById (0x12E, dce_sec_control) char * component_name unsigned32 int num_attr_keys uuid attr_keys[num_attr_keys].attr_id The rs_attr_lookup_no_expand() operation performs a lookup of the attributes by attribute type ID without expanding attribute sets to their constituent member attributes. If the number of query attribute keys is 0, this operation will return all attributes that the caller is authorized to use. The caller must have, for each attribute specified, the query_permset permission on the registry object specified. ERA_LookupNoExpand (0x12F, dce_sec_control) char * component_name unsigned32 int num_attr_keys uuid attr_keys[num_attr_keys].attr_id The rs_attr_lookup_by_name() operation performs a lookup of an attribute by name. The caller must have, for the attribute specified, query_permset permission on the registry object specified. ERA_LookupByName (0x12G, dce_sec_control) char * component_name char * attr_name Registry Server Attributes Schema Manipulation Interface (rs_attr_schema) Operations The rs_attr_schema_create_entry() operation creates a new schema entry. The caller must be authorized to add entries to the specified schema. ERA_SchemaCreate (0x131, dce_sec_control, dce_sec_modify) char * schema_name char * schema_entry->attr_name uuid schema_entry->attr_id The rs_attr_schema_delete_entry() operation deletes a schema entry. The caller must be authorized to delete schema entries. ERA_SchemaDelete (0x132, dce_sec_control, dce_sec_modify) char *schema_name uuid attr_id The rs_attr_schema_update_entry() operation updates the modifiable fields of a schema entry. The caller needs to have m (mgmt_info) per- missions on the schema entry that is to be modified. ERA_SchemaUpdate (0x133, dce_sec_control, dce_sec_modify) char * schema_name uuid schema_entry->attr_id The rs_attr_schema_lookup_by_id() operation retrieves the schema entry identified by the attribute type uuid. The caller must have r (read) permissions on the schema entry specified. ERA_SchemaLookupId (0x134, dce_sec_control) char * schema_name uuid attr_id The rs_attr_schema_lookup_by_name() operation retrieves the schema entry identified by the attribute name. The caller must have r (read) permissions on the schema entry specified. ERA_SchemaLookupName (0x135, dce_sec_control) char * schema_name char * attr_name Version 1.1 Privilege Server Manager Interface (rpriv_v1_1) Operations The rpriv_get_eptgt() operation constructs and returns an extended privilege certificate to the ticket_granting service. The caller sup- plies the extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The procedure by which the requested privilege attributes are verified depends on how the call is authenticated and whether the request is "local" (that is, is a request from a client in this Privilege Server's cell) or is "intercell" (that is, is from a foreign privilege service). If the request is local, then the ticket to the Privilege Server is based on a Kerberos V5 TGT and the requested_privs consists of a single encoded EPAC. The Privilege Server decodes the requested_privs and verifies that the requested privileges are valid by performing the nec- essary database queries. If the request is foreign, then the ticket to the privilege service is based on a DCE EPTGT and the Privilege Server retrieves the EPAC seal from the DCE authorization data contained in the ticket, and uses it to verify that the requested privileges are valid. PRIV_GetEptgt (0x136, dce_sec_control, dce_sec_authent) char * request_location /* "LOCAL" or "INTERCELL" */ if "LOCAL" request: uuid req_princ_id->uuid; /* requested local principal uuid */ uuid req_group_id->uuid; /* requested local primary group uuid */ unsigned short int num_groups /* number of valid local groups */ uuid = groups[num_groups].uuid /* valid local groups' uuids */ if "INTERCELL" request: unsigned short int num_epacs /* number of epacs in delegation chain */ uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */ uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */ uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */ uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid /* uuids for groups in privilege attribute */ The rpriv_become_delegate() operation permits an intermediate server to become a delegate for its caller. The caller supplies extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The Privilege Server verifies that the del- egation token for this EPAC chain is correct and then creates a new chain from the existing one with the intermediary's EPAC as a new dele- gate. PRIV_BecomeDelegate (0x138, dce_sec_control, dce_sec_authent) uuid req_princ_id->uuid; /* requested local principal uuid */ uuid req_group_id->uuid; /* requested local primary group uuid */ unsigned short int num_groups /* number of valid local groups */ uuid = groups[num_groups].uuid /* valid local groups' uuids */ unsigned short int num_epacs /* number of epacs in delegation chain */ uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */ uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */ uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */ uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid /* uuids for groups in privilege attribute */ The rpriv_become_impersonator() operation permits an intermediate server to become an impersonator for its caller. The caller supplies extended privilege attributes in the form of an encoded Extended Privilege Attribute Certificate (EPAC). The Privilege Server verifies that the delegation token for the initator's EPAC is correct and also that the intermediary is allowed to impersonate the initiator. PRIV_BecomeImpersonator (0x139, dce_sec_control, dce_sec_authent) uuid req_princ_id->uuid; /* requested local principal uuid */ uuid req_group_id->uuid; /* requested local primary group uuid */ unsigned short int num_groups /* number of valid local groups */ uuid = groups[num_groups].uuid /* valid local groups' uuids */ unsigned short int num_epacs /* number of epacs in delegation chain */ uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */ uuid [num_epacs].pa.principal.uuid /* privilege attribute principal uuid */ uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */ uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid /* uuids for groups in privilege attribute */RELATED INFORMATIONCommands: dcecp(1m). Files: dts_audit_events(5), event_class.5. sec_audit_events(5)