OpenXDAS: API and Source Code Documentation
0.8.351
The following text is taken verbatim from the introduction section of the Open Group Distributed Audit Service (XDAS) Preliminary Specification, version 0.9:
The purpose of security audit services is to provide support for:
- the principle of accountability, that is holding users of a system accountable for their actions within the system, and
- detection of security policy violations, that is the detection of attempts by unauthorized individuals to access the system, and of attempts by authorized users to misuse their access to the system.
Many components of distributed systems now include some form of security auditing or event logging capability whereby the component records events deemed to have security relevance within the domain of that component. These services are provided via component specific interfaces and use component specific audit record formats.
However, within distributed systems, security relevant activity is not isolated to within individual components, but spans many components. For example, an intrusion attempt may be made via multiple entry points to the distributed system. Such attempts are not necessarily focused through single points of entry. Also, the purpose of a distributed system is to enable the end-users of the system to utilize the resources of components throughout the system and not just those of their local workstation.
Within a distributed system it is therefore necessary to monitor activity across and between components. This is made difficult by the current component specific approaches. It is not easy to compare activity across system components when the events monitored and the record formats may be different. It is especially difficult to do this in a timely manner to detect and respond to intrusion attempts.
The objective of the XDAS specification is to define:
- a set of generic events of relevance at a global distributed system level. For example, end-user system sign-on and the initiation and termination of communication sessions.
- a common portable audit record format to facilitate the merging and analysis of audit information from multiple components at the distributed system level.
- an API for use by applications to submit events to XDAS.
- an API to import audit data from existing component specific audit services to XDAS.
- an API to configure event preselection criteria for event submission to XDAS.
- an API to read records from an XDAS audit trail.
This service is intended to be a complement to existing system component specific audit services, not to replace them. Such local audit services are also likely to handle events, and a level of detail, that may be irrelevant at the global level of XDAS.
Interfaces are supported for use by four different types of applications:
- an API to submit events to the audit service, for use by applications that generate audit records and use XDAS to log such events.
- an API and a common audit event record format for use by existing component specific audit services to import audit records into the XDAS audit stream for distributed system level analysis.
- an API to support the configuration of event preselection criteria and event disposition actions, for use by XDAS audit event management applications.
- an API together with a common audit event record format, for use by Audit Log Analysis applications.
The XDAS-API provides the following benefits:
- Application developers have a common API, a generic set of audit events, and a common audit format regardless of the platform on which the XDAS service is running. This is of benefit to the developers of both applications that detect and wish to record security relevant events and of applications that analyze audit events.
- Platform and application infrastructure vendors are able to support the needs of users at the distributed system level within a heterogeneous environment without the necessity to reengineer their current operating system or application specific audit service implementations, perhaps with resulting performance implications.
- End-user organizations benefit through increased effectiveness in enforcing individual accountability within a distributed environment.
The following business requirements for a distributed audit service have been identified. They are detailed in full in this section to convey the overall service context that XDAS is intended to be capable of supporting. The current scope of the XDAS specification is not intended to encompass all these requirements, but to provide a basic level of service on which the more complete requirements may be eventually satisfied by developing applications to utilize the XDAS functions. The requirements are grouped according to audit event services, audit service management, audit event management, audit log management and audit event enquiry facilities.
Security events are detected outside the XDAS by an operating system or applications. The requirements on a distributed audit service are as follows:
- Handle event records newly generated at the local API level.
- Support the preselection of criteria for the submission of an event, thereby reducing the numbers of audit events generated and analyzed.
- Filter and analyze records for instances or accumulations of pre-determined security events, and trigger timely notification. These filters shall be driven by parameters in a standard format. Three types of event or compound event are identified:
  - a single record selected by one or more fields
  - sequences of selected records
  - timed sequences of records
- Generate local alarms.
- Generate messages to be passed to the audit service management interface.
- Take pre-defined action on the occurrence of specific events.
- Receive records passed on from another system in a standard format and re-interpret them in the context of extra information available from event records arriving from other systems.
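The three filter types named above (a single record selected by fields, a sequence of selected records, and a timed sequence of records) are the building blocks of the analysis component. The following C sketch is an added example, not OpenXDAS code: it defines a toy record carrying the common-header fields the Audit Log Management requirement lists (date/time, location, initiator, target, message) plus one domain-specific extension, and implements each filter type over a constructed sample trail. All struct, field and function names are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Toy audit record (assumed layout, not the XDAS record format): the common
 * header fields from the requirement plus a component-specific extension. */
typedef struct {
    time_t      when;        /* date and time of the activity */
    const char *location;    /* host on which the event was observed */
    const char *initiator;   /* principal that performed the action */
    const char *target;      /* object acted upon */
    const char *message;     /* generic event name, e.g. "session.create" */
    int         success;     /* 1 = outcome succeeded, 0 = failed */
    const char *domain_info; /* domain-specific information, may be NULL */
} audit_record;

/* Filter type 1: select a single record by one or more fields.
 * A NULL string criterion matches any value; success == -1 means "don't care". */
typedef struct {
    const char *initiator;
    const char *target;
    const char *message;
    int         success;
} field_filter;

static int field_eq(const char *want, const char *have) {
    return want == NULL || (have != NULL && strcmp(want, have) == 0);
}

int match_single(const field_filter *f, const audit_record *r) {
    return field_eq(f->initiator, r->initiator) &&
           field_eq(f->target, r->target) &&
           field_eq(f->message, r->message) &&
           (f->success < 0 || f->success == r->success);
}

/* Filter type 2: an ordered sequence of selected records. Unrelated records
 * may interleave. Returns the index of the record that completed the
 * sequence, or -1 if the pattern never appears in order. */
int match_sequence(const field_filter *steps, int nsteps,
                   const audit_record *records, int n) {
    int step = 0;
    if (nsteps <= 0) return -1;
    for (int i = 0; i < n; i++)
        if (match_single(&steps[step], &records[i]) && ++step == nsteps)
            return i;
    return -1;
}

/* Filter type 3: a timed sequence: `threshold` records matching `f` whose
 * timestamps all lie within `window` seconds. Records are assumed to be in
 * time order. Returns the index of the record that tripped the filter, or -1. */
int match_timed_sequence(const field_filter *f, int threshold, long window,
                         const audit_record *records, int n) {
    time_t hits[256];            /* timestamps of matching records seen so far */
    int nhits = 0, start = 0;    /* hits[start..nhits) is the current window */
    if (threshold <= 0 || n > 256) return -1;
    for (int i = 0; i < n; i++) {
        if (!match_single(f, &records[i])) continue;
        hits[nhits++] = records[i].when;
        while (hits[nhits - 1] - hits[start] > window) start++;  /* expire old hits */
        if (nhits - start >= threshold) return i;
    }
    return -1;
}

/* Constructed sample trail (timestamps and names are made up): three failed
 * sign-ons by "mallory" within a minute, then a successful one and a data read. */
#define NREC 6
const audit_record sample_trail[NREC] = {
    { 1000, "hostA", "alice",   "hostA",      "session.create", 1, NULL },
    { 1010, "hostA", "mallory", "hostA",      "session.create", 0, "pam_unix" },
    { 1030, "hostB", "mallory", "hostB",      "session.create", 0, NULL },
    { 1050, "hostA", "mallory", "hostA",      "session.create", 0, NULL },
    { 1100, "hostA", "mallory", "hostA",      "session.create", 1, NULL },
    { 1105, "hostA", "mallory", "payroll.db", "data.read",      1, "rows=4200" },
};

/* Filter parameters, the kind of thing the standard-format parameters would carry. */
const field_filter failed_logon = { "mallory", NULL, "session.create", 0 };
const field_filter escalation_steps[3] = {
    { "mallory", NULL,         "session.create", 0 },   /* failed sign-on ...   */
    { "mallory", NULL,         "session.create", 1 },   /* ... then success ... */
    { "mallory", "payroll.db", "data.read",      -1 },  /* ... then sensitive read */
};

int main(void) {
    int burst = match_timed_sequence(&failed_logon, 3, 60, sample_trail, NREC);
    int chain = match_sequence(escalation_steps, 3, sample_trail, NREC);
    printf("failed sign-on burst tripped at record %d\n", burst);      /* 3 */
    printf("escalation sequence completed at record %d\n", chain);   /* 5 */
    return 0;
}
```

The timed filter expires hits that have fallen out of the window rather than counting all matches ever seen, which is what makes it a "timed sequence" rather than a plain accumulation; widening or narrowing `window` is the static-versus-dynamic reconfiguration the Audit Event Management requirements describe.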
Of these requirements, the scope of this XDAS specification provides support for:
- The submission of audit events via an API.
- The return, via the API, to calling applications of the result of applying preselection criteria.
- The capability for the definition of basic forms of event disposition (e.g., log, alarm, action) which can be acted upon by an audit analysis application to meet the other requirements defined above.
The business requirements for the user interface for managing the audit service are:
- Support a consistent management interface.
- Integrate the audit system management interface with other elements in the system management infrastructure, including logs, protocols and databases and the management of authorizations.
- Support both Remote and Local Administration. The XDAS must support role-based decentralized administration, such that individuals are only presented with the data that apply to their area of responsibility.
- Support both equivalent GUI and command line access so that the functions are available regardless of the mode of interaction.
None of these requirements are within the scope of this XDAS specification. However, it does define an API for audit event filter management and defines an authorization model that can be used to support role-based access control. This facilitates the development of management applications to meet the above requirements.
The following are requirements on the Audit Event Management interface:
- Support the configuration of the disposition of audit alarms, such that audit events of a specific source and type can be sent to a particular destination, and to a particular role at that destination to be actioned.
- Provide a set of standard calls to modify the parameters which define the filtering performed. These are used to configure the actions taken by the filtering and analysis component on each system. They may be originated by an operator or automatically as a result of event processing.
- Support two types of configuration: static configuration and dynamic configuration. With static configuration, the levels of audit data to be generated are pre-set by operator intervention. With dynamic configuration, the events or series of events detected are used to re-configure the filters on the monitor. Reconfiguration can involve increasing or decreasing the level of monitoring activity, as deemed appropriate by the analysis of the event or series of events.
- Determine and effect change to the configuration of security event detection on each of the platforms in a distributed environment. If several systems are monitored and all have a common requirement for maintaining a particular level of event logging, then a single definition should be applied to all.
- Be able to record a security event message whenever a change to the configuration of the event discrimination service is made.
The scope of the XDAS specification does not directly include any of the above functionality. It is expected that much of this functionality may eventually be included within implementations. However, interfaces to event management services are being defined in other specifications, (see XEMS). Chapter 3 includes an example of how an XDAS system may be implemented over an event management service.
This XDAS specification defines an API including functions for the definition, enabling and disabling of filtering criteria and the definition of the disposition of events based on those criteria. This API may be used to develop applications that provide the higher level services described above.
Audit Log Management requirements are:
- Log records to a protected audit record repository.
- Ensure that the sequence of events recorded is a reflection of what actually transpired. Thus, any mechanism which generates audit data should incorporate a header or common set of data which is co-ordinated with other systems with which it interacts. The header should contain a minimum set of information describing the date, time, location, initiator, target, message, etc., of the activity. Platforms, applications and network services shall have the ability to add domain specific information to the information set.
The scope of this XDAS specification includes the definition of the contents of an audit record including the provision for domain specific information for the purposes of analysis and the exchange and merging of audit event records. The internal format of audit logs and interfaces for the management of those logs are not within the scope of this version of XDAS.
The Audit Event Enquiry requirements are:
- Define a common format for audit events for use by analysis applications.
A common format for audit events is defined by this XDAS specification.