sec_audit_events man page on HP-UX


sec_audit_events(5)					   sec_audit_events(5)

NAME
       sec_audit_events - Auditable events for the security services

DESCRIPTION
       Code is in place for auditing security-significant events in the
       Security Server.  Among these events are:

            Attempts at invoking Authentication Server/Ticket-granting
            Server/Privilege Server (AS/TGS/PS) operations.

            Deletion of Security Server objects, including ACLs, accounts,
            PGO items, registry properties, registry/organization policies,
            and the registry master key.

            Attempts at invoking an operation that modifies Security Server
            objects or updates an ACL.

            Attempts at invoking operations that involve access control.

            Failed client responses to the server's challenge, detected
            replays, and invalid ticket requests.

            The usage of cryptographic keys in the RPC runtime.

            Attempts at changing the maintenance/operation states of the
            registry server.

       Event class definitions, together with filters, control the auditing
       execution at these code points.  Filters can be updated dynamically.
       Filter files are maintained by a per-host audit daemon and are shared
       among all the audit clients on the same host.  The dcecp command
       interface program is used for maintaining the filters.  (See the dcecp
       reference page.)  The dcecp command is executable by all users and
       system administrators; control over who is allowed to modify filters
       is enforced through the ACL of the audit daemon, which maintains the
       filters.

       Security Server RPC interfaces include krb5rpc, rdaclif, rdacliftmp,
       rpriv, rs_acct, rs_query, rs_rpladmn, rs_update, and rsec_cert.  All
       the RPC interfaces are offered using the rpc_c_authn_dce_secret
       authentication service.  The Security Server's RPC runtime uses dce-rgy
       as its authentication identity.  Within the same process, the security
       server's UDP/IP interface provides Kerberos AS/TGS functions, with
       krbtgt/cell_name as its authentication identity.

       The following are the audit code points in these Security Service
       interfaces, with their Event Types, Event Classes, and any
       Event-Specific Information.

   Authentication Interface (krb5rpc) Operations
       The rsec_krb5rpc_sendto_kdc() function is an RPC interface operation
       for accessing Kerberos AS/TGS services.  Ticket-granting tickets and
       application tickets are requested and returned.  There is no access
       control on this interface other than what is within the Kerberos
       Ticket-granting mechanism itself; that is, the TGS request
       verification.

            Event Type:    AS_Request (0x101)
            Event Class:   dce_sec_authent
            Event-Specific Information:  None

            Event Type:    TGS_TicketReq (0x102)
            Event Class:   dce_sec_authent
            Event-Specific Information:  None

            Event Type:    TGS_RenewReq (0x103)
            Event Class:   dce_sec_authent
            Event-Specific Information:  None

            Event Type:    TGS_ValidateReq (0x104)
            Event Class:   dce_sec_authent
            Event-Specific Information:  None

   DACL Management Interface (rdaclif) Operations
       The rdacl_lookup() operation retrieves an ACL of an object in the
       Security Server.  Review of the ACL associated with an object in the
       Security Server is allowed if the caller has any access to the object.

            Event Type:    ACL_Lookup (0x105)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *component_name
                 uuid_t manager_type
                 sec_acl_type_t acl_type

       The rdacl_replace() operation replaces the ACL of an object in the
       Security Server.  The client must have the sec_acl_perm_owner
       permission for the update to be carried out.

            Event Type:    ACL_Replace (0x106)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *component_name
                 uuid_t manager_type
                 sec_acl_type_t acl_type
                 sec_acl_list_t old_acl_list
                 sec_acl_list_t new_acl_list

       The rdacl_get_access() operation determines the caller's access to a
       specified object.  This call is authorized if the caller has any access
       to the object.

            Event Type:    ACL_GetAccess (0x107)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *component_name
                 uuid_t manager_type
                 sec_acl_permset_t net_rights

       The rdacl_test_access() operation determines if the caller has the
       requested access.  The return value of the call indicates whether the
       caller has the requested access to the object.

            Event Type:    ACL_TestAccess (0x108)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *component_name
                 uuid_t manager_type
                 sec_acl_permset_t desired_permset

       The rdacl_get_manager_types() operation lists the types (UUIDs) of ACLs
       protecting an object.  The caller must have some permissions on the
       object for each of the manager types that is defined for the object.
       Otherwise, no manager type is returned.

            Event Type:    ACL_GetMgrTypes (0x10A)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *component_name
                 sec_acl_type_t acl_type

       The rdacl_get_referral() operation obtains a referral to an ACL update
       site.  This function is used when the current ACL site yields a
       sec_acl_site_readonly error.  Some replication managers will require
       all updates for a given object to be directed to a given replica.
       Clients of the generic ACL interface may know they are dealing with an
       object that is replicated in this way.  This function allows them to
       recover from this problem and rebind to the proper update site.  The
       client is required to have execute access on the parent of the object
       named by component_name.

            Event Type:    ACL_GetReferral (0x10B)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *component_name
                 uuid_t manager_type
                 sec_acl_type_t sec_acl_type

   Privilege Server Interface (rpriv) Operations
       The rpriv_get_ptgt() operation returns a privilege certificate to the
       Ticket-granting service.  The caller supplies the group set, and the
       Privilege Server seals the group set in the authorization portion of a
       privilege Ticket-granting ticket, after first rejecting any groups that
       are not legitimately part of the caller credentials.  A group will be
       rejected if the caller is not a member of the group, or the group is
       not allowed on project lists (the projlist_ok flag is not set).

       There is no access control on this interface other than what is within
       the Kerberos Ticket-granting mechanism itself; that is, the TGS request
       verification.  This call may result in growth of the potential access
       set.  Note that this is a pre-DCE 1.1 routine.

            Event Type:    PRIV_GetPtgt (0x10C)
            Event Class:   dce_sec_authent, dce_sec_control
            Event-Specific Information:
                 char *string client_address
                 unsigned16 num_groups    /* Number of local groups in PAC */
                 uuid_t groups            /* num_groups local groups in PAC */
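       As an added illustration (not DCE's code), the group-set rule above
       modelled in Python: a requested group survives only if the caller is a
       member of it and its projlist_ok flag is set, and the function also
       builds the PRIV_GetPtgt event-specific information (num_groups, groups)
       listed above.  Registry contents, principal names and group ids are
       constructed sample values.

```python
"""Model of the rpriv_get_ptgt() group-set check (added example, not DCE
code).  A requested group is kept only if the caller is a member AND the
group's projlist_ok flag is set; everything else is rejected before the
set is sealed into the privilege TGT."""
from dataclasses import dataclass, field

# Event type, id and classes for this operation, as listed on the page.
PRIV_GETPTGT_EVENT = ("PRIV_GetPtgt", 0x10C,
                      ("dce_sec_authent", "dce_sec_control"))


@dataclass
class Group:
    uuid: str                  # constructed placeholder, not a real DCE uuid
    projlist_ok: bool = True   # may this group appear on project lists?
    members: set = field(default_factory=set)


@dataclass
class Registry:
    groups: dict               # uuid -> Group


def seal_group_set(registry, caller, requested, client_address):
    """Return (accepted_groups, rejections, audit_record).

    rejections maps each dropped group uuid to the reason it was dropped,
    so the decision is explainable; audit_record carries the event-specific
    information the page lists for PRIV_GetPtgt."""
    accepted, rejections = [], {}
    for gid in requested:
        grp = registry.groups.get(gid)
        if grp is None:
            rejections[gid] = "unknown group"
        elif caller not in grp.members:
            rejections[gid] = "caller is not a member"
        elif not grp.projlist_ok:
            rejections[gid] = "projlist_ok not set"
        else:
            accepted.append(gid)
    name, event_id, classes = PRIV_GETPTGT_EVENT
    record = {
        "event": name, "id": event_id, "classes": classes,
        "client_address": client_address,
        "num_groups": len(accepted), "groups": tuple(accepted),
    }
    return accepted, rejections, record


# Constructed sample registry: ids and members are illustrative only.
SAMPLE_REGISTRY = Registry(groups={
    "g-staff":  Group("g-staff",  True,  {"alice", "bob"}),
    "g-admin":  Group("g-admin",  True,  {"bob"}),
    "g-hidden": Group("g-hidden", False, {"alice"}),
})

if __name__ == "__main__":
    acc, rej, rec = seal_group_set(
        SAMPLE_REGISTRY, "alice",
        ["g-staff", "g-admin", "g-hidden", "g-nope"], "10.0.0.5")
    print(acc, rej, rec)
```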

   Registry Server Account Interface (rs_acct) Operations
       The rs_acct_add() operation adds an account with a specified login
       name.  The caller needs to have m, a, and u (mgmt_info, auth_info, and
       user_info) permissions on the principal of the account that is to be
       added.  The constituent principal, group, and organization (PGO) items
       for an account must be added before the account can be created.  Also,
       the principal must have been added as a member of the specified group
       and organization.

            Event Type:    ACCT_Add (0x10D)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *login_name
                 sec_rgy_acct_key_t key_parts

       The rs_acct_delete() operation deletes an account with a specified
       login name.  The caller needs to have m, a, and u (mgmt_info,
       auth_info, and user_info) permissions on the principal of the account
       that is to be deleted.

            Event Type:    ACCT_Delete (0x10E)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *login_name

       The rs_acct_rename() operation changes the account login name.  The
       caller has to have the m (mgmt_info) permission on the principal of the
       account to be renamed (old_login_name.pname).

            Event Type:    ACCT_Rename (0x10F)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *old_login_name
                 char *new_login_name

       The rs_acct_lookup() operation returns data for a specified account.
       The caller must have the r (read) permission on the ACL of the
       account's principal for the account to be viewed.

            Event Type:    ACCT_Lookup (0x110)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *login_name

       The rs_acct_replace() operation replaces both the user and
       administrative information in the account record specified by the
       input login name.  The administrative information contains limitations
       on the account's use and privileges.  The user information contains
       such information as the account home directory and default shell.  The
       administrative information can only be modified by a caller with the a
       (auth_info) privilege for the account's principal.  The user
       information can be modified by a caller with the u (user_info)
       privilege for the account's principal.

            Event Type:    ACCT_Replace (0x111)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *login_name
                 unsigned32 key_parts

       The rs_acct_get_projlist() operation returns members of the project
       list for the specified account.  This operation requires the caller to
       have the r (read) permission on the account principal for which the
       project list data is to be returned.

            Event Type:    ACCT_GetProjlist (0x112)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char login_name

   Registry Miscellaneous Operation Interface (rs_misc) Operations
       The rs_login_get_info() operation returns login information for the
       specified account.  This information is extracted from the account's
       entry in the registry database.  This operation requires the caller to
       have the r (read) permission on the account's principal from which the
       data is to be returned.

            Event Type:    LOGIN_GetInfo (0x113)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *login_name

   Registry PGO Interface (rs_pgo) Operations
       The rs_pgo_add() operation adds a PGO item to the registry database.
       This operation requires the caller to have the i (insert) permission on
       the parent directory in which the PGO item is to be created.

            Event Type:    PGO_Add (0x114)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *pgo_name

       The rs_pgo_delete() operation deletes a PGO item from the registry
       database.  Any account depending on the deleted PGO item is also
       deleted.  The deletion operation requires the caller to have the d
       (delete) permission on the parent directory that contains the PGO item
       to be deleted and the D (Delete_object) permission on the PGO item
       itself.

            Event Type:    PGO_Delete (0x115)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *pgo_name

       The rs_pgo_replace() operation replaces the data associated with a PGO
       item in the registry database.  The caller needs to have the m
       (mgmt_info) permission on the PGO item, if quota, flags, or unix_num is
       being set.  (Only a cell principal's unix_num is modifiable.)  The
       caller needs to have the f (fullname) permission to modify the fullname
       of the PGO item.

            Event Type:    PGO_Replace (0x116)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *pgo_name

       The rs_pgo_rename() operation renames a PGO item in the registry
       database.  The caller needs to have the n (name) permission on the old
       name of the PGO item, if performing a rename within a directory.  In
       order to move a PGO item between directories, the caller needs to have
       the n (name) permission on the old name of the PGO item as well as the
       d (delete) permission on the old parent directory and the i (insert)
       permission on the new parent directory in which the PGO item is being
       added under the new name.

            Event Type:    PGO_Rename (0x117)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *old_name
                 char *new_name

       The rs_pgo_get() operation returns the name and data for a PGO item.
       The desired item is identified by a query key, which can be a name, a
       uuid, a unix_num, or a sequential-search flag.  The caller needs to
       have the r (read) permission on the PGO item to be viewed.

            Event Type:    PGO_Get (0x118)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 rs_pgo_query_key_t key   /* The query key, and one of the
                                             following depending on the
                                             query key specified: */
                 case (key == rs_pgo_query_name)
                      char *name           /* Name of the item being searched */
                 case (key == rs_pgo_query_id)
                      uuid_t id_key        /* uuid of the item being searched */
                 case (key == rs_pgo_query_unix_num)
                      unsigned32 unix_num  /* unix_num of item being searched */
                 case (key == rs_pgo_query_next)
                      char *scope          /* Scope of item being searched */

       The rs_pgo_key_transfer() operation performs a specified key transfer
       between the uuid, unix_num, and name of a PGO item.  The caller needs
       to have some permission on the PGO item for id->name and unix_num->name
       transfers.

            Event Type:    PGO_KeyTransfer (0x119)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 rs_pgo_query_key_t key   /* The query key, and one of the
                                             following depending on the
                                             query key specified: */
                 case (key == rs_pgo_query_name)
                      char *name           /* Name of the item being searched */
                 case (key == rs_pgo_query_id)
                      uuid_t id_key        /* uuid of the item being searched */
                 case (key == rs_pgo_query_unix_num)
                      unsigned32 unix_num  /* unix_num of item being searched */
                 unsigned32 requested_result_type

       The rs_pgo_add_member() operation adds a member to a group or an
       organization.  The caller must have the M (Member_list) permission on
       the group or organization.  Additionally, if this call is for adding a
       group member, the caller must have the g (groups) permission on the
       principal to be added.

            Event Type:    PGO_AddMember (0x11A)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *person_name        /* Principal's name */
                 char *go_name            /* Group or organization's name */

       The rs_pgo_delete_member() operation deletes a principal from a group
       or an organization in the registry database.  The caller must have the
       M (Member_list) permission on the group or organization.  Note that the
       caller does not need to have the g (groups) permission when deleting
       the principal from a group.

            Event Type:    PGO_DeleteMember (0x11B)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *person_name        /* Principal's name */
                 char *go_name            /* Group or organization's name */

       The rs_pgo_is_member() operation tests whether a specified principal is
       a member of a specified group or organization.  The caller must have t
       (test) permission on the group or organization.

            Event Type:    PGO_IsMember (0x11C)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *person_name        /* Principal's name */
                 char *go_name            /* Group or organization's name */

       The rs_pgo_get_members() operation, if the specified domain is group or
       organization, lists the members of a specified group or organization.
       If the domain is principal, it lists the groups in which the principal
       is a member.  The caller must have the r (read) permission on the
       principal, group, or organization.

            Event Type:    PGO_GetMembers (0x11D)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 sec_rgy_domain_t name_domain
                 char *go_name            /* PGO's uuid */
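       The permission rules for the rs_pgo add, delete, rename, add_member
       and delete_member operations above, modelled in Python as an added
       example (not DCE's code): each operation maps to the (object, letter)
       pairs the text requires, and the result carries the audit event type
       and classes listed here.  Object naming ("group/staff" inside directory
       "group") and the sample caller's grants are constructed assumptions.

```python
"""Authorization model for the rs_pgo registry operations (added example,
not DCE code).  Letters are checked where the page says they are checked:
i/d on parent directories, D/n on the item itself, M on a group or
organization, g on a principal."""
from dataclasses import dataclass, field

# Event type, id and classes for each modelled operation, from this page.
PGO_EVENTS = {
    "rs_pgo_add":           ("PGO_Add",          0x114, ("dce_sec_control", "dce_sec_modify")),
    "rs_pgo_delete":        ("PGO_Delete",       0x115, ("dce_sec_control", "dce_sec_modify")),
    "rs_pgo_rename":        ("PGO_Rename",       0x117, ("dce_sec_control", "dce_sec_modify")),
    "rs_pgo_add_member":    ("PGO_AddMember",    0x11A, ("dce_sec_control", "dce_sec_modify")),
    "rs_pgo_delete_member": ("PGO_DeleteMember", 0x11B, ("dce_sec_control", "dce_sec_modify")),
}


@dataclass
class CallerPerms:
    """Permission letters the caller holds on each registry object.
    Keys are item names ("group/staff"), directory names ("group") or
    principal names ("alice"); values are strings of letters."""
    grants: dict = field(default_factory=dict)

    def has(self, obj, letter):
        return letter in self.grants.get(obj, "")


def parent_dir(name):
    """Directory containing a PGO item; top-level items live in ""."""
    return name.rsplit("/", 1)[0] if "/" in name else ""


def required_perms(op, **a):
    """(object, letter) pairs the page says the caller needs for op."""
    if op == "rs_pgo_add":
        return [(parent_dir(a["pgo_name"]), "i")]
    if op == "rs_pgo_delete":
        return [(parent_dir(a["pgo_name"]), "d"), (a["pgo_name"], "D")]
    if op == "rs_pgo_rename":
        need = [(a["old_name"], "n")]
        if parent_dir(a["old_name"]) != parent_dir(a["new_name"]):
            # A move between directories also needs d on the old parent
            # directory and i on the new one.
            need += [(parent_dir(a["old_name"]), "d"),
                     (parent_dir(a["new_name"]), "i")]
        return need
    if op == "rs_pgo_add_member":
        need = [(a["go_name"], "M")]
        if a["name_domain"] == "group":
            # Adding a group member additionally needs g on the principal;
            # adding an organization member does not.
            need.append((a["person_name"], "g"))
        return need
    if op == "rs_pgo_delete_member":
        return [(a["go_name"], "M")]   # no g on the principal is needed
    raise ValueError(f"unknown operation {op}")


def authorize(op, perms, **args):
    """Evaluate an operation and return the decision plus its audit record."""
    missing = [(obj, p) for obj, p in required_perms(op, **args)
               if not perms.has(obj, p)]
    event, event_id, classes = PGO_EVENTS[op]
    return {"allowed": not missing, "missing": missing,
            "event": event, "id": event_id, "classes": classes}


# Constructed sample caller: manages group/staff and org/eng, may delete in
# the "group" directory, but holds no i on "group/archive" and no g on "bob".
SAMPLE_PERMS = CallerPerms({
    "group":       "d",
    "group/staff": "nM",
    "org/eng":     "M",
    "alice":       "g",
})

if __name__ == "__main__":
    print(authorize("rs_pgo_rename", SAMPLE_PERMS, name_domain="group",
                    old_name="group/staff", new_name="group/archive/staff"))
```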

   Registry Policy Interface (rs_policy) Operations
       The rs_properties_get_info() operation returns a list of registry
       properties.  The caller must have the r (read) permission on the policy
       object from which the property information is to be returned.

            Event Type:    PROP_GetInfo (0x11E)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:  None

       The rs_properties_set_info() operation sets the registry properties.
       The caller must have the m (mgmt_info) permission on the policy object
       for which the property information is to be set.

            Event Type:    PROP_SetInfo (0x11F)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:  None

       The rs_policy_get_info() operation returns the policy for a specified
       organization or the registry (if no organization name is specified).
       The caller must have the r (read) permission on the policy object or
       organization item from which the data is to be returned.  Note that the
       rs_policy_get_effective() operation uses the same audit event
       (POLICY_GetInfo) as the rs_policy_get_info() operation.

            Event Type:    POLICY_GetInfo (0x120)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *organization

       The rs_policy_set_info() operation sets the policy for a specified
       organization or the registry (if no organization name is specified).
       The caller must have the m (mgmt_info) permission on the policy object
       or organization item for which the data is to be set.

            Event Type:    POLICY_SetInfo (0x121)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *organization

       The rs_auth_policy_get_info() operation returns the authentication
       policy for a specified account or the registry (if no account is
       specified).  The caller must have the r (read) permission on the policy
       object or account's principal from which the data is to be returned.

            Event Type:    AUTHPOLICY_GetInfo (0x122)
            Event Class:   dce_sec_control, dce_sec_query
            Event-Specific Information:
                 char *account

       The rs_auth_policy_get_effective() operation returns the effective
       authentication policy for an account.  If no account is specified, the
       authentication policy for the registry is returned.  The caller must
       have the r (read) permission on the policy object of the registry.  If
       an account is specified, the caller must also have r (read) permission
       on the account's principal.  No new event is defined for this
       operation; AUTHPOLICY_GetInfo is used here.

       The rs_auth_policy_set_info() operation sets the authentication policy
       for an account or the registry (if no account is specified).  The
       caller must have the a (auth_info) permission on the account's
       principal or the policy object of the registry.

            Event Type:    AUTHPOLICY_SetInfo (0x123)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *account

   Registry Administration Interface Operations
       The rs_rep_admin_stop() operation directs the registry server to stop
       servicing remote procedure calls.  The caller must have A (Admin)
       permission on the registry policy object.

            Event Type:    REPADMIN_Stop (0x124)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:  None

       The rs_rep_admin_maint() operation directs the registry server into
       maintenance state (checkpointing the database, closing files, and so
       on) or out of it.  The caller must have A (Admin) permission on the
       registry policy object.

            Event Type:    REPADMIN_Maint (0x125)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:
                 boolean in_maintenance

       The rs_rep_admin_mkey() operation directs the registry to change its
       master key and re-encrypt account keys using the new master key.  The
       caller must have A (Admin) permission on the registry policy object.

            Event Type:    REPADMIN_Mkey (0x126)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:  None

       The rs_rep_admin_destroy() operation directs the registry server
       replica to destroy its database and exit.  The caller must have A
       (Admin) permission on the registry policy object.

            Event Type:    REPADMIN_Destroy (0x127)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:  None

       The rs_rep_admin_init_replica() operation directs the registry server
       to (re-)initialize the slave identified by rep_id.  This is a master
       server only operation.  The caller must have A (Admin) permission on
       the registry policy object.

            Event Type:    REPADMIN_Init (0x128)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:
                 char *rep_id_str

       The rs_rep_admin_set_sw_rev() operation directs the master registry
       server to update the current security software version and begin
       supporting the security features appropriate for that version.  If the
       master is successful, the version update is propagated to all replicas
       and any replicas that cannot support the new software version will shut
       down.  This is a master-only operation.  The caller must have A (Admin)
       permission on the registry policy object.

            Event Type:    REPADMIN_SetSwRev (0x13A)
            Event Class:   dce_sec_control, dce_sec_server
            Event-Specific Information:
                 unsigned long software_version

   Registry Server Attributes Manipulation Interface (rs_attr) Operations
       The rs_attr_update() operation updates (writes/creates) an attribute.
       The caller must have, for each attribute defined in attr_keys, the
       query_permset permission on the registry object specified.

            Event Type:    ERA_Update (0x12B)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *component_name
                 unsigned32 int num_to_write
                 uuid in_attrs[num_to_write].attr_id

       The rs_attr_delete() operation deletes the specified attribute(s).  The
       caller must have delete_permset permission for each attribute
       specified.

            Event Type:    ERA_Delete (0x12C)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *component_name
                 unsigned32 num_to_delete
                 uuid attrs[num_to_delete].attr_id

       The rs_attr_lookup_by_id() operation performs a lookup of the
       attributes by attribute type ID.  If the number of query attribute keys
       is 0, this operation will return all attributes that the caller is
       authorized to use.  The caller must have, for each attribute specified,
       the query_permset permission on the registry object specified.

            Event Type:    ERA_LookupById (0x12E)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 char *component_name
                 unsigned32 int num_attr_keys
                 uuid attr_keys[num_attr_keys].attr_id

       The rs_attr_lookup_no_expand() operation performs a lookup of the
       attributes by attribute type ID without expanding attribute sets to
       their constituent member attributes.  If the number of query attribute
       keys is 0, this operation will return all attributes that the caller is
       authorized to use.  The caller must have, for each attribute specified,
       the query_permset permission on the registry object specified.

            Event Type:    ERA_LookupNoExpand (0x12F)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 char *component_name
                 unsigned32 int num_attr_keys
                 uuid attr_keys[num_attr_keys].attr_id

       The rs_attr_lookup_by_name() operation performs a lookup of an
       attribute by name.  The caller must have, for the attribute specified,
       query_permset permission on the registry object specified.

            Event Type:    ERA_LookupByName (0x12G)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 char *component_name
                 char *attr_name

   Registry Server Attributes Schema Manipulation Interface (rs_attr_schema) Operations
       The rs_attr_schema_create_entry() operation creates a new schema entry.
       The caller must be authorized to add entries to the specified schema.

            Event Type:    ERA_SchemaCreate (0x131)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *schema_name
                 char *schema_entry->attr_name
                 uuid schema_entry->attr_id

       The rs_attr_schema_delete_entry() operation deletes a schema entry.
       The caller must be authorized to delete schema entries.

            Event Type:    ERA_SchemaDelete (0x132)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *schema_name
                 uuid attr_id

       The rs_attr_schema_update_entry() operation updates the modifiable
       fields of a schema entry.  The caller needs to have m (mgmt_info)
       permission on the schema entry that is to be modified.

            Event Type:    ERA_SchemaUpdate (0x133)
            Event Class:   dce_sec_control, dce_sec_modify
            Event-Specific Information:
                 char *schema_name
                 uuid schema_entry->attr_id

       The rs_attr_schema_lookup_by_id() operation retrieves the schema entry
       identified by the attribute type uuid.  The caller must have r (read)
       permission on the schema entry specified.

            Event Type:    ERA_SchemaLookupId (0x134)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 char *schema_name
                 uuid attr_id

       The rs_attr_schema_lookup_by_name() operation retrieves the schema
       entry identified by the attribute name.  The caller must have r (read)
       permission on the schema entry specified.

            Event Type:    ERA_SchemaLookupName (0x135)
            Event Class:   dce_sec_control
            Event-Specific Information:
                 char *schema_name
                 char *attr_name

   Version 1.1 Privilege Server Manager Interface (rpriv_v1_1) Operations
       The rpriv_get_eptgt() operation constructs and returns an extended
       privilege certificate to the ticket_granting service.  The caller
       supplies the extended privilege attributes in the form of an encoded
       Extended Privilege Attribute Certificate (EPAC).  The procedure by
       which the requested privilege attributes are verified depends on how
       the call is authenticated and whether the request is "local" (that is,
       is a request from a client in this Privilege Server's cell) or is
       "intercell" (that is, is from a foreign privilege service).

       If the request is local, then the ticket to the Privilege Server is
       based on a Kerberos V5 TGT and the requested_privs consists of a single
       encoded EPAC.  The Privilege Server decodes the requested_privs and
       verifies that the requested privileges are valid by performing the
       necessary database queries.

       If the request is foreign, then the ticket to the privilege service is
       based on a DCE EPTGT and the Privilege Server retrieves the EPAC seal
       from the DCE authorization data contained in the ticket, and uses it to
       verify that the requested privileges are valid.

            Event Type:    PRIV_GetEptgt (0x136)
            Event Class:   dce_sec_control, dce_sec_authent
            Event-Specific Information:
                 char *request_location    /* "LOCAL" or "INTERCELL" */

                 if "LOCAL" request:
                      uuid req_princ_id->uuid        /* requested local principal uuid */
                      uuid req_group_id->uuid        /* requested local primary group uuid */
                      unsigned short int num_groups  /* number of valid local groups */
                      uuid groups[num_groups].uuid   /* valid local groups' uuids */

                 if "INTERCELL" request:
                      unsigned short int num_epacs   /* number of epacs in delegation chain */
                      uuid [num_epacs].pa.realm.uuid /* privilege attribute realm uuid */
                      uuid [num_epacs].pa.principal.uuid
                                                     /* privilege attribute principal uuid */
                      uuid [num_epacs].pa.num_groups /* number of groups in privilege attribute */
                      uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                                     /* uuids for groups in privilege attribute */

       The rpriv_become_delegate() operation permits an intermediate server to
       become a delegate for its caller.  The caller supplies extended
       privilege attributes in the form of an encoded Extended Privilege
       Attribute Certificate (EPAC).  The Privilege Server verifies that the
       delegation token for this EPAC chain is correct and then creates a new
       chain from the existing one with the intermediary's EPAC as a new
       delegate.

            Event Type:    PRIV_BecomeDelegate (0x138)
            Event Class:   dce_sec_control, dce_sec_authent
            Event-Specific Information:
                 uuid req_princ_id->uuid             /* requested local principal uuid */
                 uuid req_group_id->uuid             /* requested local primary group uuid */
                 unsigned short int num_groups       /* number of valid local groups */
                 uuid groups[num_groups].uuid        /* valid local groups' uuids */
                 unsigned short int num_epacs        /* number of epacs in delegation chain */
                 uuid [num_epacs].pa.realm.uuid      /* privilege attribute realm uuid */
                 uuid [num_epacs].pa.principal.uuid  /* privilege attribute principal uuid */
                 uuid [num_epacs].pa.num_groups      /* number of groups in privilege attribute */
                 uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                                     /* uuids for groups in privilege attribute */

       The rpriv_become_impersonator() operation permits an intermediate
       server to become an impersonator for its caller.  The caller supplies
       extended privilege attributes in the form of an encoded Extended
       Privilege Attribute Certificate (EPAC).  The Privilege Server verifies
       that the delegation token for the initiator's EPAC is correct and also
       that the intermediary is allowed to impersonate the initiator.

            Event Type:    PRIV_BecomeImpersonator (0x139)
            Event Class:   dce_sec_control, dce_sec_authent
            Event-Specific Information:
                 uuid req_princ_id->uuid             /* requested local principal uuid */
                 uuid req_group_id->uuid             /* requested local primary group uuid */
                 unsigned short int num_groups       /* number of valid local groups */
                 uuid groups[num_groups].uuid        /* valid local groups' uuids */
                 unsigned short int num_epacs        /* number of epacs in delegation chain */
                 uuid [num_epacs].pa.realm.uuid      /* privilege attribute realm uuid */
                 uuid [num_epacs].pa.principal.uuid  /* privilege attribute principal uuid */
                 uuid [num_epacs].pa.num_groups      /* number of groups in privilege attribute */
                 uuid [num_epacs].pa.groups[([epac_set.num_epacs].pa.num_groups)].uuid
                                                     /* uuids for groups in privilege attribute */

RELATED INFORMATION
       Commands: dcecp(1m).
       Files: dts_audit_events(5), event_class.5.
