OSF DCE SIG                                          D. Nicely (USAF)
Request For Comments: 1.0                                   June 1992

POSIX/C2 AUDITING OF DCE API'S

1. INTRODUCTION

This document identifies DCE API's which must be audited to meet C2 audit requirements [OrangeBook]. In addition, it groups API's by audit event class, as defined in [POSIX.6D2]. Also associated with each audit event class are API data types which should invoke audit when used (i.e., flags or data structures which are used to invoke authentication, authorization or administration functions or privileges). A brief description of each audit event class is provided consistent with the previously cited POSIX document and DCE service implementations. Rules to be used for determining if an API should be audited and how to classify each API to be audited are also provided. The intent is to provide guidance for implementing audits with the existing API's (DCE 1.0) and for determining future audit requirements as DCE evolves.

2. AUDIT CLASS DESCRIPTIONS

The goal of audit classes is to provide an efficient mechanism by which the DCE API's can be logically grouped and specified in an event list by means of a single value. Some audit event types appear in several different audit event classes. When this happens, the capture of each audit event type will be located in the most logical position within the API for each audit event type. This is to ensure audit event records express the total reason for the auditable event.
The twelve audit event classes surveyed here are represented by bit flags as follows:

    (a) 0000 0000 0001 Attribute Change Event Class
    (b) 0000 0000 0010 Access Denials Event Class
    (c) 0000 0000 0100 Admin-Operator Event Class
    (d) 0000 0000 1000 Audit Event Class
    (e) 0000 0001 0000 Authentication Event Class
    (f) 0000 0010 0000 Object Creation Event Class
    (g) 0000 0100 0000 Object Deletion Event Class
    (h) 0000 1000 0000 Object Modification Event Class
    (i) 0001 0000 0000 Path Modification Event Class
    (j) 0010 0000 0000 Privilege Event Class
    (k) 0100 0000 0000 Proc Event Class
    (l) 1000 0000 0000 Proc Control Event Class

2.1. Attribute Change Event Class (Flag: 0000 0000 0001)

2.1.1. Description

This event class includes operations that modify attributes of a file system or private object. File system objects include: filesets, access control lists, Fileset Location Database (FLDB), end point maps and registry database entries, policy and properties. A change to the Global Directory Service (GDS) namespace is also an attribute change audit event. The following are not considered file system objects: name service database entries, keys, pthread attribute objects, BOS server objects (e.g., bnodes, server keys, administration lists, flags, or times), or UUID's.

2.1.2. Associated data types

Any API which uses the following data types to modify attributes:

    (a) rpc_if_id_vector_t
    (b) rpc_ns_handle_t
    (c) rpc_object_inq_fn_t
    (d) sec_acl_entry_class_t
    (e) sec_acl_entry_t
    (f) sec_acl_entry_type_t
    (g) sec_acl_handle_t
    (h) sec_acl_key_t
    (i) sec_acl_list_t
    (j) sec_acl_mgr_config_t
    (k) sec_acl_mgr_handle_t
    (l) sec_acl_permset_t
    (m) sec_acl_t
    (n) sec_acl_tsec_acl_p_t
    (o) sec_acl_type_t
    (p) sec_rgy_acct_auth_flags
    (q) sec_rgy_acct_user_t
    (r) sec_rgy_pgo_flags_t
    (s) sec_rgy_pgo_item_t
    (t) sec_rgy_policy_pwd_flags_t
    (u) sec_rgy_policy_t
    (v) sec_rgy_properties_flag_t
    (w) sec_rgy_properties_t

2.1.3. API's to be audited for the Attribute Change event class

    (a) 0000 0000 0001 afs_syscall
    (b) 0000 0000 0001 ds_add_entry
    (c) 0000 0000 0001 ds_modify_entry
    (d) 0000 0000 0001 ds_modify_rdn
    (e) 0000 0000 0001 ds_remove_entry
    (f) 0000 0000 0001 om_put
    (g) 0000 0000 0001 om_remove
    (h) 0000 0000 0001 rdacl_replace
    (i) 0000 0000 0001 sec_acl_mgr_replace
    (j) 0000 0000 0001 VC_SetQuota
    (k) 0000 0000 0011 FTSERVER_CreateTrans
    (l) 0000 0000 0011 FTSERVER_DeleteTrans
    (m) 0000 0000 0011 FTSERVER_SetFlags
    (n) 0000 0000 0011 FTSERVER_SetStatus
    (o) 0000 0000 0011 sec_acl_replace
    (p) 0000 0000 0111 VL_GetNewVolumeId
    (q) 0000 0000 0111 VL_GetNewVolumeIds
    (r) 0000 0000 0111 VL_ReplaceEntry
    (s) 0000 0010 0011 FTSERVER_Clone
    (t) 0000 0010 0011 FTSERVER_CreateVolume
    (u) 0000 1000 0011 FTSERVER_ReClone

2.2. Access Denials Event Class (Flag: 0000 0000 0010)

2.2.1. Description

This event class includes operations that have failed either because access to an object is denied, or because the object does not exist. These include any API which can generate error codes denoting lack of authorization or permission.

2.2.2. Associated data types

Any API which uses the following data types to store access denial or failure should be audited:

    (a) error_status_t
    (b) sec_acl_no_acl_found
    (c) sec_acl_result_t
    (d) sec_id_pac_t
    (e) sec_key-mgmt_authn_service
    (f) sec_passwd_rec_t
    (g) sec_passwd_version_t
    (h) sec_rgy_acct_admin_replace
    (i) sec_rgy_acct_admin_valid_mask
    (j) sec_rgy_acct_key_t
    (k) sec_rgy_acct_user_t
    (l) sec_rgy_user_flags_t

2.2.3. Associated error messages

The generation of the following error status should be audited:

    (a) BZACCESS
    (b) DAUT_ERROR_ACCESS_DENIED
    (c) rpc_s_no_ns_permission
    (d) sec_aclot_implemented
    (e) sec_acl_invalid_site_name
    (f) sec_acl_no_acl_found
    (g) sec_acl_object_not_found
    (h) sec_acl_unknown_manager_type
    (i) sec_id_e_bad_cell_uuid
    (j) sec_id_e_foreign_cell_referral
    (k) sec_id_e_name_too_long
    (l) sec_key_mgmt_e_authn_invalid
    (m) sec_key_mgmt_e_key_unavailable
    (n) sec_key_mgmt_e_key_unsupporte
    (o) sec_key_mgmt_e_key_version_ex
    (p) sec_key_mgmt_e_not_implemented
    (q) sec_key_mgmt_e_unauthorized
    (r) sec_login_s_auth_local
    (s) sec_login_s_context_invalid
    (t) sec_login_s_default_use
    (u) sec_login_s_groupset_invalid
    (v) sec_login_s_not_certified
    (w) sec_login_s_no_current_context
    (x) sec_login_s_privileged
    (y) sec_rgy_bad_alias_owner
    (z) sec_rgy_bad_name
    (aa) sec_rgy_dir_move_illegal
    (ab) sec_rgy_dir_not_found
    (ac) sec_rgy_incomplete_login_name
    (ad) sec_rgy_key_none
    (ae) sec_rgy_not_member_group
    (af) sec_rgy_not_member_group_org
    (ag) sec_rgy_not_member_org
    (ah) sec_rgy_object_not_found
    (ai) sec_rgy_passwd_invalid
    (aj) sec_rgy_read_only
    (ak) sec_rgy_server_unavailable
    (al) sec_rgy_status_not_authorized
    (am) VL_PERM
    (an) VOLS_ERR_BADACCESS

2.2.4. API's to be audited for the Access Denials event class

    (a) 0000 0000 0010 BOSSVR_GetLog
    (b) 0000 0000 0010 BOSSVR_ListKeys
    (c) 0000 0000 0010 FTSERVER_ListAggregates
    (d) 0000 0000 0010 FTSERVER_ListVolumes
    (e) 0000 0000 0010 sec_acl_lookup
    (f) 0000 0000 0010 sec_acl_mgr_get_access
    (g) 0000 0000 0010 sec_acl_mgr_is_authorized
    (h) 0000 0000 0010 sec_key_mgmt_get_key
    (i) 0000 0000 0010 sec_key_mgmt_get_next_key
    (j) 0000 0000 0010 sec_key_mgmt_get_next_kvno
    (k) 0000 0000 0010 sec_key_mgmt_initialize_cursor
    (l) 0000 0000 0011 FTSERVER_CreateTrans
    (m) 0000 0000 0011 FTSERVER_DeleteTrans
    (n) 0000 0000 0011 FTSERVER_SetFlags
    (o) 0000 0000 0011 FTSERVER_SetStatus
    (p) 0000 0000 0011 sec_acl_replace
    (q) 0000 0000 0110 VL_GetStats
    (r) 0000 0000 0111 VL_GetNewVolumeId
    (s) 0000 0000 0111 VL_GetNewVolumeIds
    (t) 0000 0000 0111 VL_ReplaceEntry
    (u) 0000 0001 0010 rdacl_get_access
    (v) 0000 0001 0010 sec_key_mgmt_change_key
    (w) 0000 0001 0010 sec_key_mgmt_delete_key
    (x) 0000 0001 0010 sec_key_mgmt_delete_key_type
    (y) 0000 0001 0010 sec_key_mgmt_garbage_collect
    (z) 0000 0001 0010 sec_key_mgmt_gen_rand_key
    (aa) 0000 0001 0010 sec_key_mgmt_manage_key
    (ab) 0000 0001 0010 sec_key_mgmt_set_key
    (ac) 0000 0001 0010 sec_login_certify_identity
    (ad) 0000 0001 0010 sec_login_setup_identity
    (ae) 0000 0001 0010 sec_login_validate_identity
    (af) 0000 0001 0010 sec_login_valid_and_cert_ident
    (ag) 0000 0010 0010 FTSERVER_DeleteVolume
    (ah) 0000 0010 0011 FTSERVER_Clone
    (ai) 0000 0010 0011 FTSERVER_CreateVolume
    (aj) 0000 0010 0110 BOSSVR_Install
    (ak) 0000 0100 0110 BOSSVR_Prune
    (al) 0000 1000 0010 FTSERVER_Dump
    (am) 0000 1000 0010 FTSERVER_Forward
    (an) 0000 1000 0010 FTSERVER_Restore
    (ao) 0000 1000 0010 sec_rgy_acct_add
    (ap) 0000 1000 0010 sec_rgy_acct_admin_replace
    (aq) 0000 1000 0010 sec_rgy_acct_delete
    (ar) 0000 1000 0010 sec_rgy_acct_passwd
    (as) 0000 1000 0010 sec_rgy_acct_rename
    (at) 0000 1000 0010 sec_rgy_acct_replace_all
    (au) 0000 1000 0010 sec_rgy_acct_user_replace
    (av) 0000 1000 0010 sec_rgy_auth_plcy_set_info
    (aw) 0000 1000 0010 sec_rgy_pgo_add
    (ax) 0000 1000 0010 sec_rgy_pgo_add_member
    (ay) 0000 1000 0010 sec_rgy_pgo_delete
    (az) 0000 1000 0010 sec_rgy_pgo_delete_member
    (ba) 0000 1000 0010 sec_rgy_pgo_rename
    (bb) 0000 1000 0010 sec_rgy_pgo_replace
    (bc) 0000 1000 0010 sec_rgy_plcy_set_info
    (bd) 0000 1000 0010 sec_rgy_properties_set_info
    (be) 0000 1000 0011 FTSERVER_ReClone
    (bf) 0000 1000 0110 BOSSVR_GarbageCollectKeys
    (bg) 0000 1000 0110 VL_AddAddress
    (bh) 0000 1000 0110 VL_ChangeAddress
    (bi) 0000 1000 0110 VL_CreateEntry
    (bj) 0000 1000 0110 VL_DeleteEntry
    (bk) 0000 1000 0110 VL_ReleaseLock
    (bl) 0000 1000 0110 VL_RemoveAddress
    (bm) 0000 1000 0110 VL_SetLock
    (bn) 0100 0000 0010 FTSERVER_GetFlags
    (bo) 0100 0000 0010 FTSERVER_GetStatus
    (bp) 0100 0000 0010 FTSERVER_Monitor
    (bq) 0100 0000 0110 BOSSVR_AddKey
    (br) 0100 0000 0110 BOSSVR_AddSUser
    (bs) 0100 0000 0110 BOSSVR_DeleteKey
    (bt) 0100 0000 0110 BOSSVR_DeleteSuser
    (bu) 0100 0000 0110 BOSSVR_Exec
    (bv) 0100 0000 0110 BOSSVR_GenerateKey
    (bw) 0100 0000 0110 BOSSVR_ReBossvr
    (bx) 0100 0000 0110 BOSSVR_Restart
    (by) 0100 0000 0110 BOSSVR_RestartAll
    (bz) 0100 0000 0110 BOSSVR_ShutdownAll
    (ca) 0100 0000 0110 BOSSVR_StartupAll
    (cb) 0100 0000 0110 BOSSVR_UnInstall
    (cc) 0100 0000 0110 BOSSVR_WaitAll
    (cd) 1000 0000 0110 BOSSVR_CreateBnode
    (ce) 1000 0000 0110 BOSSVR_DeleteBnode
    (cf) 1000 0000 0110 BOSSVR_SetNoAuthFlag
    (cg) 1000 0000 0110 BOSSVR_SetRestartTime
    (ch) 1000 0000 0110 BOSSVR_SetStatus
    (ci) 1000 0000 0110 BOSSVR_SetTStatus

2.3. Admin-Operator Event Class (Flag: 0000 0000 0100)

2.3.1. Description

This event class includes actions carried out by an administrator or by the operator (superuser). These include any API which requires privileges or permissions.

2.3.2. Associated data types

Any API which uses the following data types to set privileges should be audited:

    (a) sec_rgy_acct_admin_flags_t
    (b) sec_rgy_acct_admin_t
    (c) sec_rgy_override_t

2.3.3. API's to be audited for the Admin-operator event class

    (a) 0000 0000 0110 VL_GetStats
    (b) 0000 0000 0111 VL_GetNewVolumeId
    (c) 0000 0000 0111 VL_GetNewVolumeIds
    (d) 0000 0000 0111 VL_ReplaceEntry
    (e) 0000 1000 0110 BOSSVR_GarbageCollectKeys
    (f) 0000 1000 0110 VL_AddAddress
    (g) 0000 1000 0110 VL_ChangeAddress
    (h) 0000 1000 0110 VL_CreateEntry
    (i) 0000 1000 0110 VL_DeleteEntry
    (j) 0000 1000 0110 VL_ReleaseLock
    (k) 0000 1000 0110 VL_RemoveAddress
    (l) 0000 1000 0110 VL_SetLock
    (m) 0100 0000 0110 BOSSVR_AddKey
    (n) 0100 0000 0110 BOSSVR_AddSUser
    (o) 0100 0000 0110 BOSSVR_DeleteKey
    (p) 0100 0000 0110 BOSSVR_DeleteSuser
    (q) 0100 0000 0110 BOSSVR_Exec
    (r) 0100 0000 0110 BOSSVR_GenerateKey
    (s) 0100 0000 0110 BOSSVR_ReBossvr
    (t) 0100 0000 0110 BOSSVR_Restart
    (u) 0100 0000 0110 BOSSVR_RestartAll
    (v) 0100 0000 0110 BOSSVR_ShutdownAll
    (w) 0100 0000 0110 BOSSVR_StartupAll
    (x) 0100 0000 0110 BOSSVR_UnInstall
    (y) 0100 0000 0110 BOSSVR_WaitAll
    (z) 1000 0000 0110 BOSSVR_CreateBnode
    (aa) 1000 0000 0110 BOSSVR_DeleteBnode
    (ab) 1000 0000 0110 BOSSVR_SetNoAuthFlag
    (ac) 1000 0000 0110 BOSSVR_SetRestartTime
    (ad) 1000 0000 0110 BOSSVR_SetStatus
    (ae) 1000 0000 0110 BOSSVR_SetTStatus

2.4. Audit Event Class (Flag: 0000 0000 1000)

2.4.1. Description

This event class includes audit event types concerned with audit specific operations.

2.4.2. API's to be audited for the Audits event class

(None currently exist in DCE)

2.5. Authentication Event Class (Flag: 0000 0001 0000)

2.5.1. Description

This event class includes processes concerned with obtaining access to the system such as login contexts and adding, deleting or changing a principal key.

2.5.2. API's to be audited for the Authentication event class

    (a) 0000 0001 0000 sec_login_export_context
    (b) 0000 0001 0000 sec_login_get_current_context
    (c) 0000 0001 0000 sec_login_get_expiration
    (d) 0000 0001 0000 sec_login_get_groups
    (e) 0000 0001 0000 sec_login_get_pwent
    (f) 0000 0001 0000 sec_login_import_context
    (g) 0000 0001 0000 sec_login_init_first
    (h) 0000 0001 0000 sec_login_newgroups
    (i) 0000 0001 0000 sec_login_purge_context
    (j) 0000 0001 0000 sec_login_refresh_identity
    (k) 0000 0001 0000 sec_login_setup_first
    (l) 0000 0001 0000 sec_login_set_context
    (m) 0000 0001 0000 sec_login_validate_first
    (n) 0000 0001 0000 setpwfile
    (o) 0000 0001 0010 rdacl_get_access
    (p) 0000 0001 0010 sec_key_mgmt_change_key
    (q) 0000 0001 0010 sec_key_mgmt_delete_key
    (r) 0000 0001 0010 sec_key_mgmt_delete_key_type
    (s) 0000 0001 0010 sec_key_mgmt_garbage_collect
    (t) 0000 0001 0010 sec_key_mgmt_gen_rand_key
    (u) 0000 0001 0010 sec_key_mgmt_manage_key
    (v) 0000 0001 0010 sec_key_mgmt_set_key
    (w) 0000 0001 0010 sec_login_certify_identity
    (x) 0000 0001 0010 sec_login_setup_identity
    (y) 0000 0001 0010 sec_login_validate_identity
    (z) 0000 0001 0010 sec_login_valid_and_cert_ident

2.6. Object Creation Event Class (Flag: 0000 0010 0000)

2.6.1. Description

This event class includes processes that create file system objects. File system objects include: filesets, access control lists, Fileset Location Database (FLDB), end point maps and registry database entries, policy and properties. They do not include principal, group and organization (PGO) items stored in the name service database, pthread attribute objects, BOS server objects (e.g. bnodes, server keys, administration lists, flags, or times), or UUID's.

2.6.2. API's to be audited for the Object Creation event class

    (a) 0000 0010 0000 om_copy
    (b) 0000 0010 0000 om_copy_value
    (c) 0000 0010 0000 om_create
    (d) 0000 0010 0000 om_get
    (e) 0000 0010 0000 VC_BackupVolume
    (f) 0000 0010 0000 VC_CreateVolume
    (g) 0000 0010 0010 FTSERVER_DeleteVolume
    (h) 0000 0010 0011 FTSERVER_Clone
    (i) 0000 0010 0011 FTSERVER_CreateVolume
    (j) 0000 0010 0110 BOSSVR_Install
    (k) 0000 0110 0000 VC_MoveVolume
    (l) 0000 0110 0000 VC_RenameVolume

2.7. Object Deletion Event Class (Flag: 0000 0100 0000)

2.7.1. Description

This event class includes processes that delete file system objects. File system objects include: filesets, access control lists, Fileset Location Database (FLDB), end point maps and registry database entries, policy and properties. They do not include principal, group and organization (PGO) items stored in the name service database, keys, pthread attribute objects, BOS server objects (e.g. bnodes, server keys, administration lists, flags, or times), or UUID's.

2.7.2. API's to be audited for the Object Deletion event class

    (a) 0000 0100 0000 om_delete
    (b) 0000 0100 0000 VC_DeleteVolume
    (c) 0000 0100 0000 VC_VolumeZap
    (d) 0000 0100 0110 BOSSVR_Prune
    (e) 0000 0110 0000 VC_MoveVolume
    (f) 0000 0110 0000 VC_RenameVolume

2.8. Object Modification Event Class (Flag: 0000 1000 0000)

2.8.1. Description

This event class includes processes that modify file system objects. File system objects include: filesets, access control lists, Fileset Location Database (FLDB), end point maps and registry database entries, policy and properties. They do not include principal, group and organization (PGO) items stored in the name service database, keys, pthread attribute objects, BOS server objects (e.g. bnodes, server keys, administration lists, flags, or times), or UUID's.

2.8.2. API's to be audited for the Object Modification event class

    (a) 0000 1000 0000 om_write
    (b) 0000 1000 0000 rpc_ep_register
    (c) 0000 1000 0000 rpc_ep_register_no_replace
    (d) 0000 1000 0000 rpc_ep_unregister
    (e) 0000 1000 0000 rpc_mgmt_ep_unregister
    (f) 0000 1000 0000 VC_DumpVolume
    (g) 0000 1000 0000 VC_RestoreVolume
    (h) 0000 1000 0000 VC_SyncServer
    (i) 0000 1000 0000 VC_SyncVldb
    (j) 0000 1000 0000 VL_AlterServer
    (k) 0000 1000 0000 VL_CreateServer
    (l) 0000 1000 0010 FTSERVER_Dump
    (m) 0000 1000 0010 FTSERVER_Forward
    (n) 0000 1000 0010 FTSERVER_Restore
    (o) 0000 1000 0010 sec_rgy_acct_add
    (p) 0000 1000 0010 sec_rgy_acct_admin_replace
    (q) 0000 1000 0010 sec_rgy_acct_delete
    (r) 0000 1000 0010 sec_rgy_acct_passwd
    (s) 0000 1000 0010 sec_rgy_acct_rename
    (t) 0000 1000 0010 sec_rgy_acct_replace_all
    (u) 0000 1000 0010 sec_rgy_acct_user_replace
    (v) 0000 1000 0010 sec_rgy_auth_plcy_set_info
    (w) 0000 1000 0010 sec_rgy_pgo_add
    (x) 0000 1000 0010 sec_rgy_pgo_add_member
    (y) 0000 1000 0010 sec_rgy_pgo_delete
    (z) 0000 1000 0010 sec_rgy_pgo_delete_member
    (aa) 0000 1000 0010 sec_rgy_pgo_rename
    (ab) 0000 1000 0010 sec_rgy_pgo_replace
    (ac) 0000 1000 0010 sec_rgy_plcy_set_info
    (ad) 0000 1000 0010 sec_rgy_properties_set_info
    (ae) 0000 1000 0011 FTSERVER_ReClone
    (af) 0000 1000 0110 BOSSVR_GarbageCollectKeys
    (ag) 0000 1000 0110 VL_AddAddress
    (ah) 0000 1000 0110 VL_ChangeAddress
    (ai) 0000 1000 0110 VL_CreateEntry
    (aj) 0000 1000 0110 VL_DeleteEntry
    (ak) 0000 1000 0110 VL_ReleaseLock
    (al) 0000 1000 0110 VL_RemoveAddress
    (am) 0000 1000 0110 VL_SetLock

2.9. Path Modification Event Class (Flag: 0001 0000 0000)

2.9.1. Description

This event class includes actions that cause the path to be modified.

2.9.2. API's to be audited for the Path Modification event class

(None currently exist in DCE)

2.10. Privilege Event Class (Flag: 0010 0000 0000)

2.10.1. Description

This class includes operations that succeed because the process has special privileges and operations that fail due to lack of privilege.

2.10.2. API's to be audited for the Privilege event class

(None currently exist in DCE)

2.11. Proc Event Class (Flag: 0100 0000 0000)

2.11.1. Description

This event class includes API's which execute processes. Processes are threads, BOS server bnodes or Remote Procedure Call (RPC) runtime routines.

2.11.2. Associated data types

Any API which uses the following data types to create or remove a process should be audited:

    (a) pthread_addr_t
    (b) pthread_attr_t
    (c) pthread_condattr_t
    (d) pthread_destructor_t
    (e) pthread_initroutine_t
    (f) pthread_mutex_t
    (g) pthread_startroutine_t

2.11.3. API's to be audited for the Proc event class

    (a) 0100 0000 0000 ds_initialize
    (b) 0100 0000 0000 ds_shutdown
    (c) 0100 0000 0000 pthread_create
    (d) 0100 0000 0000 pthread_exit
    (e) 0100 0000 0000 pthread_lock_global_np
    (f) 0100 0000 0000 pthread_mutex_lock
    (g) 0100 0000 0000 pthread_mutex_trylock
    (h) 0100 0000 0000 pthread_mutex_unlock
    (i) 0100 0000 0000 pthread_testcancel
    (j) 0100 0000 0000 pthread_unlock_global_np
    (k) 0100 0000 0000 pthread_yield
    (l) 0100 0000 0000 rpc_mgmt_stop_server_listening
    (m) 0100 0000 0000 sec_rgy_wait_until_consistent
    (n) 0100 0000 0010 FTSERVER_GetFlags
    (o) 0100 0000 0010 FTSERVER_GetStatus
    (p) 0100 0000 0010 FTSERVER_Monitor
    (q) 0100 0000 0110 BOSSVR_AddKey
    (r) 0100 0000 0110 BOSSVR_AddSUser
    (s) 0100 0000 0110 BOSSVR_DeleteKey
    (t) 0100 0000 0110 BOSSVR_DeleteSuser
    (u) 0100 0000 0110 BOSSVR_Exec
    (v) 0100 0000 0110 BOSSVR_GenerateKey
    (w) 0100 0000 0110 BOSSVR_ReBossvr
    (x) 0100 0000 0110 BOSSVR_Restart
    (y) 0100 0000 0110 BOSSVR_RestartAll
    (z) 0100 0000 0110 BOSSVR_ShutdownAll
    (aa) 0100 0000 0110 BOSSVR_StartupAll
    (ab) 0100 0000 0110 BOSSVR_UnInstall
    (ac) 0100 0000 0110 BOSSVR_WaitAll
    (ad) 1100 0000 0000 pthread_cleanup_pop
    (ae) 1100 0000 0000 pthread_cleanup_push

2.12. Proc Control Event Class (Flag: 1000 0000 0000)

2.12.1. Description

This event class includes modifications to process attribute objects. Processes are threads, BOS server bnodes or Remote Procedure Call (RPC) runtime routines. These process attribute objects include: thread attribute objects, bnode parameters, server keys or flags, administration lists, and name service entries.

2.12.2. Associated data types

Any API which uses the following data types to create or remove a process should be audited:

    (a) rpc_if_id_t
    (b) rpc_ns_handle_t

2.12.3. API's to be audited for the Proc Control event class

    (a) 1000 0000 0000 atfork
    (b) 1000 0000 0000 pthread_attr_create
    (c) 1000 0000 0000 pthread_attr_delete
    (d) 1000 0000 0000 pthread_attr_setinhertsched
    (e) 1000 0000 0000 pthread_attr_setprio
    (f) 1000 0000 0000 pthread_attr_setsched
    (g) 1000 0000 0000 pthread_attr_setstacksize
    (h) 1000 0000 0000 pthread_cancel
    (i) 1000 0000 0000 pthread_condattr_create
    (j) 1000 0000 0000 pthread_condattr_delete
    (k) 1000 0000 0000 pthread_cond_broadcast
    (l) 1000 0000 0000 pthread_cond_destroy
    (m) 1000 0000 0000 pthread_cond_init
    (n) 1000 0000 0000 pthread_cond_signal
    (o) 1000 0000 0000 pthread_cond_timedwait
    (p) 1000 0000 0000 pthread_cond_wait
    (q) 1000 0000 0000 pthread_delay_np
    (r) 1000 0000 0000 pthread_detach
    (s) 1000 0000 0000 pthread_join
    (t) 1000 0000 0000 pthread_keycreate
    (u) 1000 0000 0000 pthread_mutexattr_create
    (v) 1000 0000 0000 pthread_mutexattr_delete
    (w) 1000 0000 0000 pthread_mutexattr_setkind_np
    (x) 1000 0000 0000 pthread_mutex_destroy
    (y) 1000 0000 0000 pthread_mutex_init
    (z) 1000 0000 0000 pthread_once
    (aa) 1000 0000 0000 pthread_setasynccancel
    (ab) 1000 0000 0000 pthread_setcancel
    (ac) 1000 0000 0000 pthread_setprio
    (ad) 1000 0000 0000 pthread_setscheduler
    (ae) 1000 0000 0000 pthread_setspecific
    (af) 1000 0000 0000 rpc_mgmt_set_cancel_timeout
    (ag) 1000 0000 0000 rpc_mgmt_set_com_timeout
    (ah) 1000 0000 0000 rpc_ns_group_delete
    (ai) 1000 0000 0000 rpc_ns_group_mbr_add
    (aj) 1000 0000 0000 rpc_ns_group_mbr_inq_next
    (ak) 1000 0000 0000 rpc_ns_group_mbr_remove
    (al) 1000 0000 0000 rpc_ns_mgmt_binding_unexport
    (am) 1000 0000 0000 rpc_ns_mgmt_entry_create
    (an) 1000 0000 0000 rpc_ns_mgmt_entry_delete
    (ao) 1000 0000 0000 rpc_ns_mgmt_entry_inq_if_ids
    (ap) 1000 0000 0000 rpc_ns_mgmt_handle_set_exp_age
    (aq) 1000 0000 0000 rpc_ns_mgmt_set_exp_age
    (ar) 1000 0000 0000 rpc_ns_profile_delete
    (as) 1000 0000 0000 rpc_ns_profile_elt_add
    (at) 1000 0000 0000 rpc_ns_profile_elt_inq_next
    (au) 1000 0000 0000 rpc_ns_profile_elt_remove
    (av) 1000 0000 0000 rpc_object_set_inq_fn
    (aw) 1000 0000 0000 rpc_object_set_type
    (ax) 1000 0000 0000 rpc_server_register_auth_info
    (ay) 1000 0000 0000 rpc_server_register_if
    (az) 1000 0000 0000 rpc_server_unregister_if
    (ba) 1000 0000 0000 rpc_server_use_all_protseqs
    (bb) 1000 0000 0000 rpc_server_use_all_protseqs_if
    (bc) 1000 0000 0000 rpc_server_use_protseq
    (bd) 1000 0000 0000 rpc_server_use_protseq_ep
    (be) 1000 0000 0000 rpc_server_use_protseq_if
    (bf) 1000 0000 0000 rpc_ss_register_auth_info
    (bg) 1000 0000 0110 BOSSVR_CreateBnode
    (bh) 1000 0000 0110 BOSSVR_DeleteBnode
    (bi) 1000 0000 0110 BOSSVR_SetNoAuthFlag
    (bj) 1000 0000 0110 BOSSVR_SetRestartTime
    (bk) 1000 0000 0110 BOSSVR_SetStatus
    (bl) 1000 0000 0110 BOSSVR_SetTStatus
    (bm) 1100 0000 0000 pthread_cleanup_pop
    (bn) 1100 0000 0000 pthread_cleanup_push

2.13. API's Not Audited (Flag: 0000 0000 0000)

2.13.1. Description

Retrieving data on processes, files, filesets, FLDB, or servers such as enumerations, descriptions, parameters, status, names (cells, files, users, bindings, pgo), membership, lists, date or time stamps, attributes, global name generations or translations, freeing of memory, creating, deleting, modifying or retrieving context details, TGT data, mutex type attributes, UUID creations or using IDL or NIDL compilers.

2.13.2. API's not audited for any event class

    (a) 0000 0000 0000 BOSSVR_EnumerateInstance
    (b) 0000 0000 0000 BOSSVR_GetCellName
    (c) 0000 0000 0000 BOSSVR_GetDates
    (d) 0000 0000 0000 BOSSVR_GetInstanceInfo
    (e) 0000 0000 0000 BOSSVR_GetInstanceParm
    (f) 0000 0000 0000 BOSSVR_GetRestartTime
    (g) 0000 0000 0000 BOSSVR_GetStatus
    (h) 0000 0000 0000 BOSSVR_ListSUsers
    (i) 0000 0000 0000 dce_cf_binding_entry_from_host
    (j) 0000 0000 0000 dce_cf_find_name_by_key
    (k) 0000 0000 0000 dce_cf_get_cell_name
    (l) 0000 0000 0000 dce_cf_get_host_name
    (m) 0000 0000 0000 dce_cf_prin_name_from_host
    (n) 0000 0000 0000 dce_error_inq_text
    (o) 0000 0000 0000 ds_bind
    (p) 0000 0000 0000 ds_compare
    (q) 0000 0000 0000 ds_feature
    (r) 0000 0000 0000 ds_list
    (s) 0000 0000 0000 ds_read
    (t) 0000 0000 0000 ds_search
    (u) 0000 0000 0000 ds_unbind
    (v) 0000 0000 0000 ds_version
    (w) 0000 0000 0000 endgrent
    (x) 0000 0000 0000 endpwent
    (y) 0000 0000 0000 fileset_transStatus
    (z) 0000 0000 0000 FTSERVER_AggregateInfo
    (aa) 0000 0000 0000 FTSERVER_GetOneVolStatus
    (ab) 0000 0000 0000 getgrent
    (ac) 0000 0000 0000 getgrid
    (ad) 0000 0000 0000 getgrnam
    (ae) 0000 0000 0000 getpwent
    (af) 0000 0000 0000 getpwnam
    (ag) 0000 0000 0000 getpwwid
    (ah) 0000 0000 0000 idl
    (ai) 0000 0000 0000 ioctl
    (aj) 0000 0000 0000 om_instance
    (ak) 0000 0000 0000 om_read
    (al) 0000 0000 0000 pthread_attr_getinheritsched
    (am) 0000 0000 0000 pthread_attr_getprio
    (an) 0000 0000 0000 pthread_attr_getsched
    (ao) 0000 0000 0000 pthread_attr_getstacksize
    (ap) 0000 0000 0000 pthread_getprio
    (aq) 0000 0000 0000 pthread_getscheduler
    (ar) 0000 0000 0000 pthread_getspecific
    (as) 0000 0000 0000 pthread_get_expiration_np
    (at) 0000 0000 0000 pthread_mutexattr_getkind_np
    (au) 0000 0000 0000 pthread_self
    (av) 0000 0000 0000 rdacl_get_manager_types
    (aw) 0000 0000 0000 rdacl_get_printstring
    (ax) 0000 0000 0000 rdacl_get_referral
    (ay) 0000 0000 0000 rdacl_lookup
    (az) 0000 0000 0000 rdacl_test_access
    (ba) 0000 0000 0000 rdacl_test_access_on_behalf
    (bb) 0000 0000 0000 rpccp
    (bc) 0000 0000 0000 rpcd
    (bd) 0000 0000 0000 rpc_binding_copy
    (be) 0000 0000 0000 rpc_binding_free
    (bf) 0000 0000 0000 rpc_binding_from_string_binding
    (bg) 0000 0000 0000 rpc_binding_inq_auth_client
    (bh) 0000 0000 0000 rpc_binding_inq_auth_info
    (bi) 0000 0000 0000 rpc_binding_inq_object
    (bj) 0000 0000 0000 rpc_binding_reset
    (bk) 0000 0000 0000 rpc_binding_server_from_client
    (bl) 0000 0000 0000 rpc_binding_set_auth_info
    (bm) 0000 0000 0000 rpc_binding_set_object
    (bn) 0000 0000 0000 rpc_binding_to_sting_binding
    (bo) 0000 0000 0000 rpc_binding_vector_free
    (bp) 0000 0000 0000 rpc_ep_resolve_binding
    (bq) 0000 0000 0000 rpc_if_id_vector_free
    (br) 0000 0000 0000 rpc_if_inq_id
    (bs) 0000 0000 0000 rpc_mgmt_ep_elt_inq_begin
    (bt) 0000 0000 0000 rpc_mgmt_ep_elt_inq_done
    (bu) 0000 0000 0000 rpc_mgmt_ep_elt_inq_next
    (bv) 0000 0000 0000 rpc_mgmt_inq_com_timeout
    (bw) 0000 0000 0000 rpc_mgmt_inq_dflt_protect_level
    (bx) 0000 0000 0000 rpc_mgmt_inq_if_ids
    (by) 0000 0000 0000 rpc_mgmt_inq_server_princ_name
    (bz) 0000 0000 0000 rpc_mgmt_inq_stats
    (ca) 0000 0000 0000 rpc_mgmt_is_server_listening
    (cb) 0000 0000 0000 rpc_mgmt_set_authorization_fn
    (cc) 0000 0000 0000 rpc_mgmt_set_server_stack_size
    (cd) 0000 0000 0000 rpc_mgmt_stats_vector_free
    (ce) 0000 0000 0000 rpc_network_inq_protseqs
    (cf) 0000 0000 0000 rpc_network_is_protseq_valid
    (cg) 0000 0000 0000 rpc_ns_binding_export
    (ch) 0000 0000 0000 rpc_ns_binding_import_begin
    (ci) 0000 0000 0000 rpc_ns_binding_import_done
    (cj) 0000 0000 0000 rpc_ns_binding_import_next
    (ck) 0000 0000 0000 rpc_ns_binding_inq_entry_name
    (cl) 0000 0000 0000 rpc_ns_binding_lookup_begin
    (cm) 0000 0000 0000 rpc_ns_binding_lookup_done
    (cn) 0000 0000 0000 rpc_ns_binding_lookup_next
    (co) 0000 0000 0000 rpc_ns_binding_select
    (cp) 0000 0000 0000 rpc_ns_binding_unexport
    (cq) 0000 0000 0000 rpc_ns_entry_expand_name
    (cr) 0000 0000 0000 rpc_ns_entry_object_inq_begin
    (cs) 0000 0000 0000 rpc_ns_entry_object_inq_done
    (ct) 0000 0000 0000 rpc_ns_entry_object_inq_next
    (cu) 0000 0000 0000 rpc_ns_group_mbr_inq_begin
    (cv) 0000 0000 0000 rpc_ns_group_mbr_inq_done
    (cw) 0000 0000 0000 rpc_ns_mgmt_inq_exp_age
    (cx) 0000 0000 0000 rpc_ns_profile_elt_inq_begin
    (cy) 0000 0000 0000 rpc_ns_profile_elt_inq_done
    (cz) 0000 0000 0000 rpc_object_inq_type
    (da) 0000 0000 0000 rpc_protseq_vector_free
    (db) 0000 0000 0000 rpc_server_inq_bindings
    (dc) 0000 0000 0000 rpc_server_inq_if
    (dd) 0000 0000 0000 rpc_server_inq_listen
    (de) 0000 0000 0000 rpc_ss_allocate
    (df) 0000 0000 0000 rpc_ss_destroy_client_context
    (dg) 0000 0000 0000 rpc_ss_disable_allocate
    (dh) 0000 0000 0000 rpc_ss_enable_allocate
    (di) 0000 0000 0000 rpc_ss_free
    (dj) 0000 0000 0000 rpc_ss_get_thread_handle
    (dk) 0000 0000 0000 rpc_ss_set_client_alloc_free
    (dl) 0000 0000 0000 rpc_ss_set_thread_handle
    (dm) 0000 0000 0000 rpc_ss_swap_client_alloc_free
    (dn) 0000 0000 0000 rpc_string_binding_compose
    (do) 0000 0000 0000 rpc_string_binding_parse
    (dp) 0000 0000 0000 rpc_string_free
    (dq) 0000 0000 0000 rpc_x_no_memory
    (dr) 0000 0000 0000 sec_acl_bind
    (ds) 0000 0000 0000 sec_acl_bind_to_addr
    (dt) 0000 0000 0000 sec_acl_get_access
    (du) 0000 0000 0000 sec_acl_get_error_info
    (dv) 0000 0000 0000 sec_acl_get_manager_types
    (dw) 0000 0000 0000 sec_acl_get_printstring
    (dx) 0000 0000 0000 sec_acl_mgr_configure
    (dy) 0000 0000 0000 sec_acl_mgr_get_manager_types
    (dz) 0000 0000 0000 sec_acl_mgr_get_printstring
    (ea) 0000 0000 0000 sec_acl_mgr_lookup
    (eb) 0000 0000 0000 sec_acl_release
    (ec) 0000 0000 0000 sec_acl_release_handle
    (ed) 0000 0000 0000 sec_acl_test_access
    (ee) 0000 0000 0000 sec_acl_test_access_on_behalf
    (ef) 0000 0000 0000 sec_id_gen_group
    (eg) 0000 0000 0000 sec_id_gen_name
    (eh) 0000 0000 0000 sec_id_parse_group
    (ei) 0000 0000 0000 sec_id_parse_name
    (ej) 0000 0000 0000 sec_key_mgmt_free_key
    (ek) 0000 0000 0000 sec_key_mgmt_release_cursor
    (el) 0000 0000 0000 sec_login_free_net_info
    (em) 0000 0000 0000 sec_login_inquire_net_info
    (en) 0000 0000 0000 sec_login_release_context
    (eo) 0000 0000 0000 sec_rgy_acct_get_projlist
    (ep) 0000 0000 0000 sec_rgy_acct_lookup
    (eq) 0000 0000 0000 sec_rgy_auth_plcy_get_effective
    (er) 0000 0000 0000 sec_rgy_auth_plcy_get_info
    (es) 0000 0000 0000 sec_rgy_cell_bind
    (et) 0000 0000 0000 sec_rgy_cursor_reset
    (eu) 0000 0000 0000 sec_rgy_login_get_effective
    (ev) 0000 0000 0000 sec_rgy_login_get_info
    (ew) 0000 0000 0000 sec_rgy_pgo_get_by_id
    (ex) 0000 0000 0000 sec_rgy_pgo_get_by_name
    (ey) 0000 0000 0000 sec_rgy_pgo_get_by_unix_num
    (ez) 0000 0000 0000 sec_rgy_pgo_get_members
    (fa) 0000 0000 0000 sec_rgy_pgo_get_next
    (fb) 0000 0000 0000 sec_rgy_pgo_id_to_name
    (fc) 0000 0000 0000 sec_rgy_pgo_id_to_unix_num
    (fd) 0000 0000 0000 sec_rgy_pgo_is_member
    (fe) 0000 0000 0000 sec_rgy_pgo_name_to_id
    (ff) 0000 0000 0000 sec_rgy_pgo_name_to_unix_num
    (fg) 0000 0000 0000 sec_rgy_pgo_unix_num_to_id
    (fh) 0000 0000 0000 sec_rgy_pgo_unix_num_to_name
    (fi) 0000 0000 0000 sec_rgy_plcy_get_effective
    (fj) 0000 0000 0000 sec_rgy_plcy_get_info
    (fk) 0000 0000 0000 sec_rgy_properties_get_info
    (fl) 0000 0000 0000 sec_rgy_site_bind
    (fm) 0000 0000 0000 sec_rgy_site_binding_get_info
    (fn) 0000 0000 0000 sec_rgy_site_bind_query
    (fo) 0000 0000 0000 sec_rgy_site_bind_update
    (fp) 0000 0000 0000 sec_rgy_site_close
    (fq) 0000 0000 0000 sec_rgy_site_get
    (fr) 0000 0000 0000 sec_rgy_site_is_readonly
    (fs) 0000 0000 0000 sec_rgy_site_open
    (ft) 0000 0000 0000 sec_rgy_site_open_query
    (fu) 0000 0000 0000 sec_rgy_site_open_update
    (fv) 0000 0000 0000 setgrent
    (fw) 0000 0000 0000 setgrfile
    (fx) 0000 0000 0000 setgroupent
    (fy) 0000 0000 0000 setpassent
    (fz) 0000 0000 0000 setpwent
    (ga) 0000 0000 0000 utc_abstime
    (gb) 0000 0000 0000 utc_addtime
    (gc) 0000 0000 0000 utc_anytime
    (gd) 0000 0000 0000 utc_anyzone
    (ge) 0000 0000 0000 utc_ascanytime
    (gf) 0000 0000 0000 utc_ascgmtime
    (gg) 0000 0000 0000 utc_asclocaltime
    (gh) 0000 0000 0000 utc_ascreltime
    (gi) 0000 0000 0000 utc_binreltime
    (gj) 0000 0000 0000 utc_bintime
    (gk) 0000 0000 0000 utc_boundtime
    (gl) 0000 0000 0000 utc_cmpintervaltime
    (gm) 0000 0000 0000 utc_cmpmidtime
    (gn) 0000 0000 0000 utc_gettime
    (go) 0000 0000 0000 utc_getusertime
    (gp) 0000 0000 0000 utc_gmtime
    (gq) 0000 0000 0000 utc_gmtzone
    (gr) 0000 0000 0000 utc_localtime
    (gs) 0000 0000 0000 utc_localzone
    (gt) 0000 0000 0000 utc_mkanytime
    (gu) 0000 0000 0000 utc_mkascreltime
    (gv) 0000 0000 0000 utc_mkasctime
    (gw) 0000 0000 0000 utc_mkbinreltime
    (gx) 0000 0000 0000 utc_mkbintime
    (gy) 0000 0000 0000 utc_mkgmtime
    (gz) 0000 0000 0000 utc_mklocaltime
    (ha) 0000 0000 0000 utc_mkreltime
    (hb) 0000 0000 0000 utc_mulftime
    (hc) 0000 0000 0000 utc_multime
    (hd) 0000 0000 0000 utc_pointime
    (he) 0000 0000 0000 utc_reltime
    (hf) 0000 0000 0000 utc_spantime
    (hg) 0000 0000 0000 utc_subtime
    (hh) 0000 0000 0000 uuidgen
    (hi) 0000 0000 0000 uuid_compare
    (hj) 0000 0000 0000 uuid_create
    (hk) 0000 0000 0000 uuid_create_nil
    (hl) 0000 0000 0000 uuid_equal
    (hm) 0000 0000 0000 uuid_from_string
    (hn) 0000 0000 0000 uuid_hash
    (ho) 0000 0000 0000 uuid_is_nil
    (hp) 0000 0000 0000 uuid_to_string
    (hq) 0000 0000 0000 VC_ListVolumes
    (hr) 0000 0000 0000 VC_VolserStatus
    (hs) 0000 0000 0000 VC_VolumeStatus
    (ht) 0000 0000 0000 VldbListByAttributes
    (hu) 0000 0000 0000 VL_ExpandSiteCookie
    (hv) 0000 0000 0000 VL_GenerateSites
    (hw) 0000 0000 0000 VL_GetCellInfo
    (hx) 0000 0000 0000 VL_GetCEntryByID
(hy) 0000 0000 0000 VL_GetCEntryByName
(hz) 0000 0000 0000 VL_GetCNextServersByID
(ia) 0000 0000 0000 VL_GetCNextServersByName
(ib) 0000 0000 0000 VL_GetEntryByID
(ic) 0000 0000 0000 VL_GetEntryByName
(id) 0000 0000 0000 VL_GetNextServerByID
(ie) 0000 0000 0000 VL_GetNextServerByName
(if) 0000 0000 0000 VL_GetSiteInfo
(ig) 0000 0000 0000 VL_ListByAttributes
(ih) 0000 0000 0000 VL_ListEntry
(ii) 0000 0000 0000 VL_Probe
(ij) 0000 0000 0000 volser_Date

3. ACKNOWLEDGEMENTS

This work was done while the author was on sabbatical at OSF. The author thanks Paul Karger (OSF) for his help during that period.

APPENDIX A. LIST OF MASKS AND API'S, ORDERED BY MASK

This appendix contains a list of the DCE API's to be audited to meet C2 requirements. The API's have been classified into 12 categories of audit events using a 12-bit mask in which each bit position determines which, if any, event classes a particular API falls into. For example, the API FTSERVER_SetStatus has a bit mask of 0000 0000 0011 and therefore should be audited as an attribute change and access denial audit event. The text below each API and associated mask gives a brief description of why that particular mask bit has been turned on for that API. Using the same example of FTSERVER_SetStatus, "Fileset" denotes that this API sets an attribute on a fileset (status information); the text following it names the error status messages returned if this API fails due to lack of permissions. This list has been sorted in numeric order by audit event mask and then in alphabetical order by API name, to allow the reviewer to see the commonality between API's within the same event class.
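
The mask convention described above, worked through in Python as an added example (not part of the original RFC). The class names and bit order come from section 2 and the sample entries are copied from this appendix; the function names are choices made for this example.

```python
import re

# Event classes in bit order (bit 0 first), as listed in section 2 of the RFC.
EVENT_CLASSES = [
    "Attribute Change", "Access Denials", "Admin-Operator", "Audit",
    "Authentication", "Object Creation", "Object Deletion",
    "Object Modification", "Path Modification", "Privilege",
    "Proc", "Proc Control",
]

_MASK_RE = re.compile(r"^[01]{4} [01]{4} [01]{4}$")
_ENTRY_RE = re.compile(
    r"^\((?P<label>[a-z]{1,2})\)\s+"
    r"(?P<mask>[01]{4} [01]{4} [01]{4})\s+"
    r"(?P<api>\S+)$"
)


def parse_mask(text):
    """Turn '0000 0000 0011' into an integer; reject anything else."""
    text = text.strip()
    if not _MASK_RE.match(text):
        raise ValueError("not a 12-bit mask: %r" % text)
    return int(text.replace(" ", ""), 2)


def decode(mask):
    """Return the event class names whose bits are set in mask."""
    if not 0 <= mask < (1 << len(EVENT_CLASSES)):
        raise ValueError("mask out of range: %r" % mask)
    return [name for bit, name in enumerate(EVENT_CLASSES) if mask & (1 << bit)]


def class_bit(name):
    """Return the single-bit mask for one event class name."""
    return 1 << EVENT_CLASSES.index(name)


def parse_entry(line):
    """Parse one appendix entry line into (label, mask, api_name)."""
    match = _ENTRY_RE.match(line.strip())
    if match is None:
        raise ValueError("not an appendix entry: %r" % line)
    return match["label"], parse_mask(match["mask"]), match["api"]


def apis_in_classes(entries, selection):
    """APIs that must produce a record when any class in selection is enabled."""
    return [api for _, mask, api in entries if mask & selection]


def unaudited(entries):
    """APIs whose mask is all zeros, i.e. never audited."""
    return [api for _, mask, api in entries if mask == 0]


# Entries copied from Appendix A (descriptions omitted).
SAMPLE = """
(ji) 0000 0000 0011 FTSERVER_SetStatus
(jn) 0000 0000 0111 VL_ReplaceEntry
(ls) 0000 1000 0010 sec_rgy_acct_add
(nh) 0100 0000 0110 BOSSVR_AddKey
(qh) 1100 0000 0000 pthread_cleanup_push
(hj) 0000 0000 0000 uuid_create
"""
ENTRIES = [parse_entry(line) for line in SAMPLE.splitlines() if line.strip()]

if __name__ == "__main__":
    for label, mask, api in ENTRIES:
        classes = ", ".join(decode(mask)) or "not audited"
        print("%-22s %s" % (api, classes))
    denied = apis_in_classes(ENTRIES, class_bit("Access Denials"))
    print("Access Denials:", ", ".join(denied))
```
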

(a) 0000 0000 0000 BOSSVR_EnumerateInstance
(b) 0000 0000 0000 BOSSVR_GetCellName
(c) 0000 0000 0000 BOSSVR_GetDates
(d) 0000 0000 0000 BOSSVR_GetInstanceInfo
(e) 0000 0000 0000 BOSSVR_GetInstanceParm
(f) 0000 0000 0000 BOSSVR_GetRestartTime
(g) 0000 0000 0000 BOSSVR_GetStatus
(h) 0000 0000 0000 BOSSVR_ListSUsers
(i) 0000 0000 0000 dce_cf_binding_entry_from_host
(j) 0000 0000 0000 dce_cf_find_name_by_key
(k) 0000 0000 0000 dce_cf_get_cell_name
(l) 0000 0000 0000 dce_cf_get_host_name
(m) 0000 0000 0000 dce_cf_prin_name_from_host
(n) 0000 0000 0000 dce_error_inq_text
(o) 0000 0000 0000 ds_bind
(p) 0000 0000 0000 ds_compare
(q) 0000 0000 0000 ds_feature
(r) 0000 0000 0000 ds_list
(s) 0000 0000 0000 ds_read
(t) 0000 0000 0000 ds_search
(u) 0000 0000 0000 ds_unbind
(v) 0000 0000 0000 ds_version
(w) 0000 0000 0000 endgrent
(x) 0000 0000 0000 endpwent
(y) 0000 0000 0000 fileset_transStatus
(z) 0000 0000 0000 FTSERVER_AggregateInfo
(aa) 0000 0000 0000 FTSERVER_GetOneVolStatus
(ab) 0000 0000 0000 getgrent
(ac) 0000 0000 0000 getgrgid
(ad) 0000 0000 0000 getgrnam
(ae) 0000 0000 0000 getpwent
(af) 0000 0000 0000 getpwnam
(ag) 0000 0000 0000 getpwuid
(ah) 0000 0000 0000 idl
(ai) 0000 0000 0000 ioctl
(aj) 0000 0000 0000 om_instance
(ak) 0000 0000 0000 om_read
(al) 0000 0000 0000 pthread_attr_getinheritsched
(am) 0000 0000 0000 pthread_attr_getprio
(an) 0000 0000 0000 pthread_attr_getsched
(ao) 0000 0000 0000 pthread_attr_getstacksize
(ap) 0000 0000 0000 pthread_getprio
(aq) 0000 0000 0000 pthread_getscheduler
(ar) 0000 0000 0000 pthread_getspecific
(as) 0000 0000 0000 pthread_get_expiration_np
(at) 0000 0000 0000 pthread_mutexattr_getkind_np
(au) 0000 0000 0000 pthread_self
(av) 0000 0000 0000 rdacl_get_manager_types
(aw) 0000 0000 0000 rdacl_get_printstring
(ax) 0000 0000 0000 rdacl_get_referral
(ay) 0000 0000 0000 rdacl_lookup
(az) 0000 0000 0000 rdacl_test_access
(ba) 0000 0000 0000 rdacl_test_access_on_behalf
(bb) 0000 0000 0000 rpccp
(bc) 0000 0000 0000 rpcd
(bd) 0000 0000 0000 rpc_binding_copy
(be) 0000 0000 0000 rpc_binding_free
(bf) 0000 0000 0000 rpc_binding_from_string_binding
(bg) 0000 0000 0000 rpc_binding_inq_auth_client
(bh) 0000 0000 0000 rpc_binding_inq_auth_info
(bi) 0000 0000 0000 rpc_binding_inq_object
(bj) 0000 0000 0000 rpc_binding_reset
(bk) 0000 0000 0000 rpc_binding_server_from_client
(bl) 0000 0000 0000 rpc_binding_set_auth_info
(bm) 0000 0000 0000 rpc_binding_set_object
(bn) 0000 0000 0000 rpc_binding_to_string_binding
(bo) 0000 0000 0000 rpc_binding_vector_free
(bp) 0000 0000 0000 rpc_ep_resolve_binding
(bq) 0000 0000 0000 rpc_if_id_vector_free
(br) 0000 0000 0000 rpc_if_inq_id
(bs) 0000 0000 0000 rpc_mgmt_ep_elt_inq_begin
(bt) 0000 0000 0000 rpc_mgmt_ep_elt_inq_done
(bu) 0000 0000 0000 rpc_mgmt_ep_elt_inq_next
(bv) 0000 0000 0000 rpc_mgmt_inq_com_timeout
(bw) 0000 0000 0000 rpc_mgmt_inq_dflt_protect_level
(bx) 0000 0000 0000 rpc_mgmt_inq_if_ids
(by) 0000 0000 0000 rpc_mgmt_inq_server_princ_name
(bz) 0000 0000 0000 rpc_mgmt_inq_stats
(ca) 0000 0000 0000 rpc_mgmt_is_server_listening
(cb) 0000 0000 0000 rpc_mgmt_set_authorization_fn
(cc) 0000 0000 0000 rpc_mgmt_set_server_stack_size
(cd) 0000 0000 0000 rpc_mgmt_stats_vector_free
(ce) 0000 0000 0000 rpc_network_inq_protseqs
(cf) 0000 0000 0000 rpc_network_is_protseq_valid
(cg) 0000 0000 0000 rpc_ns_binding_export
(ch) 0000 0000 0000 rpc_ns_binding_import_begin
(ci) 0000 0000 0000 rpc_ns_binding_import_done
(cj) 0000 0000 0000 rpc_ns_binding_import_next
(ck) 0000 0000 0000 rpc_ns_binding_inq_entry_name
(cl) 0000 0000 0000 rpc_ns_binding_lookup_begin
(cm) 0000 0000 0000 rpc_ns_binding_lookup_done
(cn) 0000 0000 0000 rpc_ns_binding_lookup_next
(co) 0000 0000 0000 rpc_ns_binding_select
(cp) 0000 0000 0000 rpc_ns_binding_unexport
(cq) 0000 0000 0000 rpc_ns_entry_expand_name
(cr) 0000 0000 0000 rpc_ns_entry_object_inq_begin
(cs) 0000 0000 0000 rpc_ns_entry_object_inq_done
(ct) 0000 0000 0000 rpc_ns_entry_object_inq_next
(cu) 0000 0000 0000 rpc_ns_group_mbr_inq_begin
(cv) 0000 0000 0000 rpc_ns_group_mbr_inq_done
(cw) 0000 0000 0000 rpc_ns_mgmt_inq_exp_age
(cx) 0000 0000 0000 rpc_ns_profile_elt_inq_begin
(cy) 0000 0000 0000 rpc_ns_profile_elt_inq_done
(cz) 0000 0000 0000 rpc_object_inq_type
(da) 0000 0000 0000 rpc_protseq_vector_free
(db) 0000 0000 0000 rpc_server_inq_bindings
(dc) 0000 0000 0000 rpc_server_inq_if
(dd) 0000 0000 0000 rpc_server_inq_listen
(de) 0000 0000 0000 rpc_ss_allocate
(df) 0000 0000 0000 rpc_ss_destroy_client_context
(dg) 0000 0000 0000 rpc_ss_disable_allocate
(dh) 0000 0000 0000 rpc_ss_enable_allocate
(di) 0000 0000 0000 rpc_ss_free
(dj) 0000 0000 0000 rpc_ss_get_thread_handle
(dk) 0000 0000 0000 rpc_ss_set_client_alloc_free
(dl) 0000 0000 0000 rpc_ss_set_thread_handle
(dm) 0000 0000 0000 rpc_ss_swap_client_alloc_free
(dn) 0000 0000 0000 rpc_string_binding_compose
(do) 0000 0000 0000 rpc_string_binding_parse
(dp) 0000 0000 0000 rpc_string_free
(dq) 0000 0000 0000 rpc_x_no_memory
(dr) 0000 0000 0000 sec_acl_bind
(ds) 0000 0000 0000 sec_acl_bind_to_addr
(dt) 0000 0000 0000 sec_acl_get_access
(du) 0000 0000 0000 sec_acl_get_error_info
(dv) 0000 0000 0000 sec_acl_get_manager_types
(dw) 0000 0000 0000 sec_acl_get_printstring
(dx) 0000 0000 0000 sec_acl_mgr_configure
(dy) 0000 0000 0000 sec_acl_mgr_get_manager_types
(dz) 0000 0000 0000 sec_acl_mgr_get_printstring
(ea) 0000 0000 0000 sec_acl_mgr_lookup
(eb) 0000 0000 0000 sec_acl_release
(ec) 0000 0000 0000 sec_acl_release_handle
(ed) 0000 0000 0000 sec_acl_test_access
(ee) 0000 0000 0000 sec_acl_test_access_on_behalf
(ef) 0000 0000 0000 sec_id_gen_group
(eg) 0000 0000 0000 sec_id_gen_name
(eh) 0000 0000 0000 sec_id_parse_group
(ei) 0000 0000 0000 sec_id_parse_name
(ej) 0000 0000 0000 sec_key_mgmt_free_key
(ek) 0000 0000 0000 sec_key_mgmt_release_cursor
(el) 0000 0000 0000 sec_login_free_net_info
(em) 0000 0000 0000 sec_login_inquire_net_info
(en) 0000 0000 0000 sec_login_release_context
(eo) 0000 0000 0000 sec_rgy_acct_get_projlist
(ep) 0000 0000 0000 sec_rgy_acct_lookup
(eq) 0000 0000 0000 sec_rgy_auth_plcy_get_effective
(er) 0000 0000 0000 sec_rgy_auth_plcy_get_info
(es) 0000 0000 0000 sec_rgy_cell_bind
(et) 0000 0000 0000 sec_rgy_cursor_reset
(eu) 0000 0000 0000 sec_rgy_login_get_effective
(ev) 0000 0000 0000 sec_rgy_login_get_info
(ew) 0000 0000 0000 sec_rgy_pgo_get_by_id
(ex) 0000 0000 0000 sec_rgy_pgo_get_by_name
(ey) 0000 0000 0000 sec_rgy_pgo_get_by_unix_num
(ez) 0000 0000 0000 sec_rgy_pgo_get_members
(fa) 0000 0000 0000 sec_rgy_pgo_get_next
(fb) 0000 0000 0000 sec_rgy_pgo_id_to_name
(fc) 0000 0000 0000 sec_rgy_pgo_id_to_unix_num
(fd) 0000 0000 0000 sec_rgy_pgo_is_member
(fe) 0000 0000 0000 sec_rgy_pgo_name_to_id
(ff) 0000 0000 0000 sec_rgy_pgo_name_to_unix_num
(fg) 0000 0000 0000 sec_rgy_pgo_unix_num_to_id
(fh) 0000 0000 0000 sec_rgy_pgo_unix_num_to_name
(fi) 0000 0000 0000 sec_rgy_plcy_get_effective
(fj) 0000 0000 0000 sec_rgy_plcy_get_info
(fk) 0000 0000 0000 sec_rgy_properties_get_info
(fl) 0000 0000 0000 sec_rgy_site_bind
(fm) 0000 0000 0000 sec_rgy_site_binding_get_info
(fn) 0000 0000 0000 sec_rgy_site_bind_query
(fo) 0000 0000 0000 sec_rgy_site_bind_update
(fp) 0000 0000 0000 sec_rgy_site_close
(fq) 0000 0000 0000 sec_rgy_site_get
(fr) 0000 0000 0000 sec_rgy_site_is_readonly
(fs) 0000 0000 0000 sec_rgy_site_open
(ft) 0000 0000 0000 sec_rgy_site_open_query
(fu) 0000 0000 0000 sec_rgy_site_open_update
(fv) 0000 0000 0000 setgrent
(fw) 0000 0000 0000 setgrfile
(fx) 0000 0000 0000 setgroupent
(fy) 0000 0000 0000 setpassent
(fz) 0000 0000 0000 setpwent
(ga) 0000 0000 0000 utc_abstime
(gb) 0000 0000 0000 utc_addtime
(gc) 0000 0000 0000 utc_anytime
(gd) 0000 0000 0000 utc_anyzone
(ge) 0000 0000 0000 utc_ascanytime
(gf) 0000 0000 0000 utc_ascgmtime
(gg) 0000 0000 0000 utc_asclocaltime
(gh) 0000 0000 0000 utc_ascreltime
(gi) 0000 0000 0000 utc_binreltime
(gj) 0000 0000 0000 utc_bintime
(gk) 0000 0000 0000 utc_boundtime
(gl) 0000 0000 0000 utc_cmpintervaltime
(gm) 0000 0000 0000 utc_cmpmidtime
(gn) 0000 0000 0000 utc_gettime
(go) 0000 0000 0000 utc_getusertime
(gp) 0000 0000 0000 utc_gmtime
(gq) 0000 0000 0000 utc_gmtzone
(gr) 0000 0000 0000 utc_localtime
(gs) 0000 0000 0000 utc_localzone
(gt) 0000 0000 0000 utc_mkanytime
(gu) 0000 0000 0000 utc_mkascreltime
(gv) 0000 0000 0000 utc_mkasctime
(gw) 0000 0000 0000 utc_mkbinreltime
(gx) 0000 0000 0000 utc_mkbintime
(gy) 0000 0000 0000 utc_mkgmtime
(gz) 0000 0000 0000 utc_mklocaltime
(ha) 0000 0000 0000 utc_mkreltime
(hb) 0000 0000 0000 utc_mulftime
(hc) 0000 0000 0000 utc_multime
(hd) 0000 0000 0000 utc_pointtime
(he) 0000 0000 0000 utc_reltime
(hf) 0000 0000 0000 utc_spantime
(hg) 0000 0000 0000 utc_subtime
(hh) 0000 0000 0000 uuidgen
(hi) 0000 0000 0000 uuid_compare
(hj) 0000 0000 0000 uuid_create
(hk) 0000 0000 0000 uuid_create_nil
(hl) 0000 0000 0000 uuid_equal
(hm) 0000 0000 0000 uuid_from_string
(hn) 0000 0000 0000 uuid_hash
(ho) 0000 0000 0000 uuid_is_nil
(hp) 0000 0000 0000 uuid_to_string
(hq) 0000 0000 0000 VC_ListVolumes
(hr) 0000 0000 0000 VC_VolserStatus
(hs) 0000 0000 0000 VC_VolumeStatus
(ht) 0000 0000 0000 VldbListByAttributes
(hu) 0000 0000 0000 VL_ExpandSiteCookie
(hv) 0000 0000 0000 VL_GenerateSites
(hw) 0000 0000 0000 VL_GetCellInfo
(hx) 0000 0000 0000 VL_GetCEntryByID
(hy) 0000 0000 0000 VL_GetCEntryByName
(hz) 0000 0000 0000 VL_GetCNextServersByID
(ia) 0000 0000 0000 VL_GetCNextServersByName
(ib) 0000 0000 0000 VL_GetEntryByID
(ic) 0000 0000 0000 VL_GetEntryByName
(id) 0000 0000 0000 VL_GetNextServerByID
(ie) 0000 0000 0000 VL_GetNextServerByName
(if) 0000 0000 0000 VL_GetSiteInfo
(ig) 0000 0000 0000 VL_ListByAttributes
(ih) 0000 0000 0000 VL_ListEntry
(ii) 0000 0000 0000 VL_Probe
(ij) 0000 0000 0000 volser_Date
(ik) 0000 0000 0001 afs_syscall
     ACL
(il) 0000 0000 0001 ds_add_entry
     GDS namespace
(im) 0000 0000 0001 ds_modify_entry
     GDS namespace
(in) 0000 0000 0001 ds_modify_rdn
     GDS namespace
(io) 0000 0000 0001 ds_remove_entry
     GDS namespace
(ip) 0000 0000 0001 om_put
     Private object
(iq) 0000 0000 0001 om_remove
     Private object
(ir) 0000 0000 0001 rdacl_replace
     ACL
(is) 0000 0000 0001 sec_acl_mgr_replace
     ACL
(it) 0000 0000 0001 VC_SetQuota
     Fileset
(iu) 0000 0000 0010 BOSSVR_GetLog
     BZACCESS
(iv) 0000 0000 0010 BOSSVR_ListKeys
     BZACCESS
(iw) 0000 0000 0010 FTSERVER_ListAggregates
     VOLS_ERR_BADACCESS
(ix) 0000 0000 0010 FTSERVER_ListVolumes
     VOLS_ERR_BADACCESS
(iy) 0000 0000 0010 sec_acl_lookup
     Undocumented error status for missing permission
(iz) 0000 0000 0010 sec_acl_mgr_get_access
     Undocumented error status for missing permission
(ja) 0000 0000 0010 sec_acl_mgr_is_authorized
     Undocumented error status for missing permission
(jb) 0000 0000 0010 sec_key_mgmt_get_key
     sec_key_mgmt_e_unauthorized
(jc) 0000 0000 0010 sec_key_mgmt_get_next_key
     sec_key_mgmt_e_unauthorized
(jd) 0000 0000 0010 sec_key_mgmt_get_next_kvno
     sec_key_mgmt_e_unauthorized
(je) 0000 0000 0010 sec_key_mgmt_initialize_cursor
     sec_key_mgmt_e_unauthorized
(jf) 0000 0000 0011 FTSERVER_CreateTrans
     Fileset: DAUT_ERROR_ACCESS_DENIED, ENDENTVOL, VOLS_ERR_BADACCESS
(jg) 0000 0000 0011 FTSERVER_DeleteTrans
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(jh) 0000 0000 0011 FTSERVER_SetFlags
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(ji) 0000 0000 0011 FTSERVER_SetStatus
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(jj) 0000 0000 0011 sec_acl_replace
     ACL: Undocumented error status for missing permission
(jk) 0000 0000 0110 VL_GetStats
     Fileset: Superuser, VL_PERM
(jl) 0000 0000 0111 VL_GetNewVolumeId
     Fileset: Cell admin, VL_PERM
(jm) 0000 0000 0111 VL_GetNewVolumeIds
     Fileset: Cell admin, VL_PERM
(jn) 0000 0000 0111 VL_ReplaceEntry
     FLDB: Superuser, VL_BADENTRY, VL_NOENT, VL_PERM
(jo) 0000 0001 0000 sec_login_export_context
     Login context
(jp) 0000 0001 0000 sec_login_get_current_context
     Login context
(jq) 0000 0001 0000 sec_login_get_expiration
     TGT lifetime
(jr) 0000 0001 0000 sec_login_get_groups
     Login context
(js) 0000 0001 0000 sec_login_get_pwent
     Login context
(jt) 0000 0001 0000 sec_login_import_context
     Login context
(ju) 0000 0001 0000 sec_login_init_first
     Login context
(jv) 0000 0001 0000 sec_login_newgroups
     Login context
(jw) 0000 0001 0000 sec_login_purge_context
     Login context
(jx) 0000 0001 0000 sec_login_refresh_identity
     Login context
(jy) 0000 0001 0000 sec_login_setup_first
     Login context
(jz) 0000 0001 0000 sec_login_set_context
     Login context
(ka) 0000 0001 0000 sec_login_validate_first
     Login context
(kb) 0000 0001 0000 setpwfile
     Password file
(kc) 0000 0001 0010 rdacl_get_access
     PAC: Undocumented error status for access failure
(kd) 0000 0001 0010 sec_key_mgmt_change_key
     Local key registry: sec_key_mgmt_e_unauthorized
(ke) 0000 0001 0010 sec_key_mgmt_delete_key
     Local key registry: sec_key_mgmt_e_unauthorized
(kf) 0000 0001 0010 sec_key_mgmt_delete_key_type
     Local key registry: sec_key_mgmt_e_unauthorized
(kg) 0000 0001 0010 sec_key_mgmt_garbage_collect
     Local key registry: sec_key_mgmt_e_unauthorized
(kh) 0000 0001 0010 sec_key_mgmt_gen_rand_key
     Local key registry: sec_key_mgmt_e_unauthorized
(ki) 0000 0001 0010 sec_key_mgmt_manage_key
     Local key registry, registry database:
     sec_key_mgmt_e_unauthorized
(kj) 0000 0001 0010 sec_key_mgmt_set_key
     Local key registry: sec_key_mgmt_e_unauthorized
(kk) 0000 0001 0010 sec_login_certify_identity
     Security server: sec_login_s_not_certified
(kl) 0000 0001 0010 sec_login_setup_identity
     Network: sec_rgy_server_unavailable,
     sec_rgy_status_object_not_found
(km) 0000 0001 0010 sec_login_validate_identity
     User: sec_rgy_passwd_invalid, sec_rgy_server_unavailable
(kn) 0000 0001 0010 sec_login_valid_and_cert_ident
     User: sec_rgy_passwd_invalid, sec_rgy_registry_unavailable,
     sec_rgy_s_privileged
(ko) 0000 0010 0000 om_copy
     Private object
(kp) 0000 0010 0000 om_copy_value
     Private object
(kq) 0000 0010 0000 om_create
     Private object
(kr) 0000 0010 0000 om_get
     Private object
(ks) 0000 0010 0000 VC_BackupVolume
     Fileset
(kt) 0000 0010 0000 VC_CreateVolume
     Fileset
(ku) 0000 0010 0010 FTSERVER_DeleteVolume
     Fileset: VOLS_ERR_BADACCESS
(kv) 0000 0010 0011 FTSERVER_Clone
     Fileset: Fileset, VOLS_ERR_BADACCESS
(kw) 0000 0010 0011 FTSERVER_CreateVolume
     Fileset: Fileset, VOLS_ERR_BADACCESS
(kx) 0000 0010 0110 BOSSVR_Install
     Program: BOS admin, BZACCESS
(ky) 0000 0100 0000 om_delete
     Private object
(kz) 0000 0100 0000 VC_DeleteVolume
     Fileset
(la) 0000 0100 0000 VC_VolumeZap
     Fileset
(lb) 0000 0100 0110 BOSSVR_Prune
     .BAK .OLD: BOS admin, BZACCESS
(lc) 0000 0110 0000 VC_MoveVolume
     Fileset: Fileset
(ld) 0000 0110 0000 VC_RenameVolume
     Fileset: Fileset
(le) 0000 1000 0000 om_write
     Private register
(lf) 0000 1000 0000 rpc_ep_register
     End point map
(lg) 0000 1000 0000 rpc_ep_register_no_replace
     End point map
(lh) 0000 1000 0000 rpc_ep_unregister
     End point map
(li) 0000 1000 0000 rpc_mgmt_ep_unregister
     End point map
(lj) 0000 1000 0000 VC_DumpVolume
     Fileset
(lk) 0000 1000 0000 VC_RestoreVolume
     Fileset
(ll) 0000 1000 0000 VC_SyncServer
     Fileset
(lm) 0000 1000 0000 VC_SyncVldb
     Fileset
(ln) 0000 1000 0000 VL_AlterServer
     FLDB
(lo) 0000 1000 0000 VL_CreateServer
     FLDB
(lp) 0000 1000 0010 FTSERVER_Dump
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(lq) 0000 1000 0010 FTSERVER_Forward
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(lr) 0000 1000 0010 FTSERVER_Restore
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(ls) 0000 1000 0010 sec_rgy_acct_add
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_not_member_group,
     sec_rgy_status_not_member_group_org,
     sec_rgy_status_not_member_org, sec_rgy_status_object_exists
(lt) 0000 1000 0010 sec_rgy_acct_admin_replace
     Registry database: sec_rgy_status_not_authorized
(lu) 0000 1000 0010 sec_rgy_acct_delete
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_object_not_found
(lv) 0000 1000 0010 sec_rgy_acct_passwd
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_object_not_found
(lw) 0000 1000 0010 sec_rgy_acct_rename
     Registry database: sec_rgy_status_name_exists,
     sec_rgy_status_not_authorized, sec_rgy_status_object_not_found
(lx) 0000 1000 0010 sec_rgy_acct_replace_all
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_object_not_found
(ly) 0000 1000 0010 sec_rgy_acct_user_replace
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_object_not_found
(lz) 0000 1000 0010 sec_rgy_auth_plcy_set_info
     Registry database: sec_rgy_status_not_authorized,
     sec_rgy_status_object_not_found
(ma) 0000 1000 0010 sec_rgy_pgo_add
     Registry database: sec_rgy_status_not_authorized
(mb) 0000 1000 0010 sec_rgy_pgo_add_member
     Registry database: sec_rgy_status_not_authorized
(mc) 0000 1000 0010 sec_rgy_pgo_delete
     Registry database: sec_rgy_status_not_authorized
(md) 0000 1000 0010 sec_rgy_pgo_delete_member
     Registry database: sec_rgy_not_member_group,
     sec_rgy_not_member_org, sec_rgy_object_not_found,
     sec_rgy_status_not_authorized
(me) 0000 1000 0010 sec_rgy_pgo_rename
     Registry database: sec_rgy_status_not_authorized
(mf) 0000 1000 0010 sec_rgy_pgo_replace
     Registry database: sec_rgy_object_not_found,
     sec_rgy_status_not_authorized
(mg) 0000 1000 0010 sec_rgy_plcy_set_info
     Registry database: sec_rgy_object_not_found,
     sec_rgy_status_not_authorized
(mh) 0000 1000 0010 sec_rgy_properties_set_info
     Registry database: sec_rgy_status_not_authorized
(mi) 0000 1000 0011 FTSERVER_ReClone
     Fileset: DAUT_ERROR_ACCESS_DENIED, Fileset, VOLS_ERR_BADACCESS
(mj) 0000 1000 0110 BOSSVR_GarbageCollectKeys
     Local key registry: BOS admin, BZACCESS
(mk) 0000 1000 0110 VL_AddAddress
     FLDB: Superuser, VL_PERM
(ml) 0000 1000 0110 VL_ChangeAddress
     FLDB: Superuser, VL_PERM
(mm) 0000 1000 0110 VL_CreateEntry
     FLDB: Superuser, VL_PERM
(mn) 0000 1000 0110 VL_DeleteEntry
     FLDB: Superuser, VL_PERM
(mo) 0000 1000 0110 VL_ReleaseLock
     Fileset: Superuser, VL_PERM
(mp) 0000 1000 0110 VL_RemoveAddress
     FLDB: Superuser, VL_PERM
(mq) 0000 1000 0110 VL_SetLock
     Fileset: Superuser, VL_PERM
(mr) 0100 0000 0000 ds_initialize
     X/Open Directory Service
(ms) 0100 0000 0000 ds_shutdown
     X/Open Directory Service
(mt) 0100 0000 0000 pthread_create
     Thread
(mu) 0100 0000 0000 pthread_exit
     Thread
(mv) 0100 0000 0000 pthread_lock_global_np
     Thread
(mw) 0100 0000 0000 pthread_mutex_lock
     Thread
(mx) 0100 0000 0000 pthread_mutex_trylock
     Thread
(my) 0100 0000 0000 pthread_mutex_unlock
     Thread
(mz) 0100 0000 0000 pthread_testcancel
     Thread
(na) 0100 0000 0000 pthread_unlock_global_np
     Thread
(nb) 0100 0000 0000 pthread_yield
     Thread
(nc) 0100 0000 0000 rpc_mgmt_stop_server_listening
     Thread
(nd) 0100 0000 0000 sec_rgy_wait_until_consistent
     Security registry
(ne) 0100 0000 0010 FTSERVER_GetFlags
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(nf) 0100 0000 0010 FTSERVER_GetStatus
     Fileset: DAUT_ERROR_ACCESS_DENIED, VOLS_ERR_BADACCESS
(ng) 0100 0000 0010 FTSERVER_Monitor
     File server: VOLS_ERR_BADACCESS
(nh) 0100 0000 0110 BOSSVR_AddKey
     Server key: BOS admin, BZACCESS
(ni) 0100 0000 0110 BOSSVR_AddSUser
     Admin list: BOS admin, BZACCESS
(nj) 0100 0000 0110 BOSSVR_DeleteKey
     Server key: BOS admin, BZACCESS
(nk) 0100 0000 0110 BOSSVR_DeleteSuser
     Admin list: BOS admin, BZACCESS
(nl) 0100 0000 0110 BOSSVR_Exec
     Subprocess: BOS admin, BZACCESS
(nm) 0100 0000 0110 BOSSVR_GenerateKey
     Server key: BOS admin, BZACCESS
(nn) 0100 0000 0110 BOSSVR_ReBossvr
     Server: BOS admin, BZACCESS
(no) 0100 0000 0110 BOSSVR_Restart
     Process: BOS admin, BZACCESS
(np) 0100 0000 0110 BOSSVR_RestartAll
     Process: BOS admin, BZACCESS
(nq) 0100 0000 0110 BOSSVR_ShutdownAll
     Process: BOS admin, BZACCESS
(nr) 0100 0000 0110 BOSSVR_StartupAll
     Process: BOS admin, BZACCESS
(ns) 0100 0000 0110 BOSSVR_UnInstall
     Program: BOS admin, BZACCESS
(nt) 0100 0000 0110 BOSSVR_WaitAll
     Process: BOS admin, BZACCESS
(nu) 1000 0000 0000 atfork
     Thread
(nv) 1000 0000 0000 pthread_attr_create
     Thread
(nw) 1000 0000 0000 pthread_attr_delete
     Thread
(nx) 1000 0000 0000 pthread_attr_setinheritsched
     Thread
(ny) 1000 0000 0000 pthread_attr_setprio
     Thread
(nz) 1000 0000 0000 pthread_attr_setsched
     Thread
(oa) 1000 0000 0000 pthread_attr_setstacksize
     Thread
(ob) 1000 0000 0000 pthread_cancel
     Thread
(oc) 1000 0000 0000 pthread_condattr_create
     Thread
(od) 1000 0000 0000 pthread_condattr_delete
     Thread
(oe) 1000 0000 0000 pthread_cond_broadcast
     Thread
(of) 1000 0000 0000 pthread_cond_destroy
     Thread
(og) 1000 0000 0000 pthread_cond_init
     Thread
(oh) 1000 0000 0000 pthread_cond_signal
     Thread
(oi) 1000 0000 0000 pthread_cond_timedwait
     Thread
(oj) 1000 0000 0000 pthread_cond_wait
     Thread
(ok) 1000 0000 0000 pthread_delay_np
     Thread
(ol) 1000 0000 0000 pthread_detach
     Thread
(om) 1000 0000 0000 pthread_join
     Thread
(on) 1000 0000 0000 pthread_keycreate
     Thread
(oo) 1000 0000 0000 pthread_mutexattr_create
     Thread
(op) 1000 0000 0000 pthread_mutexattr_delete
     Thread
(oq) 1000 0000 0000 pthread_mutexattr_setkind_np
     Thread
(or) 1000 0000 0000 pthread_mutex_destroy
     Thread
(os) 1000 0000 0000 pthread_mutex_init
     Thread
(ot) 1000 0000 0000 pthread_once
     Thread
(ou) 1000 0000 0000 pthread_setasynccancel
     Thread
(ov) 1000 0000 0000 pthread_setcancel
     Thread
(ow) 1000 0000 0000 pthread_setprio
     Thread
(ox) 1000 0000 0000 pthread_setscheduler
     Thread
(oy) 1000 0000 0000 pthread_setspecific
     Thread
(oz) 1000 0000 0000 rpc_mgmt_set_cancel_timeout
     Runtime
(pa) 1000 0000 0000 rpc_mgmt_set_com_timeout
     Runtime
(pb) 1000 0000 0000 rpc_ns_group_delete
     Name service database
(pc) 1000 0000 0000 rpc_ns_group_mbr_add
     Name service database
(pd) 1000 0000 0000 rpc_ns_group_mbr_inq_next
     Name service database
(pe) 1000 0000 0000 rpc_ns_group_mbr_remove
     Name service database
(pf) 1000 0000 0000 rpc_ns_mgmt_binding_unexport
     Name service database
(pg) 1000 0000 0000 rpc_ns_mgmt_entry_create
     Name service database
(ph) 1000 0000 0000 rpc_ns_mgmt_entry_delete
     Name service database
(pi) 1000 0000 0000 rpc_ns_mgmt_entry_inq_if_ids
     Name service database
(pj) 1000 0000 0000 rpc_ns_mgmt_handle_set_exp_age
     Name service database
(pk) 1000 0000 0000 rpc_ns_mgmt_set_exp_age
     Name service database
(pl) 1000 0000 0000 rpc_ns_profile_delete
     Name service database
(pm) 1000 0000 0000 rpc_ns_profile_elt_add
     Name service database
(pn) 1000 0000 0000 rpc_ns_profile_elt_inq_next
     Name service database
(po) 1000 0000 0000 rpc_ns_profile_elt_remove
     Name service database
(pp) 1000 0000 0000 rpc_object_set_inq_fn
     Runtime
(pq) 1000 0000 0000 rpc_object_set_type
     Runtime
(pr) 1000 0000 0000 rpc_server_register_auth_info
     Runtime
(ps) 1000 0000 0000 rpc_server_register_if
     Runtime
(pt) 1000 0000 0000 rpc_server_unregister_if
     Runtime
(pu) 1000 0000 0000 rpc_server_use_all_protseqs
     Runtime
(pv) 1000 0000 0000 rpc_server_use_all_protseqs_if
     Runtime
(pw) 1000 0000 0000 rpc_server_use_protseq
     Runtime
(px) 1000 0000 0000 rpc_server_use_protseq_ep
     Runtime
(py) 1000 0000 0000 rpc_server_use_protseq_if
     Runtime
(pz) 1000 0000 0000 rpc_ss_register_auth_info
     Runtime
(qa) 1000 0000 0110 BOSSVR_CreateBnode
     Bnode: BOS admin, BZACCESS
(qb) 1000 0000 0110 BOSSVR_DeleteBnode
     Bnode: BOS admin, BZACCESS
(qc) 1000 0000 0110 BOSSVR_SetNoAuthFlag
     Server flag: BOS admin, BZACCESS
(qd) 1000 0000 0110 BOSSVR_SetRestartTime
     BOS Server process: BOS admin, BZACCESS
(qe) 1000 0000 0110 BOSSVR_SetStatus
     Bnode: BOS admin, BZACCESS
(qf) 1000 0000 0110 BOSSVR_SetTStatus
     Bnode: BOS admin, BZACCESS
(qg) 1100 0000 0000 pthread_cleanup_pop
     Thread: Thread
(qh) 1100 0000 0000 pthread_cleanup_push
     Thread: Thread

APPENDIX B. LIST OF MASKS AND API'S, ORDERED BY API

This appendix contains a list of the DCE API's to be audited to meet C2 requirements. This list has been sorted in alphabetical order by API name to ease the review process by allowing the reviewer to traverse the audit event classification and DCE documentation in the same order.

(a) 0000 0000 0001 afs_syscall
(b) 1000 0000 0000 atfork
(c) 0100 0000 0110 BOSSVR_AddKey
(d) 0100 0000 0110 BOSSVR_AddSUser
(e) 1000 0000 0110 BOSSVR_CreateBnode
(f) 1000 0000 0110 BOSSVR_DeleteBnode
(g) 0100 0000 0110 BOSSVR_DeleteKey
(h) 0100 0000 0110 BOSSVR_DeleteSuser
(i) 0000 0000 0000 BOSSVR_EnumerateInstance
(j) 0100 0000 0110 BOSSVR_Exec
(k) 0000 1000 0110 BOSSVR_GarbageCollectKeys
(l) 0100 0000 0110 BOSSVR_GenerateKey
(m) 0000 0000 0000 BOSSVR_GetCellName
(n) 0000 0000 0000 BOSSVR_GetDates
(o) 0000 0000 0000 BOSSVR_GetInstanceInfo
(p) 0000 0000 0000 BOSSVR_GetInstanceParm
(q) 0000 0000 0010 BOSSVR_GetLog
(r) 0000 0000 0000 BOSSVR_GetRestartTime
(s) 0000 0000 0000 BOSSVR_GetStatus
(t) 0000 0010 0110 BOSSVR_Install
(u) 0000 0000 0010 BOSSVR_ListKeys
(v) 0000 0000 0000 BOSSVR_ListSUsers
(w) 0000 0100 0110 BOSSVR_Prune
(x) 0100 0000 0110 BOSSVR_ReBossvr
(y) 0100 0000 0110 BOSSVR_Restart
(z) 0100 0000 0110 BOSSVR_RestartAll
(aa) 1000 0000 0110 BOSSVR_SetNoAuthFlag
(ab) 1000 0000 0110 BOSSVR_SetRestartTime
(ac) 1000 0000 0110 BOSSVR_SetStatus
(ad) 1000 0000 0110 BOSSVR_SetTStatus
(ae) 0100 0000 0110 BOSSVR_ShutdownAll
(af) 0100 0000 0110 BOSSVR_StartupAll
(ag) 0100 0000 0110 BOSSVR_UnInstall
(ah) 0100 0000 0110 BOSSVR_WaitAll
(ai) 0000 0000 0000 dce_cf_binding_entry_from_host
(aj) 0000 0000 0000 dce_cf_find_name_by_key
(ak) 0000 0000 0000 dce_cf_get_cell_name
(al) 0000 0000 0000 dce_cf_get_host_name
(am) 0000 0000 0000 dce_cf_prin_name_from_host
(an) 0000 0000 0000 dce_error_inq_text
(ao) 0000 0000 0001 ds_add_entry
(ap) 0000 0000 0000 ds_bind
(aq) 0000 0000 0000 ds_compare
(ar) 0000 0000 0000 ds_feature
(as) 0100 0000 0000 ds_initialize
(at) 0000 0000 0000 ds_list
(au) 0000 0000 0001 ds_modify_entry
(av) 0000 0000 0001 ds_modify_rdn
(aw) 0000 0000 0000 ds_read
(ax) 0000 0000 0001 ds_remove_entry
(ay) 0000 0000 0000 ds_search
(az) 0100 0000 0000 ds_shutdown
(ba) 0000 0000 0000 ds_unbind
(bb) 0000 0000 0000 ds_version
(bc) 0000 0000 0000 endgrent
(bd) 0000 0000 0000 endpwent
(be) 0000 0000 0000 fileset_transStatus
(bf) 0000 0000 0000 FTSERVER_AggregateInfo
(bg) 0000 0010 0011 FTSERVER_Clone
(bh) 0000 0000 0011 FTSERVER_CreateTrans
(bi) 0000 0010 0011 FTSERVER_CreateVolume
(bj) 0000 0000 0011 FTSERVER_DeleteTrans
(bk) 0000 0010 0010 FTSERVER_DeleteVolume
(bl) 0000 1000 0010 FTSERVER_Dump
(bm) 0000 1000 0010 FTSERVER_Forward
(bn) 0100 0000 0010 FTSERVER_GetFlags
(bo) 0000 0000 0000 FTSERVER_GetOneVolStatus
(bp) 0100 0000 0010 FTSERVER_GetStatus
(bq) 0000 0000 0010 FTSERVER_ListAggregates
(br) 0000 0000 0010 FTSERVER_ListVolumes
(bs) 0100 0000 0010 FTSERVER_Monitor
(bt) 0000 1000 0011 FTSERVER_ReClone
(bu) 0000 1000 0010 FTSERVER_Restore
(bv) 0000 0000 0011 FTSERVER_SetFlags
(bw) 0000 0000 0011 FTSERVER_SetStatus
(bx) 0000 0000 0000 getgrent
(by) 0000 0000 0000 getgrgid
(bz) 0000 0000 0000 getgrnam
(ca) 0000 0000 0000 getpwent
(cb) 0000 0000 0000 getpwnam
(cc) 0000 0000 0000 getpwuid
(cd) 0000 0000 0000 idl
(ce) 0000 0000 0000 ioctl
(cf) 0000 0010 0000 om_copy
(cg) 0000 0010 0000 om_copy_value
(ch) 0000 0010 0000 om_create
(ci) 0000 0100 0000 om_delete
(cj) 0000 0010 0000 om_get
(ck) 0000 0000 0000 om_instance
(cl) 0000 0000 0001 om_put
(cm) 0000 0000 0000 om_read
(cn) 0000 0000 0001 om_remove
(co) 0000 1000 0000 om_write
(cp) 1000 0000 0000 pthread_attr_create
(cq) 1000 0000 0000 pthread_attr_delete
(cr) 0000 0000 0000 pthread_attr_getinheritsched
(cs) 0000 0000 0000 pthread_attr_getprio
(ct) 0000 0000 0000 pthread_attr_getsched
(cu) 0000 0000 0000 pthread_attr_getstacksize
(cv) 1000 0000 0000 pthread_attr_setinheritsched
(cw) 1000 0000 0000 pthread_attr_setprio
(cx) 1000 0000 0000 pthread_attr_setsched
(cy) 1000 0000 0000 pthread_attr_setstacksize
(cz) 1000 0000 0000 pthread_cancel
(da) 1100 0000 0000 pthread_cleanup_pop
(db) 1100 0000 0000 pthread_cleanup_push
(dc) 1000 0000 0000 pthread_condattr_create
(dd) 1000 0000 0000 pthread_condattr_delete
(de) 1000 0000 0000 pthread_cond_broadcast
(df) 1000 0000 0000 pthread_cond_destroy
(dg) 1000 0000 0000 pthread_cond_init
(dh) 1000 0000 0000 pthread_cond_signal
(di) 1000 0000 0000 pthread_cond_timedwait
(dj) 1000 0000 0000 pthread_cond_wait
(dk) 0100 0000 0000 pthread_create
(dl) 1000 0000 0000 pthread_delay_np
(dm) 1000 0000 0000 pthread_detach
(dn) 0100 0000 0000 pthread_exit
(do) 0000 0000 0000 pthread_getprio
(dp) 0000 0000 0000 pthread_getscheduler
(dq) 0000 0000 0000 pthread_getspecific
(dr) 0000 0000 0000 pthread_get_expiration_np
(ds) 1000 0000 0000 pthread_join
(dt) 1000 0000 0000 pthread_keycreate
(du) 0100 0000 0000 pthread_lock_global_np
(dv) 1000 0000 0000 pthread_mutexattr_create
(dw) 1000 0000 0000 pthread_mutexattr_delete
(dx) 0000 0000 0000 pthread_mutexattr_getkind_np
(dy) 1000 0000 0000 pthread_mutexattr_setkind_np
(dz) 1000 0000 0000 pthread_mutex_destroy
(ea) 1000 0000 0000 pthread_mutex_init
(eb) 0100 0000 0000 pthread_mutex_lock
(ec) 0100 0000 0000 pthread_mutex_trylock
(ed) 0100 0000 0000 pthread_mutex_unlock
(ee) 1000 0000 0000 pthread_once
(ef) 0000 0000 0000 pthread_self
(eg) 1000 0000 0000 pthread_setasynccancel
(eh) 1000 0000 0000 pthread_setcancel
(ei) 1000 0000 0000 pthread_setprio
(ej) 1000 0000 0000 pthread_setscheduler
(ek) 1000 0000 0000 pthread_setspecific
(el) 0100 0000 0000 pthread_testcancel
(em) 0100 0000 0000 pthread_unlock_global_np
(en) 0100 0000 0000 pthread_yield
(eo) 0000 0001 0010 rdacl_get_access
(ep) 0000 0000 0000 rdacl_get_manager_types
(eq) 0000 0000 0000 rdacl_get_printstring
(er) 0000 0000 0000 rdacl_get_referral
(es) 0000 0000 0000 rdacl_lookup
(et) 0000 0000 0001 rdacl_replace
(eu) 0000 0000 0000 rdacl_test_access
(ev) 0000 0000 0000 rdacl_test_access_on_behalf
(ew) 0000 0000 0000 rpccp
(ex) 0000 0000 0000 rpcd
(ey) 0000 0000 0000 rpc_binding_copy
(ez) 0000 0000 0000 rpc_binding_free
(fa) 0000 0000 0000 rpc_binding_from_string_binding
(fb) 0000 0000 0000 rpc_binding_inq_auth_client
(fc) 0000 0000 0000 rpc_binding_inq_auth_info
(fd) 0000 0000 0000 rpc_binding_inq_object
(fe) 0000 0000 0000 rpc_binding_reset
(ff) 0000 0000 0000 rpc_binding_server_from_client
(fg) 0000 0000 0000 rpc_binding_set_auth_info
(fh) 0000 0000 0000 rpc_binding_set_object
(fi) 0000 0000 0000 rpc_binding_to_string_binding
(fj) 0000 0000 0000 rpc_binding_vector_free
(fk) 0000 1000 0000 rpc_ep_register
(fl) 0000 1000 0000 rpc_ep_register_no_replace
(fm) 0000 0000 0000 rpc_ep_resolve_binding
(fn) 0000 1000 0000 rpc_ep_unregister
(fo) 0000 0000 0000 rpc_if_id_vector_free
(fp) 0000 0000 0000 rpc_if_inq_id
(fq) 0000 0000 0000 rpc_mgmt_ep_elt_inq_begin
(fr) 0000 0000 0000 rpc_mgmt_ep_elt_inq_done
(fs) 0000 0000 0000 rpc_mgmt_ep_elt_inq_next
(ft) 0000 1000 0000 rpc_mgmt_ep_unregister
(fu) 0000 0000 0000 rpc_mgmt_inq_com_timeout
(fv) 0000 0000 0000 rpc_mgmt_inq_dflt_protect_level
(fw) 0000 0000 0000 rpc_mgmt_inq_if_ids
(fx) 0000 0000 0000 rpc_mgmt_inq_server_princ_name
(fy) 0000 0000 0000 rpc_mgmt_inq_stats
(fz) 0000 0000 0000 rpc_mgmt_is_server_listening
(ga) 0000 0000 0000 rpc_mgmt_set_authorization_fn
(gb) 1000 0000 0000 rpc_mgmt_set_cancel_timeout
(gc) 1000 0000 0000 rpc_mgmt_set_com_timeout
(gd) 0000 0000 0000 rpc_mgmt_set_server_stack_size
(ge) 0000 0000 0000 rpc_mgmt_stats_vector_free
(gf) 0100 0000 0000 rpc_mgmt_stop_server_listening
(gg) 0000 0000 0000 rpc_network_inq_protseqs
(gh) 0000 0000 0000 rpc_network_is_protseq_valid
(gi) 0000 0000 0000 rpc_ns_binding_export
(gj) 0000 0000 0000 rpc_ns_binding_import_begin
(gk) 0000 0000 0000 rpc_ns_binding_import_done
(gl) 0000 0000 0000 rpc_ns_binding_import_next
(gm) 0000 0000 0000 rpc_ns_binding_inq_entry_name
(gn) 0000 0000 0000 rpc_ns_binding_lookup_begin
(go) 0000 0000 0000 rpc_ns_binding_lookup_done
(gp) 0000 0000 0000 rpc_ns_binding_lookup_next
(gq) 0000 0000 0000 rpc_ns_binding_select
(gr) 0000 0000 0000 rpc_ns_binding_unexport
(gs) 0000 0000 0000 rpc_ns_entry_expand_name
(gt) 0000 0000 0000 rpc_ns_entry_object_inq_begin
(gu) 0000 0000 0000 rpc_ns_entry_object_inq_done
(gv) 0000 0000 0000 rpc_ns_entry_object_inq_next
(gw) 1000 0000 0000 rpc_ns_group_delete
(gx) 1000 0000 0000 rpc_ns_group_mbr_add
(gy) 0000 0000 0000 rpc_ns_group_mbr_inq_begin
(gz) 0000 0000 0000 rpc_ns_group_mbr_inq_done
(ha) 1000 0000 0000 rpc_ns_group_mbr_inq_next
(hb) 1000 0000 0000 rpc_ns_group_mbr_remove
(hc) 1000 0000 0000 rpc_ns_mgmt_binding_unexport
(hd) 1000 0000 0000 rpc_ns_mgmt_entry_create
(he) 1000 0000 0000 rpc_ns_mgmt_entry_delete
(hf) 1000 0000 0000 rpc_ns_mgmt_entry_inq_if_ids
(hg) 1000 0000 0000 rpc_ns_mgmt_handle_set_exp_age
(hh) 0000 0000 0000 rpc_ns_mgmt_inq_exp_age
(hi) 1000 0000 0000 rpc_ns_mgmt_set_exp_age
(hj) 1000 0000 0000 rpc_ns_profile_delete
(hk) 1000 0000 0000 rpc_ns_profile_elt_add
(hl) 0000 0000 0000 rpc_ns_profile_elt_inq_begin
(hm) 0000 0000 0000 rpc_ns_profile_elt_inq_done
(hn) 1000 0000 0000 rpc_ns_profile_elt_inq_next
(ho) 1000 0000 0000 rpc_ns_profile_elt_remove
(hp) 0000 0000 0000 rpc_object_inq_type
(hq) 1000 0000 0000 rpc_object_set_inq_fn
(hr) 1000 0000 0000 rpc_object_set_type
(hs) 0000 0000 0000 rpc_protseq_vector_free
(ht) 0000 0000 0000 rpc_server_inq_bindings
(hu) 0000 0000 0000 rpc_server_inq_if
(hv) 0000 0000 0000 rpc_server_inq_listen
(hw) 1000 0000 0000 rpc_server_register_auth_info
(hx) 1000 0000 0000 rpc_server_register_if
(hy) 1000 0000 0000 rpc_server_unregister_if
(hz) 1000 0000 0000 rpc_server_use_all_protseqs
(ia) 1000 0000 0000 rpc_server_use_all_protseqs_if
(ib) 1000 0000 0000 rpc_server_use_protseq
(ic) 1000 0000 0000 rpc_server_use_protseq_ep
(id) 1000 0000 0000 rpc_server_use_protseq_if
(ie) 0000 0000 0000 rpc_ss_allocate
(if) 0000 0000 0000 rpc_ss_destroy_client_context
(ig) 0000 0000 0000 rpc_ss_disable_allocate
(ih) 0000 0000 0000 rpc_ss_enable_allocate
(ii) 0000 0000 0000 rpc_ss_free
(ij) 0000 0000 0000 rpc_ss_get_thread_handle
(ik) 1000 0000 0000 rpc_ss_register_auth_info
(il) 0000 0000 0000 rpc_ss_set_client_alloc_free
(im) 0000 0000 0000 rpc_ss_set_thread_handle
(in) 0000 0000 0000 rpc_ss_swap_client_alloc_free
(io) 0000 0000 0000 rpc_string_binding_compose
(ip) 0000 0000 0000 rpc_string_binding_parse
(iq) 0000 0000 0000 rpc_string_free
(ir) 0000 0000 0000 rpc_x_no_memory
(is) 0000 0000 0000 sec_acl_bind
(it) 0000 0000 0000 sec_acl_bind_to_addr
(iu) 0000 0000 0000 sec_acl_get_access
(iv) 0000 0000 0000 sec_acl_get_error_info
(iw) 0000 0000 0000 sec_acl_get_manager_types
(ix) 0000 0000 0000 sec_acl_get_printstring
(iy) 0000 0000 0010 sec_acl_lookup
(iz) 0000 0000 0000 sec_acl_mgr_configure
(ja) 0000 0000 0010 sec_acl_mgr_get_access
(jb) 0000 0000 0000 sec_acl_mgr_get_manager_types
(jc) 0000 0000 0000 sec_acl_mgr_get_printstring
(jd) 0000 0000 0010 sec_acl_mgr_is_authorized
(je) 0000 0000 0000 sec_acl_mgr_lookup
(jf) 0000 0000 0001 sec_acl_mgr_replace
(jg) 0000 0000 0000 sec_acl_release
(jh) 0000 0000 0000 sec_acl_release_handle
(ji) 0000 0000 0011 sec_acl_replace
(jj) 0000 0000 0000 sec_acl_test_access
(jk) 0000 0000 0000 sec_acl_test_access_on_behalf
(jl) 0000 0000 0000 sec_id_gen_group
(jm) 0000 0000 0000
sec_id_gen_name (jn) 0000 0000 0000 sec_id_parse_group (jo) 0000 0000 0000 sec_id_parse_name (jp) 0000 0001 0010 sec_key_mgmt_change_key (jq) 0000 0001 0010 sec_key_mgmt_delete_key (jr) 0000 0001 0010 sec_key_mgmt_delete_key_type (js) 0000 0000 0000 sec_key_mgmt_free_key (jt) 0000 0001 0010 sec_key_mgmt_garbage_collect Nicely Page 38 DCE-RFC 1.0 POSIX/C2 Auditing of DCE API's June 1992 (ju) 0000 0001 0010 sec_key_mgmt_gen_rand_key (jv) 0000 0000 0010 sec_key_mgmt_get_key (jw) 0000 0000 0010 sec_key_mgmt_get_next_key (jx) 0000 0000 0010 sec_key_mgmt_get_next_kvno (jy) 0000 0000 0010 sec_key_mgmt_initialize_cursor (jz) 0000 0001 0010 sec_key_mgmt_manage_key (ka) 0000 0000 0000 sec_key_mgmt_release_cursor (kb) 0000 0001 0010 sec_key_mgmt_set_key (kc) 0000 0001 0010 sec_login_certify_identity (kd) 0000 0001 0000 sec_login_export_context (ke) 0000 0000 0000 sec_login_free_net_info (kf) 0000 0001 0000 sec_login_get_current_context (kg) 0000 0001 0000 sec_login_get_expiration (kh) 0000 0001 0000 sec_login_get_groups (ki) 0000 0001 0000 sec_login_get_pwent (kj) 0000 0001 0000 sec_login_import_context (kk) 0000 0001 0000 sec_login_init_first (kl) 0000 0000 0000 sec_login_inquire_net_info (km) 0000 0001 0000 sec_login_newgroups (kn) 0000 0001 0000 sec_login_purge_context (ko) 0000 0001 0000 sec_login_refresh_identity (kp) 0000 0000 0000 sec_login_release_context (kq) 0000 0001 0000 sec_login_setup_first (kr) 0000 0001 0010 sec_login_setup_identity (ks) 0000 0001 0000 sec_login_set_context (kt) 0000 0001 0000 sec_login_validate_first (ku) 0000 0001 0010 sec_login_validate_identity (kv) 0000 0001 0010 sec_login_valid_and_cert_ident (kw) 0000 1000 0010 sec_rgy_acct_add (kx) 0000 1000 0010 sec_rgy_acct_admin_replace (ky) 0000 1000 0010 sec_rgy_acct_delete (kz) 0000 0000 0000 sec_rgy_acct_get_projlist (la) 0000 0000 0000 sec_rgy_acct_lookup (lb) 0000 1000 0010 sec_rgy_acct_passwd (lc) 0000 1000 0010 sec_rgy_acct_rename (ld) 0000 1000 0010 sec_rgy_acct_replace_all (le) 0000 1000 
0010 sec_rgy_acct_user_replace (lf) 0000 0000 0000 sec_rgy_auth_plcy_get_effective (lg) 0000 0000 0000 sec_rgy_auth_plcy_get_info (lh) 0000 1000 0010 sec_rgy_auth_plcy_set_info (li) 0000 0000 0000 sec_rgy_cell_bind (lj) 0000 0000 0000 sec_rgy_cursor_reset (lk) 0000 0000 0000 sec_rgy_login_get_effective (ll) 0000 0000 0000 sec_rgy_login_get_info (lm) 0000 1000 0010 sec_rgy_pgo_add (ln) 0000 1000 0010 sec_rgy_pgo_add_member (lo) 0000 1000 0010 sec_rgy_pgo_delete (lp) 0000 1000 0010 sec_rgy_pgo_delete_member (lq) 0000 0000 0000 sec_rgy_pgo_get_by_id (lr) 0000 0000 0000 sec_rgy_pgo_get_by_name Nicely Page 39 DCE-RFC 1.0 POSIX/C2 Auditing of DCE API's June 1992 (ls) 0000 0000 0000 sec_rgy_pgo_get_by_unix_num (lt) 0000 0000 0000 sec_rgy_pgo_get_members (lu) 0000 0000 0000 sec_rgy_pgo_get_next (lv) 0000 0000 0000 sec_rgy_pgo_id_to_name (lw) 0000 0000 0000 sec_rgy_pgo_id_to_unix_num (lx) 0000 0000 0000 sec_rgy_pgo_is_member (ly) 0000 0000 0000 sec_rgy_pgo_name_to_id (lz) 0000 0000 0000 sec_rgy_pgo_name_to_unix_num (ma) 0000 1000 0010 sec_rgy_pgo_rename (mb) 0000 1000 0010 sec_rgy_pgo_replace (mc) 0000 0000 0000 sec_rgy_pgo_unix_num_to_id (md) 0000 0000 0000 sec_rgy_pgo_unix_num_to_name (me) 0000 0000 0000 sec_rgy_plcy_get_effective (mf) 0000 0000 0000 sec_rgy_plcy_get_info (mg) 0000 1000 0010 sec_rgy_plcy_set_info (mh) 0000 0000 0000 sec_rgy_properties_get_info (mi) 0000 1000 0010 sec_rgy_properties_set_info (mj) 0000 0000 0000 sec_rgy_site_bind (mk) 0000 0000 0000 sec_rgy_site_binding_get_info (ml) 0000 0000 0000 sec_rgy_site_bind_query (mm) 0000 0000 0000 sec_rgy_site_bind_update (mn) 0000 0000 0000 sec_rgy_site_close (mo) 0000 0000 0000 sec_rgy_site_get (mp) 0000 0000 0000 sec_rgy_site_is_readonly (mq) 0000 0000 0000 sec_rgy_site_open (mr) 0000 0000 0000 sec_rgy_site_open_query (ms) 0000 0000 0000 sec_rgy_site_open_update (mt) 0100 0000 0000 sec_rgy_wait_until_consistent (mu) 0000 0000 0000 setgrent (mv) 0000 0000 0000 setgrfile (mw) 0000 0000 0000 setgroupent (mx) 0000 
0000 0000 setpassent (my) 0000 0000 0000 setpwent (mz) 0000 0001 0000 setpwfile (na) 0000 0000 0000 utc_abstime (nb) 0000 0000 0000 utc_addtime (nc) 0000 0000 0000 utc_anytime (nd) 0000 0000 0000 utc_anyzone (ne) 0000 0000 0000 utc_ascanytime (nf) 0000 0000 0000 utc_ascgmtime (ng) 0000 0000 0000 utc_asclocaltime (nh) 0000 0000 0000 utc_ascreltime (ni) 0000 0000 0000 utc_binreltime (nj) 0000 0000 0000 utc_bintime (nk) 0000 0000 0000 utc_boundtime (nl) 0000 0000 0000 utc_cmpintervaltime (nm) 0000 0000 0000 utc_cmpmidtime (nn) 0000 0000 0000 utc_gettime (no) 0000 0000 0000 utc_getusertime (np) 0000 0000 0000 utc_gmtime Nicely Page 40 DCE-RFC 1.0 POSIX/C2 Auditing of DCE API's June 1992 (nq) 0000 0000 0000 utc_gmtzone (nr) 0000 0000 0000 utc_localtime (ns) 0000 0000 0000 utc_localzone (nt) 0000 0000 0000 utc_mkanytime (nu) 0000 0000 0000 utc_mkascreltime (nv) 0000 0000 0000 utc_mkasctime (nw) 0000 0000 0000 utc_mkbinreltime (nx) 0000 0000 0000 utc_mkbintime (ny) 0000 0000 0000 utc_mkgmtime (nz) 0000 0000 0000 utc_mklocaltime (oa) 0000 0000 0000 utc_mkreltime (ob) 0000 0000 0000 utc_mulftime (oc) 0000 0000 0000 utc_multime (od) 0000 0000 0000 utc_pointime (oe) 0000 0000 0000 utc_reltime (of) 0000 0000 0000 utc_spantime (og) 0000 0000 0000 utc_subtime (oh) 0000 0000 0000 uuidgen (oi) 0000 0000 0000 uuid_compare (oj) 0000 0000 0000 uuid_create (ok) 0000 0000 0000 uuid_create_nil (ol) 0000 0000 0000 uuid_equal (om) 0000 0000 0000 uuid_from_string (on) 0000 0000 0000 uuid_hash (oo) 0000 0000 0000 uuid_is_nil (op) 0000 0000 0000 uuid_to_string (oq) 0000 0010 0000 VC_BackupVolume (or) 0000 0010 0000 VC_CreateVolume (os) 0000 0100 0000 VC_DeleteVolume (ot) 0000 1000 0000 VC_DumpVolume (ou) 0000 0000 0000 VC_ListVolumes (ov) 0000 0110 0000 VC_MoveVolume (ow) 0000 0110 0000 VC_RenameVolume (ox) 0000 1000 0000 VC_RestoreVolume (oy) 0000 0000 0001 VC_SetQuota (oz) 0000 1000 0000 VC_SyncServer (pa) 0000 1000 0000 VC_SyncVldb (pb) 0000 0000 0000 VC_VolserStatus (pc) 0000 0000 0000 
VC_VolumeStatus (pd) 0000 0100 0000 VC_VolumeZap (pe) 0000 0000 0000 VldbListByAttributes (pf) 0000 1000 0110 VL_AddAddress (pg) 0000 1000 0000 VL_AlterServer (ph) 0000 1000 0110 VL_ChangeAddress (pi) 0000 1000 0110 VL_CreateEntry (pj) 0000 1000 0000 VL_CreateServer (pk) 0000 1000 0110 VL_DeleteEntry (pl) 0000 0000 0000 VL_ExpandSiteCookie (pm) 0000 0000 0000 VL_GenerateSites (pn) 0000 0000 0000 VL_GetCellInfo Nicely Page 41 DCE-RFC 1.0 POSIX/C2 Auditing of DCE API's June 1992 (po) 0000 0000 0000 VL_GetCEntryByID (pp) 0000 0000 0000 VL_GetCEntryByName (pq) 0000 0000 0000 VL_GetCNextServersByID (pr) 0000 0000 0000 VL_GetCNextServersByName (ps) 0000 0000 0000 VL_GetEntryByID (pt) 0000 0000 0000 VL_GetEntryByName (pu) 0000 0000 0111 VL_GetNewVolumeId (pv) 0000 0000 0111 VL_GetNewVolumeIds (pw) 0000 0000 0000 VL_GetNextServerByID (px) 0000 0000 0000 VL_GetNextServerByName (py) 0000 0000 0000 VL_GetSiteInfo (pz) 0000 0000 0110 VL_GetStats (qa) 0000 0000 0000 VL_ListByAttributes (qb) 0000 0000 0000 VL_ListEntry (qc) 0000 0000 0000 VL_Probe (qd) 0000 1000 0110 VL_ReleaseLock (qe) 0000 1000 0110 VL_RemoveAddress (qf) 0000 0000 0111 VL_ReplaceEntry (qg) 0000 1000 0110 VL_SetLock (qh) 0000 0000 0000 volser_Date APPENDIX C. Q&A'S FROM THE FIRST REVIEW In the initial review of the DCE API's to determine which should be audited a variety of questions arose. To aid in the review process these questions were captured along with the subsequent answers to show the decision process. Those answers were then captured in section two describing the audit selection process. Both are included here to help arrive at consensus on the audit event selections. If an answer is wrong it will be easier to change the rules in section two and re-incorporate them into affected API's then annote those API's. In addition, the set of rules and decisions can be applied to new API's when created to determine their audit event classification. 
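The flag values in the Appendix B table and the decisions recorded in this appendix can be checked against each other mechanically. The Python below is an added example, not part of the original RFC: it parses entries in the table's "(label) flags name" form, decodes the bits into the twelve classes of section 2, and reports entries that disagree with answers (a), (e), (h), (j) and (k). All function and variable names are assumptions chosen for illustration; the sample rows are copied from the table.

```python
import re

# Section 2 flag order: the rightmost bit is class (a), the leftmost class (l).
CLASSES = (
    "attribute change", "access denials", "admin-operator", "audit",
    "authentication", "object creation", "object deletion",
    "object modification", "path modification", "privilege", "proc",
    "proc control",
)
# One table entry: "(label) nnnn nnnn nnnn api_name".
ENTRY = re.compile(r"\(([a-z]{1,2})\)\s+([01]{4})\s+([01]{4})\s+([01]{4})\s+(\w+)")

# Rows copied from the Appendix B table; the layout (two rows on one line)
# is constructed to show that run-together text parses as well.
SAMPLE = """
(cp) 1000 0000 0000 pthread_attr_create
(ji) 0000 0000 0011 sec_acl_replace (jp) 0000 0001 0010 sec_key_mgmt_change_key
(oj) 0000 0000 0000 uuid_create (ov) 0000 0110 0000 VC_MoveVolume
(pi) 0000 1000 0110 VL_CreateEntry
"""

# Appendix C decisions as checks: answer -> (API, classes that must be set).
# An empty set means the answer says the call is not auditable at all.
DECISIONS = {
    "a": ("pthread_attr_create", {"proc control"}),
    "e": ("sec_acl_replace", {"attribute change"}),
    "h": ("uuid_create", set()),
    "j": ("sec_key_mgmt_change_key", {"authentication"}),
    "k": ("VC_MoveVolume", {"object creation", "object deletion"}),
}

def parse_table(text):
    """Return {api_name: 12-bit class mask} for every entry found in text."""
    return {name: int(hi + mid + lo, 2)
            for _label, hi, mid, lo, name in ENTRY.findall(text)}

def decode(mask):
    """Class names for a mask, lowest bit first."""
    if not 0 <= mask < 1 << len(CLASSES):
        raise ValueError("mask has bits outside the twelve classes")
    return [name for bit, name in enumerate(CLASSES) if mask >> bit & 1]

def mask_of(*names):
    """Build a single event-list value from class names."""
    mask = 0
    for name in names:
        mask |= 1 << CLASSES.index(name)
    return mask

def selected(table, event_list):
    """API's whose flags share at least one class with event_list."""
    return sorted(api for api, mask in table.items() if mask & event_list)

def violations(table, decisions):
    """Entries whose flags disagree with the recorded decision."""
    bad = []
    for answer, (api, required) in sorted(decisions.items()):
        got = set(decode(table[api]))
        agrees = required <= got if required else not got
        if not agrees:
            bad.append((answer, api, sorted(got)))
    return bad

if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for api, mask in table.items():
        print(f"{api:26} {', '.join(decode(mask)) or 'not audited'}")
    print("disagreements:", violations(table, DECISIONS))
```

Feeding the whole Appendix B table to `parse_table` and extending `DECISIONS` gives a regression check to rerun whenever a rule in section two changes.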
(a) Q: Is an API which creates, deletes or modifies a thread attribute object an object (create, delete, mod), attribute change, and/or proc control audit event?
    A: Thread attribute objects are process control auditable events. Threads are processes and the attribute objects are used to configure those processes. Modifications to thread attribute objects are not attribute change auditable events because they are not file system objects.

(b) Q: Is an API which creates, deletes or modifies a fileset an object (create, delete, mod), proc and/or an attribute change audit event?
    A: A fileset is a file system object and therefore its creation, deletion or modification is an object (create, delete or modify) audit event. It may also be an attribute change event since filesets do contain attributes of files; currently, though, they are not marked as attribute change events.

(c) Q: Is an API which sets attributes for BOSSVR an attribute change and/or a proc control audit event?
    A: BOSSVR is a process, therefore modification of its associated attributes is a process control audit event.

(d) Q: Are server addresses objects, attributes or paths?
    A: Server addresses are considered attributes and therefore the creation, deletion or modification of server addresses are attribute change audit events. End point maps are considered objects, therefore registering a server address in an end point map is an object modify audit event.

(e) Q: Is an ACL an object or an attribute?
    A: An ACL is an attribute and therefore the creation, deletion or modification of an ACL is an attribute change audit event.

(f) Q: Is a PGO item an object, path or attribute?
    A: The registry database is an object, therefore a PGO entry added, deleted or changed in the registry database is an object modify audit event. This does not include modifications to the PGO data in the name service database, which change group data associated with RPCs, which are processes.

(g) Q: Are registry properties attributes?
    A: Registry properties are attributes and therefore the creation, deletion or modification of registry properties is an attribute change audit event.

(h) Q: Is UUID an object or an attribute?
    A: A UUID is not an object or an attribute, therefore its creation is not an auditable event.

(i) Q: Is the changing of private object attributes an auditable attribute event or is there no need to audit private objects?
    A: Private objects are treated as objects and therefore the setting of private object attributes is an attribute change auditable event and the creation, deletion or modification of a private object is an object create, delete or modify audit event.

(j) Q: Is the creation, deletion or modification of principal keys an authentication or attribute change audit event?
    A: Adding, deleting or changing a principal's key affects authentication events, therefore these operations are considered authentication audit events. Since a key is associated with a principal and not an object, it is not an attribute.

(k) Q: Is an API which moves a fileset a path modification event?
    A: A fileset is an object, therefore moving a fileset is an object create and delete audit event.

(l) Q: When the Fileset Location Database (FLDB) aggregate is modified, is that a path modification, administration or attribute change or object modification audit event?
    A: An FLDB is considered an object and therefore its modification is an object modify audit event.

(m) Q: Is the use of alternate password files a path modification, administration or authentication audit event?
    A: Changes to principal key data are considered an authentication audit event, which would include using an alternate password file.

(n) Q: Is the generation of global names (sec_id_gen_name) a path modification?
    A: Generating global names is not an auditable event.

(o) Q: Where do API's for ACL manager routines fall: are they access denial or attribute change auditable events?
    A: ACL manager routines are not auditable events.

(p) Q: Are headers API's?
    A: Headers contain data types which do contain attribute setting data, but the need to audit API's which use data types to set attributes has already been captured and therefore the use of the associated header is not meaningful.

(q) Q: How should name service environmental variables be treated?
    A: The use of environmental variables does not need to be audited.

(r) Q: How should Object Management objects be treated?
    A: As objects.

(s) Q: How should pioctl calls be treated?
    A: All pioctl calls are not currently audited but should be more closely looked at since these calls allow flexibility.

(t) Q: Are Remote Procedure Call (RPC) name service modifications proc control auditable events?
    A: The name service database is not considered an object because its entries are associated with RPCs, which are processes. Changes to name service entries adding, deleting or changing groups or members or profiles are proc control audit events.

(u) Q: What type of audit event are changes to the Global Directory Service (GDS) name space?
    A: The GDS name space contains directory information about objects and therefore modifications to it are attribute change audit events.

REFERENCES

[OrangeBook] Department of Defense Trusted Computer Evaluation Criteria, DoD 5200.28-STD, December 1985.

[POSIX.6D2] Security Interface for the Portable Operating System Interface for Computer Environments, P1003.6, Draft 2, September 24, 1991.

AUTHOR'S ADDRESS

Major Deborah Nicely              Internet email: nicelyd@v3.hanscom.af.mil
ESD/ICD                           Telephone: +1-617-271-7297
Hanscom Air Force Base, MA 01731
USA