audit_dpms.5 (2011 03)
audit_dpms(5) audit_dpms(5)
NAME
audit_dpms - Audit Data Process Module Switch (Audit DPMS)
SYNOPSIS
#include <audit_dpms.h>
#include <audit_dpms_api.h>
cc [flag]... file... -laudit_dpms [library]...
DESCRIPTION
The Audit Data Process Module Switch (Audit DPMS) framework offers the ability to selectively access
audit data in various formats through a set of common programming interfaces.
Audit DPMS provides a layer of separation between applications that need to extract information from
an audit data source and the underlying modules that have knowledge of the internal data format.
This framework is primarily designed for HP-UX audit data that the HP-UX auditing system collects (see
audit(5)). However, the framework allows service modules to be plugged in to handle the data in any
format. With this layer of separation, an application can treat any data in the same manner by simply
applying the service module corresponding to the given set of data. The application does not need to have
knowledge about the internal format of the data to use the information.
The Audit DPMS framework, libaudit_dpms, consists of an interface library and multiple Audit
DPMS service modules. The names for all Audit DPMS’s Application Programming Interfaces (APIs)
start with audit_dpms_. The names for all DPMS service modules’ Service Provider Interfaces (SPIs)
start with audit_dpm_.
The audit_dpms_start, audit_dpms_end, audit_dpms_read_event and audit_dpms_write_event
Audit DPMS APIs each call a corresponding audit_dpm_start, audit_dpm_end, audit_dpm_read_event,
or audit_dpm_write_event interface residing in the currently loaded DPMS service module.
The Audit DPMS interface library is the layer implementing the APIs. An application typically uses one
DPMS service module to read audit data in one format, and then uses another DPMS service module to
write the audit data in another format. The auditdp application uses these APIs to convert audit data
in this manner. See auditdp(1M).
Audit data is read or written on an event basis. An audit event consists of the following information:
origin    Where the event occurred.
header    What the event was, when it occurred and whether it succeeded.
subject   Who is responsible for the event.
object    The file or socket that the event tried to access.
details   All other miscellaneous information about the event, including system call arguments or
          self-auditing text.
See audit_dpms_api(3) for more information about these interfaces.
The Audit DPMS interface library also provides an interface to allow an application to register a set of
filtering rules. Only the audit events that meet the filtering criteria are returned to the caller. See
audit_dpms_api(3) for more information about this interface and see audit_dpms_filter(4) for the
grammar of the filtering rules. This interface is provided entirely within the DPMS switch; DPMS modules do
not provide a plug-in for this interface.
The Audit DPMS service modules are a set of dynamically loadable objects invoked by the Audit DPMS
API to handle a particular type of audit data and format. See audit_dpms_spi(3) for more information
about Audit DPMS SPIs.
Currently, HP-UX provides three DPMS service modules: one reads and writes HP-UX raw audit data,
one reads and writes HP-UX portable audit data, and one writes XML format data. See
audit_hpux_raw(5), audit_hpux_portable(5) and audit_hpux_xml(5) for more information about these
DPMS service modules.
One can also develop new DPMS service modules to plug into the Audit DPMS framework to handle audit
data from another source or in another format.
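The dispatch and filtering arrangement described above, modeled as an added C illustration that is not HP-UX code and not the library's API. Every toy_* name, type and signature is hypothetical, the start/end hooks are omitted, and a single subject match stands in for the audit_dpms_filter(4) rule grammar.

```c
/* Toy model only: every toy_* name and signature is hypothetical, not the HP-UX API. */
#include <stdio.h>
#include <string.h>
typedef struct { const char *origin, *header, *subject, *object, *details; } toy_event;
/* SPI side: hooks a service module provides; NULL means "not supported". */
typedef struct {
    int (*read_event)(void *ctx, toy_event *ev);        /* 1 = event, 0 = end, -1 = error */
    int (*write_event)(void *ctx, const toy_event *ev); /* 0 = ok, -1 = error */
} toy_spi;
/* Switch handle: loaded module, its private state, and a filter owned by the switch. */
typedef struct { const toy_spi *mod; void *ctx; const char *subject_filter; } toy_dpms;
typedef struct { const toy_event *evs; size_t n, pos; } mem_src;  /* module 1: in-memory source */
static int mem_read(void *c, toy_event *ev) {
    mem_src *s = c;
    if (s->pos >= s->n) return 0;                       /* end of data */
    *ev = s->evs[s->pos++];
    return 1;
}
static const toy_spi MEM_READER = { mem_read, NULL };
typedef struct { char buf[256]; size_t len; } text_sink;  /* module 2: write-only text sink */
static int text_write(void *c, const toy_event *ev) {
    text_sink *s = c;
    int n = snprintf(s->buf + s->len, sizeof s->buf - s->len, "%s %s %s\n", ev->subject, ev->header, ev->object);
    if (n < 0 || s->len + (size_t)n >= sizeof s->buf) { s->buf[s->len] = '\0'; return -1; } /* never truncate */
    s->len += (size_t)n;
    return 0;
}
static const toy_spi TEXT_WRITER = { NULL, text_write };
/* Switch layer: read via one module, filter here, write via the other; returns count or -1. */
static int toy_dpms_copy(toy_dpms *in, toy_dpms *out) {
    toy_event ev; int rc, n = 0;
    if (!in->mod->read_event || !out->mod->write_event) return -1; /* wrong module direction */
    while ((rc = in->mod->read_event(in->ctx, &ev)) == 1) {
        if (in->subject_filter && strcmp(ev.subject, in->subject_filter) != 0) continue;
        if (out->mod->write_event(out->ctx, &ev) != 0) return -1;
        n++;
    }
    return rc < 0 ? -1 : n;
}
static const toy_event SAMPLE[] = { /* constructed sample events */
    { "host1", "open:success", "root",  "/etc/passwd", "" },
    { "host1", "open:failure", "alice", "/etc/shadow", "" },
    { "host1", "connect:success", "root", "socket:22", "" } };

int main(void) {
    mem_src src = { SAMPLE, 3, 0 }; text_sink sink = { "", 0 };
    toy_dpms in = { &MEM_READER, &src, "root" }, out = { &TEXT_WRITER, &sink, NULL };
    printf("%d events copied\n%s", toy_dpms_copy(&in, &out), sink.buf);
    return 0;
}
```

Because the filter lives in the switch handle, neither module sees it, and a write-only module used as the input side is rejected before any event is read.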
HP-UX 11i Version 3: March 2011 Hewlett-Packard Company