This set of events relates to the management of services or applications. For example, the RPM package manager might throw these events as packages are installed or removed from a Linux system. Windows 32 Service Control Manager (SCM) events sent to the Windows 32 System Event Log may be translated into these events as they are imported into OpenXDASv2. This set of events could also be much more domain-specific, including concepts such as installing, removing, or configuring installable executable-modules within a single application domain. The key idea is to ensure that reported events have security significance.
Table 5-4 Service or Application Management Event Taxonomy
|
Event Name |
Event Identifier |
Corresponding eDir Event |
Description |
Use |
|---|---|---|---|---|
|
Enable Service |
0.0.3.5 |
DSE_CHANGE_MODULE_STATE |
Enable a service or application |
This event ise reported when a service, operation or function is enabled. |
|
Disable Service |
0.0.3.4 |
DSE_CHANGE_MODULE_STATE |
Disable a service or application |
This event is reported when a service, operation or function is disabled. |
The following sections include examples of events related to the management of services or applications.
Click Enable Service to generate an event for enabling a service, as shown in the following example:
Jan 08 15:06:03 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "GMC1-OESMARA","Name" : "CN=SLES11-SP3-191,O=novell"},"Entity" : {"SysAddr" : "164.99.179.191","SysName" : "sles11-sp3-191"}},"Initiator" : {"Account" : {"Domain" : "GMC1-OESMARA","Name" : "CN=SLES11-SP3-191,O=novell"}},"Target" : {"Data" : {"Module State" : "Loaded","Name" : "libspmdclnt.so"}},"Action" : {"Event" : {"Id" : "0.0.3.5","Name" : "ENABLE_SERVICE","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CHANGE_MODULE_STATE"},"Time" : {"Offset" : 1390473064},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Disable Service to generate an event for disabling a service, as shown in the following example:
Jan 08 16:04:58 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "GMC1-OESMARA","Name" : "CN=SLES11-SP3-191,O=novell"},"Entity" : {"SysAddr" : "164.99.179.191","SysName" : "sles11-sp3-191"}},"Initiator" : {"Account" : {"Domain" : "GMC1-OESMARA","Name" : "CN=SLES11-SP3-191,O=novell"}},"Target" : {"Data" : {"Module State" : "Unloaded","Name" : "libssldp.so"}},"Action" : {"Event" : {"Id" : "0.0.3.4","Name" : "DISABLE_SERVICE","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_CHANGE_MODULE_STATE"},"Time" : {"Offset" : 1390473298},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}