Resource content-access events are related to access of any data files protected by an authentication domain. This could be file system files, database records, Web pages etc. While instrumenting applications, consider securing access to the resources. Resource access can be a high-bandwidth process. Therefore, only security-relevant events should be reported. Such instrumentation should be configurable at the application level by the application administrator, thus must be policy driven. This implies that such applications add additional infrastructure and user interface to allow administrators to manage the resource-access events that has to be audited, and determine the unimportant events within the security context.
Table 5-8 Data Item or Resource Element Content Access Events Taxonomy
|
Event Name |
Event Identifier |
Corresponding eDir Event |
Description |
Use |
|---|---|---|---|---|
|
Create Data Item Association |
0.0.6.0 |
DSE_ADD_VALUE |
Create association with a data item |
This event is reported when rights are granted by an identity to a specific data item – when a trust relationship is established between an identity and a data item. |
|
Terminate Data Item Association |
0.0.6.1 |
DSE_DELETE_ATTRIBUTE DSE_DELETE_VALUE |
Terminate association with a data item |
This event is reported when rights are revoked from an identity to a specific data item – when a trust relationship is revoked between an identity and a data item. This event is also thrown when the last value of a multi valued attribute is deleted via LDAP. |
|
Modify Data Item Association |
0.0.6.3 |
DSE_BKLINK_OPERATOR DSE_BKLINK_SEV DSE_CHANGE_OBJ_SECURITY DSE_CHANGE_PROP_SECURITY DSE_CHANGE_SECURITY_EQUALS |
Modify context of association with data item |
This event is reported when rights are modified on the previously established relationship between an identity and specific data item. |
The following sections include examples for data item and resource element management events.
Click Create Data Item Association to generate an event when rights are granted by an identity to a specific data item, as shown in the following example:
Jan 08 10:20:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=SLES11-SP2-164,O=mycom","Id" : "32833"},"Entity" : {"SysAddr" : "100.1.2.164:39570"}},"Target" : {"Data" : {"Attribute Name" : "Local Received Up To","Attribute Value" : "2918332558536081408","ClassName" : "Tree Root","Syntax" : "9"}},"Action" : {"Event" : {"Id" : "0.0.0.0","Name" : "CREATE_DATA_ITEM_ASSOCIATION","CorrelationID" : "eDirectory#21#bf97ffb6-91d0-4019-6988-b6ff97bfd091","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847818},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Terminate Data Item Association to generate an event when rights are revoked from an identity to a specific data item, as shown in the following example:
Jan 08 10:20:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=SLES11-SP2-164,O=mycom","Id" : "32833"},"Entity" : {"SysAddr" : "100.1.2.164:39570"}},"Target" : {"Data" : {"Attribute Name" : "syncPanePoint","ClassName" : "Tree Root","Syntax" : "9"}},"Action" : {"Event" : {"Id" : "0.0.6.1","Name" : "TERMINATE_DATA_ITEM_ASSOCIATION","CorrelationID" : "eDirectory#21#bf97ffb6-91d0-4019-6988-b6ff97bfd091","SubEvent" : "DSE_DELETE_ATTRIBUTE"},"Time" : {"Offset" : 1389847818},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}