
Giving Permissions to Audit Clients and Administrators

Using dcecp, you can add entries to the ACL of the audit daemon that will grant audit clients the log permission to the audit trail file. You can create a DCE security group that consists of the servers on the host that are authorized to generate audit records. For example:

group/hosts/<hostname>/audit-clients

Give this group the log permission to the audit daemon. For example:

dcecp> acl modify /.:/hosts/machine1/audit-server \
> -add {group hosts/machine1/audit-clients l}
dcecp>

All audit clients can then be made members of this group and inherit its permissions to the audit daemon.

ACL entries must also be added to grant designated administrators the read, query, and control permissions to the audit daemon. For example, for the administrator's group group/hosts/machine1/audit-admin:

dcecp> acl modify /.:/hosts/machine1/audit-server \
> -add {group hosts/machine1/audit-admin rwc}
dcecp>
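
The whole procedure above as one dcecp script, including the group creation and membership steps that the text describes but does not show. This is an added example, not part of the original documentation; the member names example-server and example_admin are hypothetical and must already exist as principals in the registry.

```tcl
# Added example: run inside dcecp as a principal allowed to edit the registry
# and the audit daemon's ACL. The host name follows the page's examples.
set host    machine1
set auditd  /.:/hosts/$host/audit-server
set clients hosts/$host/audit-clients
set admins  hosts/$host/audit-admin

# Create the two groups; catch lets the script continue if one already exists.
foreach g [list $clients $admins] {
    if {[catch {group create $g} msg]} {
        puts "group create $g: $msg"
    }
}

# Hypothetical members: one server that generates audit records and one
# administrator.
group add $clients -member hosts/$host/example-server
group add $admins  -member example_admin

# Audit clients get only the log permission (l); administrators get rwc,
# exactly as in the two acl modify commands on the page.
acl modify $auditd -add [list group $clients l]
acl modify $auditd -add [list group $admins rwc]

# Review the result: confirm that both entries are present and that no other
# entry grants more than intended, then confirm the group memberships.
puts [acl show $auditd]
puts [group list $clients]
puts [group list $admins]
```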