Example descriptions of security audit profiles

Before analyzing examples, you need to become familiar with the Base, Regex and Flow security models.

Example 1

// Describing a trace security audit profile

// base – Base security model object

// session – Flow security model object

audit profile trace =

/* If the audit runtime-level is equal to 0, the audit covers

* base object rules when these rules return

* the "denied" result. */

{ 0 :

{ base :

{ kss : ["denied"]

}

}

/* If the audit runtime-level is equal to 1, the audit covers methods

* of the session object in the following cases:

* 1. Rules of the session object return a "granted"

* or "denied" result, and the finite-state machine is in a state

* other than closed.

* 2. A query expression of the session object is called, and the

* finite-state machine is in a state other than closed. */

, 1 :

{ session :

{ kss : ["granted", "denied"]

, omit : ["closed"]

}

}

/* If the audit runtime-level is equal to 2, the audit covers methods

* of the session object in the following cases:

* 1. Rules of the session object return a "granted"

* or "denied" result.

* 2. A query expression of the session object is called. */

, 2 :

{ session :

{ kss : ["granted", "denied"]

}

}

}

Example 2

// Describing a test security audit profile

// base – Base security model object

// re – Regex security model object

audit profile test =

/* If the audit runtime-level is equal to 0, rules of the base object

* and expressions of the re object are not covered by the audit. */

{ 0 :

{ base :

{ kss : []

}

, re :

{ kss : []

, emit : []

}

}

/* If the audit runtime-level is equal to 1, rules of the

* base object are not covered by the audit, and expressions of the

* re object are covered by the audit.*/

, 1 :

{ base :

{ kss : []

}

, re :

{ kss : []

, emit : ["match", "select"]

}

}

/* If the audit runtime-level is equal to 2, rules of the base object

* and expressions of the re object are covered by the audit. Rules

* of the base object are covered by the audit irrespective of the

* result that they return.*/

, 2 :

{ base :

{ kss : ["granted", "denied"]

}

, re :

{ kss : []

, emit : ["match", "select"]

}

}

}

Page top