KasperskyOS Community Edition 1.2

Examples of security audit profiles

Before analyzing examples, you need to become familiar with the Base, Regex and Flow security models.

Example 1

// Describing a trace security audit profile
// base – Base security model object
// session – Flow security model object
audit profile trace =
    /* If the audit runtime-level is equal to 0, the audit covers
     * base object rules when these rules return
     * the "denied" result. */
    { 0 :
        { base :
            { kss : ["denied"]
            }
        }
    /* If the audit runtime-level is equal to 1, the audit covers methods
     * of the session object in the following cases:
     * 1. Rules of the session object return any result, and
     *    the finite-state machine is in a state other than closed.
     * 2. A query expression of the session object is executed, and the
     *    finite-state machine is in a state other than closed. */
    , 1 :
        { session :
            { kss : ["granted", "denied"]
            , omit : ["closed"]
            }
        }
    /* If the audit runtime-level is equal to 2, the audit covers methods
     * of the session object in the following cases:
     * 1. Rules of the session object return any result.
     * 2. A query expression of the session object is executed. */
    , 2 :
        { session :
            { kss : ["granted", "denied"]
            }
        }
    }

Example 2

// Describing a test security audit profile
// base – Base security model object
// re – Regex security model object
audit profile test =
    /* If the audit runtime-level is equal to 0, rules of the base object
     * and expressions of the re object are not covered by the audit. */
    { 0 :
        { base :
            { kss : []
            }
        , re :
            { kss : []
            , emit : []
            }
        }
    /* If the audit runtime-level is equal to 1, rules of the
     * base object are not covered by the audit, and expressions of the
     * re object are covered by the audit. */
    , 1 :
        { base :
            { kss : []
            }
        , re :
            { kss : ["granted"]
            , emit : ["match", "select"]
            }
        }
    /* If the audit runtime-level is equal to 2, rules of the base object
     * and expressions of the re object are covered by the audit. Rules
     * of the base object are covered by the audit irrespective of the
     * result that they return. */
    , 2 :
        { base :
            { kss : ["granted", "denied"]
            }
        , re :
            { kss : ["granted"]
            , emit : ["match", "select"]
            }
        }
    }