audit_dpms_filter.4 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

audit_dpms_ﬁlter(4) audit_dpms_ﬁlter(4)

NAME

audit_dpms_ﬁlter - conﬁguration ﬁle for ﬁltering Audit DPMS data

DESCRIPTION

An Audit DPMS ﬁlter ﬁle speciﬁes ﬁltering rules for selecting auditing information on an event basis

through the Audit DPMS APIs (see audit_dpms (5)). The ﬁlter ﬁle is registered through the

audit_dpms_register_filter()

interface and can be applied to either reading or writing of the

audit events (see audit_dpms_api(3)).

Each ﬁlter ﬁle may contain one or more ﬁlters. If no ﬁlter is speciﬁed, all audit events are selected.

Each ﬁlter in the ﬁle must begin with the

[filter] token, followed by one or more ﬁltering rules. The

[filter] token must be speciﬁed literally; it is not optional. During reading or writing of an audit

event, each ﬁlter in the ﬁle is applied one at time. The Audit DPMS framework considers that the given

audit event satisﬁes the ﬁltering rules as long as it satisﬁes one of the ﬁlters.

Each ﬁltering rule consists of an action and one or more ﬁltering expressions on which the logical OR is

performed. An action speciﬁes whether or not to include or exclude the event from the selection. The

ﬁltering expressions specify a set of conditions, and based on those conditions, the Audit DPMS frame-

work determines whether or not to apply the action.

Each ﬁltering rule is separated by a semicolon (

;), or a new line, or both. If both include and exclude

actions are speciﬁed in a ﬁlter, then all of the include expressions (conditions) are processed ﬁrst, and

then excluded as per the speciﬁed exclude expressions (conditions).

Each ﬁltering expression (condition) is a triplet of an attribute keyword, an operator and a value.

Filter Syntax

Here is the syntax of the ﬁlter ﬁle. All keywords are case sensitive.

filter_file: {ﬁlter }*

filter:

[filter]

{ﬁlter_rule }+

filter_rule: action conditions [

;]?

action:

include | exclude | + | -

conditions: condition ( || condition)*

condition: attribute operator value

where:

( )* The asterisk

* means zero or more occurrences.

[ ]? The question mark

? means zero or one occurrence.

{ }+ The plus sign

+ means one or more occurrence.

The ﬁlter ﬁle is preprocessed with

cpp before parsing. You can use cpp directives such as #include,

#define, #ifdef, and C/C++ style comments to organize and document the ﬁlters. See cpp (1). The

/etc/audit/dpms_filters directory is used as the default search path for #include directives

that use relative paths.

Syntax errors in the ﬁlter ﬁle must be corrected before processing new ﬁlter ﬁles.

audit_dpms_register_filter() will not process new ﬁlter ﬁles if it encountered a syntax error on

a previously processed ﬁlter ﬁle.

Conditions

Each ﬁltering expression (condition) is a triplet of:

• an attribute keyword,

• an operator, and

• avalue.

Only the events that match the given condition are selected for further actions (either include or exclude).

See more information about each supported condition type in the following sections, indexed by the attri-

bute keywords.

keyword timestamp

This condition speciﬁes a time period. Only the audit events that occurred during the speciﬁed time

period will be considered for action. A time period is speciﬁed in the form:

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (6 pages)

PAGE 1
audit_dpms_filter(4) audit_dpms_filter(4) NAME audit_dpms_filter - configuration file for filtering Audit DPMS data DESCRIPTION An Audit DPMS filter file specifies filtering rules for selecting auditing information on an event basis through the Audit DPMS APIs (see audit_dpms (5)). The filter file is registered through the audit_dpms_register_filter() interface and can be applied to either reading or writing of the audit events (see audit_dpms_api(3)). Each filter file may contain one or more filters.
PAGE 2
audit_dpms_filter(4) audit_dpms_filter(4) ([a_time].[a_period].[a_time]) where: A a_time is in the form mmddHHMM[yyyy ] (month, day, hour, minute, year) in local time (if year is not specified, the current year will be used); and, a_period is a number followed by y, m, d, H, or M (year, month, day, hour, minute) as the unit. The first a_time specifies a start time and the second a_time specifies an end time.
PAGE 3
audit_dpms_filter(4) audit_dpms_filter(4) user = root effective_user = root group = users effective_group != daemon keyword login_user This condition specifies a login user’s name. This is typically the user who is responsible for all the events that occurred in his login session. This name might be different from the real or effective user name of an event. Only events for which the given user is responsible will be considered for action.
PAGE 4
audit_dpms_filter(4) audit_dpms_filter(4) file.pathname = /var/adm/sulog See also the Pattern Match section below. keyword file.ftype This type of condition specifies a file’s type. Only the audit events that operated on the files with the given type will be considered for action. Examples: A file.ftype = directory file.ftype != charspecial aA The accepted values are: regular, directory, charspecial, blockspecial, symlink, pipe, networkspecial, and socket. keyword file.owner or file.
PAGE 5
audit_dpms_filter(4) audit_dpms_filter(4) Although exact string matches are supported, it is very rare to use exact string matches for selfauditing text. It is more typical to use pattern matches for this type of condition. See the Pattern Match section below. Pattern Match All condition types accept = (is equal to) and != (is not equal to) as the operator.
PAGE 6
audit_dpms_filter(4) audit_dpms_filter(4) The next example selects the root user’s activities in session 1234. [filter] +event=exec; +login_user=root; +command=sh; +sid=1234; More sample DPMS filters can be found under /etc/audit/dpms_filters. A aA SEE ALSO auditdp(1M), audit_dpms_api(3), audit.conf(4).