audit_dpms_filter.4 (2010 09)

audit_dpms_filter(4) audit_dpms_filter(4)
user = root
effective_user = root
group = users
effective_group != daemon
keyword login_user
This condition specifies a login user’s name. This is typically the user who is responsible for all the
events that occurred in his login session. This name might be different from the real or effective
user name of an event. Only events for which the given user is responsible will be considered for
action. In this case, the Audit DPMS framework tries to match the given user name to the user name
appearing in the audit tag. See audit(5) for more information about the audit tag.
Examples:
login_user = mary
keyword pid, ppid or sid
These conditions specify a process ID or a session ID. Only the events whose process ID, parent process ID, or audit session ID matches the value will be considered for action. Audit session ID is typically the session ID of a remote login user’s session. A remote login session is the period of activity between a user logging in and logging out of the system. This ID stays the same throughout the lifetime of each login session.
Examples:
To specify all events that occurred from a particular login session (1234), use:
sid = 1234
To specify all events that were done by a particular process (1234), use:
pid = 1234
keyword return or errno
These conditions specify a return status. Only the events with the given return status will be considered for action. The condition with keyword return takes either success or fail; the condition with keyword errno takes a particular error number.
Examples:
return = success
errno = 1
keyword cmpt or cid
These conditions specify a compartment label, either by name or by ID. Only the events that
occurred in that compartment will be considered for action.
Examples:
cmpt = oracle
cmpt != init
cid = 1234
See also the Pattern Match section below.
keyword command
This condition specifies a command name. Only the events that were produced by the given command will be considered for action.
Examples:
command = sh
command != login
See also the Pattern Match section below.
keyword file.pathname
This condition specifies a file’s pathname. Only the events that operated on the file with the given
pathname will be considered for action.
Examples:
file.pathname = /etc/passwd
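The condition syntax described above, as an added example that is not part of this man page or of HP-UX's own code: a small Python evaluator that parses lines of the form keyword = value or keyword != value and applies them to constructed audit event records. It assumes events are dicts keyed by the documented keywords, that every condition in a filter must hold (AND), and exact matching only (the Pattern Match rules referenced above are not reproduced).

```python
import re

# Keywords documented in this audit_dpms_filter(4) excerpt.
KEYWORDS = {
    "user", "effective_user", "group", "effective_group", "login_user",
    "pid", "ppid", "sid", "return", "errno", "cmpt", "cid", "command",
    "file.pathname",
}
NUMERIC = {"pid", "ppid", "sid", "cid", "errno"}
COND_RE = re.compile(r"^\s*([a-z_.]+)\s*(!=|=)\s*(\S+)\s*$")

def parse_condition(line):
    """Parse one condition line into (keyword, operator, value)."""
    m = COND_RE.match(line)
    if not m or m.group(1) not in KEYWORDS:
        raise ValueError("unsupported condition: %r" % line)
    key, op, value = m.groups()
    if key in NUMERIC:
        value = int(value)          # IDs and error numbers are integers
    elif key == "return" and value not in ("success", "fail"):
        raise ValueError("return takes success or fail, got %r" % value)
    return key, op, value

def matches(event, conditions):
    """True when the event satisfies every condition (assumed AND semantics)."""
    for key, op, value in conditions:
        equal = event.get(key) == value
        if (op == "=" and not equal) or (op == "!=" and equal):
            return False
    return True

def select(events, filter_text):
    """Return the events a multi-line filter would select for action."""
    conds = [parse_condition(l) for l in filter_text.splitlines() if l.strip()]
    return [e for e in events if matches(e, conds)]

# Constructed sample events; not real audit records.
EVENTS = [
    {"user": "root", "login_user": "mary", "sid": 1234, "pid": 41,
     "return": "fail", "errno": 1, "cmpt": "oracle", "command": "sh",
     "file.pathname": "/etc/passwd"},
    {"user": "mary", "login_user": "mary", "sid": 1234, "pid": 42,
     "return": "success", "errno": 0, "cmpt": "init", "command": "login",
     "file.pathname": "/home/mary/.profile"},
]

if __name__ == "__main__":
    f = "login_user = mary\nsid = 1234\nreturn = fail\nfile.pathname = /etc/passwd"
    print([e["pid"] for e in select(EVENTS, f)])   # [41]
```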
HP-UX 11i Version 3: September 2010 − 3 − Hewlett-Packard Company