OSF DCE Administration Guide--Core Components
DCE Audit Service
42.3.6.2 Filter Guides
A filter contains one or more guides. A filter guide contains three elements: audit
condition, audit action, and event class.
An audit condition specifies the required outcome (or outcomes) of the event before an
audit record is written to the audit trail. These outcomes are not mutually exclusive. The
audit conditions are:
• success—Records only if the event succeeds.
• failure—Records only if the event fails.
• denial—Records only if the event failed because of access denial.
An audit action specifies where the audit record is written. The audit actions are:
• alarm—Displays the audit record on the system console.
• log—Logs the audit record through an audit daemon or directly to an audit trail file.
The audit actions are not mutually exclusive; you can specify both.
The third element of the filter guide specifies the event class or event classes to which
the filter will apply (for the specific filter subject identity).
42.3.6.3 Example of Filter Guides
The following is an example of a filter with two guides:
    filter type: foreign_principal
    key: /.../cell_x/foo
    guide 1:
        audit conditions - denial
        audit actions - log
        event classes - Confidential
    guide 2:
        audit conditions - denial
        audit actions - alarm, log
        event classes - Restricted
Guide 1 specifies that an audit record will be logged for any event in event class
Confidential if the user is the foreign principal /.../cell_x/foo and the event failed
because of access denial. Guide 2 specifies that an audit record will not only be logged
but also be displayed on the system console for any event in event class Restricted, for
the same user and event outcome.
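The following Python sketch is an added illustration, not DCE code or part of the original guide; it models how the two guides above select audit actions for an event. The names Guide, Filter, and actions_for are hypothetical, and the sketch assumes that each event reports exactly one outcome, that a guide matches when that outcome is among its conditions and the event belongs to at least one of its event classes, and that the actions of all matching guides are combined.

```python
from dataclasses import dataclass

CONDITIONS = frozenset({"success", "failure", "denial"})
ACTIONS = frozenset({"alarm", "log"})


@dataclass(frozen=True)
class Guide:
    conditions: frozenset      # outcomes that trigger the guide
    actions: frozenset         # where the record is written
    event_classes: frozenset   # event classes the guide covers


def guide(conditions, actions, event_classes):
    """Build a Guide, rejecting conditions or actions the page does not define."""
    conditions, actions = frozenset(conditions), frozenset(actions)
    if not conditions or not conditions <= CONDITIONS:
        raise ValueError(f"bad audit conditions: {sorted(conditions)}")
    if not actions or not actions <= ACTIONS:
        raise ValueError(f"bad audit actions: {sorted(actions)}")
    return Guide(conditions, actions, frozenset(event_classes))


@dataclass(frozen=True)
class Filter:
    filter_type: str   # e.g. foreign_principal
    key: str           # the filter subject identity
    guides: tuple


def actions_for(flt, subject_type, subject_key, outcome, event_classes):
    """Return the audit actions the filter selects for one event (empty = no record)."""
    if outcome not in CONDITIONS:
        raise ValueError(f"unknown outcome: {outcome}")
    if (subject_type, subject_key) != (flt.filter_type, flt.key):
        return frozenset()     # the filter applies to a different subject
    selected = set()
    for g in flt.guides:
        if outcome in g.conditions and g.event_classes & frozenset(event_classes):
            selected |= g.actions
    return frozenset(selected)


# The filter from the example above, with its two guides.
PAGE_FILTER = Filter("foreign_principal", "/.../cell_x/foo", (
    guide({"denial"}, {"log"}, {"Confidential"}),
    guide({"denial"}, {"alarm", "log"}, {"Restricted"}),
))
```
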
124243 Tandem Computers Incorporated 42−7