Administrator's Guide

-t sp_freq   The minimum wakeup interval, in minutes, at which the system prints warning messages on the console for audit log file switch points. The default sp_freq value is 1 minute.
-w warning   The percentage of audit log file space used, or of minimum file system free space used, after which warning messages are sent to the console. The default warning value is 90%.
-X command   The command is executed each time audomon switches the audit trail.
For more information, see audomon(1M).
9.6 Using the Audit Filtering Tools
The audit filtering tools are a set of tools that help you define and enforce the audit data pre-filtering policy on the system. A good pre-filtering policy is an efficient way to control the size and quality of the raw audit data; it therefore minimizes the performance impact of auditing and reduces the operational cost of audit data management. The audit filtering tools consist of the following main components:

• A configuration tool, audfilter, that interprets the filtering policy specified in the configuration file, filter.conf, and puts the policy into effect. You can also use audfilter to display or clear the filtering policy that is currently in effect.

• A service daemon, audfilterd, that handles service requests from audfilter. It also tracks changes to the mounted file systems and makes sure the filtering policy is kept up to date with the new mounted file system information.

• A dynamically loadable kernel module, audit_filters, that makes filtering decisions and enforces the filtering policy in the kernel.
The following options are available with the audfilter command:
-c               Puts the current rule-based audit filtering policy, as specified in /etc/audit/filter.conf, into effect. Rules are parsed into an efficient internal format. Note that a given set of rules may be expressed in many different ways, but they are all parsed into the same internal format. A success or failure status is reported for the request.
-C compartment   Only displays the filtering rules for the specified compartment. This option must be specified with the -p or -P option.
-c system_call   Displays the selected system call.
-m mntpnt        Only displays the filtering rules for the specified mount point. This option must be specified with the -p or -P option.
-p               Displays the audit filtering policy currently in effect. The rules are not displayed the way they were written, but in the order in which they are evaluated (that is, in the internal format).
182 Audit Administration