Administrator's Guide

-P          Displays the audit filtering policy in preview mode, as specified
            in the /etc/audit/filter.conf file. This option parses the
            /etc/audit/filter.conf file, checking for syntax and semantic
            errors, but makes no changes to the system. The rules are
            displayed not as they are written, but in the order in which
            they will be evaluated (that is, in the internal format).

-s syscall  Restricts the display to the given system call. This option must
            be used with the -p or -P option.

-z          Clears the audit filtering policy currently in effect. Upon
            success, it effectively disables the finer-grained audit
            filtering feature.

For more information, see audfilter(1M).

9.7 Using filter.conf
The filter.conf file contains the rule-based audit filtering policy that the auditing
subsystem uses to determine which activities to audit on the system. Each rule consists
of two parts: a scope and a condition. All rules together represent a policy.
A scope is an identifier for a mounted file system (also called a partition) for file
operations, or an identifier for non-file operations. The scope can take any of the
following forms:
a. The absolute pathname of a mount point that matches one of those in the
/etc/mnttab file.
b. A pair of major and minor device numbers.
c. A special file name, or a pair consisting of a hostname and the pathname of the
directory on the remote host.
d. Scope in the form of a), b), or c), followed by the keyword all.
e. Scope in the form of a), b), or c), followed by the keyword other.
f. Scope in the form of the keyword other-objects.
See filter.conf(4) for more information.
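
As an added example (not from the HP-UX documentation), the following shell helper finds the mount point that would be the form a) scope for a given pathname, using longest-prefix matching against a file in /etc/mnttab layout. The sample table is constructed, the function names are hypothetical, and it assumes the second whitespace-separated field of each entry is the mount directory.

```shell
#!/bin/sh
# Added example: choose the form a) scope (a mount point) for a pathname.

# Constructed sample in mnttab layout (assumed: field 2 is the mount directory).
sample_mnttab() {
cat <<'EOF'
/dev/vg00/lvol3 / vxfs log 0 1 1700000000
/dev/vg00/lvol8 /var vxfs delaylog 0 0 1700000001
/dev/vg01/lvol1 /var/adm/audit vxfs delaylog 0 0 1700000002
/dev/vg00/lvol5 /home vxfs delaylog 0 0 1700000003
EOF
}

# is_mount_point PATH FILE: succeed only if PATH is exactly a mount directory.
# A directory inside a file system (for example /var/adm) is not a valid scope.
is_mount_point() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "$2"
}

# scope_for_path PATH FILE: print the longest mount directory containing PATH.
# Matching is on whole path components, so /homework is not under /home.
scope_for_path() {
    awk -v p="$1" '
        {
            m = $2
            pre = (m == "/") ? "/" : m "/"
            if ((p == m || index(p, pre) == 1) && length(m) > length(best))
                best = m
        }
        END { if (best == "") exit 1; print best }
    ' "$2"
}

# Demo on the constructed sample; on a real system pass /etc/mnttab instead.
tmp=${TMPDIR:-/tmp}/mnttab.sample.$$
sample_mnttab > "$tmp"
for p in /var/adm/audit/trail1 /var/adm/syslog /homework/notes; do
    printf '%s -> scope %s\n' "$p" "$(scope_for_path "$p" "$tmp")"
done
rm -f "$tmp"
```

After choosing scopes this way, audfilter -P can be used to check the resulting filter.conf for syntax and semantic errors without changing the system.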
9.8 Using the Audit Reporting Tools
The audit reporting tools are a set of tools that facilitate the processing of previously
collected HP-UX raw audit data and extract useful information for compliance reporting
purposes. The audit reporting tools consist of the following main components:

• An audit data processing tool, auditdp, that selectively extracts audit data from
  a data source in one of several possible formats and writes the data to the target,
  in the same or a different format.
• An Audit Data Process Module Switch (Audit DPMS) framework that offers the ability
  to selectively access audit data in various formats through a set of common
  programming interfaces.