audit_dpms_filter.4 (2010 09)

audit_dpms_filter(4) audit_dpms_filter(4)
([a_time].[a_period].[a_time])
where:
a_time is in the form mmddHHMM[yyyy] (month, day, hour, minute, year) in local time (if
year is not specified, the current year will be used); and,
a_period is a number followed by y, m, d, H, or M (year, month, day, hour, minute) as the unit.
The first a_time specifies a start time and the second a_time specifies an end time. If the start time
is omitted, the start time will be calculated backwards based on the given end time, or based on the
current local time if the end time is also omitted. If the end time is omitted, the end time will be
calculated based on the given start time, or the current local time will be used if the start time is
also omitted. If both the start time and end time are specified, a_period will be ignored.
Examples:
To specify events between Aug 27 13:44 to 14:00, use:
timestamp = (08271344..08271400)
To specify events since Aug 27 13:44, use:
timestamp = (082713442008..)
To specify events before Aug 27 14:00, use:
timestamp = (..08271400)
To specify events in the first five minutes after Aug 27 13:44 2008, use:
timestamp = (082713442008.5M.)
To specify events in the last five minutes before Aug 27 14:00 2008, use:
timestamp = (.5M.082714002008)
To specify events that happened in the last 3 days, use:
timestamp = (.3d.)
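The six examples above exercise every combination of the [a_time].[a_period].[a_time] form. The following Python parser, added here as an illustration and not part of the HP-UX audit tools, resolves a timestamp condition to a concrete (start, end) window using the rules stated in the text: a year defaults to the current year, a_period is ignored when both bounds are given, and a missing bound is derived from the other bound plus a_period, or from the current local time. Two points are assumptions of this example rather than statements on the page: a missing bound with no a_period at all is treated as open (reported as None for the start, and as the current time for the end, which is what the "since" and "before" examples imply), and month and year arithmetic clamps the day to the length of the target month. The now argument is passed in explicitly so the examples are reproducible offline.

```python
import calendar
import re
from datetime import datetime, timedelta

# a_time: mmddHHMM with an optional four-digit year, as defined on this page
A_TIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{4})?$")
# a_period: a count followed by exactly one unit letter y, m, d, H or M
A_PERIOD_RE = re.compile(r"^(\d+)([ymdHM])$")
FMT = "%Y-%m-%d %H:%M"


def parse_a_time(text, now):
    """Turn mmddHHMM[yyyy] into a datetime; the year defaults to now.year."""
    m = A_TIME_RE.match(text)
    if not m:
        raise ValueError("bad a_time: %r" % text)
    month, day, hour, minute, year = m.groups()
    return datetime(int(year) if year else now.year,
                    int(month), int(day), int(hour), int(minute))


def parse_a_period(text):
    """Return (count, unit) for an a_period such as '5M' or '3d'."""
    m = A_PERIOD_RE.match(text)
    if not m:
        raise ValueError("bad a_period: %r" % text)
    return int(m.group(1)), m.group(2)


def add_months(t, n):
    """Calendar-aware month arithmetic; the day is clamped to the month length
    (assumption of this example, e.g. Jan 31 + 1m -> Feb 29 in a leap year)."""
    total = t.year * 12 + (t.month - 1) + n
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))


def shift(t, period, direction):
    """Move t forward (direction=+1) or backward (direction=-1) by an a_period."""
    count, unit = period
    count *= direction
    if unit == "M":
        return t + timedelta(minutes=count)
    if unit == "H":
        return t + timedelta(hours=count)
    if unit == "d":
        return t + timedelta(days=count)
    if unit == "m":
        return add_months(t, count)
    return add_months(t, 12 * count)  # unit "y"


def resolve_window(spec, now=None):
    """Resolve a timestamp condition to (start, end); None means unbounded.

    Accepts either the bare "(...)" value or a whole "timestamp = (...)" line.
    """
    now = now or datetime.now()
    value = spec.split("=", 1)[1] if "=" in spec else spec
    value = value.strip()
    if not (value.startswith("(") and value.endswith(")")):
        raise ValueError("timestamp value must be parenthesised: %r" % spec)
    parts = value[1:-1].split(".")
    if len(parts) != 3:
        raise ValueError("expected [a_time].[a_period].[a_time]: %r" % spec)
    start_s, period_s, end_s = parts
    start = parse_a_time(start_s, now) if start_s else None
    end = parse_a_time(end_s, now) if end_s else None
    period = parse_a_period(period_s) if period_s else None

    if start is not None and end is not None:
        return start, end  # both bounds given: a_period is ignored
    if start is None and end is None:
        # (.period.) : window ending now; with no period it is just "up to now"
        return (shift(now, period, -1) if period else None), now
    if end is None:
        # start given: end is start + period, or now when no period ("since")
        return start, (shift(start, period, +1) if period else now)
    # end given only: start is end - period, or open when no period ("before")
    return (shift(end, period, -1) if period else None), end


def describe(spec, now_text):
    """Resolve spec against a fixed 'now' and return the window as strings."""
    start, end = resolve_window(spec, datetime.strptime(now_text, FMT))
    fmt = lambda t: t.strftime(FMT) if t is not None else None
    return fmt(start), fmt(end)


def in_window(event_text, spec, now_text):
    """True if an event time (FMT string) falls inside the resolved window."""
    event = datetime.strptime(event_text, FMT)
    start, end = resolve_window(spec, datetime.strptime(now_text, FMT))
    return (start is None or start <= event) and (end is None or event <= end)


if __name__ == "__main__":
    # Constructed "current time" so the page's examples resolve reproducibly.
    NOW = "2010-09-15 12:00"
    for line in ["timestamp = (08271344..08271400)", "(082713442008..)",
                 "(..08271400)", "(082713442008.5M.)",
                 "(.5M.082714002008)", "(.3d.)"]:
        print("%-34s -> %s" % (line, describe(line, NOW)))
```

Running the block prints each of the page's examples beside the window it denotes; note that with the first example the year is taken from the supplied current time, as the text specifies. The in_window helper is the check an event-processing rule would apply once the window is known.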
keyword syscall, event or profile
These conditions specify a system call (or alias), an event (or alias), or a profile name. Valid names
for these conditions are defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf.
Examples:
To specify open() system call events, use:
syscall = open
To specify all system calls or self-auditing events classified as event admin, use:
event = admin
To specify all events defined in profile basic, use:
profile = basic
keyword uid, gid, euid or egid
These conditions specify a user ID or group ID. Only those events whose real user ID, real group
ID, effective user ID or effective group ID matches the value will be considered for action.
Examples:
uid=0
euid = 0
gid=20
egid != 5
keyword user, group, effective_user, or effective_group
These conditions have the same effect as the condition types above, except that they take user or
group name instead of user or group ID.
Examples:
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010