audit_dpms_filter.4 (2010 09)

audit_dpms_filter(4) audit_dpms_filter(4)
file.pathname = /var/adm/sulog
See also the Pattern Match section below.
keyword file.ftype
This type of condition specifies a file’s type. Only the audit events that operated on the files with the
given type will be considered for action.
Examples:
file.ftype = directory
file.ftype != charspecial
The accepted values are: regular, directory, charspecial, blockspecial, symlink,
pipe, networkspecial, and socket.
keyword file.owner or file.group
These conditions specify the file owner’s user name or group name. Only the events that operated
on the files owned by the given user or group will be considered for action.
Examples:
file.owner = root
file.group != bin
keyword open.oflag
This condition specifies how a file has been opened. The accepted values are:
read-only     file is opened only with the O_RDONLY flag
write-only    file is opened with the O_WRONLY flag
read          file is opened with the O_RDONLY or O_RDWR flag
write         file is opened with the O_WRONLY or O_RDWR flag
read-write    file is opened with the O_RDWR flag
create        file is opened with the O_CREAT flag
truncate      file is opened with the O_TRUNC flag
Examples:
open.oflag != read-only
open.oflag = create
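The overlap between the open.oflag values above, as an added C example (not part of the HP-UX manual page or of the audit filter's own code). The helper names oflag_has and oflag_cond are hypothetical, and the example assumes that the "only" in read-only refers to the access mode bits selected by O_ACCMODE.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if oflag satisfies the open.oflag value `kw`, 0 if not,
 * -1 if kw is not one of the values listed on this page. */
int oflag_has(int oflag, const char *kw)
{
    int acc = oflag & O_ACCMODE;   /* O_RDONLY, O_WRONLY or O_RDWR */

    /* Assumption: "only with O_RDONLY" refers to the access mode. */
    if (!strcmp(kw, "read-only"))  return acc == O_RDONLY;
    if (!strcmp(kw, "write-only")) return acc == O_WRONLY;
    if (!strcmp(kw, "read"))       return acc == O_RDONLY || acc == O_RDWR;
    if (!strcmp(kw, "write"))      return acc == O_WRONLY || acc == O_RDWR;
    if (!strcmp(kw, "read-write")) return acc == O_RDWR;
    if (!strcmp(kw, "create"))     return (oflag & O_CREAT) != 0;
    if (!strcmp(kw, "truncate"))   return (oflag & O_TRUNC) != 0;
    return -1;
}

/* Evaluates one condition; negate = 1 models "!=", 0 models "=". */
int oflag_cond(int oflag, int negate, const char *kw)
{
    int m = oflag_has(oflag, kw);
    if (m < 0) return -1;
    return negate ? !m : m;
}

int main(void)
{
    /* Constructed sample opens, not taken from a real audit trail. */
    struct { const char *desc; int oflag; } s[] = {
        { "O_RDONLY",                 O_RDONLY },
        { "O_WRONLY|O_CREAT|O_TRUNC", O_WRONLY | O_CREAT | O_TRUNC },
        { "O_RDWR",                   O_RDWR },
        { "O_RDWR|O_CREAT",           O_RDWR | O_CREAT },
    };
    const char *kws[] = { "read-only", "write-only", "read", "write",
                          "read-write", "create", "truncate" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        printf("%-26s matches:", s[i].desc);
        for (size_t k = 0; k < sizeof kws / sizeof kws[0]; k++)
            if (oflag_has(s[i].oflag, kws[k]) == 1) printf(" %s", kws[k]);
        printf("\n");
    }
    return 0;
}
```

An O_RDWR open matches read, write and read-write at once, so open.oflag != read-only selects every open that could modify the file, while open.oflag = write-only would miss O_RDWR opens.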
keyword source_ip or host_ip
These conditions specify an Internet address, either IPv4 or IPv6, optionally with a netmask.
The source Internet address is the address from which the user logged in; the host Internet
address is the address of the system where the event occurred. Only the events
whose source or host Internet address matches the given value will be considered for action.
Examples:
To specify the events of the users who logged in from 1.2.3.4, use:
source_ip = 1.2.3.4
To specify the events that occurred on all the systems on the subnet 1.2.3.0, use:
host_ip = 1.2.3.4/8
To specify the events that occurred on 080::800:200C:417A, use:
host_ip = 080::800:200C:417A
keyword source or hostname
These conditions have the same effect as the condition type above, except that they take a hostname
instead of an Internet address.
Examples:
source = example1.com
hostname = example2.com
See also the Pattern Match section below.
keyword selfaud_text
This condition specifies a text or text pattern. Only the self-auditing events whose self-auditing text
matches the given value will be considered for action.
4 Hewlett-Packard Company 4 HP-UX 11i Version 3: September 2010