audit_dpms_filter.4 (2010 09)

audit_dpms_filter(4) audit_dpms_filter(4)
Although exact string matches are supported, it is very rare to use exact string matches for self-
auditing text. It is more typical to use pattern matches for this type of condition. See the Pattern
Match section below.
Pattern Match
All condition types accept = (is equal to) and != (is not equal to) as the operator.
Condition types with the following keywords also accept the pattern match operators =~ (matches) and !~ (does not match): cmpt, command, effective_user, effective_group, file.pathname, file.owner, file.group, user, group, hostname, source, and selfaud_text.
Note: A pattern match succeeds when the pattern matches anywhere within the string (the string only has to contain the pattern, unless the pattern is anchored with ^ or $), while = requires the whole string to match exactly.
A pattern is an Extended Regular Expression (ERE) surrounded by a pair of slashes (/). More information about ERE can be found in the regexp(5) manpage. Note that all characters in the pattern string are case sensitive.
Examples:
file.pathname =~ /passwd/
selfaud_text =~ /^login/
selfaud_text =~ /passwd/
selfaud_text =~ /^ACCESS CONTROL CHECK:/
source =~ /domain.com/
EXAMPLES
The following example selects all activities of user "joe" except those between August 27th 17:00 and 17:30, and all activities of users "fred" and "mary" between August 27th 18:00 and 18:30. The two [filter] blocks are independent selections; a record is selected if either block selects it.
[filter]
include login_user=joe
exclude timestamp=(08271700..08271730)
[filter]
include login_user=fred || login_user=mary
include timestamp=(08271800..08271830)
The next example selects all failed login attempts in the last month, excluding records whose command is su. The + and - prefixes are the short forms of include and exclude.
[filter]
+timestamp=(.1m.);
+event=login;
+return=fail;
+selfaud_text=~/^login/;
-command=su;
The next example selects all attempts to access the password file, and all attempts to change a password, since the start of August 27th 2008.
[filter]
include timestamp=(082700002008..)
include file.pathname=~/passwd/
[filter]
include timestamp=(08270000..)
include event=admin
include command=passwd
include selfaud_text=~/passwd/
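The operator semantics described in the Pattern Match section (exact, case-sensitive = and != versus an unanchored, case-sensitive ERE for =~ and !~) and the block structure of the examples above can be checked against sample records with the small evaluator below. It is an added example written for this page, not part of the manpage or of HP-UX's audit tooling. The sample records, the use of condition keywords as dict keys, and the assumption that all lines within a [filter] block must hold while separate blocks are OR'ed are illustrative; Python's re module stands in for the ERE engine, and the timestamp range syntax is not implemented.

```python
import re

# Constructed sample audit records (illustrative, not real HP-UX audit output).
# Each maps condition keywords from the manpage to the value a record would carry.
SAMPLE_RECORDS = [
    {"login_user": "joe", "event": "login", "return": "fail", "command": "login",
     "selfaud_text": "login: failed login for joe", "file.pathname": ""},
    {"login_user": "fred", "event": "login", "return": "fail", "command": "su",
     "selfaud_text": "login: su to root failed for fred", "file.pathname": ""},
    {"login_user": "mary", "event": "admin", "return": "pass", "command": "passwd",
     "selfaud_text": "passwd: password changed for mary", "file.pathname": "/etc/passwd"},
    {"login_user": "joe", "event": "admin", "return": "pass", "command": "vi",
     "selfaud_text": "ACCESS CONTROL CHECK: /etc/shadow", "file.pathname": "/etc/shadow"},
]

# Keywords the manpage lists as accepting =~ and !~.
PATTERN_KEYWORDS = {
    "cmpt", "command", "effective_user", "effective_group", "file.pathname",
    "file.owner", "file.group", "user", "group", "hostname", "source", "selfaud_text",
}

# keyword, operator (two-character operators first so =~ is not read as =), value
COND_RE = re.compile(r"^(?P<key>[\w.]+)\s*(?P<op>=~|!~|!=|=)\s*(?P<val>.+)$")


def eval_condition(cond, record):
    """Evaluate one 'keyword OP value' condition against a record (dict)."""
    m = COND_RE.match(cond.strip())
    if not m:
        raise ValueError("unparseable condition: %r" % cond)
    key, op, val = m.group("key"), m.group("op"), m.group("val").strip()
    actual = record.get(key, "")
    if op in ("=~", "!~"):
        if key not in PATTERN_KEYWORDS:
            raise ValueError("%s does not accept pattern match operators" % key)
        if len(val) < 2 or not (val.startswith("/") and val.endswith("/")):
            raise ValueError("pattern must be an ERE between slashes: %r" % val)
        # re.search (standing in for ERE): the pattern only has to match somewhere in
        # the string, case sensitively; anchor with ^ or $ to constrain where.
        hit = re.search(val[1:-1], actual) is not None
        return hit if op == "=~" else not hit
    # = and != compare the whole string exactly (also case sensitive).
    hit = actual == val
    return hit if op == "=" else not hit


def parse_filter(text):
    """Parse [filter] blocks into lists of (kind, alternatives).

    Accepts the long form include/exclude and the short form +/-, an optional
    trailing ';', and '||' between alternatives on one line, as in the manpage.
    """
    blocks = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        if line == "[filter]":
            blocks.append([])
            continue
        if not blocks:
            raise ValueError("condition outside a [filter] block: %r" % line)
        for prefix, kind in (("+", "include"), ("-", "exclude"),
                             ("include ", "include"), ("exclude ", "exclude")):
            if line.startswith(prefix):
                rest = line[len(prefix):]
                break
        else:
            raise ValueError("expected include/exclude or +/-: %r" % line)
        blocks[-1].append((kind, [alt.strip() for alt in rest.split("||")]))
    return blocks


def block_selects(block, record):
    """Assumed block semantics (consistent with the manpage examples): every include
    line must hold (any one of its || alternatives) and no exclude line may hold."""
    for kind, alts in block:
        hit = any(eval_condition(c, record) for c in alts)
        if (kind == "include" and not hit) or (kind == "exclude" and hit):
            return False
    return True


def select(filter_text, records):
    """Records selected by any [filter] block (blocks are assumed to be OR'ed)."""
    blocks = parse_filter(filter_text)
    return [r for r in records if any(block_selects(b, r) for b in blocks)]


# The manpage's failed-login example without its timestamp condition.
FAILED_LOGINS = """
[filter]
+event=login;
+return=fail;
+selfaud_text=~/^login/;
-command=su;
"""

# The manpage's password-file example without its timestamp conditions.
PASSWD_ACCESS = """
[filter]
include file.pathname=~/passwd/
[filter]
include event=admin
include command=passwd
include selfaud_text=~/passwd/
"""

if __name__ == "__main__":
    for name, flt in (("failed logins", FAILED_LOGINS), ("passwd access", PASSWD_ACCESS)):
        print(name, [r["login_user"] for r in select(flt, SAMPLE_RECORDS)])
```

Running the two filters over the sample records selects only joe's failed login (fred's is dropped by the -command=su line) and only mary's passwd record (matched by both blocks). The same helper also shows the distinction the note above makes: command=~/log/ is true for a command of login while command=log is false, and an uppercase pattern does not match lowercase text.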
HP-UX 11i Version 3: September 2010    5    Hewlett-Packard Company