 audfilter(1m)            Open Software Foundation             audfilter(1m)




 NAME
      audfilter - A dcecp object that manages the event filters on a DCE
      host

 SYNOPSIS
      audfilter catalog

      audfilter create audit_filter_name_list -attribute guide_name_list

      audfilter delete audit_filter_name_list

      audfilter help [operation | -verbose]

      audfilter modify audit_filter_name_list
      {[-add guide_name_list]
      [-remove guide_name_list]}

      audfilter operations

      audfilter show audit_filter_name_list


 ARGUMENTS
      audit_filter_name_list
                A list of one or more names of audit event filters.  A
                filter name consists of a filter type and possibly a key,
                depending on the type.

                The audit filter types are as follows:


                Type         Key

                principal    The key is a principal_name.

                foreign_principal
                             The key is a /.../cellname/principal_name.

                group        The key is a group_name.

                foreign_group
                             The key is a /.../cellname/group_name.

                cell         The key is a cellname.

                cell_overridable
                             The key is a cellname.

                world        This type has no key.

                world_overridable
                             This type has no key.



 Hewlett-Packard Company            - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96






                Examples of audit filter names are principal admin, group
                dce, and world.

      operation The name of the audfilter operation for which to display
                help information.


 DESCRIPTION
      The audfilter object represents audit event filters, which consist of
      a list of guides.  Audit event filters are kept by the audit daemon
      and used to determine whether an auditable event should be logged.  An
      audit filter name consists of a filter type and possibly a key
      (dependent on the type).

      This command operates on the audit daemon named by the _s(aud)
      convenience variable. If the variable is not set, the command operates
      on the audit daemon on the local host.

 DATA STRUCTURES
      Several audfilter operations add and remove guide data that is stored
      in a filter.  A guide specifies which action to take when a particular
      audit condition occurs.  A single filter can contain multiple guides,
      each specifying various actions for different conditions.  A guide is
      identified by a list of the three elements that make up the guide:
      audit conditions, audit actions, and event classes.  Essentially, a
      guide specifies what (event classes) to audit, when (audit
      conditions), and how (audit actions). Note that event classes are
      definable by the administrator.

    Audit Conditions
      The possible audit conditions are as follows:


      success   Audits only if the event succeeded.

      denial    Audits only if the event failed due to access denials.

      failure   Audits only if the event failed due to other reasons.

      pending   Outcome not yet determined.


    Audit Actions
      The possible audit actions are as follows:


      alarm     Sends the audit record to the system console.

      all       Logs the event and signals the alarm.  If all is set, the
                show operation returns the action all, not {log alarm all}.




      log       Logs the audit record either in the audit trail file of the
                Audit daemon or in a user-specified audit trail file.

      none      Takes no audit action.


 OPERATIONS
    audfilter catalog
      Returns a list of names of all filters in the audit daemon. The syntax
      is as follows:

      audfilter catalog


      The catalog operation returns a list of names of all filters
      maintained by the audit daemon. It takes no arguments.  The names are
      a list of a type and, if necessary, a key.  They are returned in an
      arbitrary order.

      Privileges Required

      No special permissions are needed to use the audfilter catalog
      command.

      Examples

      dcecp> audfilter catalog
      {principal melman}
      {foreign_principal /.../cell_X/kevins}
      {group dce}
      world
      dcecp>


    audfilter create
      Creates a new audit filter.  The syntax is as follows:

      audfilter create audit_filter_name_list -attribute guide_name_list


      Options


      -attribute guide_name_list
                Specifies a list of one or more guides to be added to the
                specified audit event filters that are created.  A guide
                name consists of three elements: an event class, an audit
                condition, and an audit action.

                See DATA STRUCTURES for more information about guide names.




      The create operation creates a new audit filter.  The argument is a
      list of names of audit filters to be created.  Since a filter that has
      no guides is removed by the audit daemon during a clean-up ("garbage
      collection") phase, this command requires an -attribute option whose
      value is a list of guides to be added to the specified audit filters
      on creation.  All guides are added to all audit filters specified to
      be created.  This operation returns an empty string on success.

      Privileges Required

      You must have w (write) permission on the audit daemon, and you must
      be authenticated.

      Examples

      dcecp> audfilter create {principal melman} -attribute {dce_sec_query denial log}
      dcecp>


    audfilter delete
      Deletes the filter including all filter guides.  The syntax is as
      follows:

      audfilter delete audit_filter_name_list


      The delete operation deletes the filter, including all filter guides.
      The argument is a list of names of audit filters to be deleted.  This
      operation returns an empty string on success.

      Privileges Required

      You must have w (write) permission on the audit daemon, and you must
      be authenticated.

      Examples

      dcecp> audfilter delete {principal jones}
      dcecp>


    audfilter help
      Returns help information about the audfilter object and its
      operations.  The syntax is as follows:

      audfilter help [operation | -verbose]


      Options





      -verbose  Displays information about the audfilter object.


      Used without an argument or option, the audfilter help command returns
      brief information about each audfilter operation. The optional
      operation argument is the name of an operation about which you want
      detailed information. Alternatively, you can use the -verbose option
      for more detailed information about the audfilter object itself.

      Privileges Required

      No special privileges are needed to use the audfilter help command.

      Examples

      dcecp> audfilter help
      catalog             Returns the list of filters for an audit daemon.
      create              Creates a new filter with specified guides.
      delete              Deletes a filter and its associated guides.
      modify              Adds or removes one or more guides of a filter.
      show                Returns a list of guides in a specified filter.
      help                Prints a summary of command-line options.
      operations          Returns a list of the valid operations for this command.
      dcecp>


    audfilter modify
      Adds or removes one or more guides of a filter.  The syntax is as
      follows:

      audfilter modify audit_filter_name_list
      {[-add guide_name_list]
      [-remove guide_name_list]}

      Options


      -add guide_name_list
                Specifies a list of one or more guides to be added to the
                specified audit event filters that are to be modified.  A
                guide name consists of three elements: an audit condition,
                an audit action, and an event class.

                See DATA STRUCTURES for more information about guide names.

      -remove guide_name_list
                Specifies a list of one or more guides to be removed from
                the specified audit event filters that are to be modified.
                A guide name consists of three elements: an audit condition,
                an audit action, and an event class.




                See DATA STRUCTURES for more information about guide names.


      The modify operation adds or removes one or more guides of a filter.
      The argument is a list of names of audit filters to be modified.  In
      addition, the specific operation to perform is described with one or
      more of the following options: -add and -remove.  The argument to both
      options is a list of guides.  If more than one guide is specified, all
      guides are operated on, but not atomically.  If the last guide is
      removed from a filter, the filter is deleted at some point by the
      audit daemon.

      Atomicity of multiple actions is not guaranteed.

      Similarly, the effect of adding a guide that partially exists in the
      specified filter is to change the existing guides.  These changes
      guarantee that the semantics of the removal/addition are maintained.
      This operation returns an empty string on success.

      Privileges Required

      You must have w (write) permission on the audit daemon, and you must
      be authenticated.

      Examples

      dcecp> audfilter modify {principal jones} \
             -add {dce_dts_mgt_modify failure alarm} \
             -remove {dce_dts_mgt_query all log}
      dcecp>


    audfilter operations
      Returns a list of the operations supported by the audfilter object.
      The syntax is as follows:

      audfilter operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the audfilter operations
      command.

      Examples

      dcecp> audfilter operations
      catalog create delete modify show help operations
      dcecp>


    audfilter show
      Returns a list of guides in a specified filter.  The syntax is as
      follows:

      audfilter show audit_filter_name_list


      The show operation returns a list of guides in a specified filter.
      The argument is a list of filter names (a filter type, and if needed,
      a key) to be shown.  If more than one is entered, the output is
      concatenated and a blank line inserted between filters.

      Privileges Required

      You must have r (read) permission on the audit daemon, and you must be
      authenticated.

      Examples

      dcecp> audfilter show {principal truitt}
      {dce_dts_mgt_modify failure alarm}
      {dce_dts_mgt_query all log}
      dcecp>
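
      Added example (not part of this man page or of DCE): because a
      filter that loses its last guide is deleted by the audit daemon and
      a multi-guide modify is not atomic, comparing saved audfilter show
      output taken at two times reveals lost audit coverage.  The helper
      names, the snapshot layout and the sample data are constructed for
      illustration; guides are assumed to be flat lists as in the examples
      above.

```python
import re

# Added illustration: helper names and the snapshot format are assumptions.
# Filter types from the ARGUMENTS table, mapped to how many key words each takes.
FILTER_TYPES = {"principal": 1, "foreign_principal": 1, "group": 1, "foreign_group": 1,
                "cell": 1, "cell_overridable": 1, "world": 0, "world_overridable": 0}

def parse_filter_name(name):
    """Validate 'type [key]' against the ARGUMENTS table; return (type, key)."""
    kind, *key = name.split()
    if kind not in FILTER_TYPES or len(key) != FILTER_TYPES[kind]:
        raise ValueError(f"bad audit filter name: {name!r}")
    return kind, (key[0] if key else None)

def parse_guides(show_output):
    """Parse flat guides such as {dce_sec_query denial log} into a set of triples."""
    guides = {tuple(body.split()) for body in re.findall(r"\{([^{}]*)\}", show_output)}
    bad = [g for g in guides if len(g) != 3]
    if bad:
        raise ValueError(f"guide needs three elements: {bad}")
    return guides  # (event class, condition, action), the order in this page's examples

def diff_snapshots(before, after):
    """Compare {filter name: `audfilter show` output} snapshots taken at two times."""
    report = {"missing_filters": [], "removed_guides": {}, "added_guides": {}}
    for name in sorted(before):
        parse_filter_name(name)
        if name not in after:
            # Deleted outright, or its last guide was removed and auditd collected it.
            report["missing_filters"].append(name)
            continue
        old, new = parse_guides(before[name]), parse_guides(after[name])
        if old - new:
            report["removed_guides"][name] = sorted(old - new)
        if new - old:
            report["added_guides"][name] = sorted(new - old)
    return report

# Constructed snapshots, shaped like the `audfilter show` output on this page.
BEFORE = {"principal jones": "{dce_dts_mgt_query all log}\n{dce_sec_query denial log}",
          "principal melman": "{dce_sec_query denial log}",
          "world": "{dce_dts_mgt_modify failure alarm}"}
AFTER = {"principal jones": "{dce_dts_mgt_modify failure alarm}\n{dce_sec_query denial log}",
         "world": "{dce_dts_mgt_modify failure alarm}"}

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

      Filters that exist only in the later snapshot are not reported; the
      comparison is aimed at coverage that went away.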


 RELATED INFORMATION
      Commands: auditd(1m), dcecp(1m),  dcecp_aud(1m),  dcecp_audevents(1m),
      dcecp_audtrail(1m).

      Files:   aud_audit_events(5),   dts_audit_events(5),   event_class(5),
      sec_audit_events(5).

