dcecp_audfilter man page on HP-UX

audfilter(1m)							 audfilter(1m)

NAME
       audfilter - A dcecp object that manages the event filters on a DCE host

SYNOPSIS
       audfilter catalog

       audfilter create audit_filter_name_list -attribute guide_name_list

       audfilter delete audit_filter_name_list

       audfilter help [operation | -verbose]

       audfilter   modify   audit_filter_name_list   {[-add   guide_name_list]
       [-remove guide_name_list]}

       audfilter operations

       audfilter show audit_filter_name_list

ARGUMENTS
       audit_filter_name_list
              A list of one or more names of audit event filters. A filter
              name consists of a filter type and possibly a key, depending
              on the type.

              The audit filter types are as follows:

              Key
              The key is a principal_name.
              The key is a /.../cellname/principal_name.
              The key is a group_name.
              The key is a /.../cellname/group_name.
              The key is a cellname.
              The key is a cellname.
              This type has no key.
              This type has no key.

              Examples of audit filter names are principal admin, group dce,
              and world.

       operation
              The name of the audfilter operation for which to display help
              information.

DESCRIPTION
       The audfilter object represents audit event filters, which consist of a
       list of guides. Audit event filters are kept by the audit daemon and
       used to determine whether an auditable event should be logged. An
       audit filter name consists of a filter type and possibly a key
       (dependent on the type).

       This command operates on the audit daemon named by the _s(aud)
       convenience variable. If the variable is not set, the command operates
       on the audit daemon on the local host.

DATA STRUCTURES
       Several audfilter operations add and remove guide data that is stored
       in a filter. A guide specifies which action to take when a particular
       audit condition occurs. A single filter can contain multiple guides,
       each specifying various actions for different conditions. A guide is
       identified by a list of the three elements that make up the guide:
       audit conditions, audit actions, and event classes. Essentially, a
       guide specifies what (event classes) to audit, when (audit conditions),
       and how (audit actions). Note that event classes are definable by the
       administrator.

   Audit Conditions
       The possible audit conditions are as follows:

              Audits only if the event succeeded.
              Audits only if the event failed due to access denials.
              Audits only if the event failed due to other reasons.
              Outcome not yet determined.

   Audit Actions
       The possible audit actions are as follows:

              Sends the audit record to the system console.
              Logs the event and signals the alarm. If all is set, the show
              operation returns the action all, not {log alarm all}.
              Logs the audit record either in the audit trail file of the
              Audit daemon or in a user-specified audit trail file.
              Takes no audit action.

OPERATIONS
   audfilter catalog
       Returns a list of names of all filters in the audit daemon. The syntax
       is as follows:

       audfilter catalog

       The catalog operation returns a list of names of all filters maintained
       by the audit daemon. It takes no arguments. The names are a list of a
       type and, if necessary, a key. They are returned in an arbitrary
       order.

       Privileges Required

       No special permissions are needed to use the audfilter catalog command.

       Examples

       dcecp> audfilter catalog
       {principal melman}
       {foreign_principal /.../cell_X/kevins}
       {group dce}
       world
       dcecp>

   audfilter create
       Creates a new audit filter. The syntax is as follows:

       audfilter create audit_filter_name_list -attribute guide_name_list

       Options

       -attribute guide_name_list
              Specifies a list of one or more guides to be added to the
              specified audit event filters that are created. A guide name
              consists of three elements: an event class, an audit condition,
              and an audit action.

              See DATA STRUCTURES for more information about guide names.

       The create operation creates a new audit filter. The argument is a
       list of names of audit filters to be created. Since a filter that has
       no guides is removed by the audit daemon during a clean-up ("garbage
       collection") phase, this command requires an -attribute option whose
       value is a list of guides to be added to the specified audit filters on
       creation. All guides are added to all audit filters specified to be
       created. This operation returns an empty string on success.

       Privileges Required

       You must have w (write) permission on the audit daemon, and you must be
       authenticated.

       Examples

       dcecp> audfilter create {principal melman} -attribute {dce_sec_query denial log}
       dcecp>

   audfilter delete
       Deletes the filter, including all filter guides. The syntax is as
       follows:

       audfilter delete audit_filter_name_list

       The delete operation deletes the filter, including all filter guides.
       The argument is a list of names of audit filters to be deleted. This
       operation returns an empty string on success.

       Privileges Required

       You must have w (write) permission on the audit daemon, and you must be
       authenticated.

       Examples

       dcecp> audfilter delete {principal jones}
       dcecp>

   audfilter help
       Returns help information about the audfilter object and its operations.
       The syntax is as follows:

       audfilter help [operation | -verbose]

       Options

       -verbose
              Displays information about the audfilter object.

       Used without an argument or option, the audfilter help command returns
       brief information about each audfilter operation. The optional
       operation argument is the name of an operation about which you want
       detailed information. Alternatively, you can use the -verbose option
       for more detailed information about the audfilter object itself.

       Privileges Required

       No special privileges are needed to use the audfilter help command.

       Examples

       dcecp> audfilter help
       catalog             Returns the list of filters for an audit daemon.
       create              Creates a new filter with specified guides.
       delete              Deletes a filter and its associated guides.
       modify              Adds or removes one or more guides of a filter.
       show                Returns a list of guides in a specified filter.
       help                Prints a summary of command-line options.
       operations          Returns a list of the valid operations for this command.
       dcecp>

   audfilter modify
       Adds or removes one or more guides of a filter. The syntax is as
       follows:

       audfilter modify audit_filter_name_list {[-add guide_name_list]
       [-remove guide_name_list]}

       Options

       -add guide_name_list
              Specifies a list of one or more guides to be added to the
              specified audit event filters that are to be modified. A guide
              name consists of three elements: an audit condition, an audit
              action, and an event class.

              See DATA STRUCTURES for more information about guide names.

       -remove guide_name_list
              Specifies a list of one or more guides to be removed from the
              specified audit event filters that are to be modified. A guide
              name consists of three elements: an audit condition, an audit
              action, and an event class.

              See DATA STRUCTURES for more information about guide names.

       The modify operation adds or removes one or more guides of a filter.
       The argument is a list of names of audit filters to be modified. In
       addition, the specific operation to perform is described with one or
       more of the following options: -add and -remove. The argument to both
       options is a list of guides. If more than one guide is specified, all
       guides are operated on, but not atomically. If the last guide is
       removed from a filter, the filter is deleted at some point by the audit
       daemon.

       Atomicity of multiple actions is not guaranteed.

       Similarly, the effect of adding a guide that partially exists in the
       specified filter is to change the existing guides. These changes
       guarantee that the semantics of the removal/addition are maintained.
       This operation returns an empty string on success.

       Privileges Required

       You must have w (write) permission on the audit daemon, and you must be
       authenticated.

       Examples

       dcecp> audfilter modify {principal jones} \
              -add {dce_dts_mgt_modify failure alarm} \
              -remove {dce_dts_mgt_query all log}
       dcecp>

   audfilter operations
       Returns a list of the operations supported by the audfilter object.
       The syntax is as follows:

       audfilter operations

       The list of available operations is in alphabetical order except for
       help and operations, which are listed last.

       Privileges Required

       No special privileges are needed to use the audfilter operations
       command.

       Examples

       dcecp> audfilter operations
       catalog create delete modify show help operations
       dcecp>

   audfilter show
       Returns a list of guides in a specified filter. The syntax is as
       follows:

       audfilter show audit_filter_name_list

       The show operation returns a list of guides in a specified filter. The
       argument is a list of filter names (a filter type, and if needed, a
       key) to be shown. If more than one is entered, the output is
       concatenated and a blank line inserted between filters.

       Privileges Required

       You  must have r (read) permission on the audit daemon, and you must be
       authenticated.

       Examples

       dcecp> audfilter show {principal truitt}
       {dce_dts_mgt_modify failure alarm}
       {dce_dts_mgt_query all log}
       dcecp>
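
The following Python is an added example, not part of the manual page or of DCE: it parses captured audfilter show output for several filters into guides and lists the filters that have no guide logging a given condition to the audit trail. The capture is constructed, and the list-valued guide elements in its last block are an assumption based on the {log alarm all} form mentioned under Audit Actions.

```python
import re

def tcl_list(text):
    """Split one level of a Tcl list into bare words and {braced} groups."""
    items, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        j, depth = i, 0
        while j < len(text) and not (text[j].isspace() and depth == 0):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth != 0:
            raise ValueError("unbalanced braces in dcecp output")
        word = text[i:j]
        items.append(word[1:-1] if word[0] == "{" and word[-1] == "}" else word)
        i = j
    return items

def parse_show(names, output):
    """Map filter names to guides; blocks come in request order, blank-line separated."""
    blocks = re.split(r"\n[ \t]*\n", output.strip())
    if len(blocks) != len(names):
        raise ValueError("%d guide blocks for %d filters" % (len(blocks), len(names)))
    policy = {}
    for name, block in zip(names, blocks):
        policy[name] = []
        for guide in tcl_list(block):
            parts = [tcl_list(p) for p in tcl_list(guide)]
            if len(parts) != 3:
                raise ValueError("guide is not a 3-element list: %r" % guide)
            policy[name].append(tuple(parts))  # (classes, conditions, actions)
    return policy

def filters_not_logging(policy, condition):
    """Names of filters with no guide that logs `condition` to the audit trail."""
    def covers(guide):  # "all" is accepted in the condition and action positions
        return bool({condition, "all"} & set(guide[1]) and {"log", "all"} & set(guide[2]))
    return [n for n, guides in policy.items() if not any(covers(g) for g in guides)]

# Constructed capture; the list-valued elements in the last guide are an assumption.
NAMES = ["principal truitt", "principal jones", "group dce"]
SHOW_OUTPUT = """{dce_dts_mgt_modify failure alarm}
{dce_dts_mgt_query all log}

{dce_dts_mgt_modify failure alarm}

{dce_sec_query {denial failure} {log alarm}}"""
```

Because show prints no filter names, NAMES must be the same list, in the same order, that was passed to the command.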

RELATED INFORMATION
       Commands:  auditd(1m),  dcecp(1m),  dcecp_aud(1m), dcecp_audevents(1m),
       dcecp_audtrail(1m).

       Files: aud_audit_events(5), dts_audit_events(5), event_class(5),
       sec_audit_events(5).

								 audfilter(1m)