
audfilter(8dce)  —  Maintenance

NAME

audfilter — A dcecp object that manages the event filters on a DCE host

SYNOPSIS

audfilter catalog

audfilter create audit_filter_name_list attribute guide_name_list

audfilter delete audit_filter_name_list

audfilter help [operation | verbose]

audfilter modify audit_filter_name_list [add guide_name_list] [remove guide_name_list]

audfilter operations

audfilter show audit_filter_name_list

Arguments

audit_filter_name_list
A list of one or more names of audit event filters. A filter name consists of a filter type and, depending on the type, a key.

The audit filter types are as follows:

Type                Key

principal           The key is a principal_name.

foreign_principal   The key is a /.../cellname/principal_name.

group               The key is a group_name.

foreign_group       The key is a /.../cellname/group_name.

cell                The key is a cellname.

cell_overridable    The key is a cellname.

world               This type has no key.

world_overridable   This type has no key.

Examples of audit filter names are principal admin, group dce, and world.

operation
The name of the audfilter operation for which to display help information.

Description

The audfilter object represents audit event filters, each of which consists of a list of guides. Audit event filters are kept by the audit daemon and used to determine whether an auditable event should be logged. An audit filter name consists of a filter type and, depending on the type, a key.

This command operates on the audit daemon named by the _s(aud) convenience variable. If the variable is not set, the command operates on the audit daemon on the local host.

Data Structures

Several audfilter operations add and remove guide data that is stored in a filter. A guide specifies which action to take when a particular audit condition occurs. A single filter can contain multiple guides, each specifying a different action for a different condition. A guide is identified by a list of the three elements that make up the guide: an event class, an audit condition, and an audit action. Essentially, a guide specifies what (event class) to audit, when (audit condition), and how (audit action). Note that event classes are definable by the administrator.

Audit Conditions

The possible audit conditions are as follows:

success     Audits only if the event succeeded.

denial      Audits only if the event failed due to access denial.

failure     Audits only if the event failed for other reasons.

pending     Outcome not yet determined.

Audit Actions

The possible audit actions are as follows:

alarm       Sends the audit record to the system console.

all         Logs the event and signals the alarm. If all is set, the show operation returns the action all, not {log alarm all}.

log         Logs the audit record either in the audit trail file of the audit daemon or in a user-specified audit trail file.

none        Takes no audit action.

Errors

A representative list of errors that might be returned is not shown here. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.

Operations

audfilter catalog

Returns a list of names of all filters in the audit daemon.  The syntax is as follows:

audfilter catalog

The catalog operation returns a list of names of all filters maintained by the audit daemon. It takes no arguments. Each name is a list of a type and, if the type requires one, a key. The names are returned in an arbitrary order.

Privileges Required

No special permissions are required to use the catalog operation.

Examples

dcecp> audfilter catalog
{principal melman}
{foreign_principal /.../cell_X/kevins}
{group dce}
world
dcecp>

audfilter create

Creates a new audit filter.  The syntax is as follows:

audfilter create audit_filter_name_list attribute guide_name_list

Options

attribute guide_name_list
Specifies a list of one or more guides to be added to the specified audit event filters when they are created. A guide name consists of three elements: an event class, an audit condition, and an audit action.

See Data Structures for more information about guide names. 

The create operation creates a new audit filter. The argument is a list of names of audit filters to be created. Because a filter that has no guides is removed by the audit daemon during a clean-up (garbage collection) phase, this command requires an attribute option whose value is a list of guides to be added to the specified audit filters on creation. All guides are added to all audit filters specified to be created. The operation returns an empty string on success.

Privileges Required

You must have w (write) permission on the audit daemon, and you must be authenticated. 

Examples

dcecp> audfilter create {principal melman} -attribute {dce_sec_query denial log}
dcecp>

audfilter delete

Deletes the filter including all filter guides.  The syntax is as follows:

audfilter delete audit_filter_name_list

The delete operation deletes the filter, including all of its guides. The argument is a list of names of audit filters to be deleted. The operation returns an empty string on success.

Privileges Required

You must have w (write) permission on the audit daemon, and you must be authenticated. 

Examples

dcecp> audfilter delete {principal jones}
dcecp> 

audfilter help

Returns help information about the audfilter object and its operations. The syntax is as follows:

audfilter help [operation | verbose]

Options

verbose
Displays information about the audfilter object.

Used without an argument or option, the audfilter help command returns brief information about each audfilter operation. The optional operation argument is the name of an operation about which you want detailed information. Alternatively, you can use the verbose option for more detailed information about the audfilter object itself.

Privileges Required

No special privileges are needed to use the audfilter help command. 

Examples

dcecp> audfilter help
catalog             Returns the list of filters for an audit daemon.
create              Creates a new filter with specified guides.
delete              Deletes a filter and its associated guides.
modify              Adds or removes one or more guides of a filter.
show                Returns a list of guides in a specified filter.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp> 

audfilter modify

Adds or removes one or more guides of a filter.  The syntax is as follows:

audfilter modify audit_filter_name_list
    {[add guide_name_list]
     [remove guide_name_list]}

Options

add guide_name_list
Specifies a list of one or more guides to be added to the specified audit event filters that are to be modified. A guide name consists of three elements: an audit condition, an audit action, and an event class.

See Data Structures for more information about guide names. 

remove guide_name_list
Specifies a list of one or more guides to be removed from the specified audit event filters that are to be modified. A guide name consists of three elements: an audit condition, an audit action, and an event class.

See Data Structures for more information about guide names. 

The modify operation adds or removes one or more guides of a filter. The argument is a list of names of audit filters to be modified. The specific change to make is given by one or both of the options add and remove. The argument to each option is a list of guides. If more than one guide is specified, all guides are operated on, but not atomically. If the last guide is removed from a filter, the filter is deleted at some point by the audit daemon.

Atomicity of multiple actions is not guaranteed.

Similarly, the effect of adding a guide that partially exists in the specified filter is to change the existing guides. These changes guarantee that the semantics of the removal/addition are maintained. The operation returns an empty string on success.
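To make the Data Structures rules and the modify semantics above concrete, here is an added model (not DCE or dcecp code) of how filter names, guides, and the add/remove/garbage-collection behaviour fit together. It assumes a single action token per guide and accepts all in the condition position because the page's own examples use it; both are assumptions of this model, as are the class and function names.

```python
# Added illustration, not DCE or dcecp code: a small model of the audfilter
# naming and guide rules on this page, usable to validate input offline.
KEY_KIND = {"principal": "name", "group": "name", "cell": "name",
            "cell_overridable": "name", "foreign_principal": "cell_path",
            "foreign_group": "cell_path", "world": None, "world_overridable": None}
# "all" in the condition slot is accepted because the page's examples use it (assumption).
CONDITIONS = {"success", "denial", "failure", "pending", "all"}
ACTIONS = {"alarm", "all", "log", "none"}

def parse_filter_name(name):
    """'type [key]' -> (type, key); enforces the key rule of the filter-type table."""
    parts = name.split()
    if len(parts) not in (1, 2) or parts[0] not in KEY_KIND:
        raise ValueError(f"bad filter name: {name!r}")
    ftype, key = parts[0], (parts[1] if len(parts) == 2 else None)
    kind = KEY_KIND[ftype]
    if (kind is None) != (key is None):
        raise ValueError(f"{ftype}: key is {'not allowed' if kind is None else 'required'}")
    if kind == "cell_path" and not key.startswith("/.../"):
        raise ValueError(f"{ftype}: key must be of the form /.../cellname/name")
    return ftype, key

def parse_guide(guide):
    """'event_class condition action' -> tuple, e.g. 'dce_sec_query denial log'."""
    parts = guide.split()
    if len(parts) != 3 or parts[1] not in CONDITIONS or parts[2] not in ACTIONS:
        raise ValueError(f"bad guide: {guide!r}")
    return tuple(parts)

class AuditDaemonModel:
    """Filters keyed by (type, key); a filter with no guides is garbage-collected."""
    def __init__(self):
        self.filters = {}
    def create(self, names, guides):
        parsed = [parse_guide(g) for g in guides]
        if not parsed:  # create requires -attribute, else the daemon would reap the filter
            raise ValueError("create requires at least one guide")
        for n in names:
            self.filters.setdefault(parse_filter_name(n), []).extend(parsed)
    def modify(self, names, add=(), remove=()):
        for n in names:
            key = parse_filter_name(n)
            guides = self.filters[key]  # KeyError: modifying a filter that does not exist
            for g in add:
                if parse_guide(g) not in guides:  # exact duplicates are not added twice
                    guides.append(parse_guide(g))
            for g in remove:
                guides[:] = [x for x in guides if x != parse_guide(g)]
            if not guides:  # the daemon deletes a filter whose last guide was removed
                del self.filters[key]
    def show(self, name):
        return ["{%s %s %s}" % g for g in self.filters[parse_filter_name(name)]]
    def catalog(self):
        return sorted(" ".join(p for p in k if p) for k in self.filters)
```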

Privileges Required

You must have w (write) permission on the audit daemon, and you must be authenticated. 

Examples

dcecp> audfilter modify {principal jones} \
       -add {dce_dts_mgt_modify failure alarm} \
       -remove {dce_dts_mgt_query all log}
dcecp>

audfilter operations

Returns a list of the operations supported by the audfilter object.  The syntax is as follows:

audfilter operations

The list of available operations is in alphabetical order except for help and operations, which are listed last.

Privileges Required

No special privileges are needed to use the audfilter operations command. 

Examples

dcecp> audfilter operations
catalog create delete modify show help operations
dcecp>

audfilter show

Returns a list of guides in a specified filter.  The syntax is as follows:

audfilter show audit_filter_name_list

The show operation returns a list of guides in a specified filter. The argument is a list of filter names (a filter type and, if needed, a key) to be shown. If more than one is entered, the output is concatenated with a blank line inserted between filters.

Privileges Required

You must have r (read) permission on the audit daemon, and you must be authenticated. 

Examples

dcecp> audfilter show {principal rousseau}
{dce_dts_mgt_modify failure alarm}
{dce_dts_mgt_query all log}
dcecp>

Related Information

Commands: aud(8dce), audevents(8dce), auditd(8sec), audtrail(8dce), dcecp(8dce). 

Files: aud_audit_events(5sec), dts_audit_events(5sec), event_class(5sec), sec_audit_events(5sec). 

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026