audit.cfg File Resource Access Events Filter Syntax

Audit records that belong to a resource access event have the following filter format:
ClassName;ObjectName;UserName;ProgramPath;Access;AuthorizationResult
  • ClassName
    Defines the name of the class that the accessed object belongs to.
    Enter the name of the class in uppercase.
  • ObjectName
    Defines the name of the object that was accessed.
  • UserName
    Defines the name of the accessor.
  • ProgramPath
    Defines the name of the program used to access the object.
  • Access
    Defines the requested access to the object.
    The following values are the values for this parameter that you use in the audit.cfg file to filter out an audit record. In some cases the value of this parameter in the audit.cfg file is different from the value that PAM Server Control writes in the audit record for that event. Any such differences are noted after the description of each value. Type the parameter in the same case as it appears in the following list.
    Values:
    • *
      A wildcard that represents any type of access.
    • Chdir
      Change directory. The accessor made a request to move the object to a different directory.
    • Chmod
      Change mode. The accessor made a request to change the mode of the object.
    • Chgrp
      (UNIX) Change group. The accessor made a request to change the group the object belongs to.
    • Chown
      Change owner. The accessor made a request to change the owner of the object.
    • Connect
      Join user to group. The accessor made a request to add a new user to a group.
      Note: The Connect value is identical to the Join value.
    • Control
      (UNIX) Control. The accessor requested Chown, Chmod, Utime, Sec, Chdir, and Update access to the object.
    • Cre
      Create. The accessor made a request to create an object.
    • Crrdwr
    • Crread
      Create and Read. The accessor requested Create and Read access to the object.
      Note: PAM Server Control writes this value as CrRead in the corresponding audit record.
    • Crwrite
      Create and Write. The accessor requested Create and Write access to the object.
      Note: PAM Server Control writes this value as CrWrite in the corresponding audit record.
    • Del
      Delete. The accessor made a request to delete an object.
      Note: PAM Server Control writes this value as Erase in the corresponding audit record.
    • Join
      Join user to group. The accessor made a request to add a new user to a group.
      Note: The Join value is identical to the Connect value.
    • Kill
      Kill. The accessor made a request to kill a process.
    • Modify
      Modify. The accessor requested Modify access to the object.
    • OwnGrp
      Change owner and change group. The accessor requested Chown and Chgrp access to the object.
    • PW
    • R
      Read. The accessor requested read access to an object.
      (UNIX) If STAT_intercept is set to 1, this value also covers stat interception.
    • Rename
      Change file name. The accessor made a request to change the file name of an object.
    • Sec
      Change ACL. The accessor made a request to edit the ACL of the object.
      Note: PAM Server Control writes this value as ACL in the corresponding audit record.
    • Update
      Read, Write, and Execute. The accessor requested Read, Write, and Execute access to an object.
      Note: The Update value also filters events in which an accessor requested Read and Write access to an object.
    • Utime
      (UNIX) Change time. The accessor made a request to change the modification time of an object.
      Note: PAM Server Control writes this value as Utimes in the corresponding audit record.
    • W
      Write. The accessor requested write access to an object.
    • X
      Execute. The accessor made a request to execute an object.
    Some values are not valid for every class. For example, Kill is an invalid value for the FILE class, because the kill action is not available to objects in the FILE class. If you enter an invalid value for a class when you write a rule, PAM Server Control ignores that rule when it reads the file.
  • AuthorizationResult
    Defines the authorization result.
    Values:
    • P
      Permitted
    • D
      Denied
    • O
      Logout
    • I
      Inactivate (disable user) by serevu
    • E
      Enable user login by serevu
    • A
      Password attempt detected
    • *
      A wildcard that represents any value.
Example: Audit Filter Policy
  • This example shows you what an audit filtering policy looks like:
    env config er config audit.cfg line+("FILE;*;*;*;R;P")
  • This policy writes the following line to the audit.cfg file. The line filters out audit records that record a permitted attempt by any accessor to access any file resource for reading:
    FILE;*;*;*;R;P
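The following script is an added example, not PAM Server Control code, that applies the filter syntax above to audit records so you can check what a given audit.cfg would suppress before deploying it. It encodes the documented rules: six semicolon-separated fields, uppercase class names, case-sensitive access keywords, the audit-record spellings that differ from the keyword (Erase, ACL, Utimes, CrRead, CrWrite), Kill being invalid for FILE, and the fact that an invalid rule is ignored rather than failing the file. The record tuple layout, the sample audit.cfg text and the sample records are constructed here; treating Connect and Join as matching either record spelling, treating "*" as a whole-field wildcard only, and limiting the invalid-access table to the one documented case are assumptions, and the Update keyword's extra Read-and-Write match is not modelled because the page does not give the record spelling for it.

```python
"""Match audit records against audit.cfg resource-access filter lines.

Filter field order: ClassName;ObjectName;UserName;ProgramPath;Access;AuthorizationResult
Added example, not PAM Server Control code; sample data is constructed.
"""
from dataclasses import dataclass

# Access keyword as typed in audit.cfg -> spelling(s) PAM Server Control writes in
# the audit record. Keywords not listed here are written unchanged.
ACCESS_ALIASES = {
    "Del": {"Erase"},
    "Sec": {"ACL"},
    "Utime": {"Utimes"},
    "Crread": {"CrRead"},
    "Crwrite": {"CrWrite"},
    # Connect and Join are documented as identical; assumption: either spelling
    # may appear in a record, so both keywords match both spellings.
    "Connect": {"Connect", "Join"},
    "Join": {"Connect", "Join"},
}
ACCESS_KEYWORDS = {
    "*", "Chdir", "Chmod", "Chgrp", "Chown", "Connect", "Control", "Cre", "Crrdwr",
    "Crread", "Crwrite", "Del", "Join", "Kill", "Modify", "OwnGrp", "PW", "R",
    "Rename", "Sec", "Update", "Utime", "W", "X",
}
RESULT_CODES = {"P", "D", "O", "I", "E", "A", "*"}
# Accesses invalid for a class; a rule naming one is ignored when the file is read.
# Only Kill-on-FILE is documented; extending this table is an assumption.
INVALID_FOR_CLASS = {"FILE": {"Kill"}}


@dataclass(frozen=True)
class Rule:
    class_name: str
    object_name: str
    user_name: str
    program_path: str
    access: str
    result: str


def parse_rule(line):
    """Return a Rule, or None for a line PAM Server Control would ignore."""
    fields = line.strip().split(";")
    if len(fields) != 6:
        return None
    cls, obj, user, prog, access, result = fields
    if cls != cls.upper():                # class names must be entered in uppercase
        return None
    if access not in ACCESS_KEYWORDS or result not in RESULT_CODES:  # case matters
        return None
    if access in INVALID_FOR_CLASS.get(cls, set()):
        return None
    return Rule(cls, obj, user, prog, access, result)


def load_rules(text):
    """Parse every non-blank line, silently dropping lines that would be ignored."""
    rules = [parse_rule(raw) for raw in text.splitlines() if raw.strip()]
    return [r for r in rules if r is not None]


def _field_matches(pattern, value):
    # "*" is the documented wildcard for a whole field; anything else is exact.
    return pattern == "*" or pattern == value


def _access_matches(keyword, record_access):
    return keyword == "*" or record_access in ACCESS_ALIASES.get(keyword, {keyword})


def is_filtered(record, rules):
    """True if some rule matches, i.e. the record is filtered out and not written."""
    cls, obj, user, prog, access, result = record
    return any(
        _field_matches(r.class_name, cls) and _field_matches(r.object_name, obj)
        and _field_matches(r.user_name, user) and _field_matches(r.program_path, prog)
        and _access_matches(r.access, access) and _field_matches(r.result, result)
        for r in rules
    )


def written_records(records, rules):
    """The records that survive filtering and reach the audit log."""
    return [rec for rec in records if not is_filtered(rec, rules)]


def selang_line(rule_text):
    """The selang command that appends one filter line to audit.cfg."""
    return f'env config er config audit.cfg line+("{rule_text}")'


# Constructed audit.cfg: the last three lines are ones the product ignores
# (Kill on FILE, lowercase class name, access value that is not a keyword).
SAMPLE_AUDIT_CFG = """
FILE;*;*;*;R;P
FILE;/etc/passwd;*;*;Del;*
FILE;*;*;*;Kill;P
file;*;*;*;W;P
FILE;*;*;*;Read;P
"""
# Constructed records in filter-field order; Access uses the record spelling.
SAMPLE_RECORDS = [
    ("FILE", "/etc/hosts", "alice", "/bin/cat", "R", "P"),
    ("FILE", "/etc/hosts", "alice", "/bin/vi", "W", "P"),
    ("FILE", "/etc/passwd", "root", "/bin/rm", "Erase", "D"),
    ("PROCESS", "1234", "bob", "/bin/kill", "Kill", "P"),
]

if __name__ == "__main__":
    active = load_rules(SAMPLE_AUDIT_CFG)
    for rule in active:
        print(selang_line(";".join(vars(rule).values())))
    for rec in written_records(SAMPLE_RECORDS, active):
        print("written:", ";".join(rec))
```

Run it and only two of the five sample lines become active rules; the permitted read of /etc/hosts and the denied erase of /etc/passwd are suppressed (the second one only because the Del keyword is mapped to the record's Erase spelling), while the write and the PROCESS kill are still written. The three ignored lines are the practical warning here: a lowercase class name or a mis-cased keyword does not produce an error, it just leaves the record unfiltered.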