audit.cfg File Login and Logout Events Filter Syntax

Audit records that belong to a login or logout event have the following filter format:
LOGIN;UserName;UserId;TerminalName;LoginProgram;AuthorizationResultOrLoginType
  • LOGIN
    Specifies that the rule filters audit records generated by login and logout events.
  • UserName
    Defines the name of the accessor.
  • UserId
    (UNIX) Defines the native user ID of the accessor.
  • TerminalName
    Defines the terminal at which the event occurred.
  • LoginProgram
    Defines the name of the program that attempted to log in or out.
  • AuthorizationResultOrLoginType
    Defines the authorization result or login type.
    Values:
    • *
      A wildcard that represents any type of authorization result.
    • D
      The login attempt was denied.
    • P
      The login attempt was permitted.
    • O
      (UNIX) The accessor logged out.
    • I
      (UNIX) The serevu daemon revoked the accessor's account.
    • E
      (UNIX) The serevu daemon enabled the accessor's account.
    • A
      (UNIX) The serevu daemon or Pluggable Authentication Module audited a user's attempt to log in with an incorrect password.
    Windows does not record logout events.
Examples: Filter Login or Logout Events
  • This example filters all audit records generated when a login by root is permitted:
    LOGIN;root;*;*;*;P
  • This example filters all audit records generated when root logs in successfully through the system's CRON program:
    LOGIN;root;*;*;SBIN_CRON;P
  • This example filters all audit records generated when the _CRONJOB_ process logs the root user out (in the rule, _CRONJOB_ occupies the TerminalName field):
    LOGIN;root;*;_CRONJOB_;*;O
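
The following Python is an added example, not part of the product or its documentation: it parses the LOGIN rules shown above, matches them against a constructed record, and flags rules a reviewer would question before an audit.cfg change is deployed. The function names, the matching model (a field matches only on `*` or an identical string) and the review heuristics are assumptions of this example.

```python
# Added example (not vendor code): parse and check audit.cfg LOGIN filter rules.
FIELDS = ("UserName", "UserId", "TerminalName", "LoginProgram",
          "AuthorizationResultOrLoginType")
RESULT = FIELDS[-1]
RESULT_CODES = {"*", "D", "P", "O", "I", "E", "A"}   # values listed on this page
UNIX_ONLY = {"O", "I", "E", "A"}                     # marked (UNIX) on this page


def parse_login_rule(line):
    """Split 'LOGIN;f1;f2;f3;f4;f5' into a dict keyed by field name."""
    parts = [p.strip() for p in line.strip().split(";")]
    if parts[0] != "LOGIN":
        raise ValueError("not a LOGIN rule: %r" % line)
    if len(parts) != len(FIELDS) + 1:
        raise ValueError("expected 6 fields, got %d: %r" % (len(parts), line))
    rule = dict(zip(FIELDS, parts[1:]))
    if rule[RESULT] not in RESULT_CODES:
        raise ValueError("unknown result code %r" % rule[RESULT])
    return rule


def rule_matches(rule, record):
    """Assumption: a field matches when the rule holds '*' or the same string."""
    return all(rule[f] in ("*", record[f]) for f in FIELDS)


def review(rule, platform="unix"):
    """Return reviewer warnings; the heuristics are this example's own."""
    warnings = []
    code = rule[RESULT]
    if platform == "windows" and code in UNIX_ONLY:
        warnings.append("result code %s is UNIX-only" % code)
    if rule["UserName"] == "*" and code in ("*", "D", "A"):
        warnings.append("rule filters failed-login records for every user")
    return warnings


# Constructed sample record (not real audit output).
SAMPLE = dict(zip(FIELDS, ("root", "0", "_CRONJOB_", "SBIN_CRON", "P")))

if __name__ == "__main__":
    for text in ("LOGIN;root;*;*;*;P", "LOGIN;root;*;*;SBIN_CRON;P",
                 "LOGIN;root;*;_CRONJOB_;*;O", "LOGIN;*;*;*;*;D"):
        rule = parse_login_rule(text)
        print(text, rule_matches(rule, SAMPLE), review(rule, "windows"))
```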