audit.cfg File Security Database Administration Events Filter Syntax
Audit records that belong to a security database administration event have the following filter format:
ADMIN;ClassName;ObjectName;UserName;EffectiveUserName;TerminalName;Command;CommandResult
- ADMIN: Specifies that the rule filters audit records generated by events performed by an administrator.
- ClassName: Defines the class on which the administrator executes the command.
- ObjectName: Defines the object that the administrator's command updated.
- UserName: Defines the name of the user who executed the command.
- EffectiveUserName: (UNIX) Defines the name of the effective user to which the rule applies. (Windows) Defines the name of the native user to which the rule applies.
- TerminalName: Defines the terminal at which the event occurred.
- Command: Defines the selang command that the administrator executed.
- CommandResult: Defines the authorization or command result. Values: S (command succeeded), F (command failed), D (command denied), *
Example: Filter Security Database Administration Events
This example filters all audit records generated by successful FILE management commands by admin01:
ADMIN;FILE;*;admin01;*;*;*;S
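
Because the rule is positional, a dropped or extra semicolon silently shifts every later field, so ADMIN rules are worth linting before audit.cfg is deployed. The following is an added example, not part of the product or its documentation: it checks the eight-field layout and the CommandResult values listed above, and flags rules that match every administration event. The function names and the sample rules are constructed for illustration, and only lines beginning with ADMIN; are examined.

```python
# Added example: lint ADMIN filter rules before deploying audit.cfg.
FIELDS = ["ADMIN", "ClassName", "ObjectName", "UserName",
          "EffectiveUserName", "TerminalName", "Command", "CommandResult"]
RESULTS = {"S", "F", "D", "*"}  # values listed in the syntax description


def lint_admin_rule(line):
    """Return (rule_dict_or_None, problems) for one ADMIN rule line."""
    parts = line.strip().split(";")
    if parts[0] != "ADMIN":
        return None, ["not an ADMIN rule"]
    if len(parts) != len(FIELDS):
        # A wrong count means fields are shifted; do not interpret further.
        return None, ["expected %d fields, found %d" % (len(FIELDS), len(parts))]
    rule = dict(zip(FIELDS, parts))
    problems = ["empty field: " + name for name, value in rule.items() if not value]
    if rule["CommandResult"] not in RESULTS:
        problems.append("CommandResult must be one of S, F, D, *")
    if all(rule[name] == "*" for name in FIELDS[1:]):
        problems.append("every field is *: rule matches all administration events")
    return rule, problems


def lint_config(text):
    """Lint each line starting with 'ADMIN;'; return {line_number: problems}."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("ADMIN;"):
            _, problems = lint_admin_rule(line)
            if problems:
                report[number] = problems
    return report


# Constructed sample rules, not taken from a real deployment.
SAMPLE = """\
ADMIN;FILE;*;admin01;*;*;*;S
ADMIN;FILE;*;admin01;*;*;S
ADMIN;USER;*;*;*;*;*;X
ADMIN;*;*;*;*;*;*;*
"""

if __name__ == "__main__":
    for number, problems in lint_config(SAMPLE).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```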