The auditrouteflt.cfg file filters the routing of audit records by defining the records that CA ControlMinder should not send to the Distribution Server. Each line in the file is one filter rule. The file pathname is defined by the audit_filter configuration setting in the ReportAgent section.
Note: Filtered audit events are written to the local audit file but CA ControlMinder does not send them to the message queue on the Distribution Server. To filter out audit messages from the local audit file, modify filter rules in the file defined by the AuditFiltersFile configuration setting in the logmgr section (by default, audit.cfg).
You can use the auditrouteflt.cfg file to filter out records of the following audit event types; each type uses its own filter syntax:
Note: A * in any column in each type of syntax stands for "any value".
Resource Access Events Filter Syntax
Audit records that belong to a resource access event have the following filter format:
ClassName;ObjectName;UserName;ProgramPath;Access;AuthorizationResult
ClassName: Defines the name of the class that the accessed object belongs to.
Note: You must enter the name of the class in uppercase.
ObjectName: Defines the name of the object that was accessed.
UserName: Defines the name of the accessor.
ProgramPath: Defines the name of the program used to access the object.
Access: Defines the requested access to the object.
Values:
A wildcard that represents any type of access.
Change directory—The accessor made a request to move the object to a different directory.
Change mode—The accessor made a request to change the object's mode.
(UNIX) Change group—The accessor made a request to change the group the object belongs to.
Change owner—The accessor made a request to change the owner of the object.
Create—The accessor made a request to create a new object.
Delete—The accessor made a request to delete an object.
Join user to group—The accessor made a request to add a new user to a group.
Kill—The accessor made a request to kill a process.
Read—The accessor requested read access to an object.
Note: (UNIX) This parameter includes stat interception if STAT_intercept is set to 1.
Change file name—The accessor made a request to change the file name of an object.
Change ACL—The accessor made a request to edit an object's ACL.
(UNIX) Change time—The accessor made a request to change the modification time of an object.
Write—The accessor requested write access to an object.
Execute—The accessor made a request to execute an object.
Note: Some values are not valid for every class. For example, kill is an invalid value for the FILE class, because the kill action is not available to objects in the FILE class. If you enter an invalid value for a class when you write a rule, CA ControlMinder ignores that rule when it reads the file.
AuthorizationResult: Defines the authorization result.
Values: P (permitted), D (denied), *
Network Connection Events Filter Syntax
Audit records that belong to a network connection event have the following filter format:
{HOST|TCP};ObjectName;HostName;ProgramPath;Access;AuthorizationResult
HOST: Specifies that the rule filters records generated by objects in the HOST class, that is, incoming TCP connections.
TCP: Specifies that the rule filters records generated by objects in the TCP class, that is, connect with service events.
ObjectName: Defines the name of the object that was accessed. ObjectName can be a service name or port number.
HostName: Defines the name of the host. HostName must be an object in the HOST class.
ProgramPath: Defines the login program type.
(Windows) For outgoing connections, this parameter defines the program path of the process trying to establish the connection.
Note: This parameter has no meaning for incoming connection events. Use * for this parameter to filter audit records generated by incoming connection events.
Access: Defines the type of attempted connection.
Values:
AuthorizationResult: Defines the authorization result.
Values: P (permitted), D (denied), *
Login and Logout Events Filter Syntax
Audit records that belong to a login or logout event have the following filter format:
LOGIN;UserName;UserId;TerminalName;LoginProgram;AuthorizationResultOrLoginType
LOGIN: Specifies that the rule filters audit records generated by login and logout events.
UserName: Defines the name of the accessor.
UserId: Defines the native user ID of the accessor.
TerminalName: Defines the terminal at which the event occurred.
LoginProgram: Defines the name of the program that attempted to log in or out.
AuthorizationResultOrLoginType: Defines the authorization result or login type.
Values:
A wildcard that represents any type of authorization result.
The login attempt was denied.
The login attempt was permitted.
(UNIX) The accessor logged out.
(UNIX) The serevu daemon revoked the accessor's account.
(UNIX) The serevu daemon enabled the accessor's account.
(UNIX) The serevu daemon or Pluggable Authentication Module audited a user's attempt to log in with an incorrect password.
Note: Windows does not record logout events.
Security Database Administration Events Filter Syntax
Audit records that belong to a security database administration event have the following filter format:
ADMIN;ClassName;ObjectName;UserName;EffectiveUserName;TerminalName;Command;CommandResult
ADMIN: Specifies that the rule filters audit records generated by events performed by an administrator.
ClassName: Defines the class on which the administrator executes the command.
ObjectName: Defines the object that the administrator's command updated.
UserName: Defines the name of the user who executed the command.
EffectiveUserName: (UNIX) Defines the name of the effective user to which the rule applies.
EffectiveUserName: (Windows) Defines the name of the native user to which the rule applies.
TerminalName: Defines the terminal at which the event occurred.
Command: Defines the selang command that the administrator executed.
CommandResult: Defines the authorization or command result.
Values: S (command succeeded), F (command failed), D (command denied), *
Trace Messages On a User Events Filter Syntax
Audit records that belong to a trace message on a user event have the following filter format:
TRACE;TracedClassName;TracedObjectName;RealUserName;EffectiveUserName;ACUserName;AuthorizationResult;TraceMessage
TRACE: Specifies that the rule filters user trace records.
TracedClassName: Defines the name of the object class the user tried to access.
Note: You must enter the name of the class in uppercase.
TracedObjectName: Defines the name of the object that the user tried to access.
RealUserName: (UNIX) Defines the name of the real user that generated the trace record.
RealUserName: (Windows) Defines the name of the native user that generated the trace record.
EffectiveUserName: (UNIX) Defines the name of the effective user that generated the trace record.
EffectiveUserName: (Windows) Defines the name of the native user that generated the trace record. This parameter is identical to the RealUserName parameter. Use * for this parameter.
ACUserName: Defines the user name CA ControlMinder chose to authorize the event.
AuthorizationResult: Defines the authorization result.
Values: P (permitted), D (denied), *
TraceMessage: Defines the trace message that was generated.
Examples: Filter Network Connection Events
HOST;telnet;ca.com;*;*;P
TCP;login;ca.com;*;*;D
TCP;telnet;ca.com;*;W;*
Examples: Filter Login or Logout Events
LOGIN;root;*;*;*;P
LOGIN;root;*;*;SBIN_CRON;P
LOGIN;root;*;_CRONJOB_;*;O
Example: Filter Security Database Administration Events
This example filters all audit records generated by successful FILE management commands by admin01:
ADMIN;FILE;*;admin01;*;*;*;S
Example: Filter Trace On a User Message Events
This example filters all user trace records generated when the effective user is root, and root accessed an object in the FILE class:
TRACE;FILE;*;*;root;*;*;*
Example: Audit Filter Policy
This example shows you what an audit filtering policy looks like:
env config er config auditrouteflt.cfg line+("FILE;*;*;R;P")
This policy writes the following line to the auditrouteflt.cfg file:
FILE;*;*;R;P
This line filters audit records that record a permitted attempt by any accessor to access any file resource for reading.
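The rule formats above can be checked mechanically before a file is deployed, which catches the kind of mistake (wrong field count, lowercase class name, unknown result code) that makes CA ControlMinder silently ignore a rule. The following Python script is an added example and is not CA ControlMinder code or part of its documentation. It parses auditrouteflt.cfg lines using the field layouts from the syntax sections above, reports rules the format does not allow, and then tests constructed audit records against the loaded rules to show which records would stay local and which would be routed. The matching semantics (a rule field matches when it is * or equals the record's value exactly, case-sensitively), the record dictionary shape, and the sample rule lines and records are all assumptions constructed for this example; the LOGIN result codes are not validated because the page does not list them.

```python
"""Check auditrouteflt.cfg rules and test audit records against them.

Added example (not CA ControlMinder code). The matching semantics below are
an assumption: a rule field matches when it is '*' or equals the record's
value exactly (case-sensitive).
"""
from dataclasses import dataclass

# Field layouts after the leading keyword, taken from the syntax sections.
KEYWORD_LAYOUTS = {
    "HOST": ["ObjectName", "HostName", "ProgramPath", "Access", "AuthorizationResult"],
    "TCP": ["ObjectName", "HostName", "ProgramPath", "Access", "AuthorizationResult"],
    "LOGIN": ["UserName", "UserId", "TerminalName", "LoginProgram",
              "AuthorizationResultOrLoginType"],
    "ADMIN": ["ClassName", "ObjectName", "UserName", "EffectiveUserName",
              "TerminalName", "Command", "CommandResult"],
    "TRACE": ["TracedClassName", "TracedObjectName", "RealUserName",
              "EffectiveUserName", "ACUserName", "AuthorizationResult", "TraceMessage"],
}
# Resource access rules have no keyword: the first field is the class name.
RESOURCE_LAYOUT = ["ObjectName", "UserName", "ProgramPath", "Access", "AuthorizationResult"]

# Which field carries the result code, and which codes the page lists for it.
# LOGIN is absent: its codes are not listed on the page, so it is not checked.
RESULT_FIELD = {"RESOURCE": "AuthorizationResult", "HOST": "AuthorizationResult",
                "TCP": "AuthorizationResult", "ADMIN": "CommandResult",
                "TRACE": "AuthorizationResult"}
RESULT_CODES = {"RESOURCE": {"P", "D", "*"}, "HOST": {"P", "D", "*"},
                "TCP": {"P", "D", "*"}, "ADMIN": {"S", "F", "D", "*"},
                "TRACE": {"P", "D", "*"}}


@dataclass
class Rule:
    kind: str      # "RESOURCE" or one of the keywords above
    fields: dict   # field name -> rule value ('*' is a wildcard)
    line: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError for a rule the format does not allow."""
    parts = line.strip().split(";")
    head, values = parts[0], parts[1:]
    if head in KEYWORD_LAYOUTS:
        kind, layout = head, KEYWORD_LAYOUTS[head]
    else:
        # Page note: the class name of a resource access rule must be uppercase.
        if not head or head != head.upper():
            raise ValueError(f"class name must be uppercase: {line!r}")
        kind, layout = "RESOURCE", RESOURCE_LAYOUT
    if len(values) != len(layout):
        raise ValueError(f"{kind} rule needs {len(layout) + 1} fields, got {len(parts)}: {line!r}")
    fields = dict(zip(layout, values))
    if kind == "RESOURCE":
        fields["ClassName"] = head
    if kind in RESULT_FIELD:
        code = fields[RESULT_FIELD[kind]]
        if code not in RESULT_CODES[kind]:
            raise ValueError(f"result code {code!r} not allowed for {kind}: {line!r}")
    return Rule(kind, fields, line)


def load_rules(text: str):
    """Parse a whole file; return (rules, errors). Blank lines are skipped."""
    rules, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return rules, errors


def rule_matches(rule: Rule, record: dict) -> bool:
    """Assumed semantics: same record kind and every rule field is '*' or equal."""
    if record.get("kind") != rule.kind:
        return False
    return all(value == "*" or record.get(name) == value
               for name, value in rule.fields.items())


def is_filtered(record: dict, rules) -> bool:
    """True when some rule matches, i.e. the record stays local and is not routed."""
    return any(rule_matches(rule, record) for rule in rules)


# Constructed sample file: the page's example rules plus two deliberately bad lines
# (lowercase class name; result code Q, which ADMIN does not allow).
SAMPLE_CFG = """\
FILE;*;*;*;R;P
HOST;telnet;ca.com;*;*;P
TCP;login;ca.com;*;*;D
LOGIN;root;*;*;SBIN_CRON;P
ADMIN;FILE;*;admin01;*;*;*;S
TRACE;FILE;*;*;root;*;*;*
file;*;*;*;R;P
ADMIN;FILE;*;admin01;*;*;*;Q
"""

# Constructed audit records in the shape the matcher expects.
PERMITTED_READ = {"kind": "RESOURCE", "ClassName": "FILE", "ObjectName": "/etc/hosts",
                  "UserName": "bob", "ProgramPath": "/bin/cat", "Access": "R",
                  "AuthorizationResult": "P"}
DENIED_READ = dict(PERMITTED_READ, AuthorizationResult="D")
ADMIN_OK = {"kind": "ADMIN", "ClassName": "FILE", "ObjectName": "/tmp/x",
            "UserName": "admin01", "EffectiveUserName": "root", "TerminalName": "tty1",
            "Command": "editres FILE /tmp/x", "CommandResult": "S"}

if __name__ == "__main__":
    rules, errors = load_rules(SAMPLE_CFG)
    print(f"{len(rules)} rules loaded, {len(errors)} rejected")
    for err in errors:
        print("  ", err)
    for rec in (PERMITTED_READ, DENIED_READ, ADMIN_OK):
        state = "filtered" if is_filtered(rec, rules) else "routed"
        print(state, rec["kind"], rec.get("ObjectName"))
```

The checker enforces the field counts given by the syntax lines, so a denied read of a FILE object is still routed under the sample rules while the permitted read is held back, which is the distinction a reviewer of a filter file usually wants to confirm before the rule set goes live.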
Copyright © 2013 CA Technologies.
All rights reserved.