Audit records that belong to a resource access event have the following filter format:
ClassName;ObjectName;UserName;ProgramPath;Access;AuthorizationResult
ClassName
Defines the name of the class that the accessed object belongs to.
Note: Enter the name of the class in uppercase.
ObjectName
Defines the name of the object that was accessed.
UserName
Defines the name of the accessor.
ProgramPath
Defines the name of the program used to access the object.
Access
Defines the requested access to the object.
Note: The following are the values that you use for this parameter in the audit.cfg file to filter out an audit record. In some cases the value in the audit.cfg file differs from the value that CA ControlMinder writes in the audit record for that event. Any such differences are noted after the description of each value. Type the parameter in the same case as it appears in the following list.
Values:
A wildcard that represents any type of access.
Change directory—The accessor made a request to move the object to a different directory.
Change mode—The accessor made a request to change the mode of the object.
(UNIX) Change group—The accessor made a request to change the group the object belongs to.
Change owner—The accessor made a request to change the owner of the object.
Connect
Join user to group—The accessor made a request to add a new user to a group.
Note: The connect value is identical to the join value.
Control
(UNIX) Control—The accessor requested Chown, Chmod, Utime, Sec, Chdir, and Update access to the object.
Create—The accessor made a request to create an object.
Crrdwr
Create, Read, and Write—The accessor requested Create, Read, and Write access to the object.
Note: CA ControlMinder writes this value as CrRdWrite in the corresponding audit record.
Crread
Create and Read—The accessor requested Create and Read access to the object.
Note: CA ControlMinder writes this value as CrRead in the corresponding audit record.
Crwrite
Create and Write—The accessor requested Create and Write access to the object.
Note: CA ControlMinder writes this value as CrWrite in the corresponding audit record.
Delete—The accessor made a request to delete an object.
Note: CA ControlMinder writes this value as Erase in the corresponding audit record.
Filereplace
Create and Erase—The accessor requested Create and Erase access to the object.
Note: CA ControlMinder writes this value as Replace in the corresponding audit record.
Filescan
Filescan—The accessor requested List access to the object.
Note: CA ControlMinder writes this value as Scan in the corresponding audit record.
Join user to group—The accessor made a request to add a new user to a group.
Note: The join value is identical to the connect value.
Kill—The accessor made a request to kill a process.
Modify
Modify—The accessor requested Modify access to the object.
OwnGrp
Change owner and Change group—The accessor requested Chown and Chgrp access to the object.
PW
Password—The accessor made a request to change a password.
Note: CA ControlMinder writes this value as Password in the corresponding audit record.
Read—The accessor requested read access to an object.
Note: (UNIX) If STAT_intercept is set to 1, this parameter includes stat interception.
Change file name—The accessor made a request to change the file name of an object.
Change ACL—The accessor made a request to edit the ACL of the object.
Note: CA ControlMinder writes this value as ACL in the corresponding audit record.
Update
Read, Write, and Execute—The accessor requested Read, Write, and Execute access to an object.
Note: The Update value also filters events when an accessor requested Read and Write access to an object.
(UNIX) Change time—The accessor made a request to change the modification time of an object.
Note: CA ControlMinder writes this value as Utimes in the corresponding audit record.
Write—The accessor requested write access to an object.
Execute—The accessor made a request to execute an object.
Note: Some values are not valid for every class. For example, kill is an invalid value for the FILE class, because the kill action is not available to objects in the FILE class. If you enter an invalid value for a class when you write a rule, CA ControlMinder ignores that rule when it reads the file.
AuthorizationResult
Defines the authorization result.
Values: P (permitted), D (denied), *
Example: Audit Filter Policy
env config
er config audit.cfg line+("FILE;*;*;*;R;P")
FILE;*;*;*;R;P
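Because every line in audit.cfg removes records from the audit trail, filter lines are worth checking before they are deployed. The following Python sketch is an added example, not CA ControlMinder code: it validates the six-field format, flags rules that match any object, user, and program, and tests a rule against a record using the audit.cfg-to-audit-record name pairs noted above. It assumes that a field matches only when it is * or exactly equal, and that a record is a dictionary keyed by the six field names; the sample rules are constructed.

```python
FIELDS = ("ClassName", "ObjectName", "UserName", "ProgramPath",
          "Access", "AuthorizationResult")

# audit.cfg value -> value written in the audit record (pairs stated on this page)
RECORD_NAME = {"Crrdwr": "CrRdWrite", "Crread": "CrRead", "Crwrite": "CrWrite",
               "Filereplace": "Replace", "Filescan": "Scan", "PW": "Password"}

def parse_filter(line):
    """Split one filter line into its six named fields and validate them."""
    parts = line.strip().split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rule = dict(zip(FIELDS, parts))
    if rule["ClassName"] != rule["ClassName"].upper():
        raise ValueError("ClassName must be uppercase")
    if rule["AuthorizationResult"] not in ("P", "D", "*"):
        raise ValueError("AuthorizationResult must be P, D or *")
    return rule

def suppresses(rule, record):
    """True if the rule would filter out the record (assumed exact-or-* match)."""
    for field in FIELDS:
        want = rule[field]
        if field == "Access":
            want = RECORD_NAME.get(want, want)  # compare using the record's spelling
        if want != "*" and want != record[field]:
            return False
    return True

def lint(lines):
    """Return (line, finding) pairs for invalid or very broad filter rules."""
    findings = []
    for line in lines:
        try:
            rule = parse_filter(line)
        except ValueError as exc:
            findings.append((line, f"invalid: {exc}"))
            continue
        if all(rule[f] == "*" for f in ("ObjectName", "UserName", "ProgramPath")):
            findings.append((line, "broad: any object, user and program"))
    return findings

# Constructed sample rules (not taken from a real audit.cfg)
SAMPLE_RULES = ["FILE;*;*;*;Crread;P",
                "file;/etc/hosts;root;*;Crwrite;P",
                "FILE;/etc/hosts;root;*;Crwrite",
                "FILE;/etc/hosts;root;/bin/cat;Filescan;P"]

if __name__ == "__main__":
    for rule_line, finding in lint(SAMPLE_RULES):
        print(f"{rule_line}  ->  {finding}")
```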
Copyright © 2013 CA Technologies.
All rights reserved.