

audit.cfg File—Resource Access Events Filter Syntax

Audit records that belong to a resource access event have the following filter format:

ClassName;ObjectName;UserName;ProgramPath;Access;AuthorizationResult

ClassName

Defines the name of the class that the accessed object belongs to.

Note: Enter the name of the class in uppercase.

ObjectName

Defines the name of the object that was accessed.

UserName

Defines the name of the accessor.

ProgramPath

Defines the name of the program used to access the object.

Access

Defines the requested access to the object.

Note: The following values are the values you type for this parameter in the audit.cfg file to filter out an audit record. In some cases the value in the audit.cfg file differs from the value that CA ControlMinder writes in the audit record for the same event; each such difference is noted after the description of the value. Type the value in the same case as it appears in the following list.

Values:

*

A wildcard that represents any type of access.

Chdir

Change directory—The accessor made a request to change the working directory to the object (a directory).

Chmod

Change mode—The accessor made a request to change the mode of the object.

Chgrp

(UNIX) Change group—The accessor made a request to change the group the object belongs to.

Chown

Change owner—The accessor made a request to change the owner of the object.

Connect

Join user to group—The accessor made a request to add a new user to a group.

Note: The connect value is identical to the join value.

Control

(UNIX) Control—The accessor requested Chown, Chmod, Utime, Sec, Chdir, and Update access to the object.

Cre

Create—The accessor made a request to create an object.

Crrdwr

Create, Read, and Write—The accessor requested Create, Read, and Write access to the object.

Note: CA ControlMinder writes this value as CrRdWrite in the corresponding audit record.

Crread

Create and Read—The accessor requested Create and Read access to the object.

Note: CA ControlMinder writes this value as CrRead in the corresponding audit record.

Crwrite

Create and Write—The accessor requested Create and Write access to the object.

Note: CA ControlMinder writes this value as CrWrite in the corresponding audit record.

Del

Delete—The accessor made a request to delete an object.

Note: CA ControlMinder writes this value as Erase in the corresponding audit record.

Filereplace

Create and Erase—The accessor requested Create and Erase access to the object.

Note: CA ControlMinder writes this value as Replace in the corresponding audit record.

Filescan

Filescan—The accessor requested List access to the object.

Note: CA ControlMinder writes this value as Scan in the corresponding audit record.

Join

Join user to group—The accessor made a request to add a new user to a group.

Note: The join value is identical to the connect value.

Kill

Kill—The accessor made a request to kill a process.

Modify

Modify—The accessor requested Modify access to the object.

OwnGrp

Change owner and Change group—The accessor requested Chown and Chgrp access to the object.

PW

Password—The accessor made a request to change a password.

Note: CA ControlMinder writes this value as Password in the corresponding audit record.

R

Read—The accessor requested read access to an object.

Note: (UNIX) If STAT_intercept is set to 1, this parameter includes stat interception.

Rename

Change file name—The accessor made a request to change the file name of an object.

Sec

Change ACL—The accessor made a request to edit the ACL of the object.

Note: CA ControlMinder writes this value as ACL in the corresponding audit record.

Update

Read, Write, and Execute—The accessor requested Read, Write, and Execute access to an object.

Note: The Update value also filters events when an accessor requested Read and Write access to an object.

Utime

(UNIX) Change time—The accessor made a request to change the modification time of an object.

Note: CA ControlMinder writes this value as Utimes in the corresponding audit record.

W

Write—The accessor requested write access to an object.

X

Execute—The accessor made a request to execute an object.

Note: Some values are not valid for every class. For example, Kill is an invalid value for the FILE class, because the kill action is not available for objects in the FILE class. If you use an invalid value for a class when you write a rule, CA ControlMinder ignores that rule when it reads the file.

AuthorizationResult

Defines the authorization result.

Values: P (permitted), D (denied), * (any result)
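The following is an added example, not CA ControlMinder code or any file shipped with the product. It models how the six-field filter lines above are read and applied to resource access records: the audit.cfg spelling of an access value is translated to the spelling written in the audit record (Del to Erase, Sec to ACL, and so on, as noted above), Connect and Join are treated as the same value, "*" matches anything, and a rule that uses an access value the page says is invalid for its class (Kill with FILE) is dropped on load, as the note above describes. The sample audit.cfg lines and audit records are constructed for the example. Exact per-field matching, with "*" as the only wildcard, is an assumption of this example; the page does not say whether other patterns are accepted.

```python
"""Matcher for audit.cfg resource-access filter lines (added example, not CA code)."""
from dataclasses import dataclass
from typing import Optional

# Access values whose audit.cfg spelling differs from what CA ControlMinder
# writes in the audit record, taken from the notes on this page.
FILTER_TO_RECORD = {
    "Crrdwr": "CrRdWrite", "Crread": "CrRead", "Crwrite": "CrWrite",
    "Del": "Erase", "Filereplace": "Replace", "Filescan": "Scan",
    "PW": "Password", "Sec": "ACL", "Utime": "Utimes",
}

# Connect and Join are stated to be identical; fold both to one spelling.
ACCESS_ALIASES = {"Connect": "Join"}

# Access values the page says are invalid for a class. Only FILE/Kill is
# stated on the page; a rule using such a value is ignored on load.
INVALID_ACCESS_FOR_CLASS = {"FILE": {"Kill"}}

FIELDS = ("class_name", "object_name", "user_name", "program_path", "access", "result")


@dataclass(frozen=True)
class AccessEvent:
    """Six fields shared by a filter rule and an audit record."""
    class_name: str
    object_name: str
    user_name: str
    program_path: str
    access: str   # rule: audit.cfg spelling (e.g. "Del"); record: as written (e.g. "Erase")
    result: str   # "P", "D", or "*" in a rule


def canonical_access(value: str) -> str:
    """Normalise an access value to the spelling used in audit records."""
    value = FILTER_TO_RECORD.get(value, value)
    return ACCESS_ALIASES.get(value, value)


def parse_rule(line: str) -> Optional[AccessEvent]:
    """Parse one filter line; return None for a rule ControlMinder would ignore."""
    fields = line.strip().split(";")
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} ';'-separated fields: {line!r}")
    rule = AccessEvent(*fields)
    if rule.class_name != rule.class_name.upper():
        # The page requires the class name in uppercase; this example rejects
        # the line rather than guessing how the product treats it (assumption).
        raise ValueError(f"class name must be uppercase: {rule.class_name!r}")
    if rule.access in INVALID_ACCESS_FOR_CLASS.get(rule.class_name, set()):
        return None
    return rule


def load_rules(cfg_text: str) -> list:
    rules = []
    for raw in cfg_text.splitlines():
        if raw.strip():
            rule = parse_rule(raw)
            if rule is not None:
                rules.append(rule)
    return rules


def rule_matches(rule: AccessEvent, rec: AccessEvent) -> bool:
    for name in FIELDS:
        want, have = getattr(rule, name), getattr(rec, name)
        if want == "*":
            continue
        if name == "access":
            want, have = canonical_access(want), canonical_access(have)
        if want != have:
            return False
    return True


def is_filtered_out(rec: AccessEvent, rules: list) -> bool:
    """True if any filter line matches, i.e. the record would not be logged."""
    return any(rule_matches(r, rec) for r in rules)


# Constructed sample audit.cfg content (not from the page). The Kill line is
# invalid for FILE and is dropped on load.
SAMPLE_CFG = """
FILE;/tmp/scratch.log;*;*;*;P
FILE;/var/tmp/junk;backup;/usr/bin/rm;Del;D
FILE;*;*;*;Kill;*
"""

# Constructed sample records, with access spelled as the audit record carries it.
SAMPLE_RECORDS = [
    AccessEvent("FILE", "/tmp/scratch.log", "alice", "/usr/bin/vi", "Chmod", "P"),
    AccessEvent("FILE", "/var/tmp/junk", "backup", "/usr/bin/rm", "Erase", "D"),
    AccessEvent("FILE", "/var/tmp/junk", "backup", "/usr/bin/rm", "Erase", "P"),
    AccessEvent("FILE", "/etc/shadow", "root", "/usr/bin/setfacl", "ACL", "P"),
]


def apply_filters() -> list:
    """Return, per sample record, whether the sample rules filter it out."""
    rules = load_rules(SAMPLE_CFG)
    return [is_filtered_out(rec, rules) for rec in SAMPLE_RECORDS]
```

Running apply_filters() shows the first record dropped by the wildcard-access line, the second dropped because Del in the rule is compared against Erase in the record, the third kept because its result is P rather than D, and the fourth kept because no rule covers it. The Kill rule never reaches the rule list.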

Example: Audit Filter Policy