audfilter.1m (2010 09)

audfilter(1M) audfilter(1M)
NAME
audfilter - load, clear or display audit filtering policy
SYNOPSIS
/usr/sbin/audfilter -c
/usr/sbin/audfilter {-p|-P} [-C compartment] [-m mntpnt] [-s syscall]
/usr/sbin/audfilter -z
DESCRIPTION
audfilter makes a request to the audfilterd daemon to load, clear or display audit filtering policy as specified in the /etc/audit/filter.conf file (see filter.conf(4)). The request is issued to the daemon via a Unix domain socket connection. The daemon determines whether it can satisfy the request and returns the appropriate results to the requesting process. The audfilterd daemon must be started before using audfilter.
This command is restricted to users possessing the authorization (hpux.security.audit.config, *).
Options
audfilterd recognizes the following options:
-c Request to put the current rule-based audit filtering policy as specified in /etc/audit/filter.conf into effect. Rules are parsed into an efficient internal format.
Note that a given set of rules may be expressed in many different ways, but they are all parsed into the same internal format.
A success or failure status will be reported for the request.
-C compartment
Restrict the display for the given compartment. This option must be specified with the -p or -P option.
-m mntpnt
Restrict the display for the given mount point. This option must be specified with the -p or -P option.
-p Request to display the audit filtering policy currently in effect. The rules are not displayed the same way as they were written, but in the order they are evaluated (that is, in the internal format). See also the descriptions of the -C, -m and -s options and WARNINGS.
-P Request to display audit filtering policy in preview mode as specified in the /etc/audit/filter.conf file. This option parses the /etc/audit/filter.conf file, checking for syntax and semantic errors, but makes no changes to the system. The rules will not be displayed the same way as they are written, but in the order they will be evaluated (that is, in the internal format). See also the descriptions of the -C, -m and -s options and WARNINGS.
-s syscall
Restrict the display to the given system call. This option must be used with the -p or -P option.
-z Request to clear the audit filtering policy currently in effect. Upon success, it effectively disables the finer-grained audit filtering feature.
RETURN VALUE
The audfilter command returns 0 for success and non-zero for errors.
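A preview-then-load wrapper built from the options and return values above, as an added example that is not part of the HP-UX manual page: it runs -P first so that a filter.conf with errors is caught before any load request is made, then -c, then -p to show the policy in effect. The function name apply_audit_filter, the AUDFILTER override variable and the wrapper's exit codes 1 and 2 are assumptions of this example, as is -P exiting non-zero when it finds syntax or semantic errors.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manual page.
# AUDFILTER is a hypothetical override so the wrapper can be exercised
# against a stub; the default is the path given in SYNOPSIS.
AUDFILTER=${AUDFILTER:-/usr/sbin/audfilter}

# apply_audit_filter: preview /etc/audit/filter.conf, load it only if the
# preview succeeds, then display the policy now in effect.
# Returns 0 = loaded and displayed
#         1 = preview rejected, no load request was issued
#         2 = load request failed
apply_audit_filter() {
    # -P parses filter.conf and makes no changes to the system.
    # Assumption: syntax or semantic errors give a non-zero exit status.
    if ! preview=$("$AUDFILTER" -P 2>&1); then
        echo "audfilter -P failed; policy not loaded:" >&2
        echo "$preview" >&2
        return 1
    fi

    # -c asks audfilterd to put the rules into effect. A failure here can
    # also mean the daemon is not running or the caller lacks the
    # hpux.security.audit.config authorization.
    if ! "$AUDFILTER" -c; then
        echo "audfilter -c failed; check audfilterd and authorization" >&2
        return 2
    fi

    # -p prints the rules in evaluation order (internal format), which is
    # the form to review or archive after a change.
    "$AUDFILTER" -p
}
```

Because WARNINGS says the display format may change without notice, keep the -p output for human review rather than parsing it in scripts.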
WARNINGS
The way the rules get displayed may change without notice.
AUTHOR
audfilter was developed by the Hewlett-Packard Company.
FILES
/etc/audit/filter.conf
Configuration file that contains rule-based audit filtering policy.
HP-UX 11i Version 3: September 2010    Hewlett-Packard Company