auditd.rc(4) CLIX auditd.rc(4)
NAME
auditd.rc - The auditd configuration file
DESCRIPTION
The /usr/adm/auditd.rc file contains configuration directives for the
auditd audit log command. These directives may appear in any order, and
none of them is required. Each directive is followed by a multi-line
specification, which remains in effect until the next directive or the
end of the file is encountered.
The directives which may appear in this file are as follows:
# This is a comment line. The auditd command ignores these lines.
alarm Each name listed after this line is the pathname of a file that, if
touched, is to be reported to the console. Only one pathname per
line is permitted. Regular expressions (see ed(1) for more
information) may be used in specifying files.
amail After this line, place the mail path of the user to notify in
case of an alarm. If more than one mail path is listed, only the
first one is used. The rest are ignored. If this directive is
not included, then alarms are mailed to the root user on the
local system.
nologf After this line, list the names of files, if touched, that are
not to be logged by auditd. Regular expressions may be used in
specifying files. The nologf and logf directives are mutually
exclusive.
logf After this line, list the names of files, if touched, that are to
be logged by auditd. If a file does not appear in this list, it
will not be logged. Regular expressions may be used in
specifying files. The nologf and logf directives are mutually
exclusive.
nologp After this line, list the names of programs that are not to be
logged by auditd. Regular expressions may be used in specifying
process names. The nologp and logp directives are mutually
exclusive.
logp After this line, list the names of the programs that are to be
logged by auditd. If a program is not in the list, it is not
logged. Regular expressions may be used in specifying program
names. The nologp and logp directives are mutually exclusive.
EXAMPLES
In the following sample auditd.rc file, the alarm, nologf, and nologp
directives are specified. This file specifies that if any files in the
/usr/src/[sS]ecret directory are touched, a message is to be sent to the
console. With the nologf directive, auditd does not report any use of
files in the /usr/lib/nodes/heard directory. The lines after the nologp
directive tell auditd not to log the ps, mailx, and login processes.
#tell me if anyone touches these files
alarm
/usr/src/[sS]ecret/*
/etc/passwd
#I don't care if anyone touches these files
nologf
/usr/lib/nodes/heard/*
#I don't care if these processes touch anything
nologp
ps
mailx
login
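The directive rules above, as an added example that is not part of the CLIX manual or of auditd itself: a small Python checker that parses an auditd.rc file, rejects the mutually exclusive combinations, applies the first-amail-only and root-default rules, and matches names the way ed(1) searches do (unanchored, which is an assumption about how auditd applies its patterns).

```python
import re

DIRECTIVES = ("alarm", "amail", "nologf", "logf", "nologp", "logp")

def parse_auditd_rc(text):
    """Return {directive: [specification lines]}, enforcing the man page's rules."""
    cfg = {d: [] for d in DIRECTIVES}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment lines are ignored
            continue
        if line in DIRECTIVES:                  # a directive opens a new block
            current = line
            continue
        if current is None:
            raise ValueError(f"specification before any directive: {line!r}")
        if current != "amail":
            re.compile(line)                    # reject a malformed pattern early
        cfg[current].append(line)
    for keep, drop in (("logf", "nologf"), ("logp", "nologp")):
        if cfg[keep] and cfg[drop]:
            raise ValueError(f"{keep} and {drop} are mutually exclusive")
    return cfg

def matches(patterns, name):
    # ed(1) searches are unanchored, so a pattern matches anywhere in the name
    # (assumption: auditd applies its patterns the same way).
    return any(re.search(p, name) for p in patterns)

def alarm_recipient(cfg):
    """Only the first amail path is used; the default is root on the local system."""
    return cfg["amail"][0] if cfg["amail"] else "root"

def is_logged(cfg, kind, name):
    """kind is 'f' for a file pathname or 'p' for a program name."""
    if cfg["log" + kind]:                       # logf/logp: only listed names are logged
        return matches(cfg["log" + kind], name)
    return not matches(cfg["nolog" + kind], name)   # nologf/nologp: listed names skipped

# The man page's own sample file (mailx and login dropped), as constructed input.
SAMPLE_RC = """\
#tell me if anyone touches these files
alarm
/usr/src/[sS]ecret/*
/etc/passwd
nologf
/usr/lib/nodes/heard/*
nologp
ps
"""
```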
FILES
/usr/adm/auditd.rc The auditd configuration file.
RELATED INFORMATION
Commands: ed(1), auditd(8), auditr(8)
2 Intergraph Corporation - 2/94