HP-UX audit trail filtering

 
Roman Lobus
New Member
Hello,

I'm trying to set up audit trail filtering based on the features of DPMS filters.
The file with rules contains several rules intended to exclude some unneeded info:
-----

[filter]
-file.pathname =~ /^\/usr\/lib/ || file.pathname =~ /^\/usr\/local\/lib/ || file.pathname =~ /^\/usr\/sbin/ || file.pathname =~ /^\/dev/ || file.pathname =~ /^\/sbin/ || file.pathname =~ /^\/usr\/bin/ || file.pathname =~ /^\/usr\/local\/bin/ || file.pathname =~ /^\/usr\/lib/ || file.pathname =~ /^\/usr\/local\/lib/ || file.pathname =~ /^\/lib/|| file.pathname =~ /^\/usr\/local\/etc/ || file.pathname =~ /^\/etc/ ;
-open.oflag=read-only

[filter]
exclude file.pathname =~ /^\/tmp/ || file.pathname =~ /^\/usr\/man/ || file.pathname =~ /^\/usr\/tmp/ || file.pathname =~ /^\/usr\/local\/doc/ || file.pathname =~ /^\/usr\/local\/share/ || file.pathname =~ /^\/usr\/share/
------------------------------------------
But it doesn't work as intended: exclude open calls with the read-only flag, exclude everything related to /tmp and the other directories, and leave everything else.

When this file is split into two files with one rule in each, it works, but it creates overhead because of the pipe usage:

# auditdp -S /etc/audit/dpms_filters/rule1 -r /var/.audit/trail -P | auditdp -p -S /etc/audit/dpms_filters/rule2

Is there any solution to have only one file with rules?
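An added example (not from the post and not HP-UX auditdp code) that models what the two-stage pipe above computes: an event survives `rule1 | rule2` only if neither stage excludes it, so a single combined filter has to express "exclude if rule1 matches OR rule2 matches". The script checks that equivalence on constructed sample records; it assumes the poster intends the two lines of the first rule (path list and `open.oflag=read-only`) to be ANDed, and it anchors the path patterns on a directory boundary, which the posted plain-prefix regexes do not.

```python
import re

# Path groups taken from the poster's two rules. The "(/|$)" suffix is an
# added hardening: the posted patterns are bare prefixes, so /^\/etc/ would
# also match a path such as /etcetera/file.
SYSTEM_DIRS = re.compile(
    r"^/(usr/lib|usr/local/lib|usr/sbin|dev|sbin|usr/bin|usr/local/bin"
    r"|lib|usr/local/etc|etc)(/|$)"
)
NOISE_DIRS = re.compile(
    r"^/(tmp|usr/man|usr/tmp|usr/local/doc|usr/local/share|usr/share)(/|$)"
)

# Constructed sample records (not real audit trail data); each carries the
# two fields the rules refer to: file.pathname and open.oflag.
SAMPLE = [
    {"pathname": "/usr/lib/libc.so", "oflag": "read-only"},   # rule1 drops
    {"pathname": "/usr/lib/libc.so", "oflag": "read-write"},  # kept: write
    {"pathname": "/tmp/scratch", "oflag": "read-only"},       # rule2 drops
    {"pathname": "/etcetera/file", "oflag": "read-only"},     # kept: boundary
    {"pathname": "/home/user/.profile", "oflag": "read-write"},  # kept
]

def rule1_excludes(rec):
    # Assumed reading of rule1: system-path match AND read-only open.
    return bool(SYSTEM_DIRS.match(rec["pathname"])) and rec.get("oflag") == "read-only"

def rule2_excludes(rec):
    return bool(NOISE_DIRS.match(rec["pathname"]))

def pipeline(records):
    """Two filter files joined by a pipe: stage two sees only stage one's output."""
    stage1 = [r for r in records if not rule1_excludes(r)]
    return [r for r in stage1 if not rule2_excludes(r)]

def combined(records):
    """Single filter expressing the same thing: drop if either rule matches."""
    return [r for r in records if not (rule1_excludes(r) or rule2_excludes(r))]

if __name__ == "__main__":
    for rec in combined(SAMPLE):
        print("kept:", rec["pathname"], rec["oflag"])
    print("equivalent:", pipeline(SAMPLE) == combined(SAMPLE))
```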