  
      Data Structures for audfilter(8dce)
Several audfilter operations add and remove guide data that is stored in a filter.  A guide specifies the action to take when a particular audit condition occurs.  A single filter can contain multiple guides specifying various actions for different conditions.  A guide is identified by a list of the three elements that make up the guide: audit conditions, audit actions, and event classes.  Essentially, a guide specifies what (event classes) to audit, when (audit conditions), and how (audit actions).  Note that event classes are definable by the administrator.
 
Audit Conditions
The possible audit conditions are as follows:
success  Audit only if the event succeeded. 
denial  Audit only if the event failed due to access denials. 
failure  Audit only if the event failed due to other reasons. 
pending  The outcome has not yet been determined. 

Audit Actions
The possible audit actions are as follows:
alarm  Sends the audit record to the system console. 
all  Logs the event and signals the alarm.  If all is set, the audfilter show commands return the action all, not {log alarm all}. 
log  Logs the audit record either in the audit trail file of the audit daemon or a user-specified audit trail file. 
none  Takes no audit action. 
 
 