
writing audit filter

Question asked by Wael AbdelWahab Champion on Nov 19, 2015
Latest reply on Nov 22, 2015 by Wael AbdelWahab

Hello,

I am trying to write an audit filter to filter out some unwanted events on the Unix and Windows platforms.

I followed the articles audit.cfg File Filter Audit Records - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documentation

and auditrouteflt.cfg File Filter Audit Records Routing - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documen…


The requirement is to filter and drop any events from a specific system user, like the following:

Windows:

We need to drop any audit event from the user NT AUTHORITY\SYSTEM.

This is the example:

env config

er config audit.cfg line+("PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*")


On UNIX:

We need to drop any event from the _CRON_.

env config
er config audit.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
er config audit.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")
er config auditrouteflt.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
er config auditrouteflt.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")


Did I write them correctly? On Windows, the filter is not applied and the system still keeps and routes the activity of NT AUTHORITY\SYSTEM.

What is wrong with those examples?


Thanks, guys.
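Added example (not from the question, not CA code, and not an answer to it): a small offline dry-run harness for filter lines of the shape posted above. It assumes, as a simplification rather than anything taken from the audit.cfg / auditrouteflt.cfg documentation, that a filter is six ';'-separated positional fields, that '*' matches any value, and that any other field must match the record exactly, including case and whitespace. The field names and the product's real matching rules are not modelled, so a match or non-match here says nothing about what PIM itself will do; the point is only to show how exact-versus-wildcard matching behaves against constructed sample records, and how a filter silently stops matching when a literal field differs from the record by as little as case or a trailing space. The extract_filter_text, parse_filter, dry_run and SAMPLE_RECORDS names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# ASSUMPTIONS of this toy (not taken from the product documentation):
#  * a filter line is six ';'-separated positional fields, the shape the
#    posted lines have; field names and the product's real matching rules
#    are not modelled here
#  * '*' matches any value; anything else must match exactly (case-sensitive)
FIELD_COUNT = 6

# The filter commands as posted in the question, kept verbatim.
POSTED_COMMANDS = [
    r'er config audit.cfg line+("PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*")',
    r'er config audit.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")',
    r'er config audit.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")',
]

_LINE_RE = re.compile(r'line\+\("([^"]*)"\)')


def extract_filter_text(command: str) -> str:
    """Pull the quoted filter text out of an 'er config <file> line+("...")' command."""
    m = _LINE_RE.search(command)
    if not m:
        raise ValueError(f'no line+("...") payload in: {command!r}')
    return m.group(1)


def parse_filter(text: str) -> Tuple[str, ...]:
    """Split a filter into its positional fields; reject the wrong field count."""
    fields = tuple(f.strip() for f in text.split(";"))
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}: {text!r}")
    return fields


def field_matches(pattern: str, value: str) -> bool:
    """Toy rule: '*' matches anything, otherwise exact, case-sensitive comparison."""
    return pattern == "*" or pattern == value


def filter_matches(pattern: Tuple[str, ...], record: Tuple[str, ...]) -> bool:
    return len(record) == FIELD_COUNT and all(
        field_matches(p, v) for p, v in zip(pattern, record)
    )


def first_match(filters: List[str], record: Tuple[str, ...]) -> Optional[str]:
    """Return the text of the first filter that matches the record, or None."""
    for text in filters:
        if filter_matches(parse_filter(text), record):
            return text
    return None


def dry_run(
    commands: List[str], records: List[Tuple[str, ...]]
) -> Dict[Tuple[str, ...], Optional[str]]:
    """Map each record to the filter that would drop it under the toy rules (None = kept)."""
    filters = [extract_filter_text(c) for c in commands]
    return {rec: first_match(filters, rec) for rec in records}


# Constructed sample records (not captured from any system); same positional layout.
SAMPLE_RECORDS = [
    ("PROCESS", r"NT AUTHORITY\SYSTEM", "-", "-", "-", "-"),
    ("PROCESS", r"NT AUTHORITY\System", "-", "-", "-", "-"),   # differs only in case
    ("PROCESS", r"NT AUTHORITY\SYSTEM ", "-", "-", "-", "-"),  # trailing space in the record
    ("LOGIN", "root", "-", "_CRONJOB_", "-", "O"),
    ("LOGIN", "root", "-", "-", "SBIN_CRON", "P"),
    ("LOGIN", "root", "-", "pts/0", "-", "O"),                  # interactive login, no filter
]

if __name__ == "__main__":
    for rec, hit in dry_run(POSTED_COMMANDS, SAMPLE_RECORDS).items():
        print(";".join(rec), "->", ("DROPPED by " + hit) if hit else "kept")
```

Running it shows the first, fourth and fifth sample records matched by the posted filters and the other three kept; the second and third are kept only because the toy compares literals exactly, which is the kind of detail worth checking against the product's own documented matching rules rather than assuming.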
