Enter the name of the template file to be created or modified.
Use <F3> to select from a list of templates; several are
included on the system.
You can select based on five criteria: events, times,
users, groups, and files.
If All is chosen for a category, all events, times, and so
forth are selected. If you choose Select, you are prompted
to select the desired criteria:
Audit events can be selected individually, or all events can be
included. Records for events that are not selected are omitted
from the output.
Depending on the template you selected, each event is shown with a
"Y" or "N" in brackets. To toggle an event between yes and no, use
<Space>. When you are satisfied, press <Enter> to save your changes.
The start and stop times for collection.
Press <F3> to get a calendar.
If you suspect that a security-related event occurred between certain
times of day, you can use this feature to select only those records
generated during that period. This concentrates the analysis on the
records most likely to reveal what happened.
Both users and groups of users can be singled out for audit.
You can highlight a user name and press <Enter>, or
use <Space> to mark multiple users and
press <Enter> when the list is complete.
If a particular user account was the target of a penetration,
you can select only those records generated under user or group
IDs that match that account.
This concentrates the record search on the suspected accounts.
Files (object names) can also be used to select audit records for the
output. You can highlight a filename and press <Enter>, or use
<Space> to mark multiple files and press <Enter> when the list is complete.
For records that contain multiple object
names, if a specified name matches any object in the record,
the record is selected. The object names must be specified as absolute
pathnames because all object names are resolved from relative to absolute
names by the reduction program.
Any combination of the above criteria can be used. For
example, time interval, user ID, and object name can be
combined in a single template. A record that falls within the specified
time interval, was generated by a selected user, and names one of the
selected objects is selected for output.
The selection criteria are combined in a fixed order of precedence.
If the record's audit event type is not selected in the template, the
record is rejected regardless of the other criteria. Likewise, if time
selection is enabled and the record's time stamp falls outside the
interval, the record is rejected. A record that passes the event type
and time checks is then selected if any one of its user IDs (login,
effective, or real), group IDs (effective or real), or object names
matches an entry in the report template; these three criteria are
alternatives, so adding a user, group, or object to a template can only
widen the selection, never narrow it. If no users, groups, or objects are
specified, only event type and time selection is performed.
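The following Python is an added illustration of the selection rule described above; it is not part of this help text or of the audit reduction program. The record field names (login, effective and real user IDs, effective and real group IDs, a working directory, and a list of object names), the sample records, and the Template/Record classes are assumptions made for the example. It applies the criteria in the stated order (event type, then time, then user/group/object as alternatives), rejects relative object names in the template, and resolves relative object names in records to absolute pathnames so that they can be compared.

```python
# Added example: a model of audit-record selection precedence.
# Field names and sample records are assumptions, not real audit output.
import posixpath
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class Template:
    """A report template. None for events or times means 'All'."""
    events: Optional[Set[str]] = None          # None = all event types
    start: Optional[datetime] = None           # None = no lower bound
    stop: Optional[datetime] = None            # None = no upper bound
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    objects: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Object names must be absolute: the reduction program compares
        # absolute names only, so a relative name could never match.
        for name in self.objects:
            if not name.startswith("/"):
                raise ValueError("object name must be absolute: %s" % name)
        self.objects = {posixpath.normpath(n) for n in self.objects}


@dataclass
class Record:
    """One audit record (field layout is an assumption for this example)."""
    event: str
    time: datetime
    luid: str                  # login user ID
    euid: str                  # effective user ID
    ruid: str                  # real user ID
    egid: str                  # effective group ID
    rgid: str                  # real group ID
    cwd: str                   # working directory when the record was made
    objects: List[str] = field(default_factory=list)

    def absolute_objects(self) -> List[str]:
        """Resolve relative object names against cwd, as the reducer does."""
        return [
            posixpath.normpath(o if o.startswith("/") else posixpath.join(self.cwd, o))
            for o in self.objects
        ]


def select_record(t: Template, r: Record) -> bool:
    """Return True if the record is selected under the precedence rule."""
    # 1. Event type: an unselected event rejects the record outright.
    if t.events is not None and r.event not in t.events:
        return False
    # 2. Time window, applied only when time selection is enabled.
    if t.start is not None and r.time < t.start:
        return False
    if t.stop is not None and r.time > t.stop:
        return False
    # 3. No user/group/object criteria: event and time selection only.
    if not (t.users or t.groups or t.objects):
        return True
    # 4. Otherwise any one matching user ID, group ID, or object selects (OR).
    if {r.luid, r.euid, r.ruid} & t.users:
        return True
    if {r.egid, r.rgid} & t.groups:
        return True
    return bool(set(r.absolute_objects()) & t.objects)


def reduce_records(t: Template, records: List[Record]) -> List[Record]:
    """Apply a template to a trail and return the selected records, in order."""
    return [r for r in records if select_record(t, r)]


# Constructed sample trail (not real audit output).
SAMPLE = [
    Record("open", datetime(2024, 1, 1, 9, 0), "alice", "alice", "alice",
           "staff", "staff", "/home/alice", ["secret.txt"]),   # relative name
    Record("open", datetime(2024, 1, 1, 23, 30), "bob", "root", "bob",
           "wheel", "staff", "/tmp", ["/etc/passwd"]),          # euid != luid
    Record("exec", datetime(2024, 1, 1, 10, 0), "carol", "carol", "carol",
           "staff", "staff", "/usr/bin", ["/usr/bin/sh"]),
    Record("login", datetime(2024, 1, 1, 11, 0), "bob", "bob", "bob",
           "staff", "staff", "/", []),
]

# A template that selects only records made between 22:00 and 06:00.
NIGHT_WINDOW = Template(start=datetime(2024, 1, 1, 22, 0),
                        stop=datetime(2024, 1, 2, 6, 0))

if __name__ == "__main__":
    for rec in reduce_records(Template(events={"open"}, users={"bob"}), SAMPLE):
        print(rec.time, rec.event, rec.luid, rec.absolute_objects())
```

Note that the second sample record is selected for user "bob" even though its effective user ID is "root": a match on any of the login, effective, or real IDs is enough. Note also that combining users={"alice"} with objects={"/etc/passwd"} selects both the alice record and the bob record, because user, group and object criteria are alternatives rather than a conjunction.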