Chapter 6, Using the Audit Manager

Creating or modifying a report template

In the Audit Manager, select Report Create or Report Modify. Enter the name of the template file to be created or modified. Use <F3> to select from a list of templates; several are included on the system.

You can select records based on five criteria: events, times, users, groups, and files. If you choose All for a category, every event, time, and so on in that category is selected. If you choose Select, you are prompted for the criteria you want within that category:

Audit events can be selected individually, or all of them can be collected. Records for events that are not selected are omitted from the output. Depending on the template you selected, each event is shown with a "Y" or "N" in brackets. Press <Space> to toggle an event between yes and no. When you are satisfied, press <Enter> to save your changes.

The start and stop times for collection can be set; press <F3> to display a calendar. If a security-related event is suspected between certain times of day, you can use this feature to select only the records generated during that period. This concentrates the analysis on the records most likely to reveal what happened.

Both users and groups of users can be singled out for audit. You can highlight a user name and press <Enter>, or use <Space> to mark multiple users and press <Enter> when the list is complete. If a certain user account was the target of a penetration, you could select only those records that were generated from user or group IDs that matched that user. This permits the record search to be concentrated on suspected accounts.

Files (object names) can also be used to select audit records for the output. You can highlight a filename and press <Enter>, or use <Space> to mark multiple files and press <Enter> when the list is complete. For records that contain multiple object names, the record is selected if a specified name matches any object in the record. The object names must be specified as absolute pathnames, because the reduction program resolves all object names from relative to absolute form before matching.

Any combination of the above criteria can be used. For example, a time interval, a user ID, and an object name can be combined in a single session. A record is then selected for output only if it falls within the specified time interval, was generated by a selected user, and names one of the selected objects.

There is a precedence for record selection that governs how the selection criteria combine. If the record's audit event type is not selected, the record is not selected, regardless of the other criteria. Similarly, if time stamp selection is enabled and the record falls outside the window, the record is not selected. If the record passes the event type and time criteria, it is selected if it carries a user ID (login, effective, or real), a group ID (effective or real), or an object name that is specified in the report template. If no users, groups, or objects are specified, only event type and time selection is performed.
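The selection precedence above, written out as an added example (not the Audit Manager's own code); the record and template field names, and the sample records, are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Optional

# Field names below are assumptions for illustration, not the Audit
# Manager's own on-disk template or record format.
@dataclass
class Template:
    events: Optional[set] = None   # None means "All" events
    start: Optional[int] = None    # time window (epoch seconds); None = All
    stop: Optional[int] = None
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    objects: set = field(default_factory=set)

def select_record(rec: dict, t: Template) -> bool:
    """Return True if rec passes the template, applying the stated precedence."""
    # 1. Event type: an unselected event rejects the record, whatever else matches.
    if t.events is not None and rec["event"] not in t.events:
        return False
    # 2. Time window, when enabled, rejects the record on its own as well.
    if t.start is not None and not (t.start <= rec["time"] <= t.stop):
        return False
    # 3. No users, groups or objects in the template: event and time decide.
    if not (t.users or t.groups or t.objects):
        return True
    # 4. Otherwise any one match on login/effective/real user, effective/real
    #    group, or any object name in the record selects it.
    uids = {rec["luid"], rec["euid"], rec["ruid"]}
    gids = {rec["egid"], rec["rgid"]}
    return bool(t.users & uids or t.groups & gids or t.objects & set(rec["objects"]))

def reduce_records(records: list, t: Template) -> list:
    """Filter records; object names must be absolute, as the reduction resolves them."""
    bad = [o for o in t.objects if not o.startswith("/")]
    if bad:
        raise ValueError(f"object names must be absolute pathnames: {bad}")
    return [r for r in records if select_record(r, t)]

# Constructed sample records (not real audit output).
RECORDS = [
    {"event": "open", "time": 100, "luid": "alice", "euid": "alice", "ruid": "alice",
     "egid": "staff", "rgid": "staff", "objects": ["/etc/passwd"]},
    {"event": "open", "time": 200, "luid": "bob", "euid": "root", "ruid": "bob",
     "egid": "wheel", "rgid": "staff", "objects": ["/etc/shadow", "/tmp/x"]},
    {"event": "exec", "time": 300, "luid": "bob", "euid": "bob", "ruid": "bob",
     "egid": "staff", "rgid": "staff", "objects": ["/bin/sh"]},
]

if __name__ == "__main__":
    t = Template(events={"open"}, start=0, stop=250, users={"root"}, objects={"/etc/shadow"})
    print([r["time"] for r in reduce_records(RECORDS, t)])  # [200]
```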