Layer7 Privileged Access Management


writing audit filter

  • 1.  writing audit filter

    Posted 11-19-2015 03:25 AM

    Hello,

    I am trying to write an audit filter to filter out some unwanted events on the Unix and Windows platforms.

    I followed the articles audit.cfg File Filter Audit Records - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documentation

    and auditrouteflt.cfg File Filter Audit Records Routing - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documen…

     

    The requirement is to filter out and drop any events from specific system users, like the following:

    Windows:

    we need to drop any audit event from the user NT AUTHORITY\SYSTEM

    This is the example:

    env config

    er config audit.cfg line+("PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*")

     

    on UNIX :

    we need to drop any event from the _CRON_

    env config
    er config audit.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
    er config audit.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")
    er config auditrouteflt.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
    er config auditrouteflt.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")

     

    Did I write them correctly? On Windows it is not applied, and the system still keeps and routes the activity of NT AUTHORITY\SYSTEM.

    What is wrong with those examples?

     

    thanks guys



  • 2.  Re: writing audit filter
    Best Answer

    Posted 11-19-2015 09:37 AM

    Hello,

     

    I was able to test and get this line to work in my lab.

     

    PROCESS;*;NT AUTHORITY\SYSTEM;*;*;*

     

    I based that on this syntax.

    <class-name>;<object-name>;<user-name> or <group-name>;<program-path>;<access mode>;<authorization result>

     

    I was able to block events such as:

     

    19 Nov 2015 09:33:09 N PROCESS      NT AUTHORITY\SYSTEM Kill      600 10 \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe C:\Windows\system32\conhost.exe   (OS user)

    Event type: Resource access

    Status: Access mask removal notification

    Class: PROCESS

    Resource: \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe

    Access: Kill

    User name: NT AUTHORITY\SYSTEM

    Program: C:\Windows\system32\conhost.exe

    Date: 19 Nov 2015

    Time: 09:33

    Details: Attempting to terminate CA ControlMinder

    User Logon Session ID: a18b091b-a68b-4b50-9d42-fa4dd156c9a2

    Audit flags: OS user

     

    Let me know if that doesn't work for you.

     

    Thanks,

     

    Aaron Armagost

    Principal Support Engineer, CA Privileged Identity Manager
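    To see why the line from the question misses the event while the line from the answer catches it, here is an added Python sketch (not part of this thread and not the product's own matching code) that applies the six-field syntax quoted above to the sample PROCESS event. Wildcard and case-insensitive matching, and reading the leading "N" of the log line as the authorization result, are assumptions.

```python
import fnmatch

# Field order exactly as quoted in the answer above.
FIELDS = ("class", "object", "user", "program", "access", "result")


def parse_filter(line: str) -> dict:
    """Split one audit.cfg filter line into its six ';'-separated fields."""
    parts = [p.strip() for p in line.strip().split(";")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def rule_matches(rule: dict, event: dict) -> bool:
    """True when every field of the rule matches the same field of the event.
    Assumed for this example: '*' is a wildcard and matching ignores case."""
    return all(fnmatch.fnmatchcase(event[f].lower(), rule[f].lower()) for f in FIELDS)


def is_dropped(filter_lines, event: dict) -> bool:
    """An event is dropped as soon as any configured filter line matches it."""
    return any(rule_matches(parse_filter(line), event) for line in filter_lines)


# Constructed from the PROCESS event quoted in the answer; the leading "N" of
# the log line is assumed to be the authorization-result field.
SAMPLE_EVENT = {
    "class": "PROCESS",
    "object": r"\device\harddiskvolume2\program files\ca\accesscontrolserver"
              r"\apms\accesscontrol\bin\agentmanager.exe",
    "user": r"NT AUTHORITY\SYSTEM",
    "program": r"C:\Windows\system32\conhost.exe",
    "access": "Kill",
    "result": "N",
}

# The line from the question puts the user name in the <object-name> field,
# so it never matches; the line from the answer puts it in <user-name>.
ORIGINAL_LINE = r"PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*"
CORRECTED_LINE = r"PROCESS;*;NT AUTHORITY\SYSTEM;*;*;*"

if __name__ == "__main__":
    for line in (ORIGINAL_LINE, CORRECTED_LINE):
        print(f"{line:40} drops sample event: {is_dropped([line], SAMPLE_EVENT)}")
```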



  • 3.  Re: writing audit filter

    Posted 11-22-2015 05:16 AM

    Thanks AaronArmagost, I will test it and tell you if anything goes wrong.