Symantec Privileged Access Management


writing audit filter

  • 1.  writing audit filter

    Posted 11-19-2015 03:25 AM


    I am trying to write an audit filter to filter out some unwanted events on the Unix and Windows platforms.

    I followed the articles audit.cfg File Filter Audit Records - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documentation 

    and auditrouteflt.cfg File Filter Audit Records Routing - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documen…


    The requirement is to filter and drop any events from a specific system user, like the following:


    We need to drop any audit event from the user NT AUTHORITY\SYSTEM.

    This is the example:

    env config

    er config audit.cfg line+("PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*")


    On UNIX:

    We need to drop any event from _CRON_.

    env config
    er config audit.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
    er config audit.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")
    er config auditrouteflt.cfg line+("LOGIN;root;*;_CRONJOB_;*;O")
    er config auditrouteflt.cfg line+("LOGIN;root;*;*;SBIN_CRON;P")


    Did I write them correctly? On Windows it is not applied, and the system still keeps and routes the activity of NT AUTHORITY\SYSTEM.

    What is wrong with those examples?


    Thanks, guys.

  • 2.  Re: writing audit filter
    Best Answer

    Posted 11-19-2015 09:37 AM



    I was able to test and get this line to work in my lab.




    I based that on this syntax.

    <class-name>;<object-name>;<user-name> or <group-name>;<program-path>;<access mode>;<authorization result>


    I was able to block events such as:


    19 Nov 2015 09:33:09 N PROCESS      NT AUTHORITY\SYSTEM Kill      600 10 \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe C:\Windows\system32\conhost.exe   (OS user)

    Event type: Resource access

    Status: Access mask removal notification

    Class: PROCESS

    Resource: \device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe

    Access: Kill


    Program: C:\Windows\system32\conhost.exe

    Date: 19 Nov 2015

    Time: 09:33

    Details: Attempting to terminate CA ControlMinder

    User Logon Session ID: a18b091b-a68b-4b50-9d42-fa4dd156c9a2

    Audit flags: OS user


    Let me know if that doesn't work for you.




    Aaron Armagost

    Principal Support Engineer, CA Privileged Identity Manager
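    Added example (not code from either poster or from the product): a small Python model of how a six-field filter line, read in the field order quoted in the reply above, is matched against the PROCESS record shown there. The matching semantics (case-insensitive, `*` as the only wildcard, the log line's status column treated as the result field) are assumptions, and the second filter line is a hypothetical reordering for comparison, not the reply's own line.

```python
import re
from fnmatch import fnmatchcase

# Field order as quoted in the reply above (assumed to be the audit.cfg order).
FIELDS = ("class", "object", "user", "program", "access", "result")

# Strips the selang wrapper used in the question: er config audit.cfg line+("...")
WRAPPER = re.compile(r'line\+\("(?P<body>[^"]*)"\)')

def parse_filter(config_line):
    """Return the six filter fields from one 'er config ... line+("...")' command."""
    m = WRAPPER.search(config_line)
    body = m.group("body") if m else config_line
    parts = body.split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {body!r}")
    return dict(zip(FIELDS, parts))

def rule_matches(rule, record):
    """Assumed semantics: every field must glob-match case-insensitively; '*' matches anything."""
    return all(fnmatchcase(record[f].lower(), rule[f].lower()) for f in FIELDS)

def matching_rules(config_lines, record):
    """Return the filter lines that would catch this audit record."""
    return [line for line in config_lines if rule_matches(parse_filter(line), record)]

# Constructed from the audit line quoted in the reply (19 Nov 2015 09:33:09 N PROCESS ...).
SYSTEM_KILL_EVENT = {
    "class": "PROCESS",
    "object": r"\device\harddiskvolume2\program files\ca\accesscontrolserver\apms\accesscontrol\bin\agentmanager.exe",
    "user": r"NT AUTHORITY\SYSTEM",
    "program": r"C:\Windows\system32\conhost.exe",
    "access": "Kill",
    "result": "N",  # status column of the log line, treated as the result field (assumption)
}

# The question's line places NT AUTHORITY\SYSTEM in field 2, which the quoted syntax calls object-name.
QUESTION_LINE = r'er config audit.cfg line+("PROCESS;NT AUTHORITY\SYSTEM;*;*;*;*")'
# Hypothetical reordering with the user in field 3 (user-name), purely for comparison.
USER_FIELD_LINE = r'er config audit.cfg line+("PROCESS;*;NT AUTHORITY\SYSTEM;*;*;*")'

if __name__ == "__main__":
    for line in (QUESTION_LINE, USER_FIELD_LINE):
        print(bool(matching_rules([line], SYSTEM_KILL_EVENT)), line)
```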

  • 3.  Re: writing audit filter

    Posted 11-22-2015 05:16 AM

    Thanks AaronArmagost, I will test it and tell you if anything goes wrong.