Audit Rules File Format

The rules file is a text file that is used by the audit commands. The rules file determines which files to validate and which file attributes of those files to ignore.

To create an audit rules file, see How to Create an Audit Rules File (Web Browser) and How to Import an Audit Rules File to the Change Manager Repository (Web Browser) or How to Import Audit Rules Files to the Change Manager Repository (Command Line).

Some lines are ignored by the manifest comparison tool. Ignored lines include blank lines, lines that consist only of white space, and comments that begin with #.

The rules file supports three directives: CHECK, IGNORE, and a subtree directive, which is an absolute path name plus optional pattern matching modifiers. The rules file uses the directives to create logical blocks.

Syntax

The syntax for the rules file is as follows:

[IGNOREattribute...]*
[CHECK] [attribute...]*

subtree1 [pattern...]*
[IGNORE attribute...]*
[CHECK] [attribute...]*

subtree2 [pattern...]*
subtree3 [pattern...]*
subtree4 [pattern...]*
[IGNORE attribute...]*
[CHECK] [attribute...]*
...

Rule Blocks

Rule blocks are composed of statements that are created by using directives and arguments. There are three types of blocks.

Global block

The first block in the file. The block is considered "global" if it specifies CHECK and IGNORE statements, but no previous subtree statement. A global block pertains to all subsequent blocks.

Local block

A block that specifies CHECK and IGNORE statements as well as a subtree directive. The rules in this block pertain to files and directories found in the specified subtree.

Heir block

A block that contains a null CHECK statement, no arguments. This block inherits the global CHECK statements and global IGNORE statements.

The order in which CHECK and IGNORE statements appear in blocks is important. The CHECK and IGNORE statements are processed in the order in which they are read, with later statements overriding earlier statements.

Subtree specifications must appear one per line. Each specification must begin with an absolute path name. Optionally, each specification can be followed by pattern-matching arguments.

When a file being tracked belongs to more than one subtree directive, the resolution is performed by doing the following:

• Applying the CHECK and IGNORE statements set in a global block. Note that all CHECK and IGNORE statements are processed in order.

• Finding the last subtree directive that matches the file.

• Processing the CHECK and IGNORE statements that belong to the last matching subtree directive. These statements are processed in the order in which they are read, overriding global settings.

Pattern Matching Statements

The syntax for the audit rules file enables you to perform ANDing and ORing operations.

AND Statement

For a given subtree directive, all pattern matching statements are logically ANDed with the subtree. Patterns have the following syntax:

• Wildcards are permitted for both the subtree and pattern matching statements.

• The exclamation point (!) character represents logical NOT.

• A pattern that terminates with a slash is a subtree. The absence of a slash indicates that the pattern is not a directory. The subtree itself does not require an end slash.

For example, the following subtree example includes the contents of /home/nickiso/src except for object files, core files, and all of the SCCS subtrees. Note that directory names that terminate with .o and directories named core are not excluded because the patterns specified do not terminate with /.

/home/nickiso/src !*.o !core !SCCS/
CHECK	all

OR Statement

Group multiple subtree directives together. Such subtree directives are logically ORed together.

/home/nickiso/src !*.o !core
/home/nickiso/Mail
/home/nickiso/docs *.sdw
CHECK	all
IGNORE	mtime lnmtime dirmtime

The files included in the previous example are as follows:

• Everything under /home/nickiso/src except for *.o and core files

• Everything under /home/nickiso/Mail

• All files under /home/nickiso/docs that end in *.sdw

For these files, all attributes are checked except for modification times.

File Attributes

The audit rules file uses CHECK and IGNORE statements to define which attributes to track or ignore. Each attribute has an associated keyword.

The attribute keywords are as follows:

• acl

• all

• contents

• dest

• devnode

• dirmtime

• gid

• lnmtime

• mode

• mtime

• size

• type

• uid

• xattrs

The all keyword refers to all file attributes. See Manifest File Format.

Rules File Example

# Global rules, track everything except dirmtime.
CHECK	all
IGNORE	dirmtime

# The files in /data* are expected to change, so don't bother
# tracking the attributes expected to change.
# Furthermore, by specifying "IGNORE contents," you save
# time and resources.
/data*
IGNORE	contents mtime size

/home/nickiso f* bar/
IGNORE	acl

# For /usr, apply the global rules.
/usr
CHECK

# Note: Since /usr/tmp follows the /usr block, the /usr/tmp
# subtree is subjected to the "IGNORE all."
/usr/tmp
/home/nickiso *.o
/home/nickiso core
/home/nickiso/proto
IGNORE	all

The following files are cataloged based on the sample rules file:

• All attributes, except for dirmtime, mtime, size, and contents, are tracked for files under the /data* subtrees.

• Files under the /usr subtree, except for /usr/tmp, are cataloged by using the global rules.

• If the /home/nickiso/foo.c file exists, its attributes, except for acl and dirmtime, are cataloged.

• All .o and core files under /home/nickiso, as well as the /home/nickiso/proto and /usr/tmp subtrees, are ignored.

• If the /home/nickiso/bar/foo.o file exists, it is ignored because it is subject to the last block.