Here is an example filter that selects all files which are either directories or links, or files of any type owned by user mark and in group cfengine:

    control:

       actionsequence = ( files )

    files:

       /tmp       filter=testfilteralias action=alert r=inf
       /cfengine  filter=testfilteralias action=fixall r=inf mode=644

    filters:

       { testfilteralias

       Owner:     "mark"
       Group:     "cfengine"
       Type:      "dir|link"
       Result:    "Type|(Owner.Group)"  # Both owner AND group required correct
       }

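
The following Python sketch is an added illustration, not cfengine code or part of the original documentation: it models how the Result line above combines the individual criteria, which is worth checking before a filter is paired with action=fixall. It assumes `.` means AND and binds tighter than `|` (OR), and exact-name matching for Owner and Group; the function names, the `reg` type label and the sample objects are constructed for the example.

```python
import re

def evaluate_result(expr, matched):
    """Evaluate a Result expression; matched maps criterion name -> bool."""
    tokens = re.findall(r"\w+|[().|]", expr) + ["<end>"]

    def parse_or():                      # lowest precedence: a|b
        value = parse_and()
        while tokens[0] == "|":
            tokens.pop(0)
            rhs = parse_and()            # parse first so no token is skipped
            value = value or rhs
        return value

    def parse_and():                     # assumed to bind tighter: a.b
        value = parse_atom()
        while tokens[0] == ".":
            tokens.pop(0)
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        tok = tokens.pop(0)
        if tok != "(":
            return matched[tok]          # KeyError on an unknown criterion
        value = parse_or()
        if tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return value

    result = parse_or()
    if tokens != ["<end>"]:
        raise ValueError("unexpected token: " + tokens[0])
    return result

# Constructed sample objects: (path, type, owner, group); "reg" = regular file.
SAMPLE = [
    ("/tmp/cache", "dir", "root", "root"),
    ("/tmp/notes", "reg", "mark", "cfengine"),
    ("/tmp/draft", "reg", "mark", "users"),
    ("/tmp/core", "reg", "root", "cfengine"),
]

def selected_paths(result="Type|(Owner.Group)", files=SAMPLE):
    """Paths selected by the testfilteralias criteria under `result`."""
    return [path for path, ftype, owner, group in files
            if evaluate_result(result, {"Type": ftype in ("dir", "link"),
                                        "Owner": owner == "mark",
                                        "Group": group == "cfengine"})]
```

With the sample objects, only the directory and the file whose owner and group both match are selected; a file matching on owner alone or group alone is not.
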
The next example finds all ELF executables using data from the Unix file command.
Caution: this takes a long time if used indiscriminately.

    control:

       actionsequence = ( files )

    files:

       /tmp       filter=testfilteralias action=alert r=inf
       /cfengine  filter=testfilteralias action=fixall r=inf mode=644

    filters:

       { testfilteralias

       ExecRegex: "/bin/file (.*ELF.*)"
       Result:    "ExecRegex"
       }

Here is an example which warns of any process coupled to a terminal started in November:

    control:

       actionsequence = ( processes )

    filters:

       { filteralias

       FromSTime: "date(2000,11,0,0,0,0)"
       ToSTime:   "date(2000,11,30,0,0,0)"
       TTY:       ".*pt.*"
       Result:    "TTY.STime"
       }

    processes:

       "." filter=filteralias action=warn