sat_select man page on IRIX




sat_select(1M)							sat_select(1M)

NAME
     sat_select - preselect events for the system audit trail to gather

SYNOPSIS
     sat_select [ -h ] [ idtype ] [ -out ] [ -clearall | -out |
     -on | -off (all | event) ] [ -copy id ]

     sat_select [ filetype ] filename

DESCRIPTION
     sat_select directs the system audit trail to collect records of a
     particular idtype describing certain events and to ignore records
     describing certain other events.  Note that if no idtype is specified,
     the events apply to the global event mask by default.  sat_select with
     no arguments lists the audit events currently being collected.

     The effect of multiple executions of sat_select is cumulative except when
     multiple idtypes are used.

     The auditable event types are described in the IRIX Admin: Backup,
     Security, and Accounting guide.  For a brief, online description, see
     the comments in /usr/include/sys/sat.h.

     See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
     for more information on configuring the audit subsystem.

     If the audit daemon, satd(1M), isn't running, sat_select does not select
     any audit events for auditing.  This is to prevent inadvertently halting
     the system, which can happen if an audit daemon is not running to remove
     events from the queue.

OPTIONS
     -h		  Help is provided.  The names of all possible audit events
		  are displayed.

     idtype	  Is one of the following:
		   -sg|-og gid|name   subject|object group
		   -su|-ou uid|name   subject|object user id
		   -sm|-om mac_label  subject|object mac label
		  No idtype defaults to global event mask.

		  object in this context is a passive entity that contains or
		  receives information. Examples of objects are files,
		  directories, programs, etc.

		  subject refers to an active entity generally in the form of
		  a person, process or device that causes information to flow
		  among objects or changes the system state.

     -out	  Print the names of all active audit events for idtype.  The
		  event names are displayed in the same format that sat_select
		  uses for its command line arguments.

     -on all|event
		  Select the auditing events for a particular idtype. The
		  format of the event string is defined in the
		  sat_eventtostr(3) reference page.  If all is given as the
		  event string, all event types are selected.

     -off all|event
		  Ignore records containing the specified audit event of a
		  certain idtype. The format of the event string is defined in
		  the sat_eventtostr(3) reference page.	 If all is given as
		  the event string, all event types are ignored.

     -copy id	  Copy the event mask from id to idtype.

     -clearall	  Clears all active auditing event masks (global and id
		  specific).

     filetype filename
		  Set events from filename for the filetype:
		   -F  global events
		   -SG subject gid events
		   -SM subject label events
		   -SU subject user events
		   -OG object gid events
		   -OM object label events
		   -OU object user events

		  The filenames for selecting subject user, group, or label
		  events are sat_select.subject.user,
		  sat_select.subject.group, and sat_select.subject.mac. The
		  options files for selecting object user, group, or label
		  events are sat_select.object.user, sat_select.object.group,
		  and sat_select.object.mac.

		  The file format for all except the global event file is:
		       <id> [<id>...]: -{-on|-off} event ...
		  The global event file remains the same, containing only the
		  event list. A special event, all, is also accepted in all
		  files, i.e. -F global events.

FILES
     /etc/init.d/audit	 system audit startup script
     /etc/config/audit	 configuration file, on if auditing is enabled
     /etc/config/sat_select.options
			 optional file for site-dependent sat_select options

EXAMPLES
     1. To collect records describing all System V IPC events (creation,
     change, access, or removal of semaphores, message queues, and shared
     memory segments), in addition to whatever events were previously selected
     for collection, give this command:

	       sat_select -on sat_svipc_create -on sat_svipc_change \
	       -on sat_svipc_access -on sat_svipc_remove

     2. To ignore records describing all events, regardless of what may have
     been previously selected, but to collect records initiated by trusted
     administrative programs such as login and su, give this command:

	       sat_select -off all -on sat_ae_audit -on sat_ae_identity \
	       -on sat_ae_custom

     3. To collect records for all events generated by user <dodgy_user>:

		sat_select -su dodgy_user -on all

	Alternatively, you can use the user ID instead of the username:

		sat_select -su userid -on all

     4. To collect records describing events (access) on all objects with
	label dbadmin. Note that these events are in addition to whatever
	events have been previously selected:

	       sat_select -om dbadmin -on sat_access_denied

	Although labels are only used on the TRIX platform, this example
	describes the use of the idtype associated with objects.

     5. To save the current audit state in a file that sat_select can read:

	       sat_select -out > /etc/config/sat_select.options

     6. To restore the audit state from a previously saved file:

	       sat_select `cat /etc/config/sat_select.options`

     7. To read the subject user options from the configuration file:

	       sat_select -SU guest filename
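
     Examples 5 and 6 save and restore the event mask; the saved file can
     also serve as a baseline for checking whether the live mask has been
     changed. The script below is an added example, not part of the original
     reference page. It assumes the saved output consists of -on event and
     -off event pairs as in the examples above; the function names
     enabled_events and mask_drift are hypothetical.

```shell
#!/bin/sh
# Added example: report drift between a saved sat_select mask and another mask.
# Assumption: mask files hold "-on event" / "-off event" pairs, applied left to
# right, as in EXAMPLES 1, 2 and 5. Other tokens (idtype flags) are ignored.

# enabled_events FILE: print the sorted set of events FILE leaves switched on.
# "-off all" clears the set; "-on all" is kept as the literal event "all".
enabled_events() {
    tr -s '[:space:]' '\n' < "$1" | awk '
        $0 == "-on" || $0 == "-off" { op = $0; next }
        $0 == ""                    { next }
        op == "-on"                 { on[$0] = 1 }
        op == "-off" && $0 == "all" { for (e in on) delete on[e] }
        op == "-off" && $0 != "all" { delete on[$0] }
                                    { op = "" }
        END                         { for (e in on) print e }
    ' | LC_ALL=C sort -u
}

# mask_drift BASELINE CURRENT: one line per event that differs.
#   "missing: ev"  ev is on in BASELINE but not in CURRENT (coverage lost)
#   "extra: ev"    ev is on in CURRENT but not in BASELINE
mask_drift() {
    _base=$(mktemp) _cur=$(mktemp)
    enabled_events "$1" > "$_base"
    enabled_events "$2" > "$_cur"
    LC_ALL=C comm -23 "$_base" "$_cur" | sed 's/^/missing: /'
    LC_ALL=C comm -13 "$_base" "$_cur" | sed 's/^/extra: /'
    rm -f "$_base" "$_cur"
}

# On a host where sat_select exists, compare the live global mask with the
# baseline saved in example 5. Any output line means the mask has drifted.
if command -v sat_select >/dev/null 2>&1 &&
   [ -r /etc/config/sat_select.options ]; then
    _live=$(mktemp)
    sat_select -out > "$_live"
    mask_drift /etc/config/sat_select.options "$_live"
    rm -f "$_live"
fi
```

     A "missing" line is the case to alert on: an event the site decided to
     audit is no longer being collected.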

SEE ALSO
     sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
     satctl(2), sat_eventtostr(3).

     IRIX Admin: Backup, Security, and Accounting
