sat_echo(1M) sat_echo(1M)
sat_echo - echo standard input into the system audit trail
sat_echo { -F | -S } satevent
sat_echo inserts the data from its standard input into the system audit
trail. (Only the first 65535 bytes of standard input are used; the rest
are discarded.) Use sat_echo in shell scripts that enforce security
policy and must generate audit records.
Either -F or -S must be supplied, but not both at once. satevent is a
required argument.
The options are:
     -F          The action described by this audit record failed.

     -S          The action described by this audit record succeeded.

     satevent    The printed representation of an audit event type, as
                 described in sat_strtoevent(3). If you want to customize the
                 audit trail with the addition of event types specific to your
                 site, use the sat_ae_custom event type. If you need to
                 distinguish between different types of sat_ae_custom events,
                 structure the event specific data so that it begins with a
                 sub-event type.
Suppose a site security officer (SSO) wanted to make sure that the
auditor was made aware of any changes to system databases in /etc. After
the system was installed, the SSO would have created a master file
describing the /etc tree.
          find /etc -print | xargs ls -dlM > /var/adm/etc-master
A shell script is run nightly that compares the current state of the /etc
tree with the state when the master was made. When discrepancies are
found, an audit record is generated.
          # Snapshot tonight's /etc tree and compare it with the master.
          find /etc -print | xargs ls -dlM > /tmp/etc-tonight
          diff /var/adm/etc-master /tmp/etc-tonight > /tmp/etc-diff
          # A non-empty diff means /etc changed: audit it as a failure.
          if [ -s /tmp/etc-diff ]
          then
               sat_echo -F sat_ae_custom < /tmp/etc-diff
          else
               echo "Nightly /etc check shows no discrepancies." | \
                    sat_echo -S sat_ae_custom
          fi
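The advice above to begin sat_ae_custom data with a sub-event type, combined with the 65535-byte input limit, can be wrapped in a small helper; this is an added example, not part of the original manual page. The names build_custom_record and audit_custom, the header layout, and the availability of mktemp and head -c are assumptions.

```shell
#!/bin/sh
SAT_MAX=65535   # sat_echo uses only the first 65535 bytes of standard input

# build_custom_record SUBEVENT < data          (hypothetical helper)
# Writes "SUBEVENT status=<complete|truncated> bytes=<n>" as the first line,
# then the data, capped at SAT_MAX bytes. The header always survives, so the
# auditor can filter by sub-event and see when data was cut off.
build_custom_record() {
    subevent=$1
    case $subevent in
        ''|*[!A-Za-z0-9_]*) echo "invalid sub-event type" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1        # private, unpredictably named scratch file
    cat > "$tmp"
    bytes=$(wc -c < "$tmp" | tr -d ' ')
    header="$subevent status=complete bytes=$bytes"
    # Header line + newline + data must fit in a single audit record.
    if [ $(( ${#header} + 1 + bytes )) -gt "$SAT_MAX" ]; then
        header="$subevent status=truncated bytes=$bytes"
    fi
    { printf '%s\n' "$header"; cat "$tmp"; } | head -c "$SAT_MAX"
    rm -f "$tmp"
}

# audit_custom {-F|-S} SUBEVENT < data         (hypothetical helper)
# Builds the record first, so a rejected sub-event never reaches the trail
# as an empty or malformed record.
audit_custom() {
    case $1 in
        -F|-S) ;;
        *) echo "usage: audit_custom {-F|-S} subevent" >&2; return 2 ;;
    esac
    rec=$(mktemp) || return 1
    if build_custom_record "$2" > "$rec"; then
        sat_echo "$1" sat_ae_custom < "$rec"
        rc=$?
    else
        rc=2
    fi
    rm -f "$rec"
    return "$rc"
}
```

In the nightly script, the failure branch would then read `audit_custom -F etc_check < /tmp/etc-diff`, where etc_check is a constructed sub-event name.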
satwrite(2), sat_strtoevent(3).