sat_interpret(1M) sat_interpret(1M)
sat_interpret - convert audit records from binary to English
sat_interpret [ -bdflnu ] [ file ]
sat_interpret takes binary audit records from standard input or
optionally a file and prints the records to standard output in English.
The auditing subsystem was changed with Irix 6.5, and audit records
written on Irix 6.5 or later systems are shown in a different format than
records that were written under previous release levels of Irix.
To illustrate the output format of sat_interpret, the following is an
example of an Irix 6.5 audit record:
sat_open_ro,Success
TIME = (09/23/1998,15:18:18)
SYSCALL = open
SATID = root
COMMAND = acctcvt
CWD = /etc/config
DEVICE = 15,8
PARENT_PID = 80109
PID = 89479
UGID = root,sys
UGID = root,sys
GID_LIST = root,sys,daemon,bin,adm,mail,sysadm,rje
CAP_SET = (all= CAP_SETUID+pi CAP_AUDIT_CONTROL+pi)
DESCRIPTOR_LIST = 3
OPENMODE = (O_RDONLY)
PATHNAME = /lib32/rld
LOOKUP = /lib32//rld
FILE = 1136896,0,49
UGID = root,sys
MODE = rwxr-xr-x
Below is an example of the same event using linear mode, although your
line wrapping may be different:
sat_open_ro,Success TIME=(09/23/1998,15:18:18) SYSCALL=open SATID=root
COMMAND=acctcvt CWD=/etc/config DEVICE=15,8 PARENT
_PID=80109 PID=89479 UGID=root,sys UGID=root,sys GID_LIST=root,daemo
n,bin,adm,mail,sysadm,rje, CAP_SET=(all= CAP_SETUID+pi CAP_AUDIT_CON
TROL+pi) DESCRIPTOR_LIST=3 OPENMODE=(O_RDONLY) PATHNAME=/lib32/rld L
OOKUP=/lib32//rld FILE=1136896,0,49 UGID=root,sys MODE=rwxr-xr-x
The following is an example of a audit record that was generated on an
Irix 6.4 or earlier system:
Page 1
sat_interpret(1M) sat_interpret(1M)
Event type = sat_open_ro
Outcome = Success
Sequence number = 1
Time of event = Mon Dec 09 18:06:27.43 PST 1991
System call = open
Error status = 0 (No error)
Process ID = 55 (chkconfig)
Parent process = 54
Curr working dir = /
Process label = dblow (msenlow/minthigh)
SAT ID = root
User id = root
Group id = sys
Terminal dev. = 127, 255
File descriptor = 3
Open flags = O_RDONLY
Created = No
Pathname information:
Device/Inode = (22, 32)/920
Owner = root
Group = sys
Mode bits = 0100644 (-rw-r--r--)
Label = dblow (msenlow/minthigh)
Requested name = "/etc/config/verbose"
Actual name = "/etc//config//verbose"
Below is an example of the same event displayed in brief mode:
Mon Dec 9 18:06:27.43 PST 1991
+sat_open_ro (open), Success
Process 55 (chkconfig), ppid 54, tty NODEV, cwd /
SAT ID root, uid root, gid sys, label dblow
file descriptor 3, O_RDONLY, not created
Pathname information:
920 -rw-r--r-- root sys /etc/config/verbose [dblow]
Actual name: /etc//config//verbose
Below is an example of the same event displayed in linear mode, although
your line wrapping may differ from what is shown here:
sat_open_ro (open) + (ok) pid:55 chkconfig sreuid:root,root,r
oot regid:sys,sys,sys label:dblow fd:3,(O_RDONLY),exists path
:920,-rw-r--r--,root,sys,dblow,"/etc/config/verbose","/etc//c
onfig//verbose"
-b ``Brief'' mode. Display the record header and pathname output in a
space-saving format. This mode is terse, but it is much easier to
view multiple records on a screen.
Page 2
sat_interpret(1M) sat_interpret(1M)
If the event was successful, the event name is preceded by a `+'
character. If the event failed, it is preceded by a `-'. This
makes it easy to scan for successes or failures. The rest of the
fields are self-explanatory, as they say.
This option only affects the output format for audit records
generated under Irix 6.4 or earlier systems. For records generated
under Irix 6.5 or later systems, this option has no affect.
-d Debug mode. Prints out generally uninteresting information about
the file offset of the record, record and header size, and so on.
-f File descriptors are mapped to the filenames to which they apply
whenever possible.
-l Linear mode. Display the record in a very terse, one line per
record format.
-n Normalize process IDs. The first process ID encountered is mapped
to one, the second to two, and so on. Inode numbers are not
printed, a "-" is printed instead. This option is handy for audit
trail comparisons.
-u Write unbuffered output. (The default is buffered output.) This
option is useful if the output is being piped to another filter.
-z timezone
Override the timezone recorded in the audit file. No error checking
is done on the timezone specified. See timezone(4) for allowable
syntax of the timezone.
sat_interpret is ordinarily used in combination with other audit filters.
To filter all records generated by guest and display them, execute this
sequence:
sat_reduce -u guest sat_xxxxxxxxxxxx | sat_interpret | more
Information about user names and group names is stored in the record
header while label names are retrieved from the local workstation. This
means the user and group names reported are those from the machine where
the records were generated, while the label names are from the machine
sat_interpret was run on.
It is possible for a pathname to exceed the maximum allowable pathname
length, PATH_MAX. When this occurs, the pathname, as shown in the audit
record, is truncated, and the printed pathname starts with the character
string, "/<truncated>/". This is then followed by the last element of
the path name. Truncating the pathname may cause some difficulty in
determining the actual full pathname for extremely long pathnames,
Page 3
sat_interpret(1M) sat_interpret(1M)
however, all of the information needed for auditing purposes is available
by reading previous audit records. Affected audit record tokens are the
following: CWD, PATHNAME, and LOOKUP. Examples of tokens where the
pathname has been truncated are shown below:
CWD = /<truncated>/mycwd
...
PATHNAME = /<truncated>/mypath
...
LOOKUP = //<truncated>//lastlookup
audit(1M), sat_reduce(1M), sat_select(1M), sat_summarize(1M), satd(1M).
IRIX Admin: Backup, Security, and Accounting
P�P�P�Pa�a�a�ag�g�g�ge�e�e�e 4�4�4�4 [ Back ]
|
