sat_select(1M) sat_select(1M)
NAME
sat_select - preselect events for the system audit trail to gather
SYNOPSIS
sat_select [ -h ] [ idtype ] [ -out ] [ -clearall | -out |
           -on | -off (all | event) ] [ -copy id ]
sat_select [ filetype ] filename
DESCRIPTION
sat_select directs the system audit trail to collect records of a
particular idtype describing certain events and to ignore records
describing certain other events. If no idtype is specified, the events
apply to the global event mask. sat_select with no arguments lists the
audit events currently being collected.
The effect of multiple executions of sat_select is cumulative.
The auditable event types are described in the IRIX Admin: Backup,
Security, and Accounting guide. For a brief, online description, see the
comments in /usr/include/sys/sat.h.
See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
for more information on configuring the audit subsystem.
If the audit daemon, satd(1M), isn't running, sat_select does not select
any audit events for auditing. This is to prevent inadvertently halting
the system, which can happen if no audit daemon is running to remove
events from the queue.
OPTIONS
-h        Help is provided. The names of all possible audit events
          are displayed.
idtype    Is one of the following:
              -sg|-og gid|name     subject|object group
              -su|-ou uid|name     subject|object user id
              -sm|-om mac_label    subject|object mac label
          No idtype defaults to the global event mask.
-out      Print the names of all active audit events for idtype. The
          event names are displayed in the same format that sat_select
          uses for its command line arguments.
-on all|event
          Select the auditing events for a particular idtype. The
          format of the event string is defined in the
          sat_eventtostr(3) reference page. If all is given as the
          event string, all event types are selected.
-off all|event
          Ignore records containing the specified audit event of a
          certain idtype. The format of the event string is defined in
          the sat_eventtostr(3) reference page. If all is given as
          the event string, all event types are ignored.
-copy id  Copy the event mask from id to idtype.
-clearall Clears all active auditing event masks (global and
          id-specific).
filetype filename
          Set events from filename for the filetype:
              -F     global events
              -SG    subject gid events
              -SM    subject label events
              -SU    subject user events
              -OG    object gid events
              -OM    object label events
              -OU    object user events
          The file format for all except the global event file is:
              <id> [<id>...]: -{-on|-off} event ...
          The global event file keeps the same format, containing only
          the event lists. The special event all is also accepted in
          all files, i.e. -F global events
FILES
/etc/init.d/audit                  system audit startup script
/etc/config/audit                  configuration file, on if auditing is enabled
/etc/config/sat_select.options
                                   optional file for site-dependent sat_select options
EXAMPLES
To collect records describing all System V IPC events (creation, change,
access, or removal of semaphores, message queues, and shared memory
segments), in addition to whatever events were previously selected for
collection, give this command:
    sat_select -on sat_svipc_create -on sat_svipc_change \
               -on sat_svipc_access -on sat_svipc_remove
To ignore records describing all events, regardless of what may have been
previously selected, but to collect records initiated by trusted
administrative programs such as login and su, give this command:
    sat_select -off all -on sat_ae_audit -on sat_ae_identity \
               -on sat_ae_custom
To save the current audit state in a file that sat_select can read:
    sat_select -out > /etc/config/sat_select.options
To restore the audit state from a previously saved file:
    sat_select `cat /etc/config/sat_select.options`
To read the subject user options from the configuration file:
    sat_select -SU guest filename
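An added example, not part of this reference page or of the IRIX audit tools: a small Python parser for the per-id file format described under filetype, applying -on/-off cumulatively with the all special case, which is what loading a subject user file with -SU amounts to. It assumes the flag tokens in the file are the same -on/-off words sat_select takes on its command line, and the event names are a constructed subset of what sat_select -h lists.

```python
# Constructed subset of audit event names; the real list comes from `sat_select -h`.
KNOWN_EVENTS = {
    "sat_ae_audit", "sat_ae_identity", "sat_ae_custom",
    "sat_svipc_create", "sat_svipc_change", "sat_svipc_access", "sat_svipc_remove",
}

def apply_selection(mask, tokens):
    """Apply a '-on event -off event ...' sequence to a mask (a set of event names).

    Later flags override earlier ones, mirroring the cumulative effect of
    repeated sat_select invocations; 'all' expands to every known event.
    """
    mask = set(mask)
    if len(tokens) % 2:
        raise ValueError(f"dangling flag in: {' '.join(tokens)}")
    for flag, event in zip(tokens[::2], tokens[1::2]):
        if flag not in ("-on", "-off"):
            raise ValueError(f"expected -on or -off, got {flag!r}")
        if event != "all" and event not in KNOWN_EVENTS:
            raise ValueError(f"unknown audit event {event!r}")
        targets = KNOWN_EVENTS if event == "all" else {event}
        mask = mask | targets if flag == "-on" else mask - targets
    return mask

def parse_id_file(text):
    """Parse lines of the form '<id> [<id>...]: -on|-off event ...' into {id: mask}."""
    masks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no selection
        ids, sep, rest = line.partition(":")
        if not sep or not ids.split():
            raise ValueError(f"line {lineno}: expected '<id> [<id>...]: ...'")
        for ident in ids.split():         # one event list may apply to several ids
            masks[ident] = apply_selection(masks.get(ident, set()), rest.split())
    return masks

# Constructed sample of a subject-user (-SU) file: the second line adds to
# the guest mask built by the first, because selections accumulate.
SAMPLE_SU_FILE = """\
guest nobody: -off all -on sat_ae_audit -on sat_ae_identity
guest: -on sat_ae_custom
root: -on all -off sat_svipc_access
"""

if __name__ == "__main__":
    for ident, mask in sorted(parse_id_file(SAMPLE_SU_FILE).items()):
        print(ident, " ".join(f"-on {e}" for e in sorted(mask)))
```

Run against a real file only after confirming its event names with sat_select -h; the parser rejects names it does not know rather than silently dropping them.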
SEE ALSO
sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
satctl(2), sat_eventtostr(3).
IRIX Admin: Backup, Security, and Accounting