sat_interpret(1M)                                          sat_interpret(1M)

NAME
     sat_interpret - convert audit records from binary to English

SYNOPSIS
     sat_interpret [ -bdflnu ] [ -s delimiter ] [ -z timezone ] [ file ]

DESCRIPTION
     sat_interpret takes binary audit records from standard input, or
     optionally from a file, and prints the records to standard output in
     English.

     The auditing subsystem was changed with Irix 6.5. Audit records written
     on Irix 6.5 or later systems are shown in a different format from
     records that were written under previous release levels of Irix.

     To illustrate the output format of sat_interpret, the following is an
     example of an Irix 6.5 audit record:

          sat_open_ro,Success
               TIME = (09/23/1998,15:18:18)
               SYSCALL = open
               SATID = root
               COMMAND = acctcvt
               CWD = /etc/config
               DEVICE = 15,8
               PARENT_PID = 80109
               PID = 89479
               UGID = root,sys
               UGID = root,sys
               GID_LIST = root,sys,daemon,bin,adm,mail,sysadm,rje
               CAP_SET = (all= CAP_SETUID+pi CAP_AUDIT_CONTROL+pi)
               DESCRIPTOR_LIST = 3
               OPENMODE = (O_RDONLY)
               PATHNAME = /lib32/rld
               LOOKUP = /lib32//rld
               FILE = 1136896,0,49
               UGID = root,sys
               MODE = rwxr-xr-x

     Below is an example of the same event using linear mode (one record per
     line), although your line wrapping may be different:

          sat_open_ro,Success TIME=(09/23/1998,15:18:18) SYSCALL=open SATID=root COMMAND=acctcvt CWD=/etc/config DEVICE=15,8 PARENT_PID=80109 PID=89479 UGID=root,sys UGID=root,sys GID_LIST=root,daemon,bin,adm,mail,sysadm,rje, CAP_SET=(all= CAP_SETUID+pi CAP_AUDIT_CONTROL+pi) DESCRIPTOR_LIST=3 OPENMODE=(O_RDONLY) PATHNAME=/lib32/rld LOOKUP=/lib32//rld FILE=1136896,0,49 UGID=root,sys MODE=rwxr-xr-x

     The following is an example of an audit record that was generated on an
     Irix 6.4 or earlier system:

          Event type = sat_open_ro
          Outcome = Success
          Sequence number = 1
          Time of event = Mon Dec 09 18:06:27.43 PST 1991
          System call = open
          Error status = 0 (No error)
          Process ID = 55 (chkconfig)
          Parent process = 54
          Curr working dir = /
          Process label = dblow (msenlow/minthigh)
          SAT ID = root
          User id = root
          Group id = sys
          Terminal dev. = 127, 255
          File descriptor = 3
          Open flags = O_RDONLY
          Created = No
          Pathname information:
               Device/Inode = (22, 32)/920
               Owner = root
               Group = sys
               Mode bits = 0100644 (-rw-r--r--)
               Label = dblow (msenlow/minthigh)
               Requested name = "/etc/config/verbose"
               Actual name = "/etc//config//verbose"

     Below is an example of the same event displayed in brief mode:

          Mon Dec  9 18:06:27.43 PST 1991 +sat_open_ro (open), Success
          Process 55 (chkconfig), ppid 54, tty NODEV, cwd /
          SAT ID root, uid root, gid sys, label dblow
          file descriptor 3, O_RDONLY, not created
          Pathname information:
               920 -rw-r--r-- root sys /etc/config/verbose [dblow]
               Actual name: /etc//config//verbose

     Below is an example of the same event displayed in linear mode, although
     your line wrapping may differ from what is shown here:

          sat_open_ro (open) + (ok) pid:55 chkconfig sreuid:root,root,root regid:sys,sys,sys label:dblow fd:3,(O_RDONLY),exists path:920,-rw-r--r--,root,sys,dblow,"/etc/config/verbose","/etc//config//verbose"

OPTIONS
     -b   ``Brief'' mode. Display the record header and pathname output in a
          space-saving format. This mode is terse, but it is much easier to
          view multiple records on a screen. If the event was successful, the
          event name is preceded by a `+' character. If the event failed, it
          is preceded by a `-'. This makes it easy to scan for successes or
          failures. The rest of the fields are self-explanatory, as they say.
          This option only affects the output format for audit records
          generated under Irix 6.4 or earlier systems. For records generated
          under Irix 6.5 or later systems, this option has no effect.

     -d   Debug mode. Prints out generally uninteresting information about
          the file offset of the record, record and header size, and so on.

     -f   File descriptors are mapped to the filenames to which they apply
          whenever possible.

     -l   Linear mode. Display the record in a very terse, one line per
          record format.

     -n   Normalize process IDs. The first process ID encountered is mapped
          to one, the second to two, and so on. Inode numbers are not
          printed; a "-" is printed instead. This option is handy for audit
          trail comparisons.

     -s delimiter
          The character(s) following -s is the field delimiter. The default
          is a space. This option only works in linear mode (-l option
          specified) and is silently ignored in any other mode. Spaces must
          be quoted. Special characters are not supported.

     -u   Write unbuffered output. (The default is buffered output.) This
          option is useful if the output is being piped to another filter.

     -z timezone
          Override the timezone recorded in the audit file. No error checking
          is done on the timezone specified. See timezone(4) for the
          allowable syntax of the timezone.

EXAMPLE
     sat_interpret is ordinarily used in combination with other audit
     filters. To filter all records generated by guest and display them,
     execute this sequence:

          sat_reduce -u guest sat_xxxxxxxxxxxx | sat_interpret | more

NOTES
     Information about user names and group names is stored in the record
     header, while label names are retrieved from the local workstation.
     This means the user and group names reported are those from the machine
     where the records were generated, while the label names are from the
     machine sat_interpret was run on. When a trail from another host is
     interpreted, the labels shown are therefore the local host's, not the
     generating host's.

     It is possible for a pathname to exceed the maximum allowable pathname
     length, PATH_MAX. When this occurs, the pathname, as shown in the audit
     record, is truncated, and the printed pathname starts with the character
     string "/<truncated>/". This is then followed by the last element of the
     pathname. Truncating the pathname may cause some difficulty in
     determining the actual full pathname for extremely long pathnames;
     however, all of the information needed for auditing purposes is
     available by reading previous audit records. The affected audit record
     tokens are CWD, PATHNAME, and LOOKUP. Examples of tokens where the
     pathname has been truncated are shown below:

          CWD = /<truncated>/mycwd
          ...
          PATHNAME = /<truncated>/mypath
          ...
          LOOKUP = //<truncated>//lastlookup

SEE ALSO
     audit(1M), sat_reduce(1M), sat_select(1M), sat_summarize(1M), satd(1M).

IRIX Admin: Backup, Security, and Accounting
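The linear-mode (-l) output described above is the form most likely to be fed to another filter. The following parser is an added example for this page and is not part of IRIX or the sat_interpret source. It assumes only the Irix 6.5 layout shown in DESCRIPTION: the first token is "event,Outcome", every later token is KEY=VALUE, tokens are separated by the -s delimiter (default: one space), and a parenthesised value such as CAP_SET may itself contain spaces, so the splitter must not cut inside "(...)". Repeated keys (UGID appears three times in the page's own example) are kept as lists, and the "/<truncated>/" marker from NOTES is flagged on CWD, PATHNAME and LOOKUP. The second sample record (delimited with '|', as from `sat_interpret -l -s '|'`) is constructed for this example; the SATID value "guest" and the path /etc/passwd in it are made up.

```python
"""Parse records emitted by `sat_interpret -l` (Irix 6.5 linear mode).

Added example for the sat_interpret(1M) page; not IRIX code.  Assumes the
field layout shown in the manual page's DESCRIPTION section.
"""
from collections import defaultdict

TRUNCATED_MARK = "<truncated>"           # inserted by sat_interpret at PATH_MAX
PATH_TOKENS = ("CWD", "PATHNAME", "LOOKUP")  # the tokens NOTES says can be cut

# Constructed sample input.  SAMPLE_DEFAULT is the manual page's own 6.5
# linear-mode example with the wrapped line rejoined (space delimiter).
# SAMPLE_PIPE is a made-up record in '|'-delimited form whose CWD exceeded
# PATH_MAX; its SATID, command and paths are assumptions for this example.
SAMPLE_DEFAULT = (
    "sat_open_ro,Success TIME=(09/23/1998,15:18:18) SYSCALL=open SATID=root "
    "COMMAND=acctcvt CWD=/etc/config DEVICE=15,8 PARENT_PID=80109 PID=89479 "
    "UGID=root,sys UGID=root,sys GID_LIST=root,sys,daemon,bin,adm,mail,sysadm,rje "
    "CAP_SET=(all= CAP_SETUID+pi CAP_AUDIT_CONTROL+pi) DESCRIPTOR_LIST=3 "
    "OPENMODE=(O_RDONLY) PATHNAME=/lib32/rld LOOKUP=/lib32//rld "
    "FILE=1136896,0,49 UGID=root,sys MODE=rwxr-xr-x"
)
SAMPLE_PIPE = (
    "sat_open_ro,Success|TIME=(09/23/1998,15:20:01)|SYSCALL=open|SATID=guest|"
    "COMMAND=cat|CWD=/<truncated>/mycwd|PID=89500|UGID=guest,guest|"
    "OPENMODE=(O_RDONLY)|PATHNAME=/etc/passwd|LOOKUP=/etc//passwd"
)


def split_fields(line, delim=" "):
    """Split a linear-mode line on `delim`, but never inside (...).

    A naive line.split(" ") would break the CAP_SET value, which contains
    spaces, into several bogus tokens; tracking parenthesis depth avoids that.
    """
    tokens, buf, depth, i = [], [], 0, 0
    while i < len(line):
        ch = line[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if depth == 0 and line.startswith(delim, i):
            if buf:                       # skip empty tokens (doubled delimiters)
                tokens.append("".join(buf))
                buf = []
            i += len(delim)
            continue
        buf.append(ch)
        i += 1
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_record(line, delim=" "):
    """Return {'event', 'outcome', 'fields'} for one linear-mode record."""
    tokens = split_fields(line.strip(), delim)
    if not tokens or "," not in tokens[0]:
        raise ValueError("missing 'event,outcome' header token: %r" % line)
    event, _, outcome = tokens[0].partition(",")
    fields = defaultdict(list)            # a key such as UGID may repeat
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("token is not KEY=VALUE: %r" % tok)
        fields[key].append(value)
    return {"event": event, "outcome": outcome, "fields": dict(fields)}


def parse_trail(text, delim=" "):
    """Parse every non-blank line of a sat_interpret -l output stream."""
    return [parse_record(l, delim) for l in text.splitlines() if l.strip()]


def truncated_paths(record):
    """List (token, value) pairs whose path was cut at PATH_MAX."""
    return [(key, value)
            for key in PATH_TOKENS
            for value in record["fields"].get(key, [])
            if TRUNCATED_MARK in value]


def failures(records):
    """Records whose outcome is anything other than Success."""
    return [r for r in records if r["outcome"] != "Success"]


if __name__ == "__main__":
    for rec in (parse_record(SAMPLE_DEFAULT), parse_record(SAMPLE_PIPE, "|")):
        f = rec["fields"]
        print(rec["event"], rec["outcome"], "satid=%s" % f["SATID"][0],
              "path=%s" % f["PATHNAME"][0], "truncated=%r" % truncated_paths(rec))
```

Because the default delimiter is a space and at least one value (CAP_SET) contains spaces, running sat_interpret with `-s` and a character that cannot occur in a value is the safer choice when the output is destined for another program; the parenthesis tracking above is only a fallback for trails that were already written with the default.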