satd(1M)

NAME
     satd - reliably save the system audit trail

SYNOPSIS
     satd [ -iovy1 ] [ -f path ... ] [ -r replacement-mode ] [ -s file-size ]
          [ -p percent-warn ] [ -t replacement-percent ]

DESCRIPTION
     satd saves its input data in the directories and/or files named in its
     path arguments. When one output path becomes full or the specified
     replacement percentage has been reached, satd replaces the current
     output path with a path that is not full. The method of replacement is
     configurable with the -r option. The output path is also replaced if
     satd receives a SIGHUP signal, for instance one sent with a kill -1
     command.

     If an output path becomes 90% (or the percent specified with the -p
     option) full, warnings are displayed to the system console to notify
     the administrator to move the audit trail to tape. If all of the output
     paths become completely full, the system state is changed to
     single-user mode after a very short grace period. During the grace
     period, satd writes its records to /sat/satd.emergency-<n>, where <n>
     is an integer that is incremented for each file created. The system
     uses the file /sat/satd.reserve to maintain space for the emergency
     files.

     See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
     for more information on configuring the audit subsystem.

OPTIONS
     -f path
          Specify an output path, which can be a directory or a file. If the
          output path is a directory, satd creates and fills uniquely named
          files under that directory. (Files are named for the time of their
          creation. For instance, file sat_199101231636 or sat_9101231636
          (if the -y option has been specified) was created in 1991, on
          January 23 at 4:36 p.m.) If the output path is a file, satd writes
          to that file. If at any time satd receives a SIGHUP signal, satd
          will stop writing to the current file and create a new file with
          the new file name incorporating the current time stamp.
          When specifying several output paths in the command line, precede
          each one with a -f (as in example 1) or put commas (but no white
          space) between each pathname. Taken together, all of the output
          paths specified in the command line are known as the path list.

          If no output paths are specified and the -o option is not
          specified, the audit trail records are not saved anywhere, and the
          system is halted. If a path given as a command line parameter is
          invalid for any reason, a warning is printed, that path is omitted
          from the path list, and satd continues operating with whatever
          specified paths are valid. If the specified path does not already
          exist, satd creates a file with that name.

          A file or directory is full when the filesystem on which it
          resides has no more available space. If a directory is specified
          as an output path, an audit file is constructed under that
          directory. When the audit file is filled to a specified maximum
          size, it is closed and a new audit file is created under that
          directory.

     -i   Input audit records from standard input instead of obtaining them
          from the kernel audit subsystem.

     -o   Output audit records to standard output as well as to the output
          paths specified with the -f option. Use this option to pipe the
          audit trail to audit tools from satd. If the -o option is given in
          the command line, and no output paths are specified, the audit
          trail is copied to standard output, but it is not saved to a mass
          storage device. If the -o option is absent from the command line,
          and no output paths are specified, satd takes records from the
          kernel audit subsystem, but discards them unused.

     -p percent-warn
          Warnings are displayed to the console when the output path is
          this full. Specify an integer in the range of 1 to 100. Default is
          90.

     -r replacement-mode
          The replacement mode can be either preference, rotation, or
          onepass. The default replacement mode is preference.
          If the replacement mode option appears more than once in the
          command line, satd prints an error message and exits.

          If the replacement mode is rotation, satd replaces output paths in
          a circular order. When the current output path is full, satd
          writes records to the next path in the list. When the last output
          path is full, satd writes records to the first path again. If at
          any time satd receives a SIGHUP signal, satd replaces the current
          output path with the next path in the order of rotation.

          If the replacement mode is preference, satd always uses the
          available output path closest to the beginning of the path list.
          When the current output path is full, satd tries to write records
          to the first path again. satd only writes records to a path if all
          of the paths preceding it in the list are full. If at any time
          satd receives a SIGHUP signal, satd replaces the current output
          path with the next path in the order of preference.

          If the replacement mode is onepass, satd replaces output paths in
          a linear order. It uses the output paths in the order they are
          specified in the command line. If a SIGHUP signal is sent to satd
          before the end of the path list is reached, satd starts again from
          the beginning of the list. If satd reaches the end of the path
          list before receiving a SIGHUP signal, it halts the system
          immediately.

     -s file-size
          The size of the audit file in Kilobytes can be specified to be
          greater than the default of 4 Megabytes. For example, -s 5000
          specifies a maximum audit file size of 5 Megabytes.

     -t replacement-percent
          When the specified percentage of fullness has been reached, satd
          replaces the current output path with a path that is not full.
          Specify an integer in the range of 1 to 100. Default is 100.

     -v   Verbose indications of activity are printed to standard error.

     -y   Use a two-digit year (sat_YYDDMMhhmm) for satd output files. By
          default, satd output files use the four-digit-year file format
          (sat_YYYYDDMMhhmm).
     -1   Input data is consumed until the first time a satread system call
          returns with less data read than requested. When the first partial
          buffer is read, satd exits. The -1 option is used in debugging and
          testing to flush the kernel audit buffers.

FILES
     /sat/satd.emergency-0     "emergency" audit file, -0 through -9
     /sat/satd.reserve         file to reserve 250,000 bytes for the above
     /etc/init.d/audit         system audit startup script
     /etc/config/audit         configuration file, on if auditing is enabled
     /etc/config/satd.options  optional file for site-dependent satd options
     /var/adm/sat              default directory, specified in
                               /etc/init.d/audit

DIAGNOSTICS
     satd - ignoring path <pathname>
          The specified output path doesn't exist or is not usable. satd
          ignores it and tries the next entry in the path list.

     path is neither directory, nor disk file
          The specified output path can't be used because it isn't one of
          the object types understood by satd. satd ignores the path and
          tries the next entry in the path list.

     Onepass path search complete
          All the entries in the output path list have been used. Since satd
          has nowhere to put its audit records, it exits.

     Preference path search fails
          None of the entries in the output path list are available for
          use. Since satd has nowhere to put its audit records, it exits.

     Rotation path search fails
          None of the entries in the output path list are available for
          use. Since satd has nowhere to put its audit records, it exits.

     can't fstatfs <pathname>
          The specified output path doesn't exist or is in an unreadable
          directory. satd ignores it and tries the next entry in the path
          list.

     path N percent full
          The auditor is advised to prepare to move the output file to
          permanent storage, because the output path will become full soon.

     can't open <pathname>
          The specified output path can't be opened for write access,
          either because it doesn't exist, or because it has restrictive
          permissions.

     opening path <pathname>
          The specified output path is being opened for use.
          This message is only seen if satd was invoked with the -v option
          (verbose mode).

     closing directory file <pathname>
          The file named in this message is being closed. If room remains
          in the filesystem, a new file is opened in the same directory. The
          auditor is advised to move the output file to permanent storage.

     null path pointer
          An internal error has been encountered in satd.

     opened full path <pathname>
          The specified output path was opened, but it cannot be written
          because there is no space on the device. It is closed, and the
          next entry in the path list is tried.

     Valid directory path but can't open file
          An internal error has been encountered in satd.

     satd - sighup received
          A SIGHUP signal was caught, informing satd to replace the current
          output path with another path from the list. The new path is
          chosen in accordance with the replacement strategy specified by
          the auditor with the -r command line option. This message is only
          seen if satd was invoked with the -v option (verbose mode).

     satd - X asked but Y written
          Although satd tried to write X bytes of data, it succeeded in
          writing only Y bytes.

     Only use one replacement strategy at a time
          More than one -r option was provided as a command line option.
          The three replacement strategies (onepass, preference, and
          rotation) are mutually exclusive. Reinvoke satd with consistent
          command line arguments.

     Can't read sat buffer
          Audit records can't be obtained from the kernel sat subsystem,
          probably due to insufficient privilege or access rights.

     Can't write sat buffer
          Even though satd was invoked with the -o command line option, it
          cannot write audit records to standard output.

     Can't send sat buffer
          Even though the output path has been opened successfully and is
          not full, satd cannot write audit records to the path.

SEE ALSO
     kill(1), mkdir(1), mknod(1M), sat_interpret(1M), sat_reduce(1M),
     sat_select(1M), sat_summarize(1M), satread(2).
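The -f option above describes how satd names the files it creates under a directory output path (sat_199101231636, or sat_9101231636 with -y, for a file created in 1991 on January 23 at 4:36 p.m.). The following is an added example, not code from the satd(1M) man page or from IRIX, that decodes and builds those names and orders a directory listing chronologically, which is what an administrator needs when moving the trail to tape. The field order (year, month, day, hour, minute) is taken from the page's own example; the century used to expand a two-digit year is a caller-supplied assumption, and the directory listing is constructed.

```python
# Added example, not code from the satd(1M) man page or IRIX. Decodes and
# builds the time-stamped names satd gives the files it creates under a
# directory output path. The field order (year, month, day, hour, minute)
# follows the page's own example: sat_199101231636 is 1991, January 23,
# 4:36 p.m., and sat_9101231636 is the same file written with -y. The
# century used for two-digit years is a caller-supplied assumption.
import re
from datetime import datetime

SAT_NAME = re.compile(r"^sat_(\d{12}|\d{10})$")


def parse_sat_name(name, century=1900):
    """Return the creation time encoded in a satd output file name.

    Ten digits means the -y two-digit-year form; 'century' is the
    assumption used to expand it (1900 matches the page's 1991 example).
    """
    m = SAT_NAME.match(name)
    if not m:
        raise ValueError(f"not a satd output file name: {name}")
    digits = m.group(1)
    if len(digits) == 10:
        digits = f"{century // 100:02d}{digits}"
    return datetime.strptime(digits, "%Y%m%d%H%M")


def sat_name(created, two_digit_year=False):
    """Build the name satd would give a file created at 'created'."""
    fmt = "%y%m%d%H%M" if two_digit_year else "%Y%m%d%H%M"
    return "sat_" + created.strftime(fmt)


def oldest_first(names, century=1900):
    """Order a directory listing of satd files chronologically, skipping
    entries that are not satd output files, so the trail can be moved to
    permanent storage in the order it was written."""
    dated = []
    for n in names:
        try:
            dated.append((parse_sat_name(n, century), n))
        except ValueError:
            continue  # e.g. an administrator's README dropped in the directory
    return [n for _, n in sorted(dated)]


if __name__ == "__main__":
    # Constructed directory listing, not a real /var/adm/sat.
    listing = ["sat_199101231636", "README", "sat_199101230800",
               "sat_199101241210"]
    print(oldest_first(listing))
```

Because the two-digit form loses the century, `oldest_first` on a mixed listing of -y and four-digit names is only correct if the same century assumption holds for every -y file; keeping one format per directory avoids the ambiguity.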
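The -r, -p and -t options above describe three different rules for choosing the next output path and two thresholds (warn at -p percent, replace at -t percent). The following is an added example, not code from the satd(1M) man page or from IRIX, that models those rules so the differences between preference, rotation and onepass, and the point at which each mode runs out of paths and satd would halt, can be traced on constructed input. Fullness values are constructed integers standing in for what satd learns from fstatfs(); no filesystem is touched. Treating a SIGHUP under preference mode as "the next usable path after the current one, wrapping" is an assumption drawn from the page's wording, and the diagnostic strings are the ones listed under DIAGNOSTICS.

```python
# Added example, not code from the satd(1M) man page or IRIX: a model of how
# satd chooses its output path under the three -r replacement modes, when the
# -p threshold produces a console warning, and when -t makes a path count as
# full before it is completely full. Fullness values are constructed integers
# standing in for fstatfs() results; no filesystem is touched. SIGHUP under
# preference mode is modelled as "next usable path after the current one,
# wrapping", which is an assumption drawn from the page's wording.
from dataclasses import dataclass, field

SEARCH_FAILED = {
    "preference": "Preference path search fails",
    "rotation": "Rotation path search fails",
    "onepass": "Onepass path search complete",
}


@dataclass
class OutputPath:
    name: str
    percent_full: int  # constructed; satd would derive this from fstatfs()


@dataclass
class SatdModel:
    paths: list                      # the path list, in -f order
    mode: str = "preference"         # -r replacement-mode (default preference)
    percent_warn: int = 90           # -p percent-warn (default 90)
    replacement_percent: int = 100   # -t replacement-percent (default 100)
    current: int = -1                # index of the path being written, -1 if none
    log: list = field(default_factory=list)  # diagnostics as satd would print them

    def __post_init__(self):
        if self.mode not in SEARCH_FAILED:
            raise ValueError("Only use one replacement strategy at a time")
        for opt, val in (("-p", self.percent_warn), ("-t", self.replacement_percent)):
            if not 1 <= val <= 100:
                raise ValueError(f"{opt} must be an integer in the range 1 to 100")

    def is_full(self, i):
        # With -t, a path is replaced once it reaches replacement-percent.
        return self.paths[i].percent_full >= self.replacement_percent

    def scan_order(self, sighup):
        """Indices to try, in the order the chosen replacement mode dictates."""
        n = len(self.paths)
        after_current = [(self.current + 1 + k) % n for k in range(n)]
        if self.mode == "rotation":
            return after_current  # circular: continue from the next path on
        if self.mode == "preference":
            # Normally the available path closest to the start of the list;
            # on SIGHUP the next path after the current one (assumption).
            return after_current if sighup else range(n)
        # onepass: strictly linear; a SIGHUP restarts from the beginning.
        return range(0 if sighup else self.current + 1, n)

    def warn_if_needed(self, i):
        pct = self.paths[i].percent_full
        if pct >= self.percent_warn:
            self.log.append(f"path {pct} percent full")

    def replace(self, sighup=False):
        """Open a new current path; return its name, or None when satd would halt."""
        if sighup:
            self.log.append("satd - sighup received")
        for i in self.scan_order(sighup):
            if not self.is_full(i):
                self.current = i
                self.log.append(f"opening path {self.paths[i].name}")
                self.warn_if_needed(i)
                return self.paths[i].name
        self.log.append(SEARCH_FAILED[self.mode])
        self.current = -1
        return None

    def fill_to(self, percent_full):
        """The current path has reached percent_full; replace it if that meets -t."""
        if self.current < 0:
            raise RuntimeError("no output path is open")
        self.paths[self.current].percent_full = percent_full
        self.warn_if_needed(self.current)
        if self.is_full(self.current):
            return self.replace()
        return self.paths[self.current].name


if __name__ == "__main__":
    # Constructed scenario: three -f paths, default -p 90 and -t 100.
    m = SatdModel([OutputPath("/var/adm/sat", 95), OutputPath("/audit2", 40),
                   OutputPath("/audit3", 100)], mode="rotation")
    print(m.replace(), m.fill_to(100), m.replace(sighup=True))
    print("\n".join(m.log))
```

The model makes the operational difference visible: under preference, a path that was skipped because it was full is tried again on the very next replacement, so freeing space on the first path puts it back into use; under rotation the search always moves forward from the current path; and onepass never revisits a path unless a SIGHUP resets it, which is why reaching the end of the list halts the system.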