sat_select(1M)                                                  sat_select(1M)

NAME
     sat_select - preselect events for the system audit trail to gather

SYNOPSIS
     sat_select [ -h ] [ idtype ] [ -out ]
                [ -clearall | -on (all | event) | -off (all | event) ] [ -copy id ]
     sat_select [ filetype ] filename

DESCRIPTION
     sat_select directs the system audit trail to collect records of a
     particular idtype describing certain events and to ignore records
     describing certain other events.  If no idtype is specified, the
     selection applies to the global event mask.  Invoked with no arguments,
     sat_select lists the audit events currently being collected.

     The effect of repeated executions of sat_select is cumulative, except
     that selections made for different idtypes do not combine: each idtype
     keeps its own event mask.

     The auditable event types are described in IRIX Admin: Backup,
     Security, and Accounting.  For a brief online description, see the
     comments in /usr/include/sys/sat.h.  See audit(1M) or the IRIX Admin:
     Backup, Security, and Accounting guide for more information on
     configuring the audit subsystem.

     If the audit daemon, satd(1M), is not running, sat_select does not
     select any audit events for auditing.  This prevents inadvertently
     halting the system, which can happen when audit records accumulate in
     the audit queue with no daemon running to remove them.

OPTIONS
     -h        Help.  The names of all possible audit events are displayed.

     idtype    One of the following:

                    -sg gid|name    subject group
                    -og gid|name    object group
                    -su uid|name    subject user ID
                    -ou uid|name    object user ID
                    -sm mac_label   subject MAC label
                    -om mac_label   object MAC label

               If no idtype is given, the global event mask is used.  An
               object in this context is a passive entity that contains or
               receives information; files, directories, and programs are
               examples.  A subject is an active entity, generally a person,
               process, or device, that causes information to flow among
               objects or changes the system state.

     -out      Print the names of all active audit events for idtype.  The
               event names are displayed in the same format that sat_select
               accepts as command line arguments, so the output can be fed
               back to sat_select (see EXAMPLES).

     -on all|event
               Select audit events for a particular idtype.  The format of
               the event string is defined in the sat_eventtostr(3)
               reference page.  If all is given as the event string, all
               event types are selected.

     -off all|event
               Ignore records containing the specified audit event for a
               particular idtype.  The format of the event string is defined
               in the sat_eventtostr(3) reference page.  If all is given as
               the event string, all event types are ignored.

     -copy id  Copy the event mask from id to idtype.

     -clearall Clear all active audit event masks, global and id-specific.

     filetype filename
               Set events from filename for the given filetype:

                    -F    global events
                    -SG   subject gid events
                    -SM   subject label events
                    -SU   subject user events
                    -OG   object gid events
                    -OM   object label events
                    -OU   object user events

               The files for selecting subject user, group, and label
               events are sat_select.subject.user, sat_select.subject.group,
               and sat_select.subject.mac; the files for selecting object
               user, group, and label events are sat_select.object.user,
               sat_select.object.group, and sat_select.object.mac.  Every
               file except the global event file has the format

                    <id> [<id>...]: -on|-off event ...

               The global event file (-F) contains only the event list,
               without an id prefix.  The special event all is accepted in
               all files.

FILES
     /etc/init.d/audit                 system audit startup script
     /etc/config/audit                 configuration file, on if auditing is
                                       enabled
     /etc/config/sat_select.options    optional file for site-dependent
                                       sat_select options

EXAMPLES
     1.  To collect records describing all System V IPC events (creation,
         change, access, or removal of semaphores, message queues, and
         shared memory segments), in addition to whatever events were
         previously selected for collection:

              sat_select -on sat_svipc_create -on sat_svipc_change \
                         -on sat_svipc_access -on sat_svipc_remove

     2.  To ignore records describing all events, regardless of what may
         have been previously selected, but to collect records initiated by
         trusted administrative programs such as login and su:

              sat_select -off all -on sat_ae_audit -on sat_ae_identity \
                         -on sat_ae_custom

     3.  To collect records for all events generated by the user dodgy_user:

              sat_select -su dodgy_user -on all

         A numeric user ID can be given instead of the user name:

              sat_select -su userid -on all

     4.  To collect sat_access_denied records for all objects with the label
         dbadmin, in addition to whatever events were previously selected:

              sat_select -om dbadmin -on sat_access_denied

         Labels are used only on Trusted IRIX (TRIX); this example
         illustrates the idtype associated with objects.

     5.  To save the current audit state in a file that sat_select can read
         back:

              sat_select -out > /etc/config/sat_select.options

     6.  To restore the audit state from a previously saved file (satd(1M)
         must be running, or nothing is selected):

              sat_select `cat /etc/config/sat_select.options`

     7.  To read the subject user options from a configuration file:

              sat_select -SU guest filename

SEE ALSO
     sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
     satctl(2), sat_eventtostr(3).

     IRIX Admin: Backup, Security, and Accounting
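The options-file layout given under OPTIONS (`<id> [<id>...]: -on|-off event ...` for the per-id filetypes, a bare event list for -F) is easy to get wrong, and a mistake in a subject-user file silently changes which users are audited. The script below is an added example, not part of IRIX or of sat_select: it expands such a file into the equivalent per-id sat_select command lines so a mask can be reviewed before it is applied. It assumes the layout quoted in this page, treats blank lines and lines beginning with `#` as comments (an assumption; the page does not define comments), and uses made-up user names and event lists in its sample file.

```sh
#!/bin/sh
# Added example for the sat_select(1M) options-file format; this is not
# IRIX or sat_select code.  Assumed layout (from the reference page):
#     <id> [<id>...]: -on|-off event ...      for -SU -SG -SM -OU -OG -OM
#     -on|-off event ...                      for -F (global, no id prefix)
# Skipping blank lines and '#' comments is this script's own assumption.

# Map a filetype flag (-SU, -OG, ...) to the matching command-line idtype.
filetype_to_idflag() {
    case $1 in
        -SU) printf '%s\n' -su ;;
        -SG) printf '%s\n' -sg ;;
        -SM) printf '%s\n' -sm ;;
        -OU) printf '%s\n' -ou ;;
        -OG) printf '%s\n' -og ;;
        -OM) printf '%s\n' -om ;;
        *)   return 1 ;;
    esac
}

# options_to_commands FILETYPE FILE
# Print the sat_select invocation each line of FILE is equivalent to, one
# line per id, so the resulting masks can be reviewed before being applied.
# Fails on an unknown filetype, a per-id line without the ':' separator,
# or an action list that does not start with -on or -off.
options_to_commands() {
    filetype=$1
    file=$2
    if [ "$filetype" != -F ]; then
        idflag=$(filetype_to_idflag "$filetype") || {
            printf 'unknown filetype: %s\n' "$filetype" >&2
            return 1
        }
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;              # blank or comment line
        esac
        if [ "$filetype" = -F ]; then
            set -- $line                     # global file: already command form
            printf 'sat_select %s\n' "$*"
            continue
        fi
        case $line in
            *:*) ;;
            *) printf 'malformed line (no ":"): %s\n' "$line" >&2; return 1 ;;
        esac
        ids=${line%%:*}
        set -- ${line#*:}                    # word-split the action list
        case $1 in
            -on|-off) ;;
            *) printf 'expected -on or -off after ":": %s\n' "$line" >&2
               return 1 ;;
        esac
        for id in $ids; do
            printf 'sat_select %s %s %s\n' "$idflag" "$id" "$*"
        done
    done < "$file"
}

# Constructed sample in the sat_select.subject.user layout (names made up).
write_sample_subject_user_file() {
    cat > "$1" <<'EOF'
# subject user masks (constructed sample)
dodgy_user 1234: -on all
guest: -off all -on sat_ae_audit -on sat_ae_identity
EOF
}

# Stand-alone usage: show what the sample file would ask sat_select to do.
demo_tmp=$(mktemp) && write_sample_subject_user_file "$demo_tmp" &&
    options_to_commands -SU "$demo_tmp"
rm -f "$demo_tmp"
```

Run it directly to see the three expansions of the sample file; on an IRIX host the printed lines are what `sat_select -SU` would apply from that file, and they can be checked against `sat_select -su <id> -out` afterwards. Remember that nothing is selected while satd(1M) is not running, so review the expansion first, start the daemon, then load the file.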