Source: SGI IRIX Base Documentation 2001 May, usr/share/catman/a_man/cat1/sat_select.z (text file dated 2001-04-17).

sat_select(1M)                                                  sat_select(1M)

NAME
     sat_select - preselect events for the system audit trail to gather

SYNOPSIS
     sat_select [ -h ] [ idtype ] [ -out ] [ -clearall | -out |
     -on | -off (all | event) ] [ -copy id ]

     sat_select [ filetype ] filename

DESCRIPTION
     sat_select directs the system audit trail to collect records of a
     particular idtype describing certain events and to ignore records
     describing certain other events.  Note that if no idtype is specified,
     the events default to the global event mask.  sat_select with no
     arguments lists the audit events currently being collected.

     The effect of multiple executions of sat_select is cumulative.

     The auditable event types are described in the IRIX Admin: Backup,
     Security, and Accounting guide.  For a brief, online description, see the
     comments in /usr/include/sys/sat.h.

     See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
     for more information on configuring the audit subsystem.

     If the audit daemon, satd(1M), isn't running, sat_select does not select
     any audit events for auditing.  This is to prevent inadvertently halting
     the system, which can happen if an audit daemon is not running to remove
     events from the queue.

OPTIONS
     -h           Help is provided.  The names of all possible audit events
                  are displayed.

     idtype       Is one of the following:
                   -sg|-og gid|name   subject|object group
                   -su|-ou uid|name   subject|object user id
                   -sm|-om mac_label  subject|object mac label
                  No idtype defaults to the global event mask.

     -out         Print the names of all active audit events for idtype.  The
                  event names are displayed in the same format that sat_select
                  uses for its command line arguments.

     -on all|event
                  Select the auditing events for a particular idtype.  The
                  format of the event string is defined in the
                  sat_eventtostr(3) reference page.  If all is given as the
                  event string, all event types are selected.

     -off all|event
                  Ignore records containing the specified audit event of a
                  certain idtype.  The format of the event string is defined in
                  the sat_eventtostr(3) reference page.  If all is given as
                  the event string, all event types are ignored.

     -copy id     Copy the event mask from id to idtype.

     -clearall    Clears all active auditing event masks (global and id
                  specific).

     filetype filename
                  Set events from filename for the filetype:
                   -F  global events
                   -SG subject gid events
                   -SM subject label events
                   -SU subject user events
                   -OG object gid events
                   -OM object label events
                   -OU object user events
                  The file format for all except the global event file is:
                       <id> [<id>...]: -{-on|-off} event ...
                  The global event file keeps the same format, containing only
                  the event lists.  The special event all is also accepted in
                  all files, i.e. -F global events.
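
     The following is an added example, not part of this man page or of the
     IRIX audit tools: a Python model of sat_select's cumulative -on/-off
     selection semantics together with a parser for the per-id file format
     used by the -SG/-SM/-SU/-OG/-OM/-OU file types.  The event names are a
     constructed subset of those quoted on this page, the sample file is
     constructed, and the parser assumes the tokens in the file are literally
     -on and -off.

```python
import shlex

# Constructed subset of audit event names quoted in the man page; the full
# list is in /usr/include/sys/sat.h on a real system.
KNOWN_EVENTS = frozenset({
    "sat_svipc_create", "sat_svipc_change", "sat_svipc_access",
    "sat_svipc_remove", "sat_ae_audit", "sat_ae_identity", "sat_ae_custom",
})

# Constructed sample -SU file: '<id> [<id>...]: -on|-off event ...' per line.
SAMPLE_SU_FILE = """\
guest operator: -off all -on sat_ae_audit -on sat_ae_identity
guest: -on sat_svipc_create -on sat_svipc_remove
"""

def apply_args(mask, args, known=KNOWN_EVENTS):
    """Apply '-on|-off all|event' pairs to an existing mask, left to right,
    and return the new set of selected events (effects are cumulative)."""
    mask = set(mask)
    tokens = list(args)
    while tokens:
        flag = tokens.pop(0)
        if flag not in ("-on", "-off") or not tokens:
            raise ValueError(f"malformed argument near {flag!r}")
        event = tokens.pop(0)
        if event == "all":  # 'all' replaces the whole mask
            mask = set(known) if flag == "-on" else set()
        elif event not in known:
            raise ValueError(f"unknown audit event {event!r}")
        elif flag == "-on":
            mask.add(event)
        else:
            mask.discard(event)
    return mask

def parse_id_file(text, known=KNOWN_EVENTS):
    """Parse a per-id event file into {id: selected-event-set}; each id starts
    empty and later lines for the same id are cumulative.  Assumption: the
    leading '-' in the page's '-{-on|-off}' is notation, so tokens are -on/-off."""
    masks = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ids, sep, rest = line.partition(":")
        if not sep or not ids.split():
            raise ValueError(f"line {lineno}: expected '<id> [<id>...]:'")
        args = shlex.split(rest)
        for ident in ids.split():
            masks[ident] = apply_args(masks.get(ident, set()), args, known)
    return masks
```

     Running parse_id_file over a file before handing it to sat_select shows
     which events each id would end up with, and rejects malformed lines
     before they reach the audit configuration.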

FILES
     /etc/init.d/audit   system audit startup script
     /etc/config/audit   configuration file, on if auditing is enabled
     /etc/config/sat_select.options
                         optional file for site-dependent sat_select options

EXAMPLES
     To collect records describing all System V IPC events (creation, change,
     access, or removal of semaphores, message queues, and shared memory
     segments), in addition to whatever events were previously selected for
     collection, give this command:

               sat_select -on sat_svipc_create -on sat_svipc_change \
               -on sat_svipc_access -on sat_svipc_remove


     To ignore records describing all events, regardless of what may have been
     previously selected, but to collect records initiated by trusted
     administrative programs such as login and su, give this command:

               sat_select -off all -on sat_ae_audit -on sat_ae_identity \
               -on sat_ae_custom
     To save the current audit state in a file that sat_select can read:

               sat_select -out > /etc/config/sat_select.options


     To restore the audit state from a previously saved file:

               sat_select `cat /etc/config/sat_select.options`


     To read the subject user options from the configuration file:

               sat_select -SU guest filename

SEE ALSO
     sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
     satctl(2), sat_eventtostr(3).

     IRIX Admin: Backup, Security, and Accounting