satselect(1M) satselect(1M)
NAME
sat_select - preselect events for the system audit trail to gather
SYNOPSIS
satselect [ -h ] [ -out ] [( -on | -off ) event ... ]
DESCRIPTION
sat_select directs the system audit trail to collect records describing
certain events and to ignore records describing certain other events.
sat_select with no arguments lists the audit events currently being
collected.
The effect of multiple executions of sat_select is cumulative.
The auditable event types are described in the IRIX Admin: Backup,
Security, and Accounting. For a brief, online description, see the
comments in /usr/include/sys/sat.h.
See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
for more information on configuring the audit subsystem.
If the audit daemon, satd(1M), isn't running, sat_select does not select
any audit events for auditing. This is to prevent inadvertently halting
the system, which can happen if an audit daemon is not running to remove
events from the queue.
OPTIONS
-h Help is provided. The names of all possible audit events
are displayed.
-out The names of all active audit events are displayed in same
format that sat_select uses for its command line arguments.
-on event Select records containing the specified audit event. The
format of the event string is defined in the
sat_eventtostr(3) reference page. If all is given as the
event string, all event types are selected.
-off event Ignore records containing the specified audit event. The
format of the event string is defined in the
sat_eventtostr(3) reference page. If all is given as the
event string, all event types are ignored.
FILES
/etc/init.d/audit system audit startup script
/etc/config/audit configuration file, on if auditing is enabled
/etc/config/sat_select.options
optional file for site-dependent sat_select options
Page 1
satselect(1M) satselect(1M)
EXAMPLES
To collect records describing all System V IPC events (creation, change,
access, or removal of semaphores, message queues, and shared memory
segments), in addition to whatever events were previously selected for
collection, give this command:
satselect -on satsvipccreate -on satsvipcchange \
-on satsvipcaccess -on satsvipcremove
To ignore records describing all events, regardless of what may have been
previously selected, but to collect records initiated by trusted
administrative programs such as login and su, give this command:
satselect -off all -on sataeaudit -on sataeidentity \
-on sataecustom
To save the current audit state in a file that sat_select can read:
satselect -out > /etc/config/satselect.options
To restore the audit state from a previously saved file:
satselect `cat /etc/config/satselect.options`
SEE ALSO
sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
satctl(2), sat_eventtostr(3).
IRIX Admin: Backup, Security, and Accounting
Page 2