⇒ sat_select(1M) — IRIX 6.5.3f


sat_select(1M)                                                sat_select(1M)



NAME
     sat_select - preselect events for the system audit trail to gather

SYNOPSIS
     sat_select [ -h ] [ -out ] [( -on | -off ) event ... ]

DESCRIPTION
     sat_select directs the system audit trail to collect records describing
     certain events and to ignore records describing certain other events.
     sat_select with no arguments lists the audit events currently being
     collected.

     The effect of multiple executions of sat_select is cumulative.

     The auditable event types are described in the IRIX Admin: Backup,
     Security, and Accounting.  For a brief, online description, see the
     comments in /usr/include/sys/sat.h.

     See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
     for more information on configuring the audit subsystem.

     If the audit daemon, satd(1M), isn't running, sat_select does not select
     any audit events for auditing.  This is to prevent inadvertently halting
     the system, which can happen if an audit daemon is not running to remove
     events from the queue.

OPTIONS
     -h           Help is provided.  The names of all possible audit events
                  are displayed.

     -out         The names of all active audit events are displayed in the
                  same format that sat_select uses for its command line
                  arguments.

     -on event    Select records containing the specified audit event.  The
                  format of the event string is defined in the
                  sat_eventtostr(3) reference page.  If all is given as the
                  event string, all event types are selected.

     -off event   Ignore records containing the specified audit event.  The
                  format of the event string is defined in the
                  sat_eventtostr(3) reference page.  If all is given as the
                  event string, all event types are ignored.

FILES
     /etc/init.d/audit   system audit startup script
     /etc/config/audit   configuration file, on if auditing is enabled
     /etc/config/sat_select.options
                         optional file for site-dependent sat_select options

EXAMPLES
     To collect records describing all System V IPC events (creation, change,
     access, or removal of semaphores, message queues, and shared memory
     segments), in addition to whatever events were previously selected for
     collection, give this command:

          sat_select -on sat_svipc_create -on sat_svipc_change \
          -on sat_svipc_access -on sat_svipc_remove

     To ignore records describing all events, regardless of what may have been
     previously selected, but to collect records initiated by trusted
     administrative programs such as login and su, give this command:

          sat_select -off all -on sat_ae_audit -on sat_ae_identity \
          -on sat_ae_custom

     To save the current audit state in a file that sat_select can read:

          sat_select -out > /etc/config/sat_select.options

     To restore the audit state from a previously saved file:

          sat_select `cat /etc/config/sat_select.options`
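
     Added example, not part of the original reference page or of IRIX: a
     shell model of the cumulative -on/-off behaviour described above, for
     checking that a proposed argument list leaves the events a site requires
     selected. The helper names, the left-to-right evaluation order and the
     short event list are assumptions; take the real names from sat_select -h.

```shell
#!/bin/sh
# Constructed subset of event names; on a real system list them with `sat_select -h`.
SAT_UNIVERSE="sat_ae_audit sat_ae_custom sat_ae_identity sat_svipc_access sat_svipc_change sat_svipc_create sat_svipc_remove"

# sat_effective CURRENT ARGS...  (hypothetical helper)
# CURRENT: events already selected. ARGS: sat_select-style arguments,
# assumed to apply left to right. Prints the resulting set; returns 2 on bad input.
sat_effective() {
    set_now=" $1 "; shift
    mode=""
    for tok in "$@"; do
        case "$tok" in
            -on)  mode=on;  continue ;;
            -off) mode=off; continue ;;
            -*)   echo "not modelled: $tok" >&2; return 2 ;;
        esac
        [ -n "$mode" ] || { echo "event without -on/-off: $tok" >&2; return 2; }
        if [ "$tok" = all ]; then
            [ "$mode" = on ] && set_now=" $SAT_UNIVERSE " || set_now=" "
            continue
        fi
        case " $SAT_UNIVERSE " in
            *" $tok "*) ;;
            *) echo "unknown event: $tok" >&2; return 2 ;;
        esac
        case "$mode:$set_now" in
            on:*" $tok "*)  ;;                          # already selected
            on:*)           set_now="$set_now$tok " ;;
            off:*" $tok "*) set_now="${set_now%% $tok *} ${set_now#* $tok }" ;;
        esac
    done
    for ev in $set_now; do echo "$ev"; done | LC_ALL=C sort | xargs
}

# sat_missing SELECTED REQUIRED...  prints required events that are not selected.
sat_missing() {
    have=" $1 "; miss=""; shift
    for ev in "$@"; do
        case "$have" in *" $ev "*) ;; *) miss="$miss $ev" ;; esac
    done
    [ -z "$miss" ] && return 0
    echo "${miss# }"; return 1
}

# Demo: the page's "-off all" example applied on top of an earlier IPC selection.
cur=$(sat_effective "" -on sat_svipc_create -on sat_svipc_change)
new=$(sat_effective "$cur" -off all -on sat_ae_audit -on sat_ae_identity -on sat_ae_custom)
echo "selected: $new"
sat_missing "$new" sat_ae_audit sat_svipc_create || echo "^ required but no longer collected"
```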


SEE ALSO
     sat_interpret(1M), sat_reduce(1M), sat_summarize(1M), satd(1M),
     satctl(2), sat_eventtostr(3).

     IRIX Admin: Backup, Security, and Accounting

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026