sat_interpret(1M)					     sat_interpret(1M)

NAME

     sat_interpret - convert audit records from	binary to English

SYNOPSIS

     sat_interpret [ -bdflnu ] [ file ]

DESCRIPTION

     sat_interpret takes binary	audit records from standard input or
     optionally	a file and prints the records to standard output in English.

     The auditing subsystem was	changed	with Irix 6.5, and audit records
     written on	Irix 6.5 or later systems are shown in a different format than
     records that were written under previous release levels of	Irix.

     To	illustrate the output format of	sat_interpret, the following is	an
     example of	an Irix	6.5 audit record:

		  TIME			  = (09/23/1998,15:18:18)
		  SYSCALL		  = open
		  SATID			  = root
		  COMMAND		  = acctcvt
		  CWD			  = /etc/config
		  DEVICE		  = 15,8
		  PARENT_PID		  = 80109
		  PID			  = 89479
		  UGID			  = root,sys
		  UGID			  = root,sys
		  GID_LIST		  = root,sys,daemon,bin,adm,mail,sysadm,rje
		  PATHNAME		  = /lib32/rld
		  LOOKUP		  = /lib32//rld
		  FILE			  = 1136896,0,49
		  UGID			  = root,sys
		  MODE			  = rwxr-xr-x

     Below is an example of the	same event using linear	mode, although your
     line wrapping may be different:

	  sat_open_ro,Success TIME=(09/23/1998,15:18:18) SYSCALL=open SATID=root
	  COMMAND=acctcvt CWD=/etc/config DEVICE=15,8 PARENT
	  _PID=80109 PID=89479 UGID=root,sys UGID=root,sys GID_LIST=root,daemo
	  n,bin,adm,mail,sysadm,rje, CAP_SET=(all= CAP_SETUID+pi CAP_AUDIT_CON
	  OOKUP=/lib32//rld FILE=1136896,0,49 UGID=root,sys MODE=rwxr-xr-x

     The following is an example of an audit record that was generated on an
     Irix 6.4 or earlier system:

	  Event	type	   = sat_open_ro
	  Outcome	   = Success
	  Sequence number  = 1
	  Time of event	   = Mon Dec 09	18:06:27.43 PST	1991
	  System call	   = open
	  Error	status	   = 0 (No error)
	  Process ID	   = 55	(chkconfig)
	  Parent process   = 54
	  Curr working dir = /
	  Process label	   = dblow (msenlow/minthigh)
	  SAT ID	   = root
	  User id	   = root
	  Group	id	   = sys
	  Terminal dev.	   = 127, 255
	  File descriptor  = 3
	  Open flags	   = O_RDONLY
	  Created	   = No
	  Pathname information:
	    Device/Inode   = (22, 32)/920
	    Owner	   = root
	    Group	   = sys
	    Mode bits	   = 0100644 (-rw-r--r--)
	    Label	   = dblow (msenlow/minthigh)
	    Requested name = "/etc/config/verbose"
	    Actual name	   = "/etc//config//verbose"

     Below is an example of the	same event displayed in	brief mode:

	  Mon Dec  9 18:06:27.43 PST 1991
	  +sat_open_ro (open), Success
	  Process 55 (chkconfig), ppid 54, tty NODEV, cwd /
	  SAT ID root, uid root, gid sys, label	dblow
	  file descriptor 3, O_RDONLY, not created
	  Pathname information:
	    920	  -rw-r--r--  root   sys    /etc/config/verbose	[dblow]
	    Actual name: /etc//config//verbose

     Below is an example of the	same event displayed in	linear mode, although
     your line wrapping	may differ from	what is	shown here:

	  sat_open_ro (open) + (ok) pid:55 chkconfig sreuid:root,root,r
	  oot regid:sys,sys,sys	label:dblow fd:3,(O_RDONLY),exists path

OPTIONS

     -b	  ``Brief'' mode.  Display the record header and pathname output in a
	  space-saving format.	This mode is terse, but	it is much easier to
	  view multiple	records	on a screen.

	  If the event was successful, the event name is preceded by a `+'
	  character.  If the event failed, it is preceded by a `-'.  This
	  makes	it easy	to scan	for successes or failures.  The	rest of	the
	  fields are self-explanatory, as they say.

	  This option only affects the output format for audit records
	  generated under Irix 6.4 or earlier systems.	For records generated
	  under	Irix 6.5 or later systems, this	option has no effect.

     -d	  Debug	mode.  Prints out generally uninteresting information about
	  the file offset of the record, record	and header size, and so	on.

     -f	  File descriptors are mapped to the filenames to which	they apply
	  whenever possible.

     -l	  Linear mode.	Display	the record in a	very terse, one	line per
	  record format.

     -n	  Normalize process IDs.  The first process ID encountered is mapped
	  to one, the second to	two, and so on.	 Inode numbers are not
	  printed, a "-" is printed instead.  This option is handy for audit
	  trail	comparisons.

     -u	  Write	unbuffered output.  (The default is buffered output.)  This
	  option is useful if the output is being piped	to another filter.

     -z	timezone
	  Override the timezone	recorded in the	audit file.  No	error checking
	  is done on the timezone specified.  See timezone(4) for allowable
	  syntax of the	timezone.

EXAMPLE

     sat_interpret is ordinarily used in combination with other	audit filters.
     To	filter all records generated by	guest and display them,	execute	this:

	  sat_reduce -u	guest sat_xxxxxxxxxxxx | sat_interpret | more

NOTES

     Information about user names and group names is stored in the record
     header while label	names are retrieved from the local workstation.	 This
     means the user and	group names reported are those from the	machine	where
     the records were generated, while the label names are from	the machine
     sat_interpret was run on.

     It	is possible for	a pathname to exceed the maximum allowable pathname
     length, PATH_MAX. When this occurs, the pathname, as shown	in the audit
     record, is	truncated, and the printed pathname starts with	the character
     string, "/<truncated>/".  This is then followed by	the last element of
     the path name.  Truncating	the pathname may cause some difficulty in
     determining the actual full pathname for extremely	long pathnames,
     however, all of the information needed for	auditing purposes is available
     by	reading	previous audit records.	 Affected audit	record tokens are the
     following:	 CWD, PATHNAME,	and LOOKUP.  Examples of tokens	where the
     pathname has been truncated are shown below:

	       CWD			 = /<truncated>/mycwd

	       PATHNAME			 = /<truncated>/mypath

	       LOOKUP			 = //<truncated>//lastlookup
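     The following Python snippet is an added illustration, not part of the
     man page or of IRIX: it parses Irix 6.5 style sat_interpret output into
     records, flags the CWD, PATHNAME and LOOKUP tokens that carry the
     "/<truncated>/" marker described above, and mirrors the -n option by
     renumbering process IDs in order of first appearance so that two audit
     trails can be compared.  The sample records are constructed for this
     example and their values are made up.

```python
import re

# Constructed sample of sat_interpret Irix 6.5 output, modelled on the
# man page's record; two blank-line separated records with made-up values.
SAMPLE = """\
TIME        = (09/23/1998,15:18:18)
SYSCALL     = open
SATID       = root
CWD         = /<truncated>/mycwd
PARENT_PID  = 80109
PID         = 89479
PATHNAME    = /lib32/rld
LOOKUP      = //<truncated>//lastlookup

TIME        = (09/23/1998,15:18:19)
SYSCALL     = open
SATID       = guest
CWD         = /tmp
PARENT_PID  = 89479
PID         = 89480
PATHNAME    = /etc/passwd
LOOKUP      = /etc//passwd
"""

PATH_TOKENS = ("CWD", "PATHNAME", "LOOKUP")   # tokens the NOTES say may be cut at PATH_MAX
TRUNCATED = re.compile(r"^/+<truncated>/+")   # LOOKUP shows the marker with doubled slashes

def parse_records(text):
    """Split blank-line separated records into lists of (token, value) pairs.
    Tokens such as UGID repeat within a record, so a list is kept, not a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.partition("=") for line in block.splitlines()]
        records.append([(t.strip(), v.strip()) for t, _, v in pairs])
    return records

def truncated_paths(record):
    """Path tokens whose value was truncated; the full path must be recovered from earlier records."""
    return [(t, v) for t, v in record if t in PATH_TOKENS and TRUNCATED.match(v)]

def normalize_pids(records):
    """Mirror the -n option: the first process ID seen maps to 1, the next to 2, and
    so on, so two audit trails can be compared regardless of the actual PIDs."""
    mapping = {}
    def norm(token, value):
        if token in ("PID", "PARENT_PID"):
            return str(mapping.setdefault(value, len(mapping) + 1))
        return value
    return [[(t, norm(t, v)) for t, v in record] for record in records]
```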

SEE ALSO

     audit(1M),	sat_reduce(1M),	sat_select(1M),	sat_summarize(1M), satd(1M).

     IRIX Admin: Backup, Security, and Accounting
