sat_reduce(1M)							sat_reduce(1M)

NAME
     sat_reduce - filter interesting records from the system audit trail

SYNOPSIS
     sat_reduce [-a date-and-time] [-A date-and-time]
	  [(-c | -C) command-name ... ]
	  [(-s | -S) syscall-name ... ]
	  [(-u | -U) user-name ... ]
	  [(-e | -E) event ...]
	  [(-l | -L) label ...]
	  [(-n | -N) named-object ... ]
	  [-f] [-p] [-P] [-v] [infile ...]

DESCRIPTION
     sat_reduce examines an input stream of binary audit data, selects records
     that match the criteria specified by its run time arguments, and prints
     the chosen records in binary to standard output.

OPTIONS
     -a date-and-time
		Select records antecedent to (before) the specified date and
		time.  The date and time are expressed in the mmddhhmm[[cc]yy]
		format described in the date(1) manual page.

     -A date-and-time
		Select records after the specified date and time.  The date
		and time are expressed in the mmddhhmm[[cc]yy] format
		described in the date(1) manual page.

     -c command-name
		Select records generated by the specified command name.

     -C command-name
		Select records generated by commands other than the
		specified command name.

     -s syscall-name
		Select records generated by the specified system call name.

     -S syscall-name
		Select records generated by system calls other than the
		specified system call name.

     -u user-name
		Select records containing the specified user name.

     -U user-name
		Select records lacking the specified user name.


     -e event	Select records containing the specified audit event.  The
		format of the event string is defined in the
		sat_eventtostr(3L) manual page.

     -E event	Select records lacking the specified audit event.  The format
		of the event string is defined in the sat_eventtostr(3L)
		manual page.

     -l label	Select records for which the user is at the specified label.
		The format of the label string is defined in the
		mac_from_text(3C) manual page.

     -L label	Select records for which the user is not at the specified
		label.	The format of the label string is defined in the
		mac_from_text(3C) manual page.

     -n named-object
		Select records whose pathname field contains the specified
		named object.  A regular expression, as defined in the
		regex(3G) manual page, can be used to specify the named
		object.

     -N named-object
		Select records whose pathname field lacks the specified named
		object.	 A regular expression, as defined in the regex(3G)
		manual page, can be used to specify the named-object.

     -f		Apply the restrictions of the -a and -A options to the file
		header, eliminating those files from consideration which fall
		outside the range of times specified.

     -p		Select records describing user actions permitted by the system
		security policy.  This option requires no argument.

     -P		Select records describing user actions prohibited by the
		system security policy, that is, records describing deliberate
		or inadvertent attempted violations of security policy.	 This
		option requires no argument.

     -v		Verbose diagnostic notes are printed to standard error.

     infile	Data is taken from the specified infiles.  If no infiles are
		specified, data is taken from standard input.  The format of
		infile must be identical to the output generated by satd(1M)
		and sat_reduce(1M).

DEFAULTS
     If many record selection conditions are presented on the command line,
     they all must be true for a record to be chosen.


     If -a is not specified, records are selected starting with the beginning
     of the system audit trail.	 If -A is not specified, records are selected
     ending with the conclusion of the system audit trail.  If -f is not
     specified, every record of all of the infiles will be checked.

     If neither -c nor -C are specified, sat_reduce selects records describing
     actions by any command.  If both -c and -C are specified, sat_reduce
     prints a warning and a usage string to standard error, then exits.	 If
     more than one -c argument is specified, sat_reduce selects records
     describing actions by any command specified by one of the -c arguments.
     If more than one -C argument is specified, sat_reduce selects records
     describing actions by commands specified by none of the -C arguments.

     If neither -s nor -S are specified, sat_reduce selects records describing
     actions by any system call.  If both -s and -S are specified, sat_reduce
     prints a warning and a usage string to standard error, then exits.	 If
     more than one -s argument is specified, sat_reduce selects records
     describing actions by any system call specified by one of the -s
     arguments.	 If more than one -S argument is specified, sat_reduce selects
     records describing actions by system calls specified by none of the -S
     arguments.

     If neither -u nor -U are specified, sat_reduce selects records describing
     actions by any user.  If both -u and -U are specified, sat_reduce prints
     a warning and a usage string to standard error, then exits.  If more than
     one -u argument is specified, sat_reduce selects records describing
     actions by any user specified by one of the -u arguments.	If more than
     one -U argument is specified, sat_reduce selects records describing
     actions by users specified by none of the -U arguments.

     If neither -e nor -E are specified, sat_reduce selects records containing
     any audit event.  If both -e and -E are specified, sat_reduce prints a
     warning and a usage string to standard error, then exits.	If more than
     one -e argument is specified, sat_reduce selects records that contain
     audit events specified by any of the -e arguments.	 If more than one -E
     argument is specified, sat_reduce selects records that contain audit
     events specified by none of the -E arguments.

     If neither -l nor -L are specified, sat_reduce selects records describing
     actions by users at any label.  If both -l and -L are specified,
     sat_reduce prints a warning and a usage string to standard error, then
     exits.  If more than one -l argument is specified, sat_reduce selects
     records describing actions by users at a label specified by any of the -l
     arguments.	 If more than one -L argument is specified, sat_reduce selects
     records describing actions by users at a label specified by none of the
     -L arguments.

     If neither -n nor -N are specified, sat_reduce selects records with
     pathnames containing any named object.  If both -n and -N are specified,
     sat_reduce prints a warning and a usage string to standard error, then
     exits.  If more than one -n argument is specified, sat_reduce selects
     records with pathnames containing a named object specified by any of the


     -n arguments.  If more than one -N argument is specified, sat_reduce
     selects records with pathnames containing a named object specified by
     none of the -N arguments.

     If neither -p nor -P are specified, sat_reduce selects both records
     describing permitted actions and records describing attempts at
     prohibited actions.  If both -p and -P are specified, sat_reduce selects
     no records at all.
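     The selection rules above (AND across option classes, OR within the
     lowercase include options, none-of within the uppercase exclude
     options, the usage error when both forms of one class are given, and
     the -p/-P interaction) and the mmddhhmm[[cc]yy] date format used by -a
     and -A are modelled in the following added example.  It is not SGI's
     sat_reduce source and does not read satd(1M) binary data: records are
     constructed dicts, the user, command, event and label names in them
     are illustrative only, and parse_date assumes that an omitted year
     means the current year (as the "July of this year" example in
     EXAMPLES implies) and an omitted century means the current century.

```python
"""Model of sat_reduce's record-selection rules (added example, not SGI's code).
Records are constructed dicts standing in for decoded audit records."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional, Sequence


class UsageError(Exception):
    """Where sat_reduce would print a warning plus a usage string and exit."""


def parse_date(spec: str, now: Optional[datetime] = None) -> datetime:
    """Parse date(1)-style mmddhhmm[[cc]yy].  Assumptions: no year means the
    current year, no century means the current century."""
    now = now or datetime.now()
    if not spec.isdigit() or len(spec) not in (8, 10, 12):
        raise UsageError(f"bad date-and-time {spec!r}; expected mmddhhmm[[cc]yy]")
    month, day, hour, minute = (int(spec[i:i + 2]) for i in range(0, 8, 2))
    if len(spec) == 8:
        year = now.year
    elif len(spec) == 10:
        year = (now.year // 100) * 100 + int(spec[8:])
    else:
        year = int(spec[8:])
    return datetime(year, month, day, hour, minute)


@dataclass
class Criteria:
    """One field per option; the not_* fields are the uppercase (exclude) forms."""
    after: Optional[datetime] = None     # -A
    before: Optional[datetime] = None    # -a
    cmd: Sequence[str] = ()              # -c
    not_cmd: Sequence[str] = ()          # -C
    sys: Sequence[str] = ()              # -s
    not_sys: Sequence[str] = ()          # -S
    user: Sequence[str] = ()             # -u
    not_user: Sequence[str] = ()         # -U
    event: Sequence[str] = ()            # -e
    not_event: Sequence[str] = ()        # -E
    label: Sequence[str] = ()            # -l
    not_label: Sequence[str] = ()        # -L
    named: Sequence[str] = ()            # -n (regex against the pathname field)
    not_named: Sequence[str] = ()        # -N
    permitted: bool = False              # -p
    prohibited: bool = False             # -P


def _one_class(flag: str, include, exclude, hit: Callable[[str], bool]) -> bool:
    """Include values are ORed; every exclude value must miss; both is an error."""
    if include and exclude:
        raise UsageError(f"-{flag} and -{flag.upper()} cannot be combined")
    if include:
        return any(hit(v) for v in include)
    if exclude:
        return not any(hit(v) for v in exclude)
    return True


def select(rec: dict, cr: Criteria) -> bool:
    """True only if rec satisfies every condition in cr."""
    if cr.after is not None and not rec["time"] > cr.after:
        return False
    if cr.before is not None and not rec["time"] < cr.before:
        return False
    classes = [
        ("c", cr.cmd, cr.not_cmd, lambda v: rec["command"] == v),
        ("s", cr.sys, cr.not_sys, lambda v: rec["syscall"] == v),
        ("u", cr.user, cr.not_user, lambda v: rec["user"] == v),
        ("e", cr.event, cr.not_event, lambda v: v in rec["events"]),
        ("l", cr.label, cr.not_label, lambda v: rec["label"] == v),
        ("n", cr.named, cr.not_named,
         lambda v: re.search(v, rec["pathname"]) is not None),
    ]
    if not all(_one_class(*cls) for cls in classes):
        return False
    # -p/-P: neither selects both kinds of record, both selects nothing at all
    if cr.permitted and cr.prohibited:
        return False
    if cr.permitted and not rec["permitted"]:
        return False
    if cr.prohibited and rec["permitted"]:
        return False
    return True


def reduce_records(records, cr: Criteria) -> list:
    return [r for r in records if select(r, cr)]


def _rec(time, command, syscall, user, events, label, pathname, permitted):
    return dict(time=time, command=command, syscall=syscall, user=user,
                events=set(events), label=label, pathname=pathname,
                permitted=permitted)


# Constructed sample records; names are illustrative, not real audit data.
NOW = datetime(1998, 12, 31, 12, 0)
RECORDS = [
    _rec(datetime(1998, 6, 30, 23, 0), "su", "setuid", "sneakyguy",
         ["sat_ae_identity"], "dblow", "", False),
    _rec(datetime(1998, 7, 15, 10, 0), "login", "open", "sneakyguy",
         ["sat_open"], "dblow", "/etc/passwd", False),
    _rec(datetime(1998, 7, 16, 11, 0), "cat", "open", "maybecrooked",
         ["sat_open", "sat_read"], "dblow", "/usr/adm/sat/sat_log", True),
    _rec(datetime(1998, 8, 2, 9, 0), "vi", "write", "alice",
         ["sat_write"], "userlow", "/home/alice/notes", True),
]


def commands_selected(cr: Criteria) -> list:
    """Command names of the sample records that cr selects, in input order."""
    return [r["command"] for r in reduce_records(RECORDS, cr)]
```

     Running the two EXAMPLES below against the sample records,
     Criteria(after=parse_date("06302359", NOW), before=parse_date("08010000",
     NOW)) keeps only the July records, and Criteria(user=("sneakyguy",
     "maybecrooked"), prohibited=True) drops the permitted record of
     maybecrooked while keeping both prohibited records of sneakyguy,
     including the one outside July.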

EXAMPLES
     sat_reduce is commonly used in combination with other audit filters.  In
     the following example, the Auditor wishes to obtain only the audit
     records generated between July 1 of this year and July 31 of this year,
     and display their human readable interpretation:

	  satd -f /usr/adm/sat -o | sat_reduce -A 06302359 -a 08010000 |
	  sat_interpret

     If the Auditor wishes to read audit records stored previously in a file
     named /sat_fs/july_31 and retain only the records describing the actions
     of users named "sneakyguy" and "maybecrooked", and further to retain only
     those actions that indicate attempted violations of system security
     policy, the correct command is:

	  sat_reduce -u "sneakyguy maybecrooked" -P < /sat_fs/july_31 |
	  sat_interpret

NOTES
     sat_reduce replaces sat_reduce31, which is no longer supported and should
     only be used to view old logfiles.

SEE ALSO
     audit(1M), date(1), mac_from_text(3C), sat_interpret(1M), sat_select(1M),
     sat_summarize(1M), satd(1M), regex(3G), sat_eventtostr(3L).

     IRIX Admin: Backup, Security, and Accounting

