satd man page on IRIX

satd(1M)							      satd(1M)

NAME
     satd - reliably save the system audit trail

SYNOPSIS
     satd [ -iovy1 ] [ -f path ... ] [ -r replacement-mode ] [ -s file-size ]
     [ -p percent-warn] [ -t replacement-percent]

DESCRIPTION
     satd saves its input data in the directories and/or files named in its
     path arguments.

     When one output path becomes full or the specified replacement percentage
     has been reached, satd replaces the current output path with a path that
     is not full.  The method of replacement is configurable with the -r
     option.  The output path is also replaced if satd receives a SIGHUP
     signal, for instance one sent with a kill -1 command.

     If an output path becomes 90% (or the percent specified with the -p
     option) full, warnings are displayed to the system console to notify the
     administrator to move the audit trail to tape.  If all of the output
     paths become completely full, the system state is changed to single-user
     mode after a very short grace period.  During the grace period, satd
     writes its records to /sat/satd.emergency-<n>, where <n> is an integer
     that is incremented for each file created.	 The system uses the file
     /sat/satd.reserve to maintain space for the emergency files.

     See audit(1M) or the IRIX Admin: Backup, Security, and Accounting guide
     for more information on configuring the audit subsystem.

OPTIONS
     -f path
	  Specify an output path, which can be a directory or a file.  If the
	  output path is a directory, satd creates and fills uniquely named
	  files under that directory.  (Files are named for the time of their
	  creation.  For instance, file sat_199101231636 or sat_9101231636 (if
	  -y option has been specified) was created in 1991, on January 23 at
	  4:36 p.m.)  If the output path is a file, satd writes to that file.
	  If at any time satd receives a SIGHUP signal, satd will stop writing
	  to the current file and create a new file with the new file name
	  incorporating the current time stamp.

	  When specifying several output paths in the command line, precede
	  each one with a -f (as in example 1) or put commas (but no white
	  space) between each pathname.	 Taken together, all of the output
	  paths specified in the command line are known as the path list.

	  If no output paths are specified and the -o option is not specified,
	  the audit trail records are not saved anywhere, and the system is
	  halted.

	  If a path given as a command line parameter is invalid for any
	  reason, a warning is printed, that path is omitted from the path
	  list, and satd continues operating with whatever specified paths are
	  valid.

	  If the specified path does not already exist, satd creates a file
	  with that name.

	  A file or directory is full when the filesystem on which it resides
	  has no more available space.	If a directory is specified as an
	  output path, an audit file is constructed under that directory.
	  When the audit file is filled to a specified maximum size, it is
	  closed and a new audit file is created under that directory.

     -i	  Input audit records from standard input instead of obtaining them
	  from the kernel audit subsystem.

     -o	  Output audit records to standard output as well as to the output
	  paths specified with the -f option.  Use this option to pipe the
	  audit trail to audit tools from satd.

	  If the -o option is given in the command line, and no output paths
	  are specified, the audit trail is copied to standard output, but it
	  is not saved to a mass storage device.  If the -o option is absent
	  from the command line, and no output paths are specified, satd takes
	  records from the kernel audit subsystem, but discards them unused.

     -p percent-warn
	  Warnings are displayed to the console when the output path is this
	  full. Specify an integer in the range of 1 to 100. Default is 90.

     -r replacement-mode
	  The replacement mode can be either preference, rotation, or onepass.
	  The default replacement mode is preference.  If the replacement mode
	  option appears more than once in the command line, satd prints an
	  error message and exits.

	  If the replacement mode is rotation, satd replaces output paths in a
	  circular order.  When the current output path is full, satd writes
	  records to the next path in the list.	 When the last output path is
	  full, satd writes records to the first path again.  If at any time
	  satd receives a SIGHUP signal, satd replaces the current output path
	  with the next path in the order of rotation.

	  If the replacement mode is preference, satd always uses the
	  available output path closest to the beginning of the path list.
	  When the current output path is full, satd tries to write records to
	  the first path again.	 satd only writes records to a path if all of
	  the paths preceding it in the list are full.	If at any time satd
	  receives a SIGHUP signal, satd replaces the current output path with
	  the next path in the order of preference.

	  If the replacement mode is onepass, satd replaces output paths in a
	  linear order.	 It uses the output paths in the order they are
	  specified in the command line.  If a SIGHUP signal is sent to satd
	  before the end of the path list is reached, satd starts again from
	  the beginning of the list.  If satd reaches the end of the path list
	  before receiving a SIGHUP signal, it halts the system immediately.

     -s file-size
	  The size of the audit file in Kilobytes can be specified to be
	  greater than the default of 4 Megabytes.  For example -s 5000
	  specifies a maximum audit file size of 5 Megabytes.

     -t replacement-percent
	  When the specified percentage of fullness has been reached, satd
	  replaces the current output path with a path that is not full.
	  Specify an integer in the range of 1 to 100. Default is 100.

     -v	  Verbose indications of activity are printed to standard error.

     -y	  Use a two-digit-year (sat_YYDDMMhhmm) for satd output files.
	  Default satd output files are in four-digit-year file format
	  (sat_YYYYDDMMhhmm).

     -1	  Input data is consumed until the first time a satread system call
	  returns with less data read than requested.  When the first partial
	  buffer is read, satd exits.  The -1 option is used in debug and
	  testing to flush the kernel audit buffers.
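
The three -r replacement modes and the -t and -p thresholds described above can be compared side by side in a small model. This is an added example, not IRIX or satd source code; the names next_path, should_warn and HALT are hypothetical. Skipping the current path on SIGHUP in preference mode is an assumption, since the page only says "the next path in the order of preference".

```python
# Simplified model of satd path replacement (-r, -t, -p). Added illustration,
# not satd source; next_path, should_warn and HALT are hypothetical names.

HALT = None  # no usable path left: satd exits (onepass: system is halted)

def is_full(usage, replacement_percent=100):
    """-t: a path is replaced once it reaches this percentage (default 100)."""
    return usage >= replacement_percent

def should_warn(usage, percent_warn=90):
    """-p: console warnings start at this percentage (default 90)."""
    return usage >= percent_warn

def next_path(mode, usage, current, sighup=False, replacement_percent=100):
    """Index of the path satd switches to, or HALT.

    usage   -- percent full for each path, in command-line (-f) order
    current -- index of the path being written when the switch happens
    sighup  -- True if SIGHUP triggered the switch, False if fullness did
    """
    n = len(usage)
    free = [i for i in range(n) if not is_full(usage[i], replacement_percent)]
    if mode == "preference":
        # Available path closest to the start of the list. Assumption: on
        # SIGHUP the current path is skipped so that a switch takes place.
        candidates = [i for i in free if not (sighup and i == current)]
        return candidates[0] if candidates else HALT
    if mode == "rotation":
        # Circular order starting just after the current path.
        for step in range(1, n + 1):
            i = (current + step) % n
            if i in free:
                return i
        return HALT
    if mode == "onepass":
        # Linear order; SIGHUP restarts from the beginning of the list,
        # otherwise running off the end means there is nowhere to write.
        start = 0 if sighup else current + 1
        later = [i for i in free if i >= start]
        return later[0] if later else HALT
    raise ValueError("replacement mode must be preference, rotation or onepass")

if __name__ == "__main__":
    usage = [20, 100, 10]  # constructed sample: second path just filled up
    for mode in ("preference", "rotation", "onepass"):
        print(mode, "->", next_path(mode, usage, current=1))
```

With the second of three paths full, preference falls back to the first path, while rotation and onepass move on to the third.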

FILES
     /sat/satd.emergency-0	  "emergency" audit file, -0 through -9
     /sat/satd.reserve		  file to reserve 250,000 bytes for above
     /etc/init.d/audit		  system audit startup script
     /etc/config/audit		  configuration file, on if auditing is enabled
     /etc/config/satd.options	  optional file for site-dependent satd options
     /var/adm/sat		  default directory, specified in
				  /etc/init.d/audit

DIAGNOSTICS
     satd - ignoring path <pathname>
	  The specified output path doesn't exist or is not usable.  satd
	  ignores it and tries the next entry in the path list.

     path is neither directory, nor disk file
	  The specified output path can't be used because it isn't one of the
	  object types understood by satd.  satd ignores the path and tries
	  the next entry in the path list.

     Onepass path search complete
	  All the entries in the output path have been used.  Since satd has
	  nowhere to put its audit records, it exits.

     Preference path search fails
	  None of the entries in the output path are available for use.	 Since
	  satd has nowhere to put its audit records, it exits.

     Rotation path search fails
	  None of the entries in the output path are available for use.	 Since
	  satd has nowhere to put its audit records, it exits.

     can't fstatfs <pathname>
	  The specified output path doesn't exist or is in an unreadable
	  directory.  satd ignores it and tries the next entry in the path
	  list.

     path N percent full
	  The auditor is advised to prepare to move the output file to
	  permanent storage, because the output path will become full soon.

     can't open <pathname>
	  The specified output path can't be opened for write access, either
	  because it doesn't exist, or because it has restrictive permissions.

     opening path <pathname>
	  The specified output path is being opened for use.  This message is
	  only seen if satd was invoked with the -v option (verbose mode).

     closing directory file <pathname>
	  The file named in this message is being closed.  If room remains in
	  the filesystem, a new file is opened in the same directory.  The
	  auditor is advised to move the output file to permanent storage.

     null path pointer
	  An internal error has been encountered in satd.

     opened full path <pathname>
	  The specified output path was opened, but it cannot be written
	  because there is no space on the device.  It is closed, and the next
	  entry in the path list is tried.

     Valid directory path but can't open file
	  An internal error has been encountered in satd.

     satd - sighup received
	  A SIGHUP signal was caught, informing satd to replace the current
	  output path with another path from the list.	The new path is chosen
	  in accordance with the replacement strategy specified by the auditor
	  with the -r command line option.  This message is only seen if satd
	  was invoked with the -v option (verbose mode).

     satd - X asked but Y written
	  Although satd tried to write X bytes of data, it succeeded in
	  writing only Y bytes.

     Only use one replacement strategy at a time
	  More than one -r option was provided as a command line option.  The
	  three replacement strategies (onepass, preference, and rotation) are
	  mutually exclusive.  Reinvoke satd with consistent command line
	  arguments.

     Can't read sat buffer
	  Audit records can't be obtained from the kernel sat subsystem,
	  probably due to insufficient privilege or access rights.

     Can't write sat buffer
	  Even though satd was invoked with the -o command line option, it
	  cannot write audit records to standard output.

     Can't send sat buffer
	  Even though the output path has been opened successfully and is not
	  full, satd cannot write audit records to the path.

SEE ALSO
     kill(1), mkdir(1), mknod(1M), sat_interpret(1M), sat_reduce(1M),
     sat_select(1M), sat_summarize(1M), satread(2).
