How to configure your audit system with satconfig ================================================= Functions Found in the Menu Bar ------------------------------- Load You are prompted to specify a file to load events from. Files generated with the satconfig 'save' function are correctly formatted; so is configuration file /etc/config/sat_select.options. Each event toggle is set to the value specified in the selected file. Save The current settings of the event toggles are saved in a file. You are prompted to specify the name of the file. Exit Finish up with the satconfig program. The 'exit' menu item acts the same as the 'quit' push button. Select Factory Default Events Set the event toggles to the standard values as shipped by Silicon Graphics. Select Local Default Events Set the event toggles to the values you last chose, either when you used the satconfig 'apply' push button, or when you edited /etc/config/sat_select.options. Select Current Events Set the event toggles to the values which are currently in use by the kernel audit subsystem. The 'select current events' menu item acts the same as the 'revert' push button. Select All Events Set all event toggles 'on'. If you press the 'apply' push button with all events selected, you will begin collecting a huge volume of audit information. Select No Events Set all event toggles 'off'. If you press the 'apply' push button with no events selected, you will, in effect, turn off the audit subsystem. Help With Version Display the satconfig version number. Help Using Program Display the information you're reading now. Help Choosing Events Display a brief summary of each event. Picking the Right Set of Audit Events ------------------------------------- Clicking on one of the event names in the scrolled check box window toggles the state of the event. When the event is selected to be audited, the toggle button appears to be depressed; the upper left corner is dark shadowed, and the center of the toggle button is set to the highlight color. When the event is not selected to be audited, the toggle button appears to pop out of the screen; the lower right corner is dark shadowed, and the center of the toggle button is set to the application's background color. Not all the event toggle buttons fit on the screen at once. Use the scroll bar(s) to reveal hidden event toggle buttons. The events you have chosen are not audited by the system until you finalize your changes with the push buttons at the bottom of the satconfig main window. Finalizing Your Changes ----------------------- Apply When you press the 'apply' push button, satconfig causes the kernel to begin collecting audit records for the events you have specified, and /etc/config/ sat_select.options is filled with the state values you chose for the audit events. Your choices will be automatically reapplied each time you reboot. Revert When you press the 'revert' push button, any changes you've made to the event toggle buttons are lost, and the toggles reflect the set of events currently being audited by the system. Quit The 'quit' push button closes down satconfig. Customizing satconfig --------------------- Colors, fonts, strings and screen layout are all determined by resources in /usr/lib/X11/app-defaults/Satconfig. The default resource values may be overridden by values in your $HOME/.Xresources file. All satconfig resources are standard to motif, so you can learn more about them in the motif manual pages or in any standard motif textbook. Troubleshooting --------------- Although satconfig may be used by any user, only the superuser can access the kernel components of the audit system. Ordinary users won't be able to apply changes to the system, nor will they have the privileges necessary to write changes out to the system configuration file /etc/config/sat_select.options. If satconfig presents you with a privilege error dialog window, exit the program, become superuser, and run satconfig again. Where to Look for Additional Information ---------------------------------------- sat_select(1m) command line functionality equivalent to satconfig