Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > A

audomon(1M)

HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

NAME

audomon — audit overflow monitor daemon

SYNOPSIS

/usr/sbin/audomon [-p fss] [-t sp_freq] [-w warning] [-v] [-o output_tty] [-X string]

DESCRIPTION

audomon monitors the capacity of the current audit trail and the file system on which the audit trail is located. It prints out warning messages when either is approaching full. It also checks the audit trail and the file system against two switch points: FileSpaceSwitch (FSS) and AuditFileSwitch (AFS) If either is reached, audit recording automatically switches to an alternative audit trail. audomon also takes action at the switch point if there is a task specified with the -X option.

The FileSpaceSwitch (FSS) is specified as a percentage of the total disk space available. When the file system reaches this percentage, audomon looks for a backup audit trail. If it is available, recording is switched from the audit trail to the backup trail. If it is not available, the auditing system will create a new audit trail with the same base name but a different timestamp extension and begin recording to it.

The AuditFileSwitch (AFS) is specified (using audsys) by the size of the audit trail. When the audit trail reaches the specified size, audomon looks for a backup audit trail. If one is available, recording is switched from the audit trail to the backup trail (see audsys(1M) for more information). If it is not available, the auditing system will create a new audit trail with the same base name but a different timestamp extension and begin recording to it.

audomon issues a warning message, when either switch point is approached.

audomon is typically spawned by /sbin/init.d/auditing (as part of the init start-up process) when the system is booted up if the parameter AUDITING is set to 1 in file /etc/rc.config.d/auditing. It can also be started any time by a privileged user. Once invoked, audomon monitors, periodically sleeping and ``waking up'' at intervals. Note that audomon does not produce any messages when the audit system is disabled.

audomon is restricted to privileged users.

Options

-o output_tty

Specify the tty to which warning messages are directed. By default, warning messages are sent to the console.

Note that this applies to the diagnostic messages audomon generates messages concerning the status of the audit system, as well as the messages that the scheduled task (see -X string below) may print out to the stardard output and error file. Error messages caused by wrong usage of audomon are sent to the standard output (where audomon is invoked).

-p fss

Specify the FileSpaceSwitch by a number ranging from 0 to 100. When the file system that contains the current audit trail has less than fss percent free space remaining, audomon looks for a backup audit trail. If available, the backup trail is designated as the new audit trail. If no backup trail is available, the auditing system will create a new audit trail with the same base name but a different timestamp extension and begin recording to it.

The fss parameter must be a larger number than the min_free parameter of the file system to ensure that the switch takes place before min_free is reached. By default, fss is 20 percent.

-t sp_freq

Specify the wake-up switch-point frequency in minutes. The wake-up frequency is calculated based on sp_freq and the current capacity of the audit trail and the file system.

The calculated wake-up frequency at any time before the switch points is larger than sp_freq. As the size of the audit trail or the file system's free space approaches the switch points, the wake-up frequency approaches sp_freq. sp_freq can be any positive real number.

The default sp_freq is 1 (minute).

-w warning

Specify that warning messages be sent before the switch points. warning is an integer ranging from 0 through 100.

The higher the warning, the closer to the switch points warning messages are issued. For example, warning = 50 causes warning messages to be sent half-way before the switch points are reached. warning = 100 causes warning messages to be sent only after the designated switch points are reached and a switch is not possible due to a missing backup trail.

By default, warning is 90.

-v

Make audomon more verbose. This option causes audomon to also print out the next wake-up time.

-X string

Specify a command line to run after a successful audit trail switch. When the trail is switched from, say, OldTrail to NewTrail, audomon runs the command:

sh -c "string OldTrail"

The command string must be specified as an absolute path. Any shell meta-characters and wildcards are not expanded by audomon, but are expanded by the shell. The command will be executed with a real uid and effective uid of 0 in a non-chrooted environment.

The command must make minimal assumptions about the environment (for example, it needs to set environment variables such as PATH, its working directory, its groups etc as it needs).

Note: To use this feature, do not explicitly specify the next audit trail using audsys's -x option (see audsys(1M)).

EXAMPLES

Example 1:

# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"

  • This starts audomon daemon with the following expected behaviors, assuming auditing system was started using

# audsys -n -c /var/.audit/my_trail -s 1000

  • audomon sleeps at least 1 minute at intervals;

  • When the size of current audit trail reaches 1000 * 90% = 900 kbytes, or the file system that contains the current audit trail has reached (100%-20%) * 90% = 72% full, audomon will start printing out warning messages to the console;

  • When the size of current audit trail reaches 1000 kbytes, or the file system that contains the current audit trail has reached 100% - 20% = 80% full, audomon will switch recording data to:

    /var/.audit/my_trail.yyyymmddHHMM,

    where yyyymmddHHMM is replaced by the time when the switch has happened;

  • After the switch succeeded, audomon will invoke:

    sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"

    to copy /var/.audit/my_trail to a remote system assuming that is what the given script intends to do.

Example 2: To stop audomon daemon that is already running, use:

# kill `ps -e | awk '$NF~ /audomon/ {print $1}'`

WARNINGS

All modifications made to the audit system are lost upon reboot. To make the changes permanent, set AUDOMON_ARGS in /etc/rc.config.d/auditing.

AUTHOR

audomon was developed by HP.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.