NAME
audomon — audit overflow monitor daemon
SYNOPSIS
/usr/sbin/audomon
[-p
fss]
[-t
sp_freq]
[-w
warning]
[-v]
[-o
output_tty]
[-X
string]
DESCRIPTION
audomon
monitors the capacity of the current audit trail
and the file system on which the audit trail
is located. It prints out warning messages
when either is approaching full. It also checks
the audit trail and the file system against
two switch points:
FileSpaceSwitch
(FSS)
and
AuditFileSwitch
(AFS)
If either is reached, audit recording automatically
switches to an alternative audit trail.
audomon
also takes action at the switch point
if there is a task specified with the
-X
option.
The
FileSpaceSwitch
(FSS)
is specified as a percentage of the total disk space
available. When the file system reaches this percentage,
audomon
looks for a backup audit trail.
If it is available, recording is switched from
the audit trail to the backup trail.
If it is not available, the auditing system will create
a new audit trail with the same base name but a different
timestamp extension and begin recording to it.
The
AuditFileSwitch (AFS)
is specified (using
audsys)
by the size of the audit trail.
When the audit trail reaches the specified size,
audomon
looks for a backup audit trail.
If one is available, recording is switched from
the audit trail to the backup trail
(see
audsys(1M)
for more information).
If it is not available, the auditing system will
create a new audit trail with the same base name but a different
timestamp extension and begin recording to it.
audomon
issues a warning message,
when either switch point is approached.
audomon
is typically spawned by
/sbin/init.d/auditing
(as part of the
init
start-up process) when the system is booted up
if the parameter
AUDITING
is set to 1 in file
/etc/rc.config.d/auditing.
It can also be started any time by a privileged user.
Once invoked,
audomon
monitors, periodically sleeping and ``waking up'' at intervals.
Note that
audomon
does not produce any messages when the audit system is disabled.
audomon
is restricted to privileged users.
Options
- -o output_tty
Specify the tty to which warning messages are directed.
By default, warning messages are sent to the console.
Note that this applies to the diagnostic messages
audomon
generates messages concerning the status of the audit system,
as well as the messages that the scheduled task
(see
-X string
below)
may print out to the stardard output and error file.
Error messages caused by wrong usage of
audomon
are sent to the standard output (where
audomon
is invoked).
- -p fss
Specify the
FileSpaceSwitch
by a number ranging from 0 to 100. When
the file system that contains the current audit trail has less than
fss
percent free space remaining,
audomon
looks for a backup audit trail. If available,
the backup trail is designated as
the new audit trail.
If no backup trail is available, the
auditing system will create a new audit trail with
the same base name but a different timestamp extension
and begin recording to it.
The
fss
parameter must be a larger number than the
min_free
parameter of the file system to ensure that
the switch takes place before
min_free
is reached.
By default,
fss
is 20 percent.
- -t sp_freq
Specify the wake-up switch-point frequency in minutes.
The wake-up frequency is calculated based on
sp_freq
and the current capacity of the audit trail
and the file system.
The calculated wake-up frequency
at any time before the switch points is larger than
sp_freq.
As the size of the audit trail or
the file system's free space approaches the switch points,
the wake-up frequency approaches
sp_freq.
sp_freq
can be any positive real number.
The default
sp_freq
is 1 (minute).
- -w warning
Specify that warning messages be sent before the switch points.
warning
is an integer ranging from 0 through 100.
The higher the
warning,
the closer to the switch points warning messages are issued.
For example,
warning
= 50 causes warning messages to be sent half-way
before the switch points are reached.
warning
= 100 causes warning messages to be sent
only after the designated switch points are reached and
a switch is not possible due to a missing backup trail.
By default,
warning
is 90.
- -v
Make
audomon
more verbose. This option causes
audomon
to also print out the next wake-up time.
- -X string
Specify a command line to run after
a successful audit trail switch.
When the trail is switched from, say, OldTrail to NewTrail,
audomon
runs the command:
sh -c "string OldTrail"
The command string must be specified as an absolute path.
Any shell meta-characters and wildcards are
not
expanded by
audomon,
but are expanded by the shell.
The command will be executed with a real uid and
effective uid of 0 in a non-chrooted environment.
The command must make minimal assumptions about
the environment (for example, it needs to set environment
variables such as
PATH,
its working directory, its groups
etc as it needs).
Note: To use this feature, do not explicitly specify the next audit trail
using
audsys's -x option (see
audsys(1M)).
EXAMPLES
Example 1:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
This starts
audomon
daemon with the following expected behaviors,
assuming auditing system was started using
# audsys -n -c /var/.audit/my_trail -s 1000
audomon
sleeps at least 1 minute at intervals;
When the size of current audit trail reaches
1000 * 90% = 900 kbytes,
or the file system
that contains the current audit trail
has reached (100%-20%) * 90% = 72% full,
audomon
will start printing out warning messages to the console;
When the size of current audit trail reaches 1000 kbytes,
or the file system that contains the current audit trail
has reached 100% - 20% = 80% full,
audomon
will switch recording data to:
/var/.audit/my_trail.yyyymmddHHMM,
where
yyyymmddHHMM
is replaced by the time when the switch has happened;
After the switch succeeded,
audomon
will invoke:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
to copy
/var/.audit/my_trail
to a remote system assuming that is what the given script intends to do.
Example 2:
To stop
audomon
daemon that is already running, use:
# kill `ps -e | awk '$NF~ /audomon/ {print $1}'`
WARNINGS
All modifications made to the audit system are lost upon reboot.
To make the changes permanent, set
AUDOMON_ARGS
in
/etc/rc.config.d/auditing.
AUTHOR
audomon
was developed by HP.
Printable version
