Administrator's Guide
9.5.2 Monitoring and Managing Audit Trails
The audit overflow monitor daemon (audomon) is used to monitor and manage audit
trails. The audomon daemon is started automatically when auditing is started at system
boot time (AUDITING=1 in /sbin/init.d/auditing). The audomon daemon can
also be started by a privileged user. Once started, the audomon daemon monitors the
capacity of the current audit trail and the file system it resides on. The following is an
example of how to start the audomon daemon:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
This command starts the audomon daemon with the following behavior, assuming the
auditing system was started with the following command:
# audsys -n -N 2 -c /var/.audit/my_trail -s 400
• audomon sleeps for intervals of at least one minute
• When the size of the current audit trail reaches 4500 Kb, or the file system on which
the audit trail resides becomes 80% full, the audomon daemon stops recording data
to the current audit trail and starts recording a new audit trail:
/var/.audit/my_trail.yyyymmddHHMM
• After the switch to the new audit trail succeeds, the audomon daemon invokes the
following command:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
This script is site specific and may be used to copy the old audit trail, perform data
backup or archival functions, and create audit reports. For more information about
the audomon daemon, see audomon(1).
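The -X script itself is site specific and is not supplied with the system. The following is an added example of such a script, not taken from this guide or from HP-UX, written to be invoked the way audomon invokes it above (host name, then the trail base path). It locates the most recently switched-out trail (the copy carrying the yyyymmddHHMM suffix), copies it into a local staging directory, verifies the copy by checksum before trusting it, and logs the result; ARCHIVE_DIR and the staging-to-local-directory step stand in for whatever remote copy the site actually uses.

```shell
#!/bin/sh
# Example audomon -X handler, invoked as: rcp_audit_trail <hostname> <trail-base-path>
# Added example, not part of the HP-UX guide. ARCHIVE_DIR is an assumed
# site-specific staging area for switched-out trails.
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/.audit/archive}"

# Print the newest switched-out trail for a base path: the files are named
# <base>.yyyymmddHHMM, so lexical order is date order and the live trail
# (no suffix) never matches the pattern.
latest_switched_trail() {
    ls -1 "$1".[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] 2>/dev/null | tail -n 1
}

# Copy the newest switched-out trail to ARCHIVE_DIR, verify it, record it.
# Prints the archived path on success; returns non-zero on any failure so
# the original trail is left in place rather than silently lost.
archive_trail() {
    host="$1"
    base="$2"
    trail=$(latest_switched_trail "$base")
    [ -n "$trail" ] || { echo "no switched-out trail for $base" >&2; return 1; }
    mkdir -p "$ARCHIVE_DIR" || return 1
    dest="$ARCHIVE_DIR/$host.$(basename "$trail")"
    cp -p "$trail" "$dest" || return 1
    # Compare CRC and size of source and copy before reporting success.
    if [ "$(cksum < "$trail")" != "$(cksum < "$dest")" ]; then
        echo "checksum mismatch archiving $trail" >&2
        rm -f "$dest"
        return 1
    fi
    # Audit data is sensitive: keep the archived copy owner-only.
    chmod 600 "$dest"
    # Append an archival record with the checksum for later verification.
    printf '%s %s %s\n' "$(date '+%Y%m%d%H%M')" "$dest" "$(cksum < "$dest")" \
        >> "$ARCHIVE_DIR/archive.log"
    printf '%s\n' "$dest"
}

# When run by audomon with two arguments, archive the trail.
if [ $# -eq 2 ]; then
    archive_trail "$1" "$2"
fi
```

Site-specific steps (remote copy, report generation) would follow the checksum verification, so that a failed transfer is noticed before the original is removed.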
CAUTION:
• If the file system containing the audit trail is full, any non-root process that generates
audit data will block inside the kernel. Also, if a non-root process is connected to
the system terminal, it will be terminated. For details see the WARNINGS section
of audsys(1M).
• The root file system should not be used for storing audit trails to avoid filling up the
root file system and causing processes to fail or hang.
TIP: HP recommends that you write a script to carry out your long term strategy for
data storage and pass it to the audomon daemon using the -X option.
The audomon command recognizes the following options:
-p fss The minimum percentage of space left on the file system that contains
the primary audit log file before the auditing system switches to the
auxiliary log file. The default fss value is 20%.
9.5 Audit Trails 181