audomon.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

audomon(1M) audomon(1M)

NAME

audomon - audit overﬂow monitor daemon

SYNOPSIS

/usr/sbin/audomon

[ -p fss ][-t

sp_freq ][-w warning ][-v ][-o output ][

-X string ]

DESCRIPTION

audomon monitors the capacity of the current audit trail and the ﬁle system on which the audit trail is

located. audomon prints out warning messages when either capacity is approaching full.

audomon also

checks the audit trail and the ﬁle system against two switch points: FileSpaceSwitch (FSS) and Audit-

FileSwitch (AFS). If either switch point is reached, audit recording automatically switches to an alterna-

tive audit trail.

audomon also takes action at the switch point if there is a task speciﬁed with the

-X

option.

The FileSpaceSwitch (FSS) is speciﬁed as a percentage of the total disk space available. When the ﬁle

system reaches this percentage,

audomon looks for a backup audit trail. If the backup audit trail is

available, recording is switched from the audit trail to the backup trail. If the backup audit trail is not

available, then the auditing system creates a new audit trail with the same base name but a different

timestamp extension. The auditing system begins recording to the new audit trail.

The AuditFileSwitch (AFS) is speciﬁed (using

audsys) by the size of the audit trail. When the audit

trail reaches the speciﬁed size,

audomon looks for a backup audit trail. If a backup audit trail is avail-

able, recording is switched from the audit trail to the backup trail (see audsys (1M) for more information).

If a backup audit trail is not available, then the auditing system creates a new audit trail with the same

base name but a different timestamp extension. The auditing system begins recording to the new audit

trail.

audomon issues a warning message, when either switch point is approached.

audomon is typically spawned by /sbin/init.d/auditing

(as part of the init start-up process)

when the system is booted up if the parameter AUDITING is set to 1 in ﬁle

/etc/rc.config.d/auditing

. audomon can also be started any time by a privileged user. Once

invoked,

audomon monitors, periodically sleeping and "waking up" at intervals. Note that

audomon

does not produce any messages when the audit system is disabled.

audomon is restricted to privileged users.

Options

audomon recognizes the following options:

-o output Specify the ﬁle or tty to which warning messages are directed. By default, warning

messages are sent to the console.

Note that the warning messages apply to the diagnostic messages that

audomon

generates messages concerning the status of the audit system, as well as the mes-

sages that the scheduled task (see -X string below) may print out to the standard

output and error ﬁle. Error messages caused by wrong usage of audomon are sent

to the standard output (where audomon is invoked).

Note: The ﬁle given to the

-o option must exist and must be writable by the user

who started audomon (normally root during system startup) according to the

access() system call. See access (2).

-p fss Specify the FileSpaceSwitch by a number ranging from 0 to 100. When the ﬁle sys-

tem that contains the current audit trail has less than fss percent free space

remaining, audomon looks for a backup audit trail. If available, the backup trail is

designated as the new audit trail. If no backup trail is available, the auditing sys-

tem creates a new audit trail with the same base name but a different timestamp

extension and begins recording to it.

The fss parameter must be a larger number than the min_free parameter of the ﬁle

system to ensure that the switch takes place before min_free is reached. By default,

fss is 20 percent.

-t sp_freq Specify the wake-up switch-point frequency in minutes. The wake-up frequency is

calculated based on sp_freq and the current capacity of the audit trail and the ﬁle

system.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
audomon(1M) audomon(1M) NAME audomon - audit overflow monitor daemon SYNOPSIS /usr/sbin/audomon [ -p fss ] [ -t sp_freq ] [ -w warning ] [ -v ] [ -o output ] [ -X string ] DESCRIPTION audomon monitors the capacity of the current audit trail and the file system on which the audit trail is located. audomon prints out warning messages when either capacity is approaching full. audomon also checks the audit trail and the file system against two switch points: FileSpaceSwitch (FSS) and AuditFileSwitch (AFS).
PAGE 2
audomon(1M) audomon(1M) The calculated wake-up frequency at any time before the switch points is larger than sp_freq . As the size of the audit trail or the file system’s free space approaches the switch points, the wake-up frequency approaches sp_freq . sp_freq can be any positive real number. The default sp_freq is 1 (minute). -w warning A Specify that warning messages be sent before the switch points. warning is an integer ranging from 0 through 100.
PAGE 3
audomon(1M) audomon(1M) Example 2: To stop audomon daemon that is already running, use: # kill ‘ps -e | awk ’$NF˜ /audomon/ {print $1}’‘ WARNINGS All modifications made to the audit system are lost upon reboot. To make the changes permanent, set AUDOMON_ARGS in /etc/rc.config.d/auditing. AUTHOR audomon was developed by HP. A SEE ALSO audsys(1M), audit(5).
PAGE 4
(Notes) A (Notes) aA 4 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010