audomon.1m (2010 09)
audomon(1M) audomon(1M)
The calculated wake-up frequency at any time before the switch points is larger than sp_freq. As the size of the audit trail or the file system’s free space approaches the switch points, the wake-up frequency approaches sp_freq. sp_freq can be any positive real number.
The default sp_freq is 1 (minute).
-w warning Specify that warning messages be sent before the switch points. warning is an integer ranging from 0 through 100.
The higher the warning, the closer to the switch points warning messages are issued. For example, warning set to 50 causes warning messages to be sent halfway before the switch points are reached. warning set to 100 causes warning messages to be sent only after the designated switch points are reached and a switch is not possible due to a missing backup trail.
By default, warning is 90.
Note: The warning message is not sent if the audit trail size grows beyond the switch points in between two consecutive audomon wakeup intervals. In this case, audomon only performs the switch to next audit trail.
-v Make audomon more verbose. This option causes audomon to also print out the next wake-up time.
-X string Specify a command line to run after a successful audit trail switch. When the trail is switched from, for example, OldTrail to NewTrail, audomon runs the command:
sh -c "string OldTrail"
The command string must be specified as an absolute path. Any shell meta-characters and wildcards are not expanded by audomon, but are expanded by the shell. The command is executed with a real uid and effective uid of 0 in a non-chrooted environment.
The command must make minimal assumptions about the environment. For example, the command needs to set environment variables such as PATH, its working directory, and its groups.
Note: To use this feature, do not explicitly specify the next audit trail using audsys’s -x option (see audsys(1M)).
EXAMPLES
Example 1:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
The above command starts the audomon daemon with the following expected behaviors, assuming the auditing system was started using
# audsys -n -c /var/.audit/my_trail -s 1000
• audomon sleeps at least 1 minute at intervals.
• When the size of current audit trail reaches 1000 * 90% = 900 kbytes, or the file system that contains the current audit trail has reached (100%-20%) * 90% = 72% full, audomon starts printing out warning messages to the console.
• When the size of current audit trail reaches 1000 kbytes, or the file system that contains the current audit trail has reached 100% - 20% = 80% full, audomon switches recording data to:
/var/.audit/my_trail.yyyymmdd_HHMM
where yyyymmdd_HHMM is replaced by the time when the switch has happened.
• After the switch succeeds, audomon invokes the following command:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
to copy /var/.audit/my_trail to a remote system, assuming that is what the given script intends to do.
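A skeleton for a -X hook that follows the environment requirements stated under the -X option. This is an added example, not HP-supplied code; the function names, the AUDIT_DIR variable and the path checks are assumptions, and supplementary groups are left as inherited.

```shell
#!/usr/bin/sh
# Hypothetical post-switch hook for "audomon -X" (added example, not HP code).
# audomon runs: sh -c "<-X string> OldTrail", so OldTrail is the last argument.

AUDIT_DIR=${AUDIT_DIR:-/var/.audit}   # assumed trail directory (from Example 1)

# audomon runs the hook as uid 0 and guarantees nothing about the
# environment, so establish a known one before doing any work.
harden_env() {
    PATH=/usr/bin:/usr/sbin; export PATH
    unset IFS            # restore default field splitting
    umask 077            # anything the hook creates is root-only
    cd / || return 1
}

# Print the last positional argument (the OldTrail appended by audomon).
last_arg() {
    [ "$#" -gt 0 ] || return 1
    for _a in "$@"; do :; done
    printf '%s\n' "$_a"
}

# Accept only a regular, non-symlink file located directly in AUDIT_DIR.
validate_trail() {
    case $1 in
        "$AUDIT_DIR"/*) ;;
        *) return 1 ;;
    esac
    case ${1#"$AUDIT_DIR"/} in
        ''|*/*) return 1 ;;          # no subdirectories, no ../ traversal
    esac
    [ -f "$1" ] && [ ! -h "$1" ]
}

hook_main() {
    harden_env || return 1
    trail=$(last_arg "$@") || return 1
    if ! validate_trail "$trail"; then
        echo "refusing unexpected trail path: $trail" >&2
        return 2
    fi
    # Placeholder: the real copy/archive step for "$trail" goes here.
    echo "would process $trail"
}

# Run only when invoked with arguments, as audomon does.
[ "$#" -eq 0 ] || hook_main "$@"
```

Because the -X string is passed through sh -c as root, keep it to a fixed absolute path plus literal arguments so the shell has nothing to expand.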
2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010