HP-UX Reference (11i v3 07/02) - 1M System Administration Commands A-M (vol 3)

audomon(1M)
The higher the warning value, the closer to the switch points the warning messages are issued. For example, warning = 50 causes warning messages to be sent half-way before the switch points are reached. warning = 100 causes warning messages to be sent only after the designated switch points are reached and a switch is not possible due to a missing backup trail.
By default, warning is 90.
-v Make audomon more verbose. This option causes audomon to also print out the next wake-up time.
-X string Specify a command line to run after a successful audit trail switch. When the trail is switched from, say, OldTrail to NewTrail, audomon runs the command:
sh -c "string OldTrail"
The command string must be specified as an absolute path. Any shell meta-characters and wildcards are not expanded by audomon, but are expanded by the shell. The command will be executed with a real uid and effective uid of 0 in a non-chrooted environment.
The command must make minimal assumptions about the environment (for example, it needs to set environment variables such as PATH, its working directory, its groups, etc. as it needs).
Note: To use this feature, do not explicitly specify the next audit trail using audsys's -x option (see audsys(1M)).
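A hook script of the kind the -X option expects, added here as an example; it is not HP's rcp_audit_trail and is not part of this manual page. It assumes it is installed as /usr/local/bin/archive_audit_trail and that audomon is started with -X "/usr/local/bin/archive_audit_trail", so the only argument audomon appends is the path of the old trail; ARCHIVE_DIR is an assumed local destination used in place of the remote copy the manual's example performs. Because the hook runs with uid 0 outside any chroot, it pins PATH, umask and the working directory itself, and it accepts only an absolute, regular trail path made of safe characters before touching it.

```shell
#!/bin/sh
# Hypothetical audomon -X hook (example only, not HP's rcp_audit_trail).
# audomon invokes it as:  sh -c "/usr/local/bin/archive_audit_trail OldTrail"
# so $1 is the absolute path of the trail that was just switched away from.

# The hook inherits whatever environment audomon has, and runs as uid 0:
# make no assumptions and pin PATH, umask and the working directory.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH
umask 077
cd / || exit 1

# ARCHIVE_DIR is an assumed location for this example.
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/.audit/archive}

# validate_trail PATH: accept only an absolute, readable regular file whose
# name contains no ".." component and only characters from a safe whitelist.
validate_trail() {
    case "$1" in
        /*) ;;
        *)  echo "hook: trail path is not absolute: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *..*) echo "hook: refusing path with '..': $1" >&2; return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -q '[^A-Za-z0-9_./-]'; then
        echo "hook: refusing path with unsafe characters: $1" >&2
        return 1
    fi
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "hook: not a readable regular file: $1" >&2
        return 1
    fi
    return 0
}

# archive_trail OLD_TRAIL DEST_DIR: copy the closed trail into DEST_DIR with a
# timestamp suffix and mode 0600, verify the copy by size, and print the copy's
# path on success (return 0) or a reason on stderr on failure (return 1).
archive_trail() {
    trail=$1
    dest=$2
    validate_trail "$trail" || return 1
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    target="$dest/$(basename "$trail").$stamp"
    cp "$trail" "$target" || return 1
    chmod 600 "$target" || return 1
    # Do not trust cp's exit status alone: compare byte counts of both files.
    src_size=$(wc -c < "$trail" | tr -d ' ')
    dst_size=$(wc -c < "$target" | tr -d ' ')
    if [ "$src_size" -ne "$dst_size" ]; then
        echo "hook: size mismatch copying $trail to $target" >&2
        return 1
    fi
    echo "$target"
    return 0
}

# Entry point when audomon runs the script; does nothing when no trail is given.
if [ -n "$1" ]; then
    archive_trail "$1" "$ARCHIVE_DIR" || exit 1
fi
```

The whitelist on the path is deliberately stricter than what audomon itself requires: the argument is interpolated into a `sh -c` string, so a hook that ever re-expands it in another shell command should not accept metacharacters at all. Keeping the copy readable only by root (umask 077, chmod 600) preserves the confidentiality of the audit records, which otherwise depends entirely on the permissions of /var/.audit.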
EXAMPLES
Example 1:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
This starts the audomon daemon with the following expected behaviors, assuming the auditing system was started using
# audsys -n -c /var/.audit/my_trail -s 1000
audomon sleeps at least 1 minute at intervals;
When the size of the current audit trail reaches 1000 * 90% = 900 kbytes, or the file system that contains the current audit trail has reached (100%-20%) * 90% = 72% full, audomon will start printing out warning messages to the console;
When the size of the current audit trail reaches 1000 kbytes, or the file system that contains the current audit trail has reached 100% - 20% = 80% full, audomon will switch recording data to:
/var/.audit/my_trail.yyyymmddHHMM,
where yyyymmddHHMM is replaced by the time when the switch has happened;
After the switch succeeded, audomon will invoke:
sh -c "/usr/local/bin/rcp_audit_trail hostname /var/.audit/my_trail"
to copy /var/.audit/my_trail to a remote system, assuming that is what the given script intends to do.
Example 2: To stop an audomon daemon that is already running, use:
# kill `ps -e | awk '$NF ~ /audomon/ {print $1}'`
WARNINGS
All modifications made to the audit system are lost upon reboot. To make the changes permanent, set
AUDOMON_ARGS in /etc/rc.config.d/auditing.
AUTHOR
audomon was developed by HP.
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 51