audomon(1M)

NAME
audomon - audit overflow monitor daemon
SYNOPSIS
fss] sp_freq] warning] output] string]
DESCRIPTION
audomon monitors the capacity of the current audit trail and the file
system on which the audit trail is located. audomon prints out warning
messages when either capacity is approaching full. audomon also checks
the audit trail and the file system against two switch points:
FileSpaceSwitch (FSS) and AuditFileSwitch (AFS). If either switch point
is reached, audit recording automatically switches to an alternative
audit trail. audomon also takes action at the switch point if there is a
task specified with the option.

The FileSpaceSwitch (FSS) is specified as a percentage of the total
disk space available. When the file system reaches this percentage,
audomon looks for a backup audit trail. If the backup audit trail is
available, recording is switched from the audit trail to the backup
trail. If the backup audit trail is not available, then the auditing
system creates a new audit trail with the same base name but a different
timestamp extension. The auditing system begins recording to the new
audit trail.

The AuditFileSwitch (AFS) is specified (using by the size of the audit
trail. When the audit trail reaches the specified size, audomon looks
for a backup audit trail. If a backup audit trail is available,
recording is switched from the audit trail to the backup trail (see
audsys(1M) for more information). If a backup audit trail is not
available, then the auditing system creates a new audit trail with the
same base name but a different timestamp extension. The auditing system
begins recording to the new audit trail.

audomon issues a warning message when either switch point is approached.

audomon is typically spawned by (as part of the start-up process) when
the system is booted up if the parameter AUDITING is set to 1 in file can
also be started any time by a privileged user. Once invoked, audomon
monitors, periodically sleeping and "waking up" at intervals. Note that
audomon does not produce any messages when the audit system is disabled.

audomon is restricted to privileged users.
Options
audomon recognizes the following options:

Specify the file or tty to which warning messages are directed. By
default, warning messages are sent to the console.
Note that the warning messages apply to the diagnostic messages
that audomon generates concerning the status of the audit system,
as well as the messages that the scheduled task (see below)
may print out to the standard output and error file. Error
messages caused by wrong usage of audomon are sent to the standard
output (where audomon is invoked).
Note: The file given to the option must exist and must be
writable by the user who started audomon (normally root during
system startup) according to the system call. See access(2).

Specify the FileSpaceSwitch by a number ranging from 0 to 100. When
the file system that contains the current audit trail has less than
fss percent free space remaining, audomon looks for a backup audit
trail. If available, the backup trail is designated as the new
audit trail. If no backup trail is available, the auditing system
creates a new audit trail with the same base name but a different
timestamp extension and begins recording to it.
The fss parameter must be a larger number than the min_free
parameter of the file system to ensure that the switch takes
place before min_free is reached. By default, fss is 20 percent.

Specify the wake-up switch-point frequency in minutes.
The wake-up frequency is calculated based on sp_freq and the
current capacity of the audit trail and the file system.
The calculated wake-up frequency at any time before the switch
points is larger than sp_freq. As the size of the audit trail
or the file system's free space approaches the switch points,
the wake-up frequency approaches sp_freq. sp_freq can be any
positive real number.
The default sp_freq is 1 (minute).

Specify that warning messages be sent before the switch points.
warning is an integer ranging from 0 through 100.
The higher the warning, the closer to the switch points warning
messages are issued. For example, warning set to 50 causes
warning messages to be sent half-way before the switch points
are reached. warning set to 100 causes warning messages to be
sent only after the designated switch points are reached and a
switch is not possible due to a missing backup trail.
By default, warning is 90.
Note: The warning message is not sent if the audit trail size
grows beyond the switch points in between two consecutive
audomon wakeup intervals. In this case, audomon only performs the
switch to the next audit trail.

Make audomon more verbose. This option causes audomon to also print
out the next wake-up time.

Specify a command line to run after a successful audit trail switch.
When the trail is switched from, for example, OldTrail to NewTrail,
audomon runs the command:
The command string must be specified as an absolute path. Any
shell meta-characters and wildcards are not expanded by audomon but
are expanded by the shell. The command is executed with a real uid
and effective uid of 0 in a non-chrooted environment.
The command must make minimal assumptions about the environment.
For example, the command needs to set environment variables such
as its working directory, and its groups.
Note: To use this feature, do not explicitly specify the next
audit trail using audsys(1M).
EXAMPLES
Example 1:
The above command starts the audomon daemon with the following expected
behaviors, assuming the auditing system was started using
· audomon sleeps at least 1 minute at intervals.
· When the size of the current audit trail reaches 1000 * 90% = 900
kbytes, or the file system that contains the current audit
trail has reached (100%-20%) * 90% = 72% full, audomon starts
printing out warning messages to the console.
· When the size of the current audit trail reaches 1000 kbytes, or
the file system that contains the current audit trail has
reached 100% - 20% = 80% full, audomon switches recording data to:
where yyyymmdd_HHMM is replaced by the time when the switch has
happened.
· After the switch succeeds, audomon invokes the following command:
to copy to a remote system assuming that is what the given
script intends to do.
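
The threshold arithmetic from Example 1 can be checked with the following added example, which is not part of the HP manual page and is not HP code. The function names audit_thresholds and audit_state and the min_free value of 10 are assumptions made for illustration; the last sample shows the case from the warning note where the trail passes the switch point between two wake-ups.

```sh
#!/bin/sh
# Added illustration, not HP code. Function names are hypothetical.
# All inputs are integers: sizes in kbytes, everything else in percent.

# audit_thresholds AFS_KB FSS WARNING
# Prints: warn_kb switch_kb warn_full_pct switch_full_pct
audit_thresholds() {
    t_afs=$1; t_fss=$2; t_warn=$3
    t_switch_full=$((100 - t_fss))      # fss is a free-space percentage
    echo "$((t_afs * t_warn / 100)) $t_afs $((t_switch_full * t_warn / 100)) $t_switch_full"
}

# audit_state TRAIL_KB FS_FULL_PCT AFS_KB FSS WARNING MIN_FREE
# Prints OK, WARN, SWITCH, or BAD_FSS (fss is not larger than min_free).
audit_state() {
    s_trail=$1; s_full=$2; s_min_free=$6
    if [ "$4" -le "$s_min_free" ]; then
        echo BAD_FSS
        return 0
    fi
    # Reuse the positional parameters for the four thresholds.
    set -- $(audit_thresholds "$3" "$4" "$5")
    if [ "$s_trail" -ge "$2" ] || [ "$s_full" -ge "$4" ]; then
        echo SWITCH     # checked first: with warning=100 there is no early WARN
    elif [ "$s_trail" -ge "$1" ] || [ "$s_full" -ge "$3" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Constructed samples "trail_kb fs_full_pct", one per wake-up, using the
# Example 1 settings (AFS 1000 kbytes, fss 20, warning 90) and an assumed
# min_free of 10. The last sample jumps past the switch point between two
# wake-ups, so it goes straight to SWITCH without a preceding WARN.
for sample in "850 60" "900 60" "850 72" "850 80" "1200 60"; do
    set -- $sample
    echo "trail=${1}KB full=${2}% -> $(audit_state "$1" "$2" 1000 20 90 10)"
done
```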
Example 2: To stop the audomon daemon that is already running, use:
WARNINGS
All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set in
AUTHOR
audomon was developed by HP.
SEE ALSO
audsys(1M), audit(5).