Observes a program that may be untrustworthy.
watch [ -e Events ] [ -o File ] Command [ Parameter ... ]
The watch command permits the root user or a member of the audit group to observe the actions of a program that is thought to be untrustworthy. The watch command executes the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or the audit events you specify with the -e flag.
The watch command observes all the processes that are created while the program runs, including any child process. The watch command continues until all processes exit, including the process it created, to observe all the events that occur.
The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.
For the watch command to work, the auditing subsystem must not have been configured and enabled.
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user so it can access other audit subsystem commands and files, and have the trusted computing base attribute.
Mode | File |
---|---|
r | /dev/audit |
x | /usr/sbin/auditstream |
x | /usr/sbin/auditselect |
x | /usr/sbin/auditpr |
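A pre-flight check for the access modes listed above, as an added example that is not part of the original documentation. The function name and its optional path-prefix argument are assumptions made for illustration; it checks mode bits only, not ownership or the trusted computing base attribute.

```shell
#!/bin/sh
# Added example: verify the file modes the watch documentation lists.
# $1 (hypothetical parameter) is a prefix prepended to every path, so the
# check can be pointed at a mounted image or a test tree. Empty = live system.
# Note: -r and -x are evaluated for the calling user; run as root to mirror
# what the setuid watch command itself will see.

check_watch_prereqs() {
    root="${1:-}"
    rc=0

    # watch itself must be executable and setuid (Access Control paragraph).
    w="$root/usr/sbin/watch"
    if [ ! -x "$w" ]; then
        echo "FAIL: $w is missing or not executable"; rc=1
    elif [ ! -u "$w" ]; then
        echo "FAIL: $w does not have the setuid bit"; rc=1
    else
        echo "ok:   $w is executable and setuid"
    fi

    # The audit device must be readable (mode r in the table).
    d="$root/dev/audit"
    if [ -r "$d" ]; then
        echo "ok:   $d is readable"
    else
        echo "FAIL: $d is missing or not readable"; rc=1
    fi

    # The audit subsystem commands watch relies on (mode x in the table).
    for f in auditstream auditselect auditpr; do
        p="$root/usr/sbin/$f"
        if [ -x "$p" ]; then
            echo "ok:   $p is executable"
        else
            echo "FAIL: $p is missing or not executable"; rc=1
        fi
    done

    return "$rc"
}
```

Call `check_watch_prereqs` with no argument on the system itself; a non-zero return means at least one listed file does not have the documented mode.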
watch -e FILE_Open /usr/lpp/foo/bar -x
This command opens the audit device and executes the /usr/lpp/foo/bar command. It then reads all records and selects and formats those with the event type of FILE_Open.
watch /usr/sbin/installp xyzproduct
This command opens the audit device and executes the /usr/sbin/installp command. It then reads all records and formats them.
File | Description |
---|---|
/usr/sbin/watch | Contains the watch command. |
/dev/audit | Specifies the audit device from which the audit records are read. |
The audit command, auditbin daemon, auditcat command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.
The auditread subroutine.
To see the steps you must take to establish an Auditing System, refer to Setting Up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.
For general information about auditing, refer to Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.