
Commands Reference, Volume 6


watch Command

Purpose

Observes a program that may be untrustworthy.

Syntax

watch [ -e Events ] [ -o File ] Command [ Parameter ... ]

Description

The watch command permits the root user or a member of the audit group to observe the actions of a program that is thought to be untrustworthy. The watch command executes the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or the audit events you specify with the -e flag.

The watch command observes all the processes that are created while the program runs, including any child process. The watch command continues until all processes exit, including the process it created, to observe all the events that occur.

The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.

For the watch command to work, the auditing subsystem must not already be configured and enabled: the watch command opens the audit device itself and reads the records for the process tree it creates.

Flags


-e Events Specifies the events to be audited. The Events parameter is a comma-separated list of audit events that are defined in the /etc/security/audit/events file. The default value is all events.
-o File Specifies the path name of the output file. If the -o flag is not used, output is written to standard output.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user so it can access other audit subsystem commands and files, and have the trusted computing base attribute.

Files Accessed:

Mode File
r /dev/audit
x /usr/sbin/auditstream
x /usr/sbin/auditselect
x /usr/sbin/auditpr

Examples

  1. To watch all files opened by the bar command, enter:

    watch -e FILE_Open /usr/lpp/foo/bar -x
    

    This command opens the audit device and executes the /usr/lpp/foo/bar command. It then reads all records and selects and formats those with the event type of FILE_Open.

  2. To watch the installation of the xyzproduct program, which may be untrustworthy, enter:

    watch /usr/sbin/installp xyzproduct
    

    This command opens the audit device and executes the /usr/sbin/installp command. It then reads all records and formats them.
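The following POSIX sh script is an added example and is not part of the Commands Reference. It wraps the two examples above with the checks a practitioner wants before running watch: it verifies that every name given to -e is actually defined in /etc/security/audit/events (the page says only events defined there are valid), and it confirms that auditing is not already enabled before invoking /usr/sbin/watch by full path. The stanza layout of the sample events file and the "auditing off" line printed by audit query are assumptions about the AIX file and command formats; the sample file content is constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the AIX Commands Reference.

# sample_events_file DIR: write a constructed file in the layout assumed
# for /etc/security/audit/events ("Name = printf ..." lines under an
# "auditpr:" stanza, "*" comments) and print its path.
sample_events_file() {
    f="$1/events"
    cat >"$f" <<'EOF'
* constructed sample in the layout of /etc/security/audit/events
auditpr:
* file system events
        FILE_Open = printf "flags: %d mode: %o fd: %d filename: %s"
        FILE_Read = printf "file descriptor = %d"
        FILE_Write = printf "file descriptor = %d"
* process events
        PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
EOF
    printf '%s\n' "$f"
}

# check_events EVENTS FILE: EVENTS is the comma-separated list you would
# pass to "watch -e". Prints each event that FILE does not define and
# returns 1 if any is missing, 0 if all are defined. Catches a mistyped
# event name before the untrusted program is ever started.
check_events() {
    list="$1"; file="$2"; rc=0
    for ev in $(printf '%s' "$list" | tr ',' ' '); do
        # an event is defined by a line "<Name> = ..." (leading blanks allowed)
        if ! grep -Eq "^[[:space:]]*${ev}[[:space:]]*=" "$file"; then
            printf 'undefined event: %s\n' "$ev"
            rc=1
        fi
    done
    return $rc
}

# audit_is_inactive: watch requires the auditing subsystem not to be
# configured and enabled. Assumption: "audit query" prints a first line
# "auditing off" when it is not running. Returns 0 when watch may run.
audit_is_inactive() {
    /usr/sbin/audit query 2>/dev/null | grep -q '^auditing off'
}

# run_watch EVENTS OUTFILE COMMAND [PARAMETER ...]: run the checks, then
# invoke watch by full path (so no other "watch" on the PATH is picked up),
# formatting the selected records into OUTFILE instead of standard output.
run_watch() {
    events="$1"; out="$2"; shift 2
    check_events "$events" /etc/security/audit/events || return 1
    audit_is_inactive || {
        echo "auditing is already enabled; watch cannot open /dev/audit" >&2
        return 1
    }
    /usr/sbin/watch -e "$events" -o "$out" "$@"
}

# On an AIX host, the equivalent of Example 1 above, also recording each
# exec in the process tree and saving the formatted records to a file:
#   run_watch FILE_Open,PROC_Execute /tmp/bar.audit /usr/lpp/foo/bar -x
```

The event check is deliberately conservative: it only confirms that a name appears as a definition in the events file, so a name that is defined but not collected by the current kernel is still reported by watch itself, not by this script.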

Files


/usr/sbin/watch Contains the watch command.
/dev/audit Specifies the audit device from which the audit records are read.

Related Information

The audit command, auditbin daemon, auditcat command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.

The auditread subroutine.

To see the steps you must take to establish an Auditing System, refer to Setting Up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

For general information about auditing, refer to Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

