
Commands Reference, Volume 6

watch Command

Purpose

Observes a program that may be untrustworthy.

Syntax

watch [ -e Events ] [ -o File ] Command [ Parameter ... ]

Description

The watch command permits the root user or a member of the audit group to observe the actions of a program that is thought to be untrustworthy. The watch command executes the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or the audit events you specify with the -e flag.

The watch command observes all the processes that are created while the program runs, including any child process. The watch command continues until all processes exit, including the process it created, to observe all the events that occur.

The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.

For the watch command to work, the auditing subsystem must not have been configured and enabled.

Flags

-e Events Specifies the events to be audited. The Events parameter is a comma-separated list of audit events that are defined in the /etc/security/audit/events file. The default value is all events.
-o File Specifies the path name of the output file. If the -o flag is not used, output is written to standard output.
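The -e flag accepts only event names defined in /etc/security/audit/events. As an added illustration (not part of the AIX reference page), the shell wrapper below checks a comma-separated event list against the auditpr stanza of that file before invoking watch; it assumes the stanza layout `auditpr:` followed by indented `EVENT_Name = printf "..."` lines, and embeds a constructed excerpt of the file so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the AIX manual. Validates a watch -e event list
# against the names defined in the auditpr stanza of an events file.
# EVENTS_FILE defaults to a constructed sample so the script runs offline;
# on AIX you would point it at /etc/security/audit/events instead.
EVENTS_FILE="${EVENTS_FILE:-/tmp/events.constructed}"

write_sample_events() {
    # Constructed sample in the shape of /etc/security/audit/events.
    cat > "$EVENTS_FILE" <<'EOF'
auditpr:
        FILE_Open = printf "flags: %d mode: %o fd: %d filename: %s"
        FILE_Read = printf "fd: %d"
        PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
EOF
}

# Print the event names defined in the auditpr stanza, one per line.
# Stanza headers look like "name:" at column 0; entries are "EVENT = ...".
defined_events() {
    awk '/^[a-z]+:/ { in_pr = ($1 == "auditpr:"); next }
         in_pr && NF >= 2 && $2 == "=" { print $1 }' "$EVENTS_FILE"
}

# Return 0 when every name in the comma-separated list is defined;
# otherwise report the unknown names on stderr and return 1.
check_event_list() {
    _bad=""
    for _ev in $(printf '%s' "$1" | tr ',' ' '); do
        defined_events | grep -qx "$_ev" || _bad="$_bad $_ev"
    done
    [ -z "$_bad" ] && return 0
    echo "unknown audit event(s):$_bad" >&2
    return 1
}

# Validate the list, then run the AIX watch command as the reference shows:
# watch_checked EVENTS OUTFILE COMMAND [PARAMETER ...]
watch_checked() {
    _events="$1"; _out="$2"; shift 2
    check_event_list "$_events" || return 1
    watch -e "$_events" -o "$_out" "$@"
}

write_sample_events
```

A typo such as `FILE_Opne` is then caught before watch starts the possibly untrustworthy program with an empty event selection.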

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user so it can access other audit subsystem commands and files, and have the trusted computing base attribute.

Files Accessed:

Mode File
r /dev/audit
x /usr/sbin/auditstream
x /usr/sbin/auditselect
x /usr/sbin/auditpr

Examples

  1. To watch all files opened by the bar command, enter:

    watch -e FILE_Open /usr/lpp/foo/bar -x

    This command opens the audit device and executes the /usr/lpp/foo/bar command. It then reads all records and selects and formats those with the event type of FILE_Open.

  2. To watch the installation of the xyzproduct program, which may be untrustworthy, enter:

    watch /usr/sbin/installp xyzproduct

    This command opens the audit device and executes the /usr/sbin/installp command. It then reads all records and formats them.

Files

/usr/sbin/watch Contains the watch command.
/dev/audit Specifies the audit device from which the audit records are read.

Related Information

The audit command, auditbin daemon, auditcat command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.

The auditread subroutine.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to AIX 5L Version 5.2 Security Guide.

For more information about auditing, refer to Auditing Overview in AIX 5L Version 5.2 Security Guide.
