Observes a program that may be untrustworthy.
watch [ -e Events ] [ -o File ] Command [ Parameter ... ]
The watch command permits the root user or a member of the audit group to observe the actions of a program that is thought to be untrustworthy. The watch command executes the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or the audit events you specify with the -e flag.
The watch command observes all the processes that are created while the program runs, including any child process. The watch command continues until all processes exit, including the process it created, to observe all the events that occur.
The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.
For the watch command to work, the auditing subsystem must not have been configured and enabled.
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user so it can access other audit subsystem commands and files, and have the trusted computing base attribute.
Files Accessed:
Mode | File |
---|---|
r | /dev/audit |
x | /usr/sbin/auditstream |
x | /usr/sbin/auditselect |
x | /usr/sbin/auditpr |
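
The requirements above (root or audit group membership, an auditing subsystem that is not enabled, and the files in the table) can be checked before running watch. The following preflight is an added example, not part of the AIX documentation. The function names, the ROOT prefix argument used for testing, and the assumption that the first line of `audit query` reads "auditing off" when auditing is disabled are all choices made for this example.

```shell
# Preflight for the AIX watch command (added example, not IBM's code).

# in_list WORD ITEM...: succeed if WORD equals one of the ITEM arguments.
in_list() {
    want=$1; shift
    for item in "$@"; do
        [ "$item" = "$want" ] && return 0
    done
    return 1
}

# may_run_watch UID GROUPS: the caller must be root or a member of group audit.
may_run_watch() {
    [ "$1" = 0 ] && return 0
    in_list audit $2    # unquoted on purpose: split the group list into words
}

# audit_is_off TEXT: TEXT is the output of "audit query". Assumption: its
# first line is "auditing off" when the subsystem is not enabled.
audit_is_off() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    [ "$first" = "auditing off" ]
}

# preflight ROOT UID GROUPS QUERY: print each unmet requirement and return
# how many there were. ROOT is a path prefix ("" on a real system).
preflight() {
    root=$1; fails=0
    may_run_watch "$2" "$3" || { echo "caller is neither root nor in group audit"; fails=$((fails + 1)); }
    audit_is_off "$4" || { echo "auditing subsystem is enabled"; fails=$((fails + 1)); }
    [ -e "$root/dev/audit" ] || { echo "missing /dev/audit"; fails=$((fails + 1)); }
    [ -x "$root/usr/sbin/watch" ] || { echo "cannot execute /usr/sbin/watch"; fails=$((fails + 1)); }
    for bin in auditstream auditselect auditpr; do
        [ -f "$root/usr/sbin/$bin" ] || { echo "missing /usr/sbin/$bin"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# On AIX: preflight "" "$(id -u)" "$(id -Gn)" "$(audit query)" && watch Command
```
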
watch -e FILE_Open /usr/lpp/foo/bar -x
This command opens the audit device and executes the /usr/lpp/foo/bar command. It then reads all records and selects and formats those with the event type of FILE_Open.
watch /usr/sbin/installp xyzproduct
This command opens the audit device and executes the /usr/sbin/installp command. It then reads all records and formats them.
File | Description |
---|---|
/usr/sbin/watch | Contains the watch command. |
/dev/audit | Specifies the audit device from which the audit records are read. |
The audit command, auditbin daemon, auditcat command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.
The auditread subroutine.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to AIX 5L Version 5.2 Security Guide.
For more information about auditing, refer to Auditing Overview in AIX 5L Version 5.2 Security Guide.