watch Command

Purpose

Observes a program that might be untrustworthy.

Syntax

watch [-e Events] [-o File] [-X] Command [Parameter ... ]

Description

The watch command allows the root user or a member of the audit group to observe the actions of a program that are thought to be untrustworthy. The watch command starts the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or the audit events you specify with the -e flag.

The watch command observes all the processes that are created while the program runs, including any child process. The watch command continues until all processes exit, including the process it created, to observe all the events that occur.

The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.

For the watch command to work, the auditing subsystem is not configured and enabled.

Flags

Item Description
-e Events Specifies the events to be audited. The Events parameter is a comma-separated list of audit events that are defined in the /etc/security/audit/events file. The default value is all events.
-o File Specifies the path name of the output file. If the -o flag is not used, output is written to standard output.
-X Prints long user names when used with other flags that display user names. The upper limit is determined by the max_logname object data manager (ODM) attribute in the predefined attribute (PdAt) and customized attributes (CuAt) object classes. If a user name is greater than the max_logname attribute, it is truncated to the number of characters as specified by the max_logname attribute, minus 1 character.

Security

Access Control: This command grants execute (x) access to the root user and members of the audit group. The setuid command is set for the root user. This setting allows access to other audit subsystem commands and files, and to the trusted computing base attribute.

Files Accessed:

Mode File
r /dev/audit
x /usr/sbin/auditstream
x /usr/sbin/auditselect
x /usr/sbin/auditpr
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To watch all files opened by the bar command, enter: 
    watch -e FILE_Open /usr/lpp/foo/bar -x
    This command opens the audit device and issues the /usr/lpp/foo/bar command. It then reads all records and selects and formats the files with the event type of FILE_Open.
  2. To watch the installation of the xyzproduct program, that might be untrustworthy, enter: 
    watch /usr/sbin/installp xyzproduct
    This command opens the audit device and issues the /usr/sbin/installp command. It then reads all records and formats them.

Files

Item Description
/usr/sbin/watch Contains the watch command.
/dev/audit Specifies the audit device from which the audit records are read.