Observes a program that might be untrustworthy.
The watch command allows the root user or a member of the audit group to observe the actions of a program that is thought to be untrustworthy. The watch command starts the program you specify with the Command parameter, with or without any Parameter fields, and records all audit events or only the audit events you specify with the -e flag.
The watch command observes all processes that are created while the program runs, including any child process. To capture every event that occurs, the watch command continues until all of these processes exit, including the process it created.
The watch command formats the audit records and writes them to standard output or to a file you specify with the -o flag.
For the watch command to work, the auditing subsystem must not be configured and enabled.
Item | Description |
---|---|
-e Events | Specifies the events to be audited. The Events parameter is a comma-separated list of audit events that are defined in the /etc/security/audit/events file. The default value is all events. |
-o File | Specifies the path name of the output file. If the -o flag is not used, output is written to standard output. |
-X | Prints long user names when used with other flags that display user names. The upper limit is determined by the max_logname object data manager (ODM) attribute in the predefined attribute (PdAt) and customized attributes (CuAt) object classes. If a user name is greater than the max_logname attribute, it is truncated to the number of characters as specified by the max_logname attribute, minus 1 character. |
Access Control: This command grants execute (x) access to the root user and members of the audit group. The command is setuid to the root user, which allows access to other audit subsystem commands and files, and to the trusted computing base attribute.
Files Accessed:
Mode | File |
---|---|
r | /dev/audit |
x | /usr/sbin/auditstream |
x | /usr/sbin/auditselect |
x | /usr/sbin/auditpr |
watch -e FILE_Open /usr/lpp/foo/bar -x

This command opens the audit device and issues the /usr/lpp/foo/bar command. It then reads all records and selects and formats the records with the event type FILE_Open.

watch /usr/sbin/installp xyzproduct

This command opens the audit device and issues the /usr/sbin/installp command. It then reads all records and formats them.

Item | Description |
---|---|
/usr/sbin/watch | Contains the watch command. |
/dev/audit | Specifies the audit device from which the audit records are read. |
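The following wrapper is an added example and is not part of the AIX documentation or the watch command itself. It checks the event names passed to -e against the /etc/security/audit/events file before the untrusted program is started, so that a mistyped event name produces an error rather than an empty trace, and it writes the formatted records to a file with -o. The stanza layout it parses (`EventName = printf "..."` under the auditpr: stanza) and the DRY_RUN and EVENTS_FILE variables are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the AIX watch documentation.
# Assumes /etc/security/audit/events lists each event as
#     EventName = printf "..."
# inside the auditpr: stanza (an assumption of this example).

# check_events EVENTS_FILE EVENT_LIST
# Returns 0 when every event in the comma-separated EVENT_LIST is defined
# in EVENTS_FILE; otherwise lists the unknown names on stderr and returns 1.
check_events() {
    events_file=$1
    list=$2
    missing=""
    for ev in $(printf '%s\n' "$list" | tr ',' ' '); do
        # A defined event appears as "<spaces>EventName =" on its own line.
        if ! grep -q "^[[:space:]]*${ev}[[:space:]]*=" "$events_file"; then
            missing="$missing $ev"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'unknown audit events:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# watch_program OUTFILE EVENT_LIST COMMAND [ARGS...]
# Validates EVENT_LIST, then runs watch with -X (long user names), -e and -o.
# Set DRY_RUN=1 to print the command line instead of running it; set
# EVENTS_FILE to validate against a file other than the system default.
# watch must be started while the auditing subsystem is not configured
# and enabled, as the watch documentation requires.
watch_program() {
    out=$1
    evs=$2
    shift 2
    check_events "${EVENTS_FILE:-/etc/security/audit/events}" "$evs" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'watch -X -e %s -o %s %s\n' "$evs" "$out" "$*"
        return 0
    fi
    watch -X -e "$evs" -o "$out" "$@"
}

# Usage (mirrors the first example above, trace written to a file):
#   watch_program /var/tmp/foo_bar.trace FILE_Open,PROC_Execute /usr/lpp/foo/bar -x
```

Because watch follows every child process until all of them exit, the output file is complete only after the wrapper returns; review it afterwards rather than while the observed program is still running.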