NAME
audomon — audit overflow monitor daemon
SYNOPSIS
/usr/sbin/audomon
[-p
fss]
[-t
sp_freq]
[-w
warning]
[-v]
[-o
output_tty]
DESCRIPTION
audomon
monitors the capacity of the current audit file
and the file system on which the audit file is located,
and prints out warning messages when either is approaching full.
It also checks the audit file and the file system
against 2 switch points:
FileSpaceSwitch
(FSS)
and
AuditFileSwitch
(AFS)
and if either is reached, audit recording automatically switches
to the backup audit file if it is available.
The
FileSpaceSwitch
(FSS)
is specified as a percentage of the total disk space available.
When the file system reaches this percentage,
audomon
looks for a backup audit file.
If it is available,
recording is switched from the audit file to the backup file.
The
AuditFileSwitch
(AFS)
is specified (using
audsys(1M))
by the size of the audit file.
When the audit file reaches the specified size,
audomon
looks for a backup audit file.
If it is available, recording is switched
from the audit file to the backup file (see
audsys(1M)
for further information on use of this parameter).
If either switch point is reached but no backup file is available,
audomon
issues a warning message.
audomon
is typically spawned by
/sbin/init.d/auditing
(as part of the
init(1M)
start-up process) when the system is booted up.
Once invoked,
audomon
monitors, periodically sleeping and ``waking up'' at intervals.
Note that
audomon
does not produce any messages when the audit system is disabled.
audomon
is restricted to privileged users.
Options
- -p fss
Specify the
FileSpaceSwitch
by a number ranging from 0 to 100.
When the audit file's file system has less than
fss
percent free space remaining,
audomon
looks for a backup file.
If available, the backup file is designated as the new audit file.
If no backup file is available,
audomon
issues a warning message.
The
fss
parameter should be a larger number than the
min_free
parameter of the file system to ensure that the switch takes place before
min_free
is reached.
By default,
fss
is 20 percent.
- -t sp_freq
Specify the wake-up switch-point frequency in minutes.
The wake-up frequency at any other time is calculated based on
sp_freq
and the current capacity of the audit file and the file system.
The calculated wake-up frequency at any time
before the switch points is larger than
sp_freq.
As the size of the audit file or the file system's free space
approaches the switch points, the wake-up frequency approaches
sp_freq.
sp_freq
can be any positive real number.
Default
sp_freq
is 1 (minute).
- -w warning
Specify that warning messages be sent before the switch points.
warning
is an integer ranging from 0 through 100.
The higher the
warning,
the closer to the switch points warning messages are issued.
For example,
warning
= 50 causes warning messages to be sent half-way
before the switch points are reached.
warning
= 100 causes warning messages to be sent
only after the designated switch points are reached and
a switch is not possible due to a missing backup file.
By default,
warning
is 90.
- -v
Make audomon more verbose.
This option causes
audomon
to also print out the next wake-up time.
- -o output_tty
Specify the tty to which warning messages are directed.
By default, warning messages are sent to the console.
Note that this applies only to the diagnostic messages
audomon
generates concerning the status of the audit system.
Error messages caused by wrong usage of
audomon
are sent to the standard output (where
audomon
is invoked).
WARNINGS
All modifications made to the audit system are lost upon reboot.
To make the changes permanent, set
AUDOMON_ARGS
in
/etc/rc.config.d/auditing.
AUTHOR
audomon
was developed by HP.
