TechRepublic: Mastering system accounting in Linux
Nov 23, 2000, 16:37
(Other stories by Jim McIntyre)
"One of the first skills a Linux administrator should develop is the ability to monitor user activity on a Linux system. This skill often provides a first line of defense in discovering unauthorized activity. This Daily Drill Down discusses the monitoring tools that are available as part of the Linux operating system and demonstrates how to employ system accounting procedures to enhance system security."
"Connection accounting is the process of tracking current user logins and logouts. ... Several programs are involved in providing information related to connection accounting. This eliminates the need to run a specific daemon to initiate connection accounting."
"Process accounting encompasses all the procedures and commands used to monitor process activity. The data for process accounting is logged in the /var/log/pacct file. This file should be owned by root and should have its file permissions set at 600 (rw-------). The /var/log/pacct file must exist before process accounting can be activated. ... The /var/log/pacct file may be replaced with any file you would like to use for process accounting. Just remember to create the file and to set the permissions correctly. The command to activate process accounting must be run at each reboot."
"The files /var/log/utmp, /var/log/wtmp, and /var/log/pacct function as dynamic database files. Two of these files, /var/log/wtmp and /var/log/pacct, grow by having entries appended to them. On a busy network, these files can become quite large. Linux provides a program called logrotate that allows administrators to manage these files."
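The process accounting excerpt sets three preconditions for the accounting file: it must exist, be owned by root, and have mode 600. The script below checks them before accounting is switched on. It is an added example, not code from the TechRepublic article; the function name `check_pacct` and its optional expected-UID argument are assumptions of this example, and it relies on `stat -c` as found on Linux.

```shell
#!/bin/sh
# Added example: pre-flight check for a process accounting file.
# check_pacct FILE [EXPECTED_UID]
#   EXPECTED_UID defaults to 0 (root); the argument is an assumption of this
#   example so the check can be exercised on a scratch file.
# Prints one finding per line and returns non-zero if any requirement fails.
check_pacct() {
    file=$1
    want_uid=${2:-0}
    rc=0

    # A symlink means records land somewhere other than the audited path.
    if [ -L "$file" ]; then
        echo "BADTYPE: $file is a symbolic link"
        return 1
    fi
    if [ ! -e "$file" ]; then
        echo "MISSING: $file must exist before accounting is activated"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "BADTYPE: $file is not a regular file"
        return 1
    fi

    uid=$(stat -c %u "$file")    # numeric owner
    mode=$(stat -c %a "$file")   # octal permissions, e.g. 600

    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER: $file is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if [ "$mode" != "600" ]; then
        echo "MODE: $file has mode $mode, expected 600 (rw-------)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Run against the paths given on the command line, if any.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_pacct "$f"; done
fi
```

Because the excerpt notes that any file may stand in for /var/log/pacct, the path is an argument rather than a constant.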