Redhat Linux System Administration   «Prev  Next»
Lesson 4Process auditing
Objective Describe process auditing.
Process auditing refers to examining the process accounting logs and retrieving useful information.
You can use these logs to view the processes that have been executed, the amount of resources the processes used, who executed the processes, and on which machine they were executed. There are built-in utilities that will assist you in retrieving and viewing information on processes.
You can use the lastcomm command, which examines the logfile /var/log/pacct and displays, in most-recent-first order, all processes executed. This command also has the option to view all processes executed by a specific user, which could be helpful in analyzing exactly what an attacker has done to your machine. The dump-acct provides a complete dump of the process accounting file, although it is of little use unless you are very familiar with the file format. Support is also provided for summarizing resource usage of all executed commands by issuing the sa command, which summarizes accounting information on a per-process basis.
Processing Auditing Scenarios

Click the View Slide Show link to see examples of use and output of these commands.
View SlideShow
The next lesson describes user auditing.