Process auditing refers to examining the process accounting logs and retrieving useful information.
You can use these logs to view the processes that have been executed, the amount of resources the processes used,
who executed the processes, and on which machine they were executed.
There are built-in utilities that will assist you in retrieving and viewing information on processes.
You can use the
command, which examines the logfile
in most-recent-first order, all processes executed.
This command also has the option to view all processes executed by a specific user, which could be helpful in analyzing exactly what an
attacker has done to your machine. The
provides a complete dump of the process accounting file,
although it is of little use unless you are very familiar with the file format.
Support is also provided for summarizing resource usage of all executed commands by issuing the
command, which summarizes accounting information on a per-process basis.
Processing Auditing Scenarios
Click the View Slide Show
link to see examples of use and output of these commands.
The next lesson describes user auditing.