Lesson 5: User auditing
Objective: Describe user auditing in Redhat Linux.
Examining System Logs in Redhat Linux
User auditing refers to examining the system logs to determine information about user access. It is similar to process auditing in that it provides detailed information; however, this information is based on users instead of processes.
You should maintain long-term statistics by summarizing and combining the statistics each time you rotate the logs.
User auditing examines user access and provides you with information on what users have done, where they have connected from, when they have connected, and how long they stayed connected.
Support is provided for examining the resource usage of a particular user, based on the process accounting logs. The sa command provides summarized accounting information on a per-user basis.
The dump-utmp command provides a raw dump of the utmp file; however, it is of little use unless you are very familiar with the file format.
There are also commands that will aid you in determining when and how long users stay online. You can use the --user-summary argument to identify how long users remain online.
Also, the ac command lists how long different users have stayed connected to the system since the logs were last rotated.
The lastcomm command provides listings of when users connected, where they connected from, and for how long. This command lists login sessions, optionally for a specified user, in most-recent-first order.
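To make the utmp file format concrete, here is an added example (not part of this lesson) that parses raw utmp/wtmp records in Python and sums connect time per user the way ac -p does. It assumes the 384-byte glibc record layout of x86_64 Linux and uses constructed sample records rather than a real log file.

```python
import struct
from collections import defaultdict

# glibc utmp record on x86_64 Linux (384 bytes): type, pad, pid, line, id, user,
# host, exit status, session, tv_sec/tv_usec, addr_v6, reserved. Assumption:
# little-endian 64-bit host; 32-bit ABIs differ in size and layout.
UTMP_FMT = "<h2xi32s4s32s256s2h3i16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Yield one dict per record in a utmp/wtmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}

def session_totals(data):
    """Connect seconds per user: pair each USER_PROCESS with the next DEAD_PROCESS
    on the same tty; a BOOT_TIME record closes every open session (cf. ac -p)."""
    open_sessions = {}                       # tty line -> (user, login time)
    totals = defaultdict(int)
    for rec in parse_utmp(data):
        if rec["type"] == USER_PROCESS:
            open_sessions[rec["line"]] = (rec["user"], rec["time"])
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_sessions:
            user, start = open_sessions.pop(rec["line"])
            totals[user] += rec["time"] - start
        elif rec["type"] == BOOT_TIME:       # reboot/crash: no logout was written
            for user, start in open_sessions.values():
                totals[user] += rec["time"] - start
            open_sessions.clear()
    return dict(totals)
def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"")

# Constructed wtmp: alice logs in, bob logs in, alice logs out, then a reboot.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1_700_000_000),
    make_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.9", 1_700_000_600),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1_700_003_600),
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1_700_007_200),
])
if __name__ == "__main__":
    for user, secs in sorted(session_totals(SAMPLE_WTMP).items()):
        print(f"{user:<16}{secs / 3600:6.2f} hours")   # alice 1.00, bob 1.83
```

Pointing parse_utmp at the bytes of /var/log/wtmp on a matching host reproduces what dump-utmp prints, and the BOOT_TIME branch shows why totals after an unclean shutdown depend on the reboot record.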