Lesson 4 | Process auditing |
Objective | Describe process auditing. |
Process Auditing in Red Hat Linux
Process auditing refers to examining the process accounting logs and retrieving useful information from them.
You can use these logs to view which processes have been executed, how much CPU time and memory each process used, who executed the processes, and on which machine they were executed. Accounting records are only written while process accounting is switched on (with accton, or the psacct service on Red Hat), and the kernel writes each record when the process exits, so the logs describe completed processes, not those still running. There are built-in utilities that will assist you in retrieving and viewing information on processes.
You can use the lastcomm command, which examines the logfile /var/log/pacct and displays, in most-recent-first order, all processes that have been executed. lastcomm can also restrict its output to the processes executed by a specific user (or run from a specific terminal, or with a specific command name), which is helpful in reconstructing exactly what an attacker has done on your machine. Keep in mind what an accounting record does and does not contain: it stores the command name (truncated to 16 characters), the user and terminal, the start time and CPU time, and a few flags (for example, S when the command ran with superuser privileges), but not the command's arguments or its full path. An attacker who has gained root can also switch accounting off or truncate the file, so treat the accounting log as one source of evidence rather than a complete record. The dump-acct command provides a complete, raw dump of the process accounting file, although it is of little use unless you are familiar with the record format. Support is also provided for summarizing the resource usage of all executed commands by issuing the sa command, which by default summarizes accounting information per command (number of invocations and CPU time consumed) and can also report totals per user.
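As an added example (not part of the original lesson and not the code of lastcomm, dump-acct or sa themselves), the following Python script parses the raw accounting records that those utilities read and reproduces the two queries the lesson describes: a lastcomm-style listing, most recent first and filtered to one user, and an sa-style per-command summary of CPU usage. It assumes the ACCT_VERSION 3 record layout from linux/acct.h (64 bytes, little-endian, 16-byte command name, comp_t values as a 13-bit mantissa with a 3-bit base-8 exponent, 100 ticks per second); the sample records are constructed inline rather than read from a real /var/log/pacct, and their user IDs, PIDs and command names are made up.

```python
"""Parse Linux process-accounting (pacct) records and answer the questions
lastcomm and sa answer: which commands ran, by whom, and how much CPU they used.

Added example, not part of the original lesson. Assumes the ACCT_VERSION 3
record layout (struct acct_v3 in linux/acct.h, 64 bytes, little-endian).
The sample records below are constructed, not captured from a real system.
"""
import struct

# ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
# ac_btime, ac_etime (float), eight comp_t counters, ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")

# ac_flag bits from linux/acct.h; lastcomm prints them as F, S, D, X
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
CLOCK_TICKS = 100  # assumption: comp_t CPU times are in 1/100 s (AHZ)


def decode_comp_t(value):
    """comp_t is a 16-bit pseudo-float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * (value >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t, lossy for large values; used to build samples."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def make_record(comm, uid, pid, ppid, btime, utime_ticks, stime_ticks, flags=0):
    """Build one constructed acct_v3 record (tty, gid, exit code etc. left 0)."""
    return ACCT_V3.pack(
        flags, 3, 0, 0, uid, 0, pid, ppid, btime, 0.5,
        encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
        0, 0, 0, 0, 0, 0,
        comm.encode()[:16].ljust(16, b"\0"))


def parse_pacct(data):
    """Return one dict per 64-byte record, in file order (oldest exit first).

    The kernel appends a record when a process exits, and ac_comm holds only
    the program name (16 bytes): no arguments and no path are recorded.
    """
    records = []
    for off in range(0, len(data) - len(data) % ACCT_V3.size, ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, io, rw, minflt, majflt, swaps,
         comm) = ACCT_V3.unpack_from(data, off)
        if version != 3:
            raise ValueError(f"unsupported accounting record version {version}")
        flag_chars = ((AFORK, "F"), (ASU, "S"), (ACORE, "D"), (AXSIG, "X"))
        records.append({
            "comm": comm.split(b"\0", 1)[0].decode(errors="replace"),
            "uid": uid, "pid": pid, "ppid": ppid, "btime": btime,
            "utime": decode_comp_t(utime) / CLOCK_TICKS,
            "stime": decode_comp_t(stime) / CLOCK_TICKS,
            "flags": "".join(c for bit, c in flag_chars if flag & bit),
        })
    return records


def lastcomm(records, uid=None):
    """Like lastcomm(1): most recent first, optionally limited to one user."""
    chosen = [r for r in records if uid is None or r["uid"] == uid]
    return list(reversed(chosen))


def sa(records):
    """Like sa(1) default output: per-command call count and CPU seconds,
    heaviest consumer first."""
    totals = {}
    for r in records:
        t = totals.setdefault(r["comm"], {"calls": 0, "cpu": 0.0})
        t["calls"] += 1
        t["cpu"] += r["utime"] + r["stime"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1]["cpu"], reverse=True))


# Constructed sample file: four processes in exit order; uid 1000 is a
# hypothetical intruder account, uid 0 a root-owned daemon with the S flag.
T0 = 1_700_000_000
SAMPLE_PACCT = b"".join([
    make_record("bash", 1000, 4100, 4099, T0, 10, 5),
    make_record("nmap", 1000, 4123, 4100, T0 + 60, 300, 120),
    make_record("sshd", 0, 4000, 1, T0 - 30, 2, 3, flags=ASU),
    make_record("wget", 1000, 4130, 4100, T0 + 90, 20, 40),
])

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)
    print("lastcomm-style, uid 1000, most recent first:")
    for r in lastcomm(recs, uid=1000):
        print(f"  {r['comm']:<16} {r['flags']:<2} uid={r['uid']} "
              f"pid={r['pid']} cpu={r['utime'] + r['stime']:.2f}s")
    print("sa-style per-command summary:")
    for comm, t in sa(recs).items():
        print(f"  {comm:<16} calls={t['calls']} cpu={t['cpu']:.2f}s")
```

Against a real system you would pass the bytes of /var/log/pacct to parse_pacct instead of SAMPLE_PACCT; the point of the user filter and the reverse ordering is the same one lastcomm makes, and the summary shows why sa is the quicker way to spot an unusually CPU-hungry command. Because the format only carries the 16-character program name, a renamed binary shows up under its new name, which is one more reason to corroborate accounting data with other logs.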
Process Auditing Scenarios
The slide show below displays examples and output of these commands.
The next lesson describes user auditing.