System accounting involves the creation and maintenance of logs that keep track of:
- processes executed,
- user activity, and
- network connections.
These logs will provide you with valuable information to aid with troubleshooting and attack analysis.
The standard Linux remote access facilities, for example telnet and ftp, maintain logs of who is connecting to what, from where, and when.
There are also utilities that maintain logs of local network connections.
Whereas network connection logs are always maintained, process accounting logs, which track every executed process, are not.
You must explicitly enable process accounting on your machine. Fortunately, the Linux kernel provides this facility, so you only need to install and turn it on.
The main drawback of system accounting is the very large logfiles it produces.
You will therefore need to enable log rotation and archival procedures. Archival matters because you may not detect an attack until months later, so, if possible, back up all your logs for later reference.
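The rotation and archival procedure described above, as an added example that is not part of the original lesson: a POSIX shell routine that compresses the current accounting log into numbered generations, keeps only a bounded number of them, and copies each rotation into a long-term archive directory so the evidence survives for a months-later investigation. The log path, the retention count and the archive directory are assumptions passed in as arguments; on a real system this job is normally delegated to logrotate.

```shell
#!/bin/sh
# Added example, not from the original lesson. Paths, retention count and
# archive directory are assumptions supplied by the caller.

# rotate_log LOGFILE KEEP ARCHIVE_DIR
#   Shifts LOGFILE.N.gz to LOGFILE.(N+1).gz for N = KEEP-1 down to 1,
#   compresses the live LOGFILE into LOGFILE.1.gz, keeps at most KEEP
#   compressed generations, copies the newest generation into ARCHIVE_DIR
#   with a timestamp, and truncates LOGFILE in place so the accounting
#   facility keeps writing to the same file.
rotate_log() {
    log="$1"
    keep="$2"
    archive="$3"

    [ -f "$log" ] || return 1
    mkdir -p "$archive" || return 1

    # Drop the oldest generation, then shift the remaining ones up by one.
    rm -f "$log.$keep.gz"
    n=$((keep - 1))
    while [ "$n" -ge 1 ]; do
        if [ -f "$log.$n.gz" ]; then
            mv "$log.$n.gz" "$log.$((n + 1)).gz"
        fi
        n=$((n - 1))
    done

    # Compress the live log into generation 1, then start a fresh file.
    gzip -c "$log" > "$log.1.gz" || return 1
    : > "$log"

    # Long-term copy, stamped with the rotation time, for later review.
    cp "$log.1.gz" "$archive/$(basename "$log").$(date +%Y%m%d-%H%M%S).gz"
}

# count_generations LOGFILE: number of compressed generations on disk.
count_generations() {
    ls "$1".*.gz 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone usage: rotate.sh /path/to/pacct 7 /var/archive/acct
if [ "$#" -eq 3 ]; then
    rotate_log "$1" "$2" "$3"
fi
```

The live log is truncated rather than renamed so that a writer holding it open does not silently continue into a file that has just been moved out of the way. The archive name carries only a one-second timestamp, so two rotations within the same second would overwrite each other; a production script would add a sequence number.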
The next lesson describes process accounting.
It is possible to create a file system, for any supported file system type, on a disk or partition that you choose.
This is done with the mkfs command. While this is most useful for creating file systems on hard disk partitions, you can create file systems on floppy disks or re-writable CDs as well.
Here is an example of using mkfs to create a file system on a floppy disk: