User Accounting

Lesson 2: System accounting in Red Hat Linux
Objective: The objective of this lesson is to describe system accounting.

System Accounting in Red Hat Linux

System accounting in Red Hat Linux, also referred to as process accounting, is a method of capturing detailed information about system activity. Once it is switched on, the kernel appends a fixed-size record to the accounting file every time a process exits. The record holds the command name (truncated to 16 characters, without its arguments), the real user and group IDs, the controlling terminal, the start time, the elapsed, user and system CPU time, average memory use, I/O counts, the exit status, and a flags field that notes, among other things, whether the process used superuser privileges. Because the record is written at exit, a process that is still running has no entry yet. The purpose of system accounting is multifaceted, encompassing several critical aspects of system management and administration:
  1. Auditing: System accounting allows for comprehensive auditing of system activity. It keeps a record of every process run by every user, along with the CPU time and other resources consumed. This detailed log enables administrators to perform thorough audits of system activity and helps in identifying abnormal or suspicious activity.
  2. Performance Monitoring and Optimization: By providing detailed data on resource usage, system accounting aids in monitoring and analyzing the performance of the system. Administrators can use this data to identify resource-intensive processes, understand usage patterns, and optimize system performance.
  3. Troubleshooting: System accounting plays a critical role in troubleshooting system issues. When a problem occurs, the process accounting logs can provide valuable insights into the events leading up to the issue, making it easier to diagnose and resolve.
  4. Security: Process accounting contributes to maintaining system security. A record of every command executed helps detect unauthorized activity or a breach, and after an intrusion it shows what the attacker ran, as which user, and when. Bear in mind that the accounting file lives on the compromised host: an intruder who gains root can turn accounting off or truncate the file, so copy the records to a separate log host if you intend to rely on them as evidence.
  5. Capacity Planning: The resource usage data collected by system accounting assists in capacity planning. Understanding which processes consume the most resources and when peak usage times occur helps plan for system upgrades or modifications.
  6. User Accountability: System accounting promotes user accountability by recording each user's activities. This level of tracking discourages misuse and ensures that users can be held accountable for their actions.
  7. Forensics: In case of a security breach, system accounting records can serve as a valuable forensic tool to investigate the incident, identify the compromised components, and aid in recovery.

In essence, system accounting in Red Hat Linux is a powerful tool that gives system administrators detailed knowledge of what has run on their systems. It serves an indispensable role in auditing, performance optimization, troubleshooting, security, and capacity planning.
System accounting involves the creation and maintenance of logs that record
  1. the processes executed,
  2. user activity such as logins and logouts, and
  3. network connections.
These logs provide valuable information to aid with troubleshooting and attack analysis.
The standard Linux remote access facilities, for example telnet and ftp (and, on current systems, sshd), log who is connecting to what, from where, and when, through syslog; login sessions are also recorded in the wtmp file, which you read with the last command. There are also utilities that maintain logs of local network connections. These network connection logs are kept by default.
Whereas the network connection logs are kept by default, process accounting logs, which track every executed process, are not: you must explicitly enable them. The Red Hat kernel is already built with process accounting support, so all you need is the psacct package. It provides accton, which switches accounting on by telling the kernel which file (normally /var/account/pacct) to append records to, and the lastcomm and sa commands to read the results (ac, from the same package, summarizes login time from wtmp rather than from the accounting file).
The drawback of system accounting is the size of the log files it produces: one record per process exit adds up quickly on a busy host. Therefore, you will need to enable log rotation and archival procedures. An archival procedure is important because you may not detect an attack until months later; so, if possible, back up all your logs for reference. The next lesson describes process accounting.
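
The following program is an added example, not part of the original lesson or of the psacct package. It parses the 64-byte records that the kernel writes to the accounting file, using the field layout of struct acct_v3 from <linux/acct.h> and the comp_t encoding described in acct(5), and then runs the two checks an analyst usually wants first: CPU time charged to each real uid (what sa -u totals) and any non-root process whose record carries the ASU flag (it exercised superuser privileges) without being one of the setuid tools a user is expected to run. The sample records, their uids, pids and timestamps, and the EXPECTED_SETUID list are constructed for the example; on a real host point parse_pacct() at the contents of /var/account/pacct, and remember that a record only appears when the process exits and that an intruder with root can stop accounting or truncate the file.

```python
"""Parse Linux process-accounting records (struct acct_v3 from <linux/acct.h>, one
64-byte record per process exit) and check them: CPU per real uid (what `sa -u`
totals) and non-root processes that used superuser privileges. SAMPLE_PACCT is
constructed for this example; on a real host read /var/account/pacct instead."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

AHZ = 100              # utime/stime/etime are counted in 1/AHZ second
ACCT_VERSION = 3
ACCT_BYTEORDER = 0x80  # OR-ed into ac_version by big-endian kernels
ACCT_V3_SIZE = 64
ASU, ACORE = 0x02, 0x08   # ac_flag bits: used superuser privileges / dumped core
ACCT_V3_FMT = "BBHIIIIIIfHHHHHHHH16s"   # struct acct_v3; prefix "<" or ">"
# setuid tools an ordinary user is expected to run (assumed list); ASU elsewhere is odd
EXPECTED_SETUID = {"sudo", "su", "passwd", "chsh", "chfn", "newgrp", "mount",
                   "umount", "ping", "crontab"}

def decode_comp_t(c: int) -> int:
    """comp_t: 13-bit mantissa with a 3-bit base-8 exponent (see acct(5))."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def encode_comp_t(value: int) -> int:
    """Inverse of decode_comp_t (lossy for large values); used for samples."""
    exp = 0
    while value > 0x1FFF:
        value, exp = value >> 3, exp + 1
    return (exp << 13) | value

@dataclass
class AcctRecord:
    flags: int
    uid: int            # real uid; arguments are never recorded, only comm
    pid: int
    ppid: int
    btime: int          # start time, seconds since the epoch
    etime_ticks: float  # wall-clock run time
    utime_ticks: int
    stime_ticks: int
    comm: str           # command name, truncated to 16 bytes

    @property
    def used_superuser(self) -> bool:
        return bool(self.flags & ASU)

def parse_record(raw: bytes) -> AcctRecord:
    if len(raw) != ACCT_V3_SIZE:
        raise ValueError("need exactly one 64-byte acct_v3 record")
    order = ">" if raw[1] & ACCT_BYTEORDER else "<"   # writer's byte order
    (flag, version, _tty, _exit, uid, _gid, pid, ppid, btime, etime, utime,
     stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
     comm) = struct.unpack(order + ACCT_V3_FMT, raw)
    if version & ~ACCT_BYTEORDER != ACCT_VERSION:
        raise ValueError("unsupported pacct version %d" % version)
    return AcctRecord(flag, uid, pid, ppid, btime, etime, decode_comp_t(utime),
                      decode_comp_t(stime),
                      comm.split(b"\0", 1)[0].decode("ascii", "replace"))

def parse_pacct(data: bytes) -> List[AcctRecord]:
    """Split a file into records; a trailing partial record (kernel mid-append) is skipped."""
    whole = len(data) - len(data) % ACCT_V3_SIZE
    return [parse_record(data[i:i + ACCT_V3_SIZE]) for i in range(0, whole, ACCT_V3_SIZE)]

def cpu_ticks_by_uid(records: List[AcctRecord]) -> Dict[int, int]:
    """CPU ticks (user + system) charged to each real uid."""
    totals: Dict[int, int] = {}
    for r in records:
        totals[r.uid] = totals.get(r.uid, 0) + r.utime_ticks + r.stime_ticks
    return totals

def find_suspicious(records: List[AcctRecord]) -> List[Tuple[str, AcctRecord]]:
    """Non-root uid gaining superuser privileges outside the known setuid tools
    (possible escalation exploit), or a privileged process dumping core."""
    hits = []
    for r in records:
        if r.uid != 0 and r.used_superuser and r.comm not in EXPECTED_SETUID:
            hits.append(("uid %d ran %s with superuser privileges" % (r.uid, r.comm), r))
        if r.used_superuser and r.flags & ACORE:
            hits.append(("privileged process %s dumped core" % r.comm, r))
    return hits

def make_sample(comm, uid, pid, ppid, btime, utime, stime, elapsed, flags=0, order="<"):
    """Build one acct_v3 record in the given byte order (constructed sample data)."""
    version = ACCT_VERSION | (ACCT_BYTEORDER if order == ">" else 0)
    return struct.pack(order + ACCT_V3_FMT, flags, version, 0, 0, uid, uid, pid, ppid,
                       btime, float(elapsed), encode_comp_t(utime), encode_comp_t(stime),
                       0, 0, 0, 0, 0, 0, comm.encode())

# Constructed pacct contents: a user's shell session, a root cron job, and a
# netcat that ran with root privileges under an ordinary uid (the odd one out).
SAMPLE_PACCT = b"".join([
    make_sample("bash", 1000, 4200, 4199, 1700000000, 50, 20, 6000),
    make_sample("ls", 1000, 4201, 4200, 1700000010, 2, 1, 3),
    make_sample("sudo", 1000, 4202, 4200, 1700000020, 3, 4, 150, flags=ASU),
    make_sample("nc", 1000, 4203, 1, 1700000100, 1, 2, 36000, flags=ASU),
    make_sample("sh", 0, 4300, 1, 1700000200, 1, 1, 40, flags=ASU),
]) + b"\0" * 10   # partial trailing record, as seen while the kernel appends

if __name__ == "__main__":
    for reason, r in find_suspicious(parse_pacct(SAMPLE_PACCT)):
        print("ALERT pid %d (%s, ppid %d): %s" % (r.pid, r.comm, r.ppid, reason))
```

Run against the sample, the detector reports only the nc entry: a network tool with no business holding superuser privileges that nevertheless ran with them under uid 1000, which is the trace a local privilege escalation leaves once the exploited process exits. The sudo entry carries the same flag but is in the expected list. Since comm holds only the executable's name, an attacker who renames a binary to ping slips past the list, so treat the check as a triage aid and pair it with a verification that the listed tools are still the distribution's own setuid binaries.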

Using the mkfs command to create a file system

It is possible to create a file system, for any supported file system type, on a disk or partition that you choose. This is done with the mkfs command. While this is most useful for creating file systems on hard disk partitions, you can create file systems on floppy disks or re-writable CDs as well. Here is an example of using mkfs to create a file system on a floppy disk:

# mkfs -t ext3 /dev/fd0
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group
Writing inode tables: done
Filesystem too small for a journal
Writing superblocks and filesystem accounting information: done
The filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

You can see the statistics that are output with the formatting done by the mkfs command: the number of inodes and blocks created, and likewise the number of blocks per group and fragments per group. Note the line "Filesystem too small for a journal": a 1.44 MB floppy has no room for an ext3 journal, so what was written is effectively an ext2 file system. The ext3 driver refuses to mount a file system without a journal, so mount it as ext2 or let mount detect the type rather than forcing -t ext3. You could now mount it (mount /mnt/floppy, which relies on the /etc/fstab entry for the floppy; otherwise mount -t ext2 /dev/fd0 /mnt/floppy), change to it as your current directory (cd /mnt/floppy), and create files on it as you please.