Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands.
Process accounting has both positive and negative points. One of the positives is that an intrusion may be narrowed down to the point of entry. A negative is the amount of logs generated by process accounting, and the disk space they may require. This section walks an administrator through the basics of process accounting.
If more fine-grained accounting is needed, refer to 章 16, 安全事件稽查.
Before using process accounting, it must be enabled using the following commands:
#
touch /var/account/acct
#
chmod 600 /var/account/acct
#
accton /var/account/acct
#
sysrc accounting_enable=yes
Once enabled, accounting will begin to track information
such as CPU statistics and executed
commands. All accounting logs are in a non-human readable
format which can be viewed using sa
. If
issued without any options, sa
prints
information relating to the number of per-user calls, the
total elapsed time in minutes, total CPU
and user time in minutes, and the average number of
I/O operations. Refer to sa(8) for
the list of available options which control the output.
To display the commands issued by users, use
lastcomm
. For example, this command
prints out all usage of ls
by trhodes
on the
ttyp1
terminal:
#
lastcomm ls trhodes ttyp1
Many other useful options exist and are explained in lastcomm(1), acct(5), and sa(8).
本文及其他文件,可由此下載: ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/。
若有 FreeBSD 方面疑問,請先閱讀
FreeBSD 相關文件,如不能解決的話,再洽詢
<questions@FreeBSD.org>。
關於本文件的問題,請洽詢
<doc@FreeBSD.org>。