Lesson 5: User auditing
Objective: Describe user auditing in Red Hat Linux.
Examining System Logs in Red Hat Linux
User auditing refers to examining the system logs to determine information about user access. It is similar to process auditing in that it provides detailed information; however, this information is based on users instead of processes.
Maintain long-term statistics by summarizing and combining the per-period statistics each time you rotate the logs.
User auditing examines user access and provides information on what users have done, where they have connected from, when they have connected, and how long they stayed connected.
Support is provided for examining the resource usage of a particular user, based on the process accounting logs. The sa command provides summarized accounting information on a per-user basis. The dump-utmp command provides a raw dump of the utmp file; however, it is of little use unless you are very familiar with the file format.
There are also commands that will aid you in determining when and how long users stay online. You can use the --user-summary argument to identify how long users remain online. The ac command lists how long different users have stayed connected to the system since the logs were last rotated. The lastcomm command provides listings of when users connected, where they connected from, and for how long. This command lists login sessions, optionally of a specified user, in most-recent-first order.
The SlideShow below shows you examples of these commands and the output they generate.
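The lesson says to keep long-term statistics by combining per-period figures after each log rotation. The script below is an added example (not part of this course) that merges two constructed `ac -p` reports, one per accounting period, into a single per-user connect-time total and flags users over a threshold; the sample report text is constructed to match the shape of real `ac -p` output (user, hours, trailing "total" line).

```shell
#!/bin/sh
# Constructed sample `ac -p` output for two accounting periods, e.g. the
# report taken just before a wtmp rotation and the one from the new log.
# Real output has the same shape: one "user hours" line per user and a
# trailing "total" line.
PERIOD_1='        alice                               12.34
        bob                                  3.50
        total                               15.84'
PERIOD_2='        alice                                1.25
        carol                                8.00
        total                                9.25'

# combine_ac_totals: read several concatenated `ac -p` reports on stdin,
# drop each report's own "total" line, sum hours per user and print
# "user hours" lines sorted by hours, largest first.
combine_ac_totals() {
    awk '$1 != "total" && NF == 2 { hours[$1] += $2 }
         END { for (u in hours) printf "%s %.2f\n", u, hours[u] }' |
    sort -k2,2nr
}

# hours_for: print the combined hours for one user ($1) from a report on stdin.
hours_for() {
    awk -v u="$1" '$1 == u { print $2 }'
}

# flag_over: print users whose combined hours exceed the threshold in $1,
# a simple way to spot accounts that stay connected far longer than peers.
flag_over() {
    awk -v limit="$1" '$2 + 0 > limit + 0 { print $1 }'
}

# combined: the merged report for the two sample periods.
combined() {
    printf '%s\n%s\n' "$PERIOD_1" "$PERIOD_2" | combine_ac_totals
}

combined
echo "--- users over 10 hours ---"
combined | flag_over 10
```

On a live system the two heredoc strings would be replaced by the saved output of `ac -p` from each rotation period.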