HPE Community
Operating System - Linux
1832473 Members
2596 Online
110043 Solutions
New Discussion

Re: process tracking and auditing

 
SOLVED
Go to solution
Maaz
Valued Contributor

‎05-07-2006 06:11 AM

‎05-07-2006 06:11 AM

process tracking and auditing

Dear Gurus
OS: rhel 4

how can initiallize the /var/log/wtmp ? that is i have check it via last command, and now I want that all old info will be de delete .. ?

how to enable auditing on a file/folder ? say I wana audit/track who has access the /secret directory

Regards
Maaz
0 Kudos
5 REPLIES 5
Manuel Wolfshant
Trusted Contributor

‎05-07-2006 12:12 PM

‎05-07-2006 12:12 PM

Solution

Re: process tracking and auditing

wtmp is automatically created/maintained/used. The command "last" will only read from this file. The file is part of the log rotate process, the previous version can be found as wtmp.1. In order to use it, you have to pass it as parameter to the command "last", as in
last -f /var/log/wtmp.1


In order to audit the access, the standard way in RHEL is by using the auditd daemon. You should start by installing the "audit" package (audit-1.0.12-1.EL4 is the most current version at the time) and reading the man pages of auditd. After that, adjust /etc/auditd.conf, /etc/audit.rules per your needs and use the various audit* utilities to monitor access.
0 Kudos
Mike Stroyan
Honored Contributor

‎05-08-2006 03:22 AM

‎05-08-2006 03:22 AM

Re: process tracking and auditing

The logrotate setting for /var/log/wtmp is in /etc/logrotate.conf. It is unusual in that it is handled in the toplevel config file instead of a specific file under /etc/logrotate.d. The config for /var/log/wtmp sets it aside once a month, then creates a new empty file with 0664 permissions, user root, group utmp. You could do that manually with-
# mv /var/log/wtmp /var/log/wtmp.1
# touch /var/log/wtmp
# chmod 0664 /var/log/wtmp
# chown root:wtmp /var/log/wtmp
0 Kudos
Maaz
Valued Contributor

‎05-12-2006 06:59 AM

‎05-12-2006 06:59 AM

Re: process tracking and auditing

i turned on the process account via
#accton /var/account/pacct

then issued some command and check it via
#lastcomm --user maaz
OK
but after a very short time
#tail -f /var/log/messages
May 12 22:36:53 system1 kernel: Process accounting paused
#lastcomm --user maaz, only shoes old command, that is new command are not shown by lastcomm output

plz help
Regards
Maaz
0 Kudos
Maaz
Valued Contributor

‎05-26-2006 07:25 AM

‎05-26-2006 07:25 AM

Re: process tracking and auditing

/var is almost full. I found that if /var is near to full then kenel process tracking will aoutomatically paused.
I move /var to biger/larger partition.. and its DONE ;)
0 Kudos
Manuel Wolfshant
Trusted Contributor

‎05-26-2006 09:15 AM

‎05-26-2006 09:15 AM

Re: process tracking and auditing

Wrong approach, maaz. you should make sure that the files auditd writes to do never exceed a certain limited size. You can do that with the help of /etc/audit.conf + the logrotate cron job.
You should also setup size limits for all other logs. You should use /etc/logrotate.conf for that. Do not be shy but creative and add your own scripts to /etc/logrotate.d
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.