Wednesday, July 14, 2010
acct: Unix System Accounting Enabled Pt 5
Project Accounting:
If access to accounting source code can be obtained, another useful modification to the accounting system would be to retain the group id (gid) component of the pacct data when it is summarized and converted to tacct data. In the PROCESS state, the acctprc command summarizes process accounting (pacct) data into total accounting (tacct) data. In this process the group id is stripped out of the data, which loses information in the tacct file. A modification of acctdef.h, acctprc.c and acctmerg.c to retain the gid in the tacct structure, together with the corresponding summarizing of data by user and by group, would provide project accounting capabilities in Unix accounting. (The author is working with several vendors to adopt this project accounting modification.)
Billing and Security Auditing Capabilities:
When Unix accounting is enabled, additional auditing capabilities are available if the pacct* and wtmpx files are retained rather than deleted by the standard accounting process. If you preserved the pacct files and a user complains about a specific charge he may have incurred by running on your system, a more detailed report of the resource consumption can be generated with the acctcom command. This same information can be used as clues for a suspected security intrusion. Output 1 is a sample accounting report generated by acctcom from preserved Solaris pacct data.
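The two ideas above, keeping the gid through summarization and reading preserved pacct files for a per-process report, can both be shown on raw accounting records. The following is an added example, not code from the post or from any vendor's accounting package. It assumes the 40-byte struct acct layout of Solaris sys/acct.h (flag, stat, uid, gid, tty, btime, six comp_t counters, 8-byte command name) and big-endian data as written on SPARC; check the header on your own system before trusting the offsets. The sample records are constructed inline.

```python
"""Parse raw pacct records and summarize CPU time per user and per
(user, group).  Added example; the struct acct layout and the comp_t
encoding below are assumptions based on Solaris <sys/acct.h>."""
import struct
import time
from collections import defaultdict

# Assumed struct acct: flag, stat, 2 pad bytes, uid, gid, tty, btime,
# then six comp_t counters (utime, stime, etime, mem, io, rw) and comm.
ACCT_FMT = ">BBxxIIIIHHHHHH8s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)   # 40 bytes under this assumption


def comp_t_to_int(c):
    """Decode a comp_t: 13-bit mantissa, 3-bit exponent in units of 8."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def int_to_comp_t(n):
    """Inverse of comp_t_to_int (lossy for large n); builds sample data."""
    exponent = 0
    while n > 0x1FFF:
        n >>= 3
        exponent += 1
    return (exponent << 13) | n


def parse_pacct(data):
    """Yield one dict per fixed-size record; counters are clock ticks."""
    for off in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE):
        (_flag, _stat, uid, gid, _tty, btime,
         utime, stime, etime, mem, io, _rw, comm) = struct.unpack_from(ACCT_FMT, data, off)
        yield {
            "uid": uid, "gid": gid, "btime": btime,
            "utime": comp_t_to_int(utime), "stime": comp_t_to_int(stime),
            "etime": comp_t_to_int(etime), "mem": comp_t_to_int(mem),
            "io": comp_t_to_int(io),
            "comm": comm.rstrip(b"\0").decode("ascii", "replace"),
        }


def summarize_by_user(records):
    """Total CPU ticks (user + system) per uid: what acctprc keeps."""
    totals = defaultdict(int)
    for r in records:
        totals[r["uid"]] += r["utime"] + r["stime"]
    return dict(totals)


def summarize_by_user_group(records):
    """Same total keyed by (uid, gid): the project-accounting view the
    post proposes, which only works if the gid survives summarization."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["uid"], r["gid"])] += r["utime"] + r["stime"]
    return dict(totals)


def acctcom_report(records, hz=100):
    """Per-process lines in the spirit of acctcom (not its real format).
    hz is the assumed clock tick rate used to turn ticks into seconds."""
    lines = []
    for r in records:
        cpu = (r["utime"] + r["stime"]) / hz
        start = time.strftime("%H:%M:%S", time.gmtime(r["btime"]))
        lines.append(f"{r['comm']:<8} uid={r['uid']:<6} gid={r['gid']:<6} "
                     f"start={start} cpu={cpu:.2f}s")
    return lines


def make_record(uid, gid, comm, utime, stime, btime, etime=0, mem=0, io=0):
    """Build one constructed pacct record for the sample data."""
    return struct.pack(ACCT_FMT, 0, 0, uid, gid, 0, btime,
                       int_to_comp_t(utime), int_to_comp_t(stime),
                       int_to_comp_t(etime), int_to_comp_t(mem),
                       int_to_comp_t(io), 0, comm.encode("ascii").ljust(8, b"\0"))


# Constructed sample: uid 1001 runs jobs under two groups (projects
# 100 and 200); uid 1002 runs a small job under group 100.
SAMPLE_PACCT = b"".join([
    make_record(1001, 100, "make", 500, 120, 1279094400),
    make_record(1001, 200, "sim", 9000, 300, 1279098000),
    make_record(1002, 100, "ls", 2, 1, 1279101600),
])

if __name__ == "__main__":
    recs = list(parse_pacct(SAMPLE_PACCT))
    for line in acctcom_report(recs):
        print(line)
    print("by user:      ", summarize_by_user(recs))
    print("by user+group:", summarize_by_user_group(recs))
```

Run against a real preserved file with `parse_pacct(open("/var/adm/pacct1", "rb").read())` once the struct layout has been confirmed. The by-user dictionary is all a tacct file can tell you; the by-user-and-group dictionary is the extra breakdown the post argues for, and it is only recoverable while the raw pacct files still exist.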
If the wtmpx file is preserved you can use this information to provide additional clues as to how long a suspected intruder has been lurking about your system. If a security intrusion is detected on a specific user's account (victor, for example) and the host where the suspected intruder comes from remains constant (unknown.fake.edu, for example), you can use the last command and the preserved wtmpx files to determine how long the suspected intrusion has been occurring. Output 2 is a sample session that uses the preserved daily wtmpx records to generate a report of all the login activity for user victor.
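Output 2 is not reproduced here, but the check it describes can be automated over the captured `last` output from each preserved wtmpx file. The following is an added example, not part of the original post: it assumes `last -f <file> <user>` has already been run per preserved file and its text captured, that the caller supplies the year (`last` does not print one), and that lines follow the usual user / line / host / date columns. The sample lines and the host unknown.fake.edu are the post's own placeholders, constructed here.

```python
"""Find the first and most recent login of a user from one host across
captured `last` outputs.  Added example; sample output is constructed."""
import re
from datetime import datetime

# Tolerant match for a session line: user, tty line, host, then the
# start time as printed by last (no year).  Column widths vary by OS.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2})"
)


def parse_last_output(text, year):
    """Yield (user, line, host, start_datetime) for each session line.
    Skips 'wtmp begins', blank lines and reboot/shutdown pseudo-users."""
    for raw in text.splitlines():
        m = LAST_LINE.match(raw)
        if not m or m.group("user") in ("reboot", "shutdown"):
            continue
        when = datetime.strptime(f"{year} {m.group('when')}", "%Y %a %b %d %H:%M")
        yield m.group("user"), m.group("line"), m.group("host"), when


def login_span(captures, user, host):
    """Return (first_login, last_login, count) for `user` from `host`
    over all (year, text) captures, or None if that pair never appears."""
    hits = [when
            for year, text in captures
            for u, _line, h, when in parse_last_output(text, year)
            if u == user and h == host]
    if not hits:
        return None
    return min(hits), max(hits), len(hits)


# Constructed sample: `last -f` output from two preserved daily wtmpx
# files (July 2010).  Only the unknown.fake.edu sessions are suspect.
SAMPLE_CAPTURES = [
    (2010, """\
victor    pts/3        unknown.fake.edu Mon Jul 12 09:15 - 10:02  (00:47)
alice     pts/1        desk42.fake.edu  Mon Jul 12 08:30 - 17:10  (08:40)
reboot    system boot                   Mon Jul 12 08:00

wtmp begins Mon Jul 12 08:00
"""),
    (2010, """\
victor    pts/5        unknown.fake.edu Tue Jul 13 22:41   still logged in
victor    pts/2        desk07.fake.edu  Tue Jul 13 11:05 - 11:30  (00:25)

wtmp begins Tue Jul 13 00:00
"""),
]

if __name__ == "__main__":
    span = login_span(SAMPLE_CAPTURES, "victor", "unknown.fake.edu")
    if span is None:
        print("no logins from that host")
    else:
        first, last, count = span
        print(f"{count} logins from unknown.fake.edu, "
              f"first {first:%b %d %H:%M}, most recent {last:%b %d %H:%M}")
```

The earliest hit is the lower bound on how long the account has been used from that host; because `last` prints no year, keep the year with each capture (from the preserved file's date) rather than guessing it, or spans crossing New Year will sort wrongly.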
Labels: Accounting, Audit, Security