Date: Mon, 16 Sep 2019 01:55:48 +0000 (UTC) From: Fukang Chen <loader@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r53406 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201909160155.x8G1tmC3042016@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: loader Date: Mon Sep 16 01:55:47 2019 New Revision: 53406 URL: https://svnweb.freebsd.org/changeset/doc/53406 Log: Update the Process Accounting section. PR: 202203 Reviewed by: ian Submitted by: ian Differential Revision: https://reviews.freebsd.org/D20878 Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Sep 14 18:40:11 2019 (r53405) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon Sep 16 01:55:47 2019 (r53406) @@ -3567,10 +3567,23 @@ UWWemqWuz3lAZuORQ9KX <para>Before using process accounting, it must be enabled using the following commands:</para> - <screen>&prompt.root; <userinput>touch /var/account/acct</userinput> -&prompt.root; <userinput>chmod 600 /var/account/acct</userinput> -&prompt.root; <userinput>accton /var/account/acct</userinput> -&prompt.root; <userinput>sysrc accounting_enable=yes</userinput></screen> + <screen>&prompt.root; <userinput>sysrc accounting_enable=yes</userinput> +&prompt.root; <userinput>service accounting start</userinput></screen> + + <para>The accounting information is stored in files located in + <filename>/var/account</filename>, which is automatically created, + if necessary, the first time the accounting service starts. + These files contain sensitive information, including all the + commands issued by all users. Write access to the files is + limited to <systemitem class="username">root</systemitem>, + and read access is limited to <systemitem + class="username">root</systemitem> and members of the + <systemitem class="groupname">wheel</systemitem> group. + To also prevent members of <systemitem + class="groupname">wheel</systemitem> from reading the files, + change the mode of the <filename>/var/account</filename> + directory to allow access only by <systemitem + class="username">root</systemitem>.</para> <para>Once enabled, accounting will begin to track information such as <acronym>CPU</acronym> statistics and executed
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201909160155.x8G1tmC3042016>