svn commit: r53406 - head/en_US.ISO8859-1/books/handbook/security
Fukang Chen
loader at FreeBSD.org
Mon Sep 16 01:55:48 UTC 2019
Author: loader
Date: Mon Sep 16 01:55:47 2019
New Revision: 53406
URL: https://svnweb.freebsd.org/changeset/doc/53406
Log:
Update the Process Accounting section.
PR: 202203
Reviewed by: ian
Submitted by: ian
Differential Revision: https://reviews.freebsd.org/D20878
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Sep 14 18:40:11 2019 (r53405)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon Sep 16 01:55:47 2019 (r53406)
@@ -3567,10 +3567,23 @@ UWWemqWuz3lAZuORQ9KX
<para>Before using process accounting, it must be enabled using
the following commands:</para>
- <screen>&prompt.root; <userinput>touch /var/account/acct</userinput>
-&prompt.root; <userinput>chmod 600 /var/account/acct</userinput>
-&prompt.root; <userinput>accton /var/account/acct</userinput>
-&prompt.root; <userinput>sysrc accounting_enable=yes</userinput></screen>
+ <screen>&prompt.root; <userinput>sysrc accounting_enable=yes</userinput>
+&prompt.root; <userinput>service accounting start</userinput></screen>
+
+ <para>The accounting information is stored in files located in
+ <filename>/var/account</filename>, which is automatically created,
+ if necessary, the first time the accounting service starts.
+ These files contain sensitive information, including all the
+ commands issued by all users. Write access to the files is
+ limited to <systemitem class="username">root</systemitem>,
+ and read access is limited to <systemitem
+ class="username">root</systemitem> and members of the
+ <systemitem class="groupname">wheel</systemitem> group.
+ To also prevent members of <systemitem
+ class="groupname">wheel</systemitem> from reading the files,
+ change the mode of the <filename>/var/account</filename>
+ directory to allow access only by <systemitem
+ class="username">root</systemitem>.</para>
<para>Once enabled, accounting will begin to track information
such as <acronym>CPU</acronym> statistics and executed
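Review bot: The last sentence of the added paragraph ("change the mode of the /var/account directory to allow access only by root") gives the reader an instruction with no command and no mode, while the enable steps just above it are shown in a <screen> block. Consider following the paragraph with a <screen> that shows the chmod invocation and the intended mode, as the removed lines did explicitly with "chmod 600 /var/account/acct". Since the paragraph says the directory is created the first time the accounting service starts, it would also help to state that the mode change is made after "service accounting start".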