public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] user command auditing
@ 2008-07-16  8:26 Richard Marzan
  2008-07-16 15:22 ` A. Khattri
From: Richard Marzan @ 2008-07-16  8:26 UTC
  To: gentoo-user

Is there a tool or a way of keeping track of which commands users are
executing on a system? I understand that history files can be wiped out
and they don't really contain the time at which a command and its
arguments were run so I refrain from relying on it.


Regards,
Richard

-- 
gentoo-user@lists.gentoo.org mailing list

* Re: [gentoo-user] user command auditing
  2008-07-16  8:26 [gentoo-user] user command auditing Richard Marzan
@ 2008-07-16 15:22 ` A. Khattri
  2008-07-16 19:11   ` Andrew Tchernoivanov
From: A. Khattri @ 2008-07-16 15:22 UTC
  To: gentoo-user

On Wed, 16 Jul 2008, Richard Marzan wrote:

> Is there a tool or a way of keeping track of which commands users are
> executing on a system? I understand that history files can be wiped out
> and they don't really contain the time at which a command and its
> arguments were run so I refrain from relying on it.

On traditional UNIX systems, system accounting logs (usually called
acct) can be read via the lastcomm command. I'm guessing that the
sys-process/acct ebuild will give you those commands.

NOTE: You will also need kernel support for process/login accounting -
look for "process accounting" in your kernel config and make sure it is
switched on. (Naturally, you will need to rebuild your kernel / modules if
it isn't switched on and reboot to activate it).


UPDATE: I just checked one of my kernels and the config option is called
"BSD-style process accounting" - it lives in General Setup when configuring
a kernel.


-- 
A

* Re: [gentoo-user] user command auditing
  2008-07-16 15:22 ` A. Khattri
@ 2008-07-16 19:11   ` Andrew Tchernoivanov
  2008-07-16 23:37     ` Dale
From: Andrew Tchernoivanov @ 2008-07-16 19:11 UTC
  To: gentoo-user

> Is there a tool or a way of keeping track of which commands users are
> executing on a system?

There is a .bash_history file in users' home folders. It contains all
commands executed by this user.

On Wed, Jul 16, 2008 at 7:22 PM, A. Khattri <ajai@bway.net> wrote:

> On Wed, 16 Jul 2008, Richard Marzan wrote:
>
>> I understand that history files can be wiped out
>> and they don't really contain the time at which a command and its
>> arguments were run so I refrain from relying on it.
>>
>
> On traditional UNIX systems, system accounting logs (usually called acct)
> can be read via the lastcomm command. I'm guessing that the sys-process/acct
> ebuild will give you those commands.
>
> NOTE: You will also need kernel support for process/login accounting - look
> for "process accounting" in your kernel config and make sure it is switched
> on. (Naturally, you will need to rebuild your kernel / modules if it isn't
> switched on and reboot to activate it).
>
>
> UPDATE: I just checked one of my kernels and the config option is called
> "BSD-style process accounting" - it lives in General Setup when configuring a
> kernel.

* Re: [gentoo-user] user command auditing
  2008-07-16 19:11   ` Andrew Tchernoivanov
@ 2008-07-16 23:37     ` Dale
From: Dale @ 2008-07-16 23:37 UTC
  To: gentoo-user

Andrew Tchernoivanov wrote:
> > Is there a tool or a way of keeping track of which commands users are
> > executing on a system?
>
> There is a .bash_history file in users' home folders. It contains all
> commands executed by this user.
>

But as the OP said, it can be edited or deleted so he cannot rely on it.

Dale

:-)  :-) 