From: "A. Khattri"
To: gentoo-user
Subject: Re: [gentoo-user] user command auditing
Date: Wed, 16 Jul 2008 11:22:36 -0400 (EDT)
Message-ID: <20080716111351.S3305@shell.bway.net>
In-Reply-To: <1216196776.14717.7.camel@localhost>

On Wed, 16 Jul 2008, Richard Marzan wrote:

> Is there a tool or a way of keeping track of which commands users are
> executing on a system? I understand that history files can be wiped out
> and they don't really contain the time at which a command and its
> arguments were run so I refrain from relying on it.

On traditional UNIX systems, system accounting logs (usually called acct) can be read via the lastcomm command. I'm guessing that the sys-process/acct ebuild will give you those commands.

NOTE: You will also need kernel support for process/login accounting - look for "process accounting" in your kernel config and make sure it is switched on. (Naturally, you will need to rebuild your kernel / modules if it isn't switched on and reboot to activate it.)

UPDATE: I just checked one of my kernels and the config option is called "BSD-style process accounting" - it lives in General Setup when configuring a kernel.

-- 
A
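
What the accounting file read by lastcomm holds, as an added example that is not part of the original message: a Python parser for Linux `struct acct_v3` records, assuming a little-endian kernel writing version-3 records. The names `parse_pacct`, `commands_by_uid`, `make_record` and `SAMPLE` are hypothetical and the sample records are constructed; each record carries the command name, user and start time, but not the arguments.

```python
import struct
from datetime import datetime, timezone

# struct acct_v3 from <linux/acct.h>: 64 bytes per record.
# Assumption: v3 records written by a little-endian kernel.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
FLAG_NAMES = {0x01: "AFORK", 0x02: "ASU", 0x08: "ACORE", 0x10: "AXSIG"}


def parse_pacct(data):
    """Yield one dict per complete acct_v3 record in a raw accounting file."""
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        fields = ACCT_V3.unpack_from(data, off)
        flag, version, uid, pid, btime = (fields[i] for i in (0, 1, 4, 6, 8))
        if version != 3:
            raise ValueError(f"offset {off}: acct version {version}, expected 3")
        yield {
            # ac_comm is a NUL-padded 16-byte name: no path, no arguments.
            "comm": fields[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid,
            "pid": pid,
            "start": datetime.fromtimestamp(btime, tz=timezone.utc),
            "flags": [n for bit, n in FLAG_NAMES.items() if flag & bit],
        }


def commands_by_uid(data, uid):
    """Return (start time, command name) pairs for one user, oldest first."""
    rows = [(r["start"], r["comm"]) for r in parse_pacct(data) if r["uid"] == uid]
    return sorted(rows)


def make_record(comm, uid, pid, btime, flag=0):
    """Build a constructed record so the example runs without a live pacct file."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, 1, btime, 0.0,
                        *([0] * 8), comm.encode())


# Constructed sample data, not taken from a real system.
SAMPLE = (
    make_record("rm", 1000, 4242, 1216221756)
    + make_record("shred", 1000, 4243, 1216221760)
    + make_record("cron", 0, 310, 1216221700, flag=0x02)
)

if __name__ == "__main__":
    for start, comm in commands_by_uid(SAMPLE, 1000):
        print(start.isoformat(), comm)
```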