From: "Andrew Tchernoivanov"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] user command auditing
Date: Wed, 16 Jul 2008 23:11:35 +0400
In-Reply-To: <20080716111351.S3305@shell.bway.net>
References: <1216196776.14717.7.camel@localhost> <20080716111351.S3305@shell.bway.net>
List-Id: Gentoo Linux mail

>Is there a tool or a way of keeping track of which commands users are
>executing on a system?

There is a .bash_history file in each user's home folder. It contains all commands executed by that user.

On Wed, Jul 16, 2008 at 7:22 PM, A. Khattri <ajai@bway.net> wrote:
> On Wed, 16 Jul 2008, Richard Marzan wrote:
>
>> I understand that history files can be wiped out
>> and they don't really contain the time at which a command and its
>> arguments were run so I refrain from relying on it.
>
> On traditional UNIX systems, system accounting logs (usually called acct) can be read via the lastcomm command. I'm guessing that the sys-process/acct ebuild will give you those commands.
>
> NOTE: You will also need kernel support for process/login accounting - look for "process accounting" in your kernel config and make sure it is switched on. (Naturally, you will need to rebuild your kernel / modules if it isn't switched on and reboot to activate it).
>
> UPDATE: I just checked one of my kernels and the config option is called "BSD-style process accounting" - it lives in General Setup when configuring a kernel.
>
> --
> A
> --
> gentoo-user@lists.gentoo.org mailing list


--
gentoo-user@lists.gentoo.org mailing list
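The acct/lastcomm route described in the quoted reply above, as an added example that is not part of the thread and not code from the sys-process/acct package: a Python decoder for the kernel's version-3 accounting records (struct acct_v3 from linux/acct.h), which is the file format lastcomm reads. It assumes the kernel was built with the "BSD-style process accounting" option the poster mentions (CONFIG_BSD_PROCESS_ACCT) together with its version-3 file-format sub-option (CONFIG_BSD_PROCESS_ACCT_V3), that accounting was switched on with accton(8), and that the records came from a little-endian (x86) host; the sample records are constructed inline so it runs offline. It shows what an accounting record carries that .bash_history does not (the real uid, a start timestamp, the exit status, and flag bits such as ASU for "used superuser privilege") and that the CPU counters are stored in the lossy comp_t encoding, so they round above 8191 ticks.

```python
"""Decode Linux BSD-style process accounting (struct acct_v3), as lastcomm does.
Added example for this thread, not code from sys-process/acct or any poster. Assumes
CONFIG_BSD_PROCESS_ACCT(_V3), accton(8) on, little-endian host; sample is constructed."""
import struct
import time
from dataclasses import dataclass

ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")  # linux/acct.h: 64 bytes, no padding
ACCT_COMM = 16
ACCT_BYTEORDER = 0x80  # or'ed into ac_version by big-endian kernels
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10  # ac_flag bits
FLAG_LETTERS = ((AFORK, "F"), (ASU, "S"), (ACORE, "D"), (AXSIG, "X"))  # as lastcomm prints them

def decode_comp_t(v: int) -> int:
    """comp_t: 13-bit mantissa, 3-bit base-8 exponent; lossy above 8191."""
    return (v & 0x1FFF) << (3 * ((v >> 13) & 0x7))

def encode_comp_t(value: int) -> int:
    """Pack like the kernel's encode_comp_t(), including its round-up step."""
    exponent, rnd = 0, 0
    while value > 0x1FFF:
        rnd = value & 0x4  # top bit of the three being shifted out
        value >>= 3
        exponent += 1
    if rnd:
        value += 1
        if value > 0x1FFF:  # the round-up can itself overflow the mantissa
            value >>= 3
            exponent += 1
    return (exponent << 13) | value

@dataclass
class AcctRecord:
    comm: str           # first 16 bytes of the executable name, no arguments
    flags: int
    uid: int            # real uid of the process when it exited
    gid: int
    pid: int
    ppid: int
    tty: int
    btime: int          # process start, seconds since the epoch
    exitcode: int       # wait(2)-style status
    utime_ticks: int    # user CPU in AHZ (100 Hz) ticks
    stime_ticks: int    # system CPU in AHZ ticks
    etime_ticks: float  # elapsed wall clock in AHZ ticks, stored as a float

    @property
    def flag_string(self) -> str:
        return "".join(ch for bit, ch in FLAG_LETTERS if self.flags & bit)

def parse_acct_v3(data: bytes):
    """Yield AcctRecord objects from the raw bytes of a pacct file."""
    if len(data) % ACCT_V3.size:
        raise ValueError("pacct data is truncated or not made of v3 records")
    for off in range(0, len(data), ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
         comm) = ACCT_V3.unpack_from(data, off)
        if version & ACCT_BYTEORDER:
            raise ValueError("big-endian pacct file; this example assumes x86")
        if version != 3:  # v1/v2 records (no CONFIG_BSD_PROCESS_ACCT_V3) differ
            raise ValueError(f"unsupported acct record version {version}")
        yield AcctRecord(comm.split(b"\0", 1)[0].decode("ascii", "replace"),
                         flag, uid, gid, pid, ppid, tty, btime, exitcode,
                         decode_comp_t(utime), decode_comp_t(stime), etime)

def format_lastcomm(rec: AcctRecord, ahz: int = 100) -> str:
    """One line per record, roughly as lastcomm(1) prints it."""
    started = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(rec.btime))
    cpu = (rec.utime_ticks + rec.stime_ticks) / ahz
    return (f"{rec.comm:<16} {rec.flag_string:<4} uid={rec.uid:<5} "
            f"pid={rec.pid:<6} ppid={rec.ppid:<6} cpu={cpu:8.2f}s  {started}")

def query_records(data: bytes, uid=None, flags=0) -> list:
    """The thread's question: which commands did a uid run, and when; flags=ASU
    narrows the listing to processes that exercised superuser privilege."""
    return [format_lastcomm(r) for r in parse_acct_v3(data)
            if (uid is None or r.uid == uid) and (r.flags & flags) == flags]

def make_record(comm, uid, pid, ppid, btime, flags=0, exitcode=0, tty=0,
                gid=0, utime=0, stime=0, etime=0.0) -> bytes:
    """Pack one record as the kernel would; used only to build the sample."""
    name = comm.encode()[:ACCT_COMM].ljust(ACCT_COMM, b"\0")
    return ACCT_V3.pack(flags, 3, tty, exitcode, uid, gid, pid, ppid, btime, etime,
                        encode_comp_t(utime), encode_comp_t(stime), 0, 0, 0, 0, 0, 0, name)

# Constructed sample (not captured data): a user's shell, a setuid ping (ASU, real uid
# still 1000), an emerge run as root, and a child killed by SIGKILL. T0 is this thread's date.
T0 = 1216235495
SAMPLE = b"".join([
    make_record("bash", 1000, 4242, 4000, T0, utime=12, stime=5, etime=6000.0),
    make_record("ping", 1000, 4300, 4242, T0 + 5, flags=ASU, utime=1, stime=2),
    make_record("emerge", 0, 4310, 4301, T0 + 15, flags=ASU, utime=250000, stime=9000),
    make_record("sleep", 1000, 4320, 4242, T0 + 25, flags=AXSIG, exitcode=9),
])

if __name__ == "__main__":
    for line in query_records(SAMPLE):
        print(line)
```

Run it as-is to list the constructed sample in a lastcomm-like layout, or call parse_acct_v3() on the bytes of whatever file accton(8) was pointed at. Two caveats before relying on it for auditing: ac_comm holds only the first 16 bytes of the executable name and never its arguments, and a record is written when the process exits, so a long-running shell appears only after it ends.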