Process Accounting

Process accounting records which commands were executed by which users at what time. It’s an essential addition to any Linux box used by more than one person, and after my current logging “solution” (.bash_history) failed me (a user deleted his own history after piping /dev/urandom into wall), I decided to enable it. Here’s how to do so on Debian systems:

sudo aptitude install acct

That’s it. Just one package. No reconfiguration or recompiling of anything. Using it:

504> sudo lastcomm somebody
sh               S     somebody ??         0.00 secs Tue Mar 16 17:00
znc                    somebody ??         0.00 secs Tue Mar 16 17:00
sh               S     somebody ??         0.00 secs Tue Mar 16 16:50
znc                    somebody ??         0.00 secs Tue Mar 16 16:50
sh               S     somebody ??         0.00 secs Tue Mar 16 16:40
znc                    somebody ??         0.00 secs Tue Mar 16 16:40

From this data, I can see that user somebody (yes, he’s a real user, and that is his username) has a cron job that runs every ten minutes, executing a shell script which starts znc.

What if I want to see who used wall recently? Easy.

508> sudo lastcomm | grep wall
wall                 X fahad    stdin      0.00 secs Tue Mar 16 17:16

From this data, it can be inferred that fahad (that’s me, by the way) ran wall, and closed it at 17:16. The X signifies that it was terminated with a SIGTERM (Ctrl+C).

Logs kept by process accounting are far superior to .bash_history, because the kernel writes them to a file that the user cannot modify. There is no escape. Do note, however, that users with root access can edit these logs or, in the worst case, simply delete them.
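As an added example (not part of the original post), here is a small Python parser for the raw accounting file that lastcomm reads, so the same questions asked above (who ran wall, which commands ended on a signal) can be answered in code. It assumes the version-3 record layout documented in acct(5) and the Debian default file path /var/log/account/pacct; the sample records at the bottom are constructed so it runs offline.

```python
import struct
from datetime import datetime, timezone

# struct acct_v3 from acct(5): flag, version, tty, exitcode, uid, gid, pid,
# ppid, btime, etime (float, in ticks), 8 comp_t counters, 16-byte command name.
FMT = "BBHIIIIIIf8H16s"                       # 64 bytes, no padding
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10   # ac_flag bits
ACCT_BYTEORDER = 0x80   # set in ac_version when the file was written big-endian
AHZ = 100               # accounting clock ticks per second
PACCT_PATH = "/var/log/account/pacct"   # assumed Debian default

def decode_comp(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse_pacct(data):
    """Return a list of dicts, one per 64-byte v3 record in `data`."""
    size = struct.calcsize("<" + FMT)
    records = []
    for off in range(0, len(data) - size + 1, size):
        endian = ">" if data[off + 1] & ACCT_BYTEORDER else "<"
        f = struct.unpack(endian + FMT, data[off:off + size])
        records.append({
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": f[4], "pid": f[6], "exitcode": f[3],
            "start": datetime.fromtimestamp(f[8], timezone.utc),
            "elapsed_s": f[9] / AHZ,
            "user_s": decode_comp(f[10]) / AHZ,
            "sys_s": decode_comp(f[11]) / AHZ,
            "superuser": bool(f[0] & ASU),   # lastcomm's "S" flag
            "signalled": bool(f[0] & AXSIG), # lastcomm's "X" flag
            "core": bool(f[0] & ACORE),      # lastcomm's "D" flag
        })
    return records

def flag_records(records, names=("wall",)):
    """Records worth a second look: watched commands such as wall, plus
    anything run with superuser privileges that ended on a signal or dumped core."""
    return [r for r in records
            if r["comm"] in names
            or (r["superuser"] and (r["signalled"] or r["core"]))]

def build_record(comm, uid, btime, flag, etime_ticks=0, pid=4242):
    """Constructed little-endian sample record, for offline testing only."""
    return struct.pack("<" + FMT, flag, 3, 0, 0, uid, uid, pid, 1, btime,
                       float(etime_ticks), 0, 0, 0, 0, 0, 0, 0, 0,
                       comm.encode().ljust(16, b"\0"))

# Constructed sample: a wall run by uid 1000 killed by a signal at 17:16 UTC,
# followed by an ordinary znc start by uid 1001.
SAMPLE = (build_record("wall", 1000, 1268759760, AXSIG, etime_ticks=250)
          + build_record("znc", 1001, 1268758800, 0))

if __name__ == "__main__":
    with open(PACCT_PATH, "rb") as fh:     # requires root on a real system
        for r in flag_records(parse_pacct(fh.read())):
            print(r["start"].isoformat(), r["uid"], r["comm"], r["exitcode"])
```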
