Process Accounting

Process accounting records which commands were executed by which users at what time. It’s an essential addition to any Linux box in use by more than one user, and after my current logging “solution” (.bash_history) failed me (a user deleted his after walling /dev/urandom), I decided to enable it. Here’s how to do so on Debian systems:

sudo aptitude install acct

That’s it. Just one package. No reconfiguration or recompiling of anything. Using it:

504> sudo lastcomm somebody
sh               S     somebody ??         0.00 secs Tue Mar 16 17:00
znc                    somebody ??         0.00 secs Tue Mar 16 17:00
sh               S     somebody ??         0.00 secs Tue Mar 16 16:50
znc                    somebody ??         0.00 secs Tue Mar 16 16:50
sh               S     somebody ??         0.00 secs Tue Mar 16 16:40
znc                    somebody ??         0.00 secs Tue Mar 16 16:40

From this data, I can see that user somebody (yes, he’s a real user, and that is his username) has a cron job that runs every ten minutes, executing a shell script which starts znc.

What if I want to see who used wall recently? Easy.

508> sudo lastcomm | grep wall
wall                 X fahad    stdin      0.00 secs Tue Mar 16 17:16

From this data, it can be inferred that fahad (that’s me, by the way) ran wall, and closed it at 17:16. The X signifies that it was terminated with a SIGTERM (Ctrl+C).
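Both questions above (what a given user ran, and who ran a given command) come down to parsing lastcomm's text output. The following is an added example, not code from the post or from the acct package: a small Python parser for lastcomm lines that anchors on the fixed right-hand fields (tty, CPU seconds, timestamp) because the flags column is optional, and that can also compute the gaps between repeated runs to back up the "cron job every ten minutes" inference. The flag meanings are the ones listed in the lastcomm(1) manual; the sample output is constructed in the post's format, not a real capture.

```python
"""Parse lastcomm(1) output and answer: what did user X run, and who ran command Y?"""
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Flag letters as listed in the lastcomm(1) manual page.
FLAG_MEANINGS = {
    "S": "executed by the superuser",
    "F": "executed after a fork, without a following exec",
    "D": "terminated with the generation of a core file",
    "X": "terminated with the signal SIGTERM",
}


class Record(NamedTuple):
    command: str
    flags: str
    user: str
    tty: str
    cpu_secs: float
    when: datetime  # lastcomm prints no year, so only month/day/time are meaningful


def parse_line(line: str) -> Record:
    # Layout: command [flags...] user tty cpu "secs" weekday month day HH:MM.
    # Flags may be absent, so fixed fields are located from the right-hand end.
    tokens = line.split()
    if len(tokens) < 9 or tokens[-5] != "secs":
        raise ValueError(f"not a lastcomm line: {line!r}")
    when = datetime.strptime(" ".join(tokens[-3:]), "%b %d %H:%M")
    flags = "".join(tokens[1:-8])  # zero or more flag tokens between command and user
    unknown = set(flags) - set(FLAG_MEANINGS)
    if unknown:
        raise ValueError(f"unknown flag(s) {sorted(unknown)} in {line!r}")
    return Record(tokens[0], flags, tokens[-8], tokens[-7], float(tokens[-6]), when)


def parse_lastcomm(text: str) -> list[Record]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def commands_by_user(records, user) -> Counter:
    """Count of each command name executed by `user`."""
    return Counter(r.command for r in records if r.user == user)


def who_ran(records, command) -> list[str]:
    """Distinct users who ran `command`, in first-seen order (lastcomm lists newest first)."""
    return list(dict.fromkeys(r.user for r in records if r.command == command))


def run_intervals(records, user, command) -> list[int]:
    """Minutes between consecutive runs, oldest to newest; equal gaps suggest a cron job."""
    times = sorted(r.when for r in records if r.user == user and r.command == command)
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


def describe_flags(flags: str) -> list[str]:
    return [FLAG_MEANINGS[f] for f in flags]


# Constructed sample in the format the post shows (not a real capture).
SAMPLE = """\
wall                 X fahad    stdin      0.00 secs Tue Mar 16 17:16
sh               S     somebody ??         0.00 secs Tue Mar 16 17:00
znc                    somebody ??         0.00 secs Tue Mar 16 17:00
sh               S     somebody ??         0.00 secs Tue Mar 16 16:50
znc                    somebody ??         0.00 secs Tue Mar 16 16:50
sh               S     somebody ??         0.00 secs Tue Mar 16 16:40
znc                    somebody ??         0.00 secs Tue Mar 16 16:40
"""

if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    print("somebody ran:", dict(commands_by_user(recs, "somebody")))
    print("wall was run by:", who_ran(recs, "wall"))
    print("minutes between znc runs:", run_intervals(recs, "somebody", "znc"))
    for r in recs:
        if r.flags:
            print(f"{r.command} ({r.user}): " + "; ".join(describe_flags(r.flags)))
```

On a real system, feed it the output of `sudo lastcomm` (for example via `subprocess.run(["sudo", "lastcomm"], capture_output=True, text=True).stdout`) instead of the constructed sample; the parser rejects any line whose fields do not match lastcomm's layout rather than silently mis-attributing a command to the wrong user.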

Logs kept by process accounting are far superior to .bash_history, because they are written by the kernel to a location the user cannot write to. There is no escape. Do note, however, that users with root access can edit these logs or, in the worst case, simply delete them.
