How to keep a detailed audit trail of what’s being done on your Linux systems

by on November 14, 2006 · 58 comments· LAST UPDATED September 3, 2007

in , ,

Intrusions can take place from both authorized (insiders) and unauthorized (outsiders) users. My personal experience shows that unhappy user can damage the system, especially when they have a shell access. Some users are little smart and removes history file (such as ~/.bash_history) but you can monitor all user executed commands.

It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user including CPU and memory time. With process accounting sys admin always find out which command executed at what time :)

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.

  • The ac command displays statistics about how long users have been logged on.
  • The lastcomm command displays information about previous executed commands.
  • The accton command turns process accounting on or off.
  • The sa command summarizes information about previously executed commmands.

Task: Install psacct or acct package

Use up2date command if you are using RHEL ver 4.0 or less
# up2date psacct
Use yum command if you are using CentOS/Fedora Linux / RHEL 5:
# yum install psacct
Use apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct OR # apt-get install acct

Task: Start psacct/acct service

By default service is started on Ubuntu / Debian Linux by creating /var/account/pacct file. But under Red Hat /Fedora Core/Cent OS you need to start psacct service manually. Type the following two commands to create /var/account/pacct file and start services:
# chkconfig psacct on
# /etc/init.d/psacct start

If you are using Suse Linux, the name of service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start

Now let us see how to utilize these utilities to monitor user commands and time.

Task: Display statistics about users' connect time

ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display total connect time:
$ acOutput:

total       95.08

Display totals for each day rather than just one big total at the end:
$ ac -dOutput:

Nov  1  total        8.65
Nov  2  total        5.70
Nov  3  total       13.43
Nov  4  total        6.24
Nov  5  total       10.70
Nov  6  total        6.70
Nov  7  total       10.30
.....
..
...
Nov 12  total        3.42
Nov 13  total        4.55
Today   total        0.52

Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -pOutput:

        vivek                             87.49
        root                                 7.63
        total       95.11

Task: find out information about previously executed user commands

Use lastcomm command which print out information about previously executed commands. You can search command using usernames, tty names, or by command names itself.

Display command executed by vivek user:
$ lastcomm vivekOutput:

userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
userhelper        S     vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
gcc                     vivek  pts/0      0.00 secs Mon Nov 13 23:45
which                   vivek  pts/0      0.00 secs Mon Nov 13 23:44
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
ls                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
vi                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
cat                     vivek  pts/0      0.00 secs Mon Nov 13 23:42
netstat                 vivek  pts/0      0.07 secs Mon Nov 13 23:42
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38

For each entry the following information is printed. Take example of first output line:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
Where,

  • userhelper is command name of the process
  • S and X are flags, as recorded by the system accounting routines. Following is the meaning of each flag:
    • S -- command executed by super-user
    • F -- command executed after a fork but without a following exec
    • D -- command terminated with the generation of a core file
    • X -- command was terminated with the signal SIGTERM
  • vivek the name of the user who ran the process
  • prts/0 terminal name
  • 0.00 secs - time the process exited

Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd
Output:

rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                      vivek    pts/0      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29

Search the accounting logs by terminal name pts/1
$ lastcomm pts/1

Task: summarizes accounting information

Use sa command to print summarizes information about previously executed commands. In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used. The information can also be summarized on a per-user basis; sa will save this iinformation into a file named usracct.
# saOutput:

     579     222.81re       0.16cp     7220k
       4       0.36re       0.12cp    31156k   up2date
       8       0.02re       0.02cp    16976k   rpmq
       8       0.01re       0.01cp     2148k   netstat
      11       0.04re       0.00cp     8463k   grep
      18     100.71re       0.00cp    11111k   ***other*
       8       0.00re       0.00cp    14500k   troff
       5      12.32re       0.00cp    10696k   smtpd
       2       8.46re       0.00cp    13510k   bash
       8       9.52re       0.00cp     1018k   less

Take example of first line:
4 0.36re 0.12cp 31156k up2date
Where,

  • 0.36re "real time" in wall clock minutes
  • 0.12cp sum of system and user time in cpu minutes
  • 31156k cpu-time averaged core usage, in 1k units
  • up2date command name

Display output per-user:
# sa -uOutput:

root       0.00 cpu      595k mem accton
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12482k mem touch
root       0.00 cpu    13226k mem psacct
root       0.00 cpu      595k mem consoletype
root       0.00 cpu    13192k mem psacct           *
root       0.00 cpu    13226k mem psacct
root       0.00 cpu    12492k mem chkconfig
postfix    0.02 cpu    10696k mem smtpd
vivek      0.00 cpu    19328k mem userhelper
vivek      0.00 cpu    13018k mem id
vivek      0.00 cpu    13460k mem bash             *
lighttpd   0.00 cpu    48240k mem php              *

Display the number of processes and number of CPU minutes on a per-user basis
# sa -mOutput:

                                      667     231.96re       0.17cp     7471k
root                                  544      51.61re       0.16cp     7174k
vivek                                 103      17.43re       0.01cp     8228k
postfix                                18     162.92re       0.00cp     7529k
lighttpd                                2       0.00re       0.00cp    48536k

Task: Find out who is eating CPU

By looking at re, k, cp/cpu (see above for output explanation) time you can find out suspicious activity or the name of user/command who is eating up all CPU. An increase in CPU/memory usage (command) is indication of problem.

Please note that above commands and packages also available on other UNIX like oses such as Sun Solaris and *BSD oses.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 58 comments… read them below or add one }

1 Andreas Roedl November 14, 2006 at 7:37 pm

It’s “sa”, not “su”…

Reply

2 GeorgeB November 14, 2006 at 8:07 pm

I think there’s an error at
Display output per-user:

Display the number of processes and number of CPU minutes on a per-user basis

shouldn’t be sa -u and sa -m ?

Reply

3 nixCraft November 15, 2006 at 2:42 am

@Andreas and GeorgeB,

Typo is fixed.

Thanks for heads up!

Reply

4 Steve November 15, 2006 at 6:34 pm

So why is Solaris a “Unix like” OS. Last time I looked it was based on System V.

Reply

5 nixCraft November 16, 2006 at 1:36 am

So why is Solaris a “Unix like” OS

It is certified as a version of Unix. Late 1990s Sun replaced the BSD-derived SunOS 4 with a version of UNIX System V Release 4 (SVR4),

When I say UNIX like means other all oses such as OpenBSD, AIX, Linux, FreeBSD etc.

Reply

6 Lokesh November 17, 2006 at 12:09 pm

Hi,

Any command to flush old data like daily basis ?

Reply

7 shomi March 30, 2014 at 11:02 pm

Keep the data in /tmp and setup a cron job to delete it at midnight.

Reply

8 nixCraft November 17, 2006 at 12:59 pm

Lokesh,

Sorry but I don’t get your question…

Reply

9 Dominic White November 19, 2006 at 12:46 am

On Debian/Ubuntu systems it is in the ‘acct’ package and can be installed with ‘apt-get install acct’.

Reply

10 Lokesh November 20, 2006 at 11:10 am

Hi,

Iam planning to take daily audit output , once after taking data of audit report i need to remove old data and take next day report only with out old data.

Plze let me know , if u need more info.

Thanx
Lok

Reply

11 Tim November 20, 2006 at 6:58 pm

Is there a way to prevent this information from being modified? I assume that somebody who roots a machine would clear/alter the accounting records. Is there a way to have this send, say, over a serial link to another machine in realtime?

Reply

12 Jp December 21, 2006 at 6:26 am

Hi

This is reagrding lastcomm in Linux.
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
userhelper S vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45

what is this 0.00 or 0.00 or 0.01 secs its CPU time or actual time.
What is Nov 12 23:45 etc

Regards
JP

Reply

13 nixCraft December 22, 2006 at 4:12 am

Hello,

0.00 secs Mon Nov 13 23:58 ===> time the process exited

HTH

Reply

14 Manoj January 31, 2007 at 5:39 am

The lastcomm command will not display the path from which command was executed as well as the argument passed to the command

Reply

15 ipman February 6, 2007 at 5:44 pm

Unfortunately it looks like it doesn’t record the command unless it completes. So if you dump the box, you won’t be able to find the command that might have cause it to crash.

Reply

16 KM April 11, 2007 at 8:55 am

Hi…

I am installing psacct on my CentOS box. lastcomm and sa commands give no output. Infact in /var/account there is only a single file created pacct which too is 0 bytes. Am i missing some other configuration.

Note: kernel version is 2.6.15.1
/ and /usr/local are read only partitions.
/var has read-write permissions.

Warm Regards
KM.

Reply

17 nixCraft April 11, 2007 at 2:22 pm

Don’t forget to run following two commands:
chkconfig psacct on
/etc/init.d/psacct start

After that wait for some time and run a few commands. Try again. Lemee know

Reply

18 Unca Xitron July 3, 2007 at 9:33 pm

Any idea how to get a non-truncated command to print out? Example:

/home/charlie/my_favorite/command/in/the/world

…will display as something like…

/home/charlie/my_fav

Does the acct process store the command as typed so that there I might be able to find a way to access it in the pacct file? Also, is there any way to open this pacct data file in some sort of editor to see what all is stored in it?

Thanks!

Unca Xitron

Reply

19 Soumen August 20, 2007 at 10:15 am

I am using SLES 9. I would like to get a log when my users have changed their password. How do I do it.

In fact I found this available with SLES 10 in the /var/log/messages file. But not finding the same in SLES 9. Please help.

Regards,

Soumen.

Reply

20 Koushik September 6, 2007 at 7:03 am

To clear the file which saves the pacct information run this command.

rm -f /var/account/pacct

We have to re-initialize the pacct command as explained in the tutorial after executing this command.

Cheers
Koushik

Reply

21 Weiyi Yang September 18, 2007 at 3:44 pm

Can I trace back the variables in the command, say, instead of only knowing someone ran ping, but also know which ip address she ran ping against?

Reply

22 Danny September 27, 2007 at 9:29 pm

This only seems to track the command and not the arguments used to run the command:

Eg. rm -rf / would only show rm which is not much of any use.

Am I missing something?
Danny

Reply

23 Sajindra October 10, 2007 at 11:57 am

Is there any way that we can log the arguments as well using this ? Can anyone suggest an alternative way of tracking users and the commands they have run?

Regards
Sajindra

Reply

24 Brein March 10, 2008 at 9:30 pm

Thanks for the usefull howto,
as stated above, i’m also missing the ability to log the variables given to a command, this would be very usefull in my opinion.
greets

Reply

25 Gokdeniz Karadag July 9, 2008 at 6:36 pm

@danny, @brein and others;

There is a package called “snoopy” it wraps “exec” calls and logs any command that has been run, it logs user, command and parameters. It does not log shell builtins like cd and ls, as they do not call exec.

Reply

26 Dick Heth August 30, 2008 at 5:26 pm

I have a similar configuration to KM(15) above and have the same issues and problems he reported. Is there something I am missing? Below are some things I did on this machine and the results

[root@sandbox ~]# ac dheth
total 306.91
[root@sandbox ~]# /etc/init.d/psacct status
Process accounting is enabled.
[root@sandbox ~]# passwd dheth
Changing password for user dheth.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@sandbox ~]# lastcomm passwd
[root@sandbox ~]# lastcomm –help
Usage: lastcomm [-hV] [-f file] [command] … [user] … [terminal] …
[--file ] [--strict-match] [--print-controls]
[--user ] [--tty ] [--command ] [--debug]
[--version] [--help]

The system’s default process accounting file is /var/account/pacct.
[root@sandbox ~]# lastcomm –debug|more
[root@sandbox ~]# lastcomm –version
lastcomm: GNU Accounting Utilities (release 6.3.2)
[root@sandbox ~]# ac –version
ac: GNU Accounting Utilities (release 6.3.2)
[root@sandbox ~]# uname -a
Linux sandbox.****.com 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 i686 i386 GNU/Linux

Reply

27 pbt February 6, 2009 at 9:05 am

I ran
accton /var/log/pacct

on all the machines I have. But while on one machine “sa -m” is showing correct output,
other machines are giving error as follows :
sa -m
sa: ERROR — print_stats_nicely called with num_calls == 0
Why is this happening ? Anything wrong?
pbt

Reply

28 Pedro Cora May 25, 2009 at 3:05 pm

Hi there. I now that this is a really old post, but I need to ask something.

For how long the lastcomm will store commands? Lets say I’ll install a linux box today and start the psacct service. In 4 months, commands from the first days of the machile will be there? Or it only keeps something like the last 30 commands?

Regards,

Pedro

Reply

29 Abdellah Tantan July 15, 2009 at 4:57 pm

The accounting process is easy to use but SUDO audit file can give you a better audit trail. Sudo lists everything you need to know about what has been done on the machine, including the user who became the super user and the arguments were passed to the command, timestamp, etc the downside of SUDO log file is that it is not easy to work with, at least in my experience.

Nice tutorial

Regards,

Abdellah

Reply

30 Rahul Panwar August 28, 2009 at 10:05 am

I started the “psacct” service, but still “accton” is not showing any output while other commands are working like sa, lastcomm & ac.
Where am i doing wrong?

Reply

31 Fahim August 31, 2009 at 8:18 am

Hi,

Im interested to know is there a way to log all keystrokes including typos & complete command parameters with this say $rm -rf /* or custom scripts such as $./foo 10.0.0.1
My requirement is to log *EVERYTHING* the command and its associated flags and parameters.

Thanks

Reply

32 Deleriux September 5, 2009 at 11:35 pm

A more suitable way on modern distros (Centos 5 + ) is to install the pam_tty_audit pam module and place it into a pam stack for say, login or sshd.

This will produce a key by key typing of what was pressed inside the session. (including, up, down backspace, etc)

You can use ausearch to look through it.

I.E “ausearch -ts recent -m tty -i”

Reply

33 Fahim September 22, 2009 at 2:36 am

Hi,
pam_tty_audit is kool, but problem is that it logs only root level stuff. Is there anyway to make it log user level tty input without patching it?

Thanks

Reply

34 Deleriux September 22, 2009 at 10:16 pm

Yeah, pass it something like:

session required pam_tty_audit.so enable=*

To the pam stack.

Reply

35 Fahim September 22, 2009 at 11:45 pm

Thanks Deleriux, I tried that but no luck :S. It seems im getting it wrong somewhere:

[fimz@localhost ~]$ sudo vim /etc/pam.d/sshd
[fimz@localhost ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_tty_audit.so disable=* enable=*
[fimz@localhost ~]$ date
Wed Sep 23 11:29:16 NZST 2009
[fimz@localhost ~]$ sudo su -
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
login as: fimz
fimz@X.Y.2.3′s password:
Last login: Wed Sep 23 11:24:02 2009 from it029481.xyz.org
[fimz@localhost ~]$
[fimz@localhost ~]$ ls
Desktop
[fimz@localhost ~]$ ls -a
. .bashrc .gconfd .gtkrc-1.2-gnome2 .redhat
.. Desktop .gnome .ICEauthority .Trash
.bash_history .dmrc .gnome2 .metacity .viminfo
.bash_logout .eggcups .gnome2_private .mozilla
.bash_profile .gconf .gstreamer-0.10 .nautilus
[fimz@localhost ~]$ ls -l
total 8
drwxr-xr-x 2 fimz fimz 4096 Sep 10 16:02 Desktop
[fimz@localhost ~]$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
[fimz@localhost ~]$ date
Wed Sep 23 11:31:05 NZST 2009

[fimz@localhost ~]$ sudo grep mount /var/log/*
/var/log/secure:Sep 23 11:31:56 localhost sudo: fimz : TTY=pts/1 ; PWD=/home/fimz ; USER=root ; COMMAND=/bin/grep mount /var/log/acpid /var/log/anaconda.log /var/log/anaconda.syslog /var/log/anaconda.xlog /var/log/audit /var/log/boot.log /var/log/boot.log.1 /var/log/boot.log.2 /var/log/btmp /var/log/conman /var/log/conman.old /var/log/cron /var/log/cron.1 /var/log/cron.2 /var/log/cups /var/log/dmesg /var/log/faillog /var/log/gdm /var/log/httpd /var/log/lastlog /var/log/mail /var/log/maillog /var/log/maillog.1 /var/log/maillog.2 /var/log/messages /var/log/messages.1 /var/log/messages.2 /var/log/news /var/log/pm /var/log/ppp /var/log/prelink /var/log/rpmpkgs /var/log/rpmpkgs.1 /var/log/rpmpkgs.2 /var/log/samba /var/log/scrollkeeper.log /var/log/secure /var/log/secure.1 /var/log/secure.2 /var/log/setroubleshoot /var/log/spooler /var/log/spooler.1 /var/log/spooler.2 /var/log/squid /var/log/tallylog /var/log/vbox /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old /var/log/yum.log

I was expecting it to log to messages, but apparently its not!

Reply

36 Deleriux September 23, 2009 at 12:14 pm

You should probably remove disable=* as it makes the thing a little ambiguous.

Reply

37 RogerD July 29, 2010 at 9:14 pm

I’m running with pam_tty_audit and it appears it only logs root level key events, regardless of the settings in the session entry. It seems to ignore the disable= and enable= settings. The man page has the example of enabling root, but specifying a different user (ex enable=username ) still logs root only.

Reply

38 Deleriux September 23, 2009 at 12:15 pm

Oh, and to check audit you need to run something such as

ausearch -ts recent -m tty

Reply

39 Bostjan Skufca February 10, 2010 at 2:10 am

Try snoopy logger. I’ve just updated it and it works ok for me now.
https://sourceforge.net/projects/snoopylogger/

Reply

40 jav March 15, 2010 at 2:42 pm

Snoopy compiles and loads, but so far it seems to work only to log root commands, and I modified snoopy.h
#define SNOOPY_ROOT_ONLY 0
with both 0 or 1, makes no difference, keeps logging only root commands.

Reply

41 Bostjan Skufca March 18, 2010 at 8:57 pm

@jav:

Weird. Can you compile and run this program once as root and once as non-privileged user on your system? Source here:
http://source.a2o.si/tmp/snoopy/test-getuid.c

Compiled for Linux 32bit here:
http://source.a2o.si/tmp/snoopy/test-getuid

Post the results on sourceforge issue tracker please (in order not to bloat this blog post with irrelevant comments)
Tnx!

Reply

42 Vince March 22, 2010 at 11:45 pm

I’m not totally sure yet, but support for process accounting has to be also enabled in the kernel to make all features of acct work.
=> CONFIG_BSD_PROCESS_ACCT

Reply

43 rea April 7, 2010 at 9:42 am

hi, i just installed snoopy on fedora 12. but i dont know how to view log. where snoopy`s log file located? could u explain me pls/ i read instruction file but nothing found something that help me. sry my bad english

Reply

44 praveen c February 17, 2011 at 9:01 am

Hi,

I gone through the entire comments but nobody clearly spacifying..is there any tool for tracking the user executed commands and path of the file/folder.

Like [root@nisslave pravi]# pwd
/home/pravi
[root@nisslave pravi]# cat test
dfasdf
[root@nisslave pravi]#

Reply

45 Bostjan Skufca February 17, 2011 at 11:23 am

@praveen c: “pwd” is a shell built-in command and is not executed. However snoopy does exactly what you have described.

Reply

46 Ankit Sharma March 28, 2011 at 5:08 am

I’ve taken a project to work upon tracing of runtime activities on unix system
into a log file. Like, to implement a program which will show the log of everything
happened in past, including many requirements, like applications i used (with the time of access),
kind of files/directories i opened, closed, created, deleted(with the time), etc.
.
Please suggest me something to do it in a better way.

Reply

47 Chuong April 27, 2011 at 5:06 am

rm vivek pts/0 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
rm vivek pts/1 0.00 secs Tue Nov 14 00:29

vivek is remove many files. The command just showing “rm” command, So how could i know what did he remove ??????

Please help

Reply

48 mj February 29, 2012 at 3:24 am

ankit, let me know if you have done with your project. I am also doing the same project and I really need help in that.

Reply

49 Peter June 4, 2011 at 4:35 am

Just knowing the command (by itself) the user ran is useless. You absolutely need it’s arguments, and the parent process’s CWD. Other than that, it’s a “cute” toy, and little else.

Reply

50 jalal hajigholamali August 26, 2011 at 5:57 am

Thanks for the useful how to,

Reply

51 mj February 29, 2012 at 2:57 am

I need to implement a program in shell programming which will show me the log of everything happened in past. It should show me who has logged in and list its activities. It can include many requirements. Kind of applications he/she used (with the time of access), kind of files/directories he has opened, closed, created, deleted (with the time) and many more information. please help me for the same.
MJ

Reply

52 Francois Scheurer June 6, 2012 at 10:53 am

I wrote a method to log all ‘bash’ commands/builtins into a text-file or a ‘syslog’ server without using a patch or a special executable tool.

It is very easy to deploy, as it is a simple shellscript that need to be called once at the initialization of the ‘bash’.

see the method here

cheers
Francois Scheurer

Reply

53 john October 24, 2012 at 9:13 am

how to install accounting package on cygwin?please help?

Reply

54 shahzaib.cb October 30, 2012 at 5:19 pm

Hello,
i want to know which ip logged into my centos server and deleted my data. Is there a command or some script you can provide me ? I’ve lost my client’s all data but unable to track ip log, which used command “rm -Rf ” to remove client’s data. Help will be highly appreciated. THanks

Reply

55 bob December 31, 2012 at 3:38 pm

Hi This is good, but it is not enough as context change and knowing that a file was deleted doesn’t explain why it was.
How can I record both the command line and the screen result ?
Cherry on the cake would be to export in real time the output to syslog so that user can’t modify it.
That would be superbe !

Reply

56 Russ Hopson January 28, 2013 at 9:15 pm

I have a question about how far back the ‘ac -p’ command goes. Is it for the current month? I have been using the a cronjob to process the wtmp file each month for accounting purposes but I’m looking for some alternate ways to do this. I would really like to be able to organize my individual user logins by the groups they are in but it does not seem like this information is tracked by wtmp.

Thanks for any assistance you can offer.

Reply

57 archit May 24, 2013 at 10:06 am

is there any way to analyse log without going to all log files , it is very tedious , will aurport or ausearch work or they work only with log generated by auditd ?

Reply

58 SNBanerjee May 31, 2013 at 8:06 pm

Hi,

My question is also simple. Is it possible to capture the arguments after rm command or kill command through lastcomm?

like I am doing rm -rf myfolder
rm -f myfile
kill -9 123456789

so I want the lastcomm should capture both the rm/kill commands & the argument.

Thanks in advance

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , ,

Previous post:

Next post: