Monitoring All Executed Commands

8 01 2013

Sometimes, investigating suspicious activity requires time travel—you need detailed information about what happened during some interval in the past. Process accounting can help.

The Linux kernel can record a wealth of information about each process at the moment it exits: the command name, the real user and group IDs, start time, CPU time consumed, memory and I/O usage, exit status, and whether the process used superuser privileges. This feature was originally designed to support charging for resources such as CPU time (hence the name “process accounting”), but today it is used mostly as an audit trail for detective work.

The accton command enables process accounting and names the file that will hold the audit trail, conventionally /var/account/pacct. This file must already exist, so manually create an empty file first if necessary, and restrict its permissions (mode 0600, owned by root) to prevent public viewing of the sensitive accounting data. Run without a filename, accton disables process accounting; current GNU acct releases also accept an explicit accton off (and accton on), which is the clearer form to use in scripts.
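The following is an added example, not code from the original post: it creates the accounting file with owner-only permissions as described above, wraps the accton call, and decodes the records the kernel appends to the file so that the "what ran between these two times" question can be answered directly. It assumes the kernel writes struct acct_v3 as defined in <linux/acct.h> (CONFIG_BSD_PROCESS_ACCT_V3, 64-byte records) in little-endian byte order; the sample records, timestamps and command names are constructed for the demonstration.

```python
"""Process-accounting helpers: create a pacct file only its owner can read, and
decode the records the Linux kernel appends to it.  Added example, not code
from the original post.  Assumes struct acct_v3 from <linux/acct.h>
(CONFIG_BSD_PROCESS_ACCT_V3): 64-byte little-endian records.  Sample records
below are constructed, not captured from a real system."""
import os
import struct
import subprocess
import tempfile
from datetime import datetime, timezone

# struct acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
# etime (float), eight comp_t counters, 16-byte NUL-padded command name.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3
ACCT_BYTEORDER = 0x80            # OR'ed into ac_version on big-endian hosts
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
COMP_FIELDS = ("utime", "stime", "mem", "io", "rw", "minflt", "majflt", "swaps")


def create_pacct_file(path=None):
    """Create the accounting file if needed and force mode 0600 (root should
    own it).  Returns the resulting permission bits so callers can verify."""
    if path is None:   # demo location; real deployments use /var/account/pacct
        path = os.path.join(tempfile.gettempdir(), "pacct-example-%d" % os.getpid())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # O_CREAT honours umask,
    os.close(fd)
    os.chmod(path, 0o600)                                 # so set the mode explicitly
    return os.stat(path).st_mode & 0o777


def accton(path):
    """Enable accounting into `path` (root required).  accton('off') disables
    it on current GNU acct releases."""
    return subprocess.run(["accton", path], check=True).returncode


def decode_comp_t(c):
    """comp_t packs a 13-bit mantissa and a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t (lossy); used only to build sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return value | (exp << 13)


def parse_records(data):
    """Decode every complete acct_v3 record in `data` into a dict."""
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        fields = ACCT_V3.unpack_from(data, off)
        flag, version = fields[0], fields[1]
        if version & ACCT_BYTEORDER:
            raise ValueError("big-endian accounting file; this parser assumes little-endian")
        if version != ACCT_VERSION:
            raise ValueError("unsupported acct version %d" % version)
        rec = dict(zip(("tty", "exitcode", "uid", "gid", "pid", "ppid", "btime", "etime"),
                       fields[2:10]))
        rec["flag"] = flag
        rec.update((name, decode_comp_t(c)) for name, c in zip(COMP_FIELDS, fields[10:18]))
        rec["comm"] = fields[18].split(b"\0", 1)[0].decode("ascii", "replace")
        records.append(rec)
    return records


def commands_between(records, start, end):
    """The detective's question: which processes started in [start, end)?"""
    return [r for r in records if start <= r["btime"] < end]


def privileged_by_nonroot(records):
    """Commands run by a non-root uid that used superuser privileges (ASU set),
    typically through a set-uid binary; worth a look in an intrusion timeline."""
    return [r["comm"] for r in records if r["uid"] != 0 and r["flag"] & ASU]


def make_record(comm, uid, pid, ppid, btime, flag=0, exitcode=0, utime=0):
    """Build one constructed acct_v3 record (test data, not kernel output)."""
    return ACCT_V3.pack(flag, ACCT_VERSION, 0, exitcode, uid, uid, pid, ppid, btime, 0.0,
                        encode_comp_t(utime), 0, 0, 0, 0, 0, 0, 0, comm.encode())


T0 = 1357632000   # 2013-01-08 08:00:00 UTC, constructed
SAMPLE = b"".join([
    make_record("bash", 1000, 4201, 4200, T0),
    make_record("wget", 1000, 4210, 4201, T0 + 60),
    make_record("chmod", 1000, 4211, 4201, T0 + 65, utime=65536),
    make_record("nc", 1000, 4212, 4201, T0 + 90, flag=ASU),
    make_record("sshd", 0, 900, 1, T0 + 3600),
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)   # on a live system: parse_records(open(path, "rb").read())
    for r in commands_between(recs, T0, T0 + 120):
        when = datetime.fromtimestamp(r["btime"], timezone.utc).strftime("%H:%M:%S")
        print("%s uid=%d pid=%d ppid=%d %s" % (when, r["uid"], r["pid"], r["ppid"], r["comm"]))
    print("privileged commands by non-root users:", privileged_by_nonroot(recs))
```

On a real host, call create_pacct_file("/var/account/pacct") and accton("/var/account/pacct") as root, then feed the file to parse_records; the byte-order check exists because the kernel marks big-endian records in ac_version and the struct format above is fixed to little-endian.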

Usually process accounting is enabled automatically at boot time. On SuSE and Red Hat 8.0 or later systems, the chkconfig command installs the necessary links to run the scripts acct and psacct (respectively) in the /etc/init.d directory. The behavior of earlier Red Hat versions is slightly different, and