Keep a detailed audit trail of what’s being done on your Linux systems
Disruption can come from authorized users (insiders) as well as unauthorized ones (outsiders). My own experience demonstrates that an unhappy user can harm the system, especially when they have shell access. Some users are clever enough to remove their history records (for example, ~/.bash_history), but you can still monitor every command a user executes.
It is suggested that you log user activity using process accounting. Process accounting lets you view every command executed by any user, together with its CPU time and average memory use, so a sysadmin can always find out which command ran, when, and under which account. Two caveats up front: the kernel writes the accounting record when a process exits, so a command that is still running does not appear until it terminates; and anyone who obtains root can turn accounting off (accton off) or truncate the log, so the trail is evidence against ordinary users, not against a compromised root account, unless you ship it off the host.
The psacct package contains several utilities for monitoring process activity: ac, lastcomm, accton and sa.
- ac prints a report of connect time (in hours) based on logins and logouts.
- lastcomm prints information about previously executed commands. With no arguments, lastcomm prints information about all the commands in the record file.
- accton turns process accounting on or off.
- sa summarizes information about previously executed commands as recorded in the record file.
Install Package
Install the package with the following command:
# yum install psacct -y
Start Service
The psacct service is not started automatically after installation. Enable it at boot and start it now:
# chkconfig psacct on
# /etc/init.d/psacct start
On systemd-based releases the equivalents are systemctl enable psacct and systemctl start psacct; on Debian and Ubuntu the package and service are named acct. The raw accounting log is written to /var/account/pacct (Debian: /var/log/account/pacct); it grows with every process that exits, so make sure it is rotated and watch its size on busy hosts.
Display statistics about users
The ac command prints statistics about how long users have been logged on; a grand total is also printed. Run without any arguments, it displays the total connect time:
# ac
Output:
total 227.21
Print totals for every day instead of one grand total at the end:
# ac -d
Output:
Mar 11 total 0.01
Apr 2 total 13.33
May 11 total 4.96
May 12 total 16.08
May 13 total 1.95
May 22 total 0.12
Jun 4 total 3.53
Jun 5 total 3.42
Jun 6 total 48.04
Jun 8 total 105.77
Jun 9 total 19.33
Today total 10.80
Print time totals for each user in addition to the grand total:
# ac -p
Output:
dennis 0.43
root 226.94
total 227.38
Previously executed user commands
lastcomm prints information about previously executed commands. With no arguments it prints every record in the accounting file; if called with one or more command names, user names or terminal names, only the records matching those are shown. Bear in mind that each record holds only the executable's name (the first 15 characters), never its arguments, so python evil.py shows up as python, and a tool copied under another name shows up under that name; if you need arguments, pair this with an audit rule on the execve syscall.
Display the commands executed by user dennis:
# lastcomm dennis
Output:
du dennis pts/1 0.00 secs Tue Jun 16 12:20
df dennis pts/1 0.00 secs Tue Jun 16 12:20
nmap dennis pts/1 0.00 secs Tue Jun 16 12:19
ls dennis pts/1 0.00 secs Tue Jun 16 12:19
vim S dennis pts/0 0.05 secs Tue Jun 16 11:13
setup.sh F dennis pts/0 0.00 secs Tue Jun 16 11:23
Each line carries the following fields. Take the vim entry from the output above:
vim S dennis pts/0 0.05 secs Tue Jun 16 11:13
Where,
vim — command name of the process (the executable's name only, without arguments)
S — flags, as recorded by the system accounting routines. Up to four letters can appear here, with the following meanings:
S — command used super-user privileges
F — command executed after a fork but without a following exec
D — command terminated with the generation of a core file
X — command was terminated by a signal (documented as SIGTERM, but the kernel sets this flag for any fatal signal)
dennis — the name of the user who ran the process
pts/0 — terminal name
0.05 secs — CPU time consumed by the process (user plus system)
Tue Jun 16 11:13 — time the process started
Search the accounting logs by command name:
# lastcomm cat
Output:
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
cat root pts/0 0.00 secs Tue Jun 16 11:23
Search the accounting logs by terminal name, here pts/1:
# lastcomm pts/1
Output:
bash F root pts/1 0.00 secs Tue Jun 16 12:15
id root pts/1 0.00 secs Tue Jun 16 12:15
bash F root pts/1 0.00 secs Tue Jun 16 12:15
consoletype root pts/1 0.00 secs Tue Jun 16 12:15
grep root pts/1 0.00 secs Tue Jun 16 12:15
bash F root pts/1 0.00 secs Tue Jun 16 12:15
dircolors root pts/1 0.00 secs Tue Jun 16 12:15
bash F root pts/1 0.00 secs Tue Jun 16 12:15
tput root pts/1 0.00 secs Tue Jun 16 12:15
Summarize accounting information
# sa
Output:
2458 1582964.17re 1.26cp 8304k
223 41.70re 0.51cp 23686k miniserv.pl*
8 1326099.56re 0.37cp 111552k yum
39 0.28re 0.22cp 17147k rpm
113 0.14re 0.08cp 15006k run-postinstall*
14 255459.86re 0.03cp 17670k ***other*
3 0.02re 0.02cp 21499k miniserv.pl
2 0.01re 0.01cp 8877k openssl
81 0.01re 0.00cp 3073k ps
14 0.03re 0.00cp 14636k perl
24 0.03re 0.00cp 8469k httpd
2 3.71re 0.00cp 35904k vim
The first line is the total over all records. The columns are the number of times the command was run, total real (wall-clock) time in minutes (re), total CPU time, user plus system, in minutes (cp), and average memory use in kilobytes (k). An asterisk after a name marks commands that forked without a following exec, and commands that were run only once are lumped together as ***other unless you pass sa -a (--list-all-names).
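To make the lastcomm fields and the sa columns concrete, here is an added example, written for this article and not part of the psacct package, that decodes the raw accounting file those tools read. It assumes the Linux struct acct_v3 layout and flag bits from <sys/acct.h> (ACCT_VERSION 3, 64-byte little-endian records, as written on x86); every record it processes is constructed in the script, and the uids, pids, terminal device numbers and the watch-list of command names are illustrative assumptions, not data from the article.

```python
"""Decode raw process-accounting records (struct acct_v3, the format psacct/acct
write to /var/account/pacct) into lastcomm- and sa-style views. Added example for
this article, not psacct code; layout and flag bits follow <sys/acct.h> on Linux
(ACCT_VERSION 3, 64-byte little-endian records); sample records are constructed."""
import struct
import time
from collections import defaultdict

# ac_flag ac_version ac_tty | ac_exitcode ac_uid ac_gid ac_pid ac_ppid ac_btime | ac_etime
# | 8 x comp_t (utime stime mem io rw minflt majflt swaps) | ac_comm (name only, 16 bytes)
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
AHZ = 100  # accounting clock ticks per second
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_LETTERS = ((ASU, "S"), (AFORK, "F"), (ACORE, "D"), (AXSIG, "X"))  # lastcomm's order


def comp_t_decode(c):
    """comp_t: 13-bit mantissa, 3-bit base-8 exponent (lossy for large values)."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def comp_t_encode(value):
    """Inverse of comp_t_decode; used here only to build the sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """One dict per complete 64-byte record; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        flag, version, tty, _exit, uid, _gid, _pid, _ppid, btime, etime = f[:10]
        if version != 3:  # 0x80 set here would mean a big-endian file, not handled
            raise ValueError("unsupported acct version %d at offset %d" % (version, off))
        recs.append({
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(ch for bit, ch in FLAG_LETTERS if flag & bit),
            "uid": uid, "tty": tty, "btime": btime,
            "cpu_secs": (comp_t_decode(f[10]) + comp_t_decode(f[11])) / AHZ,
            "real_secs": etime / AHZ,
            "mem_kb": comp_t_decode(f[12]),
        })
    return recs


def format_lastcomm(rec):
    """lastcomm-style line; uid and tty are printed raw instead of resolved to names."""
    started = time.strftime("%a %b %d %H:%M", time.gmtime(rec["btime"]))
    return "%-16s %-4s uid=%-5d tty=%-5d %6.2f secs %s" % (
        rec["comm"], rec["flags"], rec["uid"], rec["tty"], rec["cpu_secs"], started)


def find_commands(recs, names, min_uid=1000):
    """Watch-listed command names run under an ordinary (>= min_uid) real uid.
    Matches on ac_comm only: arguments are never recorded, and a binary copied
    under another name (cp /usr/bin/nmap ./ls) is not caught this way."""
    wanted = set(names)
    return [r for r in recs if r["comm"] in wanted and r["uid"] >= min_uid]


def summarize(recs):
    """Per-command (calls, real secs, cpu secs, avg mem kB): sa's columns, in seconds."""
    totals = defaultdict(lambda: [0, 0.0, 0.0, 0])
    for r in recs:
        t = totals[r["comm"]]
        t[0], t[1], t[2], t[3] = t[0] + 1, t[1] + r["real_secs"], t[2] + r["cpu_secs"], t[3] + r["mem_kb"]
    return {c: (n, re, cp, mem // n) for c, (n, re, cp, mem) in totals.items()}


def make_record(comm, flag, uid, pid, ppid, btime, utime, stime, mem_kb, etime, tty=0, exit_code=0):
    """Pack one constructed acct_v3 record (sample data only; gid fixed at 100)."""
    return ACCT_V3.pack(flag, 3, tty, exit_code, uid, 100, pid, ppid, btime, float(etime),
                        comp_t_encode(utime), comp_t_encode(stime), comp_t_encode(mem_kb),
                        0, 0, 0, 0, 0, comm.encode())


# Constructed sample: uid 1000 runs nmap and ls on pts/1 (old dev_t 34817 = major 136, minor 1),
# its shell forks without exec, root runs vim, and httpd dies on a signal with a core dump.
T = 1434457140  # Tue Jun 16 2015 12:19:00 UTC
SAMPLE_PACCT = b"".join([
    make_record("nmap", 0, 1000, 4242, 4200, T, 3, 2, 8304, 500, tty=34817),
    make_record("ls", 0, 1000, 4243, 4200, T + 10, 0, 0, 3073, 1, tty=34817),
    make_record("bash", AFORK, 1000, 4244, 4200, T + 12, 0, 0, 8469, 1, tty=34817),
    make_record("vim", ASU, 0, 4300, 4100, T + 60, 5, 0, 35904, 371, tty=34816),
    make_record("httpd", ACORE | AXSIG, 48, 4400, 1, T + 90, 1, 1, 14636, 4170, exit_code=11),
])

if __name__ == "__main__":
    records = parse_pacct(SAMPLE_PACCT)
    print("\n".join(format_lastcomm(r) for r in records))
    print("watch-list hits:", [r["comm"] for r in find_commands(records, ["nmap", "nc", "tcpdump"])])
    for comm, (n, re, cp, mem) in summarize(records).items():
        print("%5d %10.2fre %8.2fcp %8dk %s" % (n, re, cp, mem, comm))
```

On a real host you would feed parse_pacct the bytes of /var/account/pacct (root-readable) instead of SAMPLE_PACCT; the reader deliberately refuses records whose version byte is not 3, so a big-endian or pre-v3 file fails loudly rather than producing garbage. The find_commands filter is the whole of what this data can support: a name match on the 16-byte ac_comm field, which is why a renamed binary or a script's arguments never show up here.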