user command auditing
>Is there a tool or a way of keeping track of which commands users are
>executing on a system?
There is a .bash_history file in users' home folders. It contains all commands executed by this user.
On Wed, Jul 16, 2008 at 7:22 PM, A. Khattri <email@example.com> wrote:
On Wed, 16 Jul 2008, Richard Marzan wrote:
I understand that history files can be wiped out
and they don't really contain the time at which a command and its
arguments were run so I refrain from relying on it.
On traditional UNIX systems, system accounting logs (usually called acct) can be read via the lastcomm command. I'm guessing that the sys-process/acct ebuild will give you those commands.
NOTE: You will also need kernel support for process/login accounting - look for "process accounting" in your kernel config and make sure it is switched on. (Naturally, you will need to rebuild your kernel / modules if it isn't switched on and reboot to activate it).
UPDATE: I just checked one of my kernels and the config option is called "BSD-style process accounting" - it lives in General Setup when configuring a kernel.
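What lastcomm reads from the accounting file, as an added example that is not part of the thread: a Python parser for the kernel's version 3 record (struct acct_v3 in <linux/acct.h>), assuming the file uses that format in host byte order. Each record carries a start time and UID but only the command name (up to 16 bytes), not its arguments; the sample records and the helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# struct acct_v3 from <linux/acct.h>: 64 bytes per exited process, host byte order.
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime (float),
# eight comp_t counters, comm[16]
REC = struct.Struct("=BBH6If8H16s")
FLAG_LETTERS = {0x01: "F", 0x02: "S", 0x08: "D", 0x10: "X"}  # as printed by lastcomm


def parse_pacct(blob):
    """Return a list of dicts, one per complete record in an accounting file."""
    out = []
    for off in range(0, len(blob) - REC.size + 1, REC.size):
        f = REC.unpack_from(blob, off)
        if f[1] & 0x7F != 3:  # high bit only marks byte order
            raise ValueError(f"record at offset {off} is not acct_v3")
        out.append({
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(l for bit, l in FLAG_LETTERS.items() if f[0] & bit),
            "uid": f[4],
            "pid": f[6],
            "ppid": f[7],
            "start": datetime.fromtimestamp(f[8], timezone.utc),
        })
    return out


def commands_for_uid(records, uid):
    """(start time, command name) pairs for one user, oldest first."""
    return sorted((r["start"], r["comm"]) for r in records if r["uid"] == uid)


def _sample(comm, uid, pid, btime, flag=0):
    # Constructed record for the demo, not captured from a real system.
    return REC.pack(flag, 3, 0, 0, uid, 100, pid, 1, btime, 0.0, *([0] * 8), comm)


# 1216236120 is 2008-07-16 19:22:00 UTC
SAMPLE = (_sample(b"ls", 1000, 4001, 1216236120)
          + _sample(b"rm", 1000, 4002, 1216236125)
          + _sample(b"su", 0, 4003, 1216236130, flag=0x02)
          + b"\x00" * 10)  # partial trailing record, ignored by the parser

if __name__ == "__main__":
    for start, comm in commands_for_uid(parse_pacct(SAMPLE), 1000):
        print(start.isoformat(), comm)
```

On a live system the input would be the file that accounting was switched on for, read in binary mode; its path depends on the distribution.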