Recipe 9.38 Monitoring All Executed Commands

9.38.1 Problem

You want to record information about executed commands, a.k.a. process accounting.

9.38.2 Solution

Prepare to enable process accounting:

    # umask 077                        Be sure that the accounting data isn't publicly readable
    # touch /var/account/pacct         Create the log file if necessary

Enable it:

    # accton /var/account/pacct

or:

    # /etc/init.d/psacct start         Red Hat
    # /etc/init.d/acct start           SuSE

or:

    # service psacct start             Red Hat

To disable it:

    # accton                           Note: no filename

or:

    # /etc/init.d/psacct stop          Red Hat
    # /etc/init.d/acct stop            SuSE

or:

    # service psacct stop              Red Hat

To enable process accounting automatically at boot time:

    # chkconfig psacct on              Red Hat
    # chkconfig acct on                SuSE

By default, the process accounting RPM is not installed for Red Hat 8.0 or SuSE 8.0, but both distributions include it. The package name is psacct for Red Hat, and acct for SuSE.

9.38.3 Discussion

Sometimes, investigating suspicious activity requires time travel: you need detailed information about what happened during some interval in the past. Process accounting can help.

The Linux kernel can record a wealth of information about processes as they exit. This feature originally was designed to support charging for resources such as CPU time (hence the name "process accounting"), but today it is used mostly as an audit trail for detective work.

The accton command enables process accounting, and specifies the file used for the audit trail, conventionally /var/account/pacct. This file must already exist, so manually create an empty file first if necessary, carefully restricting access to prevent public viewing of the sensitive accounting data. If the filename is omitted, then the accton command disables process accounting.

Usually process accounting is enabled automatically at boot time. On SuSE and Red Hat 8.0 or later systems, the chkconfig command installs the necessary links to run the scripts acct and psacct (respectively) in the /etc/init.d directory.

The behavior of earlier Red Hat versions is slightly different, and less flexible: the boot script /etc/init.d/rc.sysinit always enables process accounting if the psacct RPM is installed, and the accounting files are stored in /var/log instead of /var/account.

Accounting data will accumulate fairly rapidly on a busy system, so the log files must be aggressively rotated [Recipe 9.30]: the daily rotation specified by /etc/logrotate.d/psacct on Red Hat systems is typical. SuSE does not provide a logrotate script, but you can install one in /etc/logrotate.d/acct:

    /var/account/pacct {
        prerotate
            /usr/sbin/accton
        endscript
        compress
        notifempty
        daily
        rotate 31
        create 0600 root root
        postrotate
            /usr/sbin/accton /var/account/pacct
        endscript
    }

The prerotate and postrotate scripts use the accton command to disable accounting temporarily while the log files are being rotated. Compressed log files are retained for a month.

An alternative is to use the sa command with the -s option to truncate the current log file and write a summary of totals by command name or user ID in the files savacct and usracct, respectively (in the same directory as pacct). The logrotate method is more suitable for sleuthing, since it preserves more information.

9.38.4 See Also

accton(8), sa(8).
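An added shell example, not from the book, that prepares the accounting file the way the Solution describes (umask 077, create if missing, mode 0600) and audits an existing file for the group/world access the recipe warns against. It assumes a Linux host with GNU stat, and takes the file path as a parameter so it can be exercised outside /var/account.

```shell
#!/bin/sh
# Prepare a process-accounting log file as the recipe does: restrictive
# umask so a fresh file is never group/world readable, create it if it
# does not exist, then force mode 0600 in case an old file was too open.
# Assumption: the default path is the conventional /var/account/pacct.
prepare_pacct() {
    pacct="${1:-/var/account/pacct}"
    ( umask 077 && touch "$pacct" ) || return 1
    chmod 0600 "$pacct"
}

# Audit an accounting file: return 1 if group or other have any access,
# since pacct records every command run by every user on the system.
check_pacct_perms() {
    pacct="${1:-/var/account/pacct}"
    [ -f "$pacct" ] || { echo "missing: $pacct" >&2; return 1; }
    # Octal mode such as 600, 644 or 1777 (GNU coreutils stat, assumed).
    mode=$(stat -c '%a' "$pacct") || return 1
    # Keep only the last two digits: the group and other permission bits.
    rest=${mode#"${mode%??}"}
    case "$rest" in
        00) return 0 ;;
        *)  echo "too permissive: $pacct is mode $mode" >&2; return 1 ;;
    esac
}
```

Run check_pacct_perms from a periodic job so a file recreated with a loose umask, or a stray chmod, is caught before the audit trail becomes readable to every local user.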