How to keep a detailed audit trail of what’s being done on your Linux systems
Intrusions can take place from both authorized (insiders) and unauthorized (outsiders) users. My personal experience shows that unhappy user can damage the system, especially when they have a shell access. Some users are little smart and removes history file (such as ~/.bash_history) but you can monitor all user executed commands.
It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user including CPU and memory time. With process accounting sys admin always find out which command executed at what time 
The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
- The ac command displays statistics about how long users have been logged on.
- The lastcomm command displays information about previous executed commands.
- The accton command turns process accounting on or off.
- The sa command summarizes information about previously executed commmands.
Task: Install psacct or acct package
Use up2date command if you are using RHEL ver 4.0 or less
# up2date psacct
Use yum command if you are using CentOS/Fedora Linux / RHEL 5:
# yum install psacct
Use apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct OR # apt-get install acct
Task: Start psacct/acct service
By default service is started on Ubuntu / Debian Linux by creating /var/account/pacct file. But under Red Hat /Fedora Core/Cent OS you need to start psacct service manually. Type the following two commands to create /var/account/pacct file and start services:
# chkconfig psacct on
# /etc/init.d/psacct start
If you are using Suse Linux, the name of service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start
Now let us see how to utilize these utilities to monitor user commands and time.
Task: Display statistics about users’ connect time
ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display total connect time:
$ acOutput:
total 95.08
Display totals for each day rather than just one big total at the end:
$ ac -dOutput:
Nov 1 total 8.65 Nov 2 total 5.70 Nov 3 total 13.43 Nov 4 total 6.24 Nov 5 total 10.70 Nov 6 total 6.70 Nov 7 total 10.30 ..... .. ... Nov 12 total 3.42 Nov 13 total 4.55 Today total 0.52
Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -pOutput:
vivek 87.49
root 7.63
total 95.11
Task: find out information about previously executed user commands
Use lastcomm command which print out information about previously executed commands. You can search command using usernames, tty names, or by command names itself.
Display command executed by vivek user:
$ lastcomm vivek Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd
Task: summarizes accounting information
Use sa command to print summarizes information about previously executed commands. In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used. The information can also be summarized on a per-user basis; sa will save this iinformation into a file named usracct.
# saOutput:
579 222.81re 0.16cp 7220k
Display output per-user:
# sa -u
Display the number of processes and number of CPU minutes on a per-user basis
# sa -m
Task: Find out who is eating CPU
By looking at re, k, cp/cpu (see above for output explanation) time you can find out suspicious activity or the name of user/command who is eating up all CPU. An increase in CPU/memory usage (command) is indication of problem.
Please note that above commands and packages also available on other UNIX like oses such as Sun Solaris and *BSD oses.
Courtesy: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html
0 Responses.