[plug] Monitor User Activity/Processes SOLUTION
Tim White
weirdo at tigris.org
Thu Oct 7 07:35:40 WST 2004
I found a solution in the debian package acct: no kernel changes, and it
logs all users and has filters. It tells you the following information:
command name of the process, flags (as recorded by the system accounting
routines)[1], the name of the user who ran the process, time the process
exited, as well as other misc data. See a sample[2]; it seems to only
record it when the proc ends. The log file (/var/account/pacct) is also
not in text format, so it requires a special tool to extract the data. Not
sure if this is good or bad, but I'm guessing it's to stop hackers trying
to modify the data and to stop people extracting the information straight
off the disk.
Tim
[1]
S -- command executed by super-user
F -- command executed after a fork but without a following exec
C -- command run in PDP-11 compatibility mode (VAX only)
D -- command terminated with the generation of a core file
X -- command was terminated with the signal SIGTERM
[2]
man tim stdout 0.08 secs Thu Oct 7 07:28
sh tim stdout 0.00 secs Thu Oct 7 07:28
pager tim stdout 0.01 secs Thu Oct 7 07:29
ps tim ?? 0.01 secs Thu Oct 7 07:29
date tim ?? 0.00 secs Thu Oct 7 07:29
sleep tim ?? 0.00 secs Thu Oct 7 07:28
mozilla-thunder F tim ?? 0.00 secs Thu Oct 7 07:28
nroff tim stdout 0.00 secs Thu Oct 7 07:28
groff tim stdout 0.01 secs Thu Oct 7 07:28
grotty tim stdout 0.02 secs Thu Oct 7 07:28
troff tim stdout 0.06 secs Thu Oct 7 07:28
tbl tim stdout 0.00 secs Thu Oct 7 07:28
sh F tim stdout 0.00 secs Thu Oct 7 07:28
zsoelim tim stdout 0.00 secs Thu Oct 7 07:28
nroff F tim stdout 0.00 secs Thu Oct 7 07:28
locale tim stdout 0.00 secs Thu Oct 7 07:28
sh tim stdout 0.00 secs Thu Oct 7 07:28
gzip tim stdout 0.00 secs Thu Oct 7 07:28
sh tim stdout 0.00 secs Thu Oct 7 07:28
gzip tim stdout 0.00 secs Thu Oct 7 07:28
bash F tim stdout 0.00 secs Thu Oct 7 07:28
bash F tim stdout 0.00 secs Thu Oct 7 07:28
bash F tim stdout 0.00 secs Thu Oct 7 07:28
bash F tim stdout 0.00 secs Thu Oct 7 07:28
ls tim stdout 0.00 secs Thu Oct 7 07:28
bash F tim stdout 0.00 secs Thu Oct 7 07:28
manpath tim stdout 0.00 secs Thu Oct 7 07:28
uname tim stdout 0.00 secs Thu Oct 7 07:28
ps tim ?? 0.01 secs Thu Oct 7 07:28
date tim ?? 0.00 secs Thu Oct 7 07:28
sleep tim ?? 0.00 secs Thu Oct 7 07:27
apt-cache tim stdout 0.02 secs Thu Oct 7 07:28
ps tim ?? 0.00 secs Thu Oct 7 07:27
date tim ?? 0.00 secs Thu Oct 7 07:27
sleep tim ?? 0.00 secs Thu Oct 7 07:26
man tim stdout 0.08 secs Thu Oct 7 07:27
sh tim stdout 0.00 secs Thu Oct 7 07:27
pager tim stdout 0.00 secs Thu Oct 7 07:27
nroff tim stdout 0.00 secs Thu Oct 7 07:27
groff tim stdout 0.01 secs Thu Oct 7 07:27
troff tim stdout 0.07 secs Thu Oct 7 07:27
grotty tim stdout 0.02 secs Thu Oct 7 07:27
tbl tim stdout 0.00 secs Thu Oct 7 07:27
sh F tim stdout 0.00 secs Thu Oct 7 07:27
zsoelim tim stdout 0.00 secs Thu Oct 7 07:27
nroff F tim stdout 0.00 secs Thu Oct 7 07:27
locale tim stdout 0.00 secs Thu Oct 7 07:27
sh tim stdout 0.00 secs Thu Oct 7 07:27
gzip tim stdout 0.00 secs Thu Oct 7 07:27
sh tim stdout 0.00 secs Thu Oct 7 07:27
gzip tim stdout 0.00 secs Thu Oct 7 07:27
ls tim stdout 0.00 secs Thu Oct 7 07:27
lastcomm tim stdout 0.00 secs Thu Oct 7 07:27
ls tim stdout 0.00 secs Thu Oct 7 07:27
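As an added illustration (not part of the original post or of the acct package), the following script parses `lastcomm` text output like the sample above into records and applies the audit filters a defender would actually want from process accounting: commands that ran with super-user privilege (flag S), commands that dumped core (flag D), and a per-user command count. The flags column is optional in `lastcomm` output, so fields are located relative to the literal `secs` token rather than by fixed position. The sample lines are constructed in the style of the post's output (the `su` and `vim` lines are invented to exercise the S and D flags); keep in mind the caveat from the post that a record is only written when the process exits, so a still-running process will not appear.

```python
"""Parse the text output of `lastcomm` (GNU acct) into records and apply a
few audit filters: commands that used super-user privilege (flag S),
commands that dumped core (flag D), and a per-user count.

Added example; not part of the original post. The sample lines below are
constructed in the style of lastcomm output, not a real capture."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Flag letters as documented in lastcomm(1): S, F, C, D, X.
FLAG_CHARS = frozenset("SFCDX")


@dataclass
class AcctRecord:
    command: str    # process name as recorded by the kernel
    flags: str      # subset of "SFCDX", empty string if no flags
    user: str
    tty: str        # "??" when there was no controlling terminal
    cpu_secs: float
    started: str    # remainder of the line, e.g. "Thu Oct 7 07:28"


# Constructed sample modeled on the lastcomm output quoted in the post.
# The su/vim lines are invented to exercise the S and D flags.
SAMPLE_OUTPUT = """\
man tim stdout 0.08 secs Thu Oct 7 07:28
sh F tim stdout 0.00 secs Thu Oct 7 07:28
mozilla-thunder F tim ?? 0.00 secs Thu Oct 7 07:28
su S tim pts/0 0.01 secs Thu Oct 7 07:30
vim SD alice pts/1 0.20 secs Thu Oct 7 07:31
ps tim ?? 0.01 secs Thu Oct 7 07:29
"""


def parse_line(line: str) -> Optional[AcctRecord]:
    """Parse one lastcomm line; return None for blank or malformed lines.

    The flags column may be absent, so user/tty/cpu are located by
    counting back from the literal "secs" token.
    """
    tokens = line.split()
    if len(tokens) < 6:
        return None
    try:
        secs_idx = tokens.index("secs", 1)  # skip index 0: the command name
    except ValueError:
        return None
    if secs_idx < 4:  # need command, user, tty and cpu time before "secs"
        return None
    flags = "".join(tokens[1:secs_idx - 3])  # zero or one token of flags
    if not set(flags) <= FLAG_CHARS:
        return None
    try:
        cpu = float(tokens[secs_idx - 1])
    except ValueError:
        return None
    return AcctRecord(
        command=tokens[0],
        flags=flags,
        user=tokens[secs_idx - 3],
        tty=tokens[secs_idx - 2],
        cpu_secs=cpu,
        started=" ".join(tokens[secs_idx + 1:]),
    )


def parse_lastcomm(text: str) -> List[AcctRecord]:
    """Parse a whole lastcomm dump, silently skipping unparsable lines."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def superuser_commands(records: List[AcctRecord]) -> List[AcctRecord]:
    """Commands that used super-user privilege (flag S). For an ordinary
    user this normally means a setuid program such as su ran; anything
    unexpected in this list deserves a closer look."""
    return [r for r in records if "S" in r.flags]


def core_dumps(records: List[AcctRecord]) -> List[AcctRecord]:
    """Commands that terminated with a core file (flag D)."""
    return [r for r in records if "D" in r.flags]


def commands_per_user(records: List[AcctRecord]) -> Counter:
    """How many accounted processes each user ran."""
    return Counter(r.user for r in records)


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE_OUTPUT)
    for r in superuser_commands(recs):
        print(f"super-user: {r.command} by {r.user} on {r.tty} at {r.started}")
    for r in core_dumps(recs):
        print(f"core dump: {r.command} by {r.user} at {r.started}")
    print(dict(commands_per_user(recs)))
```

To run it against a live system, replace `SAMPLE_OUTPUT` with `sys.stdin.read()` and pipe `lastcomm` into the script; because `/var/account/pacct` is binary, `lastcomm` is the only step that has to touch the accounting file itself.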