Any good way to log all commands executed by users?
Robert Watson
rwatson at FreeBSD.org
Sun Jun 4 02:23:43 PDT 2006
On Sat, 6 May 2006, Patrick Dung wrote:
> Is it possible to log all commands run by the users?
>
> I found openbsm is included in FreeBSD-current, but I can't figure out a good
> way to log commands run by users. Logging all stat/read access to files is
> not a good idea; this will generate a huge log file and slow down the
> server.
Patrick,
Sorry for the delay in responding, I was at BSDCan when you wrote that e-mail
and am only now just catching up!
The typical way to do this is to turn on process accounting, which generates
one log record per execution (only after the program executes, not before),
captures CPU usage information, how the program exited, etc. Command line
arguments are not captured. accounting_enabled="YES" and a reboot turn it on,
and acct(2) describes what it does. You can use lastcomm(1) to review the
basic accounting logs.
With audit, you can also capture similar information by setting the 'ex' audit
class flag for users, or globally. However, full support for execve() logging
is not complete yet; currently we don't audit the command line arguments.
This will follow in the near future.
Robert N M Watson
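
The review step described in the message above, as an added example that is not part of the original e-mail: a POSIX shell function that summarises lastcomm(1) output per user and lists records whose accounting flags show use of superuser privileges (S), termination by signal (X) or a core dump (D). The sample records, the user names and the function names `sample_lastcomm` and `exec_report` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). On a host with process
# accounting enabled, feed real data with:  lastcomm | exec_report

# Constructed sample in lastcomm's default layout:
#   command  flags  user  tty  cpu-time "secs"  start-time
sample_lastcomm() {
cat <<'EOF'
sshd             -S    root     __         0.031 secs Sun Jun  4 02:10
ls               -     bob      ttyp0      0.000 secs Sun Jun  4 02:11
vi               -     bob      ttyp0      0.047 secs Sun Jun  4 02:12
su               -S    bob      ttyp0      0.016 secs Sun Jun  4 02:14
a.out            -DX   alice    ttyp1      0.008 secs Sun Jun  4 02:15
make             -F    alice    ttyp1      0.000 secs Sun Jun  4 02:16
EOF
}

# Reads lastcomm records on stdin; prints one FLAGGED line per record with
# an S, X or D flag and one SUMMARY line per user.
exec_report() {
    awk '
    {
        # Anchor on the last literal "secs" field and count back from it,
        # so a command name containing spaces does not shift the columns.
        s = 0
        for (i = NF; i >= 1; i--) if ($i == "secs") { s = i; break }
        if (s < 6) next                  # not an accounting record
        user = $(s - 3); flags = $(s - 4)
        cmd = $1
        for (i = 2; i <= s - 5; i++) cmd = cmd " " $i
        total[user]++
        if (flags ~ /[SXD]/) {
            flagged[user]++
            printf "FLAGGED %s %s %s\n", user, flags, cmd
        }
    }
    END {
        for (u in total)
            printf "SUMMARY %s execs=%d flagged=%d\n", u, total[u], flagged[u] + 0
    }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_lastcomm | exec_report
```

As the message notes, accounting records carry no command line arguments, so the report can only name the program that ran.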