Recipe 9.38 Monitoring All Executed Commands
9.38.1 Problem
You want to record information about executed commands, a.k.a., process accounting.
9.38.2 Solution
Prepare to enable process accounting:
# umask 077 Be sure that the accounting data isn't publicly readable
# touch /var/account/pacct Create the log file if necessary
Enable it:
# accton /var/account/pacct
or:
# /etc/init.d/psacct start Red Hat
# /etc/init.d/acct start SuSE
or:
# service psacct start Red Hat
To disable it:
# accton Note: no filename
or:
# /etc/init.d/psacct stop Red Hat
# /etc/init.d/acct stop SuSE
or:
# service psacct stop Red Hat
To enable process accounting automatically at boot time:
# chkconfig psacct on Red Hat
# chkconfig acct on SuSE
By default, the process accounting RPM is not installed
for Red Hat 8.0 or SuSE 8.0, but both distributions include it. The
package name is psacct for Red Hat, and acct
for SuSE.
9.38.3 Discussion
Sometimes, investigating suspicious activity requires time travel: you need detailed information about what happened during some interval in the past. Process accounting can help. The Linux kernel can record a wealth of information about processes as they exit. This feature originally was designed to support charging for resources such as CPU time (hence the name "process accounting"), but today it is used mostly as an audit trail for detective work.

The accton command enables process accounting, and specifies the file used for the audit trail, conventionally /var/account/pacct. This file must already exist, so manually create an empty file first if necessary, carefully restricting access to prevent public viewing of the sensitive accounting data. If the filename is omitted, then the accton command disables process accounting.

Usually process accounting is enabled automatically at boot time. On SuSE and Red Hat 8.0 or later systems, the chkconfig command installs the necessary links to run the scripts acct and psacct (respectively) in the /etc/init.d directory. The behavior of earlier Red Hat versions is slightly different, and less flexible: the boot script /etc/init.d/rc.sysinit always enables process accounting if the psacct RPM is installed, and the accounting files are stored in /var/log instead of /var/account.

Accounting data will accumulate fairly rapidly on a busy system, so the log files must be aggressively rotated [Recipe 9.30]: the daily rotation specified by /etc/logrotate.d/psacct on Red Hat systems is typical. SuSE does not provide a logrotate script, but you can install one in /etc/logrotate.d/acct:
/var/account/pacct {
    prerotate
        /usr/sbin/accton
    endscript
    compress
    notifempty
    daily
    rotate 31
    create 0600 root root
    postrotate
        /usr/sbin/accton /var/account/pacct
    endscript
}
The prerotate and postrotate scripts use the accton command to disable accounting temporarily while the log files are being rotated. Compressed log files are retained for a month.

An alternative is to use the sa command with the -s option to truncate the current log file and write a summary of totals by command name or user ID in the files savacct and usracct, respectively (in the same directory as pacct). The logrotate method is more suitable for sleuthing, since it preserves more information.
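As an added example (not from the book), here is a small Python reader for the pacct file that accton writes. It assumes the 64-byte acct_v3 record layout that Linux 2.6 and later kernels produce (earlier kernels wrote a different layout, which this reader rejects by version number); it lists the exited commands and picks out those where a non-root real user ran with superuser privilege, a handy first filter when sleuthing.

```python
import struct

# Layout of struct acct_v3 from the Linux kernel's <linux/acct.h>: 64 bytes in
# native byte order: flag, version, tty, exitcode, uid, gid, pid, ppid,
# btime, etime (float), eight comp_t counters, 16-byte command name.
ACCT_V3 = struct.Struct("=BBHIIIIIIf8H16s")
ACCT_VERSION = 3
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10  # ac_flag bits

def comp_t_decode(value):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * (value >> 13))

def parse_pacct(data):
    """Decode every complete acct_v3 record; a truncated tail is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % ACCT_V3.size, ACCT_V3.size):
        (flag, version, _tty, exitcode, uid, gid, pid, ppid, btime, _etime,
         utime, stime, *_rest, comm) = ACCT_V3.unpack_from(data, off)
        if version != ACCT_VERSION:
            raise ValueError(f"unsupported acct version {version} at offset {off}")
        records.append({
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "btime": btime, "exitcode": exitcode,
            "cpu_ticks": comp_t_decode(utime) + comp_t_decode(stime),
            "superuser": bool(flag & ASU),          # ran with root privilege
            "killed_by_signal": bool(flag & AXSIG),
            "core_dumped": bool(flag & ACORE),
        })
    return records

def privileged_by_non_root(records):
    """Records where a non-root real uid ran with superuser privilege."""
    return [r for r in records if r["superuser"] and r["uid"] != 0]

def make_record(comm, uid, pid, ppid, btime, flag=0, utime=0):
    """Build a constructed acct_v3 record (sample data, not from a real host)."""
    return ACCT_V3.pack(flag, ACCT_VERSION, 0, 0, uid, uid, pid, ppid, btime,
                        0.0, utime, 0, 0, 0, 0, 0, 0, 0, comm.encode())

# Constructed sample log: an ordinary 'ls' by uid 1000, then a setuid 'passwd'.
SAMPLE_PACCT = (make_record("ls", 1000, 4242, 4200, 1050000000, utime=0x2005)
                + make_record("passwd", 1000, 4243, 4200, 1050000010, flag=ASU))

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)  # on a real host: open("/var/account/pacct", "rb").read()
    for r in recs:
        print(r["btime"], r["uid"], r["pid"], r["comm"], "ASU" if r["superuser"] else "")
    print("non-root commands that used root privilege:",
          [r["comm"] for r in privileged_by_non_root(recs)])
```

Run it against a rotated, decompressed pacct file as well; the format is the same, so the same reader covers the whole retained month.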
9.38.4 See Also
accton(8), sa(8).