Date: Sun, 4 Jun 2006 10:23:39 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Patrick Dung <patrick_dkt@yahoo.com.hk>
Cc: trustedbsd-audit@freebsd.org
Subject: Re: Any good way to log all commands execuated by users?
Message-ID: <20060604102038.K90662@fledge.watson.org>
In-Reply-To: <20060506183741.17216.qmail@web54306.mail.yahoo.com>
References: <20060506183741.17216.qmail@web54306.mail.yahoo.com>

On Sat, 6 May 2006, Patrick Dung wrote:

> Is it possible to log all commands run by the users?
>
> I found openbsm is included in FreeBSD-current, but I can't figure a good
> way to log commands run by users. Logging all stat/read access to files is
> not a good idea, this will generate a huge log file and slow down the
> server.

Patrick,

Sorry for the delay in responding, I was at BSDCan when you wrote that e-mail
and am only now just catching up!

The typical way to do this is to turn on process accounting, which generates
one log record per execution (only after the program executes, not before),
captures CPU usage information, how the program exited, etc. Command line
arguments are not captured. accounting_enabled="YES" and a reboot turn it on,
and acct(2) describes what it does. You can use lastcomm(1) to review the
basic accounting logs.

With audit, you can also capture similar information by setting the 'ex' audit
class flag for users, or globally. However, full support for execve() logging
is not complete yet; currently we don't audit the command line arguments. This
will follow in the near future.

Robert N M Watson