From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 4 Jun 2006 10:23:39 +0100 (BST)
To: Patrick Dung
Cc: trustedbsd-audit@freebsd.org
Subject: Re: Any good way to log all commands executed by users?
Message-ID: <20060604102038.K90662@fledge.watson.org>
In-Reply-To: <20060506183741.17216.qmail@web54306.mail.yahoo.com>

On Sat, 6 May 2006, Patrick Dung wrote:

> Is it possible to log all commands run by the users?
>
> I found OpenBSM is included in FreeBSD-current, but I can't figure out a good
> way to log commands run by users. Logging all stat/read access to files is
> not a good idea; this will generate a huge log file and slow down the
> server.

Patrick,

Sorry for the delay in responding, I was at BSDCan when you wrote that e-mail and am only now just catching up!
The typical way to do this is to turn on process accounting, which generates one log record per execution (only after the program executes, not before), captures CPU usage information, how the program exited, etc. Command line arguments are not captured. accounting_enabled="YES" and a reboot turn it on, and acct(2) describes what it does. You can use lastcomm(1) to review the basic accounting logs.

With audit, you can also capture similar information by setting the 'ex' audit class flag for users, or globally. However, full support for execve() logging is not complete yet; currently we don't audit the command line arguments. This will follow in the near future.

Robert N M Watson
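The two approaches Robert describes, staged as files in a scratch directory so they can be reviewed before being copied into /etc on a FreeBSD host; this is an added example, not part of the original mail. It assumes the current rc.conf(5) knob name accounting_enable, the audit_control(5)/audit_user(5) formats, a scratch directory under /tmp, and a user named "patrick".

```sh
#!/bin/sh
# Added example: stage process-accounting and OpenBSM audit configuration.
# Real destinations on FreeBSD: /etc/rc.conf, /etc/security/audit_control,
# /etc/security/audit_user. STAGE dir and user name are assumptions.
set -eu

# Approach 1: BSD process accounting (acct(2)). One record per completed
# exec, no argv. Review with lastcomm(1). Enable with a reboot or
# "service accounting onestart". The rc.conf knob is accounting_enable.
stage_accounting() {
    stage="$1"
    mkdir -p "$stage"
    # fragment to merge into /etc/rc.conf
    printf 'accounting_enable="YES"\n' > "$stage/rc.conf"
}

# Approach 2: OpenBSM audit with the 'ex' (exec) class, either globally via
# the audit_control flags line or per user via audit_user.
stage_audit() {
    stage="$1"; user="$2"
    mkdir -p "$stage"
    # policy 'argv' asks later OpenBSM versions to record execve arguments;
    # as the mail notes, that was not yet implemented when it was written.
    cat > "$stage/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo
policy:cnt,argv
filesz:2M
EOF
    # audit_user format: username:alwaysaudit:neveraudit
    printf '%s:ex:no\n' "$user" > "$stage/audit_user"
}

# Check helper: does file $1 contain exactly the line $2?
has_line() { grep -qx -- "$2" "$1"; }

# Review later with: auditreduce -c ex /var/audit/current | praudit
stage_accounting /tmp/acct-stage
stage_audit /tmp/acct-stage patrick
```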