Some sketchy notes on the various ways one can keep track of exactly what’s going on with a Linux system.

Process accounting is the ability to very thoroughly record who does what on a system. This is very handy to track down problem users or intruders.

Install And Setup

For Red Hat type systems do something like this:

sudo yum install psacct

(Though I’m finding it already installed.)

On Red Hat type systems, check if it’s activated with:

sudo /etc/init.d/psacct status

And if it’s not, replace status with start.

For Debian type systems do something like this:

sudo apt-get install acct

Apparently to use this on Debian style distros, you need to create a file called /var/account/pacct. I have no further details right now and it should be investigated if needed.

Last Commands

Of course you’ll want to start with the "last" commands.

lastlog

Looks through the weird binary file /var/log/lastlog and prints a report of when each user last logged in.

last

Looks through /var/log/wtmp and makes a list of all users who have logged in since the file was created.

Checking For Idle Users

Another command to keep in mind is the w command which, according to the man page, "shows who is logged in and what they’re doing". It has a column labeled "IDLE" which seems interesting, but the exact technical details of what it’s measuring are unclear to me.

Another approach for idle checking is to look at the time stamps of /dev/pts/*. I’m not 100% sure what exactly they mean but it seems an interesting place to look.
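As an added example (not part of the original notes), the following script turns the /dev/pts idea into something you can run: it reads the access time of each pseudo-terminal device node, which is the field w's IDLE column is derived from, and lists the ttys that have been idle longer than a threshold. The function names, the default 15 minute threshold and the use of GNU stat -c (as shipped on Red Hat and Debian systems) are my own choices, not the notes'.

```shell
#!/bin/sh
# Added example: report how long each pseudo-terminal has been idle by
# looking at the access time of its device node under /dev/pts.
# Assumes GNU coreutils (stat -c, date +%s).

# idle_seconds PATH -> prints the number of seconds since PATH was last
# accessed (for a tty: since the user last typed or read anything on it).
idle_seconds() {
    atime=$(stat -c %X "$1") || return 1
    now=$(date +%s)
    echo $(( now - atime ))
}

# list_idle_ttys [THRESHOLD_SECONDS] -> prints "<tty> <idle-seconds>" for
# every /dev/pts entry whose idle time meets or exceeds the threshold.
# Default threshold: 900 seconds (15 minutes), an assumed value.
list_idle_ttys() {
    threshold=${1:-900}
    for tty in /dev/pts/[0-9]*; do
        [ -e "$tty" ] || continue            # no ptys open at all
        idle=$(idle_seconds "$tty") || continue
        if [ "$idle" -ge "$threshold" ]; then
            echo "$tty $idle"
        fi
    done
}

# Usage: list_idle_ttys 1800   # ttys idle for half an hour or more
```

Run it as root if you want every tty included: unprivileged users cannot stat other users' pty nodes on every system. Compare its output with w to see that the two agree within a second or so.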

About Connections - ac

Uses /var/log/wtmp to generate reports about connect times. The command may be an acronym for "about connect".

  • ac

  • ac -pd

Last Command History - lastcomm

Reports on previously executed commands.

lastcomm

Arguments for this are pretty flexible. You can specify a user (xed) or a command (awk) or a terminal (tty0).

lastcomm hans yum
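The notes stop at invoking lastcomm; what you usually want next is to pull something out of its output. The following is an added example of mine, not from the notes, that parses lastcomm's text format (command, optional flag letters, user, tty, CPU seconds, timestamp) and answers two questions a reviewer of an incident asks first: how many commands did each user run, and which commands ran with superuser privileges (lastcomm's S flag) from a non-root account, i.e. the trail left by sudo and su. The sample lines in lastcomm_sample are constructed by me to look like real output; the function names are mine.

```shell
#!/bin/sh
# Added example: summarise lastcomm output. Feed it real data with
#   lastcomm | commands_per_user
# or use the constructed sample below.

# Constructed sample of lastcomm output (not a real capture). The flag
# column may be empty; letters mean S = ran as superuser, F = forked but
# did not exec, D = dumped core, X = killed by a signal.
lastcomm_sample() {
    cat <<'EOF'
bash                    hans     pts/1      0.02 secs Mon Mar  4 12:00
sudo             S      hans     pts/1      0.00 secs Mon Mar  4 12:01
yum              S      hans     pts/1      3.41 secs Mon Mar  4 12:01
awk                     hans     pts/1      0.01 secs Mon Mar  4 12:02
cron             SF     root     __         0.00 secs Mon Mar  4 12:05
sa                      root     pts/0      0.00 secs Mon Mar  4 12:06
EOF
}

# lastcomm_parse -> normalises each line to "cmd flags user tty secs".
# Because the flag column is optional, fields are counted from the right:
# the last 4 fields are the date, then "secs", the CPU seconds, tty, user.
lastcomm_parse() {
    awk '{
        cmd = $1; user = $(NF-7); tty = $(NF-6); secs = $(NF-5)
        flags = ""
        for (i = 2; i <= NF-8; i++) flags = flags $i
        print cmd, (flags == "" ? "-" : flags), user, tty, secs
    }'
}

# commands_per_user -> "user count", busiest user first.
commands_per_user() {
    lastcomm_parse | awk '{ c[$3]++ } END { for (u in c) print u, c[u] }' \
        | sort -k2,2nr
}

# superuser_by_nonroot -> "cmd user tty" for every command that carried
# the S flag but was not started by root: privilege use worth reviewing.
superuser_by_nonroot() {
    lastcomm_parse | awk '$2 ~ /S/ && $3 != "root" { print $1, $3, $4 }'
}

# Usage with the constructed sample:
#   lastcomm_sample | superuser_by_nonroot
```

Pipe the real command in front of these functions (lastcomm hans | superuser_by_nonroot) once accounting has been collecting for a while. Because the fields are counted from the right, the parser does not care whether the flag column is present, which is the usual trap when people try to cut lastcomm output by position.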

Accounting On/Off - accton

This command turns on process accounting. I think the right way to start it is:

accton /var/account/pacct

This might be wrong. Using accton with no argument, in theory, turns it off. I haven’t tested this thoroughly.
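Both the Debian note above (the accounting file has to exist before anything is written to it) and the accton invocation here are easy to get slightly wrong, so this added example of mine, not the notes' own procedure, wraps them in a few checked steps: create /var/account/pacct if it is missing with permissions that keep the record private, switch accounting on with accton, and then confirm that the kernel is really appending records by checking whether the file grows after a process exits. The function names and the idea of parameterising the path are my own; /var/account/pacct is the path the notes use.

```shell
#!/bin/sh
# Added example: create the accounting file safely, turn accounting on,
# and verify that records are actually being written. Turning accounting
# on or off requires root. Assumes GNU coreutils (stat -c).

# ensure_pacct_file PATH -> creates PATH (and its directory) if missing,
# makes it readable and writable by the owner only, and prints the path.
# Accounting records reveal who ran what, so keep the file private.
ensure_pacct_file() {
    f=$1
    d=$(dirname "$f")
    [ -d "$d" ] || mkdir -p "$d"
    [ -e "$f" ] || : > "$f"
    chmod 600 "$f"
    echo "$f"
}

# pacct_mode PATH -> the file's octal permission bits, for verification.
pacct_mode() {
    stat -c %a "$1"
}

# accounting_active PATH -> succeeds only if running a command makes PATH
# grow, i.e. the kernel is really appending accounting records to it.
# (A record is written when a process exits, so /bin/true is enough.)
accounting_active() {
    before=$(stat -c %s "$1")
    /bin/true
    after=$(stat -c %s "$1")
    [ "$after" -gt "$before" ]
}

# enable_accounting [PATH] -> sets up the file, starts accounting and
# reports whether it took effect. "accton off" turns it off again.
enable_accounting() {
    f=$(ensure_pacct_file "${1:-/var/account/pacct}") || return 1
    accton "$f" || return 1
    if accounting_active "$f"; then
        echo "accounting active: $f"
    else
        echo "accton ran but $f is not growing" >&2
        return 1
    fi
}

# Usage (as root): enable_accounting
```

The growth check is the part worth keeping: on a system where the accounting file was deleted or rotated out from under accton, the command still succeeds but nothing is recorded, and lastcomm silently shows an empty history.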

Summarize Accounting - sa

This command helps report on values collected by the process accounting features into the default acct file (wherever that is). It seems to focus on the CPU usage of various processes.

Audit Search - ausearch

This is a tool to query audit daemon logs. See man auditd for what an audit daemon is. There is also a tool called aureport that is similar. Audit functions are configured in /etc/audit/.

Really Paranoid/Curious

To see exactly what was typed during a session, check out pam_tty_audit. This can log pretty much every action a user does during a login session. Probably best not to use this carelessly. Seems ideal for a honeypot.