Some sketchy notes on the various ways one can keep track of exactly what’s going on with a Linux system.
Process accounting is the ability to very thoroughly record who does what on a system. This is very handy to track down problem users or intruders.
Install And Setup
For Red Hat type systems do something like this:
sudo yum install psacct
(Though I’m finding it already installed.)
On Red Hat type systems, check if it’s activated with:
sudo /etc/init.d/psacct status
And if it’s not, replace
For Debian type systems do something like this:
sudo apt-get install acct
Apparently, to use this on Debian style distros, you need to create /var/account/pacct. I have no further details right now; it should be investigated if needed.
Of course you’ll want to start with the "last" commands. One looks through the weird binary file /var/log/lastlog and prints a report of when each user last logged in. The other reads /var/log/wtmp and makes a list of all users who have logged in since the file was created.
Checking For Idle Users
Another command to keep in mind is the w command which, according to the man page, "shows who is logged in and what they’re doing". It has an interesting column labeled "IDLE", but the exact technical details of what it’s measuring are unclear to me.
Another approach for idle checking is to look at the time stamps of /dev/pts/*. I’m not 100% sure what exactly they mean but it seems an interesting place to look.
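The IDLE column of w (procps) is derived from the last access time of the user’s terminal device, which is why the /dev/pts/* time stamps are worth a look: a pseudo-terminal’s atime is bumped each time the shell reads a keystroke from it. The script below is an added example, not part of the original notes, that does the same computation directly against the device files so the number is reproducible by hand. It assumes GNU stat and date; the directory argument exists only so the functions can be pointed at a scratch directory instead of /dev/pts.

```shell
#!/bin/sh
# pts_idle DIR: for every entry in DIR (normally /dev/pts) print
# "<name> <idle-seconds>", where idle = now - last access time of the
# device. This mirrors how w computes its IDLE column (assumption stated
# in the lead-in; verify against your procps source if it matters).
pts_idle() {
  dir="${1:-/dev/pts}"
  now=$(date +%s)
  for t in "$dir"/*; do
    [ -e "$t" ] || continue
    # /dev/pts/ptmx is the multiplexer, not a user terminal
    case "$(basename "$t")" in ptmx) continue ;; esac
    atime=$(stat -c %X "$t" 2>/dev/null) || continue
    printf '%s %d\n' "$(basename "$t")" $((now - atime))
  done
}

# idle_over DIR SECONDS: names of terminals idle longer than SECONDS,
# e.g. candidates for a forgotten root shell or an abandoned session.
idle_over() {
  pts_idle "$1" | awk -v lim="$2" '$2 > lim { print $1 }'
}

# Usage against the live system (uncomment to run as a script):
# pts_idle /dev/pts
# idle_over /dev/pts 3600
```

Run pts_idle with no argument on a live box and compare its second column with the IDLE column of w for the same pts number; they should agree to within a second or two.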
About Connections - Reads /var/log/wtmp to generate reports about connect times. The command may be an acronym for "about connect".
Last Command History - Reports on previously executed commands. Arguments for this are pretty flexible. You can specify a user, a command (awk) or a terminal. For example:
lastcomm hans yum
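Raw lastcomm output gets long quickly, so it helps to have a couple of filters ready for the questions you actually ask during an investigation. The functions below are an added example, not part of the original notes; they read lastcomm’s output from stdin and rely on its record layout (command, optional flags column, user, tty, CPU time, date), where the flags are S for a command run by the super-user, F for a process that forked but never exec’d, D for a core dump and X for death by signal. The accounting lines in SAMPLE_LASTCOMM are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of lastcomm output (not real accounting data).
# Record layout: command [flags] user tty cpu "secs" day month date time.
# With default awk field splitting a record has 10 fields when the flags
# column is present and 9 when it is blank.
SAMPLE_LASTCOMM='ls                     hans     pts/0      0.00 secs Tue Jun  4 10:02
sudo             S     hans     pts/0      0.01 secs Tue Jun  4 10:03
yum              S     root     pts/0      2.15 secs Tue Jun  4 10:03
bash             F     hans     pts/1      0.00 secs Tue Jun  4 10:05
nc               SX    hans     pts/1      0.00 secs Tue Jun  4 10:07
cat                    root     pts/2      0.00 secs Tue Jun  4 10:08'

# superuser_cmds: print "user command" for every record that carries the
# S flag but was accounted to a user other than root, i.e. commands that
# ran with root privilege via sudo/su/setuid. Useful for spotting
# privilege use that the user's own shell history would not show.
superuser_cmds() {
  awk 'NF == 10 && index($2, "S") > 0 && $3 != "root" { print $3, $1 }'
}

# cmd_counts: number of accounting records per user, flags ignored.
# A sudden spike for one account is a cheap first signal worth explaining.
cmd_counts() {
  awk '{ u = (NF == 10) ? $3 : $2; c[u]++ } END { for (u in c) print u, c[u] }' | sort
}

# Usage on a live system (process accounting must already be on):
#   lastcomm | superuser_cmds
#   lastcomm | cmd_counts
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_LASTCOMM" | superuser_cmds
```

Note that lastcomm truncates command names to the accounting record’s fixed width and records the basename only, so a renamed binary shows up under whatever name it was invoked as; treat these filters as triage, not proof.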
Accounting On/Off -
This command turns on process accounting. I think the right way to start it is:
This might be wrong. Using accton with no argument, in theory, turns it off. I haven’t tested this thoroughly.
Summarize Accounting -
This command helps report on values collected by the process accounting features into the default acct file (wherever that is). It seems to focus on the cpu usage of various processes.
Audit Search -
This is a tool to query audit daemon logs. See man auditd for what an audit daemon is. There is also a tool called aureport that is similar. Audit functions are configured in
To see exactly what was typed during a session, check out pam_tty_audit. This can log pretty much every action a user does during a log in session. Probably best not to use this carelessly. Seems ideal for a honeypot.