
Re: PAM: paranoiac logging module exists ?



Claude,

As far as I understand PAM (which is not very far), it is not possible
for PAM to do this.   PAM is only consulted during the log-in process,
and once this is finished, then PAM is no longer used.

I guess it would be possible to hack your preferred shell to
call some sort of PAM logging routine to record this information,
but as far as I know, there is no such logging routine.

So, it seems just as easy (or just as hard) to hack the bash/tcsh/*sh
source code to make it syslog() the information you want, though
it is going to generate a lot of data...

Before you do that, I suggest that you take a look at Process Accounting.
With process accounting, you can do a lot, but not all of what you want.

Process accounting records the time, date, username, tty, command
and amount of CPU time used by each process which has run on the system.

NB: It does not record all of the command line arguments, only the name
of the command.  This name does not include the full path either.
e.g. "less", not /usr/bin/less.

Also, it does not record the success or failure of the command.
It does however record if the process terminated with a coredump,
or if it was terminated by being killed with a SIGTERM signal.


If you use RedHat, then install the "psacct" package.

Note that it is not installed by default, and after you install it,
it is not run by default either.  To run it, I added the following
lines to my /etc/rc.d/rc.local file:

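# Start process accounting only if accton is installed and the log file exists
if [ -x /sbin/accton ] && [ -f /var/log/pacct ]
then
	echo "Starting process accounting..."
	# Call the same binary that was just tested, rather than relying on PATH
	/sbin/accton /var/log/pacct
fi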

To view the information, use the  "lastcomm" command.  Lastcomm accepts
various command line arguments so you can ask for only process
information on a certain tty, or a certain user, or ....

The  accton  command can also be used to turn process accounting
off, so you can disable it when you want to.  There is also
a command to summarise the accounting info.
It seems like it's fairly straightforward to write a logrotate script
to restart the accounting and summarise it.  That's on my TO-DO list.

cheers,
/\ndy
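
The message above notes that process accounting records whether a process ended with a core dump or was killed by a signal. The following is an added example, not part of the original message, that filters lastcomm-style output for those two cases using the D and X flag letters documented for GNU lastcomm. The function names and the sample records are constructed for illustration, and command names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report processes that lastcomm flags as core-dumped (D)
# or killed by a signal (X). Intended use on a real system:
#     lastcomm | abnormal_exits

# Constructed sample records in the layout printed by lastcomm:
# command, optional flag letters, user, tty, CPU time, "secs", start date.
sample_lastcomm() {
cat <<'EOF'
less                   andy     ttyp1      0.01 secs Wed Mar  3 10:15
a.out               D  andy     ttyp1      0.02 secs Wed Mar  3 10:16
sleep                X andy     ttyp2      0.00 secs Wed Mar  3 10:17
su               S     root     ttyp1      0.00 secs Wed Mar  3 10:18
find             S   X root     __         1.50 secs Wed Mar  3 10:19
EOF
}

abnormal_exits() {
    awk '
    {
        # The flags column is blank for ordinary processes, so the field
        # count varies. Locate the "secs" token and count back from it.
        s = 0
        for (i = 4; i <= NF; i++) if ($i == "secs") { s = i; break }
        if (s < 5) next                       # not an accounting record
        user = $(s - 3); tty = $(s - 2)
        # Everything between the command and the user is flag letters,
        # possibly split by spaces because each flag has a fixed column.
        flags = ""
        for (j = 2; j <= s - 4; j++) flags = flags $j
        if (flags !~ /[DX]/) next
        why = ""
        if (flags ~ /D/) why = "coredump"
        if (flags ~ /X/) why = (why == "" ? "" : why ",") "killed"
        when = ""
        for (i = s + 1; i <= NF; i++) when = when (when == "" ? "" : " ") $i
        printf "%s user=%s tty=%s cmd=%s (%s)\n", why, user, tty, $1, when
    }'
}

# Demonstration on the constructed sample
sample_lastcomm | abnormal_exits
```
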


