On Wed, 16 Jul 2008, Richard Marzan wrote:
Is there a tool or a way of keeping track of which commands user's are executing on a system? I understand that history files can be wiped out and they don't really contain the time at which a command and it's arguments were run so I refrain from relying on it.
On traditional UNIX systems, system accounting logs (usually called acct) can be read via the lastcomm command. Im guessing that the sys-process/acct ebuild will give you those commands.
NOTE: You will also need kernel support for process/login accounting - look for "process accounting" in your kernel config and make sure it is switched on. (Natrually, you will need to rebuild your kernel / modules if it isn't switched on and reboot to activate it).
UPDATE: I just checked one of my kernels and the config option is called "BSD-style process accouting" - it lives in General Setup when configuring a kernel.
-- A -- gentoo-user@lists.gentoo.org mailing list
