Secure OS Software for Linux
Showing results for 
Search instead for 
Did you mean: 

psacct process accounting misses some commands

Mark McDonald_2
Trusted Contributor

psacct process accounting misses some commands


I need to enable some sort of process accounting to track what users are doing.

I am testing psacct, but it does not seem to log all commands.

for example, I just ran:
"echo hacker:x:66:666: etc" >> /etc/passwd

there is no sign of the echo command in lastcomm.

where would I expect this sort of command to show up?

Also there are some application shell scripts that also need ot be recorded. can I get these to be reported via lastcomm?

Honored Contributor

Re: psacct process accounting misses some commands

The bash shell has several internal commands, "echo" is one of them. The shell can execute internal commands without starting a new process, so the process accounting system never sees them.

To track what happens inside the shell, you will need auditing at the system call and/or filesystem level. With such an audit subsystem properly configured, you would see an audit log message which would contain information like "at