
I've been thinking of enabling process accounting on a production server as a proactive security measure to monitor what's being run on the system.

Looking at the initial documentation it appears that enabling process accounting on a busy system might result in a significant amount of disk space being used to log and store the system process information.

Does anyone know the best recommendations for enabling process monitoring? Also, any considerations on the setup, especially since this is a production server?

Ideally, I'd just want to log any shell commands, including PHP exec(), system(), passthru(), etc.

-Tony


1 Answer


You might want to try Linux Audit, or psacct/acct. I haven't used either of these systems, so I can't say much about their efficacy.

If all you want to do is make your user's .bash_history persistent, give this howto a look.

If you are concerned about disk space issues, you might want to consider a central log server. You can also tweak the logrotate settings to accommodate the pace of the logs.

As for my considerations on setting up process monitoring on your production server... unless you have done this before and know exactly what you're doing, I'd recommend thoroughly testing this on a development or staging machine first. A production server is not the place to be trying new things, at least in my opinion.

  • I'm going to try the psacct/acct route since it appears that they are part of the GNU process accounting utility set. – Alpha01 May 13 '11 at 02:13
  • It looks like the psacct/acct (sa) utilities only log the program that was run and not the actual command with arguments. Ideally I wanted to find a userland application and not something that hooks directly into the kernel like Linux Audit, grsecurity :-( – Alpha01 May 20 '11 at 18:49
  • It's a bit of a hack, but maybe try making your user's .bash_history persistent and immutable. – May 20 '11 at 21:25
  • I thought of that, however I have a couple of Apache instances running with different users and the user's shell has been set to /sbin/nologin. If I go this route, I won't be able to log any shell commands (run via PHP) for those users. – Alpha01 May 23 '11 at 19:22
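The answer points at Linux Audit and the comments note that psacct only records the program name, not its arguments. An execve audit rule does capture the full argv, and the following added example (not code from the thread or from the audit project) shows how to rebuild command lines from the resulting EXECVE records, including auditd's hex encoding of arguments that contain spaces and its chunking of long arguments. The audit rule, the sample log lines and uid 48 as the web server user are assumptions.

```python
"""Rebuild full command lines from Linux Audit EXECVE records (added example,
not code from the thread). Assumes auditd runs an execve rule such as
  -a always,exit -F arch=b64 -S execve -k exec_log
and parses lines in /var/log/audit/audit.log format. Samples are constructed."""
import re
import shlex
from collections import defaultdict

# Constructed records: PHP exec() runs `sh -c "ls -la /tmp"` as uid 48 (assumed
# web server user), which then execs ls. auditd hex-encodes an argv entry that
# contains a space (a2 of event 456); auid=4294967295 means no login session.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1305000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 comm="sh" exe="/bin/dash" key="exec_log"
type=EXECVE msg=audit(1305000000.123:456): argc=3 a0="sh" a1="-c" a2=6C73202D6C61202F746D70
type=CWD msg=audit(1305000000.123:456): cwd="/var/www/html"
type=SYSCALL msg=audit(1305000000.456:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=4294967295 uid=48 gid=48 euid=48 comm="ls" exe="/bin/ls" key="exec_log"
type=EXECVE msg=audit(1305000000.456:457): argc=3 a0="ls" a1="-la" a2="/tmp"
"""
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S+)')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")  # a0, a1 ... or chunked a2[0], a2[1]
NUM_FIELDS = {"uid", "auid", "pid", "ppid"}     # plain decimal, never hex-encoded
TEXT_FIELDS = {"comm", "exe", "cwd", "key"}    # quoted, or hex if they hold spaces

def decode_text(raw):
    """Quoted values are literal; an unquoted value is auditd's hex encoding."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # e.g. key=(null)

def reconstruct_commands(audit_text):
    """Group records by audit event id; return one dict per execve, oldest first."""
    events = defaultdict(lambda: {"argv_parts": defaultdict(dict)})
    for line in audit_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events[(float(m.group(1)), int(m.group(2)))]
        for key, raw in FIELD_RE.findall(line):
            arg = ARG_RE.match(key)
            if arg:  # argv entry; long entries arrive as a<n>[<chunk>] pieces
                ev["argv_parts"][int(arg.group(1))][int(arg.group(2) or 0)] = decode_text(raw)
            elif key in NUM_FIELDS:
                ev[key] = int(raw)
            elif key in TEXT_FIELDS:
                ev[key] = decode_text(raw)
    result = []
    for (ts, serial), ev in sorted(events.items()):
        parts = ev.pop("argv_parts")
        argv = ["".join(c for _, c in sorted(parts[i].items())) for i in sorted(parts)]
        result.append({"time": ts, "serial": serial, "argv": argv, "cmdline": shlex.join(argv), **ev})
    return result
```

Filtering the returned events on `uid` and `cwd` is enough to isolate what the web server's PHP processes spawned, which is the case the question asks about.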