LinuxQuestions.org

Forum: Linux - Security
Thread: https://www.linuxquestions.org/questions/linux-security-4/process-logging-without-using-process-accounting-728288/

mikepeters76 05-25-2009 01:58 AM

process logging without using process accounting
 
I would like to log when a process starts and when it finishes whenever a user starts the process. What ways can this be done? I would prefer not to have to install process accounting for linux.

Thanks Mike

saavik 05-25-2009 09:08 AM

maybe some sort of

Quote:

ps -faxu | grep XXX | echo "?????"

unSpawn 05-25-2009 10:18 AM

Quote:

Originally Posted by mikepeters76 (Post 3551735)
I would like to log when a process starts and when it finishes whenever a user starts the process.

Why (accounting, suspicion, auditing)?
What kind of user (no shell, unprivileged, wheel group, privileged)?
What kind of process (service, daemon, cronjob, at, userland one-off, background process)?


Quote:

Originally Posted by mikepeters76 (Post 3551735)
I would prefer not to have to install process accounting for linux.

Any reason why not?

mikepeters76 05-26-2009 07:29 AM

Saavik thanks but I want the tracking to be constant while I am not logged in. I just want to look at the logs when I log in in the morning.

unSpawn:
Quote:

Why (accounting, suspicion, auditing)?
Accounting, I want to know how long particular users use an app, for example gimp. How often it is started and how long the application is running.
Quote:

What kind of user (no shell, unprivileged, wheel group, privileged)?
I have root, but I want the logging to be with no shell.
Quote:

What kind of process (service, daemon, cronjob, at, userland one-off, background process)?
Like I said it is a userland one-off like gimp.

unSpawn 05-27-2009 03:44 AM

You didn't respond to me asking why you would prefer not to have psacct installed. Other methods would be either relatively slow or inaccurate (shell or d|inotify-based), provide excessive logging (rootsh or equivalent) or otherwise disproportional (syscall logging basically). IMHO for this task it is the ideal tool.

mikepeters76 05-27-2009 11:37 PM

two words: "change control". Accounting is not installed, I would like some sort of indication in the interim while the change control goes through - which will at least take 2 weeks. I will get it installed.

I don't mind slow, I was thinking nohup or some sort of syslogd equivalent. Is that what you mean with shell and syscall? I don't seem to have d|inotify installed either???

chrism01 05-28-2009 12:11 AM

One quick 'n dirty method (if you don't have access to the src code) is to rename the actual app to myapp, then put a short shell script called app in its place
Code:

#!/bin/sh
# wrapper installed under the app's original name; the real binary was renamed to myapp
start=`date`
echo "APP app started $start" >> /var/app.log
/path/to/myapp "$@"    # pass the user's arguments through to the real binary
stop=`date`
echo "APP app stopped $stop" >> /var/app.log

remember to

chmod +x app # the shell script
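A fuller version of the same wrapper idea, added here as an example and not chrism01's script: it passes the user's arguments and exit status through, records who ran the app and for how long, and includes a summary function for the "how often and how long" question. The paths /usr/bin/gimp.real and /var/log/app-usage.log are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own script): a wrapper installed under the
# app's original name after the real binary is renamed, e.g. /usr/bin/gimp ->
# /usr/bin/gimp.real (both paths are assumptions). Do not enable set -e here:
# the "stopped" line must be written even when the app exits non-zero.

# log_run APP LOGFILE REAL_CMD [ARGS...]
# Writes a "started" and a "stopped" line, records the calling user, the
# wrapper PID, the command line, exit status and wall-clock duration, and
# returns the app's exit status so the caller sees it unchanged.
log_run() {
    app=$1; logfile=$2; shift 2
    user=$(id -un)
    start_epoch=$(date +%s)
    printf '%s %s started user=%s pid=%s cmd=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$app" "$user" $$ "$*" >> "$logfile"
    "$@"
    rc=$?
    end_epoch=$(date +%s)
    printf '%s %s stopped user=%s pid=%s rc=%s duration=%ss\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$app" "$user" $$ "$rc" \
        "$((end_epoch - start_epoch))" >> "$logfile"
    return "$rc"
}

# usage_summary LOGFILE APP
# Answers the accounting question from the log: prints
# "<completed runs> <total seconds>" computed from the stopped lines
# (fields: date time app stopped user= pid= rc= duration=Ns).
usage_summary() {
    awk -v app="$2" '
        $3 == app && $4 == "stopped" {
            n++
            d = $8; sub(/^duration=/, "", d); sub(/s$/, "", d)
            total += d
        }
        END { printf "%d %d\n", n, total }' "$1"
}

# Installed as /usr/bin/gimp, the wrapper body is a single line:
#   log_run gimp /var/log/app-usage.log /usr/bin/gimp.real "$@"
```

The log file must be writable by every user who runs the app, and the renamed binary stays directly runnable, so this only covers users who go through the wrapper.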

syg00 05-28-2009 02:22 AM

Presumes your users aren't smart enough to directly call the real exec. And there aren't too many scripts you need to write.
A systemtap probe would work, but if you can't get accounting past the change control pixies, a debug kernel would be no chance.

chrism01 05-28-2009 11:11 PM

Like I said, quick 'n dirty. Also, because you rename the actual app, the users won't know what it's now called unless they have a good reason to 'check' and discover the 'app' is now a shell script, especially as I said to call it the exact same name, sans .sh extension.

