LinuxQuestions.org
Old 05-25-2009, 01:58 AM   #1
mikepeters76
process logging without using process accounting


I would like to log when a process starts and when it finishes whenever a user starts the process. What ways can this be done? I would prefer not to have to install process accounting for linux.

Thanks Mike
 
Old 05-25-2009, 09:08 AM   #2
saavik
maybe some sort of

Quote:
ps -faxu | grep XXX | echo "?????"
 
Old 05-25-2009, 10:18 AM   #3
unSpawn
Quote:
Originally Posted by mikepeters76
I would like to log when a process starts and when it finishes whenever a user starts the process.
Why (accounting, suspicion, auditing)?
What kind of user (no shell, unprivileged, wheel group, privileged)?
What kind of process (service, daemon, cronjob, at, userland one-off, background process)?


Quote:
Originally Posted by mikepeters76
I would prefer not to have to install process accounting for linux.
Any reason why not?
 
Old 05-26-2009, 07:29 AM   #4
mikepeters76
Original Poster
Saavik thanks but I want the tracking to be constant while I am not logged in. I just want to look at the logs when I log in in the morning.

unSpawn:
Quote:
Why (accounting, suspicion, auditing)?
Accounting, I want to know how long particular users use an app, for example gimp. How often it is started and how long the application is running.
Quote:
What kind of user (no shell, unprivileged, wheel group, privileged)?
I have root, but I want the logging to be with no shell.
Quote:
What kind of process (service, daemon, cronjob, at, userland one-off, background process)?
Like I said it is a userland one-off like gimp.
 
Old 05-27-2009, 03:44 AM   #5
unSpawn
You didn't respond to me asking why you would prefer not to have psacct installed. Other methods would be either relatively slow or inaccurate (shell or d|inotify-based), provide excessive logging (rootsh or equivalent) or otherwise disproportional (syscall logging basically). IMHO for this task it is the ideal tool.
 
Old 05-27-2009, 11:37 PM   #6
mikepeters76
Original Poster
Two words: "change control". Accounting is not installed, I would like some sort of indication in the interim while the change control goes through - which will at least take 2 weeks. I will get it installed.

I don't mind slow, I was thinking nohup or some sort of syslogd equivalent. Is that what you mean with shell and syscall? I don't seem to have d|inotify installed either???
 
Old 05-28-2009, 12:11 AM   #7
chrism01
One quick 'n dirty method (if you don't have access to the src code) is to rename the actual app to myapp, then put a short shell script called app in its place
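Code:
#!/bin/sh
# Wrapper installed as "app"; the real binary has been renamed to "myapp"
start=`date`
echo "APP app started $start" >> /var/app.log
/path/to/myapp "$@"    # run the real program, passing the user's arguments through
stop=`date`
echo "APP app stopped $stop" >> /var/app.log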
remember to

chmod +x app # the shell script
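
The wrapper idea above, carried further as an added example (not code from any poster in this thread): each run writes a start and a stop record tagged with the invoking user, and a second function totals runs and seconds per user for the morning review. The function names `run_logged`, `summarise` and `demo`, the `APP_LOG` variable and the record layout are assumptions; the log path is the one from the post.

```shell
#!/bin/sh
# Added example. Record layout and names are assumptions, not from the thread.
LOG="${APP_LOG:-/var/app.log}"

# run_logged NAME REAL_BINARY [ARGS...]
# Appends one START and one STOP record per run; pid is the wrapper's PID.
run_logged() {
    name=$1; real=$2; shift 2
    user=$(id -un)
    t0=$(date +%s)
    echo "$t0 START $name user=$user pid=$$" >> "$LOG"
    rc=0
    "$real" "$@" || rc=$?          # keep the real program's exit status
    t1=$(date +%s)
    echo "$t1 STOP $name user=$user pid=$$ rc=$rc secs=$((t1 - t0))" >> "$LOG"
    return $rc
}

# summarise LOGFILE
# Prints "user app runs total_seconds" for every user/app pair with a STOP record.
summarise() {
    awk '$2 == "STOP" {
             split($4, u, "="); split($7, s, "=")
             key = u[2] " " $3
             runs[key]++; secs[key] += s[2]
         }
         END { for (k in runs) print k, runs[k], secs[k] }' "$1" | sort
}

# demo: constructed sample records (not real data) run through summarise
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
1000 START gimp user=alice pid=11
1600 STOP gimp user=alice pid=11 rc=0 secs=600
2000 START gimp user=bob pid=12
2030 STOP gimp user=bob pid=12 rc=0 secs=30
3000 START gimp user=alice pid=13
3100 STOP gimp user=alice pid=13 rc=1 secs=100
EOF
    summarise "$tmp"
    rm -f "$tmp"
}

# In the wrapper script that replaces the app, the last line would be:
#   run_logged gimp /path/to/mygimp "$@"
```

The log has to be writable by every user who runs the wrapper, so the records can be edited by the same users they describe. A START record with no matching STOP means the wrapper was killed before the program returned.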
 
Old 05-28-2009, 02:22 AM   #8
syg00
Presumes your users aren't smart enough to directly call the real exec. And there aren't too many scripts you need to write.
A systemtap probe would work, but if you can't get accounting past the change control pixies, a debug kernel would be no chance.
 
Old 05-28-2009, 11:11 PM   #9
chrism01
Like I said, quick 'n dirty. Also, because you rename the actual app, the users won't know what it's now called unless they have a good reason to 'check' and discover the 'app' is now a shell script, especially as I said to call it the exact same name, sans .sh extension.
 
  

