Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
04-16-2015, 04:47 AM
|
#1
|
Member
Registered: Jul 2014
Posts: 43
Rep:
|
History of failed commands.
I want to know the history of failed commands in Red Hat . i.e commands which were executed(manually or by any application) with exit value other than 0.
Last edited by gaurav_s; 04-16-2015 at 04:48 AM.
|
|
|
04-16-2015, 04:56 AM
|
#2
|
Moderator
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
|
The shell only stores the commands launched, but not their exit codes. Programs launched by applications are not logged at all, unless the application that starts those applications does logging itself.
|
|
1 members found this post helpful.
|
04-16-2015, 07:58 AM
|
#3
|
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,891
|
I think you'd have to write your own shell to provide this capability. You're not just talking about history of what you've entered, but history of the results.
What're you trying to do, catch people trying stuff so you know they're trying to get away with things?
|
|
|
04-16-2015, 11:16 AM
|
#4
|
Senior Member
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,789
|
If you have process accounting turned on, the exit code is part of the information that is recorded for every process. You would need to have the psacct package installed, but I believe it's part of the default installation. See the manpages for accton, sa, dump-acct, and related commands.
Note that a process accounting file can become quite large quite quickly.
|
|
|
04-16-2015, 12:24 PM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
psacct provides rudimentary logging at best as it only logs argv[0] and no arguments (at least as I've seen it) so it won't ever be part of any audit trail.
The audit service logs exit codes.
Rootsh logs everything typed in a shell session including stderr/stdout.
|
|
1 members found this post helpful.
|
04-16-2015, 03:18 PM
|
#6
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912
|
Quote:
Originally Posted by unSpawn
psacct provides rudimentary logging at best as it only logs argv[0] and no arguments (at least as I've seen it) so it won't ever be part of any audit trail.
The audit service logs exit codes.
Rootsh logs everything typed in a shell session including stderr/stdout.
|
It never did store the parameters to a command.
The problem is that there can be thousands of parameters, and then there are other parameters to commands that can be taken from the environment (for a few thousand more). The number of parameters is limited by ARG_MAX (amount of memory for arguments - on my system it is 4096, and each argument has memory assigned to it as well - up to about 2MB); which is a bit too large for a single accounting record... And they would have to be recorded before the command starts as the command can (and sometimes does) change the input parameters/environment.
Last edited by jpollard; 04-16-2015 at 03:21 PM.
|
|
|
04-16-2015, 06:44 PM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by jpollard
It never did store the parameters to a command.
|
Then I got that right, thanks for confirming.
Quote:
Originally Posted by jpollard
The problem is that there can be thousands of parameters,
|
Depends on how you look at it. For me the problem is different: still seeing 'psacct' suggested. Which sure is OK if one is doing sa* accounting but not if one is looking to start a comprehensive audit trail (given the latter being the more common question of the two on LQ).
|
|
|
04-16-2015, 07:58 PM
|
#8
|
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912
|
Yes, accounting is what the pacct files were for, they do have exit status values though. One place
I worked used the exit status to resolve issues with the user - when project accounting was active for use in a chargeback system, the exit status could be used by the user to justify refunds (this was when charging for the use a Cray YMP 8 mainframe system; I got the thankless task of translating the pacct records into accounting charges - building sessions, accumulating values for memory and CPU use... yuk).
For other purposes, auditd is what you use - but again, the logging is much more complex. It can record the changes done to a file, by who, and what application. But it cannot record parameter or environment values for each process either - again, it would take far too much time and disk space.
It would be closer to say that the records are like strace - where strace only reports the system calls (and parameters) are for that specific system call, and the return status value. Even then strace can't report the contents of arrays (such as argv and environ lists) for the same reason (both too much data, plus too many different structures could be passed - so strace only lists basic parameters).
|
|
|
All times are GMT -5. The time now is 08:50 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|