I want to know the history of failed commands in Red Hat . i.e commands which were executed(manually or by any application) with exit value other than 0.

The shell only stores the commands launched, but not their exit codes. Programs launched by applications are not logged at all, unless the application that starts those applications does logging itself.

1 members found this post helpful.

I think you'd have to write your own shell to provide this capability. You're not just talking about history of what you've entered, but history of the results.

What're you trying to do, catch people trying stuff so you know they're trying to get away with things?

If you have process accounting turned on, the exit code is part of the information that is recorded for every process. You would need to have the psacct package installed, but I believe it's part of the default installation. See the manpages for accton, sa, dump-acct, and related commands.

Note that a process accounting file can become quite large quite quickly.

psacct provides rudimentary logging at best as it only logs argv[0] and no arguments (at least as I've seen it) so it won't ever be part of any audit trail.
The audit service logs exit codes.
Rootsh logs everything typed in a shell session including stderr/stdout.

1 members found this post helpful.

It never did store the parameters to a command.

The problem is that there can be thousands of parameters, and then there are other parameters to commands that can be taken from the environment (for a few thousand more). The number of parameters is limited by ARG_MAX (amount of memory for arguments - on my system it is 4096, and each argument has memory assigned to it as well - up to about 2MB); which is a bit too large for a single accounting record... And they would have to be recorded before the command starts as the command can (and sometimes does) change the input parameters/environment.

Then I got that right, thanks for confirming.


Depends on how you look at it. For me the problem is different: still seeing 'psacct' suggested. Which sure is OK if one is doing sa* accounting but not if one is looking to start a comprehensive audit trail (given the latter being the more common question of the two on LQ).

Yes, accounting is what the pacct files were for, they do have exit status values though. One place
I worked used the exit status to resolve issues with the user - when project accounting was active for use in a chargeback system, the exit status could be used by the user to justify refunds (this was when charging for the use a Cray YMP 8 mainframe system; I got the thankless task of translating the pacct records into accounting charges - building sessions, accumulating values for memory and CPU use... yuk).

For other purposes, auditd is what you use - but again, the logging is much more complex. It can record the changes done to a file, by who, and what application. But it cannot record parameter or environment values for each process either - again, it would take far too much time and disk space.

It would be closer to say that the records are like strace - where strace only reports the system calls (and parameters) are for that specific system call, and the return status value. Even then strace can't report the contents of arrays (such as argv and environ lists) for the same reason (both too much data, plus too many different structures could be passed - so strace only lists basic parameters).