On Tue, Apr 13, 2010 at 11:36 AM, Matt Lawrence <[email protected]> wrote:
> On Tue, 13 Apr 2010, Aleksey Tsalolikhin wrote:
>
>> You might want to look into process accounting - this way you'll have
>> a record of
>> all processes, including any commands ran. Might be too much data for you to
>> sift through...
>
> Yeah, that would be way too much. This isn't a situation where there is a
> problem with a malicious user, just one that did something to cause the
> system to misbehave and can't remember exactly what. Command line logging
> with a timestamp is quite adequate for this situation.
I understand. Have you checked this user's shell command history?
You might want to set this variable in your users' bash shell:
HISTTIMEFORMAT
If this variable is set and not null, its value is used
as a format string for strftime(3) to print the time stamp associated
with each history entry displayed by the history builtin. If this
vari-
able is set, time stamps are written to the history file
so they may be preserved across shell sessions.
This will tell you when command was run. Caveat: once you set this
variable, and run "history", you'll see timestamps next to commands --
but ignore the commands PRIOR to setting the variable, they'll be
bogus rather than blank.
Best,
-at
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
