draper7 has asked for the wisdom of the Perl Monks concerning the following question:

Hey everyone, I'm wondering if it is possible to monitor file execution. For example, determine if a user executed the kill command/what did it kill. I've pondered the possibility of scanning shell history but that's not real reliable. I also thought about aliases but that's no good. I must be missing something simple.
Thanx.

--
He returned to his room, closed the door, and meditated in a high mental state throughout the night.

----

Re: Monitoring File Execution
by andreychek (Parson) on Jun 25, 2001 at 20:53 UTC
    If you are using some variant of UNIX/Linux, there is something called "Process Accounting". It is capable of logging every process, and does so when the process terminates.

    It actually comes with RedHat 7.1 (I don't know about previous versions), and the package is called psacct.. so you can just do a
    rpm -qa|grep psacct
    to see if it's installed.

    As far as documentation goes, you can try:
    man accton
    man acct
    man sa
    And to keep things on topic for this site, by all means, you could use a perl script to dig through the log file to generate usage information and statistics for you if 'sa' doesn't do what you are looking for :-)

    As a side note -- process accounting is often something used on only the most secure of sites. Not all users would be fond of having their every command logged. It can border on being Big Brother. However, I'm not saying you shouldn't do it, and there are definitely times where it is useful or necessary.
    -Eric
      Hey, thanks for the reply and pointing me in the right direction. Sorry about the off topic question :-).

      --
      He returned to his room, closed the door, and meditated in a high mental state throughout the night.
      ---
        No problem at all. I wouldn't worry about it being offtopic.. I'm somewhat new here, but it seems to me that anything capable of even involving Perl can be considered on topic. Simply mention the word Perl in your post and you're fine ;-)

        Good luck!
        -Eric
Re: Monitoring File Execution
by scain (Curate) on Jun 25, 2001 at 20:27 UTC
    What exactly do you want to monitor? If it is only kill, and you have sys admin privileges on the machine, you could write a wrapper for kill that would write to a log file when it is executed, then alias the wrapper to kill. If you want something else, be a little more specific.

    Scott

      I really need just to monitor the kill command. But I'm unsure about writing a wrapper/alias. If this is too off topic, don't worry about it. I'll eventually figure out something :-).
      Thanks,
      --
      He returned to his room, closed the door, and meditated in a high mental state throughout the night.
      ---
        draper7,

        What OS are you working in? If it is Linux, I would suggest that you follow andreychek's suggestion and look into process accounting, as that would be a cleaner approach than writing your own script.

        Nevertheless, the way I see a script like this working would look like this in pseudocode

        get args from command line
        do some checking for validity of the arguments
          (ie, is it a valid process number, does the user own the process, are the flags/signals valid)
        open log file
        write info about user, processid, process name, whatever
        close log file
        system("kill",$args,$processid)
        More than that I can't do without spending a lot more time on it.

        Scott

      Of course, if your users are familiar with perl or C, they can bypass the wrapper. Wrapping up libc's kill() would be a little more complicated :)
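
The wrapper scain outlines in pseudocode, written out as a POSIX shell function. This is an added example, not code posted by anyone in the thread; it assumes Linux with /proc mounted, and the function name `logged_kill` and the `KILL_LOG` path are hypothetical. As the last reply points out, it records only kills that go through the wrapper, so process accounting remains the more complete record.

```shell
#!/bin/sh
# Added example: logging wrapper for kill. Source it from the shell profile
# and alias kill to logged_kill. KILL_LOG is a hypothetical path; the file
# must be appendable by the users whose kills are being recorded.
KILL_LOG="${KILL_LOG:-/var/log/kill-wrapper.log}"

logged_kill() {
    sig=TERM
    # Accepted forms: kill PID, kill -9 PID, kill -KILL PID, kill -s KILL PID
    case "${1-}" in
        -l|-L) command kill "$@"; return ;;   # listing signals: nothing to log
        -s) [ "$#" -ge 2 ] || { echo "logged_kill: -s needs a signal" >&2; return 2; }
            sig=$2; shift 2 ;;
        -[0-9A-Za-z]*) sig=${1#-}; shift ;;
    esac
    # The signal ends up in the log line, so restrict it to letters and digits
    case "$sig" in
        ''|*[!0-9A-Za-z]*) echo "logged_kill: invalid signal" >&2; return 2 ;;
    esac
    [ "$#" -gt 0 ] || { echo "usage: logged_kill [-SIGNAL | -s SIGNAL] PID..." >&2; return 2; }

    rc=0
    for pid in "$@"; do
        # Validity check: plain positive integers only (no process groups or job specs)
        case "$pid" in
            ''|*[!0-9]*) echo "logged_kill: invalid pid: $pid" >&2; rc=2; continue ;;
        esac
        # Process names are set by the target itself: strip anything that could forge a log line
        name=$(cat "/proc/$pid/comm" 2>/dev/null | tr -cd 'A-Za-z0-9._-')
        [ -n "$name" ] || name=unknown
        owner=$(stat -c %u "/proc/$pid" 2>/dev/null) || owner=unknown
        # Log before signalling, and refuse to signal if the log cannot be written
        printf '%s caller_uid=%s signal=%s pid=%s owner_uid=%s name=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$sig" "$pid" "$owner" "$name" \
            >> "$KILL_LOG" || return 1
        command kill -s "$sig" "$pid" || rc=1
    done
    return "$rc"
}
```

Each line records the attempt rather than the outcome; the kernel still decides whether the caller is allowed to signal the target, and a mismatch between `caller_uid` and `owner_uid` is the entry to look at.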