acct
logs execution of all processes, and the users that execute them, recording statistics such as real time elapsed, and CPU time elapsed. I have seen it suggested that this might be useful in a forensic context, i.e. working out who executed what, and when. But as it just records the name of the process, I'm wondering what value it really adds.
If I execute
$ cp /usr/bin/cc vi
$ ./vi malware.c -o ls
$ ./ls
then the process accounting log will only contain entries named "cp", "vi", and "ls" - all innocuous.
Therefore process accounting appears to offer limited security benefits. Any contrary opinions?
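To make concrete what an analyst actually gets out of a pacct file, here is a decoder for the Linux `struct acct_v3` record format (the 64-byte layout from <linux/acct.h>), written as an added example rather than anything from the question or answer. It assumes little-endian storage and constructs its own sample records mirroring the cp / vi / ls sequence above; the pids, uid and timestamps are made up. Besides the bare 16-byte command name, every record carries the real uid, pid, parent pid, start time and CPU time, which is what lets you group the three innocuous-looking names under the one shell that ran them:

```python
import struct
from collections import namedtuple

ACCT_COMM = 16
# struct acct_v3 from <linux/acct.h>, little-endian (assumed x86 host):
#   ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid,
#   ac_ppid, ac_btime, ac_etime (float), 8 x comp_t, ac_comm[16] = 64 bytes
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
ACCT_FLAGS = {0x01: "AFORK", 0x02: "ASU", 0x08: "ACORE", 0x10: "AXSIG"}

Record = namedtuple(
    "Record", "flags uid gid pid ppid btime etime utime stime comm")


def decode_comp_t(value):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * (value >> 13))


def parse_record(buf):
    """Decode one 64-byte acct_v3 record; reject other record versions."""
    (flag, version, _tty, _exitcode, uid, gid, pid, ppid, btime, etime,
     utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
     comm) = ACCT_V3.unpack(buf)
    if version != 3:
        raise ValueError("unsupported acct record version %d" % version)
    names = [n for bit, n in ACCT_FLAGS.items() if flag & bit]
    return Record(names, uid, gid, pid, ppid, btime, etime,
                  decode_comp_t(utime), decode_comp_t(stime),
                  comm.rstrip(b"\0").decode("ascii", "replace"))


def parse_log(data):
    """Walk a pacct file. A truncated trailing record is ignored, since the
    kernel may be mid-write when the file is copied off the host."""
    size = ACCT_V3.size
    return [parse_record(data[i:i + size])
            for i in range(0, len(data) - size + 1, size)]


def children_of(records, ppid):
    """Commands run under one parent (e.g. an interactive shell), in start
    order. ac_comm is only a name, so pid/ppid/uid/btime correlation is the
    real value the log offers an investigator."""
    return sorted((r for r in records if r.ppid == ppid),
                  key=lambda r: (r.btime, r.pid))


def make_record(uid, pid, ppid, btime, comm, utime_comp=0, flags=0):
    """Encode a constructed record for this demonstration (not real data)."""
    return ACCT_V3.pack(flags, 3, 0, 0, uid, 0, pid, ppid, btime, 0.0,
                        utime_comp, 0, 0, 0, 0, 0, 0, 0,
                        comm.encode("ascii"))


# Constructed pacct contents: a shell with (made-up) pid 4000 ran cp, then
# the renamed compiler, then the renamed binary. Only the basename survives
# in ac_comm, exactly as the question observes. The "vi" entry carries a
# comp_t-encoded user time of 9317 (mantissa 1125, exponent 1 -> 9000 ticks).
SAMPLE_PACCT = b"".join([
    make_record(1000, 4101, 4000, 1700000000, "cp"),
    make_record(1000, 4102, 4000, 1700000005, "vi", utime_comp=9317),
    make_record(1000, 4103, 4000, 1700000030, "ls", flags=0x01),
])

if __name__ == "__main__":
    # Ten stray bytes stand in for a partially written final record.
    for r in children_of(parse_log(SAMPLE_PACCT + b"\0" * 10), 4000):
        print(r.btime, "uid=%d" % r.uid, "pid=%d" % r.pid,
              "utime=%d" % r.utime, r.flags, r.comm)
```

On a real system the file is typically /var/account/pacct or /var/log/account/pacct; read it as bytes and pass it to `parse_log`. The unusually long user time on the "vi" record is the kind of detail worth a second look when the name alone tells you nothing.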
By themselves, these logs are not hugely useful as a security tool, but once you've established that you've been compromised, you can check the accounting logs to see what commands the attacker used, and possibly gauge the extent of the damage. It may also shed light on the attacker's techniques, allowing you to try to protect yourself from similar attacks in the future.
It all comes down to practising security in layers - process accounting doesn't stop someone breaking in, but it can provide useful information in determining what happened in the event someone does break in, and can be a useful addition to your security toolkit.