This document discusses implementing process accounting on a BSD system. The paths may be slightly different on a Linux system, but it's otherwise the same.

"Over a year ago, I had an interesting job of tracking down how a root superuser account vanished. Once I was on the system, it appeared that the issue was not malicious and I enjoyed the detective work tracking down the problem.

I searched RADIUS accounting logs, httpd logs and process accounting logs, and I was able to pinpoint the problem (and the user) within seconds: a faulty CGI provided a way for the root account to be removed.

One of the tools I used was lastcomm -- the command for showing last commands executed. This article covers the basics of enabling process accounting and shows a few examples of using lastcomm and sa to read and use the accounting data. These tools can help monitor user activity and system usage."

See also the Process Accounting HOWTO

The link for this article located at BSD Today is no longer available.