Process accounting with lastcomm and sa
I searched RADIUS accounting logs, httpd logs and process accounting logs and I was able to pin-point the problem (and the user) within seconds: a faulty CGI provided a way for the root account to be removed.
One of the tools I used was lastcomm -- the command for showing last commands executed. This article covers the basics of enabling process accounting and shows a few examples of using lastcomm and sa to read and use the accounting data. These tools can help monitor user activity and system usage."
See also the Process Accounting HOWTO
The link for this article located at BSD Today is no longer available.