2

I have to maintain a system (Debian) on which several users are allowed to install programs, so I would like to log, for example, if anyone executes "apt-get install" or "apt-get purge", so I can keep track of manually installed packages.

I'm looking for a general way to achieve this; it's not just APT, but several programs/scripts etc.

Any ideas?

/edit

A Google search with a few different keywords brought up this:

https://serverfault.com/questions/201221/how-to-log-every-linux-command-to-a-logserver

https://stackoverflow.com/questions/15698590/how-to-capture-all-the-commands-typed-in-unix-linux-by-any-user

http://sourceforge.net/projects/rootsh/

3 Answers

2

This is exactly what the GNU Accounting Utilities (acct) are designed for.

See:

0
1

Maybe this can work for your needs. If the users use sudo for installing packages, try this:

$ sudo cat /var/log/auth.log | grep sudo   # or apt-get, or any other program/script

You can also print the results to a file and create a cronjob for this.

EDIT:

Disable "sudo su" for simplifying the logging.

1. Use visudo for editing the sudoers file.
2. Add a line like this one: Cmnd_Alias  SUCMD = /bin/su
3. Be sure to use !SUCMD for the user or system privileges: %sudo ALL=(ALL) ALL,!SUCMD
3
  • Thanks Abrahamsson! Just like many other approaches, this wouldn't log everything after "sudo su". I've been at a loss yesterday; a Google search with a few different keywords brought up this: serverfault.com/questions/201221/… stackoverflow.com/questions/15698590/… sourceforge.net/projects/rootsh
    – user234646
    Commented Jun 30, 2013 at 15:01
  • Seems like the easiest way is to disable "sudo su"; I will edit my post for that. Commented Jun 30, 2013 at 23:16
  • Thanks for your mail! Again, one could slip out of this, e.g. by starting a shell in emacs or vi or whatever. I'll take a closer look at GNU acct, as nod suggested; I think that would do the job.
    – user234646
    Commented Jul 1, 2013 at 8:34
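The auth.log approach from the answer above, worked through as an added example that is not part of the original posts: it parses sudo's log lines into user, outcome and command, and lists the entries (root shells, editors) after which individual commands are no longer logged, which is the gap raised in the comments. The function names and the sample log lines are constructed for illustration, and the parser assumes sudo's default syslog line format with a plain "sudo:" tag.

```shell
#!/bin/sh
# Added example. Assumes the default sudo syslog line format:
#   <time> <host> sudo: <user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=<cmd>

# Constructed sample lines (not taken from a real system).
sample_log() {
cat <<'EOF'
Jun 30 14:55:01 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Jun 30 14:58:12 box sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt-get purge exim4
Jun 30 15:01:40 box sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su
Jun 30 15:03:05 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jun 30 15:04:00 box sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jun 30 15:06:30 box sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su
EOF
}

# Read auth.log lines on stdin, print: user|RAN or DENIED|class|command
sudo_report() {
  awk '
    / sudo: / && /COMMAND=/ {
      line = $0
      sub(/^.* sudo: +/, "", line)            # drop timestamp, host and tag
      user = line; sub(/ .*$/, "", user)
      i = index(line, "COMMAND=")
      head = substr(line, 1, i - 1)           # fields before the command
      cmd  = substr(line, i + 8)
      status = "RAN"
      if (head ~ /command not allowed|NOT in sudoers|incorrect password/) status = "DENIED"
      split(cmd, w, " "); prog = w[1]; sub(/^.*\//, "", prog)
      class = "OTHER"
      if (prog ~ /^(apt-get|apt|aptitude|dpkg)$/) class = "PACKAGE"
      else if (prog ~ /^(su|sh|bash|dash|zsh)$/)  class = "SHELL"
      else if (prog ~ /^(vi|vim|emacs)$/)         class = "EDITOR"
      print user "|" status "|" class "|" cmd
    }'
}

# Entries after which further commands are not logged individually:
# root shells, and editors that can start a shell.
unlogged_sessions() {
  sudo_report | awk -F"|" '$2 == "RAN" && ($3 == "SHELL" || $3 == "EDITOR")'
}

# Demo on the sample; on a real host: sudo cat /var/log/auth.log | sudo_report
sample_log | sudo_report
```

The DENIED line for bob is what a blocked `/bin/su` looks like once the `!SUCMD` rule from the answer is in place.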
1

Snoopy is simple to start with.

If you need more (in terms of reliability or 'uncircumventiability'), you should look towards proper auditing solutions.

Disclosure: Snoopy maintainer here.
