How to keep a detailed audit trail of what's being done on your Linux systems
Intrusions can take place from both authorized and unauthorized users.
My personal experience shows that unhappy user can damage the system,
especially if they have a shell access. Some users are little smart and
removes history file (such as ~/.bash_history) but you can monitor all
user executed commands.
shows how to log user activity using process accounting. It allows you
to view every command executed by a user including CPU and memory time.
You can easily find out which commands used to take down your system
with these utilities.