Find / Detect Command History for users


psacct is an important utility that can be used to detect the command history of all users on a system in (near) real time. The actual command used to view this history is lastcomm.

The psacct package is present on all RHEL servers, but process accounting is disabled at startup. You need to start psacct via its init.d script or enable it with chkconfig so that accounting is turned on at boot.

# lastcomm

Output:

lastcomm root pts/0 0.00 secs Wed Jul 9 17:05
man tester pts/2 0.00 secs Wed Jul 9 16:53
sh tester pts/2 0.00 secs Wed Jul 9 16:53
sh F tester pts/2 0.00 secs Wed Jul 9 16:53
less tester pts/2 0.00 secs Wed Jul 9 16:53
crond SF root __ 0.00 secs Wed Jul 9 17:01
run-parts root __ 0.00 secs Wed Jul 9 17:01
crond SF root __ 0.00 secs Wed Jul 9 17:00
sadc root __ 0.00 secs Wed Jul 9 17:00

The above command displays the recorded command history for all users.

The output of lastcomm is particularly useful when investigating what commands were run on a system.

For each entry in the lastcomm output, the following information is printed:

+ command name of the process
+ flags, as recorded by the system accounting routines:
    S -- command executed by super-user
    F -- command executed after a fork but without a following exec
    C -- command run in PDP-11 compatibility mode (VAX only)
    D -- command terminated with the generation of a core file
    X -- command was terminated with the signal SIGTERM
+ the name of the user who ran the process
+ time the process exited

You can use the --strict-match option so that only entries matching all of the given arguments are printed.

For example, to find the details of all rm commands executed by all users, you can use the following command:

# lastcomm --strict-match rm

Output:

rm tester pts/2 0.00 secs Wed Jul 9 16:53
rm tester pts/2 0.00 secs Wed Jul 9 16:53
rm root pts/0 0.00 secs Wed Jul 9 16:48
rm tester pts/2 0.00 secs Wed Jul 9 16:42
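As an added example (not part of the original article), here is a small Python parser for lastcomm output of the form shown above; it assumes the whitespace-separated layout printed on this page (command, optional flags, user, tty, CPU time, exit time) and runs on a constructed sample, so the same questions (which users ran rm, which commands ran as super-user) can be answered from saved output.

```python
"""Added example: parse lastcomm output (as shown above) for review."""
from dataclasses import dataclass

# Constructed sample, modelled on the output shown above.
SAMPLE_OUTPUT = """\
lastcomm          root     pts/0      0.00 secs Wed Jul  9 17:05
sh             F  tester   pts/2      0.00 secs Wed Jul  9 16:53
crond         SF  root     __         0.00 secs Wed Jul  9 17:01
rm                tester   pts/2      0.00 secs Wed Jul  9 16:53
rm                root     pts/0      0.00 secs Wed Jul  9 16:48
"""
# Flag letters as documented for lastcomm (see the list above).
FLAG_MEANING = {"S": "executed by super-user", "F": "fork without exec",
                "C": "PDP-11 compat mode", "D": "core file generated",
                "X": "terminated by SIGTERM"}

@dataclass
class AcctEntry:
    command: str
    flags: str      # "" when the flags column is empty
    user: str
    tty: str        # "__" for processes with no controlling tty (cron jobs)
    cpu_secs: float
    exited: str     # "Wed Jul 9 17:05", as printed by lastcomm

def parse_line(line):
    """Split from the right, because the flags column is optional."""
    t = line.split()
    if len(t) < 9 or t[-5] != "secs":
        raise ValueError(f"not a lastcomm line: {line!r}")
    head = t[:-8]                      # command plus optional flags
    if len(head) not in (1, 2):
        raise ValueError(f"unexpected layout: {line!r}")
    flags = head[1] if len(head) == 2 else ""
    if not set(flags) <= set(FLAG_MEANING):
        raise ValueError(f"unknown flag in {flags!r}")
    return AcctEntry(head[0], flags, t[-8], t[-7], float(t[-6]), " ".join(t[-4:]))

def parse_lastcomm(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_command(entries, name):
    """Exact command-name match, like `lastcomm --strict-match rm`."""
    return [e for e in entries if e.command == name]

def superuser_runs(entries):
    """Entries whose S flag shows the command ran as super-user."""
    return [e for e in entries if "S" in e.flags]
```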

The psacct package contains several utilities for monitoring process activities. These include ac, lastcomm, accton, and sa.

    ac – displays statistics about how long users have been logged on.
    lastcomm – displays information about previously executed commands.
    accton – turns process accounting on or off.
    sa – summarizes information about previously executed commands.

We will discuss these commands in more details in upcoming articles.

The following articles provide insight into the use of the different utilities provided with psacct.

Howto psacct
Howto psacct – ac
Howto psacct – lastcomm
Howto psacct – sa
