It can be a challenge for a system administrator to keep a close watch on the activity of all users on a server. A user with shell access can manipulate the system, and some users clear their history or the ~/.bash_history file. You can still monitor the commands they executed.
The recommended procedure is to log user activity using process accounting. Process accounting lets a system administrator view the commands executed by a user, including the CPU and memory time. This gives the system administrator a useful tool for finding which command was executed and the actual time at which it ran.
You can use the psacct package, which contains a number of utilities for monitoring the server and the processes running on it. I have already explained a utility called lastcomm in the post “Find / Detect Command History for users”.
The following is the list of utilities it includes:
- The ac command displays statistics about how long users have been logged on.
- The lastcomm command displays information about previously executed commands.
- The sa command summarizes information about previously executed commands.
- The accton command turns process accounting on or off.
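The per-user view that process accounting gives, as an added example that is not part of the original post: a shell function that summarises lastcomm output by user and command. The record layout is assumed to be that of GNU acct's lastcomm, the function names are hypothetical, and the sample records are constructed.

```shell
# Added example: per-user summary of lastcomm output (psacct/acct).
# Assumed record layout (GNU acct lastcomm):
#   command [flags] user tty cputime "secs" start-time
# Flags are letters from SFCDX; "S" marks a command run by the superuser.

# Reads lastcomm output on stdin and prints one line per (user, command)
# pair: user<TAB>command<TAB>count<TAB>flags ("-" when no flag was set).
summarize_lastcomm() {
  awk '
    {
      # Anchor on the literal "secs" token, since the flags column may be empty.
      s = 0
      for (i = 1; i <= NF; i++) if ($i == "secs") { s = i; break }
      if (s < 5) next                      # not an accounting record
      u = s - 3                            # user sits three fields before "secs"
      f = u - 1; flags = ""
      # Flag letters sit in fixed columns, so they can split into several tokens.
      while (f >= 2 && $f ~ /^[SFCDX]+$/) { flags = $f flags; f-- }
      cmd = $1
      for (j = 2; j <= f; j++) cmd = cmd " " $j
      key = $u "\t" cmd
      count[key]++
      # Remember every distinct flag letter seen for this pair.
      for (k = 1; k <= length(flags); k++) {
        c = substr(flags, k, 1)
        if (index(seen[key], c) == 0) seen[key] = seen[key] c
      }
    }
    END {
      for (key in count)
        printf "%s\t%d\t%s\n", key, count[key], (seen[key] == "" ? "-" : seen[key])
    }
  ' | LC_ALL=C sort
}

# Constructed sample records (not from a real host).
sample_records() {
  cat <<'EOF'
ls                     alice    pts/1      0.00 secs Mon Mar  3 10:14
rm                     alice    pts/1      0.01 secs Mon Mar  3 10:15
rm                     alice    pts/1      0.00 secs Mon Mar  3 10:16
useradd          S     root     pts/0      0.02 secs Mon Mar  3 10:20
bash              F    alice    pts/1      0.00 secs Mon Mar  3 10:21
cron             SF    root     __         0.00 secs Mon Mar  3 10:30
python3          S   X root     pts/0      0.10 secs Mon Mar  3 10:31
EOF
}

sample_records | summarize_lastcomm
```

On a live system, pipe the real accounting output through the function instead of the sample: lastcomm | summarize_lastcomm.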
Howto psacct – Installation of psacct
You can install the psacct package using the following commands on various OS:
Use the up2date command on RHEL4 or earlier versions:
# up2date psacct
Use yum on RHEL5, CentOS or Fedora:
# yum install psacct
On Debian or Ubuntu, use the apt-get command:
$ sudo apt-get install acct
Start the service and ensure it starts during boot
Once the package is installed, start the service using the following command:
# /etc/init.d/psacct start
On Debian/Ubuntu the service is started by default by creating the /var/account/psacct file.
Ensure that the service starts on reboot on a CentOS/RHEL/Fedora server by using the following command:
# chkconfig psacct on
Note: On SUSE and Debian/Ubuntu Linux the psacct service is named acct, so you need to start the acct service instead.
In upcoming articles we will discuss the different commands included in the psacct package.