Post subject: Tracking of activity on the Linux Server
Posted: Sat Jan 10, 2009 1:37 pm
It is at times a challenge for a system administrator to keep a close watch on the overall activity of all the users on a server. It is possible that a user with shell access can manipulate the system. There are a few users who can clear their history or clear the ~/.bash_history file. But you can still monitor the commands executed by them.

The recommended procedure is to log user activity using process accounting. Process accounting enables a system administrator to view the commands executed by a user, including the CPU and memory time. This gives the system administrator a useful tool to see which command was run and the actual time at which it was executed.

You can use the psacct package, which contains a number of utilities for monitoring the server and the processes running on it. I have already explained a utility called lastcomm in the post "Detect Command History for all users".

The following is the list of utilities it includes:
Code:
    * The ac command displays statistics about how long users have been logged on.
    * The lastcomm command displays information about previously executed commands.
    * The accton command turns process accounting on or off.
    * The sa command summarizes information about previously executed commands.


Installation of psacct

You can install the psacct package using the following commands on the various distributions:

Use the up2date command on RHEL4 or earlier versions:
Quote:
# up2date psacct

Use yum on RHEL5, CentOS or Fedora:
Quote:
# yum install psacct

On Debian or Ubuntu use the apt-get command:
Quote:
# apt-get install acct

Or
Quote:
$ sudo apt-get install acct

Start the service and ensure it starts during boot

Once the package is installed, start the service using the following command:
Quote:
# /etc/init.d/psacct start

On Debian/Ubuntu the service is started by default by creating the /var/account/psacct file.
Ensure that the service starts after a reboot on CentOS/RHEL/Fedora servers by using the following command:
Quote:
# chkconfig psacct on

Note: On SUSE and Debian/Ubuntu Linux the service for psacct is called acct, so you need to start the acct service instead.

Display statistics about users' connect time

The ac utility displays the connect time in hours, based on logins and logouts, and also provides a total. If ac is run without any options it displays just the total connect time:
Code:
   total      120.40

To display a total for each day rather than a single overall total, use the following command:
Code:
Jan  1   total        2.07
Jan  2   total       16.45
Jan  5   total        0.00
Jan  6   total       28.68
Jan  8   total        9.81
Jan  9   total       21.67
Today   total       41.85

To display the total for each user, rather than only the user currently logged in to the system, use the following command:
Code:
   root                                 0.01
   gagan                              102.05
   total      120.58

Find the history of previously executed command by a user

As mentioned in the post "Detect Command History for all users", you can use lastcomm to check the history of commands used by any user on the system. So if I want to check the history of commands executed by user gagan on my system, I will use the following command:
Quote:
# lastcomm

Code:
su               S     gagan    stderr     0.00 secs Sat Jan 10 18:38
bash                   gagan    stderr     0.11 secs Sat Jan 10 18:38
gconftool-2            gagan    ??         0.00 secs Sat Jan 10 18:39
gconftool-2            gagan    ??         0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:39
ac                     gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.04 secs Sat Jan 10 18:38
sed                    gagan    stderr     0.01 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
uname                  gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
uname                  gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
dircolors              gagan    stderr     0.00 secs Sat Jan 10 18:38
bash              F    gagan    stderr     0.00 secs Sat Jan 10 18:38
lesspipe               gagan    stderr     0.00 secs Sat Jan 10 18:38
lesspipe          F    gagan    stderr     0.00 secs Sat Jan 10 18:38
dirname                gagan    stderr     0.00 secs Sat Jan 10 18:38
basename               gagan    stderr     0.00 secs Sat Jan 10 18:38
bogofilter             gagan    ??         0.00 secs Sat Jan 10 18:37
apt-check              gagan    ??         1.62 secs Sat Jan 10 18:36

I will explain what each field means here by taking the first line of this output:
Code:
su               S     gagan    stderr     0.00 secs Sat Jan 10 18:38

here,
Code:
    * su - the command name of the process
    * S and X are flags, as recorded by the system accounting routines. The meaning of each flag is:
          o S -- command executed by super-user
          o F -- command executed after a fork but without a following exec
          o D -- command terminated with the generation of a core file
          o X -- command was terminated with the signal SIGTERM
    * gagan - the name of the user who ran the process
    * stderr - the terminal name (it can also be pts/0 or something like it)
    * 0.00 secs - time the process exited
    * The last field is the actual time when the command was run.

You can also filter this output by command name. So if you want to find out which users ran the rm command, use the following:
Quote:
# lastcomm rm

Code:
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     gagan    ??         0.00 secs Sat Jan 10 18:50
rm                     smmsp    ??         0.00 secs Sat Jan 10 18:43

You can also search the accounting logs by terminal name:
Quote:
# lastcomm pts/1


Summarize accounting information

The sa command can be used to summarize the information about the commands executed previously. It condenses this data into a file named savacct, which contains the number of times each command was executed and the system resources used. Moreover, the sa command can summarize the information on a per-user basis; this information is saved in the file named usracct.
Code:
     245     257.42re       1.80cp         0avio      6667k
      23     241.10re       1.57cp         0avio      3557k   ***other*
       3       1.44re       0.12cp         0avio     43675k   soffice.bin
       2       0.08re       0.06cp         0avio       445k   foo2zjs
       4       0.08re       0.02cp         0avio      4203k   gs
       3       0.04re       0.01cp         0avio      6121k   javaldx
       6       0.02re       0.01cp         0avio    164373k   java
       6       0.08re       0.01cp         0avio       734k   cat

The output is explained by taking one line of the above output as an example:
Code:
       6       0.08re       0.01cp         0avio       734k   cat

here,
Code:
    * 0.08re - "real time" in wall clock minutes
    * 0.01cp - sum of system and user time in CPU minutes
    * 734k - CPU-time averaged core usage, in 1k units
    * cat - command name

You can use this command to display the output on a per-user basis. The following is the command:
Code:
root       0.00 cpu      392k mem      0 io accton         
root       0.00 cpu      443k mem      0 io acct           
root       0.00 cpu      443k mem      0 io invoke-rc.d     
root       0.00 cpu      443k mem      0 io acct.postinst   
root       0.13 cpu     2033k mem      0 io dpkg           
root       0.00 cpu      765k mem      0 io touch           
root       0.00 cpu      443k mem      0 io sh             
root       0.00 cpu     5032k mem      0 io apt-get         *
root       0.78 cpu     1341k mem      0 io apt-get         
gagan      1.62 cpu     1850k mem      0 io apt-check       
root       0.00 cpu      443k mem      0 io acct           
root       0.00 cpu      443k mem      0 io acct           
root       0.00 cpu      427k mem      0 io ac             
postgres   0.00 cpu    10466k mem      0 io postgres        *

To display the number of processes and the number of CPU minutes on a per-user basis, use the following:
Code:
root                                   44     231.51re       0.86cp         0avio      1515k
smmsp                                  28      11.04re       0.68cp         0avio       517k
gagan                                 124      13.63re       0.17cp         0avio     11038k
lp                                     56       1.24re       0.09cp         0avio      1125k
postgres                               25       0.00re       0.00cp         0avio     10466k
