Installing psacct (process accounting)
The psacct service starts and stops process accounting at system boot and shutdown. It is a wrapper that invokes the accton accounting control program. With the process accounting tools you can find out who ran a specific command, on which terminal and at what time.
The psacct package contains several utilities for monitoring process activity, including ac, lastcomm, accton and sa.
Command | Function |
---|---|
ac | displays statistics about how long users have been logged on |
lastcomm | displays information about previously executed commands |
accton | turns process accounting on or off |
sa | summarizes information about previously executed commands |
last, lastb | show the listing of last logged-in users (lastb: failed logins); these read wtmp/btmp and come from util-linux (sysvinit-tools on RHEL 6) rather than psacct, but are used alongside it |
First, make sure the psacct package is installed:
# yum install psacct
Once the package is installed, start the psacct service and enable it at boot:
CentOS/RHEL 6
# service psacct start
# chkconfig psacct on
CentOS/RHEL 7
# systemctl start psacct
# systemctl enable psacct
The service runs accton for you. To turn process accounting on by hand, pass accton the accounting file (the service uses /var/account/pacct); running accton with no argument turns accounting off, and nothing executed while it is off is recorded:
# accton /var/account/pacct
# accton
Using lastcomm
1. When an unexpected command has been run by some user and is causing a problem, first check on which terminal and at what time it was executed. For example:
# lastcomm
top       S     root     pts/2      0.01 secs Wed Aug 26 21:08
ps        S     root     pts/2      0.06 secs Wed Aug 26 21:08
The output shows the command (the basename only, truncated to 16 characters; arguments are not recorded), the flags (S means the command ran with superuser privileges), the uid it ran under, the terminal, the CPU time used and the start time.
2. Next, check which user was logged in on pts/2 when those commands ran:
# last
testuser pts/2        localhost        Wed Aug 26 20:52   still logged in
root     pts/1        :0.0             Wed Aug 26 20:50   still logged in
testuser held the session on pts/2, so the commands ran in testuser's session. Since lastcomm recorded them under uid root with the S flag, testuser evidently switched to root first (for example with su or sudo); lastcomm su and lastcomm sudo on the same terminal will show that switch. Keep in mind that pts numbers are reused, so always compare the start times of the lastcomm records with the login and logout times of the session.
3. If needed, set the variable below so that the history command also shows timestamps:
# export HISTTIMEFORMAT='%F %T '
With that variable set, the history output looks like this:
# history
...
103 2015-08-26 21:08:54 ps -ef
104 2015-08-26 21:08:56 top
Shell history is useful here mainly because it keeps the command arguments that process accounting does not. It is only supporting evidence, though: it is written by the user's own shell, can be edited or disabled by the user, and commands from earlier sessions only carry timestamps if HISTTIMEFORMAT was already set when they were saved (so consider setting it system-wide in /etc/profile.d/).
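The correlation of steps 1 and 2 can be scripted. The following is an added example, not code from the original article: it parses saved lastcomm and last output with awk, attributes each accounting record to the session that last reports for the same terminal, and flags records whose uid differs from the session owner, which is the root-commands-on-testuser's-pts/2 pattern seen above. The file names, the sample records and the function name attribute_commands are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: correlate lastcomm
# records with the login sessions that `last` reports on the same terminal,
# and flag commands whose accounting uid differs from the session owner.
#
# Both inputs are read from files so the script runs offline; on a live host
# save real output with `lastcomm > lastcomm.txt` and `last > last.txt`.

# attribute_commands LASTCOMM_FILE LAST_FILE
# Prints one line per accounting record:
#   <command> <acct_uid> <tty> <start time> <session owner> <verdict>
# Assumption: a terminal is attributed to its most recent session in `last`
# (pts numbers are reused), so check the printed start time against the
# session's login/logout times before drawing conclusions.
attribute_commands() {
    local lastcomm_file=$1 last_file=$2
    awk '
        # First file (`last`): $1 = login name, $2 = tty. `last` lists the
        # newest session first, so keep the first owner seen per tty. Skip
        # blank lines, the "wtmp begins" trailer and reboot pseudo-sessions.
        FNR == NR {
            if ($1 == "" || $1 == "wtmp" || $1 == "reboot") next
            if (!($2 in owner)) owner[$2] = $1
            next
        }
        # Second file (`lastcomm`): the flags column (S, F, D, X) is omitted
        # when no flag is set, so fields are taken from the right: the last
        # four are the start time, then "secs", CPU seconds, tty, uid.
        NF >= 9 {
            cmd  = $1
            user = $(NF-7)
            tty  = $(NF-6)
            when = $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
            who  = (tty in owner) ? owner[tty] : "?"
            if (who == "?")        verdict = "no-session"
            else if (who == user)  verdict = "ok"
            else                   verdict = "PRIVILEGE-CHANGE"
            printf "%s %s %s %s %s %s\n", cmd, user, tty, when, who, verdict
        }
    ' "$last_file" "$lastcomm_file"
}

# Constructed sample input modelled on the article's output (not real logs).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/lastcomm.txt" <<'EOF'
top       S     root     pts/2      0.01 secs Wed Aug 26 21:08
ps        S     root     pts/2      0.06 secs Wed Aug 26 21:08
su        S     testuser pts/2      0.00 secs Wed Aug 26 21:07
ls              testuser pts/2      0.00 secs Wed Aug 26 20:55
vim             root     pts/1      0.30 secs Wed Aug 26 20:51
EOF
cat > "$SAMPLE_DIR/last.txt" <<'EOF'
testuser pts/2        localhost        Wed Aug 26 20:52   still logged in
root     pts/1        :0.0             Wed Aug 26 20:50   still logged in

wtmp begins Mon Aug  3 09:12:44 2015
EOF

# Prints the top and ps records as PRIVILEGE-CHANGE (root on testuser's tty),
# su and ls as ok, and vim on root's own pts/1 as ok.
attribute_commands "$SAMPLE_DIR/lastcomm.txt" "$SAMPLE_DIR/last.txt"
```

The script deliberately does not try to parse the session time window: last prints no year and lastcomm prints no seconds, so the printed start time is meant to be checked by eye against the login and logout times of the session that owns the terminal. The su record is what to look for next, because it marks the point where the session owner became root.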
Other examples of lastcomm
1. To find out who ran a specific command, pass the command name to lastcomm. For example, to find out who ran the shutdown command, use:
# lastcomm --command shutdown
This lists every recorded execution of shutdown with the uid, terminal and start time.
2. To find out the commands run by a specific user, use the --user option:
# lastcomm --user [user_name]
3. You can also combine options to list only a specific command run by a specific user:
# lastcomm --user [username] --command [command]
lastcomm will not show commands executed during system startup or shutdown, because accounting is not yet running, or has already been stopped, at that point. The accounting record also holds only the command name, not its arguments or full path. If auditd is enabled on the system, its execve records provide that more thorough information.