
  • How to keep a track of all the commands run by any user in Linux

    What if you want to know which commands were executed by a particular user on a Linux server? Below are three ways to find out.

    Method 1

    Check the .bash_history file in the user's home directory.

    NOTE: You will not be able to see the commands executed in the currently logged-in session unless the user logs out, because bash only writes its history to the file when the shell exits. Keep in mind as well that this file is owned by the user, who can edit or empty it, so it is a convenience record rather than an audit trail; Methods 2 and 3 rely on kernel process accounting instead.
    # less /home/deepak/.bash_history
    man yum
    yum deplist httpd
    sud iptables -L
    sudo iptables -L
    sudo iptables --list
    less /etc/sysconfig/iptables
    sudo less /etc/sysconfig/iptables
    sudo iptables --list WEBSHPHERE
    sudo iptables --list INPUT
    cd test

    Method 2

    There are two other commands which can be used for the same purpose, namely lastcomm and sa, both of which come with the package psacct.

    So make sure your machine has psacct installed.
    $ rpm -q psacct
    psacct-6.3.2-44.el5

    If the package is missing you can install it using yum:
    # yum install psacct
    Now let's look at the files which are installed by this package.

    $ rpm -ql psacct-6.3.2-44.el5
    /etc/logrotate.d/psacct
    /etc/rc.d/init.d/psacct
    /sbin/accton
    /usr/bin/ac
    /usr/bin/lastcomm
    /usr/sbin/accton
    /usr/sbin/dump-acct
    /usr/sbin/dump-utmp
    /usr/sbin/sa
    /usr/share/info/accounting.info.gz
    /usr/share/man/man1/ac.1.gz
    /usr/share/man/man1/lastcomm.1.gz
    /usr/share/man/man8/accton.8.gz
    /usr/share/man/man8/sa.8.gz
    /var/account
    /var/account/pacct

    As you can see there are several other executables installed, but the two commands this article concentrates on are sa and lastcomm. Note that installing the package only provides the tools: the kernel writes records to /var/account/pacct only once accounting has been switched on with accton, which is what the /etc/rc.d/init.d/psacct init script listed above does when the service is started.

    lastcomm prints out information about previously executed commands.  If no arguments are specified, lastcomm will print info about all of the commands in acct (the record file).
    # lastcomm --user deepak
    sshd              SF    deepak __         0.00 secs Thu Jun 12 03:08
    bash                    deepak pts/11     0.01 secs Thu Jun 12 03:08
    clear                   deepak pts/11     0.00 secs Thu Jun 12 03:30
    bash-prompt-xte         deepak pts/11     0.00 secs Thu Jun 12 03:30
    man                     deepak pts/11     0.00 secs Thu Jun 12 03:14
    sh                      deepak pts/11     0.00 secs Thu Jun 12 03:14
    less                    deepak pts/11     0.00 secs Thu Jun 12 03:14
    bzip2                   deepak pts/11     0.00 secs Thu Jun 12 03:14
    gunzip                  deepak pts/11     0.00 secs Thu Jun 12 03:14
    bash-prompt-xte         deepak pts/11     0.00 secs Thu Jun 12 03:12
    bash-prompt-xte         deepak pts/11     0.00 secs Thu Jun 12 03:12
    lastcomm                deepak pts/11     0.00 secs Thu Jun 12 03:12
    bash-prompt-xte         deepak pts/11     0.00 secs Thu Jun 12 03:09
    bash-prompt-xte         deepak pts/11     0.00 secs Thu Jun 12 03:09
    date                    deepak pts/11     0.00 secs Thu Jun 12 03:09

    For each entry the following information is printed:
              + command name of the process
              + flags, as recorded by the system accounting routines:
                   S -- command executed by super-user
                   F -- command executed after a fork but without a following exec
                   C -- command run in PDP-11 compatibility mode (VAX only)
                   D -- command terminated with the generation of a core file
                   X -- command was terminated with the signal SIGTERM
              + the name of the user who ran the process
              + time the process exited

    Let's reduce the output to the distinct commands run by a user (root in this example) along with a count for each:
    # lastcomm --user root | awk -F " " '{ print $1 }' | sort | uniq --count
          3 ac
          1 accton
       3537 awk
        650 basename
         17 bash
          4 bzip2
      11030 cat
          5 chmod
          1 clear
        325 consoletype
          1 cp
       1591 crond
        663 cut
          1 date
          4 egrep
       2754 ethtool
         42 find
          5 finger

    List the time and the user for every run of the rm command:
    # lastcomm rm
    rm                      deepak pts/11     0.00 secs Thu Jun 12 03:35
    rm                      deepak pts/11     0.00 secs Thu Jun 12 03:35
    rm                      root     pts/5      0.00 secs Thu Jun 12 02:59
    rm                      root     pts/5      0.00 secs Thu Jun 12 02:59
    rm                      root     __         0.00 secs Wed Jun 11 23:53
    rm                      root     __         0.00 secs Wed Jun 11 23:53
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:59
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:59
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:59
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:59
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:58
    rm                      root     pts/5      0.00 secs Wed Jun 11 05:58
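    The awk | sort | uniq pipeline above keys on the command name only. The script below is an added example, not code from the original article: it summarizes lastcomm output per user and command, allowing for the optional flags column (present on the sshd line, absent on the bash line) so the user is always read from the right field, and it marks commands that carry the S (super-user) flag. The sample lines are constructed in the article's own lastcomm format.

```sh
#!/bin/sh
# Constructed sample of lastcomm output in the article's format (not captured from a real host).
# Note the optional flags column: "SF" on the sshd line and "S" on iptables, absent elsewhere.
SAMPLE_LASTCOMM='sshd              SF    deepak __         0.00 secs Thu Jun 12 03:08
bash                    deepak pts/11     0.01 secs Thu Jun 12 03:08
rm                      deepak pts/11     0.00 secs Thu Jun 12 03:35
iptables          S     root   pts/5      0.00 secs Thu Jun 12 02:59
rm                      root   __         0.00 secs Wed Jun 11 23:53
rm                      root   pts/5      0.00 secs Wed Jun 11 05:59'

# Read lastcomm output on stdin and print one line per user/command pair:
#   <user> <command> <count> <superuser|->
# The flags column is optional, so the user is located from the right: the last
# seven fields are tty, cpu time, "secs", weekday, month, day and time, which
# puts the user at $(NF-7) whether or not flags are present.
summarize_lastcomm() {
    awk '
    NF >= 9 {
        user  = $(NF - 7)
        flags = (NF == 10) ? $2 : ""
        key   = user " " $1
        count[key]++
        if (index(flags, "S") > 0) su[key] = 1
    }
    END {
        for (key in count)
            printf "%s %d %s\n", key, count[key], (key in su) ? "superuser" : "-"
    }' | sort
}

# Equivalent of "lastcomm <command>" over stdin: prints user, tty and timestamp
# for every run of one command, again locating the fields from the right.
runs_of() {
    awk -v cmd="$1" '$1 == cmd { print $(NF - 7), $(NF - 6), $(NF - 3), $(NF - 2), $(NF - 1), $NF }'
}

# Usage: summarize the constructed sample (replace with "lastcomm | summarize_lastcomm" on a host).
printf '%s\n' "$SAMPLE_LASTCOMM" | summarize_lastcomm
```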

    Method 3

    sa summarizes information about previously executed commands as recorded in the acct file.  In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used.  The information can also be summarized on a per-user basis; sa will save this information into a file named usracct.
    # sa -u | grep root |awk -F " " '{ print $6}' |sort | uniq --count
         1 accton
        423 awk
         78 basename
          9 bash-prompt-xte
       1306 cat
          5 chmod
         38 consoletype
        188 crond
         78 cut
        532 dhclient-script
        325 ethtool
         41 find
        336 free
          2 gconftool-2
        593 grep

    I would appreciate if you can post any other relevant command in the comment section.


    Deepak Prasad

    is a techie and an author who is still trying to survive in this IT generation with very little knowledge he has on Linux/Unix, VMware, SAN Storage, Automation, networking etc

    Reviewed by Deepak Prasad on Friday, June 13, 2014

    2 comments:

    1. For lastcomm and sa commands to run we need to install psacct tools (yum install psacct).

      Replies
      1. Aah, I had missed it; it slipped off my mind, but the article is updated. Thanks, and I appreciate your feedback.