How to monitor user activity using system and process accounting?


  • The commands 'who -uwH' and 'w' provide information about the users currently on the machine and their processes.
  • The 'lastlog' command reads the /var/log/lastlog file to produce a record of the last time a user logged in.
  • The 'last' command provides per user login and logout times, as well as information on system reboots and run-level changes.
[root@unknown000c294e077b ~]# last -i
root     pts/0        192.168.1.10     Tue Sep 20 01:01   still logged in
root     tty1         0.0.0.0          Sun Sep 18 09:40 - 12:49  (03:09)
root     pts/0        192.168.1.10     Sat Sep 17 11:40 - 13:51  (02:10)
rsharma  pts/0        192.168.18.67    Tue Sep 13 06:02 - 06:18  (00:15)
rsharma  pts/0        192.168.1.10     Sun Sep 11 13:28 - 13:31  (00:03)
  • 'lastb' shows bad login attempts:
[root@unknown000c294e077b ~]# lastb -i
roo      ssh:notty    192.168.1.10     Tue Sep 20 01:01 - 01:01  (00:00)
roo      ssh:notty    192.168.1.10     Tue Sep 20 01:01 - 01:01  (00:00)
  • 'ac' prints out a report of connect time (in hours) based on the logins/logouts. The system's default login accounting file is /var/log/wtmp.
  • Total connect time by users:
[root@unknown000c294e077b ~]# ac -p
        rsharma                             10.78
        root                                33.59
        total       44.37
  • Total connect time by day:
[root@unknown000c294e077b ~]# ac -d
Oct 17  total        0.01
Sep 11  total       11.70
Sep 13  total       21.34
Sep 17  total        4.37
Sep 18  total        6.29
Today   total        0.92
  • The 'aureport' command gives columnar output and summary information for /var/log/audit/audit.log:
[root@unknown000c294e077b ~]# aureport

Summary Report
======================
Range of time in logs: 10/17/2009 04:37:19.866 - 09/20/2011 13:21:42.080
Selected time for report: 10/17/2009 04:37:19 - 09/20/2011 13:21:42.080
Number of changes in configuration: 20
Number of changes to accounts, groups, or roles: 9
Number of logins: 22
Number of failed logins: 3
Number of authentications: 29
Number of failed authentications: 6
  • psacct is a very useful accounting service for tracing and following the activity of each user present on your server. Follow the instructions below if psacct is not already installed on your server:
[root@unknown000c294e077b ~]# yum install psacct
[root@unknown000c294e077b ~]# chkconfig psacct on
[root@unknown000c294e077b ~]# service psacct start    (or: /etc/init.d/psacct start)
  • The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
  • The 'lastcomm' command shows information about previously executed commands. It provides more information than the shell's history, and a user can remove the history file (such as ~/.bash_history) or clear it with 'history -c'. However, 'lastcomm' and 'sa' read the accounting record file (acct), which is owned by root and which users cannot edit.
[root@unknown000c294e077b ~]# lastcomm rsharma
bash              S     rsharma  pts/0      0.01 secs Tue Sep 20 01:29
vi                      rsharma  pts/0      0.00 secs Tue Sep 20 01:31
touch                   rsharma  pts/0      0.00 secs Tue Sep 20 01:31
mkdir                   rsharma  pts/0      0.00 secs Tue Sep 20 01:31
su                S     rsharma  pts/0      0.00 secs Tue Sep 20 01:29
    Letters such as S and F in the third column are flags, as recorded by the system accounting routines. The flags relevant here mean:
    S -- command executed by super-user
    F -- command executed after a fork but without a following exec
  • Using lastcomm to search with command name:
[root@unknown000c294e077b ~]# lastcomm su
su                S     root     pts/0      0.00 secs Tue Sep 20 01:29
su                S     rsharma  pts/0      0.00 secs Tue Sep 20 01:29
su                      rsharma  pts/0      0.00 secs Tue Sep 20 01:29
su                S     root     pts/0      0.00 secs Tue Sep 20 01:28
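Because the flag column is empty for most records, parsing lastcomm output by left-to-right field number is unreliable. The following shell functions, added here as an example and not part of the original post or the psacct package, parse the records from the right and summarise which users ran commands carrying the S (super-user) flag; the embedded sample lines are constructed to match the output above, and in practice you would pipe real 'lastcomm' output into the functions instead.

```shell
#!/bin/sh
# Constructed sample of lastcomm(1) output (not taken from a live system).
# Command, optional flags, user, tty, CPU seconds, then the start time.
SAMPLE_LASTCOMM='bash              S     rsharma  pts/0      0.01 secs Tue Sep 20 01:29
vi                      rsharma  pts/0      0.00 secs Tue Sep 20 01:31
touch                   rsharma  pts/0      0.00 secs Tue Sep 20 01:31
mkdir                   rsharma  pts/0      0.00 secs Tue Sep 20 01:31
vi                      rsharma  pts/0      0.00 secs Tue Sep 20 01:33
su                S     rsharma  pts/0      0.00 secs Tue Sep 20 01:29
su                S     root     pts/0      0.00 secs Tue Sep 20 01:29'

# Read lastcomm records on stdin and emit: command<TAB>flags<TAB>user<TAB>tty
# The six trailing fields ("0.00 secs Tue Sep 20 01:29") are fixed, so the
# user and tty are located from the right; the flag column is only present
# when the record has ten fields. "-" marks a record without flags.
parse_lastcomm() {
    awk '{
        user  = $(NF-7)
        tty   = $(NF-6)
        flags = (NF >= 10) ? $2 : "-"
        printf "%s\t%s\t%s\t%s\n", $1, flags, user, tty
    }'
}

# Number of commands executed with the super-user flag S, per user.
# A non-root user appearing here has run something with root privileges
# (for example via su), which is worth reviewing.
superuser_commands_by_user() {
    parse_lastcomm | awk -F'\t' '$2 ~ /S/ { n[$3]++ }
        END { for (u in n) printf "%s %d\n", u, n[u] }' | sort
}

# Commands run by the user named in $1, most frequent first ("cmd count").
commands_for_user() {
    parse_lastcomm | awk -F'\t' -v u="$1" '$3 == u { print $1 }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_LASTCOMM" | superuser_commands_by_user
printf '%s\n' "$SAMPLE_LASTCOMM" | commands_for_user rsharma
```

To run it against the live accounting file, replace the sample with `lastcomm | superuser_commands_by_user`.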
  • The 'sa' command summarizes information about previously executed commands. It shows the number of times each command was called and the system resources used. The information can also be summarized on a per-user basis.
  • The following command prints the number of processes and the number of CPU minutes used, per user:
[root@unknown000c294e077b ~]# sa -m
                                     1151      25.59re       0.01cp      964k
root                                 1112      19.70re       0.01cp      963k
rsharma                                38       3.90re       0.00cp      976k
sshd                                    1       1.99re       0.00cp     2102k
Process accounting using psacct does not track shell-internal commands or the commands executed within a shell. Also, accounting records are written only after the process ends, and each record holds only the last command executed by that process.