9.39. Displaying All Executed Commands
Problem
You want to display information about executed commands, as recorded by process accounting.
Solution
To view the latest accounting information:
$ lastcomm [command-name] [user-name] [terminal-name]
To view the complete record using lastcomm:
# umask 077                          # avoid publicly-readable accounting data in /var/tmp
# zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct
# cat /var/account/pacct >> /var/tmp/pacct
# lastcomm -f /var/tmp/pacct
# rm /var/tmp/pacct
For more detailed information:
# dump-acct [--reverse] /var/account/pacct
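The "complete record" steps above, collected into a small script (an added example, not code from the Linux Security Cookbook). It assumes the recipe's default locations, /var/account/pacct and the rotated /var/account/pacct.*.gz files, but takes the accounting directory as a parameter; it uses mktemp for the scratch file instead of the fixed name /var/tmp/pacct, and removes that file on exit even if lastcomm is interrupted.

```shell
#!/bin/sh
# Added example (not from the Linux Security Cookbook): merge the rotated
# process-accounting logs with the live file and review them with lastcomm.
# Assumes the recipe's paths (/var/account/pacct, /var/account/pacct.*.gz);
# the directory and output file are parameters so the merge can be tested
# against any directory.

# merge_pacct ACCT_DIR OUT
# Rotated logs oldest-first (ls -tr sorts by mtime, oldest first), then the
# live pacct, so the merged file stays in chronological order.
merge_pacct() {
    acct_dir=$1
    out=$2
    # Set the mask before creating the file: the audit trail names every
    # user's commands and must not be world-readable.
    umask 077
    : > "$out"
    for f in $(ls -tr "$acct_dir"/pacct.*.gz 2>/dev/null); do
        zcat "$f" >> "$out"
    done
    if [ -f "$acct_dir/pacct" ]; then
        cat "$acct_dir/pacct" >> "$out"
    fi
}

# review_pacct [ACCT_DIR]
# Merge into a private temporary file with an unpredictable name, run
# lastcomm over it, and remove it whether or not the review completes.
review_pacct() {
    acct_dir=${1:-/var/account}
    tmpfile=$(mktemp /var/tmp/pacct.XXXXXX) || return 1
    trap 'rm -f "$tmpfile"' EXIT INT TERM
    merge_pacct "$acct_dir" "$tmpfile"
    lastcomm -f "$tmpfile"      # or: dump-acct "$tmpfile" for the raw records
}

# Only run the review when asked to, e.g.: sudo sh review_pacct.sh run [/var/account]
if [ "${1:-}" = "run" ]; then
    review_pacct "$2"
fi
```

The merged file also works as the argument to dump-acct, so the same script covers the "more detailed information" step; the only part that needs root is reading /var/account.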
Discussion
The GNU accounting utilities are a collection of programs for viewing the audit trail. The most important is lastcomm, which prints the following information for each process:
The command name, truncated to sixteen characters.
A set of flags indicating if the command used superuser privileges, was killed by a signal, dumped core, or ran after a fork without a subsequent exec (many daemons do this).
The user who ran the command.
The controlling terminal for the command (if any).
The CPU time used by the command.
The start time of the command.
Warning
The latest version of lastcomm available at press time suffers from some unfortunate bugs. Terminals are printed incorrectly, usually as either “stdin” or “stdout”, and are not recognized when specified on the command line. The reported CPU times are slightly more than five times the actual values for Red Hat 8.0 kernels; they are correct for earlier versions and for SuSE. ...