June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
9.39. Displaying All Executed Commands
Problem
You want to display information about executed commands, as recorded by process accounting.
Solution
To view the latest accounting information:
$ lastcomm [command-name] [user-name] [terminal-name]
To view the complete record using lastcomm:
# umask 077 Avoid publicly-readable accounting data in /var/tmp
# zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct
# cat /var/account/pacct >> /var/tmp/pacct
# lastcomm -f /var/tmp/pacct
# rm /var/tmp/pacctFor more detailed information:
# dump-acct [--reverse] /var/account/pacct
Discussion
The GNU accounting utilities are a collection of programs for viewing the audit trail. The most important is lastcomm, which prints the following information for each process:
The command name, truncated to sixteen characters.
A set of flags indicating if the command used superuser privileges, was killed by a signal, dumped core, or ran after a
forkwithout a subsequentexec(many daemons do this).The user who ran the command.
The controlling terminal for the command (if any).
The CPU time used by the command.
The start time of the command.
Warning
The latest version of lastcomm available at press time suffers from some unfortunate bugs. Terminals are printed incorrectly, usually as either “stdin” or “stdout”, and are not recognized when specified on the command line. The reported CPU times are slightly more than five times the actual values for Red Hat 8.0 kernels; they are correct for earlier versions and for SuSE. ...