In addition to logins and logouts, Unix can log every single command run by every single user. This special kind of logging is often called process accounting; normally, process accounting is used only in situations where users are billed for the amount of CPU time that they consume. The acct or pacct files can be used after a break-in to help determine which commands a user executed (provided that the log file is not deleted). This file can also be used for other purposes, such as seeing if anyone is using some old software you wish to delete, or who is playing games on the fileserver.
The lastcomm or acctcom programs display the contents of this file in a human-readable format:
lastcommsendmail F root _ _ 0.05 secs Sat Mar 11 13:28 mail S daemon _ _ 0.34 secs Sat Mar 11 13:28 send dfr _ _ 0.05 secs Sat Mar 11 13:28 post dfr ttysf 0.11 secs Sat Mar 11 13:28 sendmail F root _ _ 0.09 secs Sat Mar 11 13:28 sendmail F root _ _ 0.23 secs Sat Mar 11 13:28 sendmail F root _ _ 0.02 secs Sat Mar 11 13:28 anno dfr ttys1 0.14 secs Sat Mar 11 13:28 sendmail F root _ _ 0.03 secs Sat Mar 11 13:28 mail S daemon _ _ 0.30 secs Sat Mar 11 13:28 %
If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used. Unfortunately, Unix accounting does not record the arguments to the command typed by the intruder, nor the directory in which ...