Acct: The Ultimate Keyfinder

Introduction link

In a production environment, it can be useful to know what each person is doing. This is particularly helpful when a mistake happens and nobody admits to it (yes, it happens). Novice hackers (aka script kiddies) who call themselves hackers because they’ve put a keylogger on a machine might also be interested in this. However, the purpose is obviously not the same.

Two commands are useful:

• sa: obtains statistics on process launches
• lastcomm: obtains a list of commands launched by users

Installation link

The installation is done as follows:

  apt-get install acct
  

Configuration link

• All log files will be written to this file:

  /var/log/account/pacct
  

• If you want to change the file, execute this action:

  accton FileName
  

• For activation, edit the file /etc/default/acct:

  # Activate acct
ACCT_ENABLE="1"

# Amount of days that the logs are kept.
ACCT_LOGGING="30"
  

Usage link

lastcomm link

• To list the commands used:

  lastcomm
  

• List commands recently launched by a user:

  lastcomm user
  

• Search in history for who launched a given command and when:

  lastcomm apachectl
  

• Find out which commands were launched directly from the physical terminal of the machine:

  lastcomm --tty tty1
  

sa link

• List commands that ran the longest:

  sa --sort-real-time | head
  

• List commands that consume the most I/O:

  sa -d | head
  

• List all commands with the user who launched them:

  sa -u
  

• Consumption by user:

  sa -m
  

The output contains:

• Number of calls
• re: time spent
• cp: amount of CPU consumed (in seconds)
• avio: average number of I/O operations (very useful for diagnosing which process is using the disk)
• Memory consumed per second (k, this value is not very intuitive)

References link

https://tldp.org/HOWTO/Process-Accounting/pa.html