Acct: The Ultimate Keyfinder
Introduction
In a production environment it is useful to know what each user is doing, especially when a mistake has been made and nobody admits to it (yes, it happens). Script kiddies who call themselves hackers because they have dropped a keylogger on a machine might also be interested in this, although the purpose is obviously not the same.
Two commands are useful:
- sa: reports statistics on the processes that have been launched
- lastcomm: lists the commands previously executed by users
Installation
The installation is done as follows:
Configuration
- Accounting records are written to this file:
- To change that file, run:
- To enable accounting, edit the file /etc/default/acct:
Usage
lastcomm
- To list the commands that have been executed:
Warning
Be aware that the commands a shell executes by itself at startup also appear in this list.
- List the commands recently launched by a given user:
- Search the history for who launched a given command, and when:
- Find out which commands were launched directly from the machine's physical terminal (console):
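As an added example (not code from the original page), the following POSIX shell script answers the three questions above over a constructed sample of lastcomm output; the users, ttys and timestamps are invented, and the script parses each line from the end because the flags column is sometimes empty.

```shell
#!/bin/sh
# Added example: answer the three lastcomm questions above over a constructed
# sample of lastcomm output (users, ttys and times are invented). Column layout
# follows lastcomm: command, optional flags, user, tty, elapsed secs, date.
SAMPLE='bash             F    root     pts/0      0.02 secs Tue Mar  5 09:12
ls                    root     pts/0      0.00 secs Tue Mar  5 09:12
passwd           S    alice    pts/1      0.01 secs Tue Mar  5 09:15
rm                    bob      tty1       0.00 secs Tue Mar  5 09:20
passwd           S    bob      tty1       0.03 secs Tue Mar  5 09:21
vim                   alice    pts/1      1.50 secs Tue Mar  5 09:30'

# Normalise lastcomm lines from stdin into tab-separated fields:
#   command, flags, user, tty, secs, date
# Fields are taken from the end of the line because the flags column
# (e.g. S = run as superuser, F = forked without exec) may be absent.
parse_lastcomm() {
    awk '{
        date  = $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
        secs  = $(NF-5); tty = $(NF-6); user = $(NF-7)
        flags = ""
        for (i = 2; i <= NF-8; i++) flags = flags $i
        print $1 "\t" flags "\t" user "\t" tty "\t" secs "\t" date
    }'
}

# Commands recently launched by a given user (prints command, tty, date).
commands_by_user() {
    printf '%s\n' "$SAMPLE" | parse_lastcomm |
        awk -F'\t' -v u="$1" '$3 == u { print $1, $4, $6 }'
}

# Who launched a given command, and when (prints user, tty, date).
who_ran() {
    printf '%s\n' "$SAMPLE" | parse_lastcomm |
        awk -F'\t' -v c="$1" '$1 == c { print $3, $4, $6 }'
}

# Commands run from a physical terminal: any tty that is not a pseudo
# terminal (pts/N), i.e. not an ssh or terminal-emulator session.
console_commands() {
    printf '%s\n' "$SAMPLE" | parse_lastcomm |
        awk -F'\t' '$4 !~ /^pts\// { print $3, $1, $4, $6 }'
}

echo "== commands by alice ==";  commands_by_user alice
echo "== who ran passwd ==";     who_ran passwd
echo "== physical console ==";   console_commands
```

Feed real output into the same parser with `lastcomm | parse_lastcomm` on a machine where accounting is enabled.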
sa
- List the commands that ran the longest:
- List the commands that consume the most I/O:
- List all commands together with the user who launched them:
- Consumption per user:
The output contains the following columns:
- Number of calls (how many times the command was run)
- re: elapsed (real) time
- cp: amount of CPU consumed (in seconds)
- avio: average number of I/O operations per execution (very useful for diagnosing which process is hammering the disk)
- k: memory consumed per second (this value is not very intuitive)