Introduction

In a production environment, it can be useful to know what each person is doing on a machine. This is particularly helpful when a mistake happens and nobody admits to it (yes, it happens). Novice hackers (aka script kiddies), who call themselves hackers because they have put a keylogger on a machine, might also be interested in this, although their purpose is obviously not the same.

Two commands are useful:

  • sa: summarises the accounting data (statistics on the processes that have been run)
  • lastcomm: lists the commands previously executed, with the user who launched each one

Installation

The installation is done as follows:

    apt-get install acct

Configuration

  • Accounting records are written to this file:
    /var/log/account/pacct
  • If you want accounting written to a different file, run:
    accton FileName
  • To activate accounting at boot, edit the file /etc/default/acct:
    # Activate acct
    ACCT_ENABLE="1"

    # Number of days that the logs are kept.
    ACCT_LOGGING="30"

Usage

lastcomm

  • To list the commands used:
    lastcomm
  • List commands recently launched by a user:
    lastcomm user
  • Search the history for who launched a given command, and when:
    lastcomm apachectl
  • Find out which commands were launched directly from the physical terminal of the machine:
    lastcomm --tty tty1

sa

  • List the commands that ran the longest:
    sa --sort-real-time | head
  • List the commands that consume the most I/O:
    sa -d | head
  • List all commands with the user who launched them:
    sa -u
  • Consumption by user:
    sa -m

The output contains:

  • Number of calls
  • re: real (elapsed) time spent
  • cp: amount of CPU time consumed (in seconds)
  • avio: average number of I/O operations (very useful for diagnosing which process is using the disk)
  • k: memory consumed, averaged over CPU time, in kilobytes (this value is not very intuitive)
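To show what lastcomm and sa actually read, here is an added example (not from the original page or the acct project) that parses raw /var/log/account/pacct records in Python and answers the "who launched apachectl, and when" question above straight from the file. It assumes the 64-byte little-endian Linux acct_v3 record layout and flag constants from the kernel's <linux/acct.h> with AHZ=100; the records it parses are constructed inside the script.

```python
import struct
from datetime import datetime, timezone

# One Linux acct_v3 record (64 bytes), the format accton writes to /var/log/account/pacct.
# Layout and flag values assumed from the kernel's <linux/acct.h> (little-endian host).
_REC = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10   # lastcomm shows these as F, S, D, X
AHZ = 100                                           # tick rate of the time fields (assumed)

def comp_t(v):
    """Decode a comp_t: 13-bit mantissa, 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))

def parse_pacct(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % _REC.size, _REC.size):
        f = _REC.unpack_from(data, off)
        recs.append({
            "comm": f[18].split(b"\0", 1)[0].decode(errors="replace"),
            "flags": f[0], "uid": f[4], "pid": f[6], "btime": f[8],
            "elapsed": f[9] / AHZ,                         # wall-clock seconds
            "cpu": (comp_t(f[10]) + comp_t(f[11])) / AHZ,  # user + system seconds
            "superuser": bool(f[0] & ASU), "signalled": bool(f[0] & AXSIG),
        })
    return recs

def who_ran(recs, command):
    """Equivalent of 'lastcomm <command>': (uid, start time in UTC, used root privileges)."""
    return [(r["uid"], datetime.fromtimestamp(r["btime"], timezone.utc).strftime("%Y-%m-%d %H:%M"),
             r["superuser"]) for r in recs if r["comm"] == command]

def make_record(comm, uid, flags=0, btime=1367841600, etime_ticks=3.0, utime_ticks=2):
    """Build a constructed record for testing (pid/ppid and I/O counters are dummies)."""
    return _REC.pack(flags, 3, 0, 0, uid, uid, 4242, 1, btime, etime_ticks,
                     utime_ticks, 0, 0, 0, 0, 0, 0, 0, comm.encode().ljust(16, b"\0"))

# Constructed sample file: root ran apachectl, uid 1000 ran ls, then uid 1000's apachectl died by signal.
SAMPLE = b"".join([make_record("apachectl", 0, ASU),
                   make_record("ls", 1000),
                   make_record("apachectl", 1000, AXSIG, btime=1367841660)])

if __name__ == "__main__":
    for uid, when, root in who_ran(parse_pacct(SAMPLE), "apachectl"):
        print(f"apachectl  uid={uid}  started={when} UTC  root={root}")
```

Point the parser at a copy of the real pacct file to reproduce what lastcomm prints, and at a file that was rotated away by ACCT_LOGGING if the window you need is no longer the active one.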


Last updated 06 May 2013, 13:59 CEST.