How to keep a detailed audit trail of what’s being done on your Linux systems
The ac command displays statistics about how long users have been logged on.
The lastcomm command displays information about previously executed commands.
The accton command turns process accounting on or off.
The sa command summarizes information about previously executed commands.
Task: Install psacct or acct package

# up2date psacct

Use yum command if you are using CentOS/Fedora Linux / RHEL 5:

# yum install psacct

Use apt-get command if you are using Ubuntu / Debian Linux:

$ sudo apt-get install acct

OR

# apt-get install acct

Task: Start psacct/acct service

# chkconfig psacct on
# /etc/init.d/psacct start

If you are using Suse Linux, the name of the service is acct. Type the following commands:

# chkconfig acct on
# /etc/init.d/acct start

Task: Display statistics about users' connect time

$ ac

Output:

total 95.08

$ ac -d

Output:

Nov 1 total 8.65
Nov 2 total 5.70
Nov 3 total 13.43
Nov 4 total 6.24
Nov 5 total 10.70
Nov 6 total 6.70
Nov 7 total 10.30
...
Nov 12 total 3.42
Nov 13 total 4.55
Today total 0.52

$ ac -p

Output:

vivek 87.49
root 7.63
total 95.11

Task: Find out information about previously executed user commands

$ lastcomm vivek

Output:

userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
userhelper S vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
gcc vivek pts/0 0.00 secs Mon Nov 13 23:45
which vivek pts/0 0.00 secs Mon Nov 13 23:44
bash F vivek pts/0 0.00 secs Mon Nov 13 23:44
ls vivek pts/0 0.00 secs Mon Nov 13 23:43
rm vivek pts/0 0.00 secs Mon Nov 13 23:43
vi vivek pts/0 0.00 secs Mon Nov 13 23:43
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
cat vivek pts/0 0.00 secs Mon Nov 13 23:42
netstat vivek pts/0 0.07 secs Mon Nov 13 23:42
su S vivek pts/0 0.00 secs Mon Nov 13 23:38

Take the first record as an example:

userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58

Where,
userhelper - command name of the process
S and X - flags, as recorded by the system accounting routines. The meaning of each flag is:
S -- command executed by super-user
F -- command executed after a fork but without a following exec
D -- command terminated with the generation of a core file
X -- command was terminated with the signal SIGTERM
vivek - the name of the user who ran the process
pts/0 - terminal name
0.00 secs - CPU time used by the process; Mon Nov 13 23:58 is the time the process exited
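As an added example (not part of the original article), the following Python script parses captured lastcomm output, using a handful of the records shown above as constructed sample input, and pulls out what an auditor usually checks first: commands run with super-user rights (flag S) from non-root logins, commands that were killed or dumped core (flags X or D), and a per-user command count. It assumes the standard lastcomm column layout; the function names are my own.

```python
from collections import Counter

# Sample lastcomm lines, constructed from the article's example output above.
SAMPLE = """\
userhelper S X   vivek    pts/0      0.00 secs Mon Nov 13 23:58
userhelper S     vivek    pts/0      0.00 secs Mon Nov 13 23:45
rpmq             vivek    pts/0      0.01 secs Mon Nov 13 23:45
bash       F     vivek    pts/0      0.00 secs Mon Nov 13 23:44
ping       S     vivek    pts/0      0.00 secs Mon Nov 13 23:42
su         S     vivek    pts/0      0.00 secs Mon Nov 13 23:38
rm         S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm               vivek    pts/1      0.00 secs Tue Nov 14 00:30
"""

def parse_lastcomm(text):
    """Turn lastcomm lines into dicts: command, flags, user, tty, cpu_secs, finished.
    Flags are optional and may be several letters, so anchor on the 'secs' token."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if "secs" not in tok or tok.index("secs") < 4:
            continue  # blank, header or truncated line
        i = tok.index("secs")
        records.append({
            "command": tok[0],
            "flags": set(tok[1:i - 3]),   # everything between command and user
            "user": tok[i - 3],
            "tty": tok[i - 2],
            "cpu_secs": float(tok[i - 1]),
            "finished": " ".join(tok[i + 1:]),  # wall-clock time the process exited
        })
    return records

def privileged_by_nonroot(records):
    """Commands that ran with super-user rights (flag S) from a non-root login."""
    return [(r["command"], r["user"], r["finished"]) for r in records
            if "S" in r["flags"] and r["user"] != "root"]

def abnormal_exits(records):
    """Commands killed by SIGTERM (flag X) or that dumped core (flag D)."""
    return [(r["command"], r["user"], r["finished"]) for r in records
            if r["flags"] & {"X", "D"}]

def commands_per_user(records):
    """Command count per login, the same breakdown 'sa -m' gives per user."""
    return Counter(r["user"] for r in records)
```

Feed it real data with `parse_lastcomm(open("lastcomm.txt").read())` after saving `lastcomm` output to a file.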
$ lastcomm rm

Output:

rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm vivek pts/0 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
rm vivek pts/1 0.00 secs Tue Nov 14 00:29

You can also search by a different command or by terminal:

$ lastcomm passwd
$ lastcomm pts/1

Task: Summarize accounting information

# sa

Output:

579 222.81re 0.16cp 7220k
4 0.36re 0.12cp 31156k up2date
8 0.02re 0.02cp 16976k rpmq
8 0.01re 0.01cp 2148k netstat
11 0.04re 0.00cp 8463k grep
18 100.71re 0.00cp 11111k ***other*
8 0.00re 0.00cp 14500k troff
5 12.32re 0.00cp 10696k smtpd
2 8.46re 0.00cp 13510k bash
8 9.52re 0.00cp 1018k less

Take the up2date line as an example:

4 0.36re 0.12cp 31156k up2date

Where,
0.36re - "real time" in wall clock minutes
0.12cp - sum of system and user time in cpu minutes
31156k - cpu-time averaged core usage, in 1k units
up2date - command name
# sa -u

Output:

root 0.00 cpu 595k mem accton
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12482k mem touch
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 595k mem consoletype
root 0.00 cpu 13192k mem psacct *
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 12492k mem chkconfig
postfix 0.02 cpu 10696k mem smtpd
vivek 0.00 cpu 19328k mem userhelper
vivek 0.00 cpu 13018k mem id
vivek 0.00 cpu 13460k mem bash *
lighttpd 0.00 cpu 48240k mem php *

# sa -m

Output:

667 231.96re 0.17cp 7471k
root 544 51.61re 0.16cp 7174k
vivek 103 17.43re 0.01cp 8228k
postfix 18 162.92re 0.00cp 7529k
lighttpd 2 0.00re 0.00cp 48536k

Task: Find out who is eating CPU