Installing the acct package on Ubuntu / Debian Linux prints output such as:

```
The following package was automatically installed and is no longer required:
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
After this operation, 337 kB of additional disk space will be used.
Get:1 1./ubuntu focal/main amd64 acct amd64 6.6.4-2
Selecting previously unselected package acct.
130950 files and directories currently installed.
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
update-rc.d: warning: stop runlevel arguments (1) do not match acct Default-Stop values (0 1 6)
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...
Processing triggers for systemd (245.4-4ubuntu3.17) ...
```

## Enabling the psacct/acct service under Linux

By default the service is started on Ubuntu / Debian Linux by creating the /var/account/pacct file. But under Red Hat / Fedora Core / CentOS you need to start the psacct service manually; starting it creates the /var/account/pacct or /var/log/account/pacct file. The latest version of RHEL and co needs a different pair of commands to enable and start the same service. If you are using SUSE/OpenSUSE Linux, the name of the service is acct, including on the latest version of SUSE/OpenSUSE.

Now let us see how to utilize these utilities to monitor user commands and time.

## Task: display statistics about users’ connect time

The ac command prints out a report of connect time in hours based on logins/logouts. If you type ac without any argument it will display the total connect time. It can also display totals for each day rather than just one big total at the end, or time totals for each user in addition to the usual everything-lumped-into-one value. Sample output:

```
total 95.11
```

## Task: find out information about previously executed user commands

Use the lastcomm command to print out information about previously executed commands on your Linux machine. You can search by user name, by tty name, or by command name. For example, to display the commands executed by a user named ‘vivek’, run lastcomm with the user name as the argument:

```
userhelper  S X  vivek  pts/0  0.00 secs  Mon Nov 13 23:58
userhelper  S    vivek  pts/0  0.00 secs  Mon Nov 13 23:45
rpmq             vivek  pts/0  0.01 secs  Mon Nov 13 23:45
rpmq             vivek  pts/0  0.00 secs  Mon Nov 13 23:45
gcc              vivek  pts/0  0.00 secs  Mon Nov 13 23:45
bash        F    vivek  pts/0  0.00 secs  Mon Nov 13 23:44
which            vivek  pts/0  0.00 secs  Mon Nov 13 23:44
ls               vivek  pts/0  0.00 secs  Mon Nov 13 23:43
rm               vivek  pts/0  0.00 secs  Mon Nov 13 23:43
vi               vivek  pts/0  0.00 secs  Mon Nov 13 23:43
cat              vivek  pts/0  0.00 secs  Mon Nov 13 23:42
ping        S    vivek  pts/0  0.00 secs  Mon Nov 13 23:42
netstat          vivek  pts/0  0.07 secs  Mon Nov 13 23:42
su          S    vivek  pts/0  0.00 secs  Mon Nov 13 23:38
```

For each entry the following information is printed; take the first line as an example:

- userhelper is the command name of the process.
- S and X are flags, as recorded by the system accounting routines. The possible flags are:
  - F: the command was executed after a fork but without a following exec.
  - D: the command terminated with the generation of a core file.
  - X: the command was terminated with the signal SIGTERM.
- vivek is the name of the user who ran the process.

You can also search the accounting logs by command name. For instance, to get a detailed audit trail of what’s being done on your Linux systems with the rm command and the passwd command, run lastcomm with the command name as the argument:

```
rm  S  root   pts/0  0.00 secs  Tue Nov 14 00:39
rm  S  root   pts/0  0.00 secs  Tue Nov 14 00:38
rm  S  root   pts/0  0.00 secs  Tue Nov 14 00:36
rm  S  root   pts/0  0.00 secs  Tue Nov 14 00:35
rm     vivek  pts/0  0.00 secs  Tue Nov 14 00:30
rm     vivek  pts/1  0.00 secs  Tue Nov 14 00:30
rm     vivek  pts/1  0.00 secs  Tue Nov 14 00:29
```

Of course, one can also search the accounting logs by terminal name, such as pts/1:

```
$ lastcomm pts/1
```

## Summarize accounting information under Linux

Use the sa command to display or summarize information about previously executed Linux commands. In addition, it condenses this data into a summary file named savacct, which contains the number of times each command was called and the system resources used. The information can also be summarized on a per-user basis; sa saves that information into a file named usracct. The columns of its output, taking the values 0.36re, 0.12cp and 31156k as an example, mean:

- 0.36re: “real time” in wall clock minutes.
- 0.12cp: sum of system and user time in CPU minutes.
- 31156k: CPU-time averaged core usage, in 1k units.

By looking at the re, k and cp/cpu values (see above for the output explanation), you can find suspicious activity or the name of the user/command eating up all the CPU. sa can also show the number of processes and the number of CPU minutes on a per-user basis. An increase in the CPU/memory usage of a command is an indication of a problem.

Please note that the above commands and packages are available on other UNIX-like OSes such as Sun Solaris and the *BSD OSes.

## Summing up

And this is how you keep a detailed audit trail under Linux of the commands executed and of the other things a sysadmin requires to maintain system integrity and security. For more details, read the manual pages of these commands using the man command or the help command.
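Accounting is only useful while the service is actually writing to the pacct file, and a service that silently stopped leaves a gap in the audit trail. The following POSIX shell check is an added example, not part of the original article or of the acct/psacct packages; it assumes the accounting file lives at one of the two paths the article names and treats a file not written to within a configurable number of minutes as stale.

```shell
#!/bin/sh
# Health check for process accounting (added example, not part of acct/psacct).
# Assumption: the live accounting file is at one of the two paths named in the
# article; adjust ACCT_PATHS for other layouts.
ACCT_PATHS="/var/account/pacct /var/log/account/pacct"

# acct_file: print the first accounting file that exists, fail if none does.
acct_file() {
    for p in $ACCT_PATHS; do
        if [ -e "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# pacct_health FILE [MAX_AGE_MINUTES]
# Prints exactly one word: missing, empty, stale or ok.
# "stale" means the kernel has not appended a record within MAX_AGE_MINUTES
# (default 60), which on a busy host usually means accounting is switched off.
pacct_health() {
    f=$1
    max=${2:-60}
    if [ ! -e "$f" ]; then
        echo missing
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo empty
        return 1
    fi
    # find -mmin -N matches files modified less than N minutes ago (GNU and BSD find).
    if [ -n "$(find "$f" -mmin "-$max" 2>/dev/null)" ]; then
        echo ok
        return 0
    fi
    echo stale
    return 1
}

# Demonstration on the current host; prints a message instead of failing
# when no accounting file exists.
if f=$(acct_file); then
    echo "$f: $(pacct_health "$f" 60)"
else
    echo "no accounting file found at: $ACCT_PATHS"
fi
```

Run it from cron and alert on anything other than `ok`. On a quiet host (for example a lab VM with no logins) raise the age threshold, and remember that the acct package rotates the file, so always check the current file rather than a rotated copy.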
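The lastcomm listings above are easy to read one screen at a time, but on a real host the log is long and the interesting records are the few with flags set or with a sensitive command run as root. The following script is an added example, not code from the article or from the acct package: it parses lastcomm-style lines with awk, decodes the flag column (S, F, D and X as described in the article; lastcomm(1) documents S as "executed by super-user") and prints one finding per record worth a second look. The watch list of commands and the CPU threshold are assumptions to adapt to your environment, and the sample listing is constructed in the article's layout rather than taken from a real system.

```shell
#!/bin/sh
# Triage of lastcomm(1) output (added example, not part of acct/psacct).
# Constructed sample in the same layout as the article's listings; the
# "myapp" line is hypothetical and only exists to show a core-dump record.
SAMPLE_LASTCOMM='userhelper  S X  vivek  pts/0  0.00 secs  Mon Nov 13 23:58
userhelper  S    vivek  pts/0  0.00 secs  Mon Nov 13 23:45
rpmq             vivek  pts/0  0.01 secs  Mon Nov 13 23:45
gcc              vivek  pts/0  0.00 secs  Mon Nov 13 23:45
bash        F    vivek  pts/0  0.00 secs  Mon Nov 13 23:44
netstat          vivek  pts/0  0.07 secs  Mon Nov 13 23:42
su          S    vivek  pts/0  0.00 secs  Mon Nov 13 23:38
rm          S    root   pts/0  0.00 secs  Tue Nov 14 00:39
rm               vivek  pts/1  0.00 secs  Tue Nov 14 00:29
myapp       D    vivek  pts/1  0.00 secs  Tue Nov 14 00:41'

# lastcomm_triage: read lastcomm-style records on stdin and print
# "TAG user command tty date" for every finding.
# Fields are located from the right-hand end because the flag column is
# optional and between zero and four characters wide.
lastcomm_triage() {
    awk -v watch="rm passwd useradd usermod chmod chown" \
        -v cpu_limit="0.05" '
    BEGIN {
        # Commands that deserve attention when run with the S (super-user) flag.
        n = split(watch, w, " ")
        for (i = 1; i <= n; i++) watched[w[i]] = 1
    }
    # Skip anything that is not an accounting record (headers, blank lines).
    NF < 8 || $(NF-4) != "secs" { next }
    {
        cmd  = $1
        user = $(NF-7); tty = $(NF-6); cpu = $(NF-5)
        date = $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF
        flags = ""
        for (i = 2; i <= NF-8; i++) flags = flags $i
        if (index(flags, "S") && (cmd in watched))
            print "ROOT-WATCHED", user, cmd, tty, date
        if (index(flags, "D"))
            print "CORE-DUMP", user, cmd, tty, date
        if (index(flags, "X"))
            print "KILLED-SIGTERM", user, cmd, tty, date
        if (cpu + 0 >= cpu_limit + 0)
            print "CPU-HEAVY", user, cmd, tty, date
    }'
}

# triage_count: number of findings for the constructed sample (used as a check).
triage_count() {
    printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_triage | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_triage
```

On a live system feed the real log instead: `lastcomm | lastcomm_triage`, or `lastcomm root | lastcomm_triage` to limit the pass to one user. The tags are deliberately coarse; the point is to shrink a long listing to the handful of lines (a core dump, a watched command run with super-user privileges, an unusually CPU-heavy run) that an administrator then checks against the full record.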
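The sa section says to look at the re, cp and k columns to find the user eating the CPU, but sa prints those values with unit suffixes and no ranking. The following script is an added example, not code from the article or from the acct package: it parses per-user sa output, strips the re/cp/k suffixes, computes each user's share of the total CPU minutes and ranks users by it. The sample block is constructed in the layout of per-user sa output (a totals line without a user name followed by one line per user) and is not real accounting data; the column layout is an assumption to check against your own sa version.

```shell
#!/bin/sh
# Ranking users by CPU minutes from per-user sa output (added example,
# not part of acct/psacct). Constructed sample, not real accounting data;
# the first line is the totals line, which carries no user name.
SAMPLE_SA_M='                                       125       0.64re       0.13cp    13502k
root                                     9       0.04re       0.00cp     2077k
vivek                                  104       0.36re       0.12cp    31156k
backup                                  12       0.24re       0.01cp     1980k'

# sa_top_users: read per-user sa lines on stdin and print
# "user cp_minutes share procs avg_core_k", highest CPU first.
sa_top_users() {
    awk '
    # A per-user record has five fields and starts with a user name,
    # not a number; the totals line starts with the process count.
    NF == 5 && $1 !~ /^[0-9]/ {
        user = $1
        procs[user] = $2
        re = $3; sub(/re$/, "", re)   # "real time" in wall clock minutes
        cp = $4; sub(/cp$/, "", cp)   # system + user time in CPU minutes
        k  = $5; sub(/k$/,  "", k)    # CPU-time averaged core usage, 1k units
        cpu[user] = cp + 0
        mem[user] = k + 0
        total += cpu[user]
    }
    END {
        for (u in cpu)
            printf "%s %.2f %.0f%% %d %dk\n", u, cpu[u],
                   (total > 0 ? 100 * cpu[u] / total : 0), procs[u], mem[u]
    }' | sort -k2,2 -rn
}

# sa_top_user: name of the single heaviest CPU user in the constructed sample.
sa_top_user() {
    printf '%s\n' "$SAMPLE_SA_M" | sa_top_users | head -n 1 | cut -d' ' -f1
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SA_M" | sa_top_users
```

On a live system pipe the per-user report in instead of the sample (`sa -m | sa_top_users`); compare the ranking against the previous day's run, since the article's warning sign is an increase in a user's or command's CPU and memory use rather than any single absolute value.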