Monitor User Activity
2023/07/13
Install acct to monitor user activity.
Each user's command history is kept in that user's own history file, which the user can edit or delete. psacct keeps the command records of all users in files owned by root.
[1] Install acct.
root@dlp:~# apt -y install acct
root@dlp:~# systemctl enable acct
[2] Display the command history with the lastcomm command as follows.
root@dlp:~# lastcomm
apt-get          S     root     ttyS0      0.34 secs Thu Jul 13 00:40
dpkg                   root     ttyS0      0.00 secs Thu Jul 13 00:40
dpkg                   root     ttyS0      0.00 secs Thu Jul 13 00:40
dpkg                   root     ttyS0      0.00 secs Thu Jul 13 00:40
dpkg                   root     pts/0      0.00 secs Thu Jul 13 00:40
man-db.postinst        root     pts/0      0.00 secs Thu Jul 13 00:40
mandb            S     man      pts/0      0.22 secs Thu Jul 13 00:40
acct.postinst          root     pts/0      0.00 secs Thu Jul 13 00:40
deb-systemd-inv        root     pts/0      0.01 secs Thu Jul 13 00:40
systemctl        S     root     pts/0      0.00 secs Thu Jul 13 00:40
systemd-tty-ask  S     root     pts/0      0.00 secs Thu Jul 13 00:40
accton           S     root     __         0.00 secs Thu Jul 13 00:40
.....
.....
[4] To display the history for a specific user, run lastcomm with the [--user] option.
root@dlp:~# lastcomm --user debian
bash             S     debian   ttyS0      0.01 secs Thu Jul 13 00:41
clear_console          debian   ttyS0      0.00 secs Thu Jul 13 00:42
exim4            SF    debian   __         0.00 secs Thu Jul 13 00:42
sudo              F    debian   __         0.00 secs Thu Jul 13 00:42
sudo             S     debian   ttyS0      0.05 secs Thu Jul 13 00:42
sudo              F    debian   ttyS0      0.00 secs Thu Jul 13 00:42
cat                    debian   ttyS0      0.00 secs Thu Jul 13 00:42
ssh                    debian   ttyS0      0.06 secs Thu Jul 13 00:41
ssh                    debian   ttyS0      0.00 secs Thu Jul 13 00:41
dircolors              debian   ttyS0      0.00 secs Thu Jul 13 00:41
id                     debian   ttyS0      0.00 secs Thu Jul 13 00:41
[5] To display the history for a specific command, run lastcomm with the [--command] option.
root@dlp:~# lastcomm --command su
su               S     root     ttyS0      0.00 secs Thu Jul 13 00:42
su               S     bookworm ttyS0      0.02 secs Thu Jul 13 00:43
su               S     bookworm ttyS0      0.02 secs Thu Jul 13 00:43
su               S     root     ttyS0      0.00 secs Thu Jul 13 00:41
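The listings above can be reviewed automatically. The following Python script is an added example, not part of the original page: it parses lastcomm output and counts commands that carry the S flag under a non-root account, such as the su and sudo records shown above. The function names are hypothetical, the sample lines are copied from the listings on this page, and the flag letters follow the lastcomm manual.

```python
from collections import Counter

# Flag letters per the lastcomm manual: S=executed by super-user,
# F=fork without exec, C=compatibility mode, D=core dumped, X=killed by signal.
FLAG_CHARS = set("SFCDX")

# Constructed sample: records copied from the lastcomm listings on this page.
SAMPLE = """\
su               S     root     ttyS0      0.00 secs Thu Jul 13 00:42
su               S     bookworm ttyS0      0.02 secs Thu Jul 13 00:43
su               S     bookworm ttyS0      0.02 secs Thu Jul 13 00:43
sudo              F    debian   __         0.00 secs Thu Jul 13 00:42
sudo             S     debian   ttyS0      0.05 secs Thu Jul 13 00:42
exim4            SF    debian   __         0.00 secs Thu Jul 13 00:42
cat                    debian   ttyS0      0.00 secs Thu Jul 13 00:42
.....
"""

def parse_line(line):
    """Parse one record from the right, because the flags column may be empty."""
    tok = line.split()
    if len(tok) < 9 or tok[-5] != "secs":
        return None  # not a record (for example the '.....' elision marker)
    head = tok[:-8]  # command name, optionally followed by the flags field
    flags = ""
    # Heuristic: a trailing token made only of flag letters is the flags field.
    if len(head) >= 2 and set(head[-1]) <= FLAG_CHARS:
        flags = head.pop()
    return {
        "command": " ".join(head),
        "flags": flags,
        "user": tok[-8],
        "tty": tok[-7],
        "cpu_secs": float(tok[-6]),
        "when": " ".join(tok[-4:]),
    }

def privileged_by_non_root(text):
    """Count (user, command) pairs that carry the S flag under a non-root account."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "S" in rec["flags"] and rec["user"] != "root":
            hits[(rec["user"], rec["command"])] += 1
    return hits

if __name__ == "__main__":
    for (user, cmd), count in sorted(privileged_by_non_root(SAMPLE).items()):
        print(f"{user:10} {cmd:16} {count}")
```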