Displaying All Executed Commands

8 01 2013

To view the latest accounting information:
$ lastcomm [command-name] [user-name] [terminal-name]

To view the complete record using lastcomm:
# umask 077    # Avoid publicly-readable accounting data in /
# zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct
# cat /var/account/pacct >> /var/tmp/pacct
# lastcomm -f /var/tmp/pacct
# rm /var/tmp/pacct

The GNU accounting utilities are a collection of programs for viewing the audit trail. The most important is lastcomm, which prints the following information for each process:

The command name, truncated to sixteen characters.

A set of flags indicating if the command used superuser privileges, was killed by a signal, dumped core, or ran after a fork without a subsequent exec (many daemons do this).

The user who ran the command.

The controlling terminal for the command (if any).

The CPU time used by the command.

The start time of the command.

Information about commands is listed in reverse chronological order, as determined by the time when each process exited (which is when the kernel writes the accounting records). Commands can be selected by combinations of the command name, user, or terminal; see lastcomm(1) for details.

The kernel records much more information than is displayed by lastcomm. The undocumented dump-acct command prints more detailed information for each process:

The command name (same as lastcomm).

The CPU time, split into user and system (kernel) times, expressed as a number of ticks. The sum of these two times corresponds to the value printed by lastcomm.

The elapsed (wall clock) time, also in ticks. This can be combined with the start time to determine the exit time.

The numerical user and group IDs. These are real, not effective IDs. The user ID corresponds to the username printed by lastcomm.

The average memory usage, in kilobytes.

A measure of the amount of I/O (always zero for Version 2.4 or earlier kernels).

The start time, with one second precision (lastcomm prints the time truncated to only one minute precision).
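To show where those fields come from, here is an added example (not from the original post or the GNU accounting utilities) that decodes raw accounting records directly. It assumes the 64-byte struct acct_v3 layout from <linux/acct.h> on a little-endian machine and 100 ticks per second; the function names and the two sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: struct acct_v3 from <linux/acct.h>, little-endian, 64 bytes.
REC = struct.Struct("<BBHIIIIIIf8H16s")
AHZ = 100  # assumed ticks per second for v3 records
# AFORK, ASU, ACORE, AXSIG mapped to the letters lastcomm prints
FLAGS = {0x01: "F", 0x02: "S", 0x08: "D", 0x10: "X"}

def comp_t(c):
    """Decode a comp_t counter: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse_pacct(data):
    """Return one dict per complete record; a trailing partial record is skipped."""
    records = []
    for off in range(0, len(data) - REC.size + 1, REC.size):
        (flag, ver, _tty, _exitcode, uid, gid, pid, ppid, btime, etime, utime,
         stime, mem, io, *_rest, comm) = REC.unpack_from(data, off)
        if ver != 3:
            raise ValueError(f"offset {off}: not a little-endian v3 record")
        records.append({
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(ch for bit, ch in FLAGS.items() if flag & bit),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "user_ticks": comp_t(utime), "sys_ticks": comp_t(stime),
            "cpu_ticks": comp_t(utime) + comp_t(stime),  # the sum lastcomm reports
            "mem_kb": comp_t(mem), "io": comp_t(io),
            "start": datetime.fromtimestamp(btime, timezone.utc),
            # exit time = start time + elapsed ticks, as described above
            "exit": datetime.fromtimestamp(btime + etime / AHZ, timezone.utc),
        })
    return records

# Constructed sample: two records packed by hand, not taken from a real system.
SAMPLE = (
    REC.pack(0x02, 3, 0, 0, 0, 0, 4242, 1, 1357603200, 250.0,
             12, 0x2001, 1024, 0, 0, 0, 0, 0, b"useradd")
    + REC.pack(0x11, 3, 0, 0, 1000, 1000, 4300, 4242, 1357603260, 6000.0,
               3, 1, 512, 0, 0, 0, 0, 0, b"backup.sh")
)

if __name__ == "__main__":
    for r in parse_pacct(SAMPLE):
        print(f"{r['comm']:<16} {r['flags']:<3} uid={r['uid']} pid={r['pid']} "
              f"cpu={r['cpu_ticks']} start={r['start'].isoformat()} "
              f"exit={r['exit'].isoformat()}")
```

Unlike lastcomm, the decoded record keeps the start time to the second and exposes the parent process ID, which helps when reconstructing which session launched a privileged command.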



