How to find the commands run by user before reboot in CentOS/RHEL?

Installing psacct (process accounting)


The psacct service is responsible for starting and stopping process accounting at system boot time and at system shutdown. This service is a wrapper that invokes the accton accounting control program. Using the process accounting tools, you can get basic information about who ran a specific command.


The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.


Command       Function
ac            displays statistics about how long users have been logged on
lastcomm      displays information about previously executed commands
accton        turns process accounting on or off
sa            summarizes information about previously executed commands
last, lastb   show the listing of last logged-in users


First, please make sure the package psacct is installed:


# yum install psacct


The purpose of the package is to monitor process activity through ac, lastcomm, accton and sa. Once the package is installed, enable the psacct service by running:


CentOS/RHEL 6


# service psacct start
# chkconfig psacct on


CentOS/RHEL 7


# systemctl start psacct
# systemctl enable psacct


To turn process accounting on or off manually (the psacct service normally does this for you), invoke the accton control program:


# accton


Using lastcomm


1. When an unexpected command run by some user is causing a problem, the first thing to verify is on which terminal the command was executed and at what time. For example:

# lastcomm 
top               S     root     pts/2      0.01 secs Wed Aug 26 21:08
ps                S     root     pts/2      0.06 secs Wed Aug 26 21:08


The above output shows which command was executed, along with the timestamp and the terminal it was executed on.


2. Next, verify which user was logged in on pts/2 at the time the above commands were executed:

# last
testuser pts/2        localhost        Wed Aug 26 20:52   still logged in   
root     pts/1        :0.0             Wed Aug 26 20:50   still logged in


As seen in the above output, testuser was logged in on terminal pts/2, so the commands were executed by user testuser.


3. At the same time, if required, set the variable below so that the history command shows a timestamp for each entry:

# export HISTTIMEFORMAT='%F %T  '


After setting this variable, the history command output looks like this:

# history
...
103  2015-08-26 21:08:54  ps -ef
104  2015-08-26 21:08:56  top


Other examples of lastcomm


1. To find out who ran a specific command, pass the command name as a parameter to lastcomm. For example, to find out who ran the shutdown command, use the syntax below:

# lastcomm --command shutdown

This shows who ran the shutdown command.


2. To find out the commands run by a specific user, use the --user option as shown below:

# lastcomm --user [user_name]


3. You can also combine both options, as shown below, to list only a specific command run by a specific user:

# lastcomm --user [username] --command [command]
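Putting steps 1 and 2 of the procedure above together with the --command lookup, the following POSIX shell script is an added example (not part of the original article) that correlates lastcomm records with the login sessions reported by last, attributes each command to the user logged in on that terminal, and flags records where the accounting user differs from the login user (as with top and ps run as root on pts/2). The two sample outputs are constructed to mirror the ones shown above; on a live system feed in "$(lastcomm)" and "$(last)" instead.

```shell
#!/bin/sh
# Added example, not the article's own code. Constructed lastcomm output:
# command, flags (may be empty), accounting user, tty, cpu time, start time.
SAMPLE_LASTCOMM='top               S     root     pts/2      0.01 secs Wed Aug 26 21:08
ps                S     root     pts/2      0.06 secs Wed Aug 26 21:08
vim                     testuser pts/3      0.02 secs Wed Aug 26 21:10'

# Constructed `last` output: user, tty, origin, login time, status.
SAMPLE_LAST='testuser pts/2        localhost        Wed Aug 26 20:52   still logged in
root     pts/1        :0.0             Wed Aug 26 20:50   still logged in'

# login_user_on TTY LAST_OUTPUT: user of the most recent session on TTY, or "-".
login_user_on() {
    printf '%s\n' "$2" | awk -v tty="$1" '
        $2 == tty { print $1; found = 1; exit }
        END       { if (!found) print "-" }'
}

# who_ran COMMAND LASTCOMM_OUTPUT: "user tty" for each record of COMMAND,
# the same question `lastcomm --command COMMAND` answers. Fields are read
# from the right because an empty flags column would otherwise shift them.
who_ran() {
    printf '%s\n' "$2" | awk -v cmd="$1" '
        NF >= 9 && $1 == cmd { print $(NF-7) " " $(NF-6) }'
}

# attribute_commands LASTCOMM_OUTPUT LAST_OUTPUT: prints one line per record,
# "command tty accounting_user login_user", with a note when the two differ.
attribute_commands() {
    { printf '%s\n' "$2"; echo '==='; printf '%s\n' "$1"; } | awk '
        $0 == "===" { in_acct = 1; next }
        !in_acct    { if ($2 ~ /^(pts|tty)/ && !($2 in owner)) owner[$2] = $1; next }
        NF < 9      { next }   # skip blank lines and trailer lines
        {
            tty = $(NF-6); acct = $(NF-7)
            login = (tty in owner) ? owner[tty] : "-"
            note = (login != "-" && login != acct) ? " (accounting user differs from login user)" : ""
            print $1, tty, acct, login note
        }'
}

attribute_commands "$SAMPLE_LASTCOMM" "$SAMPLE_LAST"
```

A record whose accounting user is root while the login user on that terminal is someone else is the pattern to look for when the question is "who actually typed this"; the history timestamps from step 3 then narrow it down further.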


This tool will not report commands executed during the shutdown or startup procedure. Additional, more thorough information can be gathered with the auditd utility if it is enabled on the system.
