Recipe 9.39 Displaying All Executed Commands

9.39.1 Problem

You want to display information about executed commands, as recorded by process accounting.

9.39.2 Solution

To view the latest accounting information:

$ lastcomm [command-name] [user-name] [terminal-name]

To view the complete record using lastcomm:

 # umask 077                                  Avoid publicly-readable accounting data in /var/tmp # zcat `ls -tr /var/account/pacct.*.gz` > /var/tmp/pacct # cat /var/account/pacct >> /var/tmp/pacct # lastcomm -f /var/tmp/pacct # rm /var/tmp/pacct

For more detailed information:

# dump-acct [--reverse] /var/account/pacct

9.39.3 Discussion

The GNU accounting utilities are a collection of programs for viewing the audit trail. The most important is lastcomm, which prints the following information for each process:

The command name, truncated to sixteen characters.
A set of flags indicating if the command used superuser privileges, was killed by a signal, dumped core, or ran after a fork without a subsequent exec (many daemons do this).
The user who ran the command.
The controlling terminal for the command (if any).
The CPU time used by the command.
The start time of the command.

The latest version of lastcomm available at press time suffers from some unfortunate bugs. Terminals are printed incorrectly, usually as either "stdin" or "stdout", and are not recognized when specified on the command line. The reported CPU times are slightly more than five times the actual values for Red Hat 8.0 kernels; they are correct for earlier versions and for SuSE.

Some documentation errors should also be noted. The "X" flag means that the command was killed by any signal, not just SIGTERM. The last column is the start time, not the exit time for the command.

If you encounter these problems with lastcomm, upgrade to a more recent version if available.

Information about commands is listed in reverse chronological order, as determined by the time when each process exited (which is when the kernel writes the accounting records). Commands can be selected by combinations of the command name, user, or terminal; see lastcomm(1) for details.

lastcomm can read an alternative log file with the -f option, but it cannot read from a pipe, because it needs to seek within the accounting file, so the following will not work:

Fails: $ zcat pacct.gz | lastcomm -f /dev/stdin

The kernel records much more information than is displayed by lastcomm. The undocumented dump-acct command prints more detailed information for each process:

The command name (same as lastcomm).
The CPU time, split into user and system (kernel) times, expressed as a number of ticks. The sum of these two times corresponds to the value printed by lastcomm.
The elapsed (wall clock) time, also in ticks. This can be combined with the start time to determine the exit time.
The numerical user and group IDs. These are real, not effective IDs. The user ID corresponds to the username printed by lastcomm.
The average memory usage, in kilobytes.
A measure of the amount of I/O (always zero for Version 2.4 or earlier kernels).
The start time, with one second precision (lastcomm prints the time truncated to only one minute precision).

A tick is the most basic unit of time used by the kernel, and represents the granularity of the clock. It is defined as 1/HZ, where HZ is the system timer interrupt frequency. The traditional value of HZ is 100, which leads to a ten millisecond tick.^[14]

^[14] Known in Linux lore as a jiffy.

Red Hat 8.0 kernels increased HZ to 512 for better time resolution, with a correspondingly shorter tick. The tickadj command prints the current value of the tick, in microseconds:

$ tickadj  tick = 10000

By default, dump-acct lists commands in chronological order; use the -r or reverse options for behavior similar to lastcomm. One or more accounting files must be explicitly specified on the command line for dump-acct.

9.39.4 See Also

lastcomm(1).