As a system administrator, it pays to know what's happening on your systems.
Sure, you spend time reading your logs, but do you take advantage of the other information-gathering utilities available to you? Silently, in the background, your system tracks all kinds of neat information. If you know enough to peek under the system hood, you can get a very good view of what is occurring on the system at any given point in time.
9.7.1 Who's on First?
Have you ever needed to know who logged into a system and for how long? Use the users command to see who's logged in now:
% users
dru biko
Perhaps you prefer to know who is on which terminal. Try who. Here, the H includes column headers and the u shows each user's idle time:
% who -Hu
NAME     LINE     TIME          IDLE   FROM
dru      ttyv1    Jan 25 08:59  01:00
biko     ttyv5    Jan 25 09:57  .
dru      ttyp0    Jan 25 09:58  00:02  (hostname)
Feel free to experiment with who's switches to find an output that suits your needs. Here, dru and biko have logged in physically at this system's keyboard using virtual terminals 1 and 5. dru has also logged in over the first pseudoterminal, that is, over the network, from the hostname shown in the FROM column.
To find out what everyone is doing, use w:
% w
10:07AM  up 1:20, 9 users, load averages: 0.02, 0.02, 0.09
USER   TTY  FROM      LOGIN@  IDLE WHAT
dru    v1   -         8:59AM  1:08 pine
biko   v5   -         9:57AM     - w
dru    p0   hostname  9:58AM     4 -csh (csh)
Notice that as a regular user, I was easily able to find out who is logged in, where they are, and what they're currently doing. If you don't want regular users knowing what commands other users are currently running, see [Hack #57] .
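The listings above make two things visible that are worth pulling out automatically: which sessions came in over the network, and which logged-in terminals have been left idle. The following is an added example, not code from the original page; it runs over a constructed sample laid out like the who -Hu output above (header line removed), and assumes who(1) prints the IDLE column as "." for a terminal active within the last minute, "old" for one idle a day or more, and HH:MM otherwise, with the origin host in parentheses only for network logins.

```shell
# Added example (not from the original page): pick the security-relevant
# sessions out of who -Hu output. Constructed sample, same layout as the
# listing on the page with the header removed; assumed field layout:
#   user line mon day time idle [ (host) ]
WHO_SAMPLE='dru   ttyv1  Jan 25 08:59  01:00
biko  ttyv5  Jan 25 09:57  .
dru   ttyp0  Jan 25 09:58  00:02  (hostname)'

# Convert the IDLE column to minutes. "." means active within the last
# minute, "old" means idle for a day or more, anything else is HH:MM.
idle_minutes() {
    case "$1" in
        .)   echo 0 ;;
        old) echo 1440 ;;
        *)   echo "$1" | awk -F: '{ print $1 * 60 + $2 }' ;;
    esac
}

# Sessions that arrived over the network: who(1) prints the origin host in
# parentheses for pseudoterminals and nothing for the console, so a line
# whose last field looks like "(host)" is a remote login.
# Prints "user line host".
remote_sessions() {
    awk '$NF ~ /^\(.*\)$/ { host = $NF; gsub(/[()]/, "", host); print $1, $2, host }'
}

# Sessions idle for more than $1 minutes (unattended logged-in terminals).
# Prints "user line idle".
idle_over() {
    limit=$1
    while read -r user line mon day time idle rest; do
        if [ "$(idle_minutes "$idle")" -gt "$limit" ]; then
            echo "$user $line $idle"
        fi
    done
}

printf '%s\n' "$WHO_SAMPLE" | remote_sessions
printf '%s\n' "$WHO_SAMPLE" | idle_over 30
```

On a live system, replace the sample with `who -u | remote_sessions` or `who -u | idle_over 30` (no -H, so no header line reaches the parser).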
9.7.2 When Did That Happen?
You're not limited to finding out what's happening at this particular moment. Use lastlogin to see the most recent time at which each of your users logged in:
% lastlogin
dru        ttyv1            Sun Jan 25 08:59:36 2004
biko       ttyv5            Sun Jan 25 09:57:18 2004
dlavigne   ttyv6            Sat Jan 24 09:48:32 2004
dru        ttyp0  hostname  Sun Jan 25 09:58:50 2004
rembackup  ttyp0  hostname  Fri Jan 23 01:00:00 2004
For a slightly different output, last can show who is still logged in:
% last | grep still
dru    ttyp0  hostname  Sun Jan 25 09:58   still logged in
dru    ttyv1            Sun Jan 25 08:59   still logged in
biko   ttyv5            Sun Jan 25 09:57   still logged in
Do you need a record of system shutdowns or reboots? The /var/log/wtmp database holds this information. Use last to view the desired statistics:
% last reboot
reboot  ~    Tue Jan 20 15:37
reboot  ~    Tue Nov 25 07:24
reboot  ~    Sun Aug  3 09:05

wtmp begins Tue Jul  1 15:27:26 EDT 2003

% last shutdown
shutdown  ~  Wed Dec 24 22:14

wtmp begins Tue Jul  1 15:27:26 EDT 2003
9.7.3 Details, Details
Another option to consider is enabling system accounting, which maintains a database of extremely detailed statistics of every process and subprocess that has been executed on a system.
# touch /var/account/acct
# accton /var/account/acct
Note that accton fails if the log file you name does not already exist, which is why the touch comes first. Counterintuitively, running accton with no arguments turns accounting off rather than on.
Once accounting is enabled, use lastcomm to view the contents of /var/account/acct:
% lastcomm
lastcomm  -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
man       -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
sh        -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
sh        -F  dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
less      -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
col       -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
groff     -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
grotty    -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
troff     -   dlavigne  ttyv6  0.08 secs Sun Jan 25 11:33
tbl       -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
zcat      -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
cron      -F  root      __     0.00 secs Sun Jan 25 11:33
sh        -   operator  __     0.00 secs Sun Jan 25 11:33
sh        -   operator  __     0.00 secs Sun Jan 25 11:33
dd        -   operator  __     0.00 secs Sun Jan 25 11:33
mv        -   operator  __     0.00 secs Sun Jan 25 11:33
mv        -   operator  __     0.00 secs Sun Jan 25 11:33
mv        -   operator  __     0.00 secs Sun Jan 25 11:33
rm        -   operator  __     0.00 secs Sun Jan 25 11:33
jot       -   operator  __     0.00 secs Sun Jan 25 11:33
accton    -   root      ttyv0  0.00 secs Sun Jan 25 11:32
This comes from a quiet system one minute after enabling accounting. A cron job happened to be running at the time, hence the operator lines. The user dlavigne also opened a manpage during that period; note the chain of helper processes (zcat, tbl, troff, grotty, groff, col, less and two shells) that man ran just to format and display one page. lastcomm prints the most recently completed entries first, which is why the accton that started it all sits at the bottom.
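Reading lastcomm by eye works for a quiet minute; for an audit trail you want a few standing questions answered automatically: how much each user ran, what a particular user ran, whether anyone touched accounting itself, and whether an unexpected user showed up on a terminal. The following is an added example, not code from the original page or the system's own tools; it runs over a constructed sample in the layout of the listing above and assumes lastcomm's default columns (command, flags, user, tty, CPU seconds, then the timestamp), with "-" in the flags column when no flag is set and "__" as the tty of a process with no controlling terminal.

```shell
# Added example (not from the original page): summarise lastcomm output and
# flag entries that matter for an audit trail. Constructed sample in the
# layout of the page's listing; assumed field layout:
#   command flags user tty cpu "secs" day mon date time
ACCT_SAMPLE='lastcomm  -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
man       -   dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
sh        -F  dlavigne  ttyv6  0.00 secs Sun Jan 25 11:33
cron      -F  root      __     0.00 secs Sun Jan 25 11:33
sh        -   operator  __     0.00 secs Sun Jan 25 11:33
dd        -   operator  __     0.00 secs Sun Jan 25 11:33
accton    -   root      ttyv0  0.00 secs Sun Jan 25 11:32'

# Number of commands per user, one "user count" line each, sorted by user.
commands_per_user() {
    awk '{ n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# Commands a given user ran, in lastcomm order (most recent first).
commands_by() {
    awk -v u="$1" '$3 == u { print $1 }'
}

# Entries that touch the audit trail itself. accton is logged whenever
# accounting is switched on or off, so an accton you did not run yourself
# means someone may have disabled accounting, and the gap that follows it
# is the interesting part. Prints "user tty command".
audit_trail_events() {
    awk '$1 == "accton" { print $3, $4, $1 }'
}

# Commands run from a real terminal by anyone outside an allowlist.
# $1 is a space-separated list of expected users; "__" entries (no
# controlling terminal, e.g. cron children) are skipped.
# Prints "user tty command".
unexpected_tty_users() {
    awk -v allow=" $1 " \
        '$4 != "__" && index(allow, " " $3 " ") == 0 { print $3, $4, $1 }'
}

printf '%s\n' "$ACCT_SAMPLE" | commands_per_user
printf '%s\n' "$ACCT_SAMPLE" | audit_trail_events
printf '%s\n' "$ACCT_SAMPLE" | unexpected_tty_users "root"
```

On a live system, feed the functions from `lastcomm` directly, for example `lastcomm | audit_trail_events`; since lastcomm reads the whole accounting file, run it with a user or command filter first on a busy host.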
Depending upon your security requirements, you may not want users to have access to such detailed information. After all, lastcomm will show every process run by every user. Tightening permissions will fix that:
# chmod 600 /var/account/acct
# su dlavigne
% lastcomm
lastcomm: /var/account/acct: Permission denied
Also, if you're planning on using lastcomm as an extra audit trail, consider changing this file's flags [Hack #56] so that the log can be appended to but not truncated or rewritten. You'll also want plenty of disk space on the filesystem holding the database: accounting writes a record for every process that exits, so the file grows quickly on a busy system.
Finally, to enable system accounting when the system boots, add this line to /etc/rc.conf:
9.7.4 See Also