Monitor user activity in Linux
On Linux-based systems, process accounting offers useful information to assist you in monitoring user activities. Process accounting is a way of keeping track of and summarizing processes and commands on a system. Monitoring user activity in Linux systems is crucial for ensuring system security, optimizing resource usage, and identifying potential issues. By keeping track of user actions, administrators can gain valuable insights into system behavior, detect unauthorized activities, and troubleshoot performance problems.[1]
Psacct / Acct
With psacct, administrators can enable process accounting, view the accounting records, and analyze the data with tools such as sar and sadf. acct complements psacct with additional features such as command monitoring and file-access tracking.[2]
- psacct tracks the system resources utilized by users and processes. It collects detailed information such as CPU usage, memory consumption, disk I/O, and executed commands.
- acct is another utility that provides process accounting capabilities in Linux systems. It captures user activities by monitoring commands executed, system calls made, and file access operations.
The main features of psacct are −
- Resource Monitoring − psacct tracks the resource usage of processes, enabling administrators to monitor CPU, memory, and disk usage at a granular level.
- Command Execution Tracking − It records the commands executed by users, providing visibility into the actions performed on the system.
- Reporting and Analysis − psacct offers tools to generate reports and analyze the collected data, allowing administrators to make informed decisions based on system usage patterns.
Key features of acct include −
- Command Execution Logging − acct records the commands executed by users, including their arguments and execution times.
- System Call Tracing − It captures system calls made by processes, providing insights into the interactions between user programs and the operating system.
- File Access Monitoring − acct logs file operations, giving visibility into file reads, writes, and deletions performed by users or processes.
Installing and Configuring Psacct and Acct
# Install psacct (the package name on RHEL/CentOS/Fedora; Debian/Ubuntu ship the
# same tools under the package name acct, see below)
$ sudo dnf install psacct
# The main configuration file for psacct is usually located at /etc/psacct/psacct.conf
# Enable and start the psacct service
$ sudo systemctl enable psacct
$ sudo systemctl start psacct

# Install acct
$ sudo apt-get install acct      # Debian/Ubuntu
# Enable acct
$ sudo systemctl start acct
# Turn accounting on (default log location is /var/log/account/pacct)
$ sudo /usr/sbin/accton on
# Turn accounting off
$ sudo /usr/sbin/accton off
Usages
| psacct task | psacct command | acct task | acct command |
|---|---|---|---|
| view user summary statistics | sudo sa -u | display the list of last executed commands by the specified user | lastcomm |
| view the commands executed by a specific user | sudo sa -u <username> | view the commands executed by a specific user | lastcomm <username> |
| display a detailed process summary | sudo sa -m | file access monitoring | ac -d |
| view CPU utilization statistics | sudo sar -u | view user connect time statistics | ac |
| convert process accounting data to a text file | sudo sadf -p /var/log/account/pacct > accounting_data.txt | list account activity information | sudo sa |
| generate reports | sudo accton /var/log/account/pacct | list account activity information by user | sa -u |
| | | get the highest percentage of users | sa -c |
*The sar command (System Activity Reporter) provides system activity reports based on process accounting data.
*The sadf command (System Accounting Data Formatter) converts process accounting data to a human-readable format.
*The accton command is used to generate reports.
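The pacct file that accton writes is not text: it is a sequence of fixed-size binary records, and sa, lastcomm and ac all work by decoding them. The following Python parser is an added example, not code from the original page or from the psacct/acct project. It decodes acct version 3 records from a constructed sample buffer (the uids, pids, timestamps and command names are made up), unpacks the comp_t packed counters, and produces a per-user summary in the spirit of sa -u, listing the commands that ran with the superuser (ASU) flag set. It assumes the 64-byte struct acct_v3 layout from include/uapi/linux/acct.h on a little-endian host, and it skips a trailing partial record, which is what you see when the kernel is still appending to the file.

```python
"""Decode Linux process-accounting (pacct) records, acct version 3.

Added example, not code from the original page or the psacct/acct project.
Assumes the 64-byte `struct acct_v3` layout from include/uapi/linux/acct.h on
a little-endian host. The sample records below are constructed for the demo.
"""
import struct
import sys
from collections import defaultdict

AHZ = 100                     # clock ticks per second used by acct time fields
AFORK, ASU = 0x01, 0x02       # ac_flag bits: forked-without-exec, used superuser

# struct acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
# etime (float), eight comp_t counters (utime, stime, mem, io, rw, minflt,
# majflt, swaps), comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
assert ACCT_V3.size == 64


def comp_t_decode(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent on top."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(value):
    """Inverse of comp_t_decode; only used here to build sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """Return one dict per complete record; a trailing partial record (the
    kernel appends to the file while it is read) is skipped, not an error."""
    records = []
    for off in range(0, len(data) - len(data) % ACCT_V3.size, ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, io, rw, minflt, majflt, swaps,
         comm) = ACCT_V3.unpack_from(data, off)
        # Bit 0x80 of ac_version marks big-endian records; the rest is the version.
        if version & 0x7F != 3:
            raise ValueError(f"unsupported acct version {version} at offset {off}")
        records.append({
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid, "btime": btime,
            "exitcode": exitcode,                      # raw wait-style status
            "elapsed_s": etime / AHZ,
            "cpu_s": (comp_t_decode(utime) + comp_t_decode(stime)) / AHZ,
            "mem_kb": comp_t_decode(mem),
            "superuser": bool(flag & ASU),             # ran with root privileges
            "forked_only": bool(flag & AFORK),         # forked but never exec'd
        })
    return records


def summarize_by_user(records):
    """Per-uid totals in the spirit of `sa -u`, plus the ASU-flagged commands."""
    summary = defaultdict(lambda: {"commands": 0, "cpu_s": 0.0, "superuser": []})
    for r in records:
        s = summary[r["uid"]]
        s["commands"] += 1
        s["cpu_s"] += r["cpu_s"]
        if r["superuser"]:
            s["superuser"].append(r["comm"])
    return dict(summary)


def make_record(comm, uid, gid, pid, ppid, btime, elapsed_s, utime_s, stime_s,
                mem_kb, flag=0, exitcode=0):
    """Pack one constructed acct_v3 record (sample data only)."""
    return ACCT_V3.pack(flag, 3, 0, exitcode, uid, gid, pid, ppid, btime,
                        elapsed_s * AHZ,
                        comp_t_encode(round(utime_s * AHZ)),
                        comp_t_encode(round(stime_s * AHZ)),
                        comp_t_encode(mem_kb), 0, 0, 0, 0, 0,
                        comm.encode("ascii"))


# Constructed sample pacct contents: uids, pids, times and names are made up.
SAMPLE_PACCT = b"".join([
    make_record("ls",   1000, 1000, 4201, 4100, 1700000000, 0.02, 0.00, 0.01, 2048),
    make_record("sudo", 1000, 1000, 4202, 4100, 1700000005, 1.50, 0.01, 0.02, 4096, flag=ASU),
    make_record("bash", 1000, 1000, 4203, 4202, 1700000005, 1.40, 0.10, 0.05, 3072, flag=ASU),
    make_record("sshd", 0,    0,    4300, 1,    1700000100, 30.0, 0.20, 0.50, 8192, flag=ASU),
    make_record("cc1",  1001, 1001, 4400, 4399, 1700000200, 12.0, 9.00, 1.00, 120000),
])

if __name__ == "__main__":
    # argv[1] may name a real file such as /var/log/account/pacct (root-readable)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PACCT
    for uid, s in sorted(summarize_by_user(parse_pacct(data)).items()):
        print(f"uid {uid}: {s['commands']} commands, {s['cpu_s']:.2f} cpu-s, "
              f"superuser: {', '.join(s['superuser']) or '-'}")
```

Run without arguments to see the constructed sample summarized; pass the path of a real pacct file to decode it instead. The version check matters in practice: kernels built without CONFIG_BSD_PROCESS_ACCT_V3 write the older struct acct layout, whose fields sit at different offsets, so a parser that silently assumed v3 would report wrong uids and times rather than failing.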