linux实时记录用户操作记录,linux 记录用户操作记录

方法：

1.利用script， 添加exec /usr/bin/script -a -f -q /tmp/test/script-`date +%Y%m%d%k%M`.lst 到 /etc/profile里，不过当su 切换用户的时候，有权限受限问题，可以先给/tmp/test/下的文件赋予全部权限。

2.添加以下脚本到/etc/profile

export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"

PS1="

history

USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`

if [ "$USER_IP" = "" ]

then

USER_IP=`hostname`

fi

if [ ! -d /tmp/record ]

then

mkdir /tmp/record

chmod 777 /tmp/record

fi

if [ ! -d /tmp/record/${LOGNAME} ]

then

mkdir /tmp/dbasky/${LOGNAME}

chmod 300 /tmp/record/${LOGNAME}

fi

export HISTSIZE=4096

DT=`date "+%Y%m%d_%H%M%S"`

export HISTFILE="/tmp/record/${LOGNAME}/${USER_IP} record.$DT"

chmod 600 /tmp/record/${LOGNAME}/*record* 2>/dev/null

3. 安装psacct工具

Installing psacct or acct Packages

psacctoracctboth are similar packages and there is not much difference between them, but thepsacctpackage only available for rpm based distributions such asRHEL,CentOSandFedora, whereasacctpackage available for distributions likeUbuntu,DebianandLinux Mint.

To installpsacctpackage under rpm based distributions issue the followingyumcommand.

# yum install psacct

To installacctpackage usingapt-getcommand underUbuntu/Debian/Linux Mint.

$ sudo apt-get install acct OR # apt-get install acct

Starting psacct or acct service

By defaultpsacctservice is in disabled mode and you need to start it manually underRHEL/CentOS/Fedorasystems. Use the following command to check the status of service.

# /etc/init.d/psacct status Process accounting is disabled.

You see the status showing as disabled, so let’s start it manually using the following both commands. These two commands will create a/var/account/pacctfile and start services.

# chkconfig psacct on # /etc/init.d/psacct start Starting process accounting: [ OK ]

After starting service, check the status again, you will get status as enabled as shown below.

# /etc/init.d/psacct status Process accounting is enabled.

UnderUbuntu,DebianandMintservice is started automatically, you don’t need to start it again.

Display Statistics of Users Connect Time

accommand without specifying any argument will displays total statistics of connect time in hours based on the user logins/logouts from the currentwtmpfile.

# actotal 1814.03

Display Statistics of Users Day-wise

Using command “ac -d” will prints out the total login time in hours by day-wise.

# ac -dSep 17 total 5.23 Sep 18 total 15.20 Sep 24 total 3.21 Sep 25 total 2.27 Sep 26 total 2.64 Sep 27 total 6.19 Oct 1 total 6.41 Oct 3 total 2.42 Oct 4 total 2.52 Oct 5 total 6.11 Oct 8 total 12.98 Oct 9 total 22.65 Oct 11 total 16.18

Display Time Totals for each User

Using command “ac -p” will print the total login time of each user in hours.

# ac -proot 1645.18 tecmint 168.96 total 1814.14

Display Individual User Time

To get the total login statistics time of user “tecmint” in hours, use the command as.

# ac tecminttotal 168.96

Display Day-Wise Logn Time of User

The following command will prints the day-wise total login time of user “tecmint” in hours.

# ac -d tecmintOct 11 total 8.01 Oct 12 total 24.00 Oct 15 total 70.50 Oct 16 total 23.57 Oct 17 total 24.00 Oct 18 total 18.70 Nov 20 total 0.18

Print All Account Activity Information

The “sa” command is used to print the summary of commands that were executed by users.

# sa2 9.86re 0.00cp 2466k sshd* 8 1.05re 0.00cp 1064k man 2 10.08re 0.00cp 2562k sshd 12 0.00re 0.00cp 1298k psacct 2 0.00re 0.00cp 1575k troff 14 0.00re 0.00cp 503k ac 10 0.00re 0.00cp 1264k psacct* 10 0.00re 0.00cp 466k consoletype 9 0.00re 0.00cp 509k sa 8 0.02re 0.00cp 769k udisks-helper-a 6 0.00re 0.00cp 1057k touch 6 0.00re 0.00cp 592k gzip 6 0.00re 0.00cp 465k accton 4 1.05re 0.00cp 1264k sh* 4 0.00re 0.00cp 1264k nroff* 2 1.05re 0.00cp 1264k sh 2 1.05re 0.00cp 1120k less 2 0.00re 0.00cp 1346k groff 2 0.00re 0.00cp 1383k grotty 2 0.00re 0.00cp 1053k mktemp 2 0.00re 0.00cp 1030k iconv 2 0.00re 0.00cp 1023k rm 2 0.00re 0.00cp 1020k cat 2 0.00re 0.00cp 1018k locale 2 0.00re 0.00cp 802k gtbl

Where

9.86reis a “real time” as per wall clock minutes

0.01cpis a sum of system/user time in cpu minutes

2466kis a cpu-time averaged core usage, i.e.1kunits

sshdcommand name

Print Individual User Information

To get the information of individual user, use the options-u.

# sa -uroot 0.00 cpu 465k mem accton root 0.00 cpu 1057k mem touch root 0.00 cpu 1298k mem psacct root 0.00 cpu 466k mem consoletype root 0.00 cpu 1264k mem psacct * root 0.00 cpu 1298k mem psacct root 0.00 cpu 466k mem consoletype root 0.00 cpu 1264k mem psacct * root 0.00 cpu 1298k mem psacct root 0.00 cpu 466k mem consoletype root 0.00 cpu 1264k mem psacct * root 0.00 cpu 465k mem accton root 0.00 cpu 1057k mem touch

Print Number of Processes

This command prints the total number of processes and CPU minutes. If you see continue increase in these numbers, then its time to look into the system about what is happening.

# sa -msshd 2 9.86re 0.00cp 2466k root 127 14.29re 0.00cp 909k

Print Sort by Percentage

The command “sa -c” displays the highest percentage of users.

# sa -c132 100.00% 24.16re 100.00% 0.01cp 100.00% 923k 2 1.52% 9.86re 40.83% 0.00cp 53.33% 2466k sshd* 8 6.06% 1.05re 4.34% 0.00cp 20.00% 1064k man 2 1.52% 10.08re 41.73% 0.00cp 13.33% 2562k sshd 12 9.09% 0.00re 0.01% 0.00cp 6.67% 1298k psacct 2 1.52% 0.00re 0.00% 0.00cp 6.67% 1575k troff 18 13.64% 0.00re 0.00% 0.00cp 0.00% 509k sa 14 10.61% 0.00re 0.00% 0.00cp 0.00% 503k ac 10 7.58% 0.00re 0.00% 0.00cp 0.00% 1264k psacct* 10 7.58% 0.00re 0.00% 0.00cp 0.00% 466k consoletype 8 6.06% 0.02re 0.07% 0.00cp 0.00% 769k udisks-helper-a 6 4.55% 0.00re 0.00% 0.00cp 0.00% 1057k touch 6 4.55% 0.00re 0.00% 0.00cp 0.00% 592k gzip 6 4.55% 0.00re 0.00% 0.00cp 0.00% 465k accton 4 3.03% 1.05re 4.34% 0.00cp 0.00% 1264k sh* 4 3.03% 0.00re 0.00% 0.00cp 0.00% 1264k nroff* 2 1.52% 1.05re 4.34% 0.00cp 0.00% 1264k sh 2 1.52% 1.05re 4.34% 0.00cp 0.00% 1120k less 2 1.52% 0.00re 0.00% 0.00cp 0.00% 1346k groff 2 1.52% 0.00re 0.00% 0.00cp 0.00% 1383k grotty 2 1.52% 0.00re 0.00% 0.00cp 0.00% 1053k mktemp

List Last Executed Commands of User

The ‘latcomm‘ command is used to search and display previously executed user commands information. You can also search commands of individual usernames. For example, we see commands of user (tecmint).

# lastcomm tecmintsu tecmint pts/0 0.00 secs Wed Feb 13 15:56 ls tecmint pts/0 0.00 secs Wed Feb 13 15:56 ls tecmint pts/0 0.00 secs Wed Feb 13 15:56 ls tecmint pts/0 0.00 secs Wed Feb 13 15:56 bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56 id tecmint pts/0 0.00 secs Wed Feb 13 15:56 grep tecmint pts/0 0.00 secs Wed Feb 13 15:56 grep tecmint pts/0 0.00 secs Wed Feb 13 15:56 bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56 dircolors tecmint pts/0 0.00 secs Wed Feb 13 15:56 bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56 tput tecmint pts/0 0.00 secs Wed Feb 13 15:56 tty tecmint pts/0 0.00 secs Wed Feb 13 15:56 bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56 id tecmint pts/0 0.00 secs Wed Feb 13 15:56 bash F tecmint pts/0 0.00 secs Wed Feb 13 15:56 id tecmint pts/0 0.00 secs Wed Feb 13 15:56

Search Logs for Commands

With the help of thelastcommcommand you will be able to view individual use of an each commands.

# lastcomm lsls tecmint pts/0 0.00 secs Wed Feb 13 15:56 ls tecmint pts/0 0.00 secs Wed Feb 13 15:56 ls tecmint pts/0 0.00 secs Wed Feb 13 15: