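Using the lastcomm command to view users' command history
lastcomm requires the Accounting feature to be enabled.
The bos.acct fileset must be installed.
Run the following commands to set the required permissions on the files and directories:
●cd /var/adm
●/usr/sbin/acct/nulladm wtmp pacct
Starting and stopping accounting:
●Start accounting: run /usr/bin/su - adm -c /usr/sbin/acct/startup
●Stop accounting: run /usr/bin/su - adm -c /usr/sbin/acct/shutacct
To start accounting automatically at system boot:
●Edit /etc/rc and add: /usr/bin/su - adm -c /usr/sbin/acct/startup
●Use the lastcomm command. Its usage is: lastcomm [ Command ] [ Name ] [ Terminal ], where Command is the executed command to filter on, Name is the user name that issued the command, and Terminal is the name of the terminal device the user ran the command from.
Sample run: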
[H50:root:/var/adm] lastcomm pts/2
sh S nobody pts/2 0.20 secs Wed Mar 10 11:50
lastcomm nobody pts/2 0.05 secs Wed Mar 10 12:00
who nobody pts/2 0.01 secs Wed Mar 10 12:00
lastcomm nobody pts/2 0.11 secs Wed Mar 10 12:00
netstat nobody pts/2 0.02 secs Wed Mar 10 12:00
clear nobody pts/2 0.01 secs Wed Mar 10 11:59
more nobody pts/2 0.02 secs Wed Mar 10 11:59
vi nobody pts/2 0.02 secs Wed Mar 10 11:59
sh F nobody pts/2 0.02 secs Wed Mar 10 11:59
more nobody pts/2 0.01 secs Wed Mar 10 11:59
ls nobody pts/2 0.01 secs Wed Mar 10 11:59
vi nobody pts/2 0.02 secs Wed Mar 10 11:59
sh F nobody pts/2 0.01 secs Wed Mar 10 11:59
more nobody pts/2 0.01 secs Wed Mar 10 11:59
ls nobody pts/2 0.02 secs Wed Mar 10 11:59
sh F nobody pts/2 0.02 secs Wed Mar 10 11:59
more nobody pts/2 0.01 secs Wed Mar 10 11:59
ls nobody pts/2 0.01 secs Wed Mar 10 11:59
man nobody pts/2 0.02 secs Wed Mar 10 11:58
sh nobody pts/2 0.01 secs Wed Mar 10 11:58
more nobody pts/2 0.02 secs Wed Mar 10 11:58
sh F nobody pts/2 0.02 secs Wed Mar 10 11:57
more nobody pts/2 0.01 secs Wed Mar 10 11:57
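Note: once this feature is enabled, on systems with frequent command activity you should regularly check the space usage of the /var file system and, if necessary, clear the command history with > /var/adm/pacct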
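The listing above is easier to review once it is split into fields. The following is an added example, not part of the original post: a POSIX shell and awk filter that parses lastcomm records and reports those carrying the S flag (documented for lastcomm as a command executed by the root user) under a user name other than root. The function names and the embedded sample are assumptions made for illustration; the sample lines are copied from the run above.

```shell
#!/bin/sh
# Added example: parse lastcomm output and pick out records worth review.
# Fields are located relative to the "secs" token, because the flags
# column (S, F, ...) is empty for most records.

# Constructed sample input: a few lines taken from the sample run above.
sample_lastcomm() {
cat <<'EOF'
[H50:root:/var/adm] lastcomm pts/2
sh S nobody pts/2 0.20 secs Wed Mar 10 11:50
lastcomm nobody pts/2 0.05 secs Wed Mar 10 12:00
netstat nobody pts/2 0.02 secs Wed Mar 10 12:00
vi nobody pts/2 0.02 secs Wed Mar 10 11:59
sh F nobody pts/2 0.02 secs Wed Mar 10 11:59
EOF
}

# parse_lastcomm: read lastcomm output on stdin and print one
# "user|tty|command|flags|time" line per accounting record.
parse_lastcomm() {
    awk '{
        s = 0
        for (i = 1; i <= NF; i++) if ($i == "secs") { s = i; break }
        if (s < 5) next              # prompt line or other non-record text
        flags = ""
        for (i = 2; i <= s - 4; i++) flags = flags $i
        if (flags == "") flags = "-"
        when = $(s + 1)
        for (i = s + 2; i <= NF; i++) when = when " " $i
        printf "%s|%s|%s|%s|%s\n", $(s - 3), $(s - 2), $1, flags, when
    }'
}

# superuser_flagged: records with the S flag whose user name is not root.
superuser_flagged() {
    parse_lastcomm | awk -F'|' '$4 ~ /S/ && $1 != "root"'
}

sample_lastcomm | superuser_flagged
```

On a system with accounting enabled, pipe the real output through the same filter: lastcomm | superuser_flagged.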