Debian 13 trixie
Sponsored Link

Monitor User Activity2025/08/17
 

Install acct to monitor User Activity.
Histories of commands are kept in users' own history file but they are possible to edit or delete by users themselves, but psacct keeps all users' history files owned by root.

[1] Install acct.
root@dlp:~#
apt -y install acct
root@dlp:~#
systemctl enable acct
[2] Output histories of commands by lastcomm command like follows.
root@dlp:~#
lastcomm 

su               S     root     ttyS0      0.00 secs Sat Aug 16 10:59
bash             S     debian   ttyS0      0.01 secs Sat Aug 16 10:59
clear_console          debian   ttyS0      0.00 secs Sat Aug 16 10:59
bash              F    debian   ttyS0      0.00 secs Sat Aug 16 10:59
dircolors              debian   ttyS0      0.00 secs Sat Aug 16 10:59
run-parts              debian   ttyS0      0.00 secs Sat Aug 16 10:59
id                     debian   ttyS0      0.00 secs Sat Aug 16 10:59
unix_chkpwd      S     root     ttyS0      0.00 secs Sat Aug 16 10:59
su               S     root     ttyS0      0.00 secs Sat Aug 16 10:58
bash             S     trixie   ttyS0      0.01 secs Sat Aug 16 10:58
clear_console          trixie   ttyS0      0.00 secs Sat Aug 16 10:59
ls                     trixie   ttyS0      0.00 secs Sat Aug 16 10:59
su               S     trixie   ttyS0      0.00 secs Sat Aug 16 10:59
bash             S     root     ttyS0      0.00 secs Sat Aug 16 10:59
.....
.....
[4] If you'd like to output histories for a user, run with [--user] option.
root@dlp:~#
lastcomm --user debian 

bash             S     debian   ttyS0      0.01 secs Sat Aug 16 10:59
clear_console          debian   ttyS0      0.00 secs Sat Aug 16 10:59
bash              F    debian   ttyS0      0.00 secs Sat Aug 16 10:59
dircolors              debian   ttyS0      0.00 secs Sat Aug 16 10:59
run-parts              debian   ttyS0      0.00 secs Sat Aug 16 10:59
id                     debian   ttyS0      0.00 secs Sat Aug 16 10:59
bash             S     debian   ttyS0      0.02 secs Sat Aug 16 10:58
clear_console          debian   ttyS0      0.00 secs Sat Aug 16 10:58
dpkg-query             debian   ttyS0      0.00 secs Sat Aug 16 10:58
sh                     debian   ttyS0      0.00 secs Sat Aug 16 10:58
pager                  debian   ttyS0      0.00 secs Sat Aug 16 10:58
ls                     debian   ttyS0      0.00 secs Sat Aug 16 10:58
systemctl              debian   ttyS0      0.00 secs Sat Aug 16 10:58
less                   debian   ttyS0      0.02 secs Sat Aug 16 10:58
bash              F    debian   ttyS0      0.00 secs Sat Aug 16 10:58
cat                    debian   ttyS0      0.00 secs Sat Aug 16 10:58
dircolors              debian   ttyS0      0.00 secs Sat Aug 16 10:58
run-parts              debian   ttyS0      0.00 secs Sat Aug 16 10:58
id                     debian   ttyS0      0.00 secs Sat Aug 16 10:58
[5] If you'd like to output histories for a command, run with [--command] option.
root@dlp:~#
lastcomm --command su 

su               S     root     ttyS0      0.00 secs Sat Aug 16 10:59
su               S     root     ttyS0      0.00 secs Sat Aug 16 10:58
su               S     trixie   ttyS0      0.00 secs Sat Aug 16 10:59
su               S     root     ttyS0      0.00 secs Sat Aug 16 10:58
Matched Content