know who did what ?

accton and lastcomm :-

accounting on and last commands can enable you to monitor users on your system.

as root you would have to implement this as follows:-

#accton /var/account/pacct

to see the commands that are executed

use lastcomm command (o/p for all users)

ex:-
celsius@gmladmin:~$ lastcomm
ifconfig root ?? 0.00 secs Tue Nov 23 02:16
ifconfig root ?? 0.00 secs Tue Nov 23 02:16
ifconfig root ?? 0.00 secs Tue Nov 23 02:16
apt-check celsius ?? 1.40 secs Tue Nov 23 02:16
dbus-launch SF root ?? 0.00 secs Tue Nov 23 02:16
ifconfig root ?? 0.00 secs Tue Nov 23 02:16
lsb_release celsius ?? 0.05 secs Tue Nov 23 02:16
gconfd-2 root ?? 0.15 secs Tue Nov 23 02:16
dbus-daemon F root ?? 0.00 secs Tue Nov 23 02:16
synaptic F root ?? 0.03 secs Tue Nov 23 02:16
synaptic F root ?? 0.00 secs Tue Nov 23 02:16
sh root ?? 0.00 secs Tue Nov 23 02:16
touch root ?? 0.00 secs Tue Nov 23 02:16
dpkg root ?? 0.20 secs Tue Nov 23 02:16
acct.postinst root ?? 0.00 secs Tue Nov 23 02:16
invoke-rc.d root ?? 0.00 secs Tue Nov 23 02:16
acct root ?? 0.00 secs Tue Nov 23 02:16
accton S root ?? 0.00 secs Tue Nov 23 02:16


#lastcomm --user username

ex:-
celsius@gmladmin:~$ lastcomm --user celsius
lastcomm celsius stderr 0.00 secs Tue Nov 23 02:16
apt-check celsius ?? 1.40 secs Tue Nov 23 02:16
lsb_release celsius ?? 0.05 secs Tue Nov 23 02:16


to turn off accounting:- execute accton without a filename, ex:- #accton

NB:- the acct package must be installed

tested in ubuntu 10.04