The acct (or psacct) tool records the activity of every process on the system, providing detailed information about the commands executed, the user, the CPU time, and the time of execution. It is an invaluable tool for auditing and monitoring.
Why Use acct?
- Security Auditing: Full traceability of executed commands, useful for post-incident investigations.
- Resource Tracking: Analysis of CPU and memory consumption per user or per process.
- Activity Monitoring: Visibility into the activity of users and system services.
Prerequisites
- Operating system: A Linux distribution (Debian, Ubuntu, CentOS, RHEL).
- Privileges: Root access or sudo privileges.
Installing acct
Step 1: Installing the package
The package name varies depending on the distribution:
# For Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y acct
# For CentOS / RHEL
sudo yum install -y psacct
Step 2: Enabling the service
Once installed, the service must be enabled and started:
sudo systemctl start acct
sudo systemctl enable acct
# On CentOS/RHEL, the service is named psacct
sudo systemctl start psacct
sudo systemctl enable psacct
Verify that the service is indeed active:
sudo systemctl status acct # or psacct
The acct service is now running and recording process activity.
Main acct commands
Several commands let you make use of the collected data.
lastcomm: Most recently executed commands
Displays the list of executed commands, from the most recent to the oldest.
lastcomm
To filter by user or by command:
# Commands executed by the user 'morgann'
lastcomm morgann
# All executions of the 'ls' command
lastcomm ls
sa: Summary per command
The sa command provides a summary of the collected information, aggregated by command.
# Basic summary
sa
# Sort by the number of calls
sa -n
# Display information per user
sa -m
ac: Connection time per user
Displays the total connection time of users in hours.
# Total time per user
ac -p
# Total time for all users
ac
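As an added example that is not part of the original article, the POSIX shell script below post-processes lastcomm output into the kinds of summaries described above (per-user command counts, commands that ran with superuser privileges, CPU time per user as sa -m would report it). The lastcomm lines are constructed for the demo, and the column layout assumed is the standard one: command, optional flags, user, tty, CPU seconds, then the date and time.

```shell
#!/bin/sh
# Constructed sample of `lastcomm` output (not captured from a real host).
# Columns: command, optional flags (S = ran with superuser privileges,
# F = fork without exec), user, tty, CPU seconds, exit date and time.
SAMPLE_LASTCOMM='ls                     morgann  pts/0      0.00 secs Mon Mar  4 10:01
cat                    morgann  pts/0      0.00 secs Mon Mar  4 10:01
ls                     morgann  pts/0      0.00 secs Mon Mar  4 10:01
sudo            S      morgann  pts/0      0.01 secs Mon Mar  4 10:02
bash            S      root     pts/0      0.02 secs Mon Mar  4 10:02
tcpdump         S      root     pts/0      0.30 secs Mon Mar  4 10:03
cron            SF     root     __         0.00 secs Mon Mar  4 10:05
ls                     alice    pts/1      0.00 secs Mon Mar  4 10:06'

# Normalise lastcomm lines to "user<TAB>command<TAB>flags<TAB>cpu".
# Fields are counted from the end of the line because the flags column
# is present only on some rows: the last nine fields are always
# user, tty, cpu, "secs" and the four date/time fields.
parse_lastcomm() {
  awk 'NF >= 9 {
    user = $(NF - 7); cpu = $(NF - 5); flags = (NF == 10) ? $2 : "-"
    print user "\t" $1 "\t" flags "\t" cpu
  }'
}

# Per-user command counts, most frequent first: "count user command".
count_by_user_cmd() {
  parse_lastcomm \
    | awk -F '\t' '{ n[$1 " " $2]++ } END { for (k in n) print n[k], k }' \
    | sort -k1,1nr -k2
}

# Commands that ran with superuser privileges (S flag), as "user command";
# a non-root user appearing here shows where a privilege boundary was crossed.
superuser_cmds() {
  parse_lastcomm | awk -F '\t' 'index($3, "S") { print $1, $2 }'
}

# Total CPU seconds per user, like `sa -m` but computed from lastcomm lines.
cpu_by_user() {
  parse_lastcomm \
    | awk -F '\t' '{ t[$1] += $4 } END { for (u in t) printf "%s %.2f\n", u, t[u] }' \
    | sort
}

# Run the reports over the sample; pipe `lastcomm` in instead on a live host.
printf '%s\n' "$SAMPLE_LASTCOMM" | count_by_user_cmd
printf '%s\n' "$SAMPLE_LASTCOMM" | superuser_cmds
printf '%s\n' "$SAMPLE_LASTCOMM" | cpu_by_user
```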
Log Files and Rotation
The data is stored by default in /var/log/account/pacct. This file can grow quickly.
Configuring rotation
It is crucial to set up log rotation with logrotate. Create a /etc/logrotate.d/acct file:
sudo nano /etc/logrotate.d/acct
File contents:
/var/log/account/pacct {
    weekly
    rotate 4
    compress
    missingok
    notifempty
    create 0644 root root
    # The kernel keeps writing to the renamed file after rotation,
    # so point accounting at the freshly created file again.
    postrotate
        /usr/sbin/accton /var/log/account/pacct
    endscript
}
Without rotation, the acct log file can fill up your root partition. Do not skip this step!
Conclusion
The acct or psacct tool is an excellent way to strengthen the security and monitoring of your Linux systems. It provides essential traceability for auditing and performance analysis. Its installation and configuration are simple, but do not forget to manage its log rotation for worry-free use in production.