The history command in Linux is useful to recall previously used commands. It, however, won’t show the specific details like which command was used when and by whom.
For that, a useful command is lastcomm. It is a part of acct : a GNU accounting utilities package which essentially is for user and system management. This example uses Linux Mint but acct can be installed and used on other Linux distributions too.
So first install it from the Terminal by typing:
Once installed, first enable the accounting service:
Then run lastcomm. On its own, lastcomm will show a long list of all the commands executed by various users (including system users) with the most recent ones at the top. The first column shows the command instances, the next shows the users who executed it followed by the terminal session and the time at which the command was finished. The last column shows the time stamp.
Also, certain commands will have the S, F, X, C or D letters next to them. S is if the commands were executed by super user while F means the command was executed through a fork (i.e through a new process). X is for indicating that the command was exited using SIGTERM, while D signifies that a core file was generated when the command was terminated. C is for compatibility mode.
The long output from lastcomm can, however, be filtered to get the details of specific commands from specific users and from particiular terminal sessions.
Filter using command name:
So to know if a particular command was ever used before and when:
Example: To know if the rm command was used before:
Example: To know when was the last time shutdown command was used:
This will show the details of that executed command along with the users who ran it and the timestamp.
Filter based on specific users:
The lastcomm command can also be used to filter based on specific users. This is useful when you need to know various commands run only by a particular user.
The syntax for that is:
This will show all the commands run by that specific user with the recent commands at the top. Also, if a command was run with root privileges (sudo), then lastcomm will display these commands as run by root.
You can also use grep to filter the output from before to show only commands from specific users when using the –command parameter.
Filter based on terminal:
Other than that, lastcomm also supports filtering command details through virtual terminals. So, if there are various active terminal sessions and you need to know what commands are being run from a specific terminal, the syntax is:
Finally, there is always the man command to know more about lastcomm:
This is a useful command for user management.
All done.