21.2 Process Accounting: The acct/pacct File
In addition to logins and logouts, Unix can log every single command run by every single user. This special kind of logging is often called process accounting; normally, process accounting is used only in situations where users are billed for the amount of CPU time that they consume. The acct or pacct files can be used after a break-in to help determine which commands a user executed (provided that the log file is not deleted). This file can also be used for other purposes, such as seeing if anyone is using some old software you wish to delete, or who is playing games on the fileserver.
The lastcomm or acctcom programs display the contents of this file in a human-readable format:
% lastcomm
sendmail F root _ _ 0.05 secs Sat Mar 11 13:28
mail S daemon _ _ 0.34 secs Sat Mar 11 13:28
send dfr _ _ 0.05 secs Sat Mar 11 13:28
post dfr ttysf 0.11 secs Sat Mar 11 13:28
sendmail F root _ _ 0.09 secs Sat Mar 11 13:28
sendmail F root _ _ 0.23 secs Sat Mar 11 13:28
sendmail F root _ _ 0.02 secs Sat Mar 11 13:28
anno dfr ttys1 0.14 secs Sat Mar 11 13:28
sendmail F root _ _ 0.03 secs Sat Mar 11 13:28
mail S daemon _ _ 0.30 secs Sat Mar 11 13:28
%
If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used.
Unfortunately, Unix accounting does not record the arguments to the command typed by the intruder, nor the directory in which the command was executed. Thus, keep in mind that a program named vi executed by a potential intruder might actually be a renamed version of cc—you have no way to tell for certain by examining this log file.
On systems that are used even moderately, the /var/adm/acct file grows very quickly—often more than one or two megabytes per day. For this reason, most sites that use accounting run the commands sa or runacct on a nightly basis. These commands process the information in the acct or pacct files into a summary file, which is often kept in /var/adm/savacct.
21.2.1 Accounting with System V
On SVR4 systems, you start accounting with the command:
# /usr/lib/acct/startup
The accounting file on these systems is usually /var/adm/pacct, and it is read with the acctcom command. The acctcom command has more than 20 options, and can provide a variety of interesting summaries. You should check your system's manpage to become familiar with the possibilities and any related commands.
Accounting is performed by the Unix kernel. Every time a process terminates, the kernel writes a 32-byte record to the /var/adm/acct file that includes:
Because accounting records are written when processes terminate, reading accounting logs can be tricky on systems with long-lived processes. The logs will usually be chronological in order of termination, not execution.
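To make the lastcomm listing above and the termination-order caveat concrete, here is an added example (not code from the book or from any Unix vendor) that decodes raw accounting records and prints them the way lastcomm does. It assumes the classic 4.3BSD 32-byte struct acct layout, the comp_t encoding (13-bit mantissa, 3-bit base-8 exponent), AHZ = 64 ticks per second, and the flag bit values; all records, uids and login names are constructed for the example. Linux and SVR4 use larger record formats, so the layout would need adjusting there.

```python
"""Decode classic BSD process-accounting records and list them lastcomm-style.
Record layout, comp_t encoding, AHZ and flag bits are assumptions (4.3BSD
sys/acct.h); every record below is constructed for the example, not captured."""
import calendar
import struct
import time

# Assumed 32-byte 4.3BSD `struct acct`, packed little-endian:
#   ac_comm[10], ac_utime, ac_stime, ac_etime (comp_t), ac_btime (time_t),
#   ac_uid, ac_gid, ac_mem, ac_io (comp_t), ac_tty, ac_flag, one pad byte
ACCT_FORMAT = "<10sHHHIhhhHhBx"
ACCT_SIZE = struct.calcsize(ACCT_FORMAT)   # 32
AHZ = 64                                   # accounting ticks per second (assumed)
NODEV = -1                                 # ac_tty value meaning "no controlling tty"

# ac_flag bits and the letter lastcomm prints for each (assumed values)
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_LETTERS = ((AFORK, "F"), (ASU, "S"), (ACORE, "D"), (AXSIG, "X"))

# Constructed uid -> login mapping standing in for /etc/passwd
PASSWD = {0: "root", 1: "daemon", 1001: "dfr"}


def comp_decode(c):
    """comp_t: 13-bit mantissa, 3-bit base-8 exponent -> clock ticks."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_encode(ticks):
    """Inverse of comp_decode (lossy for large values); used to build samples."""
    exp = 0
    while ticks > 0x1FFF:
        ticks >>= 3
        exp += 1
    return (exp << 13) | ticks


def make_record(comm, uid, utime, stime, etime, btime, tty=NODEV, flag=0):
    """Pack one constructed accounting record; times are in ticks."""
    return struct.pack(ACCT_FORMAT, comm.encode()[:10].ljust(10, b"\0"),
                       comp_encode(utime), comp_encode(stime), comp_encode(etime),
                       btime, uid, 0, 0, 0, tty, flag)


def parse_acct(data):
    """Return one dict per 32-byte record, in file (i.e. termination) order."""
    records = []
    for off in range(0, len(data) - len(data) % ACCT_SIZE, ACCT_SIZE):
        f = struct.unpack(ACCT_FORMAT, data[off:off + ACCT_SIZE])
        records.append({
            "comm": f[0].rstrip(b"\0").decode(),
            "cpu_secs": (comp_decode(f[1]) + comp_decode(f[2])) / AHZ,
            "elapsed_secs": comp_decode(f[3]) / AHZ,
            "btime": f[4], "uid": f[5], "tty": f[9], "flag": f[10],
        })
    return records


def lastcomm_line(r):
    """Format one record roughly the way lastcomm prints it."""
    flags = "".join(letter for bit, letter in FLAG_LETTERS if r["flag"] & bit)
    tty = "__" if r["tty"] == NODEV else "tty%02x" % r["tty"]
    when = time.strftime("%a %b %d %H:%M", time.gmtime(r["btime"]))
    return "%-10s %-2s %-8s %-6s %5.2f secs %s" % (
        r["comm"], flags, PASSWD.get(r["uid"], str(r["uid"])), tty, r["cpu_secs"], when)


def by_start_time(records):
    """Reorder by ac_btime: the file itself is ordered by termination time."""
    return sorted(records, key=lambda r: r["btime"])


# Constructed sample: a long-lived csh started at 13:20 but exited last, so in
# the file it appears *after* the short-lived sendmail/mail/post records.
T0 = calendar.timegm((1995, 3, 11, 13, 28, 0))
SAMPLE_ACCT = b"".join([
    make_record("sendmail", 0, 2, 1, 64, T0, flag=AFORK),
    make_record("mail", 1, 20, 2, 128, T0 + 1, flag=ASU),
    make_record("post", 1001, 5, 2, 256, T0 + 2, tty=0x5F),
    make_record("csh", 1001, 30, 10, 64 * 600, T0 - 480, tty=0x5F),
])

if __name__ == "__main__":
    recs = parse_acct(SAMPLE_ACCT)
    print("file order (by termination):")
    for r in recs:
        print(" ", lastcomm_line(r))
    print("by start time:")
    for r in by_start_time(recs):
        print(" ", lastcomm_line(r))
```

Running it prints the csh record last in file order but first once sorted by start time, which is the reordering you have to do by hand when reading a raw accounting file on a system with long-lived processes. Note that, as the text says, nothing in the record carries the command's arguments or working directory; only the first ten characters of the command name are kept.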
21.2.2 Accounting with BSD and Linux
You can turn on accounting by issuing the accton command:
# accton filename
Depending on your version of Unix, you may find the accton command in /usr/etc, /usr/sbin, or /usr/lib/acct. The filename specifies where accounting information should be kept. It is typically /var/adm/acct. The file is read with the lastcomm command.
21.2.3 messages Log File
Many versions of Unix place a copy of any message printed on the system console in a file called /var/log/messages or /var/adm/messages. This can be particularly useful, as it does not require the use of special software for logging—only a call to printf in a C program or an echo statement in a shell script.
Here is a sample of the messages file from a computer running SunOS Version 4.1:
Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times
As you can see, the computer bolt is having a problem with a filled disk.
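The "last message repeated N times" lines in that sample are syslog's own compression: the 16-times line stands for 16 more "file system full" messages, not one. A script that counts events in a messages file has to expand them, and it is the same pass that picks out the su records. The following is an added example, not from the book; the input is the SunOS 4.1 sample above plus one constructed "failed" su line, and the su message wording it matches is taken from that sample.

```python
"""Expand syslog's "last message repeated N times" compression, count
messages, and pull out su events from a SunOS-style messages file.
Sample input: the messages excerpt above plus one constructed failed-su line."""
import re
from collections import Counter

SAMPLE_MESSAGES = """\
Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times
Mar 14 14:35:02 bolt su: 'su root' failed for tanya on /dev/ttyrb
"""

# "Mon DD HH:MM:SS host rest-of-line"
LINE_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
# su message format as it appears in the SunOS 4.1 sample
SU_RE = re.compile(r"^'su (\S+)' (succeeded|failed) for (\S+) on (\S+)$")


def parse_messages(text):
    """Return one dict per actual event.  A 'last message repeated N times'
    line is replaced by N copies of the previous message (with its own
    timestamp), so counts reflect what really happened."""
    events, last = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not syslog-shaped; skip, don't guess
        stamp, host, rest = m.groups()
        rep = REPEAT_RE.match(rest)
        if rep:
            if last is not None:          # a repeat with no prior line is dropped
                events.extend(dict(last, stamp=stamp)
                              for _ in range(int(rep.group(1))))
            continue
        prog, _, msg = rest.partition(": ")
        last = {"stamp": stamp, "host": host, "prog": prog, "msg": msg}
        events.append(last)
    return events


def count_by_message(events):
    """How many times each (program, message) pair occurred after expansion."""
    return Counter((e["prog"], e["msg"]) for e in events)


def su_events(events):
    """Extract su attempts: who tried to become whom, from which tty, and whether it worked."""
    out = []
    for e in events:
        if e["prog"] != "su":
            continue
        m = SU_RE.match(e["msg"])
        if m:
            target, result, user, tty = m.groups()
            out.append({"stamp": e["stamp"], "user": user, "target": target,
                        "result": result, "tty": tty})
    return out


if __name__ == "__main__":
    evs = parse_messages(SAMPLE_MESSAGES)
    for (prog, msg), n in count_by_message(evs).most_common():
        print("%4d  %s: %s" % (n, prog, msg))
    for s in su_events(evs):
        print(s["stamp"], s["user"], "->", s["target"], s["result"], "on", s["tty"])
```

With the sample input the "file system full" message counts as 26 events rather than the 2 visible lines, and the two su lines come out as structured records you can compare against who is supposed to know the root password. Because this file is written by ordinary console printing, anything that can write to the console can put a misleading line in it, so treat it as corroborating evidence alongside the accounting file rather than as proof on its own.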