Wednesday, July 14, 2010
acct: Unix System Accounting Enabled Pt 1
Unix accounting, when enabled, can provide useful information about who is using your system and, in basic terms, their overall resource consumption. By implementing the suggested modifications you can magically transform the accounting system into a more useful billing and security auditing subsystem. Use of the user exit provided in the runacct script is quite possibly the most useful modification to the accounting system. The user exit script, runacct.local, should be created and can hold all of the necessary local file archiving and manipulation steps. By combining the information produced by the Unix accounting system with the recommended modifications, one can produce useful reports on system utilization and gain additional audit trails for billing and security inquiries.
Quick Start:
The Unix accounting system is made up of scripts and utility programs, each of which performs a specific function in creating, processing, or reporting accounting data. These are located in /usr/lib/acct. When maintaining the accounting system, the /usr/lib/acct directory should be placed in your path. Additionally, adding yourself to the adm group will provide access to accounting directories and data files without the need to access these by using superuser or adm user privileges (su - root or su - adm).
On a new system, or a system with accounting disabled, there are three easy steps to starting the accounting system:
1. start process accounting with turnacct on
2. place ckpacct in adm's cron entry
0 * * * * /usr/lib/acct/ckpacct
3. place runacct in adm's cron entry
50 23 * * * /usr/lib/acct/runacct > /var/adm/acct/nite/fd2log 2>&1
It is recommended to perform the above as user adm. Performing them as root will work, but file permissions may not be set properly, which then requires superuser privileges to access the accounting files and directories. The accounting system is designed to give adm the privileges needed to perform the accounting functions, including enabling or disabling process accounting in the kernel and setting proper permissions on accounting files, including those created by the runacct script.
To determine if turnacct was successful, check for the existence of the /var/adm/pacct file. As processes are created and complete, the kernel will write a process accounting record to /var/adm/pacct. As you issue commands you should see /var/adm/pacct grow in size. More details about the pacct file, the ckpacct and runacct scripts are discussed in subsequent paragraphs.
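The three Quick Start steps and the pacct growth check above, gathered into one idempotent script. This is an added example and not part of the original post or of the Unix accounting package itself; it assumes the System V layout described here (/usr/lib/acct, /var/adm/pacct), that it is run as user adm, and that the system's crontab command accepts a new table on stdin via `crontab -`. The cron entries are the two lines from the Quick Start; the merge and size-comparison helpers are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): enable Unix process accounting
# and install the ckpacct/runacct cron entries without duplicating lines that
# are already present, then confirm that /var/adm/pacct is growing.
# Assumed layout: System V accounting under /usr/lib/acct, run as user adm.

ACCT_DIR=/usr/lib/acct
PACCT=/var/adm/pacct
# The two entries from the Quick Start, verbatim.
CKPACCT_ENTRY='0 * * * * /usr/lib/acct/ckpacct'
RUNACCT_ENTRY='50 23 * * * /usr/lib/acct/runacct > /var/adm/acct/nite/fd2log 2>&1'

# cron_has_entry CRONTAB_TEXT COMMAND
# Succeeds when an active (non-comment) line of CRONTAB_TEXT already
# schedules COMMAND, so re-running the script never installs it twice.
cron_has_entry() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Fq -- "$2"
}

# append_line TEXT LINE: print TEXT with LINE appended (no leading blank
# line when TEXT is empty, i.e. when adm had no crontab yet).
append_line() {
    if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s\n%s' "$1" "$2"; fi
}

# cron_merge CRONTAB_TEXT: print CRONTAB_TEXT with any missing accounting
# entries appended; the caller pipes the result into `crontab -`.
cron_merge() {
    out=$1
    cron_has_entry "$out" "$ACCT_DIR/ckpacct" || out=$(append_line "$out" "$CKPACCT_ENTRY")
    cron_has_entry "$out" "$ACCT_DIR/runacct" || out=$(append_line "$out" "$RUNACCT_ENTRY")
    printf '%s\n' "$out"
}

# file_size PATH: size in bytes, or 0 when the file does not exist yet.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# pacct_grew BEFORE AFTER: succeeds only if the accounting file got bigger,
# which is the check the post recommends after `turnacct on`.
pacct_grew() {
    [ "$2" -gt "$1" ]
}

enable_accounting() {
    PATH=$ACCT_DIR:$PATH; export PATH      # the post: put /usr/lib/acct in PATH
    turnacct on                            # step 1: kernel starts writing pacct
    before=$(file_size "$PACCT")
    existing=$(crontab -l 2>/dev/null || true)
    cron_merge "$existing" | crontab -     # steps 2 and 3, without duplicates
    sleep 2; date > /dev/null              # a child process exits -> a pacct record
    after=$(file_size "$PACCT")
    if pacct_grew "$before" "$after"; then
        echo "accounting active: $PACCT grew from $before to $after bytes"
    else
        echo "warning: $PACCT did not grow; check turnacct output and adm permissions" >&2
        return 1
    fi
}

# Only touch the live system when explicitly asked: sh enable_acct.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_accounting
fi
```

Running it with --apply as adm performs the three steps; running it again is harmless because cron_merge only appends entries that are not already scheduled, and commented-out entries are treated as absent so a disabled job is re-enabled rather than silently skipped.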
If you plan to run Unix accounting on a large system, or need to keep several months of accounting data online, you may want to consider creating a separate file system for storage of accounting files. /var/adm/acct is the top-level directory containing accounting data files and reports, except for /var/adm/wtmp and /var/adm/wtmpx (sometimes found in /etc) and the current process accounting data files, /var/adm/pacct*. Creating a separate file system for /var/adm/acct is recommended if you enable Unix accounting.
Labels: Accounting, Audit, Security
This topic is very invigorating. I enjoyed reading this post a lot and will be looking forward to more such interesting posts from you. accounting system