Wednesday, July 14, 2010
acct: Unix System Accounting Enabled Pt 2
Accounting Data Flow:
The figure to the right provides an overview of the flow of data in the accounting subsystem available with Solaris. Accounting data starts out as process data contained in the Unix kernel data structures. If accounting is turned on, then upon termination of each process the kernel writes a process accounting (pacct) record, which is appended to /var/adm/pacct. The pacct file format is described by the acct structure contained in /usr/include/sys/acct.h. pacct files can be processed outside of the daily periodic accounting run with the acctcom command.
wtmp and wtmpx are valuable files used by the accounting subsystem. They keep track of information about interactive logins, their ttys and originating hosts. The wtmp format is described by the utmp structure contained in /usr/include/utmp.h. The wtmpx format is described by the utmpx structure contained in /usr/include/utmpx.h. The information contained in the wtmpx file can be processed outside of the daily periodic accounting run with the last command.
The ckpacct script should be executed by adm's cron. It checks both the size of the /var/adm/pacct file and the space available in the file system that contains /var/adm/pacct. If the pacct file is over the size threshold contained in the script, the pacct file is rolled over to /var/adm/pacctN, where N is the next unused number in sequence for the pacct file set, starting with 1. If the file system has less space than that described in the script, ckpacct will turn the accounting system off by executing turnacct off. It is recommended to run ckpacct from adm's cron once per hour.
The daily periodic accounting run is accomplished by executing the runacct script. The runacct script should be run daily by adm's cron. An example of the crontab entry for runacct was provided in the Quick Start section. runacct processes the data contained in the pacct and wtmp files and generates reports from it. runacct is a Bourne shell script made up of eleven restartable states. The states are:
* SETUP
* WTMPFIX
* CONNECT
* PROCESS
* MERGE
* FEES
* DISK
* MERGETACCT
* CMS
* USEREXIT
* CLEANUP
As runacct executes, it logs its progress by writing descriptive messages to /var/adm/acct/nite/active. /usr/adm/acct/nite/statefile and /usr/adm/acct/nite/lastdate contain the last known state and date, respectively, of the runacct script. Lock files are used to prevent runacct from being executed more than once for the same accounting period. The lock files are /var/adm/acct/nite/lock and /var/adm/acct/nite/lock1.
In the event an error is encountered during execution, a message is logged on the console, mail is sent to the administrators (root and adm) and runacct exits. If a state aborts due to an error, review both statefile and active to determine the location and cause of the error. The error can be investigated and repaired with accounting utility programs such as fwtmp and wtmpfix. Accounting can then be restarted at the state where the error was encountered, which avoids the overhead of restarting accounting from the beginning. To restart runacct, it must be invoked with an argument, such as runacct 1117. The argument should correspond to the date when the error was encountered. This date should also be recorded in the lastdate file. The state recorded in statefile will be the state where runacct restarts execution. This can be overridden by adding the state to the argument list, such as runacct 1117 USEREXIT. Upon successful completion, runacct will write COMPLETE into the statefile.
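The restart check described above can be scripted. The following is an added example, not part of the original post or of the Solaris accounting scripts: the function names runacct_triage and make_sample are hypothetical, the sample files are constructed, and it assumes lastdate holds the date in the same form as the runacct argument (1117 in the post's example).

```shell
#!/bin/sh
# Added example (not from the post): triage a stalled runacct run using the
# files the post names. NITE can point at a copy of the directory.
NITE=${NITE:-/var/adm/acct/nite}
STATES="SETUP WTMPFIX CONNECT PROCESS MERGE FEES DISK MERGETACCT CMS USEREXIT CLEANUP"

# runacct_triage DIR: print status lines; exit 0 = COMPLETE, 1 = restart
# needed, 2 = state files missing or state not recognized.
runacct_triage() {
    dir=${1:-$NITE}
    if [ ! -r "$dir/statefile" ] || [ ! -r "$dir/lastdate" ]; then
        echo "UNKNOWN: statefile or lastdate not readable in $dir"
        return 2
    fi
    state=$(tr -d ' \t\n' < "$dir/statefile")
    when=$(tr -d ' \t\n' < "$dir/lastdate")
    if [ "$state" = "COMPLETE" ]; then
        echo "OK: run for $when reached COMPLETE"
        return 0
    fi
    case " $STATES " in
        *" $state "*) ;;   # one of the eleven states listed in the post
        *) echo "UNKNOWN: unexpected state '$state'"; return 2 ;;
    esac
    echo "RESTART: runacct $when (resumes at $state)"
    # Only report the lock files; the post names them but gives no cleanup step.
    for f in lock lock1; do
        if [ -e "$dir/$f" ]; then echo "LOCK: $dir/$f present"; fi
    done
    # Last progress message, to review alongside statefile.
    if [ -s "$dir/active" ]; then
        echo "LAST: $(sed -n '$p' "$dir/active")"
    fi
    return 1
}

# Build a constructed nite directory: a run for 1117 that stopped in USEREXIT.
make_sample() {
    d=$(mktemp -d) || return 1
    echo "USEREXIT" > "$d/statefile"
    echo "1117" > "$d/lastdate"
    echo "constructed sample: error in USEREXIT state" > "$d/active"
    : > "$d/lock"
    echo "$d"
}

sample=$(make_sample)
runacct_triage "$sample" || :   # nonzero exit only means "not COMPLETE"
rm -rf "$sample"
```

Run hourly from cron against the real directory, the exit status gives a simple signal that the last accounting run never reached COMPLETE.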
Labels: Accounting, Audit, Security