Wednesday, July 14, 2010
acct: Unix System Accounting Enabled Pt 4
Useful runacct Modifications:
runacct generates several default reports, summarizes accounting data into a few binary data files, and removes several raw data input files. The system administrator should review each of these steps for its usefulness to the site. If a component of runacct is not useful to a site, it should be removed or commented out. When accounting scripts are modified, retain a copy of the original script for comparison and debugging. Modifications can easily be maintained with a source code management system such as RCS.
Preserve Raw Data:
The most important and useful modification to runacct is the preservation of the raw pacct and wtmpx data files. These files provide the audit trail for both billing and security. By default, runacct removes all pacct files by the time the script completes. If these files are preserved from deletion and archived, they can provide supporting documentation for billing inquiries and clues for suspected security intrusions. It is recommended to keep and archive the raw input pacct* and wtmpx files for security and accounting system auditing purposes. The user exit capability (see the USEREXIT state) in the runacct script can be used to accomplish this archiving task. A sample user exit script, called runacct.local, is provided in Listing 1.
Listing 1 is an example runacct.local script to preserve the pacct* and wtmpx files in /var/adm/acct/sum/YYYYMMDD. YYYYMMDD represents the four digit year, the month and day of the accounting run. This new subdirectory is created by the script and will help in the organization and manageability of these files.
Mail Recipient Configuration:
Another useful modification is changing the recipient list of the mail sent by the runacct script. This can easily be done by creating an environment variable called _maillist and calling mailx ${_maillist} instead of the default mailx root adm. Add the following line in the environment variable section:
_maillist="root adm"
Replace all instances of
mailx root adm
with
mailx ${_maillist}
Then change the value of _maillist to the users you want notified of an error in runacct.
USEREXIT environment
Additionally, the USEREXIT state has two deficiencies. First, the environment of the runacct script is not passed when the /usr/lib/acct/runacct.local script is called. Second, the exit status of the runacct.local script is not checked. The following runacct changes are recommended: source the script with the dot command (.) so that it runs in runacct's own shell and sees its variables, and test its exit status. Change
USEREXIT)
    # "any installation dependant accounting programs should be run here"
    [ -s /usr/lib/acct/runacct.local ] && /usr/lib/acct/runacct.local
    echo "CLEANUP" > ${_statefile}
    ;;
to
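USEREXIT)
    # "any installation dependant accounting programs should be run here"
    if [ -s /usr/lib/acct/runacct.local ]
    then
        # Source the script so it runs in runacct's shell and sees its variables.
        . /usr/lib/acct/runacct.local
        # Abort the run, with a log entry and mail, if the local script failed.
        if [ ${?} -ne 0 ]
        then
            _errmsg="\n\n***** Accounting error with runacct.local *******\n\n\n"
            (date ; echo "$_errmsg" ) | logger -p daemon.err
            echo "$_errmsg" | mailx adm root
            echo "ERROR: problem with runacct.local, run aborted" >> ${_active}
            rm -f ${_nite}/lock*
            exit 1
        fi
    fi
    # Advance to the next state, as in the original USEREXIT block.
    echo "CLEANUP" > ${_statefile}
    ;;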
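An added example of a runacct.local that fits the modified USEREXIT state above (it is not the post's Listing 1 and not the original author's code): it copies pacct* and wtmpx into sum/YYYYMMDD, verifies each copy, and returns non-zero so the new exit-status check fires. The function name, the _ar_ variable prefix and the default paths are assumptions.

```shell
# runacct.local (added example): archive raw accounting files before CLEANUP.
# Meant to be sourced by the modified USEREXIT state, so it reports failure
# with "return", never "exit", and prefixes its variables because they land in
# runacct's own shell. Classic Bourne syntax only (backticks, expr).

# archive_acct_raw [src_dir] [sum_dir] [YYYYMMDD]
# Default paths are assumptions; point them at your site's pacct/wtmpx files.
archive_acct_raw() {
    _ar_src=${1:-/var/adm}
    _ar_sum=${2:-/var/adm/acct/sum}
    _ar_day=${3:-`date +%Y%m%d`}
    _ar_dest="${_ar_sum}/${_ar_day}"
    _ar_count=0

    # Audit evidence: keep the archive readable by its owner only.
    mkdir -p "${_ar_dest}" || return 1
    chmod 700 "${_ar_dest}" || return 1

    for _ar_file in "${_ar_src}"/pacct* "${_ar_src}"/wtmpx
    do
        [ -f "${_ar_file}" ] || continue    # unmatched glob or missing file
        _ar_base=`basename "${_ar_file}"`
        _ar_copy="${_ar_dest}/${_ar_base}"
        if [ -f "${_ar_copy}" ]
        then
            # Restarted run: never overwrite evidence already archived.
            cmp -s "${_ar_file}" "${_ar_copy}" || return 1
        else
            cp -p "${_ar_file}" "${_ar_copy}" || return 1
            # Verify byte-for-byte before runacct removes the source.
            cmp -s "${_ar_file}" "${_ar_copy}" || return 1
            chmod 400 "${_ar_copy}" || return 1
        fi
        _ar_count=`expr ${_ar_count} + 1`
    done

    # A run with no raw data to keep should raise the USEREXIT alert.
    [ "${_ar_count}" -gt 0 ] || return 1
    return 0
}

# Run only when sourced by runacct, detected through its _statefile variable.
if [ -n "${_statefile:-}" ]
then
    archive_acct_raw
fi
```

Because the file is sourced, the status of the final if block becomes the value of ${?} that the USEREXIT check tests.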