Process accounting is a security method in which an administrator may keep track of
system resources used, their allocation among users, provide for system monitoring, and
minimally track a user's commands.
This indeed has its own positive and negative points. One of the positives is that an
intrusion may be narrowed down to the point of entry. A negative is the amount of logs
generated by process accounting, and the disk space they may require. This section will
walk an administrator through the basics of process accounting.
Before making use of process accounting, it must be enabled. To do this, execute the
following commands:
# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
Once enabled, accounting will begin to track CPU
stats, commands, etc. All accounting logs are in a non-human readable format and may be
viewed using the sa(8) utility. If
issued without any options, sa will print information relating
to the number of per user calls, the total elapsed time in minutes, total CPU and user time in minutes, average number of I/O operations,
etc.
To view information about commands being issued, one would use the lastcomm(1) utility.
The lastcomm command may be used to print out commands issued by
users on specific ttys(5), for
example:
# lastcomm ls
trhodes ttyp1
Would print out all known usage of the ls by trhodes on the ttyp1 terminal.
Many other useful options exist and are explained in the lastcomm(1), acct(5) and sa(8) manual
pages.
