Practical UNIX & Internet Security

Chapter 10: Auditing and Logging

10.2 The acct/pacct Process Accounting File

In addition to logins and logouts, UNIX can log every single command run by every single user. This special kind of logging is called process accounting; normally it is used only where users are billed for the CPU time they consume. After a break-in, the acct or pacct file can help determine what commands an intruder executed (provided the intruder has not deleted or edited the log file). The log can also be used for other purposes, such as seeing whether anyone still uses some old software you wish to delete, or who is playing games on the file server.

The lastcomm or acctcom program displays the contents of this file in a human-readable format:

% lastcomm
sendmail    F    root     __         0.05 secs Sat Mar 11 13:28
mail       S     daemon   __         0.34 secs Sat Mar 11 13:28
send             dfr      __         0.05 secs Sat Mar 11 13:28
post             dfr      ttysf      0.11 secs Sat Mar 11 13:28
sendmail    F    root     __         0.09 secs Sat Mar 11 13:28
sendmail    F    root     __         0.23 secs Sat Mar 11 13:28
sendmail    F    root     __         0.02 secs Sat Mar 11 13:28
anno             dfr      ttys1      0.14 secs Sat Mar 11 13:28
sendmail    F    root     __         0.03 secs Sat Mar 11 13:28
mail       S     daemon   __         0.30 secs Sat Mar 11 13:28
%

If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used.[5] Unfortunately, UNIX accounting records only the base name of the program that ran: it does not record the arguments the intruder typed, the directory in which the command was executed, or the path from which the program was loaded. Thus, keep in mind that a program named vi and executed by a potential intruder might actually be a renamed copy of cc - you have no way to tell for certain by examining this log file.

[5] lastcomm can work in two ways: by the system administrator to monitor attackers, or by an attacker to see if the administrator is monitoring him. For this reason, some administrators change the permission mode of the log file so that only the superuser can read its contents.

On systems that have even moderate use, the /var/adm/acct file grows very quickly - often by more than one or two megabytes per day. For this reason, most sites that use accounting run the sa (BSD) or runacct (System V) command nightly. These commands condense the information in the acct or pacct file into a summary file, which is often kept in /var/adm/savacct, so that the raw file can be truncated.

10.2.1 Accounting with System V

On SVR4 systems, you start the accounting with the command:

# /usr/lib/acct/startup

The accounting file on these systems is usually /var/adm/pacct and it is read with the acctcom command. The acctcom command has more than 20 options, and can provide a variety of interesting summaries. You should check your manual entry to become familiar with the possibilities.

Accounting is performed by the UNIX kernel. Every time a process terminates, the kernel appends a 32-byte record to the accounting file (/var/adm/acct or /var/adm/pacct). The record holds the name of the command (the first eight characters only), the user and group IDs it ran under, its controlling terminal, its start time, the CPU and elapsed time it consumed, and a set of flags. lastcomm and acctcom display the flags as the following letters:

S

Command was executed by the superuser.

F

Command ran after a fork, but without an exec.

D

Command generated a core file when it exited.

X

Command was terminated by a signal.

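The following decoder is an added example, not code from the book. It shows what is and is not in a process-accounting record by parsing the classic 32-byte struct acct layout from <sys/acct.h> (flag, exit status, uid, gid, tty, start time, six comp_t counters, eight-byte command name) and printing it the way lastcomm does. The layout, the little-endian byte order, the clock rate of 100 ticks per second and the sample records are assumptions for the example; field order and widths differ between systems, so compare against the header on the machine whose file you are reading. The constructed sample ends in a torn partial record of the kind left behind when a file is truncated or edited.

```python
"""Decode classic 32-byte UNIX process-accounting (struct acct) records.

Added example; assumes the traditional BSD/SVR4 field layout, little-endian
byte order and HZ=100. Check <sys/acct.h> on your own system.
"""
import struct
from datetime import datetime, timezone

# Flag bits from <sys/acct.h>, with the letters lastcomm prints for them.
AFORK = 0x01   # F: ran after a fork, but without an exec
ASU   = 0x02   # S: used superuser privileges
ACORE = 0x08   # D: dumped core on exit
AXSIG = 0x10   # X: killed by a signal
FLAG_LETTERS = ((ASU, "S"), (AFORK, "F"), (ACORE, "D"), (AXSIG, "X"))

# flag, stat, uid, gid, tty, btime, utime, stime, etime, mem, io, rw, comm[8]
ACCT_FORMAT = "<BBHHHIHHHHHH8s"
ACCT_SIZE = struct.calcsize(ACCT_FORMAT)   # 32 bytes, as the text says


def decode_comp_t(value):
    """comp_t packs a count as a 13-bit mantissa and a 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * ((value >> 13) & 0x7))


def encode_comp_t(value):
    """Inverse of decode_comp_t (lossy for large values); used to build samples."""
    exponent = 0
    while value > 0x1FFF:
        value >>= 3
        exponent += 1
    return (exponent << 13) | value


def flag_letters(flag):
    return "".join(letter for bit, letter in FLAG_LETTERS if flag & bit)


def parse_acct_records(data, hz=100):
    """Return (records, leftover_bytes). Leftover bytes mean a torn record."""
    records = []
    full, leftover = divmod(len(data), ACCT_SIZE)
    for i in range(full):
        (flag, stat, uid, gid, tty, btime, utime, stime,
         etime, mem, io, rw, comm) = struct.unpack_from(ACCT_FORMAT, data, i * ACCT_SIZE)
        records.append({
            # Only the program's base name, at most 8 bytes: no path, no arguments.
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": flag_letters(flag),
            "uid": uid,
            "gid": gid,
            "tty": tty,
            "start": datetime.fromtimestamp(btime, timezone.utc),
            "cpu_secs": (decode_comp_t(utime) + decode_comp_t(stime)) / hz,
            "exit_status": stat,
        })
    return records, leftover


def lastcomm_line(rec):
    """Format a record roughly as lastcomm prints it."""
    tty = "__" if rec["tty"] == 0 else "tty%x" % rec["tty"]
    return "%-10s %-3s uid=%-5d %-6s %5.2f secs %s" % (
        rec["comm"], rec["flags"], rec["uid"], tty, rec["cpu_secs"],
        rec["start"].strftime("%a %b %d %H:%M"))


def build_record(comm, flag, uid, tty, btime, utime_ticks, stime_ticks):
    """Pack one constructed record (sample data only)."""
    return struct.pack(ACCT_FORMAT, flag, 0, uid, 0, tty, btime,
                       encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
                       0, 0, 0, 0, comm.ljust(8, b"\0"))


# Constructed sample: Sat Mar 11 1995 13:28 UTC, modelled on the lastcomm output above.
START = 794928480
SAMPLE = b"".join([
    build_record(b"sendmail", ASU | AFORK, 0, 0, START, 3, 2),
    build_record(b"vi", 0, 1002, 0x0F, START + 20, 8, 3),   # vi, or a renamed cc?
    build_record(b"sh", AXSIG, 1002, 0x0F, START + 30, 1, 1),
]) + b"\0" * 5   # torn trailing record: truncated or tampered file


if __name__ == "__main__":
    records, leftover = parse_acct_records(SAMPLE)
    for rec in records:
        print(lastcomm_line(rec))
    if leftover:
        print("warning: %d trailing bytes do not form a record" % leftover)
```

Note that the record gives you a user ID, a terminal and a command name, nothing more: the "vi" record for uid 1002 would look identical if the intruder had renamed cc to vi.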
10.2.2 Accounting with BSD

You can turn on accounting by issuing the accton command:

# accton filename

Depending on your version of UNIX, you may find the accton command in /usr/etc or in /usr/lib/acct. The filename specifies where accounting information should be kept; it is typically /var/adm/acct or /usr/adm/acct. The file is read with the lastcomm command.

10.2.3 messages Log File

Many versions of UNIX place a copy of any message printed on the system console in a file called /usr/adm/messages or /var/adm/messages. This can be particularly useful, because recording a message requires no special logging software: a program that writes to the console with a printf in a C program or an echo statement in a shell script has its message saved in the file.

Here is a sample of the /var/adm/messages file from a computer running SunOS version 4.1:

Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times

As you can see, the computer bolt is having a problem with a filled disk.
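The following parser is an added example, not code from the book. It processes lines in the format of the SunOS 4.1 excerpt above: it expands "last message repeated N times" into a count of the preceding message, extracts su events, and flags a user who reached root after repeated failures. The sample input is constructed; the "succeeded" lines mirror the excerpt, while the "failed" lines and the two-failure threshold are assumptions for the example.

```python
"""Parse a /var/adm/messages-style log and pick out su activity.

Added example; the 'failed' line format is assumed, not taken from the book.
"""
import re
from collections import Counter

# Constructed sample modelled on the SunOS 4.1 excerpt in the text.
SAMPLE_MESSAGES = """\
Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times
Mar 14 15:02:11 bolt su: 'su root' failed for guest on /dev/ttyp3
Mar 14 15:02:20 bolt su: 'su root' failed for guest on /dev/ttyp3
Mar 14 15:02:31 bolt su: 'su root' succeeded for guest on /dev/ttyp3
"""

# "Mar 14 14:30:58 bolt <rest>": month, day (space-padded), time, host, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
SU_RE = re.compile(
    r"^su: '(?P<cmd>su[^']*)' (?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)$")


def parse_messages(text):
    """Return (su_events, message_counts).

    Repeat lines are folded into the count of the message before them, so
    the total reflects what the kernel actually printed.
    """
    events = []
    counts = Counter()
    last = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a syslog-style line; skip
        rest = m.group("rest")
        rep = REPEAT_RE.match(rest)
        if rep:
            if last is not None:
                counts[last] += int(rep.group("n"))
            continue
        counts[rest] += 1
        last = rest
        su = SU_RE.match(rest)
        if su:
            events.append({
                "time": m.group("ts"),
                "host": m.group("host"),
                "user": su.group("user"),
                "tty": su.group("tty"),
                "ok": su.group("result") == "succeeded",
            })
    return events, counts


def suspicious_su(events, max_failures=2):
    """Users who became root after at least max_failures failed tries on one tty."""
    failures = Counter()
    flagged = []
    for ev in events:
        key = (ev["user"], ev["tty"])
        if not ev["ok"]:
            failures[key] += 1
        else:
            if failures[key] >= max_failures:
                flagged.append(ev["user"])
            failures[key] = 0             # a success resets the streak
    return flagged


if __name__ == "__main__":
    events, counts = parse_messages(SAMPLE_MESSAGES)
    for ev in events:
        print("%s %s su by %-6s on %s: %s" % (
            ev["time"], ev["host"], ev["user"], ev["tty"],
            "ok" if ev["ok"] else "FAILED"))
    print("file-system-full messages:", counts["vmunix: /home: file system full"])
    print("suspicious:", suspicious_su(events))
```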

