In addition to logins and logouts, UNIX can log every single command run by every single user. This special kind of logging is often called process accounting; normally, process accounting is used only in situations where users are billed for the amount of CPU time that they consume. The acct or pacct file can be used after a break-in to help determine what commands a user executed (provided that the log file is not deleted). This log can also be used for other purposes, such as seeing if anyone is using some old software you wish to delete, or who is playing games on the fileserver.
The lastcomm or acctcom program displays the contents of this file in a human-readable format:
% lastcomm
sendmail   F   root     __      0.05 secs Sat Mar 11 13:28
mail       S   daemon   __      0.34 secs Sat Mar 11 13:28
send           dfr      __      0.05 secs Sat Mar 11 13:28
post           dfr      ttysf   0.11 secs Sat Mar 11 13:28
sendmail   F   root     __      0.09 secs Sat Mar 11 13:28
sendmail   F   root     __      0.23 secs Sat Mar 11 13:28
sendmail   F   root     __      0.02 secs Sat Mar 11 13:28
anno           dfr      ttys1   0.14 secs Sat Mar 11 13:28
sendmail   F   root     __      0.03 secs Sat Mar 11 13:28
mail       S   daemon   __      0.30 secs Sat Mar 11 13:28
%
If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used.[5] Unfortunately, UNIX accounting does not record the arguments to the command typed by the intruder, nor the directory in which the command was executed. Thus, keep in mind that a program named vi and executed by a potential intruder might actually be a renamed version of cc - you have no way to tell for certain by examining this log file.
[5] lastcomm can work in two ways: by the system administrator to monitor attackers, or by an attacker to see if the administrator is monitoring him. For this reason, some administrators change the permission mode of the log file so that only the superuser can read its contents.
On systems that have even moderate use, the /var/adm/acct file grows very quickly - often more than one or two megabytes per day. For this reason, most sites that use accounting run the command sa or runacct on a nightly basis. The command processes the information in the acct or pacct file into a summary file, which is often kept in /var/adm/savacct .
On SVR4 systems, you start the accounting with the command:
# /usr/lib/acct/startup
The accounting file on these systems is usually /var/adm/pacct and it is read with the acctcom command. The acctcom command has more than 20 options, and can provide a variety of interesting summaries. You should check your manual entry to become familiar with the possibilities.
Accounting is performed by the UNIX kernel. Every time a process terminates, the kernel writes a 32-byte record to the /var/adm/acct file that includes:
Name of the user who ran the command
Name of the command
Amount of CPU time used
Time that the process exited
Flags, including:
    S    Command was executed by the superuser.
    F    Command ran after a fork, but without an exec.
    D    Command generated a core file when it exited.
    X    Command was terminated by a signal.
You can turn on accounting by issuing the accton command:
# accton filename
Depending on your version of UNIX, you may find the accton command in /usr/etc or in /usr/lib/acct. The filename specifies where accounting information should be kept. It is typically /var/adm/acct or /usr/adm/acct. The file is read with the lastcomm command.
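As an added example (not code from the book), here is a small Python script that parses the text output of lastcomm shown earlier, totals CPU time per user the way the nightly sa summaries do, and pulls out the records whose flag letters you ask for; the sample lines are constructed in the lastcomm format, not real accounting data.

```python
from collections import defaultdict

# Constructed sample in the lastcomm output format shown above (not real log data).
SAMPLE = """\
sendmail F root __ 0.05 secs Sat Mar 11 13:28
mail S daemon __ 0.34 secs Sat Mar 11 13:28
send dfr __ 0.05 secs Sat Mar 11 13:28
post dfr ttysf 0.11 secs Sat Mar 11 13:28
vi S dfr ttys1 0.14 secs Sat Mar 11 13:29
cc D dfr ttys1 2.50 secs Sat Mar 11 13:30
"""

# Meaning of the flag letters, as documented for the acct file.
FLAGS = {
    "S": "executed by the superuser",
    "F": "forked but never exec'd",
    "D": "dumped core",
    "X": "terminated by a signal",
}

def parse_lastcomm(text):
    """Parse lastcomm output into dicts. Fields are taken from the right-hand
    end of each line because the flag column is absent when no flag is set."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or tok[-5] != "secs":
            continue  # prompt, blank line, or a line we do not understand
        records.append({
            "command": tok[0],
            "flags": set("".join(tok[1:-8])),  # empty when no flag column
            "user": tok[-8],
            "tty": tok[-7],
            "cpu": float(tok[-6]),
            "when": " ".join(tok[-4:]),
        })
    return records

def cpu_by_user(records):
    """Per-user CPU total, the kind of summary sa/runacct produce nightly."""
    totals = defaultdict(float)
    for r in records:
        totals[r["user"]] += r["cpu"]
    return dict(totals)

def flagged(records, letters):
    """Records carrying any of the given flag letters, e.g. 'S' to list the
    commands that ran with superuser privilege. Only the command name is
    logged, so a record showing 'vi' may be any program renamed to vi."""
    return [r for r in records if r["flags"] & set(letters)]
```

Run it over `lastcomm` output piped into `parse_lastcomm` instead of SAMPLE to get the same summaries for a real acct file.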
Many versions of UNIX place a copy of any message printed on the system console in a file called /usr/adm/messages or /var/adm/messages. This can be particularly useful, as it does not require the use of special software for logging - only a call to printf in a C program or an echo statement in a shell script.
Here is a sample of the /var/adm/messages file from a computer running SunOS version 4.1:
Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times
As you can see, the computer bolt is having a problem with a filled disk.