                         COMPUTER AND NETWORK
                         SYSTEM  ADMINISTRATION
                         Summer 1996 - Lesson 24

                               Accounting


A.  Four main types of accounting with standard UNIX systems

   1. login accounting

   2. process accounting

   3. printer accounting

   4. syslog logging


B. login accounting


  1.  utmp structure

    - login accounting uses the structure defined in 

    - the SunOS utmp structure contains the following members:

        ut_line[8]  - name of the terminal on which the user logged in

        ut_name[8]  - name of the user who logged in

        ut_host[16] - name of the host from which the user remotely 
                      logged in

        ut_time     - time at which the user logged in, in seconds since
                      00:00 GMT, January 1, 1970


    - the Solaris utmpx structure is an extension on utmp and contains the 
      following members:

        ut_user[32]   - user login name
        ut_id[4]      - inittab id 
        ut_line[32]   - device name
        ut_pid        - process id 
        ut_type       - type of entry 
        ut_exit       - process termination/exit
        timeval ut_tv - time entry was made 
        ut_session    - session ID, used for windowing
        pad[5]        - reserved for future use 
        ut_syslen     - significant length of ut_host
        ut_host[257]  - remote host name

  2. log files

    - the utmp structure is used to log login info into 2 files

     /etc/utmp (Linux: /var/run/utmp; SunOS 5.x: symlinked to /var/adm/utmp)
     /var/adm/wtmp (Linux: /var/log/wtmp)

  3. /etc/utmp (/var/adm/utmp; /var/run/utmp)

    - records who is currently logged in

    - whenever a user logs in, "login" fills in the entry

    - when the user logs out, init clears the entry

    - X Windows can also stick entries in utmp

    - note permissions in SunOS 4.x!  (utmp is world-writable)

      > any user can edit utmp

  4. /var/adm/wtmp (/var/log/wtmp)

    - records all logins and logouts

    - consists of a sequence of utmp entries

    - whenever a user logs in, login appends a record identical to
      the record it placed in utmp to the end of /var/adm/wtmp

    - whenever a user logs out, init appends a record with

             ut_line
             ut_time = time user logged out

    - when the system is shut down, init appends a record  with  a
      
             ut_line  of  ~
             ut_name of shutdown
    
    - when  the  system  is rebooted, init appends a record with a
         
             ut_line of ~  
             ut_name of reboot

    - wtmp is appended by default if the file exists

    - to stop login accounting, remove the wtmp file

    - other servers also log to "wtmp" - like "ftp"

  5. user commands to access files

    - wtmp may be partially viewed with the 'last' command

      root      ttyp5    nu        Thu Apr  6 13:30 - 13:37  (00:06)
      casey     ttyp5    zeta      Thu Apr  6 13:27 - 13:30  (00:02)
      kuncick   ttyp5    delta     Wed Apr  5 13:09 - 13:10  (00:01)
      kuncick   ttyp1    delta     Wed Apr  5 13:08 - 13:09  (00:01)
      kuncick   ttyp0    annexcs2  Tue Apr  4 17:29 - 20:58  (03:29)
      kuncick   ttyp5    annexcs2  Sun Apr  2 14:24 - 21:11  (06:46)
      bock      ttyp5    sed       Thu Mar 30 23:15 - 23:15  (00:00)
      kuncick   console            Thu Mar 30 10:58   still logged in
      reboot    ~                  Thu Mar 30 10:57 
      @@acct    acctg o            Thu Mar 30 10:58 - crash  (23:59)
      shutdown  ~                  Thu Mar 30 10:57 


    - wtmp may be summarized with the SunOS 4.x "ac" command 
      (show connect time)

    - it grows without bound so may need to be periodically truncated

      > doesn't grow that fast; for example, on sed the wtmp file goes
        back to "wtmp begins Sun Feb 13 1994" and is 1.2 Mbytes in size

      > can be VERY useful for backtracking hackers, so keep old copies
        squirreled away somewhere

    - example: "ac" results on sed

        leclair  2185.44
        strozier 1449.61
        scypher   931.61
        rwhite    862.31
        bynum     663.76
        casey     560.30
        huang     512.53
        li        463.52
        orendorf  355.20
        goyal     343.92
        zhao      340.91
        franke    321.53
        marma     314.27
        ratliff   289.43
        walters   281.58
        -------------------
          total 12720.32
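    - as an added example (not part of the original lesson), the following
      Python parses a wtmp made of the SunOS 4.x utmp records listed in B.1
      and pairs logins with logouts the way "ac" does; the sample wtmp is
      constructed inline, and big-endian (SPARC) byte order is assumed

```python
import struct

# SunOS 4.x utmp record as listed above: ut_line[8], ut_name[8], ut_host[16], ut_time.
# Big-endian 32-bit ut_time, as a SPARC host would write it (assumed for the sample).
UTMP_FMT = ">8s8s16si"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 36 bytes per record

def cstr(b):
    """Decode a NUL-padded char array (no terminator when the field is full)."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Return a list of (ut_line, ut_name, ut_host, ut_time) tuples from raw wtmp bytes."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d bytes" % UTMP_SIZE)
    return [(cstr(ln), cstr(nm), cstr(ho), t)
            for ln, nm, ho, t in struct.iter_unpack(UTMP_FMT, data)]

def connect_time(records):
    """Pair logins with logouts as ac does; return ({user: seconds}, still-open sessions).
    A record with ut_name set is a login on ut_line; ut_name empty is a logout on that
    line; ut_line ~ (shutdown/reboot) closes every open session."""
    open_by_line, totals = {}, {}
    for line, name, host, when in records:
        if line == "~":
            for user, start in open_by_line.values():
                totals[user] = totals.get(user, 0) + (when - start)
            open_by_line.clear()
        elif name:
            open_by_line[line] = (name, when)
        elif line in open_by_line:
            user, start = open_by_line.pop(line)
            totals[user] = totals.get(user, 0) + (when - start)
    return totals, open_by_line

def make_record(line, name, host, when):
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), when)

# Constructed sample wtmp: two logins, one explicit logout, shutdown/reboot, one still open.
T0 = 828800000
SAMPLE_WTMP = b"".join([
    make_record("ttyp5", "casey", "zeta", T0),
    make_record("ttyp1", "kuncick", "delta", T0 + 60),
    make_record("ttyp5", "", "", T0 + 180),              # casey logs out
    make_record("~", "shutdown", "", T0 + 600),          # closes kuncick's session
    make_record("~", "reboot", "", T0 + 660),
    make_record("console", "root", "", T0 + 700),        # still logged in
])
```

      Dividing the per-user seconds by 3600 gives the hours "ac" prints; the
      session left open at the end of the file is reported separately rather
      than charged up to "now".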


  6. /var/adm/lastlog 

     - records the most recent login date for every user who has logged in

     - is a sequence of lastlog structure entries

     - defined in  and contains:


         ll_time - time logged  in

         ll_line - terminal on which the user logged in

         ll_host - name of the host from which the user remotely 
                   logged in

     - the file appears to be large since the UID is used as the lseek
       offset (uid * sizeof(struct lastlog)), leaving holes for unused
       UIDs; it really occupies much less disk space

     - used by the finger command
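     - as an added example (not part of the original lesson), the following
       Python builds a lastlog of the records listed above in a temporary
       directory, seeking to uid * sizeof(struct lastlog) the way login does,
       and reads an entry back; the record packing and the sample values are
       assumed/constructed

```python
import os
import struct
import tempfile

# SunOS lastlog record as listed above: ll_time (32-bit), ll_line[8], ll_host[16].
# Big-endian packing is an assumption for the constructed file.
LASTLOG_FMT = ">i8s16s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 28 bytes

def write_lastlog(path, uid, when, line, host):
    """Record a login for uid: lseek to uid * sizeof(struct lastlog) and write one record.
    Writing past EOF leaves a hole for the UIDs in between, so the file's size is
    (highest uid + 1) * 28 while the blocks actually allocated stay small."""
    rec = struct.pack(LASTLOG_FMT, when, line.encode(), host.encode())
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        os.lseek(fd, uid * LASTLOG_SIZE, os.SEEK_SET)
        os.write(fd, rec)
    finally:
        os.close(fd)

def read_lastlog(path, uid):
    """Return (ll_time, ll_line, ll_host) for uid, or None if the user never logged in."""
    with open(path, "rb") as f:
        f.seek(uid * LASTLOG_SIZE)
        rec = f.read(LASTLOG_SIZE)
    if len(rec) < LASTLOG_SIZE or rec == b"\0" * LASTLOG_SIZE:
        return None     # short read past EOF, or an all-zero slot inside a hole
    when, line, host = struct.unpack(LASTLOG_FMT, rec)
    return when, line.split(b"\0", 1)[0].decode(), host.split(b"\0", 1)[0].decode()

def demo(uid=30000):
    """Build a constructed lastlog in a temp dir; return (st_size, bytes allocated, hit, miss)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lastlog")
        write_lastlog(path, 500, 828700000, "console", "")      # a low UID
        write_lastlog(path, uid, 828800000, "ttyp5", "zeta")    # a high UID far past EOF
        st = os.stat(path)
        allocated = getattr(st, "st_blocks", 0) * 512           # what ls -s / du would show
        return st.st_size, allocated, read_lastlog(path, uid), read_lastlog(path, 501)
```

       Comparing the first two values returned by demo() shows the "large
       but really much smaller" effect: st_size is (30000 + 1) * 28 bytes
       while only the two written blocks are allocated.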


C. process accounting

  1. structure of accounting record is in 

     ac_uid     - accounting user ID
     ac_gid     - accounting group ID
     ac_tty     - control typewriter 
     ac_btime   - beginning time 
     ac_utime   - accounting user time
     ac_stime   - accounting system time 
     ac_etime   - accounting elapsed time 
     ac_mem     - average memory usage 
     ac_io      - chars transferred 
     ac_rw      - blocks read or written
     ac_comm[8] - accounting command name 

  2. accounting management

    - must be configured into kernel

      SunOS 4.x: options SYSACCT  
      Linux: ? (currently stubbed, I believe)

    - must turn accounting on (usually at boot)

      /etc/rc:  /usr/lib/acct/startup

    - this is a script that basically calls: accton

    - the file /var/adm/pacct (or other named accounting file) 
      must exist


  3. log files

     /var/adm/pacct

    - may grow several Mbytes per day

    - use the 'sa' command to:

          summarize into usracct and 
          truncate pacct

    example: /usr/etc/sa -sm > /usr/adm/user_acct

         > condenses by user and merges into a summary file so that
           ongoing accounting may be performed
         > prints number of processes and number of CPU minutes for
           each user

     root     239461   1467.96cpu  229165616tio    174507948k*sec
     ayala    120897    153.78cpu   24458002tio      8569180k*sec
     nobody    88722     35.72cpu   15564618tio       384545k*sec
     bin       75131    184.53cpu   50404162tio      4195338k*sec
     lloyd     52119    112.78cpu   37252833tio     19821697k*sec
     healy     51933   1833.79cpu  180641905tio    148176008k*sec
     reynolds  48571     81.71cpu   26177964tio     12638144k*sec
     casebeer  42653     93.83cpu   19329479tio     19691828k*sec
     bicsak    27498     35.09cpu   12911078tio      8382788k*sec
     pardue    23722     97.15cpu   20082970tio     29483545k*sec
     stepp     20940     47.66cpu   15030497tio      6314386k*sec
     sukkert   19376     53.89cpu   27370651tio      9097737k*sec
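    - as an added example (not part of the original lesson), the following
      Python decodes the comp_t encoding pacct uses for its counters and
      summarizes constructed accounting records per user the way "sa -m"
      does; the byte layout of the record, the HZ value and the sample
      records are assumptions, not the SunOS definitions

```python
import struct

# comp_t is the 16-bit pseudo-float pacct uses for times and counts:
# a 3-bit base-8 exponent in the high bits over a 13-bit mantissa.
def comp_t_decode(c):
    return (c & 0x1FFF) << (3 * ((c >> 13) & 7))

def comp_t_encode(n):
    """Shift right by octal digits until the mantissa fits (precision is lost, as in the kernel)."""
    exp = 0
    while n > 0x1FFF:
        n >>= 3
        exp += 1
    if exp > 7:
        raise OverflowError("value too large for comp_t")
    return (exp << 13) | n

# Constructed packing of the fields listed above: 16-bit uid/gid/tty, 32-bit ac_btime,
# six comp_t counters, 8-byte ac_comm.  Field order and byte order are assumed here.
ACCT_FMT = ">HHHiHHHHHH8s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)   # 30 bytes
HZ = 100   # clock ticks per second, assumed for the sample

def make_acct(uid, gid, tty, btime, utime, stime, etime, mem, io, rw, comm):
    """Pack one record, running the tick counts and sizes through comp_t."""
    counters = [comp_t_encode(v) for v in (utime, stime, etime, mem, io, rw)]
    return struct.pack(ACCT_FMT, uid, gid, tty, btime, *counters, comm.encode()[:8])

def summarize(data):
    """Per-UID totals as 'sa -m' reports them: {uid: (processes, cpu_ticks)}."""
    totals = {}
    for rec in struct.iter_unpack(ACCT_FMT, data):
        uid, cpu = rec[0], comp_t_decode(rec[4]) + comp_t_decode(rec[5])
        n, ticks = totals.get(uid, (0, 0))
        totals[uid] = (n + 1, ticks + cpu)
    return totals

def report(totals):
    """Lines in the shape of the sa -m output above: uid, #procs, CPU minutes."""
    return ["%-8d %7d %10.2fcpu" % (uid, n, t / HZ / 60.0)
            for uid, (n, t) in sorted(totals.items(), key=lambda kv: -kv[1][0])]

# Constructed pacct: the man/sh/more triple from the acctcom listing (ac_comm holds the
# name of the image last exec'd, so a shell forked by man shows up as "sh"), plus one root job.
SAMPLE_PACCT = b"".join([
    make_acct(1234, 20, 5, 828800000, 3, 2, 258, 160, 4096, 12, "man"),
    make_acct(1234, 20, 5, 828800001, 1, 2, 247, 96, 1024, 4, "sh"),
    make_acct(1234, 20, 5, 828800001, 12, 3, 240, 128, 65536, 30, "more"),
    make_acct(0, 0, 0, 828800030, 12000, 3000, 90000, 512, 1000000, 500, "find"),
])
```

      Large counters come back rounded (90000 elapsed ticks decode as 89984)
      because comp_t keeps only 13 significant bits; that is why sa totals
      are approximations rather than exact sums.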


  4. problems with process accounting

    - if the file system fills up, accounting is turned off

    - only logs when a process completes

    - if a process calls exec then the process name in the accounting
      record will be the new command name

    - was really designed for billing purposes not for security

  5. user commands

    - view pacct file with lastcomm or acctcom

    - acctcom is more flexible

    - example: acctcom -b -u kuncick

      COMMAND                      START    END          REAL     CPU    MEAN
      NAME       USER     TTYNAME  TIME     TIME       (SECS)  (SECS) SIZE(K)
      man        kuncick  ttyp1    12:04:30 12:04:32     2.58    0.03    0.00
      sh         kuncick  ttyp1    12:04:31 12:04:33     2.47    0.03    0.00
      more       kuncick  ttyp1    12:04:31 12:04:33     2.40    0.15    0.00
      man        kuncick  ttyp1    12:04:27 12:04:28     1.32    0.18    0.00
      acctcom    kuncick  ttyp1    12:04:20 12:04:20     0.10    0.02    0.00
      man        kuncick  ttyp1    12:04:11 12:04:14     3.28    0.05    0.00
      sh         kuncick  ttyp1    12:04:12 12:04:14     2.57    0.02    0.00
      more       kuncick  ttyp1    12:04:12 12:04:14     2.42    0.07    0.00 
      acctcom    kuncick  ttyp1    12:04:02 12:04:03     1.83    1.02    0.00

    - note that commands are in order of end time not start time


D. printer accounting

  1. standard UNIX printer accounting 

    - is not very useful

    - page counts are approximations

    - no quotas are enforced just accounting


  2. CS dept. method (thanks to Dr. Bellenot and others)

    - hp3:sd=/usr/localspool/hp3
         :lp=/dev/null
         :if=/usr/hp3/lwif