Process accounting is a security method in which an administrator keeps track of the system resources used, how they are allocated among users, and, at a minimum, which commands each user ran. It also provides a basis for system monitoring.
This has both positive and negative points. One positive is that an intrusion may be narrowed down to its point of entry, because every command a user ran is recorded along with the user and terminal it ran from. One negative is the volume of records process accounting generates and the disk space they require, since a record is written for every process that exits. This section will walk an administrator through the basics of process accounting.
Before making use of process accounting, it must be enabled. To do this, execute the following commands:
# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
The first two commands create the accounting file and turn accounting on immediately; the line added to /etc/rc.conf makes it start again at boot. Running accton(8) with no file argument turns accounting off. Once enabled, accounting will begin to track CPU statistics, commands, and so on. All accounting records are written in a binary format, described in acct(5), and may be viewed using the sa(8) utility. If issued without any options, sa will print information relating to the number of calls per command, the total elapsed time in minutes, total CPU and user time in minutes, the average number of I/O operations, etc. Records are appended when a process exits, so a command that is still running does not yet appear in the file.
To view information about the commands that were issued, one would use the lastcomm(1) utility. The lastcomm command may be used to print out the commands issued by users on specific ttys(5). For example:
# lastcomm ls trhodes ttyp1
would print out all known usage of ls by trhodes on the ttyp1 terminal. Note that the accounting record stores only the command name, not its arguments, so lastcomm can show that ls was run but not what it was run on.
Many other useful options exist and are explained in the lastcomm(1), acct(5) and sa(8) manual pages.
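The sa(8) summary and the lastcomm(1) listing above are the two views an administrator gets of the accounting file. The following script is an added example, not part of the original handbook text or of the FreeBSD tools: it parses lastcomm(1) output (the column order is the one lastcomm prints: command, flags, user, tty, CPU seconds, start time, optional elapsed time), produces a per-user summary in the spirit of sa, records where each user's session on each tty begins (the "point of entry" the text mentions), and lists records worth a closer look. The sample records, user names, tty names and times are constructed for the example; `__` is what lastcomm prints when a process had no controlling tty, and the flag letters follow the lastcomm(1) manual page.

```python
"""Triage of lastcomm(1) output: per-user summary plus records worth a second look."""
import re
from collections import defaultdict

# One lastcomm(1) record per line: command, flags, user, tty, CPU seconds, start time,
# and an optional elapsed time in parentheses. Flag letters after the leading '-':
# S used super-user permissions, F forked without exec, C compatibility mode,
# D dumped core, X killed by a signal (see lastcomm(1)).
RECORD_RE = re.compile(
    r"^(?P<comm>\S+)\s+(?P<flags>-[SFCDX]*)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>\d+\.\d+) secs\s+(?P<start>\w{3} \w{3} +\d{1,2} \d{2}:\d{2})"
    r"(?:\s+\((?P<elapsed>\d+:\d{2}:\d{2}(?:\.\d+)?)\))?\s*$"
)

# Constructed sample, not taken from a real system: the users, ttys, commands
# and times are invented to exercise the parser.
SAMPLE = """\
sh               -       trhodes  ttyp1      0.01 secs Tue Jun 25 14:08
ls               -       trhodes  ttyp1      0.00 secs Tue Jun 25 14:08
su               -       trhodes  ttyp1      0.02 secs Tue Jun 25 14:09
sh               -       root     ttyp1      0.01 secs Tue Jun 25 14:09
tcpdump          -X      root     ttyp1      1.43 secs Tue Jun 25 14:10
cron             -F      root     __         0.00 secs Tue Jun 25 14:10
ls               -       trhodes  ttyp2      0.00 secs Tue Jun 25 14:12 (0:00:12)
"""


def parse_lastcomm(text):
    """Turn lastcomm(1) output into a list of dicts, one per accounting record."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a lastcomm record: {line!r}")
        rec = m.groupdict()
        rec["flags"] = rec["flags"][1:]   # drop the leading '-'
        rec["cpu"] = float(rec["cpu"])
        rec["seq"] = lineno               # file order is process exit order
        records.append(rec)
    return records


def per_user_summary(records):
    """Command count, CPU seconds and ttys used per user, in the spirit of sa(8)."""
    summary = defaultdict(lambda: {"commands": 0, "cpu": 0.0, "ttys": set()})
    for r in records:
        s = summary[r["user"]]
        s["commands"] += 1
        s["cpu"] += r["cpu"]
        s["ttys"].add(r["tty"])
    return dict(summary)


def first_seen(records):
    """First record per (user, tty): where each user's activity on each tty begins."""
    first = {}
    for r in records:
        first.setdefault((r["user"], r["tty"]), r)
    return first


def review(records, privileged=("root",)):
    """Records worth a closer look: a privileged user running commands from an
    interactive tty (anything other than '__'), a command that dumped core, or
    a command that was killed by a signal."""
    hits = []
    for r in records:
        reasons = []
        if r["user"] in privileged and r["tty"] != "__":
            reasons.append("privileged user on tty")
        if "D" in r["flags"]:
            reasons.append("dumped core")
        if "X" in r["flags"]:
            reasons.append("killed by signal")
        if reasons:
            hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    for user, s in sorted(per_user_summary(recs).items()):
        print(f"{user:10} {s['commands']:4d} cmds {s['cpu']:8.2f} cpu-secs ttys={sorted(s['ttys'])}")
    for (user, tty), r in first_seen(recs).items():
        print(f"first on {tty:6} {user:10} {r['comm']:16} {r['start']}")
    for r, reasons in review(recs):
        print(f"REVIEW {r['comm']:16} {r['user']:10} {r['tty']:6} {', '.join(reasons)}")
```

On a real system, feed it `lastcomm` output for the time window under investigation. Because only the command name is stored, the script can tell you that root ran tcpdump from ttyp1 immediately after trhodes ran su there, but not what tcpdump captured; that is as far as the accounting file itself takes an investigation.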
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.