Process accounting is a security method in which an administrator may keep track of system resources used, their allocation among users, provide for system monitoring, and minimally track a user's commands.
Process accounting has both positive and negative points. One positive is that an intrusion may be narrowed down to its point of entry. A negative is the volume of logs generated by process accounting, and the disk space they may require. This section will walk an administrator through the basics of process accounting.
Before making use of process accounting, it must be enabled. To do this, execute the following commands:
# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
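The three commands above are one-shot; the following helpers, added here as an example and not part of the FreeBSD Handbook, wrap them so that re-running the procedure never appends a duplicate line to rc.conf, and add two checks an administrator can run afterwards: whether rc.conf actually enables accounting (last assignment wins, as when sh sources the file, and values are matched the way rc.subr's checkyesno does), and how much disk the accounting file currently occupies, which is the growth the section warns about. The rc.conf and accounting-file paths are passed as arguments (an assumption made so the functions can be exercised on scratch copies); the chmod is an added restriction, not a step from the text.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook.
# Helpers around enabling process accounting and checking its state.

# Return 0 if FILE sets accounting_enable to a "yes" value, 1 otherwise.
# Commented-out lines are ignored; the last assignment in the file wins.
check_acct_rc() {
    file="$1"
    [ -r "$file" ] || return 1
    val=$(sed -n 's/^[[:space:]]*accounting_enable=//p' "$file" \
          | tail -n 1 | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Append accounting_enable="YES" only if it is not already in effect,
# so repeated runs do not litter rc.conf with duplicate lines.
enable_acct_rc() {
    file="$1"
    check_acct_rc "$file" && return 0
    echo 'accounting_enable="YES"' >> "$file"
}

# Disk usage of the accounting file in kilobytes (0 and non-zero status
# if it does not exist). Useful for watching log growth over time.
acct_file_kb() {
    file="$1"
    [ -f "$file" ] || { echo 0; return 1; }
    du -k "$file" | cut -f1
}

# The three steps from the text. Requires root on FreeBSD; the paths default
# to the ones used in the text. chmod 600 is added here (assumption: you want
# the accounting data readable by root only), it is not part of the text.
enable_process_accounting() {
    rc="${1:-/etc/rc.conf}"
    acct="${2:-/var/account/acct}"
    touch "$acct" && chmod 600 "$acct"
    accton "$acct"
    enable_acct_rc "$rc"
}

# Usage (as root):  . ./acct_helpers.sh && enable_process_accounting
# Afterwards:       check_acct_rc /etc/rc.conf && acct_file_kb /var/account/acct
```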
Once enabled, accounting will begin to track CPU statistics, commands, and so on. All accounting logs are in a non-human-readable format and may be viewed using the sa(8) utility. If issued without any options, sa will print information relating to the number of per-user calls, the total elapsed time in minutes, total CPU and user time in minutes, the average number of I/O operations, and so on.
To view information about commands being issued, one would use the lastcomm(1) utility. lastcomm may be used to print out commands issued by users on specific ttys(5), for example:
# lastcomm ls trhodes ttyp1
would print out all known usage of the ls command by trhodes on the ttyp1 terminal.
Many other useful options exist and are explained in the lastcomm(1), acct(5) and sa(8) manual pages.
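lastcomm prints one line per process, which becomes unwieldy on a busy system. The script below is an added example (not from the FreeBSD Handbook) that reduces lastcomm output to per-user command counts and pulls out the entries that ran set-user-ID, which is where an administrator reviewing accounting data usually looks first. It assumes lastcomm's default output layout: command, flags, user, tty, CPU seconds, date, separated by whitespace, with the flags field always beginning with '-' and carrying S for a set-user-ID execution. The sample input is constructed for illustration and is not real accounting data.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook.
# Summaries over lastcomm(1) output read from standard input.

# Print "user command count", most frequent first, to see at a glance
# who ran what and how often.
summarize_lastcomm() {
    awk '{ n[$3 " " $1]++ } END { for (k in n) print k, n[k] }' \
        | sort -k3,3nr -k1,1 -k2,2
}

# Number of times USER ran CMD according to the input.
count_user_cmd() {
    user="$1"; cmd="$2"
    awk -v u="$user" -v c="$cmd" '$3 == u && $1 == c { n++ } END { print n+0 }'
}

# "user command" for every entry whose flags include S (executed set-user-ID).
setuid_cmds() {
    awk '$2 ~ /S/ { print $3, $1 }'
}

# Constructed sample in the lastcomm output layout (not real data).
sample_lastcomm() {
    cat <<'EOF'
ls               -       trhodes    ttyp1      0.00 secs Mon Jan  1 10:00
sh               -       trhodes    ttyp1      0.01 secs Mon Jan  1 10:00
ls               -       trhodes    ttyp1      0.00 secs Mon Jan  1 10:01
cat              -       trhodes    ttyp1      0.00 secs Mon Jan  1 10:02
ls               -       root       ttyv0      0.00 secs Mon Jan  1 10:03
su               -S      trhodes    ttyp1      0.02 secs Mon Jan  1 10:04
EOF
}

# Usage on a live system (as root):
#   lastcomm | summarize_lastcomm
#   lastcomm ttyp1 | setuid_cmds
# Offline demonstration on the constructed sample:
#   sample_lastcomm | summarize_lastcomm
```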
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.