Security - Accounting 

ѵ<mailto:traxacun@unitel.co.kr>

Process Accounting ýۿ  ɵ ϰ Ѵ. ý
  ɰ    , Ǵ     
α׷, ҿ CPU ð  ϰ 踦   ִ.

μ   μ 踦 /var/adm/pacct Ѵ. ̰ 
 ڿ   Ǵ  μ Ѵ.   
ڰ ϴ ý̳  UNIX 񿡴   ϰ ɸ Ǹ, 
ü ý  Ͻų  ִ.   μ  μ
  ͸ ̹μ ϴµ,  ڰ , Ǵ 
μ , 뷮 ϱ޼ þ  ȴ. ڰ   
  ̿ ý Ʈ     Ǿ  ڰ ýۿ  
   Ǵ һ簡 Ͼ   ִ.  ڴ cron̳ ÷ 
  ־ Ѵ. 

BSD 迭 ανÿ Ȱȭ System  V 迭 ʱ⿡  
ŵǾ ִ.
μ  ý ͸   μ ҹ ħڰ 
 ۾ ߴ   ִ ߿ ܼ Ѵ. ׿   
 Ȱȭ Ǿ ־  Ѵٴ ڵ (,  ý ڿ  
ŭ  ؾ ϴ ڿԴ  ٰ̱⵵ ϴ), ý 
Ͽ Ʈ       ִٴ   ʿ 츦 ϰ 
  ؾ Ѵٰ ϴ ʵ ִ.

BSD迭 System V 迭 ý ٸ  ⺻ ʹ ϴ. ٸ 
͵  ̳ ɾ ణ ̰   ִ. 

μ   ý Ŀο ؼ Ǹ, ý () 
Ǿ Ѵ.
Linux Ŀ  1.3.37  ϸ, 1.3.37 
 ͳ    ġ  ޾ƾ Ѵ.
Linux   ش  Ű     ּҿ   
ִ.

 
       http://sunsite.unc.edu/pub/Linux/system/admin/quota-acct-modified.tgz


1. μ  

μ   adm (/var/adm) ġѴ.
   BSD 迭̳ System V 迭̳ ū ̰ .
 μ 迡   ̴.

- ɾ 
- CPU  ð
- μ  ð
- μ  ð
- μ  ð
- ڿ ׷ ID
- ޸ Ȱȭ ð
- TTY ʱȭ
- μ ÷
-   μ


2. μ  ϱ

SunOS /usr/lib/acct   ִ.

        /usr/lib/acct/startup /var/adm/pacct

rootθ ų  , startup  ⺻  /var/adm/pacct 
ȴ. ̸ ϰ   ϴ  θ н  ִ 
 .

Linux /sbin/acct   ִ.

        /sbin/accton /var/log/pacct

Linux SunOS  ġ ٸ   ִ. Դٰ Linux  
  ̵  ġ ٸ   ִ.   ġ ˾Ƶΰ
   ο ϸ   ִ  .

ý shutdown ų   μ       
ִ  .

SunOS ý  ũƮ /usr/lib/acct/shutacct ߰Ѵ.
shutacct /var/adm/wtmp ڵ带 μ  μ 
  Ǿ(kill -9   ),  Ǿ
   ִ.
׷ μ  reboot -q    ý   ġ
 ʰ ý  Űų poweroff ý Ű  
 Ѵ.(̰   ϵ   ʴ´.  ڰ ý
ۿ ħϿ  ý   Ǵ ý״ δ ˾
 ƴ)

Linux ý  ũƮ /sbin/accton ߰Ѵ.
accton ýۿ μ 谡 Ȱȭ Ǿ   ƹ   
  μ 踦 Ȱȭ Ų.


3.   ̿ϱ

  SunOS  μ 踦 ̿  ִ   Ϸ ɾ
 ũƮ  ִ.
           ޼     Ŀ         ϱ     ؼ 
/usr/lib/acct/runacct cron ؼ Ϸ翡   ϵ Ѵ.
  runacct runacct    ðκ   Ǵ ð 
  αϵ ϰ 踦 , α  ʱȭ ش.
  ̰ μ     ʴ´.    ũƮ 
̿ log-rotate ԰ ÿ ̰ ϴ  .
  runacct ؼ ۼ     ִ prdaily ũ
Ʈ ִ.

        /usr/lib/acct/prdaily mmdd

  prdaily Էϸ  ֱ α׵  ش. mmdd  Ư 
 μ 踦   Ѵ.(ش ڿ runacct Ǿ߸ 
ϸ, ׷   prdaily 
ش    ٴ  ش)

        /usr/lib/acct/prdaily 0816

 8 16 16:28 1999  DAILY REPORT FOR purple  1


from   8 16 09:31:49 1999
to     8 16 16:18:46 1999
1       runacct
1       acctcon

TOTAL DURATION IS 407 MINUTES
LINE         MINUTES  PERCENT  # SESS  # ON  # OFF
/dev/pts/6   0        0        0       0     0
/dev/pts/7   0        0        0       0     0
ftp26597     1        0        2       1     0
ftp27552     2        0        2       1     0
pts/1        0        0        0       0     1
pts/2        0        0        0       0     1
pts/5        0        0        0       0     1
pts/6        30       7        5       5     5
pts/7        1        0        1       1     1
pts/4        0        0        0       0     1
TOTALS       33       --       10      8     10


 8 16 16:28 1999  DAILY USAGE REPORT FOR purple  1

       LOGIN   CPU(MINS)    KCORE-MINS  CONNECT(MINS)  DISK   # OF   # OF  # DISK FEE
  UID  NAME  PRIME NPRIME  PRIME NPRIME PRIME NPRIME  BLOCKS  PROCS  SESS  SAMPLE
  0    TOTAL   1     0    59593  0      33    0       0      1781    8     0      0
  0    root    0     0    567    0      30    0       0      1597    6     0      0
  5    uucp    0     0    15     0      0     0       0      98      1     0      0
  105  trax    0     0    0      0      2     0       0      0       1     0      0
  700  oracle  1     0    59004  0      0     0       0      73      0     0      0



 8 16 16:18 1999  DAILY COMMAND SUMMARY  1


                                     TOTAL COMMAND SUMMARY
COMMAND   NUMBER      TOTAL       TOTAL       TOTAL   MEAN    MEAN     HOG         CHARS   BLOCKS
NAME        CMDS    KCOREMIN     CPU-MIN   REAL-MIN  SIZE-K  CPU-MIN  FACTOR      TRNSFD    READ

TOTALS      1781    59651.32      1.17       315.97 50918.78   0.00   0.00    121530952     856

oracle        10    58953.90      0.64       199.35 92743.41   0.06  0.00      15964296     0
proc_his       6      173.97      0.13         0.15 1311.36   0.02   0.90     47779976      12
sh           367       82.82      0.06        33.36 1453.01   0.00  0.00       461811       19
sadc         165       70.26      0.08        11.10  869.18   0.00  0.01       4136304      0
date         333       48.32      0.04         0.04 1300.13   0.00  0.95        54975       1
in.ftpd        2       40.32      0.03         2.37 1439.86   0.01  0.01      29487104      317
sqlplus        6       29.88      0.01         1.23 2676.18   0.00  0.01        369464      1
sar          165       28.44      0.03        11.14 1115.35   0.00  0.00       4204128      26


 8 16 16:18 1999  MONTHLY TOTAL COMMAND SUMMARY  1


                                     TOTAL COMMAND SUMMARY
COMMAND   NUMBER      TOTAL       TOTAL       TOTAL   MEAN    MEAN     HOG         CHARS    BLOCKS
NAME        CMDS    KCOREMIN     CPU-MIN   REAL-MIN  SIZE-K  CPU-MIN  FACTOR      TRNSFD     READ

TOTALS      1781    59651.32      1.17       315.97 50918.78   0.00   0.00    121530952     856

oracle        10    58953.90      0.64       199.35 92743.41   0.06  0.00      15964296     0
proc_his       6      173.97      0.13         0.15 1311.36   0.02   0.90     47779976      12
sh           367       82.82      0.06        33.36 1453.01   0.00  0.00       461811       19
sadc         165       70.26      0.08        11.10  869.18   0.00  0.01       4136304      0
date         333       48.32      0.04         0.04 1300.13   0.00  0.95        54975       1
in.ftpd        2       40.32      0.03         2.37 1439.86   0.01  0.01      29487104      317
sqlplus        6       29.88      0.01         1.23 2676.18   0.00  0.01        369464      1
sar          165       28.44      0.03        11.14 1115.35   0.00  0.00       4204128      26
proc_day       4       19.88      0.02         0.02 1282.67   0.00  0.90       5834702      4


 8 16 16:20 1999  LAST LOGIN  1

00-00-00  adm      00-00-00  noaccess 00-00-00  sys
00-00-00  bin      00-00-00  nobody   00-00-00  uucp
00-00-00  daemon   00-00-00  nobody4  99-08-09  oracle
00-00-00  listen   00-00-00  nuucp    99-08-16  traxacun
00-00-00  lp       00-00-00  rose     99-08-16  purple
00-00-00  inyashio 00-00-00  smtp     99-08-16  root


̿      ִ.   ͹̳ε  ð,   
 ۾ ð, ɾ   ,  ,   αϵ   
.
̿   ؼ ش ý  ۾  δ, μ
 ۾  δ ľ  ְ, ̸  ý   ȿ
   ֵ   ִ.

, startup shutacct turnacct ̿ϴ  ũƮ̴.  ũƮ
  μ  迡    ӽ   ϵ         α 
/var/adm/wtmp   Ѵ.
 ũƮ /var/adm/wtmp 'acctg on'  'acctg off' α 
 ⵵ Ѵ.
turnacct  on, off, switch Ű带 ´. 'turnacct on' 
 踦 ȰȭŰ,  'turnacct off' μ  踦 ȰȭŲ
. 'turnacct switch'  ٲٴ  Ѵ.

turnacct ũƮ̴. nulladm  ̿  /var/adm/pacct  0 
Ʈ ʱȭŰ, accton  ̿ μ 踦 ȰȭŲ.
accton  μ  迡 ؼ ġ  ۵Ѵ. Ȱȭ Ǿ 
 ϸ  ϸ,  ŵǾ     ȰȭŲ
.

startup ũƮ   .

        turnacct on
        rm -f /var/adm/acct/sum/wtmp*
        rm -f /var/adm/acct/sum/pacct*
        rm -f /var/adm/acct/nite/lock*

μ    ȰȭŰ,    ϵ ϴ  
Ѵ.
turnacct   rotateŰ ο   Ѵ.

        case "$1" in
        on)
                # create an empty pacct file if none is readable, then
                # start accounting into it (accton with a file name)
                if test ! -r pacct
                then
                        cat /dev/null > pacct
                fi
                accton pacct
                ;;
        off)
                # accton with no argument turns process accounting off
                accton
                ;;
        # the switch) branch of the script is not shown in this excerpt
        esac

μ     0  Ʈ   ϰ, 
   ִ 쿡 μ   ȰȭŲ.

shutacct ũƮ μ    ȰȭŰ  ܼ Ҹ 
Ѵ.

Linux   Ϸ  ǰ,  ܼȭ Ǿ ִ. μ
   Ȱȭ Ȱȭ accton ɿ ؼ ȴ.( 
 ũƮ  ʴ´)

Linux prdaily     ִ  ũƮ . 
 踦 ؼ ִ Ǹ α׷ ִ. sa Linux 
 μ 踦 Ͽ ش.

        %sa -a

      77       1.02re       0.06cp         0avio       350k
       3       0.03re       0.03cp         0avio       287k   modprobe
       4       0.01re       0.01cp         0avio       513k   troff
       6       0.23re       0.00cp         0avio       321k   man
       4       0.02re       0.00cp         0avio       374k   info
       6       0.22re       0.00cp         0avio       355k   less
       4       0.01re       0.00cp         0avio       381k   grotty
       7       0.23re       0.00cp         0avio       413k   sh

ȭ鿡 Ÿ    .

- cpu : cpu ð ý۰   
- re  : cpuð  ǽð(real time)
- k   : core 뿡   cpu ð
- avio :  ð   (I/O) Ƚ
- tio : (I/O) Ƚ  Ѱ
- u   : cpu ð ȯ  cpu ð
- s   : cpu ð ȯ ý ð

μ 谡 Ȱȭ Ǿ      ִ  ɾ 
ٷ lastcomm̴. μ     Ǿ , /var/adm/pacct 
 ٴ  Ѵ.
sa п پ  Ѵ. ڼ   Ŵ  
϶. 
SunOS sa1, sa2, sadc system activity report Ű ִ. ̰ 
ýۿ   ٸ    Linux saʹ  ̸, 
   ڿ  ̴.

        %lastcomm

sh       S  uucp     __             0.01 secs Mon Aug 16 17:11
uudemon.    uucp     __             0.01 secs Mon Aug 16 17:11
uuxqt       uucp     __             0.01 secs Mon Aug 16 17:11
uusched     uucp     __             0.00 secs Mon Aug 16 17:11
vi          root     pts/4          0.02 secs Mon Aug 16 17:10
sh       S  root     __             0.01 secs Mon Aug 16 17:10
sh        F root     __             0.00 secs Mon Aug 16 17:10
sar         root     __             0.02 secs Mon Aug 16 17:10
sadc        root     __             0.02 secs Mon Aug 16 17:10
date        root     wscons         0.01 secs Mon Aug 16 17:10

lastcomm    ɾ , ͹̳,  ɾ ð 
  ִ.
uucp  ؼ  ̴.   ؼ Ǵ 쳪 ׶
 Ǵ ۾   ͹̳ ſ '--'  Ÿ. pts/4 ش 
͹̳ ȣ̴. wscons UNIX ӽ ܼ  տ  ۾ߴٴ  
ǹѴ.

ý  踦  sar sadc   ɾ root  
 ְ, cron ؼ  ׶ ɵ̴. ̿  ɵ 
root   ɾ ƴϴ.


S F  ÷װ ִ.  ÷ ǹ̴  .

  - S : Set UID α׷ μ 
  - F :  μ 

Ư ڿ    ɾ  ְų  Ư ͹̳θ  
 쿡   Ѵ.

        %lastcomm root
        %lastcomm pts/4
        %lastcomm root pts/6
        %lastcomm date

ù ° root ڿ   ɾ ָ,  ° 4 
̳ο  ɾ鿡 ؼ,  ° root ڰ 6 ͹̳ο 
 ɾ ش.  'date' ɾ   
ڿ ͹̳ ش.
̰   μ  Ͽ Ѵ.
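As an added example (not part of the original page), a small Python parser for the lastcomm output shown above. It reproduces the selection rule just described (each argument matches a command, user or terminal name, and all of them must match) and picks out the S-flagged set-UID runs; the layout it assumes is the fixed-width form printed on this page, and the sample lines are constructed from that output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the ten lastcomm lines quoted above, in the fixed-width
# layout the page shows (command, S/F flag columns, user, tty, CPU secs, time).
SAMPLE = """\
sh       S  uucp     __             0.01 secs Mon Aug 16 17:11
uudemon.    uucp     __             0.01 secs Mon Aug 16 17:11
uuxqt       uucp     __             0.01 secs Mon Aug 16 17:11
uusched     uucp     __             0.00 secs Mon Aug 16 17:11
vi          root     pts/4          0.02 secs Mon Aug 16 17:10
sh       S  root     __             0.01 secs Mon Aug 16 17:10
sh        F root     __             0.00 secs Mon Aug 16 17:10
sar         root     __             0.02 secs Mon Aug 16 17:10
sadc        root     __             0.02 secs Mon Aug 16 17:10
date        root     wscons         0.01 secs Mon Aug 16 17:10
"""

@dataclass
class Record:
    command: str
    flags: str       # 'S' = ran set-UID, 'F' = fork without exec
    user: str
    tty: str         # '__' = no controlling terminal (cron/daemon work)
    cpu_secs: float
    when: str

# The flag field is optional and must be a whole field, so a user such as
# "sys" is not mistaken for an S flag followed by a user "ys".
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?(?P<user>\S+)\s+"
                     r"(?P<tty>\S+)\s+(?P<secs>\d+\.\d+) secs (?P<when>.+)$")

def parse_lastcomm(text: str) -> List[Record]:
    # Lines in another format (headers, blank lines) are skipped.
    return [Record(m["cmd"], m["flags"] or "", m["user"], m["tty"],
                   float(m["secs"]), m["when"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def select(records: List[Record], *keys: str) -> List[Record]:
    # Same filter as 'lastcomm root pts/6': every key must match the record's
    # command, user or tty, so 'root' 'pts/6' means root's commands on pts/6.
    return [r for r in records if all(k in (r.command, r.user, r.tty) for k in keys)]

def setuid_runs(records: List[Record]) -> List[Record]:
    # S-flagged entries: commands that executed with a set-UID bit, which a
    # reviewer reads first when checking how privilege was used on the host.
    return [r for r in records if "S" in r.flags]
```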

acctcom -  ɾ  
