Process accounting keeps a record of every process that runs on the system: the command name, the user and group it ran as, when it started, how much CPU time and memory it used, and how it exited. From a security standpoint, this means the system administrator can establish which user ran which command and at what time. That is not only very useful when assessing a break-in or a local root compromise, but can also be used to spot attempted malicious behaviour by ordinary users of the system.
To summarize the accounting information, use the sa command. By default it lists every command found in the accounting log and prints, for each one, the number of times it was executed, the real (elapsed) time and CPU time (user plus system) in minutes, the average number of I/O operations, and the average memory use in kilobytes:

# sa
      14       0.04re       0.03cp     0avio     1297k   troff
       7       0.03re       0.03cp     0avio      422k   lastcomm
       2      63.90re       0.01cp     0avio      983k   info
      14      34.02re       0.01cp     0avio      959k   less
      14       0.03re       0.01cp     0avio     1132k   grotty
      44       0.02re       0.01cp     0avio      432k   gunzip
sa Command Examples
1. To summarize accounting information:
# sa
2. To list every command name, instead of folding names with unprintable characters and names used only once into the ***other category:
# sa -a
# sa --list-all-names
3. To sort the output by the sum of user and system time divided by the number of calls:
# sa -b
# sa --sort-sys-user-div-calls
4. To print percentages of total time for the command's user, system, and real time values:
# sa -c
# sa --percentages
5. To assume that all answers to interactive queries (such as those asked by --threshold) are affirmative, so that sa can run unattended:
# sa -f
# sa --not-interactive
6. To ignore the information in the system's default savacct summary file and report only what is in the current accounting log:
# sa -i
# sa --dont-read-summary-file
7. To print seconds per call instead of total minutes per category:
# sa -j
# sa --print-seconds
8. To sort the output by CPU-time average memory usage:
# sa -k
# sa --sort-cpu-avmem
9. To print and sort the output by the CPU-storage integral:
# sa -K
# sa --sort-ksec
10. To print separate columns for system and user time:
# sa -l
# sa --separate-times
11. To print the number of processes and the number of CPU minutes on a per-user basis, a quick way to see which account is doing the work:
# sa -m
# sa --user-summary
12. To sort the output by the number of calls:
# sa -n
# sa --sort-num-calls
13. To sort output items in reverse order:
# sa -r
# sa --reverse-sort
14. To merge the summarized accounting data into the summary files savacct and usracct (the summary files hold only totals, so keep a copy of the raw accounting log first if you may need per-process detail for an investigation later):
# sa -s
# sa --merge
15. To print the ratio of real time to the sum of system and user times:
# sa -t
# sa --print-ratio
16. To print the user id and command name of every record in the accounting file, which is the view to use when asking which user ran what:
# sa -u
# sa --print-users
17. To print the commands that were executed 10 times or fewer and be asked at the terminal, for each one, whether to add it to the junk group:
# sa -v 10
# sa --threshold 10
18. To see the version:
# sa -V
# sa --version
19. To get help:
# sa -h
# sa --help
To start collecting this data, install the acct package. Debian and Ubuntu name it acct; Red Hat, CentOS and Fedora ship the same GNU accounting tools under the name psacct. Installing the package normally turns accounting on through its service; otherwise it is switched on with accton, which points the kernel at the log file (/var/log/account/pacct on Debian-based systems, /var/account/pacct on Red Hat-based ones). From then on the kernel appends one record for every process as it exits, and the sa, lastcomm and ac commands read that file.

Three caveats matter when you rely on this during incident response. A record holds only the first 16 bytes of the executable's basename together with the user and group ids, timing, memory and exit status; it never holds the arguments or the working directory, so a shell started for a reverse shell looks the same as one started at the console. The record is written only when the process exits, so a long-running backdoor does not appear until it ends. And anyone who has obtained root can stop accounting with accton or truncate the log, so copy the file off the host regularly if it is to survive a root compromise.
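The sa and lastcomm views are aggregations over a binary log of fixed-size records, and for an investigation it is often worth reading that log directly, for example to pull out every record in which a non-root user ran something with superuser privileges. The following Python program is an added example, not code from this page or from the GNU acct package. It decodes records in the acct_v3 layout from linux/acct.h (64 bytes: flags, version, tty, exit code, uid, gid, pid, ppid, start time, elapsed time, eight comp_t counters and a 16-byte command name), including the comp_t mantissa/exponent encoding and the byte-order bit in the version field, and then applies a small triage policy. The sample log it runs on is constructed inline; the accounting clock rate of 100 ticks per second, the EXPECTED_SETUID and WATCHLIST sets and all helper names are assumptions made for the illustration.

```python
"""Read raw Linux process-accounting (acct_v3) records and triage them.
Added example, not from the page or GNU acct; layout per linux/acct.h,
AHZ = 100 and the EXPECTED_SETUID/WATCHLIST policy are assumptions."""
import struct
from dataclasses import dataclass

# struct acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
# etime (float), 8 comp_t (utime, stime, mem, io, rw, minflt, majflt, swaps),
# 16-byte command name.  Byte order is chosen per record from ac_version.
ACCT_V3_FMT = "ccHIIIIIIfHHHHHHHH16s"
ACCT_V3_SIZE = struct.calcsize("<" + ACCT_V3_FMT)  # 64 bytes
ACCT_VERSION = 3
ACCT_BYTEORDER = 0x80  # high bit of ac_version: record written big-endian
AHZ = 100              # accounting clock ticks per second (assumed)
AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10  # ac_flag
# Illustrative policy (assumed; tune to your fleet): setuid programs expected
# to set ASU for ordinary users, and tools that deserve a second look.
EXPECTED_SETUID = {"passwd", "sudo", "su", "ping", "mount", "umount"}
WATCHLIST = {"nc", "ncat", "socat", "nmap", "tcpdump", "gcc", "cc"}

def comp_t(c: int) -> int:
    """Decode comp_t: 13-bit mantissa scaled by 8 ** (3-bit exponent)."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))

def encode_comp_t(value: int) -> int:
    """Inverse of comp_t, exact while the bits shifted out are zero."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value

@dataclass
class Record:
    flags: int
    uid: int
    gid: int
    pid: int
    ppid: int
    btime: int      # process start, seconds since the epoch
    etime_s: float  # elapsed wall-clock time
    utime_s: float  # user CPU time
    stime_s: float  # system CPU time
    mem_kb: int     # average memory use
    exitcode: int
    comm: str       # executable basename, at most 16 bytes, no arguments

def parse_record(buf: bytes) -> Record:
    version = buf[1]
    endian = ">" if version & ACCT_BYTEORDER else "<"
    if version & 0x0F != ACCT_VERSION:
        raise ValueError(f"unsupported record version {version & 0x0F}")
    (flag, _ver, _tty, exitcode, uid, gid, pid, ppid, btime, etime, utime,
     stime, mem, _io, _rw, _minflt, _majflt, _swaps,
     comm) = struct.unpack(endian + ACCT_V3_FMT, buf)
    return Record(flag[0], uid, gid, pid, ppid, btime, etime / AHZ,
                  comp_t(utime) / AHZ, comp_t(stime) / AHZ, comp_t(mem),
                  exitcode, comm.split(b"\0", 1)[0].decode("ascii", "replace"))

def iter_records(data: bytes):
    """Yield every complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - ACCT_V3_SIZE + 1, ACCT_V3_SIZE):
        yield parse_record(data[off:off + ACCT_V3_SIZE])

def triage(rec: Record) -> list:
    """Return the reasons a record deserves attention (empty if none)."""
    reasons = []
    if rec.flags & ASU and rec.uid != 0 and rec.comm not in EXPECTED_SETUID:
        reasons.append(f"uid {rec.uid} ran {rec.comm} with superuser privileges")
    if rec.comm in WATCHLIST:
        reasons.append(f"{rec.comm} is on the watch list")
    if rec.flags & ACORE:
        reasons.append("dumped core")
    if rec.flags & AXSIG:
        reasons.append("killed by a signal")
    return reasons

def find_suspicious(data: bytes) -> list:
    """(record, reasons) pairs for every record that triage flags."""
    return [(rec, why) for rec in iter_records(data) if (why := triage(rec))]

def make_record(comm: str, uid: int, flags: int = 0, utime_ticks: int = 0,
                stime_ticks: int = 0, mem_kb: int = 0, etime_ticks: int = 0,
                pid: int = 4242, ppid: int = 1, endian: str = "<") -> bytes:
    """Build one constructed acct_v3 record for testing (not a real log)."""
    version = ACCT_VERSION | (ACCT_BYTEORDER if endian == ">" else 0)
    return struct.pack(endian + ACCT_V3_FMT, bytes([flags]), bytes([version]),
                       0, 0, uid, uid, pid, ppid, 1700000000, float(etime_ticks),
                       encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
                       encode_comp_t(mem_kb), 0, 0, 0, 0, 0, comm.encode("ascii"))

# Constructed sample log: a plain ls, a legitimate setuid passwd, a shell that
# ran with root privileges for uid 1000, and a six-minute nc session.
SAMPLE_LOG = b"".join([
    make_record("ls", 1000, utime_ticks=5, mem_kb=1297),
    make_record("passwd", 1000, flags=ASU, utime_ticks=2, mem_kb=2048),
    make_record("sh", 1000, flags=ASU, stime_ticks=1, mem_kb=1100),
    make_record("nc", 1000, etime_ticks=36000, mem_kb=900),
])
```

To run it against a real log, pass the contents of /var/log/account/pacct (Debian and derivatives) or /var/account/pacct (Red Hat and derivatives) to find_suspicious; on the constructed sample it reports the sh record (ASU set for uid 1000 by a program that is not an expected setuid binary) and the nc record (watch-listed), and leaves ls and passwd alone. The ASU flag is the record's own statement that the process used superuser privileges, so for a uid other than 0 it is the single most useful bit in the log: expected from setuid programs, interesting from anything else, and alarming from a shell. The dataclass also makes visible what the record does not contain: no arguments, no working directory, and nothing at all about a process that has not yet exited.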