SANS Digital Forensics and Incident Response Blog

Unix System Accounting and Process Accounting

Accounting reports created by the system accounting service present the *NIX administrator with the information to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst and allows for the monitoring of system resourcing. This data can be a means of finding what processes and resources have been used and by which user.

When the system accounting has been enabled on a *NIX system, the collection of statistical data will begin when the system starts or a least from the moment that the accounting service is initiated. The standard data collected by system accounting will include the following categories:

  • Connect session statistics
  • Disk space utilization
  • Printer use
  • Process use

The accounting system process starts with the collection of statistical data from which summary reports can be created. These reports can assist in system performance analysis and offer the criteria necessary to establish an impartial customer charge back billing system or many other functions related to the monitoring of the system. A number of the individual categories of statistics collected have been listed in the sections that follow.

Connect Session Statistics

Connect session statistics allow an organization to bill, track or charge access based on the tangible connect time. Connect-session accounting data, associated with user login and logout, is composed by the init and login commands. When a user logs into the *NIX system, the login program makes an entry in the "wtmp" file. This file will contain the following user information:

  • Date of login/logout
  • Time of login/logout
  • Terminal port
  • User name

This data may be can be utilized in the production of reports containing information valuable to the computer forensic investigator, system security tester and system administrator. Some of the information that can be extracted includes:

  • Connect time seconds used,
  • Date and starting time of connect session,
  • Device address of connect session,
  • Login name,
  • Number of prime connect time seconds used,
  • Number of nonprime connect time seconds used,
  • Number of seconds elapsed from Jan 01st 1970 to the connect-session start time,
  • Process Usage,
  • User ID (UID) associated with the connect-session.

It is also possible to gather statistics about individual processes using system accounting. Some areas that may be collected include:

  • Elapsed time and processor time consumed by the process,
  • First eight characters of the name of the command,
  • I/O (Input/output) statistics,
  • Memory usage,
  • Number of characters transferred,
  • Number of disk blocks read or written by the process ,
  • User and group numbers under which the process runs.

Many *NIX systems maintain statistical information in a "pacct" or process account database or accounting file. This database is commonly found in the "/var/adm/pacct" file, but like many *NIX log files, this will vary from system to system. The accounting file used by many of the system and process accounting commands. When a process terminates, the kernel writes information explicit to the particular process into the "pacct" file. This file consists of the following information:

  • Command used to start the process
  • Process execution time
  • Process owner's user ID

When system accounting is installed and running on a *NIX system, commands to display, report, and summarize process information will be available. Commands such as "ckpacct" can be used by the administrator or system security tester to ensure that the process accounting file ("pacct") remains under a set size and thus is stopped from either growing too large or possibly impacting system performance in other ways.

Disk Space Utilization

System accounting provides the ability for the system security tester to receive information concerning the disk utilization of the users. As it is possible to restrict users to a specified disk usage limit, the system security tester may need to validate usage through a disk quota system. This may be monitored and tested to ensure users are adhering to limits. This allows an unwary client to be charged fees that are correctly associated with another account. Disk usage commands perform three basic functions:

  • Collect disk usage by filesystem,
  • Gather disk statistics and maintain them in a format that may be used by other system accounting commands for further reporting,
  • Report disk usage by user.

Note: it is necessary to be aware that users can avoid charges and quota restrictions for disk usage by changing the ownership of their files to that of another user. The "chown" command provides a simple method for users to change ownership of files. Coupled with the ability to set access permissions (such as through the use of the "chmod" command), a user could create a file owned by another party that they could still access.

Printer Usage

Printer usage data is stored in the "qacct" file (this is commonly located in "/var/adm/qacct" on many systems though this varies). The "qacct" file is created using an ASCII format. The qdaemon writes ASCII data to the "qacct" file following the completion of a print job. This file records printer queue data from each print session and should at a minimum contain the following fields:

  • User Name
  • User number(UID)
  • Number of pages printed

Automatic Accounting Commands

To accumulate accounting data, the *NIX system needs to have a number of command entries installed into the "crontab" file (e.g. the "/var/spool/cron/crontabs/adm" file on many *NIX'es but this will change from system to system). The cron file of the adm user is configured to own the whole of the accounting files and processes. These commands have been designed to be run using cron in a batch mode. It is still possible to execute these commands manually from a command line or script.

  • ckpacct Controls the size of the /var/adm/pacct file. When the /var/adm/pacct file grows larger than a specified number of blocks (default = 1000 blocks), it turns off accounting and moves the file off to a location equal to /var/adm/pacctx (x is the number of the file). Then ckpacct creates a new /var/adm/pacct for statistic storage. When the amount of free space on the filesystem falls below a designated threshold (default = 500 blocks), ckpacct automatically turns off process accounting. Once the free space exceeds the threshold, ckpacct restarts process accounting.
  • dodisk Dodisk produces disk usage accounting records by using the diskusg, acctdusg, and acctdisk commands. By default, dodisk creates disk accounting records on the special files. These special filenames are usually maintained in "/etc/fstab" or "/etc/filesystems".
  • monacct Uses the daily reports created by the commands above to produce monthly summary reports.
  • runacct Maintains the daily accounting procedures. This command works with the acctmerg command to produce the daily summary report files sorted by user name.
  • sa1 System accounting data is collected and maintained in binary format in the file /var/adm/sa/sa{dd}, where {dd} is the day of the month.
  • sa2 The sa2 command removes reports from the "../sa/sa{dd}" file that have been there over a week. It is also used to write a daily summary report of system activity to the "../sa/sa{dd}" file.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial lawand ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.


Posted March 25, 2010 at 9:07 PM | Permalink | Reply


Why read this here when I could just read the version from 6 months ago?

Posted March 25, 2010 at 9:50 PM | Permalink | Reply


This looks very familiar''''

Posted March 25, 2010 at 10:54 PM | Permalink | Reply


Isn't this a repost?

Posted March 26, 2010 at 4:40 PM | Permalink | Reply

Dave Hull

Repost indeed. Sorry folks.

Posted March 26, 2010 at 11:22 PM | Permalink | Reply

Craig S Wright

Sorry, I missed that.
I posted several entries at the same time and got one from my other set.

Posted March 29, 2010 at 5:39 AM | Permalink | Reply

Dave Hull

No worries, Craig. I'm sure there are folks who hadn't seen the material previously and benefited from the dupe.

Posted November 11, 2013 at 5:23 AM | Permalink | Reply


NIX administrator is very nice which can manage the accounting process and the innovative thinking really deserves appreciation. This lovely blog consist of informative words which is very useful to others.