Process Accounting: The acct/pacct File

In addition to logins and logouts, Unix can log every single command run by every single user. This special kind of logging is often called process accounting; normally, process accounting is used only in situations where users are billed for the amount of CPU time that they consume. The acct or pacct files can be used after a break-in to help determine which commands a user executed (provided that the log file is not deleted). This file can also be used for other purposes, such as seeing if anyone is using some old software you wish to delete, or who is playing games on the fileserver.

The lastcomm or acctcom programs display the contents of this file in a human-readable format:

% lastcomm
sendmail    F    root     _  _         0.05 secs Sat Mar 11 13:28
mail       S     daemon   _  _         0.34 secs Sat Mar 11 13:28
send             dfr      _  _         0.05 secs Sat Mar 11 13:28
post             dfr      ttysf      0.11 secs Sat Mar 11 13:28
sendmail    F    root     _  _         0.09 secs Sat Mar 11 13:28
sendmail    F    root     _  _         0.23 secs Sat Mar 11 13:28
sendmail    F    root     _  _         0.02 secs Sat Mar 11 13:28
anno             dfr      ttys1      0.14 secs Sat Mar 11 13:28
sendmail    F    root     _  _         0.03 secs Sat Mar 11 13:28
mail       S     daemon   _  _         0.30 secs Sat Mar 11 13:28
%

If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used.[317] Unfortunately, Unix accounting does not record the arguments to the command typed by the intruder, nor the directory in which ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.