Wednesday, December 7, 2011

FreeBSD Turn On Process Accounting – Track System Resources Used By Users

I've already written about process accounting under Linux (see how to keep a detailed audit trail of what's being done on your Linux systems). You can just as easily set up process accounting under FreeBSD.

FreeBSD Process Accounting

FreeBSD process accounting is a security facility that lets you keep track of the system resources used and their allocation among users, supports system monitoring, and keeps a minimal record of each user's commands.

Turn On FreeBSD Process Accounting

Log in as the root user and type the following commands. First, enable the FreeBSD accounting service at boot:
# echo 'accounting_enable="YES"' >> /etc/rc.conf
Create the /var/account/acct accounting file:
# touch /var/account/acct
Turn on accounting for the current session:
# accton /var/account/acct

How do I start FreeBSD accounting service?

# /etc/rc.d/accounting start

How do I stop FreeBSD accounting service?

# /etc/rc.d/accounting stop

How do I restart FreeBSD accounting service?

# /etc/rc.d/accounting restart

lastcomm -- show last commands executed

lastcomm is a really useful tool for getting information about previously executed commands. Simply type lastcomm to display information about all the commands recorded during the current accounting file's lifetime:
lastcomm
lastcomm | less
lastcomm | grep pw

Sample output:
lastcomm         -       root             ttyp0     0.002 secs Thu Jan  8 03:16
lastcomm         -       root             ttyp0     0.008 secs Thu Jan  8 03:16
ls               -       root             ttyp0     0.001 secs Thu Jan  8 03:15
tail             -X      root             ttyp0     0.001 secs Thu Jan  8 03:15
ifconfig         -       root             ttyp0     0.001 secs Thu Jan  8 03:15
w                -       root             ttyp0     0.002 secs Thu Jan  8 03:15
vnstat           -       root             ttyp0     0.001 secs Thu Jan  8 03:15
ls               -       root             ttyp0     0.001 secs Thu Jan  8 03:15
csh              -F      root             ttyp0     0.001 secs Thu Jan  8 03:15
hostname         -       root             ttyp0     0.001 secs Thu Jan  8 03:15
csh              -F      root             ttyp0     0.000 secs Thu Jan  8 03:15
pt_chown         -       root             __        0.001 secs Thu Jan  8 03:15
sshd             -F      sshd             __        0.004 secs Thu Jan  8 03:15
sendmail         -F      root             __        0.004 secs Thu Jan  8 03:15
mail.local       -       root             __        0.002 secs Thu Jan  8 03:15
sendmail         -F      root             __        0.004 secs Thu Jan  8 03:15
cron             -F      root             __        0.003 secs Thu Jan  8 03:15
sendmail         -       munin            __        0.010 secs Thu Jan  8 03:15
sh               -       munin            __        0.003 secs Thu Jan  8 03:15
sh               -       munin            __        0.002 secs Thu Jan  8 03:15
perl             -       munin            __        0.104 secs Thu Jan  8 03:15
perl             -       munin            __        0.672 secs Thu Jan  8 03:15
fgrep            -       munin            __        0.002 secs Thu Jan  8 03:15

Understanding lastcomm command output

For each process entry, the following are printed:
  • The name of the user who ran the process.
  • Flags, as accumulated by the accounting facilities in the system. The flags are encoded as follows:
    1. S indicates the command was executed by the super-user.
    2. F indicates the command ran after a fork but without a following exec().
    3. D indicates the command terminated with the generation of a core file.
    4. X indicates the command was terminated with a signal.
  • The command name under which the process was called.
  • The amount of CPU, wall, system, or user time used by the process (in seconds).
  • The time the process started or exited.
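As an added example (not from the original article), a few sh/awk helpers that triage lastcomm output by user, CPU time and flag letters; the sample records are constructed in the column layout shown above, and the "rm -D vivek" line is invented to exercise the core-dump flag.

```shell
#!/bin/sh
# Added example, not part of the original article: small sh/awk helpers that
# summarize lastcomm(1)-style output, the kind of quick triage a reviewer of
# /var/account/acct does. Column layout (as in the article's sample output):
#   command  flags  user  tty  CPU-seconds  "secs"  start-time
# SAMPLE is a constructed record set in that layout (the "rm -D vivek" line is
# made up to show a core-dump flag); on a real host pipe `lastcomm` in instead.
SAMPLE='lastcomm         -       root             ttyp0     0.002 secs Thu Jan  8 03:16
tail             -X      root             ttyp0     0.001 secs Thu Jan  8 03:15
csh              -F      root             ttyp0     0.001 secs Thu Jan  8 03:15
sshd             -F      sshd             __        0.004 secs Thu Jan  8 03:15
perl             -       munin            __        0.672 secs Thu Jan  8 03:15
rm               -D      vivek            ttyp1     0.001 secs Thu Jan  8 03:17'

# Number of recorded commands per user, one "user count" line each.
per_user() {
    awk '{ n[$3]++ } END { for (u in n) print u, n[u] }'
}

# CPU seconds consumed per user, one "user seconds" line each.
cpu_per_user() {
    awk '{ cpu[$3] += $5 } END { for (u in cpu) printf "%s %.3f\n", u, cpu[u] }'
}

# Records whose flag field carries any of the letters in $1. The field is a
# "-" placeholder followed by the accumulated flags (S, F, D, X), so "-X" means
# the process was killed by a signal and "-" alone means no flags were set.
with_flags() {
    awk -v want="$1" '{
        fl = substr($2, 2)                      # drop the leading "-"
        for (i = 1; i <= length(fl); i++)
            if (index(want, substr(fl, i, 1))) { print; break }
    }'
}

# Stand-alone run over the constructed sample.
echo "commands per user:"
printf '%s\n' "$SAMPLE" | per_user | sort
echo "CPU seconds per user:"
printf '%s\n' "$SAMPLE" | cpu_per_user | sort
echo "core dumps (D) or signal kills (X):"
printf '%s\n' "$SAMPLE" | with_flags DX
```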

List all users who executed rm command

lastcomm rm

List all users who executed rm command on tty called ttyp0

lastcomm rm ttyp0

List all the executions of commands named foo by user root on the terminal ttyd0

lastcomm foo root ttyd0

sa -- print system accounting statistics

The sa utility reports on, cleans up, and generally maintains system accounting files.
sa
Sample output:
1135246    1737.686re       47.19cp        0avio    11025k
   15919      20.148re       20.04cp        0avio    11857k   cc1
  193358       7.504re        3.35cp        0avio     3865k   sed
  497113      42.365re        3.06cp        0avio      393k   sh*
     726      13.337re        2.64cp        2avio     1729k   perl
   42784     354.746re        2.52cp        0avio    22328k   sh
     172      45.643re        1.26cp      816avio       94k   rsync*
     191      50.127re        1.12cp      622avio      354k   rsync
The labels used in the output indicate the following:
  • avio : Average number of I/O operations per execution
  • cp : Sum of user and system time, in minutes
  • cpu : Same as cp
  • k : CPU-time averaged core usage, in 1k units
  • k*sec : CPU storage integral, in 1k-core seconds
  • re : Real time, in minutes
  • s : System time, in minutes
  • tio : Total number of I/O operations
  • u : User time, in minutes
The sa command comes with many other options. Please read the man page for further details.

ac -- connect time accounting

Records of individual logins and logouts are written to /var/log/wtmp. The ac command examines these records and writes the accumulated connect time (in hours) for all logins to the standard output.

Print individual users' totals

ac -p

Display totals for the given individuals only

ac vivek
ac root

Further reading:

man pages:
man sa
man lastcomm
man ac

Reference:
http://www.cyberciti.biz/tips/freebsd-process-accounting-tutorial.html
