Tuesday, October 9, 2012

Accounting and auditing in AIX

Process accounting, as the name implies, records information about every process executed on the system. This data can then be combined to produce reports on individual command usage and per-user usage. The reports can be used to track resource usage and productivity, to assess process scheduling, and for billing purposes.

The data can also be refined to determine which commands were executed on the system at a particular time and by which user, or which commands a particular user was executing at a particular time. This information is invaluable when doing system forensics, such as investigating a potential security breach or employee misuse of the system.

When enabled, the kernel writes a record of every completed process to /var/adm/pacct (on AIX, /usr/adm is a symbolic link to /var/adm). The record includes:
  • Data on the user ID
  • Command name
  • CPU and memory usage
  • Start and stop time
  • Disk reads and writes
  • Character I/O

Check whether the fileset for process accounting (bos.acct) is installed on your server; if it is not, install it from the installation media or from IBM's website.

# lslpp -L bos.acct
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.acct                  5.3.12.2    C     F    Accounting Services

1. Set up the process accounting files and their permissions

# touch /var/adm/pacct
# su - adm -c /usr/lib/acct/nulladm /var/adm/wtmp /var/adm/pacct
# su - root -c /usr/sbin/acct/startup

nulladm truncates each file and sets it to mode 664, owner adm, group adm (which is what the ls check in the next step should show). There is no need to chmod the pacct file to 666 first: a world-writable accounting file would let any user tamper with the audit trail. Running startup only turns accounting on for the current boot. To make it persistent across reboots, add the startup line to /etc/rc; the AIX accounting documentation has adm run it there: /usr/bin/su - adm -c /usr/sbin/acct/startup

2. Verify accounting has started

# ls -l /var/adm/pacct
-rw-rw-r--    1 adm      adm           68160 Oct 09 18:03 /var/adm/pacct

3. Display selected process accounting record summaries

# man acctcom
# acctcom
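acctcom is where the forensic questions raised at the top of the post get answered: which commands did a given user run in a time window, what was running at a given moment, and which commands ran with superuser privilege. The following is an added example, not from the original post. It assumes acctcom's default column layout (command name, user, tty, start time, end time, real seconds, CPU seconds, mean size) and that acctcom prefixes a command name with "#" when it ran with superuser privilege; the records fed in are a constructed sample so the script runs offline. On a live AIX system you would pipe real output in, e.g. "acctcom | acct_cmds_by_user adm 18:00:00 18:10:00".

```shell
#!/bin/sh
# Added example (not from the original post): filters over acctcom's default
# text output that answer the forensic questions from the text.
#
# CONSTRUCTED sample of acctcom output, in its default layout; "#" before a
# command name means acctcom flagged it as run with superuser privilege.
SAMPLE_ACCTCOM='COMMAND                           START    END          REAL      CPU     MEAN
NAME       USER     TTYNAME       TIME     TIME       (SECS)   (SECS)  SIZE(K)
#accton    root     ?           18:02:40 18:02:40      0.02     0.00    12.00
ls         adm      pts/0       18:03:01 18:03:01      0.03     0.01    44.00
cat        adm      pts/0       18:03:10 18:03:10      0.01     0.00    40.00
#su        jsmith   pts/1       18:04:22 18:04:22      0.05     0.01    52.00
tar        root     pts/1       18:04:30 18:09:55    325.10    12.44   120.00
scp        jsmith   pts/1       18:10:03 18:10:40     37.20     0.91    88.00'

# Fields after the two header lines: $1 command, $2 user, $3 tty,
# $4 start HH:MM:SS, $5 end HH:MM:SS. HH:MM:SS is fixed width, so plain
# string comparison orders times correctly within one day.

# Commands run by user $1 that started between $2 and $3 (inclusive), one per line.
acct_cmds_by_user() {
    awk -v user="$1" -v from="$2" -v to="$3" \
        'NR > 2 && $2 == user && $4 >= from && $4 <= to { print $1 }'
}

# "user command" for every process whose lifetime [start, end] covers time $1.
acct_running_at() {
    awk -v t="$1" 'NR > 2 && $4 <= t && $5 >= t { print $2, $1 }'
}

# "user command" for every record acctcom marked as run with superuser privilege.
acct_privileged() {
    awk 'NR > 2 && substr($1, 1, 1) == "#" { print $2, $1 }'
}

# Demo on the constructed sample: replace the printf with a real acctcom pipe on AIX.
printf '%s\n' "$SAMPLE_ACCTCOM" | acct_cmds_by_user adm 18:00:00 18:10:00
printf '%s\n' "$SAMPLE_ACCTCOM" | acct_running_at 18:05:00
printf '%s\n' "$SAMPLE_ACCTCOM" | acct_privileged
```

The time filters only work within a single pacct file's day; for a window that spans midnight, run the filter against the switched pacctN file for each day (or acctcom -f on that file) and combine the results.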

4. Edit the adm crontab so ckpacct housekeeps the pacct file when it exceeds 1000 disk blocks

# crontab -e adm

#=================================================================
#      PROCESS ACCOUNTING:
#  runacct at 11:10 every night
#  dodisk at 11:00 every night
#  ckpacct every hour on the hour
#  monthly accounting 4:15 the first of every month
#=================================================================
#10 23 * * * /usr/lib/acct/runacct 2>/usr/adm/acct/nite/accterr > /dev/console
#0 23 * * * /usr/lib/acct/dodisk > /dev/console 2>&1
0 * * * * /usr/lib/acct/ckpacct > /dev/console 2>&1
#15 4 1 * * /usr/lib/acct/monacct > /dev/console 2>&1
#=================================================================

/usr/lib/acct/ckpacct checks the size of /var/adm/pacct. If it exceeds 1000 disk blocks, ckpacct calls "turnacct switch", which closes the current pacct file, renames it to a unique name (pacct1, pacct2, ...) and opens a new pacct file, keeping each file a manageable size. ckpacct also checks the free space in /var/adm and, if it drops below 500 blocks, turns process accounting off with "turnacct off". A full /var/adm therefore stops the audit trail, so monitor the free space there as well.

Note: the 1000-block switch threshold is a legacy value. With 512-byte blocks it is about 500 KB, less than a floppy disk holds. Override the default by passing the threshold as an argument in the crontab entry, for example "ckpacct 400000" (roughly 200 MB).
