Process Accounting (pacct)
What is this artifact?
Process accounting is a feature in *nix operating systems that record process executions by user into binary files stored on disk. Not always enabled.
Where can it be found?
Binary will be named pacct or acct if enabled. Location varies by OS flavor.
/var/account/pacct
red hat, CentOS, Fedora
/var/account/acct
FreeBSD, OpenBSD
/var/log/account/pacct
Debian, Ubuntu
/var/adm/pacct
Solaris, AIX
/var/log/pacct
What information does it contain?
Different flavors can contain different levels of support for pacct. At minimum you will get users, timestampt and binary name.
File name of executed binary
timestamp of execution
user context
tty the execution occurred from (tty stands for teletype or terminal. They are interchangeable)
CPU time used by the process
execution flags
PID and PPID
process duration
Investigative Pro-Tips:
Can be used to demonstrate historical process execution by user
Artifact is in binary format and can be parsed with lastcomm
Assumptions to be careful about:
Feature is not always enabled/available/
pacct will not include command line flags or directory user executed it from, only binary name.
Timestamp for execution doesn't include seconds.
Information recoreded in pacct can very by OS flavor.
Tools How To:
Parse
Parse the extracted pacct file to reveal contents.
The lastcomm command displays information, in reverse chronological order, about all previously executed commands that are still recorded in the /var/adm/pacct summary file. You need to run the /usr/sbin/acct/startup command before you can execute the lastcomm command.
Enable lastcomm
Under Red Hat / CentOS Linux, you can enter following command to start accounting service:
Under Ubuntu / Debian Linux, you need to enter following command to start accounting service:
Misc
Last updated
