Process Accounting (pacct)

What is this artifact?

Process accounting is a feature in *nix operating systems that record process executions by user into binary files stored on disk. Not always enabled.

Practical UNIX and Internet Security, 3rd EditionO’Reilly Online Learning

Where can it be found?

Binary will be named pacct or acct if enabled. Location varies by OS flavor.

/var/account/pacct
- red hat, CentOS, Fedora
/var/account/acct
- FreeBSD, OpenBSD
/var/log/account/pacct
- Debian, Ubuntu
/var/adm/pacct
- Solaris, AIX
/var/log/pacct

What information does it contain?

Different flavors can contain different levels of support for pacct. At minimum you will get users, timestampt and binary name.

File name of executed binary
timestamp of execution
user context
tty the execution occurred from (tty stands for teletype or terminal. They are interchangeable)
CPU time used by the process
execution flags
PID and PPID
process duration

What is TTY in Linux?It's FOSS

Investigative Pro-Tips:

Can be used to demonstrate historical process execution by user
Artifact is in binary format and can be parsed with lastcomm

Assumptions to be careful about:

Feature is not always enabled/available/
pacct will not include command line flags or directory user executed it from, only binary name.
Timestamp for execution doesn't include seconds.
Information recoreded in pacct can very by OS flavor.

Tools How To:

Parse

Parse the extracted pacct file to reveal contents.

#Use lastcomm to specify extracted pacct file
lastcomm --pid -f pacct_file

The lastcomm command displays information, in reverse chronological order, about all previously executed commands that are still recorded in the /var/adm/pacct summary file. You need to run the /usr/sbin/acct/startup command before you can execute the lastcomm command.

lastcomm Commandwww.ibm.com

Enable lastcomm

sudo /usr/sbin/accton on

Managing process accounting on LinuxNetwork World

Under Red Hat / CentOS Linux, you can enter following command to start accounting service:

chkconfig psacct on
/etc/init.d/psacct

Under Ubuntu / Debian Linux, you need to enter following command to start accounting service:

update-rc.d acct defaults
/etc/init.d/acct start

Understanding /var/account/pacct OR /var/account/acct - Acct File FormatnixCraft

Misc

Previousexample page Nextmlocate.db

Last updated 2 years ago

hashtagWhat is this artifact?

hashtagWhere can it be found?

hashtagWhat information does it contain?

hashtagInvestigative Pro-Tips:

hashtagAssumptions to be careful about:

hashtagTools How To:

hashtagParse

hashtagEnable lastcomm

hashtagMisc