In addition to logins and logouts, Unix can log every single command run by every single user. This special kind of logging is often called process accounting; normally, process accounting is used only in situations where users are billed for the amount of CPU time that they consume. The acct or pacct files can be used after a break-in to help determine which commands a user executed (provided that the log file is not deleted). This file can also be used for other purposes, such as seeing if anyone is using some old software you wish to delete, or who is playing games on the fileserver.
The lastcomm or acctcom programs display the contents of this file in a human-readable format:
% lastcomm
sendmail   F   root     __      0.05 secs Sat Mar 11 13:28
mail       S   daemon   __      0.34 secs Sat Mar 11 13:28
send           dfr      __      0.05 secs Sat Mar 11 13:28
post           dfr      ttysf   0.11 secs Sat Mar 11 13:28
sendmail   F   root     __      0.09 secs Sat Mar 11 13:28
sendmail   F   root     __      0.23 secs Sat Mar 11 13:28
sendmail   F   root     __      0.02 secs Sat Mar 11 13:28
anno           dfr      ttys1   0.14 secs Sat Mar 11 13:28
sendmail   F   root     __      0.03 secs Sat Mar 11 13:28
mail       S   daemon   __      0.30 secs Sat Mar 11 13:28
%
If you have an intruder on your system and he has not edited or deleted the /var/adm/acct file, lastcomm will provide you with a record of the commands that the intruder used. Unfortunately, Unix accounting does not record the arguments to the command typed by the intruder, nor the directory in which the command was executed. Thus, keep in mind that a program named vi executed by a potential intruder might actually be a renamed version of cc; you have no way to tell for certain by examining this log file.
lastcomm can be used in two ways: by the system administrator to monitor attackers, or by an intruder to see whether the administrator is monitoring him. For this reason, some administrators change the permission mode of the log file so that only the superuser can read its contents.
On systems that are used even moderately, the /var/adm/acct file grows very quickly, often by more than one or two megabytes per day. For this reason, most sites that use accounting run the sa or runacct command on a nightly basis. These commands process the information in the acct or pacct file into a summary file, which is often kept in /var/adm/savacct.
On SVR4 systems, you start accounting with the command:
The accounting file on these systems is usually /var/adm/pacct, and it is read with the acctcom command. The acctcom command has more than 20 options, and can provide a variety of interesting summaries. You should check your system's manpage to become familiar with the possibilities and any related commands.
Accounting is performed by the Unix kernel. Every time a process terminates, the kernel writes a 32-byte record to the /var/adm/acct file that includes:
    Name of the user who ran the command
    Name of the command
    Amount of CPU time used
    Time that the process exited
    Flags, which include:
        Command was executed by the superuser
        Command ran after a fork, but without an exec
        Command generated a core file when it exited
        Command was terminated by a signal
Because accounting records are written when processes terminate, reading accounting logs can be tricky on systems with long-lived processes. The logs will usually be chronological in order of termination, not execution.
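To make the lastcomm output shown earlier and the flag meanings listed above concrete, here is an added example (not code from the book or from any Unix distribution) that parses lastcomm-style lines into records, decodes the flag letters, and answers the two questions the text raises: who is still running a given command, and which commands ran as the superuser. It assumes the BSD lastcomm flag letters S, F, D and X for the four flags, and the sample input is constructed from the records on this page plus two made-up lines.

```python
import re
from dataclasses import dataclass
# Constructed sample in the format lastcomm prints: the records shown on this
# page plus two made-up lines ("vi" killed by a signal, "rogue" run as root and
# dumping core) to exercise the other flag letters. "__" means no tty.
SAMPLE = """\
sendmail   F   root     __      0.05 secs Sat Mar 11 13:28
mail       S   daemon   __      0.34 secs Sat Mar 11 13:28
send           dfr      __      0.05 secs Sat Mar 11 13:28
post           dfr      ttysf   0.11 secs Sat Mar 11 13:28
anno           dfr      ttys1   0.14 secs Sat Mar 11 13:28
vi         X   dfr      ttys1   3.20 secs Sat Mar 11 13:30
rogue      SD  root     ttyp0   9.70 secs Sat Mar 11 13:31
"""

# Assumed BSD lastcomm flag letters for the four flags described above.
FLAG_NAMES = {"S": "superuser", "F": "fork-no-exec", "D": "core", "X": "signal"}

# The flags column appears only when a flag is set, so it is optional here (a
# user name made of capital flag letters would be misread; real ones are lowercase).
RECORD = re.compile(r"""^(?P<comm>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?
                        (?P<user>\S+)\s+(?P<tty>\S+)\s+
                        (?P<secs>\d+\.\d+)\s+secs\s+(?P<when>.+?)\s*$""", re.X)

@dataclass(frozen=True)
class Record:
    comm: str         # command name only: no arguments, no working directory
    user: str
    tty: str
    cpu_secs: float
    when: str         # time the process exited, not when it started
    flags: frozenset  # decoded flag names
def parse_lastcomm(text):
    """Parse lastcomm output into Records, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            flags = frozenset(FLAG_NAMES[c] for c in (m["flags"] or ""))
            records.append(Record(m["comm"], m["user"], m["tty"],
                                  float(m["secs"]), m["when"], flags))
    return records

def users_of(records, comm):
    """Who ran a given command name, e.g. old software you plan to remove."""
    return sorted({r.user for r in records if r.comm == comm})

def superuser_records(records):
    """Records flagged as run by the superuser, in order of termination."""
    return [r for r in records if "superuser" in r.flags]
```

Because the log holds only the command name, a record showing vi says nothing about what the binary actually was; the parser can tell you who ran a name, not what it did.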
You can turn on accounting by issuing the accton command:
# accton filename
Depending on your version of Unix, you may find the accton command in /usr/etc, /usr/sbin, or /usr/lib/acct. The filename specifies where accounting information should be kept. It is typically /var/adm/acct. The file is read with the lastcomm command.
Many versions of Unix place a copy of any message printed on the system console in a file called /var/log/messages or /var/adm/messages. This can be particularly useful, as it does not require the use of special software for logging; only a call to printf in a C program or an echo statement in a shell script.
Here is a sample of the messages file from a computer running SunOS Version 4.1:
Mar 14 14:30:58 bolt su: 'su root' succeeded for tanya on /dev/ttyrb
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 8 times
Mar 14 14:33:59 bolt vmunix: /home: file system full
Mar 14 14:33:59 bolt last message repeated 16 times
As you can see, the computer bolt is having a problem with a filled disk.