Where does the process accounting feature pull data from?

security unix linux shell

I recently discovered the process accounting feature in Unix systems. Basically it appears to be a legacy resource usage recording system that was just never removed.

Since the dawn of time (actually dating back from the time when people had to actually pay real money per computer cycle they used) Unix and it's clones has had a system called Process Accounting (acct) built in. This allowed the system administrators to know exactly what their users were doing and so could bill them accordingly. The acct facilities still exist in most Unix and Linux systems to this day.- @Majenko

From the cyber security perspective this is pretty interesting since users can delete bash history and (aside from this) there is (or so I thought) no history by default for borne shell commands.

By doing:

sudo apt-get install acct
sudo /etc/init.d/acct start
sudo lastcomm

...and many other associated commands and options we can get records like:

mandb             F    man      pts/4      0.00 secs Mon Dec  6 13:33
mandb             F    man      pts/4      0.00 secs Mon Dec  6 13:33
acct.postinst          root     pts/4      0.00 secs Mon Dec  6 13:33
systemctl              root     pts/4      0.00 secs Mon Dec  6 13:33
systemd-tty-ask  S     root     pts/4      0.00 secs Mon Dec  6 13:33
accton           S     root     __         0.00 secs Mon Dec  6 13:33

Which is basically a powerful, extensive shell history including all types of shells. But I'm having trouble learning much more about how this works. Where is the data this command draws from? I'm trying to learn more about how easily an attacker could access and delete this data, or where we can access it to back it up.


Solution 1:

acct(5), or acct - process accounting file, says this:

If the kernel is built with the process accounting option enabled (CONFIG_BSD_PROCESS_ACCT), then calling acct(2) starts process accounting, for example:

acct("/var/log/pacct");

When process accounting is enabled, the kernel writes a record to the accounting file as each process on the system terminates. This record contains information about the terminated process, and is defined in <sys/acct.h>.

The typical default location of the file is /var/log/account/pacct, where the data will be saved.

Unfortunately, this file is not a plain text file, so don't try viewing it with more or tail commands. Instead, use the dump-acct command to view it.

Related

What was the SquashFS compression method?
Can I specify PBKDF2 rounds to use with LUKS/dm-crypt?
Why does Windows 7 mouse freeze after resuming from sleep?
Using an SD card for backup?
How does one enable/disable inline bot use in Telegram chats?
"Read-only file system" when I try to touch in Mac OS Catalina
Win10 - Files associations in search results are broken
How to get NFS Server on Windows 10?
Moving user folder to drive D
Is there a keyboard shortcut for "Save to Your Library" in Spotify's desktop app?
Proving $\ell^p$ is complete
What is the parametric equation of a rotated Ellipse (given the angle of rotation)