Where does the process accounting feature pull data from?

I recently discovered the process accounting feature in Unix systems. Basically it appears to be a legacy resource usage recording system that was just never removed.

Since the dawn of time (actually dating back from the time when people had to actually pay real money per computer cycle they used) Unix and its clones have had a system called Process Accounting (acct) built in. This allowed the system administrators to know exactly what their users were doing and so could bill them accordingly. The acct facilities still exist in most Unix and Linux systems to this day. - @Majenko

From the cyber security perspective this is pretty interesting since users can delete bash history and (aside from this) there is (or so I thought) no history by default for Bourne shell commands.

By doing:

sudo apt-get install acct
sudo /etc/init.d/acct start
sudo lastcomm

...and many other associated commands and options we can get records like:

mandb             F    man      pts/4      0.00 secs Mon Dec  6 13:33
mandb             F    man      pts/4      0.00 secs Mon Dec  6 13:33
acct.postinst          root     pts/4      0.00 secs Mon Dec  6 13:33
systemctl              root     pts/4      0.00 secs Mon Dec  6 13:33
systemd-tty-ask  S     root     pts/4      0.00 secs Mon Dec  6 13:33
accton           S     root     __         0.00 secs Mon Dec  6 13:33

This is basically a powerful, extensive shell history including all types of shells. But I'm having trouble learning much more about how this works. Where is the data this command draws from? I'm trying to learn more about how easily an attacker could access and delete this data, or where we can access it to back it up.


Solution 1:

acct(5), or acct - process accounting file, says this:

If the kernel is built with the process accounting option enabled (CONFIG_BSD_PROCESS_ACCT), then calling acct(2) starts process accounting, for example:

acct("/var/log/pacct");

When process accounting is enabled, the kernel writes a record to the accounting file as each process on the system terminates. This record contains information about the terminated process, and is defined in <sys/acct.h>.

The typical default location of the file is /var/log/account/pacct, where the data will be saved.

Unfortunately, this file is not a plain text file, so don't try viewing it with more or tail commands. Instead, use the dump-acct command to view it.
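As an added example (not code from the question or this answer), the following Python parser reads the fixed-size records the kernel appends to that file, so you can see exactly what is recorded and copy it off-box for safekeeping. It assumes the Linux acct_v3 layout from <sys/acct.h> on a little-endian machine, and the ac_tty field using the old 8:8 major:minor dev_t encoding; the records it parses are constructed inline, not a real pacct capture.

```python
import struct
from datetime import datetime, timezone

# Linux acct_v3 record layout from <sys/acct.h> (little-endian, 64 bytes):
# ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
# ac_btime, ac_etime (float), eight comp_t counters, ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
AHZ = 100  # clock ticks per second for the comp_t time fields
# ac_flag bits and the letters lastcomm prints for them
FLAG_LETTERS = {0x01: "F", 0x02: "S", 0x04: "C", 0x08: "D", 0x10: "X"}

def decode_comp_t(c: int) -> int:
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse_record(raw: bytes) -> dict:
    """Decode one 64-byte acct_v3 record into named fields."""
    (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
     utime, stime, mem, io, rw, minflt, majflt, swaps, comm) = ACCT_V3.unpack(raw)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "flags": "".join(l for bit, l in FLAG_LETTERS.items() if flag & bit),
        "version": version,
        "tty": (tty >> 8, tty & 0xFF),  # assumed old 8:8 major:minor encoding
        "exitcode": exitcode, "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
        "btime": btime,
        "started": datetime.fromtimestamp(btime, timezone.utc).isoformat(),
        "cpu_secs": (decode_comp_t(utime) + decode_comp_t(stime)) / AHZ,
        "elapsed_secs": etime / AHZ,
        "io_chars": decode_comp_t(io),
    }

def parse_pacct(data: bytes) -> list:
    """Split a pacct file image into records; a torn trailing record is dropped."""
    n = len(data) - len(data) % ACCT_V3.size
    return [parse_record(data[i:i + ACCT_V3.size]) for i in range(0, n, ACCT_V3.size)]

def superuser_commands(records: list) -> list:
    """Command names that ran with the ASU (superuser) flag, in file order."""
    return [r["comm"] for r in records if "S" in r["flags"]]

def build_record(comm, flag, uid, btime, utime, stime, io=0):
    """Constructed sample record (not a real capture) for offline testing."""
    return ACCT_V3.pack(flag, 3, (136 << 8) | 4, 0, uid, uid, 4242, 4000, btime,
                        150.0, utime, stime, 4096, io, 0, 0, 0, 0, comm.encode().ljust(16, b"\0"))

# Constructed sample image modelled on the systemctl / accton lines in the question,
# followed by 10 bytes of a partially written record (constructed, not captured)
SAMPLE = (build_record("systemctl", 0x00, 0, 1638797580, 25, 17)
          + build_record("accton", 0x02, 0, 1638797580, 3, 2, io=0x2000 | 100)
          + b"\0" * 10)
```

Point parse_pacct at the bytes of /var/log/account/pacct (read as root) to get the same fields lastcomm prints, plus the uid, pid and exit code it omits.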