Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Unix Operating Systems Software

Unix SAR? 18

Posted by Cliff from the following-the-process-audit-trail dept.
An Anonymous Coward asks: "This may appear to be a simple question at a first glance but I have been trying to find a solution for it for quite a while. I have been playing with different System Accounting utilities (i.e. SAR etc) and they all provide a wide range of useful information but I did not find any one that would be able to tell me the full path and the name of every process that a user runs in a Solaris machine. A loop with ps does not help because you may miss the processes that ran between each call to ps. Any one know how to extract this info? Is there a good System Accounting solution that does the trick? What is the best System Accounting solution available today?"
This discussion has been archived. No new comments can be posted.

Unix SAR? More

Unix SAR?

Comments Filter:

  • LKM (Score:3, Interesting)

    by tps12 ( 105590 ) on Monday May 06, 2002 @03:55PM (#3472109) Homepage Journal
    Sounds like prime territory for a loadable module. You basically just patch the fork/exec syscall(s) to record the new processes by uid. This not only ensures that nothing slips by, but it uses fewer resources during long periods with few new processes started.

    • Re:LKM (Score:1)

      by ader ( 1402 )
      You couldn't take five mins to knock up the code for that module, could you? I'm a bit busy for the next half hour, writing a quick single system image package.

      Ade_
      /

  • Turn on auditing (Score:5, Funny)

    by devphil ( 51341 ) on Monday May 06, 2002 @04:09PM (#3472223) Homepage


    Fire up yer browser, point it at the local AnswerBook2 server (or http://docs.sun.com/), and find the System Administrator Collection. Flip down to "SunSHIELD Basic Security Monitor Guide." Read about how to enable auditing.

    Then tell it to record full paths, flip the switch, and watch your hard drives fill up in seconds due to the massive amount of auditing information being logged.

  • Process accounting (Score:5, Informative)

    by booch ( 4157 ) <slashdot2010@cra ... m ['k.c' in gap]> on Monday May 06, 2002 @04:41PM (#3472462) Homepage
    $ man accton
    $ man acctprc
    $ man acctcms
    $ man -s 4 acct
    • $ man "enron accounting"
      No manual entry for "enron accounting"

      I just had to say it :)

    • Popularity Contest (Score:3, Interesting)

      by 4of12 ( 97621 )

      There has to be a way.

      I seem to recall something like sacct or something that run on my 4.2 BSD flavored boxes back in the 1980s that had exactly the kind of information you desire.

      It was in a research group at a university, and we didn't charge people for CPU time. [Does anyone really charge for CPU time anymore? It's gotten to be almost "too cheap to meter".]

      However, it was interesting because it told you about applications that really got a lot of usage. Apart from the usual suspects like /usr/bin/ls, the accounting information showed which home-grown programs were the most popular.

      A co-worker's XY plotting program ranked among the most used programs on the machine according to system accounting. That helped him gain credence in my advisor's eyes for spending time creating this tool, even though it was not directly related to our research.

      • "Does anyone really charge for CPU time anymore? It's gotten to be almost "too cheap to meter"."

        On a small scale, that's more-or-less true. However, if I'm not mistaken, you can 'buy' processing time on superc{ompute,luste}rs for computationally expensive tasks. For example, a science lab that needed lots of processing power for a few weeks (and it wasn't feasible to buy/build their own system) could 'purchase' those few weeks worth of CPU time on a big iron.

        Of course, I believe that you buy 100% CPU time for X amount of time, instead of being charged a 'total accumulated usage per month' kind of thing...
  • Gee, since when did google get redirected to ask slashdot?

    There's a neat thing called process accounting that exists on every unix I've used.


    atd | 0.0| 2.0| 2.0| 0| 0|1136.0| 0.0|Mon May 6 16:41:01 2002
    cron | 0.0| 0.0| 3.0| 0| 0|1176.0| 0.0|Mon May 6 16:41:01 2002
    pine | 22.0| 1.0|60000.0| 5646| 201|4668.0| 0.0|Mon May 6 16:31:04 2002
    bash | 16.0| 1.0|60152.0| 5646| 201|1964.0| 0.0|Mon May 6 16:31:03 2002
    sleep | 0.0| 0.0|1501.0| 0| 0| 984.0| 0.0|Mon May 6 16:40:53 2002
    uname | 0.0| 0.0| 2.0| 574| 500| 984.0| 0.0|Mon May 6 16:41:17 2002
    bash | 0.0| 0.0| 2.0| 574| 500|1888.0| 0.0|Mon May 6 16:41:17 2002
    bash | 1.0| 0.0| 1.0| 574| 500|1888.0| 0.0|Mon May 6 16:41:17 2002
    egrep | 1.0| 0.0| 7.0| 574| 500|1116.0| 0.0|Mon May 6 16:41:17 2002
    sleep | 0.0| 0.0|1501.0| 0| 0| 984.0| 0.0|Mon May 6 16:41:08 2002

    Wow, amazing. I'm not bothering logging command line or full path, but it's not exactly difficult to do. I'd reccomend sucking that file into a database table and summing it up nightly, since it'll grow fast.

  • The Sun BSM is pretty cool, think truss (strace for the Linux kids) to log file for all processes run by any user. And those kids think that
    ln -s /dev/null .bash_history (etc)
    will stop me watching them :> Muhahaha!

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close