Subject : Accounting Management
Solution Description:
=====================
Contents
Intro
General Info
Install
Common problems/Tips
Intro
The following is a collection of help information for setting up and
debugging accounting problems on SunOS 4.x (Solaris 1.x). The
accounting mechanisms provided by SunOS 4.x are based upon System V
Unix, as described in System and Network Administration, page 197
onwards (and in more depth in the books 'AT&T Unix system V release
4: System Administrators Guide' and 'SunOS 5.0 Administering Security,
Performance, and Accounting'). One of these references should be
consulted before this help synthesis is used.
There are a number of problems with the accounting package provided by
SunOS 4.x that are fixed in patch id 100407-05, therefore this patch
should be applied to all SunOS 4.x systems wishing to use accounting
before attempting to set it up. Because the accounting system used in
4.x is System V based, there are few differences when migrating to
Solaris 2.0 (SunOS 5.0).
General Info
The accounting binaries are all stored in /usr/lib/acct and
the recorded information in /var/adm/acct. There are three
directories under /var/adm/acct:
nite - contains all the information from the last run of runacct
normally the previous days records.
sum - contains the daily stored accounting records
fiscal - contains the monthly stored accounting records.
When accounting is invoked, as each process runs, the kernel accumulates
totals for the process's system time, user time, elapsed time, memory
usage in pages, chars transferred and blocks of data written or read
(equivalent of page faults). These accumulated totals are updated at
certain 'tick' times (normally 1/60th sec). When the process finally
exits, the totals are written out to the file /var/adm/pacct in the
form of an acct structure (see /usr/include/sys/acct.h). The rest of
the accounting is concerned with manipulating this information, along
with the login records stored in /var/adm/wtmp, and storing this
information in daily/monthly report files (in the /var/adm/acct/sum and
/var/adm/acct/fiscal directories).
Install
-------
Most of the problems with accounting come at the install/setup stage. The
following five steps show how to install and verify that accounting
is working.
1. Make sure patch 100407-07 has been installed on the system. Check for
the prefixed ".FCS" on a number of files in /usr/lib/acct, which shows
that this patch has been installed.
2. Initially set up accounting by uncommenting the line in rc:
example# grep acct /etc/rc
/usr/lib/acct/startup
and adding the following four lines to root crontab:
example# crontab -l
15 3 * * * find / -name .nfs\* -mtime +7 -exec rm -f {} \; -o -fstype nfs -prune
5 4 * * 6 /usr/lib/newsyslog >/dev/null 2>&1
0 * * * * /usr/lib/acct/ckpacct
0 1 * * 1-6 /usr/lib/acct/dodisk
0 2 * * 1-6 /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
15 5 1 * * /usr/lib/acct/monacct
Run `/usr/lib/acct/startup` to start accounting, if not
already running. Check that accounting is running by repeatedly doing
an `ls -l /var/adm/pacct`. Each time the command is run the file
should have grown by a multiple of 32 bytes, e.g:
example# ls -l /var/adm/pacct
-rw-r--r-- 1 root 1120 Nov 10 18:01 /var/adm/pacct
example# ls -l /var/adm/pacct
-rw-r--r-- 1 root 1152 Nov 10 18:01 /var/adm/pacct
A 32-byte accounting record is added to this file each time a
process exits.
3. Edit /etc/holidays. The first non-comment line should give the
Prime/Non-prime times for the current year. This year date is set to
1990 by default and needs updating. Calculate the dates of any holidays
to be included as nonprime time. Note that the date is given as the
number of the day in the current year (1 to 365), and not as day/month
(as suggested on page 206 of System and Network Administration).
4. Now check that the entries added to crontab run okay. These four commands
are all Bourne shell scripts, so they can be run with a debug trace. The
best way to do this in a window system is to cut and paste the commands as
listed by `crontab -l`: in another window type "sh -x", then cut the
command from the crontab entry, paste it after the "sh -x" and run
it. The shell debug trace should indicate any errors. Example
traces for all four commands are given in Appendix A.
5. If no problems occur a report file will appear in /var/adm/acct/sum
directory, e.g:
example# ls /var/adm/acct/sum
cms daycms rprt1026 rprt1112 tacct1026 tacct1112
cmsprev loginlog rprt1111 tacct tacct1111 tacctprev
example#
Run prdaily to view the current set of accounting results from the
last invocation of runacct. It's generally a good idea to add
'/usr/lib/acct' to the path of the sysadmin user to make running
accounting commands easier.
If all is okay, remove the current accounting night information
and let the crontab entries collect the daily accounting information.
example# rm -f /var/adm/acct/nite/*
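A quick way to check the crontab from step 2 before relying on it, as an added example that is not part of the original note. The function name check_acct_crontab is made up here; it reads crontab text on stdin and reports missing accounting entries and a runacct entry that is handed an argument.

```sh
#!/bin/sh
# Added example (not from the original note): lint crontab text on stdin
# for the four accounting entries listed in step 2.
check_acct_crontab() {
    found=""; rc=0
    while read min hour dom mon dow cmd arg rest; do
        case $min in ''|'#'*) continue ;; esac      # blank line or comment
        case $cmd in
            /usr/lib/acct/*) name=`basename "$cmd"` ;;
            *) continue ;;                          # not an accounting job
        esac
        found="$found $name "
        if [ "$name" = runacct ]; then
            # "runacct 2 > file" hands "2" to runacct as an argument and
            # redirects stdout instead of stderr; "2> file" is correct.
            case $arg in
                ''|[0-9]'>'*|'>'*) ;;
                *) echo "runacct: stray argument '$arg'"; rc=1 ;;
            esac
        fi
    done
    for want in ckpacct dodisk runacct monacct; do
        case $found in
            *" $want "*) ;;
            *) echo "missing: $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input; on a real system: crontab -l | check_acct_crontab
check_acct_crontab <<'EOF' || true
0 * * * * /usr/lib/acct/ckpacct
0 2 * * 1-6 /usr/lib/acct/runacct 2 > /var/adm/acct/nite/fd2log
EOF
```

The function returns 0 and prints nothing when all four entries are present and runacct is given no argument.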
Common Problems/Tips
--------------------
1. Restarting the runacct command.
If there are problems when running accounting, carry out the following
steps before running `runacct` again. This is because runacct will only
run once per day.
example# cd /var/adm/acct/nite
example# rm lastdate
example# rm lock*
If the previous steps are not done, the following error will occur when
running runacct:
example# cd /var/adm/acct/nite
example# more active*
ERROR: acctg already run for Wed Nov 11 16:57:13 GMT 1992: check /var/adm/acct/nite/lastdate
2. runacct continuing previous runs
Problems can arise with accounting because runacct will try to continue
a previous aborted run when restarted. It does this by using the
information stored in /var/adm/acct/nite/statefile when a date
argument is supplied to runacct. Changing the redirection "2>" to
"2 >" (with a space) in the crontab entry will erroneously cause this
behavior, because the shell then passes "2" to runacct as an argument. When
runacct has successfully run, the single word "COMPLETE" should appear
in the statefile.
3. pacct file not growing in size.
If this file is not growing in size, run startup with `sh -x
/usr/lib/acct/startup` and compare with the debug trace given in
Appendix A. Also check /var/adm/messages. Accounting will stop if the
root (/var) filesystem goes over 90% used (as measured by `df /var`).
The following error message will appear:
Nov 11 12:48:33 skippy vmunix: Accounting suspended
When space is freed in this filesystem and goes below the 90% threshold,
accounting will automatically start. The following message will appear
in /var/adm/messages:
Nov 12 12:21:42 skippy vmunix: Accounting suspended
4. console appears as ? in TTYNAM output
There is a known bug (1039044) which causes the console device
to be written as major/minor device number 1,0 in the pacct file
rather than 0,0. To generate the name "Console" in accounting
output do the following as root:
example# mknod /dev/Console c 1 0
Note the capital 'C' on console so as not to overwrite the
true console device, /dev/console.
5. How is accounting information collated on a network basis?
The accounting mechanism runs on a per machine basis and
currently does not support the concept of network accounting.
Write scripts to accumulate the accounting reports for several
machines on a network.
6. Mysterious uid 65535 appears in accounting reports.
This is caused by usernames of more than eight characters.
The user accounts used by
C2 security ("AUpwdauthd") will cause this. Use pwck
to check /etc/passwd for correctness and change login
names to <=8 characters. If running C2, accept that commands run
as "AUpwdauthd" will appear under uid 65535.
7. accton: accounting is busy: cannot turn accounting ON
The above error will appear when accounting is turned on
(/usr/lib/acct/startup) and is not configured into the
current kernel. Check for the following line in the kernel
config file, and make sure it is uncommented.
/sys/sun4c/conf/GENERIC:options SYSACCT # process acc...
The GENERIC kernel has this configured by default, whereas
GENERIC_SMALL has it commented out.
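For tips 1 and 2 above, a check of the nite directory before running runacct again, as an added example that is not part of the original note. The function name runacct_rerun_check is made up here, and the statefile value SETUP in the demo is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original note): report what in the nite
# directory would stop or confuse a re-run of runacct.
# Usage: runacct_rerun_check [nite-dir]   (default /var/adm/acct/nite)
runacct_rerun_check() {
    nite=${1:-/var/adm/acct/nite}
    rc=0
    # Tip 1: with lastdate in place runacct reports "acctg already run".
    if [ -f "$nite/lastdate" ]; then
        echo "lastdate: present, runacct will not run again for that day"
        rc=1
    fi
    # Tip 1: lock files left behind by an earlier run.
    for f in "$nite"/lock*; do
        [ -f "$f" ] || continue
        b=`basename "$f"`
        echo "lock: $b left over"
        rc=1
    done
    # Tip 2: after a good run the statefile holds the single word COMPLETE.
    if [ -f "$nite/statefile" ]; then
        state=`cat "$nite/statefile"`
        if [ "$state" != COMPLETE ]; then
            echo "statefile: '$state', previous run did not complete"
            rc=1
        fi
    fi
    return $rc
}

# Constructed demo: a nite directory as an aborted run might leave it.
demo=${TMPDIR:-/tmp}/nite_demo.$$
mkdir -p "$demo"
echo SETUP > "$demo/statefile"
: > "$demo/lock"
: > "$demo/lastdate"
runacct_rerun_check "$demo" || true
rm -rf "$demo"
```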
==================================================================
Appendix A: Execution traces of various accounting scripts
produced by setting "set -x" in the script.
example# sh -x /usr/lib/acct/startup
PATH=/usr/lib/acct:/bin:/usr/bin:/etc
+ acctwtmp acctg on
+ turnacct on
+ remove
example# sh -x /usr/lib/acct/ckpacct
PATH=/usr/lib/acct:/bin:/usr/bin:/etc
+ trap rm -f /var/adm/cklock*; exit 0 0 1 2 3 9 15
+ export PATH
_max=500
_MIN_BLKS=500
+ cd /var/adm
+ cp /dev/null cklock
+ chmod 400 cklock
+ ln cklock cklock1
+ test 0 -ne 0
+ sync
+ sync
+ egrep + df[0-9]
/usr
+ awk {print $4}
_blocks=7336
+ [ 7336 -lt 500 -a -f /tmp/acctoff ]
+ [ 7336 -lt 500 ]
+ [ -f /tmp/acctoff ]
+ sed s/ .*//
+ du -s pacct
_cursize=1
+ [ 500 -lt 1 ]
+ rm -f /var/adm/cklock /var/adm/cklock1
+ exit 0
example#
example# sh -x /usr/lib/acct/dodisk
_dir=/var/adm
_pickup=acct/nite
PATH=/usr/lib/acct:/bin:/usr/bin:/etc:
+ export PATH
+ getopts o i
+ expr 1 - 1
+ shift 0
+ cd /var/adm
+ [ = ]
+ [ 0 -lt 1 ]
+ sed -n /4.2/s/\([^ ]*\)[ ].*/\1/p
args=/dev/sd0a
/dev/sd0g
/dev/sd0h
+ diskusg /dev/sd0a /dev/sd0g /dev/sd0h
+ sort +0n +1 -o dtmp dtmp
+ acctdisk
+ chmod 644 disktmp
+ chown root disktmp
+ mv disktmp acct/nite/disktacct
example# sh -x /usr/lib/acct/runacct 2> /usr/adm/acct/nite/fd2log
_adm=/var/adm
_nite=/var/adm/acct/nite
_sum=/var/adm/acct/sum
_wtmp=/var/adm/wtmp
+ export PATH
PATH=/usr/lib/acct:/bin:/usr/bin:/etc:/usr/ucb
_statefile=/var/adm/acct/nite/statefile
_active=/var/adm/acct/nite/active
_lastdate=/var/adm/acct/nite/lastdate
_errormsg=************ ACCT ERRORS : see /var/adm/acct/nite/active********
_MIN_BLKS=500
+ cd /var/adm
+ date
+ chmod 400 /var/adm/acct/nite/lock1
+ ln /var/adm/acct/nite/lock1 /var/adm/acct/nite/lock
+ test 0 -ne 0
+ egrep [0-9]
+ df /usr
+ awk {print $4}
_blocks=36366
+ [ 36366 -le 500 ]
_date=2
+ cat /var/adm/acct/nite/statefile
cat: /var/adm/acct/nite/statefile: No such file or directory
+ echo restarting acctg for 2 at
+ logger -p daemon.err ********** SYSTEM ACCOUNTING RESTARTED **********
+ [ 1 ]
+ cat /var/adm/acct/nite/statefile
cat: /var/adm/acct/nite/statefile: No such file or directory
+ logger -p daemon.err ************ ACCT ERRORS : see /var/adm/acct/nite/active********
+ mail adm root
+ echo ************ ACCT ERRORS : see /var/adm/acct/nite/active********
+ echo ERROR: invalid state, check /var/adm/acct/nite/statefile
+ rm -f /var/adm/acct/nite/lock /var/adm/acct/nite/lock1
+ mv /var/adm/acct/nite/active /var/adm/acct/nite/active2
+ exit 1
example#
----------------------------------------------------------------------------
Revision History
Date written : 97.03.10
Author : 이민호
Date modified :
Modified by :