Subject : Accounting 관리

Solution Description:
=====================

Contents

	Intro
	General Info
	Install
	Common problems/Tips

Intro

The following is a collection of help information for setting up and
debugging accounting problems on SunOS 4.x (Solaris 1.x). The
accounting mechanisms provided by Sunos 4.x are based upon the System V
unix, as described in the System and Network Administration - page 197
onwards. (Also in more depth in the book 'AT&T Unix system V release
4:  System Administrators Guide and 'SunOS 5.0 Administering Security,
Performance, and Accounting').  One of these references should have
been referred to before this help synthesis is used.

There are a number of problems with the accounting package provided by
SunOS 4.x that are fixed in patch id 100407-05, therefore this patch
should be applied to all SunOS 4.x systems wishing to use accounting
before attempting to set it up. Because the accounting system used in
4.x is System V based, there are few differences when migrating to
Solaris 2.0 (SunOS 5.0).

General Info

The accounting binaries are all stored in /usr/lib/acct and 
the recorded information in /var/adm/acct. There are three 
directories under /var/adm/acct:

nite   - contains all the information from the last run of runacct
         normally the previous days records.

sum    - contains the daily stored accounting records

fiscal - contains the monthly stored accounting records.

When accounting is invoked, as each process runs, the kernel accumulates
totals for the processes system time, user time, elapsed time, memory
usage in pages, chars transferred and blocks of data written or read
(equivalent of page faults). These accumulated1 totals are updated at
certain 'tick' times (normally a 1/60th sec). When the process finally
exits, the totals are written out to the file /var/adm/pacct in the
form of an acct structure (see /usr/include/sys/acct.h). The rest of
the accounting is concerned with manipulating this information along,
with the login records stored in /var/adm/wtmp, and storing this
information in daily/monthly report files (in /var/adm/acct/sum and
/var/adm/acct/fiscal directories).

Install
-------

Most of the problems with accounting come at the install/setup stage. The 
following five steps show how to install and verify that accounting
is working.

1. Make sure patch 100407-07 has been installed on the system.  See that
the prefixed ".FCS" on a number of files in /usr/lib/acct of this patch
has been installed.

2. After initially setting up accounting by uncomment the line in rc:

example # grep acct /etc/rc
/usr/lib/acct/startup
 
and adding the following four lines to root crontab:

example# crontab -l
15 3 * * * find / -name .nfs\* -mtime +7 -exec rm -f {} \; -o -fstype nfs -prune
5 4 * * 6 /usr/lib/newsyslog >/dev/null 2>&1
0 * * * * /usr/lib/acct/ckpacct
0 1 * * 1-6 /usr/lib/acct/dodisk
0 2 * * 1-6 /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
15 5 1 * * /usr/lib/acct/monacct

Run `/usr/lib/acct/startup` to start accounting, if not
already running. Check that accounting is running by repeatedly doing
an `ls -l /var/adm/pacct`. Each time the command is run the file
should have grown by a multiple of 32 bytes, e.g:

example# ls -l /var/adm/pacct
-rw-r--r--  1 root         1120 Nov 10 18:01 /var/adm/pacct
example# ls -l /var/adm/pacct
-rw-r--r--  1 root         1152 Nov 10 18:01 /var/adm/pacct

A 32-byte accounting record is added to this file each time a
process exits.

3. Edit /etc/holidays. The first non-comment line should give the
Prime/Non-prime times for the current year. This year date is set to
1990 by default and needs updating. Calculate the dates of any holidays
to be included as nonprime time. Note that the date as given as the
number of the day in the current year (1 to 365), and not as day/month
(as suggested on page 206 System and Network administration).

4. Now check that the entries added to crontab run okay. These four commands
are all bourne shell scripts, so can be run with a debug trace.  The
best way to do this is in a window system cut and paste the commands as
listed by `crontab -l`. In the other window type "sh -x" then cut the
command from the crontab entry and paste it onto the "sh -x" and run
the command. The shell debug trace should indicate any errors. Example
traces for all four commands are given here in Appendix A.

5. If no problems occur a report file will appear in /var/adm/acct/sum
directory, e.g:

example# ls /var/adm/acct/sum
cms             daycms          rprt1026        rprt1112        tacct1026       tacct1112
cmsprev         loginlog        rprt1111        tacct           tacct1111       tacctprev
example# 

Run prdaily to view the current set of accounting results from the 
last invocation of runacct. It's generally a good idea to add 
'/usr/lib/acct' to the path of the sysadminuser to make running 
accounting commands easier. 

If all is okay, remove the current accounting night information 
and let the crontab entries collect the daily accounting information.

example# rm -f /var/adm/acct/nite/*

Common Problems/Tips
--------------------

1. Restarting the runacct command.

If there are problems when running accounting, carry out the following
steps before running `runacct` again. This is because runacct will only
run once per day.

example# cd /var/adm/acct/nite
example# rm lastdate
example# rm lock*

If previous is not done, the following error will occur when running 
runacct:

example# cd /var/adm/acct/nite
example# more active*
ERROR: acctg already run for Wed Nov 11 16:57:13 GMT 1992: check /var/adm/acct/nite/lastdate

2. runacct continuing previous runs

Problems can arise with accounting because runacct will try to continue
a previous aborted run when restarted. It does this by using the
information stored in /var/adm/acct/nite/statefile, when a date
argument is supplied to runacct. A space in the redirection "2>" to 
"2 >" in the crontab entry will erroneously cause this behavior. When
runacct has successfully run, the single word "COMPLETE" should appear
in the statefile.

3. pacct file not growing in size.

If thisfile is not growing in size, run startup with `sh -x
/usr/lib/acct/startup` and compare with the debug trace given in
Appendix A. Also check /var/adm/messages. Accounting will stop if the
root (/var) filesystem goes over 90% used, (as measured by `df /var`).
The following error message will appear:

Nov 11 12:48:33 skippy vmunix: Accounting suspended

When space is freed in this filesystem and goes below the 90% threshold, 
accounting will automatically start. The following message will appear 
in /var/adm/messages:

Nov 12 12:21:42 skippy vmunix: Accounting suspended

4. console appears as ? in TTYNAM output

There is a known bug (1039044) which causes the console device 
to be written as major/minor device number 1,0 in the pacct file 
rather than 0,0.To generate the name "Console" in accounting 
output do the following as root:

example# mknod /dev/Console c 1 0

Note the capital 'C' on console so as not to overwrite the 
true console device, /dev/console.

5. How is accounting information collatedon a network basis?

The accounting mechanism runs on a per machine basis and 
currently does not support the concept of network accounting. 
Write scripts to accumulate the accounting reports for several
machines on a network.

6. Mysterious uid  65535 appears in accounting reports.

This is caused by having usernames with greater than 
eight characters in the username. The user accounts used by 
C2 security ("AUpwdauthd") will cause this. Use pwck 
to check /etc/passwd for correctness and change login 
names to <=8 characters. If running C2, accept that commands run
as "AUpwdauthd" will appear under uid 65535.

7. accton: accounting is busy: cannot turn accounting ON

The above error will appear when accounting is turned on 
(/usr/lib/acct/startup) andis not configured into the 
current kernel. Check for the following line in the kernel 
config file, and make sure it is uncommented.

/sys/sun4c/conf/GENERIC:options	SYSACCT		# process acc...

The GENERIC kernel has this configured by default, whereas 
GENERIC_SMALL has it commented out.

==================================================================

Appendix A: Execution trace of various accounting script
            produced by setting "set -x" in the script.

example# sh -x /usr/lib/acct/startup
PATH=/usr/lib/acct:/bin:/usr/bin:/etc
+ acctwtmp acctg on 
+ turnacct on 
+ remove 

example# sh -x  /usr/lib/acct/ckpacct
PATH=/usr/lib/acct:/bin:/usr/bin:/etc
+ trap rm -f /var/adm/cklock*; exit 0 0 1 2 3 9 15 
+ export PATH 
_max=500
_MIN_BLKS=500
+ cd /var/adm 
+ cp /dev/null cklock 
+ chmod 400 cklock 
+ ln cklock cklock1 
+ test 0 -ne 0 
+ sync 
+ sync 
+ egrep + df[0-9]  
/usr 
+ awk {print $4} 
_blocks=7336
+ [ 7336 -lt 500 -a -f /tmp/acctoff ] 
+ [ 7336 -lt 500 ] 
+ [ -f /tmp/acctoff ] 
+ sed s/	.*// 
+ du -s pacct 
_cursize=1
+ [ 500 -lt 1 ] 
+ rm -f /var/adm/cklock /var/adm/cklock1 
+ exit 0 
example# 

example# sh -x /usr/lib/acct/dodisk
_dir=/var/adm
_pickup=acct/nite
PATH=/usr/lib/acct:/bin:/usr/bin:/etc:
+ export PATH 
+ getopts o i 
+ expr 1 - 1 
+ shift 0 
+ cd /var/adm 
+ [  =  ] 
+ [ 0 -lt 1 ] 
+ sed -n /4.2/s/\([^    ]*\)[   ].*/\1/p 
args=/dev/sd0a
/dev/sd0g
/dev/sd0h
+ diskusg /dev/sd0a /dev/sd0g /dev/sd0h 
+ sort +0n +1 -o dtmp dtmp 
+ acctdisk 
+ chmod 644 disktmp 
+ chown root disktmp 
+ mv disktmp acct/nite/disktacct 

example# sh -x /usr/lib/acct/runacct 2> /usr/adm/acct/nite/fd2log
_adm=/var/adm
_nite=/var/adm/acct/nite
_sum=/var/adm/acct/sum
_wtmp=/var/adm/wtmp
+ export PATH 
PATH=/usr/lib/acct:/bin:/usr/bin:/etc:/usr/ucb
_statefile=/var/adm/acct/nite/statefile
_active=/var/adm/acct/nite/active
_lastdate=/var/adm/acct/nite/lastdate
_errormsg=************ ACCT ERRORS : see  /var/adm/acct/nite/active********
_MIN_BLKS=500
+ cd /var/adm 
+ date 
+ chmod 400 /var/adm/acct/nite/lock1 
+ ln /var/adm/acct/nite/lock1 /var/adm/acct/nite/lock 
+ test 0 -ne 0 
+ egrep [0-9] 
+ df /usr 
+ awk {print $4} 
_blocks=36366
+ [ 36366 -le 500 ] 
_date=2
+ cat /var/adm/acct/nite/statefile 
cat: /var/adm/acct/nite/statefile: No such file or directory
+ echo restarting acctg for 2 at  
+ logger -p daemon.err ********** SYSTEM ACCOUNTING RESTARTED  ********** 
+ [ 1 ] 
+ cat /var/adm/acct/nite/statefile 
cat: /var/adm/acct/nite/statefile: No such file or directory
+ logger -p daemon.err ************ ACCT ERRORS : see  /var/adm/acct/nite/active******** 
+ mail adm root 
+ echo ************ ACCT ERRORS : see  /var/adm/acct/nite/active******** 
+ echo ERROR: invalid state, check /var/adm/acct/nite/statefile 
+ rm -f /var/adm/acct/nite/lock /var/adm/acct/nite/lock1 
+ mv /var/adm/acct/nite/active /var/adm/acct/nite/active2 
+ exit 1 
example# 


----------------------------------------------------------------------------

Revision History

작성일자 : 97.03.10
작성자 : 이민호

수정일자 :
수정자 :