[plug] Monitor User Activity/Processes SOLUTION

James Devenish devenish at guild.uwa.edu.au
Thu Oct 7 12:21:42 WST 2004


In message <4164814C.1040109 at tigris.org>
on Thu, Oct 07, 2004 at 07:35:40AM +0800, Tim White wrote:
> The log file (/var/account/pacct) is also not in text format so
> requires a special tool to extract the data, not sure if this is good
> or bad but I'm guessing it's to stop hackers trying to modify the data
> and to stop people extracting the information straight off the disk.

I suspect it is analogous to the UNIX accounting utilities, where the
in-memory data structures are simply dumped to disk. This allows
programmes to retrieve the unadulterated data in a direct machine-
manipulable format (rather than having to back-convert from an
intermediary text format -- you are probably already familiar with the
pain of parsing the textual output of `ps`). Some OSs also come with a
collection of utilities to provide you with periodic reports and
"billing" assistance, etc. You might also find that the amount of disk
usage is being tracked in terms of volumes, but if you still want per-file
analysis, it is generally only provided as part of "security" modules
(e.g. as Bernard mentioned). One thing to note: in case of resource
exhaustion (disk space, memory), the host may shed the accounting info
in an early act of self-preservation. So perhaps don't expect to be able
to rely on it as forensic evidence during 'disaster' recovery.
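The point above is that pacct is a straight dump of the kernel's in-memory accounting record, so a reader just overlays the struct on the bytes. The following is an added example (not code from the thread or from any accounting package) that does exactly that for the Linux acct_v3 layout from <linux/acct.h>; it assumes a little-endian host, AHZ = 100 accounting ticks per second, and the flag bits AFORK/ASU/ACORE/AXSIG as defined there. The BSD pacct struct differs, so this parser is Linux-only. The sample records at the bottom are constructed in the script itself, and the parser tolerates a truncated trailing record (the "shed on resource exhaustion" case) and records with an unexpected version byte, then picks out processes that ran with superuser privilege, which is the sort of thing a reviewer of accounting logs wants to see first.

```python
"""Parse Linux process-accounting (acct_v3) records as written to pacct.

Added example, not from the mailing-list thread. Assumes the Linux
acct_v3 layout from <linux/acct.h> (64-byte records, native byte order,
taken here as little-endian) and AHZ = 100 accounting ticks per second.
"""
import struct
from dataclasses import dataclass

# acct_v3: flag, version, tty, exitcode, uid, gid, pid, ppid, btime,
# etime (float), eight comp_t counters, 16-byte command name.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3
AHZ = 100  # assumed accounting clock rate (ticks per second)

# ac_flag bits from <linux/acct.h>
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10


def decode_comp_t(value: int) -> int:
    """comp_t is a 16-bit pseudo-float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * ((value >> 13) & 0x7))


def encode_comp_t(n: int) -> int:
    """Inverse of decode_comp_t; used here only to build constructed records."""
    exp = 0
    while n > 0x1FFF:
        n >>= 3
        exp += 1
    if exp > 7:
        raise ValueError("value too large for comp_t")
    return (exp << 13) | n


@dataclass
class AcctRecord:
    comm: str
    uid: int
    pid: int
    ppid: int
    btime: int
    utime_s: float
    stime_s: float
    flags: int
    exitcode: int

    @property
    def used_superuser(self) -> bool:
        return bool(self.flags & ASU)


def parse_pacct(data: bytes):
    """Return AcctRecord objects for every complete, version-3 record.

    A trailing partial record (file cut short) is ignored, and records whose
    version byte is not 3 are skipped rather than misinterpreted.
    """
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        flag, version, _tty, exitcode, uid, _gid, pid, ppid, btime, _etime = f[:10]
        utime, stime = f[10], f[11]          # remaining comp_t fields unused here
        comm = f[18].split(b"\0", 1)[0].decode("ascii", "replace")
        if version != ACCT_VERSION:
            continue
        records.append(AcctRecord(comm, uid, pid, ppid, btime,
                                  decode_comp_t(utime) / AHZ,
                                  decode_comp_t(stime) / AHZ,
                                  flag, exitcode))
    return records


def find_superuser_use(records):
    """Records flagged ASU: the process used superuser privileges."""
    return [r for r in records if r.used_superuser]


def make_record(comm, uid, pid, ppid, flags=0, utime_ticks=0,
                stime_ticks=0, btime=0, exitcode=0) -> bytes:
    """Build one constructed acct_v3 record (sample data, not a real pacct)."""
    return ACCT_V3.pack(flags, ACCT_VERSION, 0, exitcode, uid, 0, pid, ppid,
                        btime, 0.0, encode_comp_t(utime_ticks),
                        encode_comp_t(stime_ticks), 0, 0, 0, 0, 0, 0,
                        comm.encode("ascii").ljust(16, b"\0"))


# Constructed sample file: an ordinary shell, a su that used root,
# and ten bytes of a record the kernel never finished writing.
SAMPLE = (make_record("sh", 1000, 4321, 4300, flags=AFORK)
          + make_record("su", 1000, 4322, 4321, flags=ASU,
                        utime_ticks=5, stime_ticks=20000)
          + b"\0" * 10)

if __name__ == "__main__":
    for r in parse_pacct(SAMPLE):
        print(f"{r.comm:<16} uid={r.uid} pid={r.pid} ppid={r.ppid} "
              f"user={r.utime_s:.2f}s sys={r.stime_s:.2f}s "
              f"{'SU' if r.used_superuser else ''}")
```

Run it against a real file with `parse_pacct(open("/var/account/pacct", "rb").read())`; on a Linux box the path may instead be /var/log/account/pacct, and a different struct version would need a different `ACCT_V3` layout.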
