Unix SAR?
An Anonymous Coward asks: "This may appear to be a simple question at first glance but I have been trying to find a solution for it for quite a while. I have been playing with different System Accounting utilities (i.e. SAR etc) and they all provide a wide range of useful information but I did not find any one that would be able to tell me the full path and the name of every process that a user runs in a Solaris machine. A loop with ps does not help because you may miss the processes that ran between each call to ps. Anyone know how to extract this info? Is there a good System Accounting solution that does the trick? What is the best System Accounting solution available today?"
Sounds like prime territory for a loadable module. You basically just patch the fork/exec syscall(s) to record the new processes by uid. This not only ensures that nothing slips by, but it uses fewer resources during long periods with few new processes started.
Karma: Good (despite my invention of the Karma: sig)
Fire up yer browser, point it at the local AnswerBook2 server (or http://docs.sun.com/), and find the System Administrator Collection. Flip down to "SunSHIELD Basic Security Monitor Guide." Read about how to enable auditing.
Then tell it to record full paths, flip the switch, and watch your hard drives fill up in seconds due to the massive amount of auditing information being logged.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
$ man accton
$ man acctprc
$ man acctcms
$ man -s 4 acct
Software sucks. Open Source sucks less.
There's a neat thing called process accounting that exists on every unix I've used.
Wow, amazing. I'm not bothering logging command line or full path, but it's not exactly difficult to do. I'd recommend sucking that file into a database table and summing it up nightly, since it'll grow fast.
There has to be a way.
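An added example (not part of any comment in this thread) of the load-into-a-table-and-sum-nightly approach suggested above, using SQLite. The sample lines are constructed, and the column order (command, user time, system time, elapsed time, uid, gid, memory, I/O, start time) is an assumption based on the shape of the accounting output pasted elsewhere on this page; `parse_line`, `load`, `nightly_summary` and `summarize` are hypothetical names.

```python
import sqlite3

# Constructed sample in the pipe-delimited shape pasted in this thread.
# Assumed column order: command, utime, stime, etime, uid, gid, mem, io, start.
SAMPLE = """\
pine  |  22.0|   1.0|60000.0|  5646|   201|4668.0|   0.0|Mon May  6 16:31:04 2002
bash  |  16.0|   1.0|60152.0|  5646|   201|1964.0|   0.0|Mon May  6 16:31:03 2002
uname |   0.0|   0.0|    2.0|   574|   500| 984.0|   0.0|Mon May  6 16:41:17 2002
bash  |   1.0|   0.0|    1.0|   574|   500|1888.0|   0.0|Mon May  6 16:41:17 2002
this line is truncated | 1.0
"""

def parse_line(line):
    """Return one row tuple, or None when the line is malformed or truncated."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 9:
        return None
    try:
        utime, stime, etime = (float(x) for x in parts[1:4])
        uid, gid = int(parts[4]), int(parts[5])
        mem, io = float(parts[6]), float(parts[7])
    except ValueError:
        return None
    return (parts[0], utime, stime, etime, uid, gid, mem, io, parts[8])

def load(db, text):
    """Insert every well-formed line; return (rows loaded, lines skipped)."""
    db.execute("CREATE TABLE IF NOT EXISTS acct (command TEXT, utime REAL, stime REAL,"
               " etime REAL, uid INTEGER, gid INTEGER, mem REAL, io REAL, started TEXT)")
    parsed = [parse_line(l) for l in text.splitlines() if l.strip()]
    rows = [r for r in parsed if r is not None]
    db.executemany("INSERT INTO acct VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return len(rows), len(parsed) - len(rows)

def nightly_summary(db):
    """Per-user, per-command run count and total CPU (user + system) time."""
    return db.execute(
        "SELECT uid, command, COUNT(*), SUM(utime + stime) FROM acct "
        "GROUP BY uid, command ORDER BY uid, command").fetchall()

def summarize(text):
    """Load text into a throwaway in-memory database and summarize it."""
    db = sqlite3.connect(":memory:")
    loaded, skipped = load(db, text)
    return loaded, skipped, nightly_summary(db)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Counting skipped lines matters here: a growing number of malformed records is itself worth alerting on, since it can mean the accounting file was rotated mid-read or tampered with.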
I seem to recall something like sacct or something that ran on my 4.2 BSD flavored boxes back in the 1980s that had exactly the kind of information you desire.
It was in a research group at a university, and we didn't charge people for CPU time. [Does anyone really charge for CPU time anymore? It's gotten to be almost "too cheap to meter".]
However, it was interesting because it told you about applications that really got a lot of usage. Apart from the usual suspects like /usr/bin/ls, the accounting information showed which home-grown programs were the most popular.
A co-worker's XY plotting program ranked among the most used programs on the machine according to system accounting. That helped him gain credence in my advisor's eyes for spending time creating this tool, even though it was not directly related to our research.
"Provided by the management for your protection."
Hey retard, do you know the fucking TT tag? Use it when pasting Unix console stuff. Let me show you, fucktard:
atd | 0.0| 2.0| 2.0| 0| 0|1136.0| 0.0|Mon May 6 16:41:01 2002
cron | 0.0| 0.0| 3.0| 0| 0|1176.0| 0.0|Mon May 6 16:41:01 2002
pine | 22.0| 1.0|60000.0| 5646| 201|4668.0| 0.0|Mon May 6 16:31:04 2002
bash | 16.0| 1.0|60152.0| 5646| 201|1964.0| 0.0|Mon May 6 16:31:03 2002
sleep | 0.0| 0.0|1501.0| 0| 0| 984.0| 0.0|Mon May 6 16:40:53 2002
uname | 0.0| 0.0| 2.0| 574| 500| 984.0| 0.0|Mon May 6 16:41:17 2002
bash | 0.0| 0.0| 2.0| 574| 500|1888.0| 0.0|Mon May 6 16:41:17 2002
bash | 1.0| 0.0| 1.0| 574| 500|1888.0| 0.0|Mon May 6 16:41:17 2002
egrep | 1.0| 0.0| 7.0| 574| 500|1116.0| 0.0|Mon May 6 16:41:17 2002
sleep | 0.0| 0.0|1501.0| 0| 0| 984.0| 0.0|Mon May 6 16:41:08 2002
Now, boys and fags. Here is how you use it. Open the tag like so:
<TT>
Put fixed width shit here
</TT>
Then close the tag.
Fucking stool licking freak.
I hate fixed width crap being displayed on crud fonts. IT PISSES ME OFF.
THIS HAS BEEN A PUBLIC SERVICE ANNOUNCEMENT. ALL TROLLING MODERATORS, FUCK OFF AND READ.
Crank up its security, baby. I hope you have an extra disk array for the log.
Gee, since when did google get redirected to ask slashdot?
532.8 days ago.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
If you're pasting preformatted crap, use the <pre> tag. Because HTML treats multiple spaces as 1 otherwise, which is why the pretty | in your post don't line up.
Poopstain sniffer.
Slob Mold-a is probably too stupid to realize the usefulness of the pre tag. It is faggoty it is not allowed in comments. All the faggot lameness filters make trolling more challenging (and fun for the trolls) and makes it harder to post normal shit.
What a faggot ridden fuck-pile this butt-hole has become. If -1 isn't good enough to rid the lameness, and page widening continues unabated, fucking the lameness fag filters here suck, and the moderation system is clearly useless because -1 isn't enough?
FAGS.
The Sun BSM is pretty cool, think truss (strace for the Linux kids) to log file for all processes run by any user. And those kids think that ln -s /dev/null .bash_history (etc) will stop me watching them :> Muhahaha!
Tim Brown