
   


Big Brother's Watching

The system manager and the administrator have considerable power over the Solaris systems. The only elements that they might not be able to see are those that have been privately encrypted; anything else is readily accessible. The superuser account (root) has unlimited access to all directories and files on the system, hence the title of this section. These privileges are not exclusive to UNIX or Solaris (the same is true of VMS, Novell NetWare, and so on), but they are necessary for effective system management and problem resolution.

This section takes a look at some of the information that the system manager can obtain about who's been doing what, when a user was last logged in and for how long, what commands were executed, and so on. In reality, though, a system manager often doesn't have the need or the time to go searching for a specific user's command history of activity, although it could be done to investigate possible abuse of the system. This is normally used to gather statistical information, for example, to see how many times the StarOffice package was used last month compared with the month before, or to determine whether a particular software package is being used at all.

The following subsections discuss the use of the system accounting software to obtain and collate the kind of management information that is required. They also examine the whodo command, which provides a snapshot of the commands being executed at the time.

Using the System Accounting Software to Your Advantage

The accounting software is capable of much more than just providing financial information based on computer usage. In fact, the concept of billing for computer time is fast becoming outdated, unless the company is using an external bureau for its computing needs. Most system managers charge customers an agreed fee, say, for a year; the fee is based on the cost of providing the service rather than how much CPU time is utilized.

The system manager can make better use of the data collated by the software and use the information derived from this data to see, for example, which software packages are actually being used and how much. This kind of information is invaluable for assessing license renewals or levels of support required.

Enabling the Accounting Software

The system accounting software is not enabled by default when the Solaris operating environment is installed. A number of steps must be performed to initiate the accounting software:

  1. Become superuser (root).

  2. The packages SUNWaccr and SUNWaccu must be installed before the accounting software can be used. Check the status using the pkginfo command. If these packages are not installed, add them using the pkgadd command or the admintool facility.

  3. Install the script /etc/init.d/acct as the startup script for Run Level 2 so that the accounting software is activated when the system is restarted. This is achieved by creating a link in the /etc/rc2.d directory, as shown here:

     # ln /etc/init.d/acct /etc/rc2.d/S22acct

  4. Install the script /etc/init.d/acct as the stop script for Run Level 0 so that the accounting software is shut down cleanly when the system is stopped. This is achieved by creating a second link, this time in the /etc/rc0.d directory, as shown here:

     # ln /etc/init.d/acct /etc/rc0.d/K22acct

  5. Modify the crontab file for user adm to install the automatic management scripts. The following lines should be added to the crontab:

     0 * * * * /usr/lib/acct/ckpacct
     30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
     30 7 1 * * /usr/lib/acct/monacct

    These entries are suggested defaults and can be amended, if required.

  6. Modify the crontab file for user root to automatically run the command dodisk, the disk accounting program. The following line should be added to the crontab:

     30  22  *  *  4  /usr/lib/acct/dodisk 

    This entry is a suggested default and can be amended, if required.

  7. Edit the file /etc/acct/holidays if it is to be used. Each line contains the date of a public holiday. These days will not be treated as normal working days by the accounting software.

  8. The system accounting software will be started automatically the next time the system is restarted. Alternatively, it can be started immediately by running the following command as user root:

     # /etc/rc2.d/S22acct start
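
One way to audit steps 3 through 6 after they have been carried out, as an added example that is not part of the original text. The function names and the optional ROOT prefix are assumptions made for illustration; /var/spool/cron/crontabs is where Solaris keeps per-user crontab files, and the package check from step 2 is left to pkginfo.

```shell
#!/bin/sh
# Added example (not from the book): audit the accounting setup from steps 3-6.
# ROOT is an assumed optional prefix so a staged or mounted image can be checked;
# call check_acct_setup with no argument to check the live system.

inode_of() {   # print the inode of FILE (following symlinks), empty if absent
    ls -Li "$1" 2>/dev/null | awk '{ print $1 }'
}

has_job() {    # has_job CRONTAB PROGRAM: true if an uncommented entry runs PROGRAM
    [ -f "$1" ] &&
        grep -v '^[[:space:]]*#' "$1" | grep "/usr/lib/acct/$2" >/dev/null
}

check_acct_setup() {
    root=${1%/}
    rc=0
    init="$root/etc/init.d/acct"
    tabs="$root/var/spool/cron/crontabs"   # Solaris crontab spool directory

    # Steps 3 and 4: both rc links must resolve to the same file as init.d/acct.
    for link in "$root/etc/rc2.d/S22acct" "$root/etc/rc0.d/K22acct"; do
        if [ ! -e "$link" ]; then
            echo "MISSING  $link"; rc=1
        elif [ "$(inode_of "$link")" != "$(inode_of "$init")" ]; then
            echo "MISMATCH $link is not a link to $init"; rc=1
        fi
    done

    # Step 5: the crontab for adm drives ckpacct, runacct and monacct.
    for prog in ckpacct runacct monacct; do
        has_job "$tabs/adm" "$prog" || { echo "NO CRON  adm: $prog"; rc=1; }
    done

    # Step 6: the crontab for root drives dodisk.
    has_job "$tabs/root" dodisk || { echo "NO CRON  root: dodisk"; rc=1; }

    return $rc
}
```

A non-zero return with a NO CRON line for runacct means the daily processing is not scheduled, so /var/adm/pacct is never rolled into the daily reports.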

Where Is the Data Kept?

The system accounting software stores all its data in the /var/adm directory structure. In larger systems, it is still fairly common to have /var as a separate file system to protect the root file system (/) from becoming full. The importance of doing this has reduced considerably due to the high disk capacities available today, although some companies still do this as part of their configuration policy.

The main accounting file is /var/adm/pacct. This contains the active process accounting information. It is reset each day when the runacct program is run automatically via cron.

The directory /var/adm/acct also contains three further subdirectories, fiscal, nite, and sum. These subdirectories contain the following information:

  • fiscal: Reports by fiscal period. This is normally a monthly period, but it can be configured to suit the company's own reporting period. The reports are created when the monacct program is run automatically via cron.

  • nite: Daily binary summary files, a daily processed accounting record, and disk accounting information. These files are created daily when the runacct program is run automatically via cron.

  • sum: Cumulative summary accounting files and daily reports. These are merged when the monthly fiscal report is generated.

Some of the reports produced by the various accounting programs are available in ASCII text format and therefore are readable by any editor or can be used as part of a more general report on system activity. Other files are held in accounting data format designed to be accessed using programs such as acctcom, acctcms, and acctprc, located in the /usr/lib/acct directory. These programs extract processing and command information, the output of which also can be saved to ASCII files for further analysis.

Common Usage Statistics

The system manager needs statistical information about the activity on the system for a variety of reasons. The best place to get this information is from the accounting report located in the fiscal directory. This is an ASCII format report that can be easily manipulated and searched, using either an editor or a shell script. A number of fiscal reports can be searched to provide information on trends. Figure 8.2 shows a graph created by using the output from three fiscal reports to display the trend in usage for the shells and the StarOffice suite as well as the sudo command.

Figure 8.2. The graphical representation of the data makes it easy to see the upward trend in the usage of the selected commands.


Using acctcom

The acctcom command is used to display a summary of process accounting records. This command displays information only about processes that have already terminated. The ps or whodo commands can be used to obtain information about current processes.

For example, to obtain a detailed listing of commands that have been executed today by user jephilc, the program acctcom is used. This program, by default, reads the current accounting file /var/adm/pacct and produces a list of command information as shown in Listing 8.4.

Listing 8.4 The Output from the acctcom Command Showing the Command Usage for a Specific User
 # acctcom -u jephilc
 ACCOUNTING RECORDS FROM:  Mon Oct 30 10:45:58 2000
 COMMAND                           START    END          REAL     CPU     MEAN
 NAME       USER     TTYNAME       TIME     TIME       (SECS)   (SECS) SIZE(K)
 touch      jephilc   ?            10:50:14 10:50:14     0.07     0.01  584.00
 cat        jephilc   ?            10:50:14 10:50:34     0.10     0.02  650.00
 head       jephilc   ?            10:50:34 10:50:34     0.06      .01  704.00
 touch      jephilc   ?            10:50:34 10:50:34     0.02     0.01  748.00
 ksh        jephilc   ?            10:50:38 10:50:38     0.11     0.02 1528.00
 dtfile     jephilc   ?            11:09:40 11:09:40     0.01     0.01 2672.00
 sh         jephilc   ?            10:25:42 11:12:06  2784.64     0.03 1690.67
 dtterm     jephilc   ?            10:25:40 11:12:07  2787.20     2.65 2816.00
 sh         jephilc   ?            11:12:13 11:18:45   392.24     0.02 2272.00
 dtterm     jephilc   ?            11:12:13 11:18:46   393.04     0.94 3366.13
 sqlplus    jephilc   pts/22       14:56:45 15:08:42   717.44     0.07 3113.14
 Xsupport   jephilc   pts/22       15:59:48 16:04:32   284.80     0.13 3819.69
 ls         jephilc   pts/22       16:22:07 16:22:07     0.01     0.01 1416.00
 cp         jephilc   pts/22       16:22:13 16:22:13     0.02     0.01 1024.00
 more       jephilc   pts/22       16:22:22 16:22:22     0.01     0.01 1368.00
 soffice    jephilc   pts/22       16:22:51 16:25:48   177.76     0.11 3350.55
 sh         jephilc   ?            11:18:50 22:21:31  39761.92     0.06 1065.33
 sh         jephilc   ?            22:21:38 22:34:04   746.24     0.02 2414.00
 dtterm     jephilc   ?            22:21:36 22:34:04   748.16     0.71 3303.21
 sdtimage   jephilc   ?            23:15:50 23:17:57   127.76     1.34 4468.54
 sh         jephilc   ?            09:05:34 23:26:24  51650.56     0.08  948.00
 dtterm     jephilc   ?            09:05:31 23:27:02  51691.52     2.51 1844.02
 ls         jephilc   pts/4        23:34:25 23:34:25     0.01     0.01  780.00
 more       jephilc   pts/4        23:34:32 23:34:32     0.01     0.01 1016.00
 #

This example shows the command usage for a specific user. When executed for all users, this command is particularly useful for diagnosing bottlenecks in the system because it is fairly easy to establish exactly what commands were being executed at the time the system suffered from poor performance.
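
A listing like 8.4 is easier to act on once it is totalled per command. The following is an added example, not code from the book: acct_summary, acct_runs and sample_listing are names chosen here, and the sample rows are copied from Listing 8.4 so the script runs without an accounting file.

```shell
#!/bin/sh
# Added example (not from the book): per-command usage totals from acctcom output.
# Live use would be, for example:  acctcom | acct_summary

sample_listing() {   # banner, headers and a few rows copied from Listing 8.4
    cat <<'EOF'
ACCOUNTING RECORDS FROM:  Mon Oct 30 10:45:58 2000
COMMAND                           START    END          REAL     CPU     MEAN
NAME       USER     TTYNAME       TIME     TIME       (SECS)   (SECS) SIZE(K)
touch      jephilc   ?            10:50:14 10:50:14     0.07     0.01  584.00
head       jephilc   ?            10:50:34 10:50:34     0.06      .01  704.00
touch      jephilc   ?            10:50:34 10:50:34     0.02     0.01  748.00
sqlplus    jephilc   pts/22       14:56:45 15:08:42   717.44     0.07 3113.14
ls         jephilc   pts/22       16:22:07 16:22:07     0.01     0.01 1416.00
soffice    jephilc   pts/22       16:22:51 16:25:48   177.76     0.11 3350.55
ls         jephilc   pts/4        23:34:25 23:34:25     0.01     0.01  780.00
EOF
}

acct_summary() {   # stdin: acctcom report; stdout: COMMAND RUNS USERS REAL CPU
    awk '
        # Data rows have 8 fields with the START time in field 4. The banner
        # line also has 8 fields, so the time pattern is what excludes it.
        NF == 8 && $4 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            runs[$1]++
            if (!seen[$1, $2]++) users[$1]++     # distinct users per command
            real[$1] += $6                       # elapsed seconds
            cpu[$1]  += $7                       # CPU seconds (".01" parses as 0.01)
        }
        END {
            for (c in runs)
                printf "%-10s %5d %5d %12.2f %9.2f\n",
                       c, runs[c], users[c], real[c], cpu[c]
        }' | LC_ALL=C sort -k2,2nr -k1,1
}

acct_runs() {      # acct_runs COMMAND: invocation count for one command, 0 if unused
    acct_summary | awk -v c="$1" '$1 == c { n = $2 } END { print n + 0 }'
}
```

Output is sorted by invocation count, so rarely used commands fall to the bottom, and the USERS column shows whether a package is used by one account or many.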

Is Anyone Using This Expensive Package?

One of the best uses of the accounting software that I have personally come across is using the software to determine whether a particular software product is being used and, if so, to what extent. It could be that the product was very expensive to purchase, was requested as a high priority, and demanded full technical support. However, on running the relevant query, the system manager can interrogate a number of monthly reports and find out exactly how many invocations of that piece of software have actually occurred. Sometimes it turns out that the software hasn't been used for months, yet the system manager has been paying for full technical support, and even when it was used, it was only by one user, who has since left the company.

This scenario is not typical, but it demonstrates the need for the system manager to keep a "watching brief" on the usage of software products. The information obtained from such analysis can prove extremely useful when deciding on future support and licensing requirements, and it can be instrumental in providing the justification for whichever decision is taken.

Using the whodo Command

The whodo command also provides information on commands, but this command details processes that are currently running. The output from the command is easier to read than the output of ps: It provides a snapshot of what is currently being executed, as opposed to commands such as acctcom that list historical information about commands that have previously run (and completed).

The whodo command, in conjunction with the ps command, is also useful for investigating why a system might be suffering from poor response.


   


Solaris System Management
Solaris System Management (New Riders Professional Library)
ISBN: 073571018X
EAN: 2147483647
Year: 2001
Pages: 101
Authors: John Philcox
