:>> Adding these two fields seems like a lightweight way to get some
:>> additional logging useful for security analysis without a lot of work.
:>Not only for that. You remember the flock message?
:>In the first version you only get a pid of the process, no name.
:>With lastcomm and a pid in struct acct it would be easier to detect.
:>> It looks like the only side-effect to adding these two fields is that
:>> existing progs that use the struct to read acct files would need to be
:>> recompiled.
If we first think about what we want to add to struct acct and then
modify it, we should only need to update the accounting utils once.
:>I vote for it, also we should reserve some spare longs in the accounting
:>record, for future extensions, or a length/version field.
:>In the latter case we have to make some changes to the accounting utils,
:>but then it is possible to handle different versions of accounting records.
Here is a sample struct acct:
#include <sys/types.h>          /* time_t, uid_t, gid_t, dev_t */

#define ACCT_COMM 16            /* assumed width of the command-name field (not given in the thread) */

struct acct
{
    char          ac_comm[ACCT_COMM]; /* Accounting command name */
    time_t        ac_utime;           /* Accounting user time */
    time_t        ac_stime;           /* Accounting system time */
    time_t        ac_etime;           /* Accounting elapsed time */
    time_t        ac_btime;           /* Beginning time */
    uid_t         ac_uid;             /* Accounting user ID */
    gid_t         ac_gid;             /* Accounting group ID */
    dev_t         ac_tty;             /* controlling tty */
    char          ac_flag;            /* Accounting flag */
    unsigned long ac_minflt;          /* Accounting minor pagefaults */
    unsigned long ac_majflt;          /* Accounting major pagefaults */
    long          ac_exitcode;        /* Accounting process exitcode */
    int           ac_pid;             /* Accounting process ID */
    int           ac_ppid;            /* Accounting process parent ID */
    unsigned long ac_mmio;            /* Accounting process I/O */
};
Probably we should record disk writes and reads separately.
:>> Ideally, the ac_comm field should be replaced with something that
:>> includes the command-line args, but I'll leave that discussion for
:>> another day. ;-)
:>Then we need variable sized records ...
...and something to separate records from each other in case of
incomplete or empty records. (One may get empty accounting
records, for example, if the machine crashes in the middle of a record write.)
Juha Virtanen
-- jiivee@iki.fi http://www.iki.fi/jiivee/
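As an added example (not code from the thread or from any accounting package), here is one way the two ideas above fit together: a length/version header on each record, a pid and separate read/write counters in the body, spare longs for extensions, and a reader that steps over records of an unknown version and flags a trailing record that was cut short by a crash. All type and function names (acct_hdr, acct_v2, acct_put, acct_get, acct_scan, acct_sample) and the values ACCT_COMM = 16 and ACCT_VERSION = 2 are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ACCT_COMM    16   /* assumed width of the command-name field */
#define ACCT_VERSION 2    /* hypothetical current layout version */

/* Fixed-size header that every record version starts with. */
struct acct_hdr {
    uint16_t ah_version;  /* layout version of the record that follows */
    uint16_t ah_len;      /* total record length in bytes, header included */
};

/* Hypothetical version-2 record: command name, ids, separate read/write
 * byte counts, and spare longs reserved for later extensions. */
struct acct_v2 {
    struct acct_hdr hdr;
    char     ac_comm[ACCT_COMM];
    uint32_t ac_uid, ac_gid;
    int32_t  ac_pid, ac_ppid, ac_exitcode;
    uint64_t ac_rchar;    /* bytes read */
    uint64_t ac_wchar;    /* bytes written */
    uint64_t ac_spare[4]; /* reserved, written as zero */
};

/* Append one record at offset off; returns bytes written, 0 if no room. */
size_t acct_put(unsigned char *buf, size_t cap, size_t off, struct acct_v2 rec)
{
    rec.hdr.ah_version = ACCT_VERSION;
    rec.hdr.ah_len = (uint16_t)sizeof rec;
    if (cap - off < sizeof rec) return 0;
    memcpy(buf + off, &rec, sizeof rec);
    return sizeof rec;
}

/* Read the record at *off. Returns 1 (and advances *off) for a complete
 * version-2 record, 2 for a record of another version that was skipped by
 * its declared length, 0 at end of data, and -1 when the header is
 * impossible (e.g. an all-zero record) or the remaining bytes are fewer
 * than the header claims, which is what a crash mid-write leaves behind. */
int acct_get(const unsigned char *buf, size_t len, size_t *off, struct acct_v2 *out)
{
    struct acct_hdr h;
    if (*off == len) return 0;
    if (len - *off < sizeof h) return -1;            /* partial header */
    memcpy(&h, buf + *off, sizeof h);
    if (h.ah_len < sizeof h) return -1;              /* nonsense length */
    if (len - *off < h.ah_len) return -1;            /* truncated body */
    if (h.ah_version != ACCT_VERSION || h.ah_len != sizeof *out) {
        *off += h.ah_len;                            /* unknown layout: skip */
        return 2;
    }
    memcpy(out, buf + *off, sizeof *out);
    *off += h.ah_len;
    return 1;
}

/* Walk a whole file image. Returns the number of complete version-2
 * records; *skipped counts other-version records, *truncated is set if
 * the image ends inside a record. */
int acct_scan(const unsigned char *buf, size_t len, int *truncated, int *skipped)
{
    size_t off = 0;
    int n = 0, rc;
    struct acct_v2 rec;
    *truncated = 0; *skipped = 0;
    while ((rc = acct_get(buf, len, &off, &rec)) > 0) {
        if (rc == 1) n++; else (*skipped)++;
    }
    if (rc < 0) *truncated = 1;
    return n;
}

/* Constructed sample image: two good records, one future-version record
 * of a different length, then a record cut off halfway. Returns its size. */
size_t acct_sample(unsigned char *buf, size_t cap)
{
    struct acct_v2 r;
    struct acct_hdr fut = { ACCT_VERSION + 1, 12 };
    size_t off = 0;
    memset(&r, 0, sizeof r);
    strncpy(r.ac_comm, "sh", ACCT_COMM); r.ac_pid = 100; r.ac_ppid = 1;
    off += acct_put(buf, cap, off, r);
    strncpy(r.ac_comm, "ls", ACCT_COMM); r.ac_pid = 101; r.ac_ppid = 100; r.ac_rchar = 4096;
    off += acct_put(buf, cap, off, r);
    memcpy(buf + off, &fut, sizeof fut); memset(buf + off + 4, 0xAB, 8); off += 12;
    strncpy(r.ac_comm, "cc", ACCT_COMM); r.ac_pid = 102;
    off += acct_put(buf, cap, off, r) / 2;           /* only half made it to disk */
    return off;
}

int main(void)
{
    unsigned char img[512];
    int t, s, n;
    size_t len = acct_sample(img, sizeof img);
    n = acct_scan(img, len, &t, &s);
    printf("%d complete, %d skipped, truncated=%d\n", n, s, t);
    return 0;
}
```

The reader validates the declared length before trusting the version, so an all-zero or half-written tail is reported rather than silently parsed as a record; the version check then lets an old utility step over newer layouts instead of misreading them.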