
pacct and /var/adm/wtmp

 
Vanja
Frequent Advisor

Trying to clear up some accounting issues.

1st SYSTEM
I have a system with accounting disabled:
# cat /etc/rc.config.d/acct
START_ACCT=0
#

The system still logs into /var/adm/btmp & /var/adm/wtmp all the bad and good login attempts. These files never get trimmed.

------------------------------------------
2nd SYSTEM:

I have accounting enabled:
# cat /etc/rc.config.d/acct
START_ACCT=1
#

I have the following entry in /var/spool/cron/crontabs/admin:

# cat /var/spool/cron/crontabs/adm
30 4 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
0 22 * * * /usr/lib/acct/ckpacct
15 5 1 * * /usr/lib/acct/monacct
#

I'm using the cron entries per HP recommendation.

My question is why does the /var/adm/wtmp file get reset every day on the 2nd system. It seems to be the effect of the runacct script that runs in the cron every day. Seems to me that there would be a security disadvantage here if this file gets trimmed every day, because with the last command I can only get the logins for today. Also, why does the /var/adm/wtmp file only hold root login information and not hold logins for the other users?

1) What would be the recommended setup for system accounting trimming in the cron?
2) Is there a benefit to enabling accounting if I'm using auditing?
3) If my corporate security policy dictates an offline retention of 1 year for auditing files - which files should I be backing up?

If there is a good document on this let me know - the man pages are pretty confusing.

Thanks,


Jannik
Honored Contributor

Re: pacct and /var/adm/wtmp

This is a feature of the command:
/usr/lib/acct/runacct
It moves the information to /var/adm/acct and that is it. You just have to remember that login information will be lost.
You could copy the files before running the runacct or append them to a clear text file using a command like:
/usr/sbin/acct/fwtmp < /var/adm/wtmp >> /tmp/wtmp_append

Hope it helps :-)
jaton
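The reply's suggestion (copy wtmp before runacct, or convert it with fwtmp and append to a text file) can be turned into a small script that cron runs shortly before the 04:30 runacct job, which also answers the retention question in the original post. The script below is an added example, not code from the thread or from HP; it assumes the login records live in a source directory such as /var/adm, that archives go to a directory of your choosing, and that fwtmp is at /usr/sbin/acct/fwtmp as the reply states (it is skipped if not present). The date stamp is passed in as an argument so the function can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the original post): preserve HP-UX login records
# before runacct truncates /var/adm/wtmp, and age the archive out after N days.

# archive_login_records SRC_DIR DEST_DIR STAMP
#   Copies SRC_DIR/wtmp and SRC_DIR/btmp to DEST_DIR/<name>.STAMP, keeping
#   ownership and timestamps (cp -p). Empty files are skipped. If fwtmp is
#   available, a readable copy <name>.STAMP.txt is written as well, as the
#   reply suggests. Returns non-zero if any copy fails.
archive_login_records() {
    src_dir=$1
    dest_dir=$2
    stamp=$3
    mkdir -p "$dest_dir" || return 1
    for f in wtmp btmp; do
        [ -s "$src_dir/$f" ] || continue        # nothing logged yet, skip
        cp -p "$src_dir/$f" "$dest_dir/$f.$stamp" || return 1
        # Optional clear-text copy (assumed path for fwtmp from the reply)
        if [ -x /usr/sbin/acct/fwtmp ]; then
            /usr/sbin/acct/fwtmp < "$src_dir/$f" > "$dest_dir/$f.$stamp.txt"
        fi
    done
    return 0
}

# prune_archives DEST_DIR KEEP_DAYS
#   Deletes archived wtmp/btmp copies whose modification time is older than
#   roughly KEEP_DAYS days so the archive area does not grow without bound.
#   Pick KEEP_DAYS to match the retention period your policy requires.
prune_archives() {
    dest_dir=$1
    keep_days=$2
    find "$dest_dir" -type f \( -name 'wtmp.*' -o -name 'btmp.*' \) \
        -mtime +"$keep_days" -exec rm -f {} \;
}

# Usage from cron, before runacct fires (paths here are assumptions):
#   25 4 * * * /usr/local/sbin/archive_logins.sh /var/adm /var/adm/acct/wtmp_archive 365
if [ $# -eq 3 ]; then
    archive_login_records "$1" "$2" "$(date +%Y%m%d)" && prune_archives "$2" "$3"
fi
```

The archive directory is what you would put on the offline backup for the retention period; the daily copies are unmodified wtmp/btmp files, so they can still be read with the accounting tools later, and the .txt copies are there for quick inspection without those tools.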