acct()¶
Intro¶
acct() - toggle process accounting on or off
Description¶
The acct() system call is used to enable or disable process accounting. It is typically used to start or stop the system writing process accounting information to the file specified in the "filename" argument. Process accounting information is stored in a file so that the activities of users on the system can be monitored.
Process accounting can be activated by setting the kernel parameter accounting
to 1. The kernel will begin writing accounting information to the file specified in the "filename" argument when acct() is called. When process accounting is enabled, all processes that terminate have an accounting record written to the accounting file. Accounting records can be read with the acct() system call.
Process accounting can be disabled by calling acct() with a null pointer in the "filename" argument.
Arguments¶
filename
:const char*
[K] - pathname of the accounting file to be written. If a null pointer is passed, process accounting will be disabled.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_acct¶
Type¶
Kprobe
Purpose¶
To monitor process accounting activity.
Example Use Case¶
An application like "process_tracker" that needs to monitor user activities on a system and keep track of when each process is started and when it is terminated. The acct() system call can be used to enable process accounting and record the process accounting information in the specified file.
Issues¶
If the accounting file becomes too large, the kernel may stop writing new records to it. This can be mitigated by periodically rotating the accounting file by calling mv on it and creating a new accounting file.
Related Events¶
- execve() - used to execute or start a process which may be recorded in the accounting file.
- exit() - used to terminate a process which may be recorded in the accounting file.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.