NAME
acct — execution accounting file
SYNOPSIS
#include <sys/acct.h>
DESCRIPTION
The kernel maintains the following acct information structure for all processes. If a process terminates or misbehaves in specific ways, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.
    /*
     * Accounting structures; these use a comp_t type which is a 3 bits base 8
     * exponent, 13 bit fraction floating point number.  Units are 1/AHZ
     * seconds.
     */
    typedef u_int16_t comp_t;

    struct acct {
        char      ac_comm[24];  /* command name, incl NUL */
        comp_t    ac_utime;     /* user time */
        comp_t    ac_stime;     /* system time */
        comp_t    ac_etime;     /* elapsed time */
        comp_t    ac_io;        /* count of IO blocks */
        time_t    ac_btime;     /* starting time */
        uid_t     ac_uid;       /* user id */
        gid_t     ac_gid;       /* group id */
        u_int32_t ac_mem;       /* average memory usage */
        dev_t     ac_tty;       /* controlling tty, or -1 */
        pid_t     ac_pid;       /* process id */

        u_int32_t ac_flag;      /* accounting flags */
    #define AFORK   0x00000001  /* fork'd but not exec'd */
    #define AMAP    0x00000004  /* killed by syscall or stack mapping violation */
    #define ACORE   0x00000008  /* dumped core */
    #define AXSIG   0x00000010  /* killed by a signal */
    #define APLEDGE 0x00000020  /* killed due to pledge violation */
    #define ATRAP   0x00000040  /* memory access violation */
    #define AUNVEIL 0x00000080  /* unveil access violation */
    #define APINSYS 0x00000200  /* killed by syscall pin violation */
    #define ABTCFI  0x00000400  /* BT CFI violation */
    };

    /*
     * 1/AHZ is the granularity of the data encoded in the comp_t fields.
     * This is not necessarily equal to hz.
     */
    #define AHZ 64

    #ifdef _KERNEL
    int acct_process(struct proc *p);
    int acct_shutdown(void);
    #endif
If a terminated or misbehaving process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one or more of the following flags in ac_flag:
AFORK
- A new process was created via fork(2) that was not followed by a call to execve(2).
AMAP
- The process terminated abnormally due to a system call or stack mapping violation.
ACORE
- The process terminated abnormally due to a signal and dumped core(5).
AXSIG
- The process was killed by a signal(3).
APLEDGE
- The process was killed due to a pledge(2) violation.
ATRAP
- The process was killed due to a memory access violation detected by a processor trap.
AUNVEIL
- The process attempted a file access that was prevented by unveil(2) restrictions. Note that this does not cause the process to terminate.
APINSYS
- The command tried to execute a system call from the wrong system call instruction, see pinsyscalls(2).
ABTCFI
- The command executed an indirect branch to a location that did not start with a ‘BTI’ instruction, and terminated with signal SIGILL, code ILL_BTCFI.
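The following added example (not part of the manual page or of the OpenBSD sources) expands a comp_t value into 1/AHZ ticks and names the bits set in ac_flag, so that records carrying enforcement flags such as APLEDGE or AUNVEIL can be singled out. The function names, the ACCT_VIOLATION mask and the sample records are assumptions constructed for illustration; the flag values and AHZ are copied from the header above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values copied from the header above; on OpenBSD include <sys/acct.h> instead. */
#define AFORK   0x00000001
#define AMAP    0x00000004
#define ACORE   0x00000008
#define AXSIG   0x00000010
#define APLEDGE 0x00000020
#define ATRAP   0x00000040
#define AUNVEIL 0x00000080
#define APINSYS 0x00000200
#define ABTCFI  0x00000400
#define AHZ     64
/* Hypothetical triage mask: flags that record a mitigation firing. */
#define ACCT_VIOLATION (AMAP | APLEDGE | ATRAP | AUNVEIL | APINSYS | ABTCFI)

/* Expand a comp_t (3-bit base-8 exponent, 13-bit fraction) to 1/AHZ ticks. */
uint64_t comp_to_ticks(uint16_t c) {
    return (uint64_t)(c & 0x1fff) << (3 * ((c >> 13) & 7));
}

/* Names of the set flags, comma separated, in a static buffer (not reentrant). */
const char *acct_flag_names(uint32_t flags) {
    static const struct { uint32_t bit; const char *name; } tab[] = {
        { AFORK, "AFORK" }, { AMAP, "AMAP" }, { ACORE, "ACORE" },
        { AXSIG, "AXSIG" }, { APLEDGE, "APLEDGE" }, { ATRAP, "ATRAP" },
        { AUNVEIL, "AUNVEIL" }, { APINSYS, "APINSYS" }, { ABTCFI, "ABTCFI" },
    };
    static char buf[96];        /* all nine names plus commas need 60 bytes */
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
        if (!(flags & tab[i].bit)) continue;
        if (buf[0] != '\0') strcat(buf, ",");
        strcat(buf, tab[i].name);
    }
    return buf;
}

int main(void) {
    /* Constructed sample records: command name, ac_flag, ac_etime. */
    static const struct { const char *comm; uint32_t flag; uint16_t etime; } recs[] = {
        { "ls", 0, 0x0003 }, { "httpd", ACORE | AXSIG | APLEDGE, 0x2010 },
        { "ftp", AUNVEIL, 0x0140 },
    };
    for (size_t i = 0; i < sizeof(recs) / sizeof(recs[0]); i++)
        if (recs[i].flag & ACCT_VIOLATION)   /* report only enforcement events */
            printf("%-8s %.2fs %s\n", recs[i].comm,
                (double)comp_to_ticks(recs[i].etime) / AHZ, acct_flag_names(recs[i].flag));
}
```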
SEE ALSO
lastcomm(1), acct(2), execve(2), pledge(2), unveil(2), signal(3), core(5), accton(8), sa(8)
HISTORY
An acct file format first appeared in Version 7 AT&T UNIX.