1.\" $OpenBSD: acct.5,v 1.27 2024/02/25 00:07:14 deraadt Exp $ 2.\" $NetBSD: acct.5,v 1.4 1995/10/22 01:40:10 ghudson Exp $ 3.\" 4.\" Copyright (c) 1991, 1993 5.\" The Regents of the University of California. All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of the University nor the names of its contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" @(#)acct.5 8.1 (Berkeley) 6/5/93 32.\" 33.Dd $Mdocdate: February 25 2024 $ 34.Dt ACCT 5 35.Os 36.Sh NAME 37.Nm acct 38.Nd execution accounting file 39.Sh SYNOPSIS 40.In sys/acct.h 41.Sh DESCRIPTION 42The kernel maintains the following 43.Fa acct 44information structure for all 45processes. 46If a process terminates or misbehaves in specific ways, 47and accounting is enabled, the kernel calls the 48.Xr acct 2 49function call to prepare and append the record 50to the accounting file. 51.Bd -literal 52/* 53 * Accounting structures; these use a comp_t type which is a 3 bits base 8 54 * exponent, 13 bit fraction floating point number. Units are 1/AHZ 55 * seconds. 56 */ 57typedef u_int16_t comp_t; 58 59struct acct { 60 char ac_comm[24]; /* command name, incl NUL */ 61 comp_t ac_utime; /* user time */ 62 comp_t ac_stime; /* system time */ 63 comp_t ac_etime; /* elapsed time */ 64 comp_t ac_io; /* count of IO blocks */ 65 time_t ac_btime; /* starting time */ 66 uid_t ac_uid; /* user id */ 67 gid_t ac_gid; /* group id */ 68 u_int32_t ac_mem; /* average memory usage */ 69 dev_t ac_tty; /* controlling tty, or -1 */ 70 pid_t ac_pid; /* process id */ 71 72 u_int32_t ac_flag; /* accounting flags */ 73#define AFORK 0x00000001 /* fork'd but not exec'd */ 74#define AMAP 0x00000004 /* killed by syscall or stack mapping violation */ 75#define ACORE 0x00000008 /* dumped core */ 76#define AXSIG 0x00000010 /* killed by a signal */ 77#define APLEDGE 0x00000020 /* killed due to pledge violation */ 78#define ATRAP 0x00000040 /* memory access violation */ 79#define AUNVEIL 0x00000080 /* unveil access violation */ 80#define APINSYS 0x00000200 /* killed by syscall pin violation */ 81#define ABTCFI 0x00000400 /* BT CFI violation */ 82}; 83 84/* 85 * 1/AHZ is the granularity of the data encoded in the comp_t fields. 86 * This is not necessarily equal to hz. 87 */ 88#define AHZ 64 89 90#ifdef _KERNEL 91int acct_process(struct proc *p); 92int acct_shutdown(void); 93#endif 94.Ed 95.Pp 96If a terminated or misbehaving process was created by an 97.Xr execve 2 , 98the name of the executed file (at most ten characters of it) 99is saved in the field 100.Fa ac_comm 101and its status is saved by setting one or more of the following flags in 102.Fa ac_flag : 103.Bl -tag -width "AUNVEIL" 104.It Dv AFORK 105A new process was created via 106.Xr fork 2 107that was not followed by a call to 108.Xr execve 2 . 109.It Dv AMAP 110The process terminated abnormally due to a system call or stack mapping 111violation. 112.It Dv ACORE 113The process terminated abnormally due to a signal and dumped 114.Xr core 5 . 115.It Dv AXSIG 116The process was killed by a 117.Xr signal 3 . 118.It Dv APLEDGE 119The process was killed due to a 120.Xr pledge 2 121violation. 122.It Dv ATRAP 123The process was killed due to a memory access violation 124detected by a processor trap. 125.It Dv AUNVEIL 126The process attempted a file access that was prevented by 127.Xr unveil 2 128restrictions. 129Note that this does not cause the process to terminate. 130.It Dv APINSYS 131The command tried to execute a system call from the wrong 132system call instruction, see 133.Xr pinsyscalls 2 . 134.It Dv ABTCFI 135The command executed an indirect branch to a location that did not 136start with a 137.Ql BTI 138instruction, and terminated with signal 139.Dv SIGILL , 140.Va code 141.Dv ILL_BTCFI . 142.El 143.Sh SEE ALSO 144.Xr lastcomm 1 , 145.Xr acct 2 , 146.Xr execve 2 , 147.Xr pledge 2 , 148.Xr unveil 2 , 149.Xr signal 3 , 150.Xr core 5 , 151.Xr accton 8 , 152.Xr sa 8 153.Sh HISTORY 154An 155.Nm 156file format first appeared in 157.At v7 . 158