ACCT(5) - File Formats Manual

ACCT(5) - File Formats Manual #

ACCT(5) - File Formats Manual

NAME #

acct - execution accounting file

SYNOPSIS #

#include <sys/acct.h>

DESCRIPTION #

The kernel maintains the following acct information structure for all processes. If a process terminates or misbehaves in specific ways, and accounting is enabled, the kernel calls the acct(2) function call to prepare and append the record to the accounting file.

/*
 * Accounting structures; these use a comp_t type which is a 3 bits base 8
 * exponent, 13 bit fraction floating point number.  Units are 1/AHZ
 * seconds.
 */
typedef u_int16_t comp_t;

struct acct {
	char	  ac_comm[24];	/* command name, incl NUL */
	comp_t	  ac_utime;	/* user time */
	comp_t	  ac_stime;	/* system time */
	comp_t	  ac_etime;	/* elapsed time */
	comp_t	  ac_io;	/* count of IO blocks */
	time_t	  ac_btime;	/* starting time */
	uid_t	  ac_uid;	/* user id */
	gid_t	  ac_gid;	/* group id */
	u_int32_t ac_mem;	/* average memory usage */
	dev_t	  ac_tty;	/* controlling tty, or -1 */
	pid_t	  ac_pid;	/* process id */

	u_int32_t ac_flag;	/* accounting flags */
#define	AFORK	0x00000001	/* fork'd but not exec'd */
#define	AMAP	0x00000004	/* killed by syscall or stack mapping violation */
#define	ACORE	0x00000008	/* dumped core */
#define	AXSIG	0x00000010	/* killed by a signal */
#define	APLEDGE	0x00000020	/* killed due to pledge violation */
#define	ATRAP	0x00000040	/* memory access violation */
#define	AUNVEIL	0x00000080	/* unveil access violation */
#define APINSYS 0x00000200      /* killed by syscall pin violation */
#define ABTCFI  0x00000400      /* BT CFI violation */
};

/*
 * 1/AHZ is the granularity of the data encoded in the comp_t fields.
 * This is not necessarily equal to hz.
 */
#define	AHZ	64

#ifdef _KERNEL
int	acct_process(struct proc *p);
int	acct_shutdown(void);
#endif

If a terminated or misbehaving process was created by an execve(2), the name of the executed file (at most ten characters of it) is saved in the field ac_comm and its status is saved by setting one or more of the following flags in ac_flag:

AFORK

A new process was created via fork(2) that was not followed by a call to execve(2).

AMAP

The process terminated abnormally due to a system call or stack mapping violation.

ACORE

The process terminated abnormally due to a signal and dumped core(5).

AXSIG

The process was killed by a signal(3).

APLEDGE

The process was killed due to a pledge(2) violation.

ATRAP

The process was killed due to a memory access violation detected by a processor trap.

AUNVEIL

The process attempted a file access that was prevented by unveil(2) restrictions. Note that this does not cause the process to terminate.

APINSYS

The command tried to execute a system call from the wrong system call instruction, see pinsyscalls(2).

ABTCFI

The command executed an indirect branch to a location that did not start with a ‘BTI’ instruction, and terminated with signal SIGILL, code ILL_BTCFI.

SEE ALSO #

lastcomm(1), acct(2), execve(2), pledge(2), unveil(2), signal(3), core(5), accton(8), sa(8)

HISTORY #

An acct file format first appeared in Version7 AT&T UNIX.

OpenBSD 7.5 - February 25, 2024