4.8 Enable System Accounting - Check if contents of /var/spool/cron/crontabs/sys (/usr/lib/sa/sa2) are OK.

Information

System accounting gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command, or by reviewing the nightly report files named /var/adm/sa/sar*.

Note - The sys id must be added to /etc/cron.allow to run the system accounting commands.

Solution

Perform the following to implement the recommended state:
svcadm enable -r svc:/system/sar
# The delimiter is quoted so the shell passes $a (ed's "append after last line") through unexpanded.
EDITOR=ed crontab -e sys << 'END_ENTRIES'
$a
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
.
w
q
END_ENTRIES
chown sys:sys /var/adm/sa/*
chmod go-wx /var/adm/sa/*

Note - This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.

The sys account must be permitted to use the cron(1M) facility for system accounting to function properly. See Item 6.9 Restrict at/cron to Authorized Users.
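
One way to verify the state described above, as an added example that is not part of the benchmark or the plugin. The function names are hypothetical, file locations are passed as arguments, and a POSIX sh, grep and find are assumed.

```shell
#!/bin/sh
# Added example: verification helpers for this item (hypothetical names).
# Paths are arguments so the checks can also be run against copies.

# has_active_entry FILE PATTERN: true if an uncommented line matches PATTERN.
has_active_entry() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -E -q -- "$2"
}

# check_sys_crontab FILE: sa1 and sa2 must both be scheduled as in the Solution.
check_sys_crontab() {
    has_active_entry "$1" '^0,20,40 \* \* \* \* /usr/lib/sa/sa1([[:space:]]|$)' || return 1
    has_active_entry "$1" '^45 23 \* \* \* /usr/lib/sa/sa2 .*-i 1200 -A' || return 1
}

# check_cron_allow FILE: sys must appear on a line of its own.
check_cron_allow() {
    grep -q -x 'sys' "$1" 2>/dev/null
}

# check_sa_files DIR [OWNER]: prints files not owned by OWNER (default sys)
# or carrying group/other write or execute bits; true only if none are found.
check_sa_files() {
    [ -d "$1" ] || return 2
    bad=$(find "$1" -type f \( ! -user "${2:-sys}" -o -perm -020 -o -perm -010 \
        -o -perm -002 -o -perm -001 \) -print 2>/dev/null)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

On a live system the arguments would be /var/spool/cron/crontabs/sys, /etc/cron.allow and /var/adm/sa.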

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 0e2c5aac83c45fac3c5bc0c4714cc964452a9072e04865f79a506878996bd4eb