Analysis on the management and audit of Linux system account

Source: Internet
Author: User
  1. Login account management

Under Linux, login accounts are tracked through the utmp and wtmp facilities. wtmp also records system reboots and run-level changes. The utmp data lives in /var/run/utmp and the wtmp data in /var/log/wtmp. Both files are owned by root with mode 644, and their contents are stored as fixed-size binary records rather than plain text. The dump-utmp tool converts the raw records into ASCII, which lets the administrator analyse user logins as well as system reboots and state changes.
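As an added illustration (not from the original article) of what dump-utmp does with these records, the decoder below reads binary utmp/wtmp data and lists remote logins and reboots, the view an administrator wants when reviewing /var/log/wtmp. It assumes glibc's x86_64 record layout and runs over a constructed sample file built inline.

```python
import struct

# Layout of glibc's 'struct utmp' on x86_64 (384 bytes per record). Assumption: the
# file was written by glibc on a little-endian 64-bit system; other libcs differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
              5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
              8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_utmp(data):
    """Decode utmp/wtmp bytes into dict records; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": TYPE_NAMES.get(f[0], str(f[0])), "pid": f[1],
                     "line": _cstr(f[2]), "id": _cstr(f[3]), "user": _cstr(f[4]),
                     "host": _cstr(f[5]), "time": f[9] + f[10] / 1e6})
    return recs

def pack_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Encode one record; used here only to build the constructed sample below."""
    fixed = lambda s, n: s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, fixed(line, 32), fixed(ut_id, 4),
                       fixed(user, 32), fixed(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def remote_logins(recs):
    """Audit view: (user, host, line, time) for each login that arrived over the network."""
    return [(r["user"], r["host"], r["line"], r["time"])
            for r in recs if r["type"] == "USER_PROCESS" and r["host"]]

def reboots(recs):
    """Times of every BOOT_TIME record, i.e. system reboots."""
    return [r["time"] for r in recs if r["type"] == "BOOT_TIME"]

# Constructed sample wtmp: a reboot, a console login, an ssh login and its logout.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "5.10.0", 1700000000),
    pack_record(USER_PROCESS, 1201, "tty1", "1", "alice", "", 1700000100),
    pack_record(USER_PROCESS, 1345, "pts/0", "ts/0", "bob", "203.0.113.7", 1700000200),
    pack_record(DEAD_PROCESS, 1345, "pts/0", "ts/0", "", "", 1700000500),
])

if __name__ == "__main__":
    print(remote_logins(parse_utmp(SAMPLE_WTMP)), reboots(parse_utmp(SAMPLE_WTMP)))
```

To run it against a real file, replace SAMPLE_WTMP with the bytes read from /var/log/wtmp.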

Related commands for login account management

The last command shows when each user logged in and out, together with system reboots and run-level changes. By default last reads /var/log/wtmp and prints one line per session and per state change. The full output is often too long to read comfortably, so a typical invocation is last -5, which shows only the 5 most recent records in /var/log/wtmp.

The main use of the who command is to report the users currently logged in to the system. For each user, who shows the terminal device in use, the login time, the remote host or address the user connected from, the X display (if the X Window System is in use), whether the user accepts messages from other users, and the login session.

The ac command prints approximate statistics on user connect time; its two useful flags are -d and -p. ac -d shows the total connect time per day, and ac -p shows the connect time of each user. These statistics help build a picture of user activity when investigating a suspected intrusion.

The lastlog command reads the /var/log/lastlog file and reports the most recent login of every user. lastlog is also a quick way to look for unusual login records on a Linux system.

  2. Audit of system accounts

Linux can record every command run by every user (process accounting) in a log file, but this feature is not enabled by default.

To enable it, create the accounting file and turn accounting on with accton:

# touch /var/log/pacct
# accton /var/log/pacct

You can use a file other than /var/log/pacct, but the path and file name passed to accton must exist and be spelled correctly.

The sa command, like ac, is a statistical command. It summarises how each user or each command has used the system and reports the system resources consumed. sa is largely an accounting command, but it is useful for singling out particular users and, especially, suspicious commands run by those users. Because the volume of information is large, scripts or programs are usually needed to filter it.

The lastcomm command differs from sa in that it prints one line per executed command, together with the time stamp at which that command ran. In this respect lastcomm is more useful for a security review than sa. If the system has been compromised, do not blindly trust the information recorded in lastlog, utmp and wtmp, since it may have been modified, but do not ignore it either. It is also possible that the who program itself has been replaced to deceive investigators. In general, process accounting works best once some suspicious activity has already been identified: use lastcomm to isolate one user's activity, or the commands executed during a specific time window.

  3. Using logrotate to manage audit files

/var/log/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files: wtmp and pacct grow continuously as records are appended at the end of the file. On a busy network these files can become very large. Linux provides a program called logrotate that lets administrators manage them.

logrotate reads the files in the /etc/logrotate.d directory; the administrator controls what logrotate does through the script files placed there. A typical script file looks like this:

# log file this block applies to (the article's listing omits this line)
/var/log/wtmp {
    rotate 5
    weekly
    errors root@server1
    mail root@server1
    copytruncate
    compress
    size 100k
}

The directives have the following meanings:

rotate 5 -- keeps the current log plus 5 old rotated copies of the file.
weekly -- rotates the file once a week, usually on the first day of the week.
errors -- sends error reports to the given mail address (an old directive, no longer accepted by logrotate 3.8 and later).
mail -- mails the rotated log to the given address.
copytruncate -- copies the active log to the backup and then truncates it in place, so the writing process can keep logging without reopening the file.
compress -- compresses old log files with gzip.
size 100k -- rotates the file as soon as it exceeds 100 KB.
