Original address: http://www.sudu.cn/info/index.php?op=article&id=17049
1. Logon account management
In Linux, utmp and wtmp are used to keep track of user logons. wtmp also records system restarts and changes in system state. The utmp and wtmp data are stored in the /var/run/utmp and /var/log/wtmp files respectively. Both files belong to the root user and have 644 access permissions. The data in these files is not plain text; the dump-utmp tool converts the raw records to ASCII so that the system administrator can analyze user logons, system restarts and system state changes.
Logon account management commands
The last command reports the logon and logout time of each user, as well as system restarts and changes in running state. By default, last reads /var/log/wtmp and displays every connection and every change of running state. The output of last can be more information than the viewer can cope with; the typical usage is last -5, which shows the latest five records in /var/log/wtmp.
The who command reports the users currently logged on to the system. It provides the following information: the user name, the terminal device the user is logged on through, the user's address or host name, the window displayed on X (if X Windows is used), and whether the user accepts messages and chat requests from other users.
The ac command provides approximate statistics about user connection time. It is used with the flags -d and -p: ac -d shows the total connection time for each day, and ac -p shows the connection time of each user. These statistics are helpful for understanding user activity in relation to intrusion detection and other investigations.
The lastlog command reads the /var/log/lastlog file and reports each user's most recent logon. lastlog is also used to check for unusual logon records on Linux systems.
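The section above says that utmp and wtmp are not plain text and that dump-utmp turns them into readable records. The following added example, which is not code from the original article, does the same conversion in Python and then derives the two views the article describes: the per-user latest logon that lastlog reports and the newest few entries that last -5 shows. It assumes the glibc struct utmp layout on Linux (384-byte little-endian records, as on x86_64); the sample wtmp bytes are constructed in the block and are not real logon data.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc `struct utmp` on Linux/x86_64 (384 bytes, little-endian):
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Convert raw utmp/wtmp bytes into a list of dicts (what dump-utmp prints as text)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated utmp record")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1],
            "line": _cstr(f[2]),
            "id": _cstr(f[3]),
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "sec": f[9],
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def pack_utmp(ut_type, pid, line, user, host, sec):
    """Build one record; used here only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def last_logins(records):
    """Latest USER_PROCESS entry per user, i.e. what lastlog reports."""
    latest = {}
    for r in records:
        if r["type"] != "USER_PROCESS":
            continue
        if r["user"] not in latest or r["sec"] > latest[r["user"]]["sec"]:
            latest[r["user"]] = r
    return latest


def recent(records, n=5):
    """Newest n entries, comparable to `last -5`."""
    return sorted(records, key=lambda r: r["sec"], reverse=True)[:n]


# Constructed sample wtmp content (a boot, three logons, one logout); not real data.
SAMPLE_WTMP = b"".join([
    pack_utmp(BOOT_TIME, 0, "~", "reboot", "5.10.0-example", 1_700_000_000),
    pack_utmp(USER_PROCESS, 1201, "pts/0", "alice", "198.51.100.7", 1_700_000_600),
    pack_utmp(USER_PROCESS, 1310, "pts/1", "bob", "203.0.113.5", 1_700_001_200),
    pack_utmp(DEAD_PROCESS, 1201, "pts/0", "", "", 1_700_001_800),
    pack_utmp(USER_PROCESS, 1405, "pts/0", "alice", "198.51.100.9", 1_700_002_400),
])

if __name__ == "__main__":
    for r in recent(parse_utmp(SAMPLE_WTMP)):
        print(f'{r["time"]:%Y-%m-%d %H:%M:%S} {r["type"]:13} {r["user"]:8} {r["line"]:6} {r["host"]}')
    for user, r in last_logins(parse_utmp(SAMPLE_WTMP)).items():
        print(f'lastlog: {user:8} {r["time"]:%Y-%m-%d %H:%M:%S} from {r["host"]}')
```

Reading the real files works the same way (open /var/log/wtmp in binary mode and pass the bytes to parse_utmp), which is also a useful cross-check against the output of last and who on a machine where those binaries may have been tampered with.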
2. SYSTEM account audit
In Linux, you can enable process accounting so that every command executed by every user is recorded in a log file. This function is disabled by default.
To enable it:
# touch /var/log/pacct
# accton /var/log/pacct
You can use a file of your own instead of /var/log/pacct, but the path and file name must be correct.
The sa command is a statistical command like ac. It summarizes, per user or per command, how often commands were run and how much system resource they consumed. To a large extent sa is a billing command, but it is very useful for identifying particular users and, above all, suspicious commands used by known users. Because the amount of information is large, you will need scripts or programs to filter it.
The lastcomm command, unlike sa, prints an entry for every command executed, together with the timestamp of each execution. In this respect lastcomm is more useful than sa from a security standpoint. If the system has been penetrated, do not trust the information recorded in lastlog, utmp and wtmp blindly, but do not ignore it either: the records may have been modified, and someone may have replaced the who program to cover their tracks. Process accounting is generally most effective after suspicious activity has been identified; lastcomm can then be used to isolate a user's activity or the commands executed at a specific time.
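To make the sa and lastcomm discussion concrete, here is an added example (not code from the original article) that decodes raw pacct records, produces a per-user summary of command count and CPU time in the spirit of sa, and isolates the commands a user ran in a given time window as lastcomm lets you do. It assumes the Linux kernel's acct_v3 record format (64-byte little-endian records, comp_t counters in 1/100 s ticks, the ASU flag marking commands that used superuser privileges); the sample pacct bytes are constructed in the block and are not real accounting data.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: the kernel's `struct acct_v3` (64 bytes, little-endian), the record
# format written to /var/log/pacct while accounting is on: ac_flag, ac_version, ac_tty,
# ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid, ac_btime, ac_etime (float), eight comp_t
# counters (utime, stime, mem, io, rw, minflt, majflt, swaps) and ac_comm[16].
ACCT_FMT = "<BBHIIIIIIfHHHHHHHH16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)  # 64
AHZ = 100     # comp_t time counters are in ticks of 1/100 s
ASU = 0x02    # ac_flag bit: the process used superuser privileges (lastcomm prints "S")


def comp_decode(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent; decoding is exact,
    but encoding large values is lossy (see comp_encode)."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_encode(v):
    """Inverse of comp_decode, dropping low bits when v does not fit in 13 bits."""
    exp = 0
    while v > 0x1FFF:
        v >>= 3
        exp += 1
    return (exp << 13) | v


def parse_pacct(data):
    """Decode raw pacct bytes into dicts (the text form that lastcomm prints)."""
    if len(data) % ACCT_SIZE:
        raise ValueError("truncated accounting record")
    records = []
    for off in range(0, len(data), ACCT_SIZE):
        f = struct.unpack_from(ACCT_FMT, data, off)
        records.append({
            "uid": f[4], "pid": f[6], "ppid": f[7], "btime": f[8],
            "when": datetime.fromtimestamp(f[8], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "cpu": (comp_decode(f[10]) + comp_decode(f[11])) / AHZ,  # user + system seconds
            "comm": f[18].split(b"\0", 1)[0].decode("latin-1"),
            "su": bool(f[0] & ASU),
        })
    return records


def pack_acct(uid, pid, ppid, btime, utime_s, comm, flags=0):
    """Build one acct_v3 record; used here only to construct sample data."""
    return struct.pack(ACCT_FMT, flags, 3, 0, 0, uid, uid, pid, ppid, btime,
                       float(utime_s), comp_encode(round(utime_s * AHZ)),
                       0, 0, 0, 0, 0, 0, 0, comm.encode())


def summarize(records):
    """Per-user command count and CPU seconds, roughly what `sa -m` reports."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["uid"], {"commands": 0, "cpu": 0.0})
        entry["commands"] += 1
        entry["cpu"] += r["cpu"]
    return summary


def commands_between(records, start, end, uid=None):
    """Isolate what ran in an epoch-second window, optionally for one user (as with lastcomm)."""
    return [r for r in records
            if start <= r["btime"] <= end and (uid is None or r["uid"] == uid)]


# Constructed sample pacct content; uids, pids, times and commands are made up.
UID_ALICE, UID_BOB = 1000, 1001
T0 = 1_700_000_000
SAMPLE_PACCT = b"".join([
    pack_acct(UID_ALICE, 2001, 1900, T0 + 10, 0.12, "ls"),
    pack_acct(UID_ALICE, 2002, 1900, T0 + 40, 3.50, "gcc"),
    pack_acct(UID_BOB, 2100, 2050, T0 + 300, 0.05, "sudo", flags=ASU),
    pack_acct(UID_BOB, 2101, 2100, T0 + 301, 0.40, "systemctl", flags=ASU),
    pack_acct(UID_ALICE, 2003, 1900, T0 + 900, 0.02, "cat"),
])

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)
    for r in recs:
        print(f'{r["comm"]:10} {"S" if r["su"] else " "} uid={r["uid"]} pid={r["pid"]} {r["when"]} cpu={r["cpu"]:.2f}s')
    print(summarize(recs))
    print([r["comm"] for r in commands_between(recs, T0 + 250, T0 + 400, uid=UID_BOB)])
```

The su flag is the field worth watching when reviewing a known user's activity: it marks the commands that ran with superuser privileges, independent of the command name.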
3. Using logrotate to manage audit files
/var/log/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files: wtmp and pacct grow by appending at the end, and on a busy network they become very large. Linux provides a program named logrotate that lets administrators manage these files.
logrotate reads the files in the /etc/logrotate.d directory; the administrator controls the operation of logrotate through the script files in that directory. A typical script file looks like this:
/var/log/wtmp {
    rotate 5
    weekly
    errors
    mail
    copytruncate
    compress
    size 100k
}
The directives in the script file mean the following:
● rotate 5 -- keep the current file and five old backup copies.
● weekly -- process the file once a week, usually on the first day of the week.
● errors -- send error reports to the given e-mail address.
● mail -- send the related information to the given e-mail address.
● copytruncate -- let the process keep writing: the active log file is copied to the backup and then truncated in place.
● compress -- compress old log files with the gzip tool.
● size 100k -- rotate automatically when the file exceeds 100 KB.