[Technical exchange sharing] audit trail of unusual activities of Linux

Source: Internet
Author: User

A malicious user may try to remove every record of their activity on the system (for example by deleting ~/.bash_history), but we can use a dedicated tool to record every command that users execute. It is recommended that you use process accounting for this: it records each user's activity, and through it you can view the commands each user executed along with the CPU time and memory they consumed. Because the accounting log is written by the kernel to /var/account/pacct rather than to the user's home directory, an ordinary user cannot clear it the way they can clear their shell history.

The psacct package provides several tools for monitoring process activity: ac, lastcomm, accton and sa.

. The ac command displays statistics on users' connection time.

. The lastcomm command displays the commands that have been executed on the system.

. The accton command turns process accounting on or off.

. The sa command summarises the process accounting information.

1). Install the psacct or acct package

If you are using RHEL, use the up2date command:

# up2date psacct

If you are using CentOS/Fedora Core Linux, use the yum command:

# yum install psacct

If you are using Ubuntu/Debian Linux, use the apt-get command:

$ sudo apt-get install acct
or
# apt-get install acct

2). Start the psacct/acct service

On Ubuntu/Debian Linux the acct service is started automatically (the package creates the /var/account/pacct file on the system). On Red Hat/Fedora Core/CentOS you need to start the psacct service manually: create the /var/account/pacct file and start the service by typing the following two commands:

# chkconfig psacct on
# /etc/init.d/psacct start

If you use SuSE Linux, the service is named acct; type the following commands:

# chkconfig acct on
# /etc/init.d/acct start

Now let's see how to use these tools to monitor users' commands and connection time.

3). Display statistics of user connection time

The ac command prints users' connection time (in hours) based on the logins and logouts recorded on the system, and can also print totals. If you run ac without any arguments, it prints the total connection time:

$ ac
Output:
	total       95.08

To display the connection time for each day:

$ ac -d
Output:
Nov  1  total        8.65
Nov  2  total        5.70
Nov  3  total       13.43
Nov  4  total        6.24
Nov  5  total       10.70
Nov  6  total        6.70
Nov  7  total       10.30
...
Nov     total        3.42
Nov     total        4.55
Today   total        0.52

Display the total connection time for each user and for all users together:

$ ac -p
Output:
	vivek                               87.49
	root                                 7.63
	total       95.11

4). Find the commands a user has run in the past

You can use the lastcomm command to print the commands a user has run in the past. You can also search previously executed commands by user name, TTY name or command name.

For example, to show the commands that user vivek has run:

$ lastcomm vivek
Output:
userhelper     S X vivek    pts/0      0.00 secs Mon Nov 13 23:58
userhelper     S   vivek    pts/0      0.00 secs Mon Nov 13 23:45
rpmq               vivek    pts/0      0.01 secs Mon Nov 13 23:45
rpmq               vivek    pts/0      0.00 secs Mon Nov 13 23:45
rpmq               vivek    pts/0      0.01 secs Mon Nov 13 23:45
gcc                vivek    pts/0      0.00 secs Mon Nov 13 23:45
which              vivek    pts/0      0.00 secs Mon Nov 13 23:44
bash            F  vivek    pts/0      0.00 secs Mon Nov 13 23:44
ls                 vivek    pts/0      0.00 secs Mon Nov 13 23:43
rm                 vivek    pts/0      0.00 secs Mon Nov 13 23:43
vi                 vivek    pts/0      0.00 secs Mon Nov 13 23:43
ping            S  vivek    pts/0      0.00 secs Mon Nov 13 23:42
ping            S  vivek    pts/0      0.00 secs Mon Nov 13 23:42
ping            S  vivek    pts/0      0.00 secs Mon Nov 13 23:42
cat                vivek    pts/0      0.00 secs Mon Nov 13 23:42
netstat            vivek    pts/0      0.07 secs Mon Nov 13 23:42
su              S  vivek    pts/0      0.00 secs Mon Nov 13 23:38

Each line describes one process. Take the first line of the output as an example:

userhelper     S X vivek    pts/0      0.00 secs Mon Nov 13 23:58

Analysis:

. userhelper is the command name of the process

. S and X are flags set by the system accounting program. The meaning of each flag is:

.. S -- the command was executed by the superuser

.. F -- the command ran after a fork but did not call exec

.. D -- the command terminated and generated a core file

.. X -- the command was killed by the SIGTERM signal

. vivek is the user name that executed the command

. pts/0 is the terminal name

. 0.00 secs -- process exit time

You can search the process accounting log by command name with the following commands:

$ lastcomm rm
$ lastcomm passwd
Output:
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:39
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:39
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:38
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:38
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:36
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:36
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:35
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:35
rm                 vivek    pts/0      0.00 secs Tue Nov 14 00:30
rm                 vivek    pts/1      0.00 secs Tue Nov 14 00:30
rm                 vivek    pts/1      0.00 secs Tue Nov 14 00:29
rm                 vivek    pts/1      0.00 secs Tue Nov 14 00:29

You can also search the process accounting log using the terminal name pts/1 as the keyword:

$ lastcomm pts/1
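As an added example (not part of the original article), the following Python script parses lines in the lastcomm layout analysed above and turns them into something a defender can query: commands run with the S (superuser) flag, a per-user command count, and a watch list such as {"rm", "passwd"} mirroring the searches in this section. The sample lines are constructed for the example and the field layout (command, optional flag letters, user, tty, CPU seconds, timestamp) is an assumption taken from the output shown above.

```python
"""Parse lastcomm(1) output and summarise it per user (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


# One lastcomm record: command, accounting flags, user, tty, CPU seconds, timestamp.
@dataclass(frozen=True)
class Record:
    command: str
    flags: frozenset      # subset of {"S", "F", "D", "X"}, as explained above
    user: str
    tty: str
    secs: float
    when: str


# Matches one line in the layout lastcomm prints: the flag letters sit between
# the command and the user name and may be absent entirely.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+"
    r"(?P<flags>(?:[SFDX]\s+)*)"
    r"(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>.+?)\s*$"
)

# Constructed sample in lastcomm's format (not taken from a real system).
SAMPLE = """\
userhelper     S X vivek    pts/0      0.00 secs Mon Nov 13 23:58
rpmq               vivek    pts/0      0.01 secs Mon Nov 13 23:45
bash            F  vivek    pts/0      0.00 secs Mon Nov 13 23:44
rm                 vivek    pts/0      0.00 secs Mon Nov 13 23:43
ping            S  vivek    pts/0      0.00 secs Mon Nov 13 23:42
rm              S  root     pts/0      0.00 secs Tue Nov 14 00:39
rm              S  root     pts/1      0.00 secs Tue Nov 14 00:38
"""


def parse_line(line):
    """Return a Record for one lastcomm line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Record(
        command=m.group("cmd"),
        flags=frozenset(m.group("flags").split()),
        user=m.group("user"),
        tty=m.group("tty"),
        secs=float(m.group("secs")),
        when=m.group("when"),
    )


def parse_lastcomm(text):
    """Parse a whole lastcomm dump, skipping blank or unparseable lines."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def privileged(records):
    """Records carrying the S flag: commands that ran with superuser privileges."""
    return [r for r in records if "S" in r.flags]


def commands_by_user(records):
    """Count how often each user ran each command."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r.user][r.command] += 1
    return counts


def find_watched(records, names):
    """Records whose command is on a watch list, e.g. {"rm", "passwd"} as in the article."""
    return [r for r in records if r.command in names]


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    for user, counter in commands_by_user(recs).items():
        print(user, dict(counter))
    for r in privileged(recs):
        print("superuser:", r.command, r.user, r.tty, r.when)
```

On a real host the input would be the output of `lastcomm` itself (for example piped from `lastcomm vivek`); feeding that text to parse_lastcomm gives the same records, and unparseable header or footer lines are simply skipped.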


5). Summarise accounting information

You can use the sa command to print statistics about the commands executed in the past. sa also maintains a file called savacct, which holds the number of times each command was invoked and the resources it used, and a per-user summary in a file called usracct.

# sa
Output:
     579     222.81re       0.16cp      7220k
       4       0.36re       0.12cp     31156k   up2date
       8       0.02re       0.02cp     16976k   rpmq
       8       0.01re       0.01cp      2148k   netstat
               0.04re       0.00cp      8463k   grep
             100.71re       0.00cp     11111k   ***other*
       8       0.00re       0.00cp     14500k   troff
       5      12.32re       0.00cp     10696k   smtpd
       2       8.46re       0.00cp     13510k   bash
       8       9.52re       0.00cp      1018k   less

Take the following line of the output as an example:

       4       0.36re       0.12cp     31156k   up2date

Analysis:

. 0.36re -- "real time", in minutes

. 0.12cp -- total system and user time (CPU time), in minutes

. 31156k -- average core (memory) usage over the CPU time, in 1k units

. up2date -- the command name

Show the statistics for each user:

# sa -u
Output:
root       0.00 cpu      595k mem accton
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12482k mem touch
root       0.00 cpu    13226k mem psacct
root       0.00 cpu      595k mem consoletype
root       0.00 cpu    13192k mem psacct         *
root       0.00 cpu    13226k mem psacct
root       0.00 cpu    12492k mem chkconfig
postfix    0.02 cpu    10696k mem smtpd
vivek      0.00 cpu    19328k mem userhelper
vivek      0.00 cpu    13018k mem id
vivek      0.00 cpu    13460k mem bash           *
lighttpd   0.00 cpu    48240k mem php            *

The following shows the number of processes and the CPU time on a per-user basis:

# sa -m
Output:
                                     667     231.96re       0.17cp     7471k
root                                 544      51.61re       0.16cp     7174k
vivek                                103      17.43re       0.01cp     8228k
postfix                                      162.92re       0.00cp     7529k
lighttpd                               2       0.00re       0.00cp    48536k

6). Find out who is consuming CPU

You can spot suspicious activity by looking at the re, k and cp/cpu columns (see the explanation of the output above), or by noticing that a single user or command takes up all of the CPU time. If the CPU or memory usage of a command keeps increasing, that command may have a problem.
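The following Python script is an added example, not part of the original article, covering the sa -m output interpreted in section 5 and the CPU hunting described in this section. It parses two sa -m snapshots taken some time apart, ranks users by CPU minutes (cp), and reports users whose growth in cp accounts for most of the total growth, which is the "keeps increasing" signal above expressed as a check. The snapshot values are constructed, and the row layout (optional user name, process count, re, cp, k) is an assumption taken from the output shown in section 5.

```python
"""Rank users by accounting CPU time from sa -m output and compare snapshots (added example)."""
import re

# One sa -m row: optional user name, process count, real minutes (re),
# CPU minutes (cp), average memory in k. The first row has no user and is the total.
ROW_RE = re.compile(
    r"^(?P<user>\S*)\s+(?P<count>\d+)\s+(?P<re>[\d.]+)re\s+"
    r"(?P<cp>[\d.]+)cp\s+(?P<k>\d+)k\s*$"
)
TOTAL = "*total*"   # key used for the unnamed totals row

# Constructed sa -m snapshots taken some time apart (values made up for the example).
SNAPSHOT_T0 = """\
                                     667     231.96re       0.17cp     7471k
root                                 544      51.61re       0.16cp     7174k
vivek                                103      17.43re       0.01cp     8228k
lighttpd                               2       0.00re       0.00cp    48536k
"""
SNAPSHOT_T1 = """\
                                     912     402.10re       1.42cp     7603k
root                                 560      53.02re       0.17cp     7180k
vivek                                330     323.58re       1.25cp     9001k
lighttpd                              22      25.50re       0.00cp    48536k
"""


def parse_sa_m(text):
    """Map user -> {"count", "re", "cp", "k"}; the totals row is stored under TOTAL."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue          # headers or garbled lines are ignored
        user = m.group("user") or TOTAL
        stats[user] = {
            "count": int(m.group("count")),
            "re": float(m.group("re")),
            "cp": float(m.group("cp")),
            "k": int(m.group("k")),
        }
    return stats


def top_cpu(stats, n=3):
    """Users ordered by CPU minutes (cp), highest first, totals row excluded."""
    users = [(u, s["cp"]) for u, s in stats.items() if u != TOTAL]
    return sorted(users, key=lambda item: item[1], reverse=True)[:n]


def cpu_growth(before, after):
    """Per-user change in cp and process count between two snapshots."""
    growth = {}
    for user, now in after.items():
        old = before.get(user, {"cp": 0.0, "count": 0})
        growth[user] = {
            "cp": round(now["cp"] - old["cp"], 2),
            "count": now["count"] - old["count"],
        }
    return growth


def suspicious_users(before, after, share=0.5):
    """Users whose cp growth accounts for at least `share` of the total cp growth."""
    growth = cpu_growth(before, after)
    total = growth.get(TOTAL, {"cp": 0.0})["cp"]
    if total <= 0:
        return []          # nothing grew, so there is nothing to attribute
    return [u for u, g in growth.items()
            if u != TOTAL and g["cp"] / total >= share]


if __name__ == "__main__":
    t0, t1 = parse_sa_m(SNAPSHOT_T0), parse_sa_m(SNAPSHOT_T1)
    print("top CPU users now:", top_cpu(t1))
    print("growth since last snapshot:", cpu_growth(t0, t1))
    print("users dominating CPU growth:", suspicious_users(t0, t1))
```

In practice you would save the output of `sa -m` periodically (for example from cron) and feed consecutive files to cpu_growth; a user who suddenly dominates the growth in cp, or whose process count jumps, is the one to look at with lastcomm.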

All of the above commands and packages also run on other Unix-like operating systems, such as Solaris and the *BSDs.
