Audit Users on Linux


wildweaselmi

Wouldn't it be nice if you could keep track of what the users on your Linux box are doing?



who





Run this command to install the ability

$ sudo apt-get install acct




Here are some commands to use once it's installed in order to track what's going on.



The ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display the total connect time:




$ ac

total 14.02






Display totals for each day rather than just one big total at the end:




$ ac -d

Jun 4 total 0.73

Jun 7 total 3.30

Jun 13 total 1.53

Jun 14 total 0.28

Jun 26 total 7.78

Jun 27 total 0.19

Today total 0.20






Display time totals for each user in addition to the usual everything-lumped-into-one value:




$ ac -p

dhosang 0.19

netadm1n 10.69

chermiller 3.14

total 14.02






Use the lastcomm command, which prints out information about previously executed commands. You can search the records by username, tty name, or by the command name itself.



Display the commands executed by the dhosang user:

$ lastcomm dhosang






For each entry the following information is printed. Take the first output line as an example:

userhelper S X dhosang pts/0 0.00 secs Mon Nov 27 23:58


  • userhelper is the command name of the process

  • S and X are flags, as recorded by the system accounting routines. The meaning of each flag:

    • S -- command executed by super-user

    • F -- command executed after a fork but without a following exec

    • D -- command terminated with the generation of a core file

    • X -- command was terminated with the signal SIGTERM

  • dhosang is the name of the user who ran the process

  • pts/0 is the terminal name

  • 0.00 secs - time the process exited



Search the accounting logs by command name:

$ lastcomm rm

$ lastcomm passwd






Search the accounting logs by terminal name pts/1:

$ lastcomm pts/1






Use the sa command to print summarized information about previously executed commands. In addition, it condenses this data into a summary file named savacct, which contains the number of times the command was called and the system resources used. The information can also be summarized on a per-user basis; sa will save this information into a file named usracct.

$ sa

127 46.20re 0.09cp 0avio 1391k

18 0.13re 0.07cp 0avio 5629k /usr/share/webm*

22 45.95re 0.02cp 0avio 866k ***other*

3 0.01re 0.01cp 0avio 1577k dpkg-query

4 0.01re 0.00cp 0avio 1514k dpkg

6 0.00re 0.00cp 0avio 665k ps

38 0.06re 0.00cp 0avio 554k sh

12 0.00re 0.00cp 0avio 534k uname

6 0.00re 0.00cp 0avio 699k e2label

6 0.00re 0.00cp 0avio 547k df

6 0.00re 0.00cp 0avio 546k ifconfig

3 0.05re 0.00cp 0avio 570k vmstat

3 0.00re 0.00cp 0avio 534k ac




First line explained:
  • 0.13re "real time" in wall clock minutes

  • 0.07cp sum of system and user time in cpu minutes

  • 5629k cpu-time averaged core usage, in 1k units

  • /usr/share/webm command name




Display output per-user:




$ sa -u

root 0.00 cpu 498k mem 0 io accton

root 0.00 cpu 554k mem 0 io acct

root 0.00 cpu 554k mem 0 io invoke-rc.d

root 0.00 cpu 554k mem 0 io acct.postinst

root 0.14 cpu 2218k mem 0 io dpkg

root 0.00 cpu 1091k mem 0 io touch

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 8130k mem 0 io apt-get *

root 0.00 cpu 1279k mem 0 io dpkg

root 0.00 cpu 1279k mem 0 io dpkg

root 0.00 cpu 1279k mem 0 io dpkg

root 0.93 cpu 2230k mem 0 io apt-get

netadm1n 0.08 cpu 1225k mem 0 io sudo

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

netadm1n 0.00 cpu 534k mem 0 io ac

netadm1n 0.00 cpu 534k mem 0 io ac

netadm1n 0.00 cpu 534k mem 0 io ac

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

netadm1n 0.00 cpu 628k mem 0 io lastcomm

root 0.00 cpu 0k mem 0 io kworker/2:0 *

root 0.00 cpu 0k mem 0 io kworker/u:3 *

root 0.00 cpu 0k mem 0 io kworker/1:0 *

root 0.00 cpu 0k mem 0 io kworker/u:2 *

root 0.00 cpu 0k mem 0 io kworker/3:0 *

root 0.00 cpu 0k mem 0 io kworker/0:0 *

root 0.00 cpu 0k mem 0 io kworker/0:3 *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 618k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.01 cpu 712k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.11 cpu 1577k mem 0 io dpkg-query

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 570k mem 0 io vmstat

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.80 cpu 7704k mem 0 io /usr/share/webm *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

root 0.09 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 0k mem 0 io flush-104:0 *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 618k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.01 cpu 712k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.10 cpu 1577k mem 0 io dpkg-query

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 570k mem 0 io vmstat

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.78 cpu 7702k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 534k mem 0 io anacron

root 0.00 cpu 1235k mem 0 io start

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 685k mem 0 io cron *

root 0.00 cpu 534k mem 0 io anacron *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 618k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.01 cpu 712k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.12 cpu 1577k mem 0 io dpkg-query

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 570k mem 0 io vmstat

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.86 cpu 7702k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

netadm1n 0.00 cpu 596k mem 0 io sa

netadm1n 0.00 cpu 536k mem 0 io sa

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 618k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.02 cpu 712k mem 0 io ps

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 534k mem 0 io uname

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 699k mem 0 io e2label

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 547k mem 0 io df

root 0.00 cpu 554k mem 0 io sh

root 0.11 cpu 1577k mem 0 io dpkg-query

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 570k mem 0 io vmstat

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 546k mem 0 io ifconfig

root 0.00 cpu 554k mem 0 io sh

root 0.82 cpu 7704k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.11 cpu 5214k mem 0 io /usr/share/webm *

root 0.00 cpu 554k mem 0 io which

root 0.07 cpu 7776k mem 0 io php5

root 0.00 cpu 554k mem 0 io maxlifetime

root 0.00 cpu 1201k mem 0 io find

root 0.00 cpu 554k mem 0 io sh

root 0.00 cpu 685k mem 0 io cron *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *

root 0.10 cpu 5214k mem 0 io /usr/share/webm *






Display the number of processes and number of CPU minutes on a per-user basis:




$ sa -m

195 46.38re 0.14cp 0avio 1372k

root 187 46.05re 0.14cp 0avio 1403k

netadm1n 8 0.32re 0.00cp 0avio 648k


By looking at the re, k and cp/cpu times (see above for the output explanation) you can find suspicious activity or the name of the user/command that is eating up all the CPU. An increase in a command's CPU/memory usage is an indication of a problem.
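As an added example (not part of the original post), the following shell functions triage lastcomm-style accounting records offline the way an auditor would: records per user, records that ran with super-user privileges (the S flag), and records for a whole watch list of command names, which generalises the single-command lastcomm rm / lastcomm passwd searches above to one pass. The sample records are constructed to match the column order shown in the post; the awk parser counts fields from the right because the flags column can be empty, one letter, or several.

```shell
#!/bin/sh
# Added example (not from the original post): triage lastcomm-style process
# accounting records offline. SAMPLE_LASTCOMM is a constructed sample in the
# same column order lastcomm prints (command, flags, user, tty, cpu time, date).
# Field layout counted from the right: $NF..$(NF-3) date, $(NF-4) "secs",
# $(NF-5) cpu seconds, $(NF-6) tty, $(NF-7) user; $1 is the command and
# anything between $2 and $(NF-8) is flag letters (possibly nothing).

SAMPLE_LASTCOMM='userhelper S X dhosang pts/0 0.00 secs Mon Nov 27 23:58
ls dhosang pts/0 0.00 secs Mon Nov 27 23:59
passwd S dhosang pts/0 0.01 secs Mon Nov 27 23:59
rm netadm1n pts/1 0.00 secs Tue Nov 28 00:02
sudo S netadm1n pts/1 0.02 secs Tue Nov 28 00:03
cron SF root __ 0.00 secs Tue Nov 28 00:05'

# Number of accounting records per user, sorted by username.
acct_user_counts() {
    awk 'NF >= 9 { n[$(NF-7)]++ }
         END { for (u in n) print u, n[u] }' | sort
}

# Records whose flags include S (ran with super-user privileges), printed as
# "user command tty flags". Flag tokens are concatenated so that both the
# spaced form "S X" and the joined form "SF" are handled.
acct_superuser_cmds() {
    awk 'NF >= 9 {
             flags = ""
             for (i = 2; i <= NF - 8; i++) flags = flags $i
             if (index(flags, "S") > 0) print $(NF-7), $1, $(NF-6), flags
         }'
}

# Records for a comma-separated watch list of command names, e.g. "rm,passwd",
# printed as "user command tty cpu date".
acct_watch() {
    awk -v w="$1" '
        BEGIN { n = split(w, list, ","); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        NF >= 9 && ($1 in want) {
            print $(NF-7), $1, $(NF-6), $(NF-5) "s", $(NF-3), $(NF-2), $(NF-1), $NF
        }'
}

echo "== records per user";       printf '%s\n' "$SAMPLE_LASTCOMM" | acct_user_counts
echo "== super-user records";     printf '%s\n' "$SAMPLE_LASTCOMM" | acct_superuser_cmds
echo "== watch list (rm,passwd)"; printf '%s\n' "$SAMPLE_LASTCOMM" | acct_watch "rm,passwd"
```

On a live host you would pipe real data in, e.g. lastcomm | acct_superuser_cmds. Keep in mind that an accounting record is written when the process exits and holds only the executable's short name, so a long-running shell appears only after it ends and a command's arguments are never recorded.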




Another helpful bit of information is to check failed login attempts:

$ grep 'Failed password' /var/log/auth.log

To change the password for dhosang you would type:

$ sudo passwd dhosang
Enter new UNIX password:
Retype new UNIX password:
$ sudo passwd -e dhosang




NOTE: the -e will force the user to change their password once they log in the first time with the temporary password you assigned.











You could also make sure they are typing their username in correctly. This command will show you all the users on your server:

cat /etc/passwd | grep "/home" | cut -d: -f1










You can also check the status of a user's password by typing the following:

$ sudo passwd -S dhosang
dhosang P 10/13/2011 0 99999 7 -1
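As an added example (not part of the original post), here is how the failed-login grep above can be turned into counts that are easier to act on: failures per source address, failures per target account (separating accounts sshd did not find from existing ones), and sources over a threshold. The log lines are constructed in the usual OpenSSH auth.log format; on a real host you would pipe grep 'Failed password' /var/log/auth.log into these functions.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins from
# auth.log-style input. SAMPLE_AUTH is a constructed sample; the addresses are
# documentation ranges, not real hosts.

SAMPLE_AUTH='Nov 28 00:01:12 host sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Nov 28 00:01:15 host sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2
Nov 28 00:01:19 host sshd[2214]: Failed password for root from 198.51.100.23 port 51140 ssh2
Nov 28 00:02:40 host sshd[2230]: Failed password for dhosang from 192.0.2.10 port 40022 ssh2
Nov 28 00:02:55 host sshd[2233]: Accepted password for dhosang from 192.0.2.10 port 40023 ssh2
Nov 28 00:03:02 host sshd[2240]: Failed password for invalid user test from 198.51.100.23 port 51150 ssh2'

# "count source" per source address, most failures first. The address is the
# token after "from"; searching for the keyword avoids depending on the exact
# column position, which shifts with the "invalid user" wording.
auth_failed_by_source() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# "count user kind" per target account. sshd writes "for invalid user NAME"
# when the account does not exist and "for NAME" when it does; a run of
# "invalid" names is the classic sign of password guessing against a wordlist.
auth_failed_by_user() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 if ($(i+1) == "invalid") { u = $(i+3); kind[u] = "invalid" }
                 else                     { u = $(i+1); kind[u] = "existing" }
                 n[u]++; break
             }
         }
         END { for (u in n) print n[u], u, kind[u] }' | sort -rn
}

# Source addresses with at least $1 failures (a simple brute-force threshold).
auth_flag_sources() {
    auth_failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "== failures per source"; printf '%s\n' "$SAMPLE_AUTH" | auth_failed_by_source
echo "== failures per user";   printf '%s\n' "$SAMPLE_AUTH" | auth_failed_by_user
echo "== sources over 3";      printf '%s\n' "$SAMPLE_AUTH" | auth_flag_sources 3
```

These counts only cover "Failed password" lines; OpenSSH also logs "Invalid user" and disconnect lines for attempts that never reached a password, so treat the numbers as a lower bound and check that the source addresses do not match your own jump hosts before blocking anything.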



Thanks. I use the following command to find the password status instead:








$ sudo chage -l dhosang
Last password change : Oct 13, 2011
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7










I also check the home user permissions by typing:

ls -ld /home/username



I know this is simple but a couple of useful commands....





List all the users on your Linux server:



cat /etc/passwd






NOTE: If you want to catch all the non-system users, filter the users with a home directory:







cat /etc/passwd | grep "/home" | cut -d: -f1















cut -d: -f1

-d: means the delimiter is :

-f1 means display the first field of the line, i.e. the username.








If you don't see the user in the list, go ahead and add them:







sudo useradd username -m -s /bin/bash
sudo passwd username
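As an added example (not part of any post in this thread), the script below covers the two checks from the last two posts in one place: listing the real login accounts from /etc/passwd and checking a home directory's mode as ls -ld shows it. It uses the same ":" delimiter and field numbering as cut -d: -f1, but filters on the uid (field 3) and shell (field 7) instead of grepping for "/home", since that string also matches locked service accounts that happen to live under /home. The passwd lines are a constructed sample (the uid-0 "toor" entry is there only to show what the second check reports), and UID_MIN=1000 is assumed from the Debian/Ubuntu /etc/login.defs default.

```shell
#!/bin/sh
# Added example (not from the original posts): audit /etc/passwd entries and a
# home directory's mode. SAMPLE_PASSWD is a constructed sample; on a real host
# feed /etc/passwd itself. UID_MIN=1000 is an assumption (Debian/Ubuntu
# login.defs default); check your own /etc/login.defs.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
dhosang:x:1000:1000:D Hosang:/home/dhosang:/bin/bash
netadm1n:x:1001:1001::/home/netadm1n:/bin/bash
backup:x:1002:1002::/home/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh'

UID_MIN=1000

# Interactive human accounts: uid in the normal-user range (excluding nobody)
# and a real login shell. "backup" above has a /home directory but a nologin
# shell, so grep "/home" would list it while this filter does not.
passwd_login_users() {
    awk -F: -v min="$UID_MIN" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Every account with uid 0 is root whatever its name; anything besides "root"
# in this list needs an explanation.
passwd_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Inspect a directory's permission string as `ls -ld` prints it: column 9 is
# the "other" write bit. Prints "ok MODE DIR" or "world-writable MODE DIR".
home_dir_check() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$(printf '%s' "$mode" | cut -c9)" in
        w) echo "world-writable $mode $1" ;;
        *) echo "ok $mode $1" ;;
    esac
}

echo "== login users";    printf '%s\n' "$SAMPLE_PASSWD" | passwd_login_users
echo "== uid 0 accounts"; printf '%s\n' "$SAMPLE_PASSWD" | passwd_uid0_accounts
echo "== home dir";       home_dir_check "${HOME:-.}"
```

To run the first two checks against the live system use passwd_login_users < /etc/passwd and passwd_uid0_accounts < /etc/passwd; for the third, loop over the directories under /home with home_dir_check and review anything that does not report ok.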

