Linux system account management and auditing

zhaozj2021-02-16  95


1. Login account management

Under Linux, login accounts are tracked through utmp and wtmp. wtmp additionally records system reboots and changes of system state. The utmp and wtmp data are kept in /var/run/utmp and /var/log/wtmp. Both files are owned by root with mode 644, and the data in them is encrypted. The dump-utmp tool converts the raw records to ASCII, which lets the system administrator analyze user logins, system reboots and system state changes.

Login account management related commands

The last command shows the login and logout time of each user, together with information about reboots and the run level currently in effect. By default last analyzes /var/log/wtmp and prints one line per connection and per change of running state. The output of last can be very long, so a typical invocation is last -5, which shows the 5 most recent records in /var/log/wtmp.

The who command is mainly used to report the users currently logged in. who shows the terminal device each user logged in on, the user's address (the host name used), the X display (when the session comes from an X Window System), whether the user accepts messages and talk requests from other users, and so on.

The ac command provides approximate statistics on user connection time; the useful flags are -d and -p. The -d flag prints the total connection time for each day, and the -p flag prints the connection time of each user. These statistics are very helpful for understanding user behaviour and other activities relevant to intrusion detection.

The lastlog command reads /var/log/lastlog and reports the most recent login of each user. This last-login information is also used to check for unusual login records on a Linux system.
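To make the record format behind these commands concrete, here is an added example that is not code from the original article: it decodes raw utmp/wtmp records in Python the way dump-utmp does, then derives from them what who and ac -p report. It assumes the glibc x86_64 struct utmp layout (384-byte records); the user names, hosts, addresses and timestamps are constructed sample data, not captured from a real host.

```python
"""Decode raw utmp/wtmp records into readable form, as dump-utmp does.

Added example; not code from the original article. It assumes the glibc
x86_64 `struct utmp` layout (384-byte records) and works on sample records
constructed below rather than on a real /var/log/wtmp.
"""
import struct
from datetime import datetime, timezone

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv (tv_sec, tv_usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256s2hi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

# ut_type values from <utmp.h>
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(field):
    """Decode a NUL-padded fixed-width C string."""
    return field.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Return one dict per record in raw utmp/wtmp bytes."""
    if len(data) % UTMP_SIZE:
        raise ValueError("utmp data is not a whole number of records")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # ut_addr_v6[0] holds an IPv4 address in network byte order
        addr = ".".join(str(b) for b in struct.pack("<i", f[11]))
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1],
            "line": _cstr(f[2]),
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "addr": addr if f[11] else "",
            "ts": f[9],
        })
    return records


def dump(records):
    """Render records in a dump-utmp style bracketed layout."""
    lines = []
    for r in records:
        when = datetime.fromtimestamp(r["ts"], timezone.utc)
        lines.append("[%-12s] [%05d] [%-8s] [%-12s] [%-15s] [%s]" % (
            r["type"], r["pid"], r["line"], r["user"], r["host"],
            when.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return lines


def active_logins(records):
    """Users still logged in: a USER_PROCESS on a line not yet closed by a
    DEAD_PROCESS for the same line and pid (what `who` does with utmp)."""
    open_sessions = {}
    for r in records:
        key = (r["line"], r["pid"])
        if r["type"] == "USER_PROCESS":
            open_sessions[key] = r
        elif r["type"] == "DEAD_PROCESS":
            open_sessions.pop(key, None)
    return sorted(open_sessions.values(), key=lambda r: r["ts"])


def connect_seconds(records, now_ts):
    """Total connect time per user, like `ac -p`; open sessions count up to now_ts."""
    open_sessions, totals = {}, {}
    for r in records:
        key = (r["line"], r["pid"])
        if r["type"] == "USER_PROCESS":
            open_sessions[key] = r
        elif r["type"] == "DEAD_PROCESS" and key in open_sessions:
            start = open_sessions.pop(key)
            totals[start["user"]] = totals.get(start["user"], 0) + r["ts"] - start["ts"]
    for start in open_sessions.values():
        totals[start["user"]] = totals.get(start["user"], 0) + now_ts - start["ts"]
    return totals


def make_record(ut_type, pid, line, ut_id, user, host, addr, ts):
    """Pack one raw record; used here only to construct sample data."""
    packed_addr = struct.unpack("<i", bytes(int(o) for o in addr.split(".")))[0] if addr else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0,
                       packed_addr, 0, 0, 0)


# Constructed sample wtmp: a reboot, alice logs in and out, bob stays logged in
# (all timestamps are on 2021-02-16 UTC; names and addresses are invented).
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "5.10.0", "", 1613433600),
    make_record(7, 1234, "pts/1", "ts/1", "alice", "10.0.0.5", "10.0.0.5", 1613470200),
    make_record(7, 1300, "pts/2", "ts/2", "bob", "198.51.100.7", "198.51.100.7", 1613472000),
    make_record(8, 1234, "pts/1", "ts/1", "", "", "", 1613473800),
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_WTMP)
    print("\n".join(dump(recs)))
    print("still logged in:", [r["user"] for r in active_logins(recs)])
    print("connect time (s):", connect_seconds(recs, 1613475600))
```

Pointing parse_utmp at the bytes of a real /var/log/wtmp works the same way on x86_64; the struct layout differs on other architectures, which is why dump-utmp is the portable choice. Because wtmp is a plain append-only file owned by root, an attacker with root can edit or truncate it, so these records corroborate other evidence rather than prove anything on their own.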

2. System account audit

Linux can record every command run by every user through a process accounting log file, but this feature is not enabled by default.

Turn on this function:

# touch /var/log/pacct
# accton /var/log/pacct

You can also use a file of your own instead of /var/log/pacct, but the path and file name passed to accton must be correct.

The sa command, like ac, is a statistics command. It summarizes the processes run by each user or each command and reports their consumption of system resources. To a large extent sa is an accounting (billing) command, and it is very useful for singling out particular users, especially those already known to need attention. Because its output is voluminous, it usually has to be filtered with a script or program.

The lastcomm command, unlike sa, outputs every command individually and prints the time stamp of each execution. In this respect lastcomm is more security-relevant than sa. If the system has been compromised, do not trust the information recorded in lastlog, utmp and wtmp, but do not ignore it either, because it may have been modified. Some intruders also replace the who program to hide their tracks. Typically, process accounting works best once some suspicious activity has already been identified; lastcomm can then isolate one user's activity or the commands executed at a specific time.
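The pacct file that accton fills, and that sa and lastcomm read, is a sequence of fixed-size binary records. As an added example that is not code from the original article, the following Python decodes those records, reproduces the per-user summary of sa and the per-command, time-stamped view of lastcomm, and isolates a time window and set-uid privilege use as described above. It assumes the Linux struct acct_v3 layout (64-byte, little-endian, version 3 records); the commands, uids and timestamps are constructed sample data.

```python
"""Decode BSD process-accounting records as written to /var/log/pacct.

Added example; not code from the original article. It assumes the Linux
`struct acct_v3` record layout (64 bytes, little-endian, version 3) that
the kernel writes once `accton` is enabled, and it runs on sample records
constructed below, not on a real accounting file.
"""
import struct
from datetime import datetime, timezone

# struct acct_v3: ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid,
# ac_pid, ac_ppid, ac_btime, ac_etime (float), eight comp_t counters
# (utime, stime, mem, io, rw, minflt, majflt, swaps), ac_comm[16].
ACCT_FMT = "<bbHIIIIIIf8H16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)
assert ACCT_SIZE == 64
AHZ = 100          # accounting ticks per second for the time fields
ACCT_VERSION = 3

# ac_flag bits from <linux/acct.h>; lastcomm prints them as F, S, D, X
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10


def comp_t_decode(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(value):
    """Inverse of comp_t_decode; used only to build the sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """Return one dict per 64-byte accounting record."""
    if len(data) % ACCT_SIZE:
        raise ValueError("pacct data is not a whole number of records")
    records = []
    for off in range(0, len(data), ACCT_SIZE):
        f = struct.unpack_from(ACCT_FMT, data, off)
        if f[1] & 0x7F != ACCT_VERSION:   # high bit only marks byte order
            raise ValueError("unsupported acct record version %d" % f[1])
        records.append({
            "comm": f[18].split(b"\0", 1)[0].decode("latin-1"),
            "flags": f[0],
            "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
            "btime": f[8],
            "elapsed_s": f[9] / AHZ,
            "cpu_ticks": comp_t_decode(f[10]) + comp_t_decode(f[11]),
        })
    return records


def lastcomm_lines(records):
    """One line per command with flags, uid, CPU time and start time, as lastcomm prints."""
    flag_chars = ((AFORK, "F"), (ASU, "S"), (ACORE, "D"), (AXSIG, "X"))
    out = []
    for r in sorted(records, key=lambda r: (r["btime"], r["pid"])):
        flags = "".join(ch for bit, ch in flag_chars if r["flags"] & bit)
        when = datetime.fromtimestamp(r["btime"], timezone.utc).strftime("%Y-%m-%d %H:%M")
        out.append("%-16s %-4s uid=%-5d %6.2f secs %s" % (
            r["comm"], flags, r["uid"], r["cpu_ticks"] / AHZ, when))
    return out


def by_user(records):
    """Per-uid command count and CPU seconds, the summary that `sa -m` gives."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["uid"], {"count": 0, "ticks": 0})
        s["count"] += 1
        s["ticks"] += r["cpu_ticks"]
    return {uid: {"count": s["count"], "cpu_s": s["ticks"] / AHZ} for uid, s in summary.items()}


def commands_in_window(records, start_ts, end_ts):
    """Commands started in [start_ts, end_ts): the time-window isolation lastcomm is used for."""
    hits = [r for r in records if start_ts <= r["btime"] < end_ts]
    return [r["comm"] for r in sorted(hits, key=lambda r: (r["btime"], r["pid"]))]


def privilege_use_by_non_root(records):
    """Commands where a non-root uid used superuser privileges (the S flag),
    i.e. set-uid programs such as sudo or su; a useful audit filter."""
    return [r["comm"] for r in records if r["flags"] & ASU and r["uid"] != 0]


def make_acct(comm, uid, gid, pid, ppid, btime, elapsed_ticks, utime, stime, flags):
    """Pack one raw record; used only to construct the sample data."""
    return struct.pack(ACCT_FMT, flags, ACCT_VERSION, 0, 0, uid, gid, pid, ppid, btime,
                       float(elapsed_ticks), comp_t_encode(utime), comp_t_encode(stime),
                       0, 0, 0, 0, 0, 0, comm.encode())


# Constructed sample pacct (2021-02-16 UTC): sshd spawns a shell for uid 1000,
# which runs sudo, which runs updatedb as root. Names and ids are invented.
SAMPLE_PACCT = b"".join([
    make_acct("sshd", 0, 0, 900, 1, 1613470140, 6000, 10, 5, ASU),
    make_acct("bash", 1000, 1000, 1234, 900, 1613470200, 360000, 50, 20, 0),
    make_acct("sudo", 1000, 1000, 1250, 1234, 1613470500, 200, 3, 2, ASU),
    make_acct("updatedb", 0, 0, 1251, 1250, 1613470500, 10000, 900, 9000, ASU),
])

if __name__ == "__main__":
    recs = parse_pacct(SAMPLE_PACCT)
    print("\n".join(lastcomm_lines(recs)))
    print("per user:", by_user(recs))
    print("10:14-10:16:", commands_in_window(recs, 1613470440, 1613470560))
    print("set-uid privilege use by non-root:", privilege_use_by_non_root(recs))
```

The comp_t encoding is why large counters in sa output are approximate: anything above 8191 ticks is stored with its low bits shifted away. Note that ac_comm holds only the first 16 bytes of the executable's name as the kernel saw it, not its path or arguments, so a renamed binary shows up under whatever it was called.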

3. Use logrotate to manage audit files

/var/log/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files; wtmp and pacct grow continuously as records are appended at the end. On a busy network these files become large. Linux provides a program called logrotate that lets administrators manage them.

logrotate reads the files in the /etc/logrotate.d directory; the administrator controls what logrotate does through the script files in that directory. A typical script file looks like this (the path of the log file to rotate precedes the opening brace):

/path/to/logfile {
    rotate 5
    weekly
    errors root@server1
    mail root@server1
    copytruncate
    compress
    size 100k
}

The meaning of the script file is as follows:

● rotate 5 - keep the current file plus 5 old backups.

● weekly - process the file once a week, usually on the first day of the week.

● errors - send error reports to the given email address (this directive was dropped in later logrotate releases, so check that your version still accepts it).

● mail - mail the rotated log to the given email address.

● copytruncate - copy the active log to the backup and then truncate it in place, so the writing process can keep logging without reopening the file.

● compress - compress old log files with gzip.

● size 100k - rotate automatically when the file exceeds 100 KB.

Please credit the original source when reposting: https://www.9cbs.com/read-11979.html
