Hack 60 Log User Activity with Process Accounting



Keep a detailed audit trail of what's being done on your systems.

Process accounting allows you to keep detailed logs of every command a user runs, including CPU time and memory used. From a security standpoint, this means the system administrator can gather information about what user ran which command and at what time. This is not only very useful in assessing a break-in or local root compromise, but can also be used to spot attempted malicious behavior by normal users of the system. (Remember that intrusions don't always come from the outside.)

To enable process accounting, run these commands:

# mkdir /var/account
# touch /var/account/pacct && chmod 660 /var/account/pacct
# /sbin/accton /var/account/pacct

Alternatively, if you are running Red Hat or SuSE Linux and have the process accounting package installed, you can run a startup script to enable process accounting. On Red Hat, try this:

# chkconfig psacct on
# /sbin/service psacct start

On SuSE, use these commands:

# chkconfig acct on
# /sbin/service acct start

The process accounting package provides several programs to make use of the data that is being logged. The ac program analyzes total connect time for users on the system.

Running it without any arguments prints out the number of hours logged by the current user:

[andrew@colossus andrew]$ ac
        total      106.23

If you want to display connect time for all users who have logged onto the system, use the -p switch:

# ac -p
        root                                 0.07
        andrew                             106.05
        total      106.12

The lastcomm command lets you search the accounting logs by username, command name, or terminal:

# lastcomm andrew
ls                      andrew   ??         0.01 secs Mon Dec 15 05:58
rpmq                    andrew   ??         0.08 secs Mon Dec 15 05:58
sh                      andrew   ??         0.03 secs Mon Dec 15 05:44
gunzip                  andrew   ??         0.00 secs Mon Dec 15 05:44
# lastcomm bash
bash               F    andrew   ??         0.00 secs Mon Dec 15 06:44
bash               F    root     stdout     0.01 secs Mon Dec 15 05:20
bash               F    root     stdout     0.00 secs Mon Dec 15 05:20
bash               F    andrew   ??         0.00 secs Mon Dec 15 05:19

To summarize the accounting information, you can use the sa command. By default it will list all the commands found in the accounting logs and print the number of times that each one has been executed:

# sa
      14       0.04re       0.03cp         0avio      1297k   troff
       7       0.03re       0.03cp         0avio       422k   lastcomm
       2      63.90re       0.01cp         0avio       983k   info
      14      34.02re       0.01cp         0avio       959k   less
      14       0.03re       0.01cp         0avio      1132k   grotty
      44       0.02re       0.01cp         0avio       432k   gunzip

You can also use the -u flag to output per-user statistics:

# sa -u
root       0.01 cpu      344k mem      0 io which
root       0.00 cpu     1094k mem      0 io bash
root       0.07 cpu     1434k mem      0 io rpmq
andrew     0.02 cpu      342k mem      0 io id
andrew     0.00 cpu      526k mem      0 io bash
andrew     0.01 cpu      526k mem      0 io bash
andrew     0.03 cpu      378k mem      0 io grep
andrew     0.01 cpu      354k mem      0 io id
andrew     0.01 cpu      526k mem      0 io bash
andrew     0.00 cpu      340k mem      0 io hostname

You can peruse the output of these commands every so often to look for suspicious activity, such as increases in CPU usage or commands that are known to be used for mischief.
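Perusing lastcomm output by hand does not scale, so here is a small script that applies the two checks the hack suggests (a watchlist of command names and per-user CPU totals) to the text format lastcomm prints. This is an added example, not code from the book; the sample lines are constructed to match the column layout shown above, and the watchlist and CPU threshold are assumed, illustrative values.

```python
from collections import defaultdict

# Constructed sample lines, in the column layout lastcomm prints on the page.
SAMPLE = """\
ls                      andrew   ??         0.01 secs Mon Dec 15 05:58
rpmq                    andrew   ??         0.08 secs Mon Dec 15 05:58
bash               F    andrew   ??         0.00 secs Mon Dec 15 06:44
bash               F    root     stdout     0.01 secs Mon Dec 15 05:20
nmap                    andrew   ??         2.40 secs Mon Dec 15 06:50
find               S    root     stdout     3.10 secs Mon Dec 15 06:51
"""

# Assumed watchlist for illustration; a real one is local policy.
WATCHLIST = {"nmap", "tcpdump", "john"}

def parse_lastcomm(line):
    """Return (command, flags, user, tty, cpu_seconds, timestamp) or None.

    Fields are anchored on the literal 'secs' token so the optional flag
    column (S, F, D, X) cannot shift the parse."""
    tokens = line.split()
    if "secs" not in tokens:
        return None
    i = tokens.index("secs")
    if i < 4:
        return None
    flags = "".join(tokens[1:i - 3])
    return (tokens[0], flags, tokens[i - 3], tokens[i - 2],
            float(tokens[i - 1]), " ".join(tokens[i + 1:]))

def audit(text, watchlist=WATCHLIST, cpu_threshold=1.0):
    """Per-user CPU totals, watchlist hits, and single commands that used
    more than cpu_threshold CPU seconds (the two checks the hack suggests)."""
    cpu_by_user = defaultdict(float)
    hits, heavy = [], []
    for line in text.splitlines():
        rec = parse_lastcomm(line)
        if rec is None:
            continue
        cmd, flags, user, tty, cpu, when = rec
        cpu_by_user[user] += cpu
        if cmd in watchlist:
            hits.append((user, cmd, when))
        if cpu > cpu_threshold:
            heavy.append((user, cmd, cpu))
    return dict(cpu_by_user), hits, heavy

if __name__ == "__main__":
    totals, hits, heavy = audit(SAMPLE)
    print(totals, hits, heavy)
```

To run it against a live system, feed it `lastcomm` output (for example `audit(subprocess.check_output(["lastcomm"], text=True))`) and compare the per-user totals with a previous run to spot the increases the text mentions.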



Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
Year: 2006
Pages: 158
