Network Security Hacks [Electronic resources] (text version)

Andrew Lockhart

Hack 60 Log User Activity with Process Accounting

Keep a detailed audit trail of what's being done on your systems.

Process accounting allows you to keep detailed logs of every command a user runs, including the CPU time and memory used. From a security standpoint, this means the system administrator can gather information about which user ran which command and at what time. This is not only very useful in assessing a break-in or local root compromise, but can also be used to spot attempted malicious behavior by normal users of the system. (Remember that intrusions don't always come from the outside.)

To enable process accounting, run these commands:

# mkdir /var/account
# touch /var/account/pacct && chmod 660 /var/account/pacct
# /sbin/accton /var/account/pacct

Alternatively, if you are running Red Hat or SuSE Linux and have the
process accounting package installed, you can run a startup script to
enable process accounting. On Red
Hat, try this:

# chkconfig psacct on
# /sbin/service psacct start

On SuSE, use these commands:

# chkconfig acct on
# /sbin/service acct start

The process accounting package provides several programs to make use of the data that is being logged. The ac program analyzes total connect time for users on the system. Running it without any arguments prints out the number of hours logged by the current user:

[andrew@colossus andrew]$ ac
total 106.23

If you want to display connect time for all users who have logged
onto the system, use the -p switch:

# ac -p
root 0.07
andrew 106.05
total 106.12

The lastcomm command lets you search the accounting logs by username, command name, or terminal:

# lastcomm andrew
ls andrew ?? 0.01 secs Mon Dec 15 05:58
rpmq andrew ?? 0.08 secs Mon Dec 15 05:58
sh andrew ?? 0.03 secs Mon Dec 15 05:44
gunzip andrew ?? 0.00 secs Mon Dec 15 05:44
# lastcomm bash
bash F andrew ?? 0.00 secs Mon Dec 15 06:44
bash F root stdout 0.01 secs Mon Dec 15 05:20
bash F root stdout 0.00 secs Mon Dec 15 05:20
bash F andrew ?? 0.00 secs Mon Dec 15 05:19

To summarize the accounting information, you can use the sa command. By default it will list all the commands found in the accounting logs and print the number of times that each one has been executed:

# sa
14 0.04re 0.03cp 0avio 1297k troff
7 0.03re 0.03cp 0avio 422k lastcomm
2 63.90re 0.01cp 0avio 983k info
14 34.02re 0.01cp 0avio 959k less
14 0.03re 0.01cp 0avio 1132k grotty
44 0.02re 0.01cp 0avio 432k gunzip

You can also use the -u flag to output per-user
statistics:

# sa -u
root 0.01 cpu 344k mem 0 io which
root 0.00 cpu 1094k mem 0 io bash
root 0.07 cpu 1434k mem 0 io rpmq
andrew 0.02 cpu 342k mem 0 io id
andrew 0.00 cpu 526k mem 0 io bash
andrew 0.01 cpu 526k mem 0 io bash
andrew 0.03 cpu 378k mem 0 io grep
andrew 0.01 cpu 354k mem 0 io id
andrew 0.01 cpu 526k mem 0 io bash
andrew 0.00 cpu 340k mem 0 io hostname

You can peruse the output of these commands every so often to look
for suspicious activity, such as increases in CPU usage or commands
that are known to be used for mischief.
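Reading lastcomm output by eye gets tedious once the accounting file grows, so the following review script is added here as an example (it is not from the book or the psacct package). It parses the lastcomm column layout shown above, where the flags column is optional, totals CPU time per user, and flags records whose command is on a watch list or whose CPU time exceeds a threshold. The sample lines, the watch list contents and the one-second threshold are all constructed for illustration and should be tuned to the host being reviewed.

```python
"""Review lastcomm output for suspicious activity (added example, not the book's code)."""
from collections import defaultdict

# Constructed sample in the layout lastcomm prints:
# COMMAND [FLAGS] USER TTY CPU secs DATE...
# The flags column (e.g. "F") is present only on some lines.
SAMPLE_LASTCOMM = """\
ls        andrew   ??     0.01 secs Mon Dec 15 05:58
rpmq      andrew   ??     0.08 secs Mon Dec 15 05:58
gunzip    andrew   ??     0.00 secs Mon Dec 15 05:44
bash    F andrew   ??     0.00 secs Mon Dec 15 06:44
bash    F root     stdout 0.01 secs Mon Dec 15 05:20
nmap      andrew   ??     2.50 secs Mon Dec 15 06:50
"""

# Hypothetical watch list: commands that have no routine use on this host.
WATCHLIST = {"nmap", "nc", "gcc"}


def parse_lastcomm_line(line):
    """Return a dict for one lastcomm line, or None for blank or unparsable lines.

    Because the flags column is optional, anchor on the literal 'secs' token
    instead of on fixed positions: user, tty and CPU are the three tokens
    immediately before it, and anything between the command and the user
    is the flags field.
    """
    tokens = line.split()
    if "secs" not in tokens:
        return None
    i = tokens.index("secs")
    if i < 4:
        return None
    return {
        "command": tokens[0],
        "flags": "".join(tokens[1:i - 3]),  # empty string when no flags column
        "user": tokens[i - 3],
        "tty": tokens[i - 2],
        "cpu": float(tokens[i - 1]),
        "when": " ".join(tokens[i + 1:]),
    }


def parse_lastcomm(text):
    """Parse a whole lastcomm listing, skipping lines that do not match."""
    return [rec for rec in map(parse_lastcomm_line, text.splitlines()) if rec]


def summarize(records):
    """Return (cpu_seconds_per_user, command_counts_per_user)."""
    cpu = defaultdict(float)
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        cpu[r["user"]] += r["cpu"]
        counts[r["user"]][r["command"]] += 1
    return dict(cpu), {u: dict(c) for u, c in counts.items()}


def find_suspicious(records, watchlist=WATCHLIST, cpu_threshold=1.0):
    """Return (reason, record) pairs that merit a closer look.

    A record can appear twice if it matches both rules; the caller decides
    how to deduplicate or prioritise.
    """
    hits = []
    for r in records:
        if r["command"] in watchlist:
            hits.append(("watchlist", r))
        if r["cpu"] > cpu_threshold:
            hits.append(("cpu", r))
    return hits


if __name__ == "__main__":
    # On a real host: parse_lastcomm(subprocess.check_output(["lastcomm"], text=True))
    recs = parse_lastcomm(SAMPLE_LASTCOMM)
    cpu, counts = summarize(recs)
    for user, secs in sorted(cpu.items()):
        print(f"{user:10} {secs:6.2f} cpu secs  {counts[user]}")
    for reason, r in find_suspicious(recs):
        print(f"[{reason}] {r['user']} ran {r['command']} at {r['when']}")
```

The parser anchors on the literal `secs` token rather than on column positions because lastcomm prints the flags column only for records that have a flag set; a position-based parser would silently mis-assign the user field on those lines and attribute root's commands to the wrong account.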
