
Tracking unusual user activity on Linux with process accounting



Some suspicious users try to erase the records of their activity on the system (for instance ~/.bash_history). We can, however, use a dedicated tool to monitor the commands every user runs. Process accounting is recommended for recording user activity: it lets you examine the commands each user executed, including the CPU time and memory they consumed.

The psacct package provides several utilities for monitoring process activity: ac, lastcomm, accton and sa.

- ac prints statistics about users' connect time.
- lastcomm prints the commands executed on the system.
- accton turns process accounting on or off.
- sa summarises the system's process accounting information.

1) Install the psacct or acct package
If you use RHEL, use the up2date command:
# up2date psacct

If you use CentOS/Fedora Core Linux, use the yum command:
# yum install psacct

If you use Ubuntu/Debian Linux, use apt-get:
$ sudo apt-get install acct

or
# apt-get install acct

2) Start the psacct/acct service
On Ubuntu/Debian Linux the pacct service is started automatically (after installation you will find the /var/account/pacct file on the system). On Red Hat/Fedora Core/CentOS you have to start the psacct service by hand. Run the two commands below to create the /var/account/pacct file and start the pacct service:
# chkconfig psacct on
# /etc/init.d/psacct start

If you use SUSE Linux, the service is named acct; run the commands below:
# chkconfig acct on
# /etc/init.d/acct start

Now we can look at how to use these tools to monitor users' commands and connect time.

3) Show statistics about users' connect time

The ac command prints a user's connect time (in hours) on screen, computed from the recorded logins and logouts. A total is printed as well. If you run ac without any argument, it shows the total connect time:
$ ac

Output: total 95.08

Show connect time totals per day:
$ ac -d

Output:

Nov 1 total 8.65
Nov 2 total 5.70
Nov 3 total 13.43
Nov 4 total 6.24
Nov 5 total 10.70
Nov 6 total 6.70
Nov 7 total 10.30
...
Nov 12 total 3.42
Nov 13 total 4.55
Today total 0.52

Show the connect time of each user together with the total for all users:
$ ac -p

Output:

vivek 87.49
root 7.63
total 95.11

4) Search for the commands a user executed in the past

You can use the lastcomm command to print the commands a given user executed in the past. You can also search for previously executed commands by user name, tty name or command name.

For example, show the commands executed by user vivek in the past:
$ lastcomm vivek

Output:

userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
userhelper S vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.00 secs Mon Nov 13 23:45
rpmq vivek pts/0 0.01 secs Mon Nov 13 23:45
gcc vivek pts/0 0.00 secs Mon Nov 13 23:45
which vivek pts/0 0.00 secs Mon Nov 13 23:44
bash F vivek pts/0 0.00 secs Mon Nov 13 23:44
ls vivek pts/0 0.00 secs Mon Nov 13 23:43
rm vivek pts/0 0.00 secs Mon Nov 13 23:43
vi vivek pts/0 0.00 secs Mon Nov 13 23:43
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
ping S vivek pts/0 0.00 secs Mon Nov 13 23:42
cat vivek pts/0 0.00 secs Mon Nov 13 23:42
netstat vivek pts/0 0.07 secs Mon Nov 13 23:42
su S vivek pts/0 0.00 secs Mon Nov 13 23:38

Each record is printed on its own line. Take the first line of the output as an example:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58

Analysis:
- userhelper is the command name of the process
- S and X are flags recorded by the system accounting routines. Each flag means:
  - S: the command was executed by the superuser
  - F: the command was created by fork but did not call exec()
  - D: the command terminated and generated a core file
  - X: the command was terminated by the SIGTERM signal
- vivek is the name of the user who executed the command
- pts/0 is the terminal name
- 0.00 secs: the time at which the process exited

You can search the process accounting log for a particular command by running, for example:
$ lastcomm rm
$ lastcomm passwd

Output:

rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:39
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:38
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:36
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm S root pts/0 0.00 secs Tue Nov 14 00:35
rm vivek pts/0 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
rm vivek pts/1 0.00 secs Tue Nov 14 00:29

You can also search the process accounting log using the terminal name pts/1 as the keyword:
$ lastcomm pts/1

5) Accounting statistics
You can use the sa command to print statistics about the commands executed in the past. In addition, sa saves a summary to a file called savacct, which holds the number of times each command was called and the resources it used. sa also provides per-user statistics, which it saves in a file called usracct.
# sa

Output:

579 222.81re 0.16cp 7220k
4 0.36re 0.12cp 31156k up2date
8 0.02re 0.02cp 16976k rpmq
8 0.01re 0.01cp 2148k netstat
11 0.04re 0.00cp 8463k grep
18 100.71re 0.00cp 11111k ***other*
8 0.00re 0.00cp 14500k troff
5 12.32re 0.00cp 10696k smtpd
2 8.46re 0.00cp 13510k bash
8 9.52re 0.00cp 1018k less

Take the following line of the output as an example:
4 0.36re 0.12cp 31156k up2date

Analysis:
- 0.36re: real (elapsed) time, in minutes
- 0.12cp: system plus user time (CPU time), in minutes
- 31156k: average core (memory) use, in 1k units
- up2date: the command name

Show information per user:
# sa -u

Output:

root 0.00 cpu 595k mem accton
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12488k mem initlog
root 0.00 cpu 12482k mem touch
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 595k mem consoletype
root 0.00 cpu 13192k mem psacct *
root 0.00 cpu 13226k mem psacct
root 0.00 cpu 12492k mem chkconfig
postfix 0.02 cpu 10696k mem smtpd
vivek 0.00 cpu 19328k mem userhelper
vivek 0.00 cpu 13018k mem id
vivek 0.00 cpu 13460k mem bash *
lighttpd 0.00 cpu 48240k mem php *

Show the number of processes and the CPU time for each user:
# sa -m

Output:

667 231.96re 0.17cp 7471k
root 544 51.61re 0.16cp 7174k
vivek 103 17.43re 0.01cp 8228k
postfix 18 162.92re 0.00cp 7529k
lighttpd 2 0.00re 0.00cp 48536k

6) Find out who is consuming the CPU
By examining the re, k and cp/cpu values (see the explanation of the output above) you can spot suspicious activity, or a particular user or command that is taking up all the CPU time. If the CPU or memory usage figures for a command keep growing, that may indicate a problem with the command.

All of the commands and packages above also work on other Unix-like operating systems, such as Solaris and *BSD.
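As an added example (not code from the original post), the following Python script parses lastcomm-style records such as those shown above, summarises command counts and CPU seconds per user, and lists superuser-flagged commands and the commands the post searches for by name (rm, passwd). The sample records are constructed for this example and modelled on the post's output.

```python
"""Parse lastcomm (psacct/acct) records and summarise them per user for review."""
import re
from collections import Counter, defaultdict

# Constructed sample of lastcomm output (columns: command, flags, user, tty, cpu secs, time).
SAMPLE_LASTCOMM = """\
userhelper S X vivek    pts/0  0.00 secs Mon Nov 13 23:58
rpmq           vivek    pts/0  0.01 secs Mon Nov 13 23:45
bash       F   vivek    pts/0  0.00 secs Mon Nov 13 23:44
rm             vivek    pts/0  0.00 secs Mon Nov 13 23:43
su         S   vivek    pts/0  0.00 secs Mon Nov 13 23:38
rm         S   root     pts/0  0.00 secs Tue Nov 14 00:39
rm         S   root     pts/0  0.00 secs Tue Nov 14 00:38
smtpd          postfix  __     0.02 secs Tue Nov 14 00:10
"""

# Flags printed by lastcomm: S superuser, F fork without exec, D core dumped, X killed by SIGTERM.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>(?:[SFDX]\s+)*)(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+)\s+secs\s+(?P<when>.+)$")

def parse_lastcomm(text):
    """Return one dict per accounting record; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["flags"] = set(r["flags"].split())
            r["secs"] = float(r["secs"])
            records.append(r)
    return records

def superuser_commands(records):
    """Records carrying the S flag, i.e. commands executed with superuser privileges."""
    return [(r["user"], r["cmd"], r["when"]) for r in records if "S" in r["flags"]]

def watchlist_hits(records, watch=("rm", "passwd")):
    """Records for commands worth reviewing (the ones the post looks up with lastcomm)."""
    return [(r["cmd"], r["user"], r["tty"], r["when"]) for r in records if r["cmd"] in watch]

def per_user_summary(records):
    """Per-user command count, CPU seconds and most frequent commands (a lastcomm-based sa -m)."""
    summary = defaultdict(lambda: {"commands": 0, "secs": 0.0, "top": Counter()})
    for r in records:
        s = summary[r["user"]]
        s["commands"] += 1
        s["secs"] += r["secs"]
        s["top"][r["cmd"]] += 1
    return dict(summary)
```

To run it against a live system, feed it the output of `lastcomm` (for example `parse_lastcomm(subprocess.check_output(["lastcomm"], text=True))`) instead of the constructed sample.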

Reference:
How To Keep A Detailed Audit Trail Of What's Being Done On Your Linux Systems
