1. Login account management

Linux keeps track of who is logged in now, and who has logged in before, through two record files and the tools that read them: utmp and wtmp.
utmp records who is logged in right now; wtmp is the history of every login and logout, and it also records system reboots and changes of run level. The data live in /var/run/utmp and /var/log/wtmp. Both files are owned by root and, with the mode 644 given here, are readable by everyone but writable only by root (many distributions instead use group utmp with mode 664). The records are binary, not encrypted: each is a fixed-size struct utmp that cat cannot display but any program that knows the layout can decode. The dump-utmp program from the GNU accounting (acct) package converts the raw utmp/wtmp records to ASCII so that an administrator can review user logins, reboots and run-state changes.

The login-management commands that read these files:

last reports each user's login and logout times, together with system reboots and run-level changes. By default it reads /var/log/wtmp and prints one line per connection and per state change. On a busy system that output is more than anyone can read through, so the typical usage is last -5 (equivalently last -n 5), which shows only the newest 5 records of /var/log/wtmp.

who reports the users currently logged in, from utmp: the terminal device each user is on, the login time, the user's address or host name, the X display in use if the session came from the X Window System, and whether the user accepts messages and chat (talk) requests from other users.

ac reports connect-time statistics from wtmp. Its two useful flags are -d and -p: ac -d prints a total for each day, ac -p prints a total for each user. These totals are a quick way to spot user activity that does not fit the normal pattern when looking for an intrusion.

lastlog reads /var/log/lastlog and reports the most recent login of every user; on a Linux system it is also used to check for unusual login records.

2. System account audit

Linux can be set up to log every command executed by every user (process accounting), but this feature is not turned on by default.
To turn it on, create the accounting file and tell the kernel to write to it:

    # touch /var/log/pacct
    # accton /var/log/pacct

Any other file can be used in place of /var/log/pacct, but it must exist and the path and file name given to accton must be correct.

sa is a statistics command over the accounting file. It reports, per user or per command, how many processes were run and what system resources they consumed. To a large extent sa is an accounting tool, but it is very useful for identifying what a particular user, above all a known suspect, has been running. Because the volume is large, its output usually has to be filtered through a script or program.

lastcomm reads the same accounting file as sa, but instead of statistics it prints every command executed, with the user and terminal and a time stamp for each one. In this respect lastcomm is the more useful of the two for security work.

If the system has been broken into, do not trust the records in lastlog, utmp and wtmp, since the intruder may have modified them; but do not ignore them either. Keep in mind too that the reporting commands themselves may have been replaced with versions that hide the intruder's activity. In general, once some suspicious activity has been identified, process accounting is what lets you isolate one user's activity, or the commands run at a specific time, with lastcomm.

3. Using logrotate to manage the audit files

/var/run/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files; wtmp and pacct grow by appending records at the end. On a busy system these files get large. Linux provides a program called logrotate that lets the administrator manage them. logrotate reads /etc/logrotate.conf, which in turn includes the per-log files in /etc/logrotate.d; the administrator controls logrotate through those files. A typical directive block (the name of the log file, which normally precedes the opening brace, is omitted here):

    {
        rotate 5
        weekly
        errors root@server1
        mail root@server1
        copytruncate
        compress
        size 100k
    }

The directives mean:

● rotate 5: keep 5 old rotated copies of the log alongside the current file; the oldest is removed when a sixth would be created.
● weekly: rotate the log once a week, normally on the first logrotate run of the week.
● errors root@server1: send error reports to this mail address. This is an old directive; current logrotate releases ignore it, and errors go to logrotate's standard error (and so to cron's mail) instead.
● mail root@server1: mail a log to this address when it is rotated out of existence instead of deleting it silently.
● copytruncate: copy the active log to the backup file, then truncate the active file in place, so a process that keeps the log open (the kernel writing pacct, for instance) simply keeps writing; a record written in the small window between the copy and the truncate is lost.
● compress: compress the old log files, with gzip by default.
● size 100k: rotate the file when it grows past 100k. Note that size is mutually exclusive with the interval directives: listed after weekly, as here, it takes precedence, and the file is rotated whenever logrotate runs and finds it above 100k regardless of the week (maxsize is the directive that combines both conditions).

Two practical points for these particular files: last reads only the current /var/log/wtmp, so sessions that have been rotated into /var/log/wtmp.1 need last -f /var/log/wtmp.1 (and compressed copies must be uncompressed first); and the rotated audit logs should keep their restrictive ownership and mode, which the create directive (create mode owner group) sets for the new file.
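For the process-accounting discussion in section 2: lastcomm and sa are just two views of the same 64-byte records that the kernel appends to /var/log/pacct. The following Python is an added example, not code from the original post or from the acct package. It assumes the little-endian acct_v3 layout from <linux/acct.h> and runs over a constructed sample file. It reproduces sa's per-command totals and lastcomm's view of which commands a given real uid ran, with the S flag for commands that used superuser privileges, narrowed to a time window, which is the isolation step the section describes.

```python
"""Decode Linux process-accounting records (struct acct_v3, 64 bytes) and answer
the two questions sa(1) and lastcomm(1) answer: totals per command, and which
commands one user ran inside a time window.

Added example, not code from the original article or from the acct package.
Assumptions: little-endian host and the acct_v3 layout from <linux/acct.h>
(the kernel writes version 3 on current configurations; an ac_version byte
other than 3 means an older layout).  The accounting file below is constructed.
"""
import struct
from collections import defaultdict

# struct acct_v3: ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid,
# ac_pid, ac_ppid, ac_btime, ac_etime (float), then eight comp_t fields
# (utime, stime, mem, io, rw, minflt, majflt, swaps) and ac_comm[16]
ACCT_FMT = "<BBHIIIIIIfHHHHHHHH16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)  # 64
ACCT_VERSION = 3
AHZ = 100  # accounting clock ticks per second

# ac_flag bits: AFORK = forked but never exec'd, ASU = used superuser privileges,
# ACORE = dumped core, AXSIG = killed by a signal
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10


def comp_t_decode(c: int) -> int:
    """comp_t: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(v: int) -> int:
    exp = 0
    while v > 0x1FFF:
        v >>= 3
        exp += 1
    return (exp << 13) | v


def build_acct(flag, uid, pid, ppid, btime, etime_s, utime_s, stime_s, comm):
    """Encode one record; used here only to construct the sample data."""
    return struct.pack(ACCT_FMT, flag, ACCT_VERSION, 0, 0, uid, uid, pid, ppid,
                       btime, etime_s * AHZ,
                       comp_t_encode(int(utime_s * AHZ)), comp_t_encode(int(stime_s * AHZ)),
                       0, 0, 0, 0, 0, 0, comm.encode())


def parse_acct(data: bytes):
    """Return the records of a pacct file as dicts, in file order."""
    if len(data) % ACCT_SIZE:
        raise ValueError("not a multiple of %d bytes" % ACCT_SIZE)
    out = []
    for off in range(0, len(data), ACCT_SIZE):
        f = struct.unpack_from(ACCT_FMT, data, off)
        if f[1] & 0x7F != ACCT_VERSION:  # high bit marks a big-endian file
            raise ValueError("unsupported acct version %d" % f[1])
        out.append({"flag": f[0], "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
                    "btime": f[8], "elapsed": f[9] / AHZ,
                    "cpu": (comp_t_decode(f[10]) + comp_t_decode(f[11])) / AHZ,
                    "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace")})
    return out


def totals_by_command(records):
    """What sa reports: per command, number of runs and CPU seconds."""
    t = defaultdict(lambda: [0, 0.0])
    for r in records:
        t[r["comm"]][0] += 1
        t[r["comm"]][1] += r["cpu"]
    return {k: (n, cpu) for k, (n, cpu) in t.items()}


def commands_of(records, uid, start, end):
    """What lastcomm --user shows, narrowed to a time window: (comm, btime,
    flags) for processes of real uid `uid` started in [start, end).  Flag
    letters follow lastcomm: S superuser, F fork without exec, D core, X signal."""
    out = []
    for r in records:
        if r["uid"] == uid and start <= r["btime"] < end:
            flags = "".join(ch for ch, bit in (("S", ASU), ("F", AFORK), ("D", ACORE), ("X", AXSIG))
                            if r["flag"] & bit)
            out.append((r["comm"], r["btime"], flags))
    return out


T0 = 1700000000  # constructed base time
SAMPLE_PACCT = b"".join([  # constructed, not a real accounting file
    build_acct(0,   1000, 2001, 1900, T0 + 10,  0.1, 0.02, 0.01, "ls"),
    build_acct(0,   1000, 2002, 1900, T0 + 20,  5.0, 0.20, 0.05, "vim"),
    build_acct(ASU, 1000, 2003, 1900, T0 + 30,  0.5, 0.01, 0.01, "sudo"),
    build_acct(0,      0, 2004, 2003, T0 + 31, 12.0, 0.50, 1.50, "tcpdump"),
    build_acct(0,   1000, 2005, 1900, T0 + 90,  0.1, 0.02, 0.01, "ls"),
])

if __name__ == "__main__":
    recs = parse_acct(SAMPLE_PACCT)
    for comm, (n, cpu) in sorted(totals_by_command(recs).items()):
        print("%-10s %3d runs %6.2f cpu-s" % (comm, n, cpu))
    for comm, btime, flags in commands_of(recs, 1000, T0, T0 + 60):
        print("uid 1000 ran %-10s at +%ds flags=%s" % (comm, btime - T0, flags or "-"))
```

The sudo record carries S because the process used superuser privileges while its real uid stayed 1000; the tcpdump it launched is recorded under real uid 0, so the trail from a user to root-level commands is the S-flagged entry followed by uid-0 records with that entry's pid as ppid.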