
IDG Contributor Network: Using Unix commands to profile your users

[Category: System (Linux) | Posted by 店小二05 | 2017 | Author: 红领巾]

User profiles aren't restricted to what shells your users use, what groups they are members of, and what privileges they have been allocated. While these factors are important, so are when they log in, how much disk space they are using, and what they're actually doing on your systems. Periodic reviews of your users can help you get a better feel for how they use your systems and can sometimes help you to pinpoint problems.

Unix provides a lot of commands that can help pull together a quick picture of how your users are set up and when they are active.

Recent logins

The last command will show you recent logins for any particular user or for everyone. Depending on when the source file for this information (your wtmp file) rolls over, this might represent months of user logins.

$ last
shs pts/0 192.123.76.32 Fri Jan 6 15:58 still logged in
shs pts/0 192.123.76.32 Fri Jan 6 13:28 - 15:57 (02:29)
jck pts/0 the.planet.net Thu Jan 5 21:49 - 21:49 (00:00)
tbg pts/0 10.11.174.132 Tue Jan 3 13:06 - 13:09 (00:02)
wtbg pts/0 10.12.123.88 Mon Jan 2 01:56 - 01:56 (00:00)
jcc pts/1 208.167.254.36 Fri Dec 30 08:02 - 08:02 (00:00)

Pulling up reports on how many times your users have logged in on a server recently can give you an idea how active they are. Viewing when they log in might give you an entirely different perspective. This kind of command will show you the earliest time of the day that someone logged in.

# last tbg | grep -v begins | grep pts | awk '{print $7}' | sort | head -1

03:10

A similar command will show you the latest time that someone logged in.

# last ec2-user | grep -v begins | awk '{print $7}' | sort | tail -1
22:52

You can generate a report showing the last login for each user on your system with a script like this:

while IFS=: read user _; do
last "$user" | head -n 1
done </etc/passwd

It will display a line for every user in your /etc/passwd file. Those who have never logged in will result in blank lines. On some systems, that could be a very sparse report. To omit the blank lines, you can run the script like this:

$ ./bin/showLastLogins | grep pts

Or, if you prefer, you can add the pseudo-terminal specification to the script itself to remove the blank lines.

while IFS=: read user _; do
last "$user" | grep pts | head -n 1
done </etc/passwd

The output will look something like this:

$ showLastLogins
tbg pts/0 10.11.174.132 Tue Jan 3 13:06 - 13:09 (00:02)
abc pts/0 192.123.76.32 Sat Dec 24 08:28 - 08:30 (00:02)
jcc pts/0 the.planet.net Thu Jan 5 21:49 - 21:49 (00:00)
shs pts/1 192.161.76.32 Fri Jan 6 16:23 still logged in
tpb pts/11 static-71-179-54 Tue Nov 15 10:49 - 10:49 (00:00)

If you want, instead, to produce a report showing only the accounts for which there have been no recent logins, you can use a script like this one. Just keep in mind that you're going to see a lot of system accounts. In general, user accounts will be displayed last since the /etc/passwd file is being processed top to bottom.

#!/bin/bash
# Report accounts with no logins in the current wtmp window.
# For such accounts `last` prints only a blank line followed by the
# "wtmp begins ..." trailer, i.e. exactly two lines.
while IFS=: read -r user _; do
    cnt=$(last "$user" | wc -l)
    if [ "$cnt" -eq 2 ]; then
        echo "$user"
    fi
done </etc/passwd

Depending on the type of work your users do, middle-of-the-night logins might be fairly standard or very unusual -- even suspect. Either way, knowing what to expect is always useful.

Origin of logins

Where your users are logging in from can also provide useful information. For some organizations, logins are nearly always from on-site machines. For others, logins from external IP addresses, even international ones, might be the norm.

Here's an example of a command that will list the source IP addresses and counts of logins from information provided by the last command.

$ last tbg | grep -v begins | grep pts | awk '{print $3}' | sort | uniq -c

22 10.23.167.11
1 10.23.174.132
2 104.235.21.191
16 188.143.232.62
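As an added example (not code from the original article), the script below pulls the login count, earliest and latest time of day, source hosts and off-hours logins for a single user out of `last` output, so it covers both the login-time checks in the previous section and the source-address report above. It assumes a constructed `last` sample in SAMPLE, which you would replace with the real output of `last "$user"`, and a working-hours window passed as two hour arguments.

```shell
#!/bin/bash
# Profile one user from `last` output. SAMPLE is a constructed stand-in for
# "$(last "$user")"; it is not real login data.
SAMPLE='tbg      pts/0        10.23.167.11     Fri Jan  6 15:58   still logged in
tbg      pts/0        10.23.167.11     Fri Jan  6 13:28 - 15:57  (02:29)
tbg      pts/1        188.143.232.62   Thu Jan  5 03:10 - 03:12  (00:02)
tbg      pts/0        104.235.21.191   Tue Jan  3 22:52 - 23:01  (00:09)

wtmp begins Thu Dec  1 00:00:01 2016'

# Keep pseudo-terminal sessions only: this drops the blank line and the
# "wtmp begins ..." trailer that `last` always appends.
login_lines() { printf '%s\n' "$1" | grep -v begins | grep pts; }

# Number of logins inside the current wtmp window (0 for a dormant account).
login_count() { login_lines "$1" | wc -l | tr -d ' '; }

# Earliest and latest time of day; field 7 of `last` is HH:MM, which sorts
# correctly as text because it is zero-padded.
earliest_login() { login_lines "$1" | awk '{print $7}' | sort | head -n 1; }
latest_login()   { login_lines "$1" | awk '{print $7}' | sort | tail -n 1; }

# Source hosts (field 3) with login counts, most frequent first.
login_sources() { login_lines "$1" | awk '{print $3}' | sort | uniq -c | sort -rn; }

# Logins whose hour lies outside the expected window [start, end), e.g. 7 19
# for a 07:00-19:00 working day; these are the sessions worth a second look.
offhours_logins() {
  login_lines "$1" | awk -v s="$2" -v e="$3" \
    'BEGIN { s += 0; e += 0 } { split($7, t, ":"); h = t[1] + 0; if (h < s || h >= e) print }'
}

# Human-readable profile for one user: logins, time range, sources, off-hours.
profile_user() {
  printf 'logins: %s  earliest: %s  latest: %s\n' \
    "$(login_count "$1")" "$(earliest_login "$1")" "$(latest_login "$1")"
  printf 'sources:\n'; login_sources "$1"
  printf 'off-hours (outside %02d-%02d):\n' "$2" "$3"; offhours_logins "$1" "$2" "$3"
}

profile_user "$SAMPLE" 7 19
```

A login_count of 0 is the same condition the two-line test in the dormant-account script detects, so the same helper can drive that report.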

Group memberships

You can pull group memberships from the /etc/passwd and /etc/group files, but the groups command makes fetching that information even easier.

$ groups tbg
ec2-user : tbg admins wheel

User Privileges

When trying to ascertain what privileges a user might have on some particular system, you should never overlook the /etc/sudoers file. If enabled, wheel group membership might allow a user to run any command as root using sudo.

## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

User Activity

You can get a feel for the kind of work your users are doing by reviewing their command history, but you're probably going to find yourself looking at far too much data or looking at a data summary that doesn't give a lot of insight. Still, a command like this can provide some insights.

# cat ~tbg/.bash_history | awk '{print $1}' | sort | uniq -c
1 alias
21 cd
10 clear
1 cp
1 date
12 echo
7 fix
4 history
24 ls
1 man
1 mkdir
11 mv
10 pwd
1 set
16 setpos
1 touch
92 vi

Looking for possible malicious activity would require a lot more insight. For one thing, history files can be edited by users, so they're more of a convenience than a source of evidence. For another, the volume of data can make finding what you're looking for quite difficult. Commands like the one shown above aren't going to show you what files are being edited -- obviously a critical piece of information if you're trying to do a deep dive on someone's activity on your system. And you aren't likely to notice if someone has temporarily aliased "ls" to a very different command.

This article is published as part of the IDG Contributor Network.

Page link: http://www.codesec.net/view/522226.html