Generating Reports
The lastcomm command supplies information on all commands executed on the system. It formats its output to show the command executed, the user who executed the command, what tty that user was using, the time to complete execution, and the time and date the command was executed.
The following output is a small portion of lastcomm data. Because process accounting stores every command executed by every user, normal output could continue scrolling for several minutes.
freeside % lastcomm
whoami    F   root    ttyp5   0.01 secs Sun Apr 2 17:17
sh        F   user    ttyp4   0.00 secs Sun Apr 2 17:16
rm        F   user    ttyp4   0.02 secs Sun Apr 2 17:16
sendmail  F   user    ttyp4   0.00 secs Sun Apr 2 17:16
sendmail  F   phrack  ttyp4   0.34 secs Sun Apr 2 17:16
sh        F   user    ttyp4   0.03 secs Sun Apr 2 17:16
sh        F   user    ttyp4   0.00 secs Sun Apr 2 17:16
sh        F   phrack  ttyp5   0.02 secs Sun Apr 2 17:16
more      F   phrack  ttyp5   0.05 secs Sun Apr 2 17:16
lastcomm  FX  phrack  ttyp5   0.23 secs Sun Apr 2 17:16
sendmail  F   user    ttyp4   0.20 secs Sun Apr 2 17:16
sh        F   user    ttyp4   0.02 secs Sun Apr 2 17:16
rm        F   user    ttyp4   0.02 secs Sun Apr 2 17:16
sendmail  F   user    ttyp4   0.31 secs Sun Apr 2 17:16
sendmail  F   user    ttyp4   0.00 secs Sun Apr 2 17:16
sh        F   user    ttyp4   0.02 secs Sun Apr 2 17:16
sh        F   user    ttyp4   0.02 secs Sun Apr 2 17:16
httpd     SF  www     __      0.05 secs Sun Apr 2 17:16
pico      F   ccr     ttya6   0.05 secs Sun Apr 2 17:15
Careful examination of the preceding sample output reveals possible intruder activity. During the two-minute span shown in the sample, several users (root, www, ccr, user, and phrack) are running commands. Look closely at the output: the root command entry occurred at the same time and on the same tty (ttyp5) as the phrack account's commands. Because the phrack account did not execute an su or sudo command, more than likely the user of that account did something improper to become root. The fact that sendmail was the last command executed by the phrack account before this discrepancy indicates that the user might have exploited some kind of sendmail-based bug.
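The check described above can be automated. The following Python script is an added example, not part of the original chapter: it parses lastcomm output and reports root commands that appear on a tty that a non-root account was using moments earlier, with no su or sudo recorded for that account on that tty in between. The sample records are constructed from the chapter's output plus a constructed ttyp6 case where su was used; the two-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample in the chapter's lastcomm layout (newest first). The last
# three lines are a constructed negative case: bobs ran su before root activity
# appeared on ttyp6, so that tty is not flagged.
SAMPLE = """\
whoami   F  root   ttyp5 0.01 secs Sun Apr 2 17:17
sh       F  user   ttyp4 0.00 secs Sun Apr 2 17:16
sendmail F  phrack ttyp4 0.34 secs Sun Apr 2 17:16
sh       F  phrack ttyp5 0.02 secs Sun Apr 2 17:16
more     F  phrack ttyp5 0.05 secs Sun Apr 2 17:16
httpd    SF www    __    0.05 secs Sun Apr 2 17:16
ls       F  root   ttyp6 0.01 secs Sun Apr 2 17:14
su       F  bobs   ttyp6 0.02 secs Sun Apr 2 17:13
sh       F  bobs   ttyp6 0.01 secs Sun Apr 2 17:13
"""

def parse_lastcomm(text):
    """Parse lastcomm lines into dicts; the flags column may be absent.
    lastcomm prints no year, so times parse to 1900 (ordering still works)."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if "secs" not in tok or tok.index("secs") < 4:
            continue
        i = tok.index("secs")
        records.append({
            "command": tok[0],
            "flags": tok[1] if i - 3 > 1 else "",
            "user": tok[i - 3], "tty": tok[i - 2], "cpu": float(tok[i - 1]),
            # drop the weekday and keep "Apr 2 17:17"
            "time": datetime.strptime(" ".join(tok[i + 2:]), "%b %d %H:%M"),
        })
    return records

def suspicious_root_commands(records, window_minutes=2):
    """Return (command, tty, prior_user) for root commands on a tty that a
    non-root account used within window_minutes with no su/sudo in between.
    lastcomm lists newest first, so records are walked oldest to newest."""
    findings = []
    last_user = {}  # tty -> (user, time) of the latest non-root command
    for r in reversed(records):
        if r["tty"] == "__":          # no controlling tty (daemons)
            continue
        if r["user"] != "root":
            if r["command"] in ("su", "sudo"):
                last_user.pop(r["tty"], None)   # legitimate privilege change
            else:
                last_user[r["tty"]] = (r["user"], r["time"])
            continue
        prior = last_user.get(r["tty"])
        if prior and r["time"] - prior[1] <= timedelta(minutes=window_minutes):
            findings.append((r["command"], r["tty"], prior[0]))
    return findings
```

On the sample, the only finding is root's whoami on ttyp5 right after phrack; the ttyp6 activity is cleared by the recorded su.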
The sa command offers another useful way of generating reports from the process accounting logs. This command summarizes CPU time consumed either by user (sa -m) or by command (sa -s). The sa command helps administrators identify which users or commands are consuming too many system resources.
freeside % sa -m
root      73271   500.85cpu   22747961tio   112295694k*sec
daemon     1668     5.45cpu     817411tio      353179k*sec
sys        4239    20.79cpu    4840469tio      411555k*sec
gopherd      66     0.77cpu      17194tio       94396k*sec
www       30935   119.68cpu    2674466tio     4345219k*sec
bobs          8     0.23cpu      52076tio       60909k*sec
erikb       447     2.43cpu     386568tio      389052k*sec
rickm      5325   111.08cpu    7892131tio    -4722301k*sec
cma         121     0.78cpu     149312tio      111471k*sec
faust      1349    11.47cpu    1355051tio     2629341k*sec
jj          489     6.37cpu    1069151tio     1231814k*sec
gre           4     0.11cpu      98032tio       13844k*sec
foo       14574    87.25cpu     432077tio     4170422k*sec
sqr       46641   877.97cpu   63720573tio   243279830k*sec
nobody      209     4.69cpu     321321tio     1601114k*sec
Several other utilities can greatly help the system administrator conduct audits. Although these utilities might not make use of specific log files to generate their information, you can collect output from these utilities and use them in conjunction with other logs to create a much clearer picture of the true state of the system.