Internet Security Professional Reference: Audit Trails


Generating Reports

The lastcomm command supplies information on all commands executed on the system. It formats its output to show the command executed, the user who executed the command, what tty that user was using, the time to complete execution, and the time and date the command was executed.

The following output is a small portion of lastcomm data. Because process accounting stores every command executed by every user, normal output could continue scrolling for several minutes.

freeside % lastcomm
whoami     F     root     ttyp5      0.01 secs Sun Apr  2 17:17
sh         F     user     ttyp4      0.00 secs Sun Apr  2 17:16
rm         F     user     ttyp4      0.02 secs Sun Apr  2 17:16
sendmail   F     user     ttyp4      0.00 secs Sun Apr  2 17:16
sendmail   F     phrack   ttyp4      0.34 secs Sun Apr  2 17:16
sh         F     user     ttyp4      0.03 secs Sun Apr  2 17:16
sh         F     user     ttyp4      0.00 secs Sun Apr  2 17:16
sh         F     phrack   ttyp5      0.02 secs Sun Apr  2 17:16
more       F     phrack   ttyp5      0.05 secs Sun Apr  2 17:16
lastcomm   FX    phrack   ttyp5      0.23 secs Sun Apr  2 17:16
sendmail   F     user     ttyp4      0.20 secs Sun Apr  2 17:16
sh         F     user     ttyp4      0.02 secs Sun Apr  2 17:16
rm         F     user     ttyp4      0.02 secs Sun Apr  2 17:16
sendmail   F     user     ttyp4      0.31 secs Sun Apr  2 17:16
sendmail   F     user     ttyp4      0.00 secs Sun Apr  2 17:16
sh         F     user     ttyp4      0.02 secs Sun Apr  2 17:16
sh         F     user     ttyp4      0.02 secs Sun Apr  2 17:16
httpd      SF    www      __         0.05 secs Sun Apr  2 17:16
pico       F     ccr      ttya6      0.05 secs Sun Apr  2 17:15

Careful examination of the preceding sample output reveals possible intruder activity. During the two-minute span shown in the sample, several users—root, www, ccr, user, and phrack—are running commands. Look closely at the output; the root command entry occurred at the same time and on the same tty as the phrack account. Because the phrack account did not execute an su or sudo command, more than likely the user of that account did something improper to become root. The fact that sendmail was the last command executed by the phrack account before this discrepancy indicates that the user might have exploited some kind of sendmail-based bug.
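The check described above, turned into a small script as an added example (not code from the book): it parses a constructed listing in the lastcomm format shown and flags any tty on which root ran commands alongside a non-root user without an su or sudo record. Because accounting records are written when a process exits, a legitimate su appears in the listing *after* the commands run inside it, so the script examines each tty's whole history rather than only the lines preceding the root entry.

```python
import re
from collections import defaultdict

# Constructed lastcomm listing (newest first) in the page's column layout:
# command, flags, user, tty, CPU seconds, exit time. ttyp5 shows a root entry
# with no su on that tty; ttya6 shows root activity covered by a recorded su.
SAMPLE_LASTCOMM = """\
whoami     F     root     ttyp5      0.01 secs Sun Apr  2 17:17
sendmail   F     phrack   ttyp4      0.34 secs Sun Apr  2 17:16
sh         F     phrack   ttyp5      0.02 secs Sun Apr  2 17:16
lastcomm   FX    phrack   ttyp5      0.23 secs Sun Apr  2 17:16
httpd      SF    www      __         0.05 secs Sun Apr  2 17:16
ls         F     root     ttya6      0.01 secs Sun Apr  2 17:15
su         S     ccr      ttya6      0.04 secs Sun Apr  2 17:15
pico       F     ccr      ttya6      0.05 secs Sun Apr  2 17:15
"""

# Flags column is optional (blank when no flags apply); assumes no all-uppercase usernames.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+)\s+secs\s+(?P<when>.+)$"
)


def parse_lastcomm(text):
    """Return one dict per parseable lastcomm line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def suspicious_root_activity(records, escalators=("su", "sudo")):
    """Flag ttys where root ran commands, another user also ran commands, and
    no su/sudo was recorded anywhere on that tty (records are written at
    process exit, so su is listed after the commands run inside it)."""
    by_tty = defaultdict(list)
    for r in records:
        if r["tty"] != "__":  # "__" means no controlling tty (daemons such as httpd)
            by_tty[r["tty"]].append(r)
    findings = []
    for tty, recs in sorted(by_tty.items()):
        root_cmds = [r["cmd"] for r in recs if r["user"] == "root"]
        others = sorted({r["user"] for r in recs if r["user"] != "root"})
        escalated = any(r["cmd"] in escalators for r in recs)
        if root_cmds and others and not escalated:
            findings.append({"tty": tty, "users": others, "root_cmds": root_cmds})
    return findings


if __name__ == "__main__":
    for f in suspicious_root_activity(parse_lastcomm(SAMPLE_LASTCOMM)):
        print(f"{f['tty']}: root ran {f['root_cmds']} with no su/sudo recorded; "
              f"other users on this tty: {f['users']}")
```

On a live system, feed the script the real output (`lastcomm | python3 check.py` with a stdin reader in place of the constructed sample) and review each flagged tty against the commands that preceded the root entry, as the text does with sendmail.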

The sa command is another useful tool for generating reports from the process accounting logs. It summarizes CPU time consumed either by user (sa -m) or by command (sa -s). The sa command helps administrators identify the users or commands that are consuming excessive system resources.

freeside % sa -m
root      73271    500.85cpu   22747961tio    112295694k*sec
daemon     1668      5.45cpu     817411tio       353179k*sec
sys        4239     20.79cpu    4840469tio       411555k*sec
gopherd      66      0.77cpu      17194tio        94396k*sec
www       30935    119.68cpu    2674466tio      4345219k*sec
bobs          8      0.23cpu      52076tio        60909k*sec
erikb       447      2.43cpu     386568tio       389052k*sec
rickm      5325    111.08cpu    7892131tio     -4722301k*sec
cma         121      0.78cpu     149312tio       111471k*sec
faust      1349     11.47cpu    1355051tio      2629341k*sec
jj          489      6.37cpu    1069151tio      1231814k*sec
gre           4      0.11cpu      98032tio        13844k*sec
foo       14574     87.25cpu     432077tio      4170422k*sec
sqr       46641    877.97cpu   63720573tio    243279830k*sec
nobody      209      4.69cpu     321321tio      1601114k*sec

Useful Utilities in Auditing

Several other utilities can greatly help the system administrator conduct audits. Although these utilities might not make use of specific log files to generate their information, you can collect output from these utilities and use them in conjunction with other logs to create a much clearer picture of the true state of the system.

