seeking "special" account use details
If you look in /etc/passwd there are all sorts of login names other than the ones created for people. How do I discover:
Likewise, the server might launch other processes also as 'www:www'. Again, there are no 'login' events. While I can scan logs for activities resulting from many similar applications, I don't want to poll the log files. Also, I don't want to write real code that reads a syslog pipe parsing for the details that I seek. (gulp) I hope that isn't my only option. I'm enough of an antique that I remember the original AT&T® Unix™. In those days, there was magic associated with any user or group number '10' and below. (Those digits might be base-8 instead of base-10.) The details about that magic are lost in the mist of my memory. I'm also aware of techniques where a daemon process has its unique UID:GID for a variety of security and operational reasons. Thanks in advance, ~~~ 8d;-Dan
Many accounts are created by default on installation for commonly used tools (such as www for web, as you mentioned).
If I wanted to find out which, if any, of these accounts were in use I would do the following:
1) Run "ps -fu <username>" to see if any processes are currently running under the given entry in passwd.
2) Run "find / -user <username>" (or "find / -user <uid>") to find if any files are owned by the given entry.
3) Run "last <username>" to see if there is any history of them ever having logged in. (As you note, there are often cases where a user account is used without logging in. Also, last relies on files that may be corrupted or overwritten, so it isn't perfect.)
4) Check other logs in /var/log (such as the secure log and cron log) to see if anything shows they were ever used.
5) Check init scripts and see if any of them mention the account. If they do, check whether they're actually linked to start at any given run level (i.e. check the /etc/init files, then check for links to the same from /etc/rc?.d, where the ? is one of the run levels).
By the way, you can set up something called "logwatcher" to look for specific events in logs rather than having to write your own script.
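The five checks above, strung together as a small audit script over every low-UID account in /etc/passwd. This is an added example, not code from the thread; the UID cut-off of 1000 for "system" accounts and the init-script paths it greps are assumptions.

```shell
#!/bin/sh
# Audit the "special" accounts in /etc/passwd (UID below a cut-off) using the
# checks from the answer above: running processes, owned files, login history
# and references in init scripts. Constructed example; the 1000 cut-off and
# the /etc/init.d, /etc/rc*.d and /etc/systemd paths are assumptions.

# Print name:uid for every account in passwd file $1 whose uid is below $2.
system_accounts() {
    awk -F: -v min="$2" '$3 < min { print $1 ":" $3 }' "$1"
}

# Step 1: number of processes currently running as user or uid $1.
proc_count() {
    ps -o pid= -u "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Step 2: number of files under $2 owned by uid $1. The numeric uid is used
# so the result does not depend on the name resolving; -xdev stays on one fs.
file_count() {
    find "$2" -xdev -user "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Step 3: number of interactive logins recorded for $1 in wtmp (0 if none).
login_count() {
    last "$1" 2>/dev/null | grep -c "^$1 " || true
}

# Steps 4-5: init scripts and unit files that mention the account name.
init_refs() {
    grep -rlw "$1" /etc/init.d /etc/rc*.d /etc/systemd 2>/dev/null | tr '\n' ' '
}

# One report line per system account, e.g. (illustrative values):
#   www uid=33 procs=4 files=212 logins=0 refs=/etc/init.d/apache2
audit_all() {
    system_accounts "${1:-/etc/passwd}" "${2:-1000}" | while IFS=: read -r name uid; do
        printf '%s uid=%s procs=%s files=%s logins=%s refs=%s\n' \
            "$name" "$uid" "$(proc_count "$uid")" "$(file_count "$uid" /)" \
            "$(login_count "$name")" "$(init_refs "$name")"
    done
}

# Run the full audit only when explicitly requested (it walks the whole fs).
if [ -n "${AUDIT_RUN:-}" ]; then audit_all; fi
```

Run it as `AUDIT_RUN=1 sh audit.sh` as root so that `find` and `last` can see everything; an account with zero processes, zero files, zero logins and no init references is the candidate for removal or locking.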
Thanks to MensaWater for their detailed comments. They provide an excellent recipe for discovering the information that I'm seeking.
My original post strikes me as a question someone might ask during a system or network security audit. Do any of my LQ colleagues know much about audit tools available in the Linux world -- specifically Ubuntu and Mint? Cheers, ~~~ 0;-Dan