LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-10-2014, 11:47 AM   #1
SaintDanBert
Senior Member
 
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint-20.1 with Cinnamon
Posts: 1,770
Blog Entries: 3

Rep: Reputation: 108Reputation: 108
seeking "special" account use details


If you look in /etc/passwd there are all sorts of login names other than the ones created for people. How do I discover:
  • when and why each of these accounts exist?
  • which of these are actually in use on my system(s) vs. created by default of just-in-case?
  • alert or log or both when and if they get used?
There are all sorts of "alert on login" threads around the net. Starting a process running as a designated user does not provoke the 'login' event. For example, a web server might run as user 'www:www' and get started a system start. There is no 'login' event for this.
Likewise, the server might launch other processes also as 'www:www'. Again, there are no 'login' events.

While I can scan logs for activities resulting from many similar applications, I don't want to poll the log files. Also, I don't want to write real code that reads a syslog pipe parsing for the details that I seek. (gulp) I hope that isn't my only option.

I'm enough of an antique that I remember the original AT&T® Unix™. In those days, there was magic associated with any user or group number '10' and below. (Those digits might be base-8 instead of base-10.) The details about that magic are lost in the myst of my memory. I'm also aware of techniques where a daemon process has its unique UID:GID for a variety of security and operational reasons.

Merci d'avance,
~~~ 8d;-Dan
 
Old 07-11-2014, 09:36 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669
Many accounts are created by default on installation for commonly used tools (such as www for web as you mentioned.)

If I wanted to find out which, if any, of these accounts were in use I would do the following:
1) Run "ps -fu <username>" to see if any processes are running under the given entry in password currently.
2) Run "find / -user <username>" (for "find / -user <uid>" to find if any files are owned by the given entry.
3) Run "last <username>" to see if there is any history of them ever having logged in. (As you note there are often cases where a user account is used without logging in. Also last relies on files that may be corrupted or overwritten so isn't perfect.)
4) Check other logs in /var/log (such as secure log, cron log) to see if it shows anything ever used them.
5) Check init scripts and see if any of them mention the account. If they do check to see whether they're actually linked to start at any given run level. (i.e. check /etc/init files then check for links to same from /etc/rc?.d where the ? is one of the run levels).

By the way you can setup something called "logwatcher" to look for specific events in logs rather than having to write your own script.
 
1 members found this post helpful.
Old 07-11-2014, 12:09 PM   #3
SaintDanBert
Senior Member
 
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint-20.1 with Cinnamon
Posts: 1,770

Original Poster
Blog Entries: 3

Rep: Reputation: 108Reputation: 108
Thanks to MensaWater for their detailed comments. They provide an excellent recipe for discovering the information that I'm seeking.

My original post strikes me as a question someone might ask during a system or network security audit. Does anyone of my LQ colleagues know much about audit tools available in the linux world -- specifically ubuntu and Mint?

Cheers,
~~~ 0;-Dan
 
Old 07-11-2014, 12:16 PM   #4
SaintDanBert
Senior Member
 
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint-20.1 with Cinnamon
Posts: 1,770

Original Poster
Blog Entries: 3

Rep: Reputation: 108Reputation: 108
Quote:
Originally Posted by MensaWater View Post
Many accounts are created by default on installation for commonly used tools (such as www for web as you mentioned.)

If I wanted to find out which, if any, of these accounts were in use I would do the following:
...
... a numbered list of commands to gather information ...
...
It might not be obvious to some readers, but many of the commands might best get launched using sudo {command} so that they run as superuser. As an alternative, one might use sudo -i to open a superuser login shell.

Cheers,
~~~ 0;-Dan
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
seeking "home office" or "small business" server advice SaintDanBert Linux - Server 10 05-04-2014 05:12 PM
[SOLVED] How can i get hardware details without "having root privileges"/"using dmidecode" RaviTezu Linux - Newbie 2 01-07-2013 08:32 AM
seeking linux workstation oriented "audit" or "inventory" utility SaintDanBert Linux - Software 2 02-08-2012 05:02 AM
seeking conversion to/from winXX tablet "journal" and X11 tablet "xournal" ink SaintDanBert Linux - Software 0 01-12-2010 05:14 PM
Seeking for "Synchronise" and "patients" projects/scripts of Visual Basic LAN-Dominator.nl Programming 2 07-05-2008 07:21 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 03:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration