Essential Linux Account Security and Intrusion Detection Checklist

This guide provides a comprehensive, step‑by‑step walkthrough of Linux account security, user and shadow file inspection, login record analysis, process and startup script examination, cron job auditing, file integrity searches, and log‑based intrusion detection using practical commands and examples.

Liangxu Linux

Account and Password Files

Linux stores user account information in /etc/passwd with the format account:password:UID:GID:GECOS:directory:shell. Example entry for the root account:

root:x:0:0:root:/root:/bin/bash

List users that have a login shell (e.g., /bin/bash): cat /etc/passwd | grep /bin/bash
Show accounts whose UID is 0: awk -F: '$3==0{print $1}' /etc/passwd
Find users with sudo privileges: grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL)"

Any UID 0 account other than root is a red flag. Accounts without a password can log in locally only.

Shadow File

Password hashes and password-policy fields are stored in /etc/shadow (readable only by root), with the layout account:hash:last-change:min-days:max-days:warn-days:inactive-days:expire-date:reserved. Example entry:

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
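The passwd and shadow checks above, combined into one audit, as an added POSIX shell example that is not part of the original article: it flags extra UID 0 accounts, empty password fields, and accounts that have both an interactive shell and a usable (not locked) password. The passwd and shadow samples are constructed, with placeholder hashes.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow style samples (not from a real host); hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
backup2:x:1002:1002::/home/backup2:/bin/bash
svc:x:1001:1001:Service:/srv/svc:/bin/false'
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
toor:$6$saltsalt$PLACEHOLDERHASH:19300:0:99999:7:::
backup2::19300:0:99999:7:::
svc:!:16809:0:99999:7:::'

# UID-0 accounts other than root (reads passwd on stdin); a clean host prints nothing.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Accounts with an empty password field (reads shadow on stdin).
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Join both files: accounts that have an interactive shell AND whose password field is
# neither locked ("!") nor disabled ("*"); the field is reported as SET or EMPTY.
# Live usage (root is needed to read shadow): audit_accounts /etc/passwd /etc/shadow
audit_accounts() {
  awk -F: 'NR == FNR { if ($7 !~ /(nologin|false)$/) shell[$1] = $7; next }
           ($1 in shell) && $2 !~ /^[!*]/ {
             print $1 ":" shell[$1] ":" ($2 == "" ? "EMPTY" : "SET") }' "$1" "$2"
}

# Write the constructed samples to temporary files so the two-file join can run offline.
PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
printf '%s\n' "$SAMPLE_SHADOW" > "$SHADOW_FILE"
audit_accounts "$PASSWD_FILE" "$SHADOW_FILE"
```

On the sample, toor shows up as a second UID 0 account and backup2 as a shell account with no password at all.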

Current Logins and Session Information

who – displays all logged-in users (local ttys and remote pts).
w – shows logged-in users together with their running commands.
uptime – reports system uptime, number of users and load average.

Login Record Investigation

Use last to view successful logins and lastb for failed attempts (read from /var/log/btmp). The binary log file /var/log/wtmp can be made append-only so that entries cannot be edited or truncated (log rotation then needs chattr -a first):

chattr +a /var/log/wtmp

Sudo Users

Inspect /etc/sudoers, and the drop-in files under /etc/sudoers.d/, for privileged accounts.

Shell History Analysis

Increase the history size and stamp each command with the time, source IP address and user by editing /etc/profile (run the sed once as root, append the remaining lines to /etc/profile, then reload it):

# Save 10,000 commands instead of the default 1,000
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

# Append the following to /etc/profile: stamp each command with date, time, source IP and user
# ("who am i" prints the origin host in parentheses; fall back to the hostname for local logins)
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | tr -d '()')
if [ -z "$USER_IP" ]; then
    USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend                  # bash only: append to .bash_history instead of overwriting it
export PROMPT_COMMAND="history -a"   # write each command out immediately rather than at logout

# Reload the profile in the current session
source /etc/profile

history -c clears only the current shell's in-memory list; persisted entries have to be deleted from the user's .bash_history file. During an investigation, an unexpectedly empty or truncated .bash_history, or one linked to /dev/null, is itself a finding.

Port and Connection Checks

netstat -antlp | more

On systems where netstat is no longer installed (it is deprecated in favour of iproute2), ss -antlp gives the same listing.

Process Investigation

Find a process whose command line contains a port number or name: ps aux | grep 6666
Show the executable path of a PID: ls -l /proc/$PID/exe or file /proc/$PID/exe
List open files for a PID: lsof -p $PID
List files opened by a service name: lsof -c sshd
Show network connections on a specific port: lsof -i :22
Display process start time: ps -p $PID -o lstart
Force-kill a process: kill -9 $PID

If a suspicious process has no corresponding file on disk, it may be memory-resident malware: ls -l /proc/$PID/exe then shows the link target with a "(deleted)" suffix, and the binary can still be copied out of /proc/$PID/exe for analysis as long as the process is running.

Startup Script Examination

Runlevels 0‑6 define system states. Current runlevel can be queried with runlevel. Startup scripts are located in:

/etc/rc.local
/etc/rc.d/rc[0-6].d
/etc/init.d

To add a custom script you can either edit /etc/rc.local (insert commands before the exit 0 line and make the file executable) or create a symbolic link and register it with update-rc.d:

# Example: install a backdoor ELF as a boot script
ln -s /home/b4yi/kali-6666.elf /etc/init.d/backdoor
sudo update-rc.d backdoor defaults 99

Cron Job Auditing

List the current user's cron jobs: crontab -l (use crontab -l -u USER to check other accounts). Important cron locations:

/etc/crontab (system crontab, root-only editable)
/var/spool/cron/ (per-user crontabs)
/etc/cron.d/
/etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, /etc/cron.monthly/

View all scripts in the daily cron directory:

more /etc/cron.daily/*
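A cron audit over the locations listed above, as an added POSIX shell example that is not part of the original article: it parses crontab entries (system format with a user column, or per-user format when a user name is passed) and reports the ones whose command runs from a world-writable or hidden path. The crontab sample is constructed.

```shell
#!/bin/sh
# Constructed /etc/crontab-style sample (system layout: schedule, user, command); not from a real host.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /dev/shm/.x/update.sh >/dev/null 2>&1
@reboot         www     /tmp/.cache/run.sh'

# One "user|command" line per active entry on stdin. Comments, blank lines and VAR=value
# assignments are skipped; five-field schedules and @reboot/@daily keywords are both handled.
# With no argument the input is system format (/etc/crontab, /etc/cron.d/*); pass a user name
# for per-user crontabs (crontab -l, /var/spool/cron/*), which have no user column.
cron_entries() {
  awk -v u="${1:-}" '
    NF == 0 || /^[[:space:]]*#/ { next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    { at = ($1 ~ /^@/)
      if (u != "") { user = u; first = at ? 2 : 6 } else { user = at ? $2 : $6; first = at ? 3 : 7 }
      cmd = ""
      for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
      print user "|" cmd }'
}

# Entries whose command references /tmp, /var/tmp, /dev/shm or a hidden (dot) path: the usual
# persistence spots, so review these first.
suspicious_cron_entries() {
  cron_entries "$@" | grep -E '(/tmp|/var/tmp|/dev/shm)/|/\.[A-Za-z0-9]'
}

# Live usage: suspicious_cron_entries < /etc/crontab; crontab -l -u alice | suspicious_cron_entries alice
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
```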

File Integrity Checks

Search for suspicious files with find:

By name (wildcards allowed): find / -name a.Test
By size (e.g., larger than 1 GB): find / -size +1000M
By modification time (last 24 h): find / -mtime -1 -ls | more
By owner: find / -user root -type f
By access, modification or inode-change time: -atime, -mtime, -ctime

-ctime also catches ownership and permission changes, and unlike the modification time it cannot be backdated with touch, so it is the more reliable of the three during an investigation.

System Log Examination

Log files are stored under /var/log/. Key logs for security investigations include:

/var/log/secure – authentication and authorization events (SSH, sudo, useradd, etc.); on Debian-based systems the equivalent file is /var/log/auth.log
/var/log/wtmp – binary record of all logins, logouts, reboots
/var/log/lastlog – binary record of each user's last login time
/var/log/cron – cron-related activity
/var/log/messages – general system messages and errors
/var/log/btmp – failed login attempts (view with lastb)

Typical log‑analysis commands:

# Source IPs that attempted a root brute-force ($11 is the address in the standard
# "Failed password for USER from IP" layout; "invalid user NAME" lines shift it to $13)
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

# Source IPs with successful logins
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

# User-add events
grep "useradd" /var/log/secure

# User-del events
grep "userdel" /var/log/secure

# Sudo rules that apply to the current user (actual sudo usage is logged in /var/log/secure: grep sudo /var/log/secure)
sudo -l
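The log analysis above, as an added POSIX shell example that is not part of the original article: it takes the address from the token after "from" instead of a fixed column, so "invalid user" lines are counted too, cross-references failed sources against later successful logins, and extracts accounts created by useradd. The /var/log/secure-style lines, hosts and addresses are constructed.

```shell
#!/bin/sh
# Constructed /var/log/secure-style sample (syslog layout); hosts and addresses are made up.
SAMPLE_SECURE='Jan 10 10:01:02 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 10 10:01:05 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 10 10:01:09 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jan 10 10:02:11 host1 sshd[2110]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 10:03:00 host1 sshd[2115]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
Jan 10 10:04:30 host1 sshd[2120]: Accepted password for root from 203.0.113.5 port 51040 ssh2
Jan 10 10:05:00 host1 useradd[2130]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash'

# "count ip" for failed logins, most active first. The address is the token after "from",
# so "invalid user NAME" lines (which shift a fixed $11 column) are counted correctly.
failed_by_ip() {
  awk '/sshd\[[0-9]*\]: Failed password for/ {
         for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -nr
}

# Addresses that failed at least once and were later accepted: the brute-force-then-success
# pattern to triage first (then check which account the success landed on).
failed_then_accepted() {
  awk '/Failed password for/ { for (i = 1; i < NF; i++) if ($i == "from") seen[$(i+1)] = 1 }
       /Accepted (password|publickey) for/ {
         for (i = 1; i < NF; i++) if ($i == "from" && seen[$(i+1)]) print $(i+1)
       }' | sort -u
}

# Account names created by useradd, taken from the structured "new user: name=..." record.
added_users() {
  sed -n 's/.*useradd\[[0-9]*\]: new user: name=\([^,]*\),.*/\1/p'
}

# Live usage: failed_by_ip < /var/log/secure (Debian family: /var/log/auth.log)
printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
printf '%s\n' "$SAMPLE_SECURE" | failed_then_accepted
```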

Reference Security Scripts

Open‑source Linux security audit tools (use as references):

https://github.com/grayddq/GScan

https://github.com/ppabc/security_check

https://github.com/T0xst/linux

Figure: runlevel diagram
Figure: rc.local example
Figure: log file list
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
