Essential Linux Account Security & Intrusion Detection Checklist

This guide details Linux account security fundamentals, including critical system files, user and privilege inspection commands, login monitoring, intrusion investigation techniques, startup script analysis, cron job auditing, file searching methods, process inspection, and log file examination to help secure and troubleshoot Linux servers.

MaGe Linux Operations

Account Security

Key system files:

/etc/passwd – one record per account, in the format:

account:password:UID:GID:GECOS:directory:shell

/etc/shadow – stores encrypted passwords and password aging information.

# /etc/passwd format: account:password:UID:GID:GECOS:directory:shell
# Example entry
root:x:0:0:root:/root:/bin/bash

View users with login shells:

grep /bin/bash /etc/passwd

Find UID 0 users:

awk -F: '$3==0{print $1}' /etc/passwd

List sudo‑enabled users:

# Entries granting ALL=(ALL), skipping comment and blank lines
grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL)"

Check current logged‑in users and uptime:

who        # list all logged‑in users (local and remote)
w          # show logged‑in users and their commands
uptime     # show how long the system has been up and load

Intrusion Investigation

Inspect recent successful logins:

last

Inspect recent failed logins:

sudo lastb

Show each user's last login:

lastlog

Set the append‑only attribute on /var/log/wtmp ahead of time, so that login records cannot be truncated or rewritten by an intruder:

chattr +a /var/log/wtmp

Privilege and Account Management

List privileged (UID 0) accounts:

awk -F: '$3==0{print $1}' /etc/passwd

Identify accounts that hold a usable password hash ($1$ MD5 or $6$ SHA‑512) and can therefore log in remotely with a password:

awk -F: '$2 ~ /^\$[16]\$/ {print $1}' /etc/shadow

Review sudo rights and remove those that are not needed; this lists the entries granting ALL=(ALL):

grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL)"

Disable or delete suspicious accounts:

usermod -L user      # lock account (password field starts with '!')
userdel user         # delete user
userdel -r user      # delete user and home directory
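An added example, not from the original article, that performs the UID 0, login‑shell and password‑hash checks from the Account Security and Privilege and Account Management sections in one pass. The directory argument and the sample files are assumptions so it runs on copies pulled from a suspect host; pass /etc for the live system.

```shell
#!/bin/sh
# Added example, not part of the original article: audit copies of
# /etc/passwd and /etc/shadow for what the checklist asks about (UID 0
# accounts, interactive login shells, usable password hashes). The
# directory argument is an assumed parameter so the functions also run
# against files copied off a suspect host; pass /etc for the live system.

# Accounts with UID 0; anything other than "root" needs explaining.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/passwd"
}

# Accounts holding a usable password hash. Current crypt prefixes are
# $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512) and $y$ (yescrypt); "!", "*"
# and "!!" mean locked or no password set.
hashed_accounts() {
    awk -F: '$2 ~ /^\$[156y]\$/ { print $1 }' "$1/shadow"
}

# One line per interactive-shell account: name, UID, shell, password state,
# with a marker on any non-root account that holds UID 0.
account_review() {
    awk -F: 'NR == FNR { pw[$1] = $2; next }
        $7 !~ /(nologin|false)$/ {
            state = (pw[$1] ~ /^\$[156y]\$/) ? "password-set" : "locked-or-none"
            flag  = ($3 == 0 && $1 != "root") ? " <-- extra UID 0" : ""
            print $1, $3, $7, state flag
        }' "$1/shadow" "$1/passwd"
}

# Constructed sample files (placeholder hashes, not real credentials).
write_sample_accounts() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:hidden:/tmp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$1$salt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
EOF
}

# Stand-alone demo on the sample tree.
d=$(mktemp -d); write_sample_accounts "$d"; account_review "$d"; rm -rf "$d"
```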

Command History Auditing

Examine each user's .bash_history to see the commands they executed. To make the history more useful as evidence, increase its size and record the timestamp and source IP with every entry (add the following to /etc/profile):

# Increase the number of history entries kept per user
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
# Record the source IP of the current session (falls back to the hostname for local logins)
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
  USER_IP=$(hostname)
fi
# Prefix each history entry with date, time, source IP and user name
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
# Append to the history file instead of overwriting it, and write after every command
shopt -s histappend
export PROMPT_COMMAND="history -a"
# Re-read the profile so the settings take effect in the current shell
source /etc/profile

Clear in‑memory history (does not delete the file):

history -c

Manually delete the persisted history file if needed:

rm -f ~/.bash_history

Port and Process Inspection

Show listening ports and associated processes:

netstat -antlp | more

Find a process by PID and view its executable path:

ps aux | grep 6666        # locate the process by the PID or name seen in the netstat output
ls -l /proc/$PID/exe      # symlink to the running binary; a "(deleted)" suffix means it was removed from disk

List open files for a process:

lsof -p 6071

List files opened by a service name (e.g., sshd):

lsof -c sshd

List files opened on a specific port (e.g., 22):

lsof -i :22

Show process start time:

ps -p 6071 -o lstart

Terminate a rogue process:

kill -9 6071

Startup Script and Runlevel Review

Runlevels range from 0 to 6; query the current one with:

runlevel

Common startup script locations:

/etc/rc.local
/etc/rc.d/rc[0-6].d

Adding a custom script to startup:

Place executable script in /etc/rc.local before the exit 0 line.

Or use update-rc.d to create symlinks in /etc/rc.d/rc*.d with a desired order number (0‑99).

# Example: link a planted binary into /etc/init.d and enable it with sequence number 99
ln -s /home/b4yi/kali-6666.elf /etc/init.d/backdoor
sudo update-rc.d backdoor defaults 99

Cron Job Auditing

Key cron locations to inspect for malicious scripts:

crontab -l                       # current user's crontab
/var/spool/cron/crontabs/root    # root's crontab
/etc/crontab                     # system‑wide crontab (root‑only editable)
/etc/cron.d/
/etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, /etc/cron.monthly/

# View all files in a cron directory
more /etc/cron.daily/*

File Search Techniques

Search by name, size, or timestamps:

# By name (wildcards allowed)
find / -name "a.Test"
# By size greater than 1000M
find / -size +1000M
# Files modified within the last day
find / -mtime -1 -ls | more
# Files older than 50 days
find . -mtime +50 -ls

Search by owner or group:

# Files owned by root
find . -user root -type f
# Files without an owner
find . -nouser

System Log Examination

Log directory: /var/log/. Important logs include:

secure – authentication and authorization events
history – command history
wtmp – all login/logout events
lastlog – last login time per user
cron – cron‑related activity
messages – general system messages and errors

Example log analysis commands:

# Find IPs attempting root password brute‑force
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
# Find successful login IPs
grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
# Identify useradd events
grep "useradd" /var/log/secure
# Identify userdel events
grep "userdel" /var/log/secure
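An added example, not part of the original article, that summarises sshd events from a secure‑style log. It locates the word "from" instead of relying on field 11, which shifts on "Failed password for invalid user NAME from IP" lines, and it correlates sources that failed repeatedly and were later accepted; the log path, sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise sshd events in
# a secure/auth.log-style file. The page's awk '{print $11}' reads the wrong
# field for "Failed password for invalid user NAME from IP" lines, so these
# functions locate the word "from" and read the IP after it. Sample is constructed.

# Failed-password attempts per source IP, most active first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful logins as "user method ip" (method is password or publickey).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i-1), $(i-3), $(i+1)
        }' "$1"
}

# The correlation worth acting on: a source that failed repeatedly and was
# later accepted. Single pass over the file, so log order is preserved.
success_after_failure() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && failed[$(i+1)])
                    print $(i+1), "accepted as", $(i-1), "after", failed[$(i+1)], "failures"
        }' "$1"
}

# Constructed sample (documentation-range IPs, placeholder key fingerprint).
write_sample_secure() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Mar  3 10:03:40 host sshd[1222]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 10:05:00 host sshd[1230]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:06:00 host useradd[1300]: new user: name=svc, UID=1001, GID=1001, home=/home/svc, shell=/bin/bash
EOF
}

# Stand-alone demo; use /var/log/secure instead of the sample on a live host.
f=$(mktemp); write_sample_secure "$f"
failed_by_ip "$f"; accepted_logins "$f"; success_after_failure "$f"; rm -f "$f"
```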

Additional Resources

Open‑source Linux security scanning scripts:

GScan

security_check

linux

Written by

MaGe Linux Operations