Master Linux Auditing: Essential Commands and Log Analysis Techniques
This guide explains essential Linux audit commands, log‑viewing techniques, user and process inspection methods, and additional checks such as file integrity, network monitoring, cron jobs, and backdoor detection, providing a comprehensive toolkit for system security and operations.
0x00 Audit Commands
Linux ships five commands that read the login accounting records:
last: displays successful logins, shutdowns and reboots by formatting /var/log/wtmp.
lastb: shows failed login attempts by formatting /var/log/btmp (readable by root only).
lastlog: shows the most recent login of every user from /var/log/lastlog.
who: displays currently logged-in users from /var/run/utmp (usually /run/utmp on current systems).
w: like who, but also prints each session's idle time and current command, plus the system uptime and load averages.
Caveat: wtmp, btmp and utmp are plain binary files owned by root. An intruder who gains root can truncate them or edit individual records, so corroborate what they show with the sshd and PAM messages in the syslog files (see 0x01) and, wherever possible, with a copy forwarded to a remote log host.
Usage (from the manual pages):
last [-R] [-num] [-n num] [-adFiowx] [-f file] [-t YYYYMMDDHHMMSS] [name...] [tty ...]
lastb [-R] [-num] [-n num] [-f file] [-adFiowx] [name...] [tty ...]
who [OPTION]... [FILE | ARG1 ARG2]
Common invocations:
last with no options lists logins and reboots, newest first; last -F prints full login and logout timestamps instead of the abbreviated ones.
last -x adds the shutdown and runlevel-change records, the quickest way to spot an unexplained reboot.
last -d translates the stored IP address of each remote login back into a hostname; last -i prints the raw IP instead, which is what you want when correlating with firewall logs; last -a moves the host column to the end so long hostnames are not truncated.
last root narrows the listing to one account, last -t YYYYMMDDHHMMSS shows who was logged in at a point in time, and last -f /var/log/wtmp.1 reads a rotated file.
Show failed login attempts: lastb (as root). Many failures against one account from one host is a brute force; the same host cycling through many accounts is a password spray.
View current login status: who, or w to also see what each session is running.
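The aggregation step that turns lastb output into something actionable, as an added example that is not part of the original article. SAMPLE_LASTB is constructed sample output in lastb's layout (user, tty, host, timestamp); on a live host pipe in `lastb` or `lastb -f /var/log/btmp.1` instead. The host names and addresses are made up.

```sh
#!/bin/sh
# Added example: summarise failed logins per source host from lastb-format
# records. SAMPLE_LASTB is constructed sample data in lastb's layout; replace
# it with real `lastb` output on a live system.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Mon Mar  4 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Mon Mar  4 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.5      Mon Mar  4 10:02 - 10:02  (00:00)
oracle   ssh:notty    198.51.100.7     Mon Mar  4 11:15 - 11:15  (00:00)
root     ssh:notty    203.0.113.5      Mon Mar  4 10:02 - 10:02  (00:00)
bob      tty1                          Mon Mar  4 12:00 - 12:00  (00:00)

btmp begins Mon Mar  4 09:00:00 2024'

# failed_logins_by_host: reads lastb output on stdin and prints one line per
# source host: "<failed attempts> <host> <distinct usernames tried>", most
# attempts first. Console logins have no host column, so when the third
# field is a weekday name the record is attributed to "local".
failed_logins_by_host() {
    awk '
        NF == 0 || $1 == "btmp" { next }          # skip blank lines and the footer
        {
            host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            attempts[host]++
            if (!((host, $1) in seen)) { seen[host, $1] = 1; users[host]++ }
        }
        END { for (h in attempts) printf "%d %s %d\n", attempts[h], h, users[h] }
    ' | LC_ALL=C sort -k1,1rn -k2,2
}

# flag_bruteforce THRESHOLD: prints remote hosts with at least THRESHOLD
# failures. Many distinct users from one host points at password spraying;
# many attempts against one user points at a straight brute force.
flag_bruteforce() {
    failed_logins_by_host | awk -v t="$1" '$1 >= t && $2 != "local" { print $2 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LASTB" | failed_logins_by_host
printf '%s\n' "$SAMPLE_LASTB" | flag_bruteforce 3
```

The distinct-user column is the cheap way to tell spraying from brute forcing before you open the btmp file itself; the threshold is a policy choice, not a magic number.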
0x01 Log Viewing
Linux has three traditional log subsystems:
Connection-time logs: /var/log/wtmp and /var/run/utmp, written by login, sshd and the other programs that open sessions; they record who logged in, from where, and when (these are the files the 0x00 commands read).
Process accounting: when the psacct/acct service is enabled, the kernel appends a record for every process that terminates to the pacct file (/var/account/pacct on Red Hat-family systems, /var/log/account/pacct on Debian-family); lastcomm and sa read it. It is off by default, so enable it before an incident if you want a command history that does not depend on shell history files.
System logs: syslogd (today rsyslog, or journald on systemd systems) collects messages from daemons, user programs and the kernel. Network services such as HTTP and FTP servers also keep their own detailed logs under /var/log.
Log directory: /var/log (default).
View the general system log: less /var/log/messages (Red Hat-family) or less /var/log/syslog (Debian-family); on systemd hosts journalctl -b shows the current boot and journalctl -u sshd a single service.
View authentication events (sshd, sudo, su, PAM): /var/log/secure (Red Hat-family) or /var/log/auth.log (Debian-family). Service-specific logs follow the same pattern, e.g. less /var/log/maillog for mail.
Prefer less, tail -f and grep over cat for these files: they are large, and a plain cat of a log an attacker can write to will push any terminal escape sequences it contains straight to your screen.
0x02 User Inspection
Linux stores account information in /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow; the files ending in "-" (/etc/passwd-, /etc/shadow-, /etc/group-) are the backup copies the shadow tools write before each change, so diffing a file against its "-" twin shows the most recent edit.
Things to check (note that passwd -d username removes a user's password entirely, which is why the empty-password check below matters):
less /etc/passwd : look for accounts you did not create and for look-alike names (toor, sysadm, ...).
grep ':0:' /etc/passwd : quick search for UID/GID 0 entries; this also matches a primary GID of 0 in the fourth field, so confirm with the awk line below.
ls -l /etc/passwd /etc/shadow /etc/group : modification times; compare them with the last known administrative change.
awk -F: '$3==0 {print $1}' /etc/passwd : list every account with UID 0. Only root should appear.
awk -F: 'length($2)==0 {print $1}' /etc/shadow : accounts with an empty password field, meaning no password is required at all (a locked account shows * or ! instead).
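The same checks as functions over stdin, so they can be exercised on constructed data before being pointed at the real files; this is an added example, not code from the original article. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed file contents with three planted findings (a second UID-0 account "toor", an empty password field for alice, and a service account with a real shell); the hash values are placeholders.

```sh
#!/bin/sh
# Added example: account audit over constructed /etc/passwd and /etc/shadow
# contents. Nothing here is taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh'

SAMPLE_SHADOW='root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
alice::19700:0:99999:7:::
toor:$6$salt2$hash2:19700:0:99999:7:::
backup:!:19700:0:99999:7:::'

# uid0_accounts: every account whose numeric UID is 0; all of them are root,
# whatever the name. Reads passwd-format lines on stdin.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# empty_password_accounts: shadow entries whose hash field is empty, i.e.
# login with no password at all (what `passwd -d user` produces). "*" and "!"
# mark locked accounts and are not reported.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# duplicate_uids: UIDs shared by more than one account, as "uid: name name".
# A second UID-0 account is the classic planted backdoor.
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' | LC_ALL=C sort
}

# system_accounts_with_shell: service accounts (UID 1..999) that have a real
# login shell instead of nologin/false. These should be rare and explainable.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Demonstration on the constructed data. On a live host use the real files,
# e.g. `uid0_accounts < /etc/passwd` and, as root, `empty_password_accounts < /etc/shadow`.
echo "UID 0 accounts:";            printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "Empty passwords:";           printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
echo "Duplicate UIDs:";            printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids
echo "Service accounts w/ shell:"; printf '%s\n' "$SAMPLE_PASSWD" | system_accounts_with_shell
```

The UID-1..999 boundary follows the common UID_MIN=1000 convention; check /etc/login.defs on the host if it uses a different split between system and human accounts.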
0x03 Process Inspection
Standard process view using ps (see man ps).
ps aux : list all processes with owner, CPU, memory and start time (BSD form; ps -ef is the equivalent System V form).
lsof -p pid : show the files, libraries and sockets a process has open. An executable shown as "(deleted)" means the process is running from a binary that has since been removed from disk, a common rootkit and cryptominer trait.
Check for hidden processes by comparing what ps reports with what /proc contains (three steps):
ps -ef | awk 'NR>1 {print $2}' | sort -n | uniq > 1
ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > 2
diff 1 2
The awk prints the PID column and skips the header; the grep keeps only the numeric entries of /proc, which are the process directories. A PID present in 2 but not in 1 is either a process that started between the two commands (rerun to confirm) or one that ps cannot see. Since ps itself reads /proc, a rootkit that filters the /proc directory listing hides from both commands; in that case probe the PID directories directly (test -d /proc/N for each N up to /proc/sys/kernel/pid_max) or run a dedicated tool such as unhide.
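The comparison above, as an added example (not from the original article) with two things the three-command version lacks: ps is sampled before and after the /proc listing so processes that start or exit during the check are not reported, and a direct probe of PID directories for the case where the /proc listing itself is being filtered. hidden_pids is a pure function over two lists so it can be tested on constructed input; check_hidden_live and brute_force_pids are the live wrappers and brute_force_pids takes minutes when pid_max is the modern default of 4194304.

```sh
#!/bin/sh
# Added example: hidden-process check built on the ps-versus-/proc idea.

# PIDs as ps reports them (-e lists every process, pid= suppresses the header).
ps_pids() { ps -eo pid= | tr -d ' '; }

# PIDs that appear in a /proc directory listing (numeric entries only).
proc_pids() { ls /proc | grep -E '^[0-9]+$'; }

# hidden_pids "SEEN_LIST" "PROC_LIST": prints the entries of PROC_LIST
# (newline separated) that do not occur in SEEN_LIST. Non-numeric lines are
# dropped; comm needs both sides sorted in the same (C) collation.
hidden_pids() {
    seen=$(mktemp); procs=$(mktemp)
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | LC_ALL=C sort -u > "$seen"
    printf '%s\n' "$2" | grep -E '^[0-9]+$' | LC_ALL=C sort -u > "$procs"
    LC_ALL=C comm -13 "$seen" "$procs"
    rm -f "$seen" "$procs"
}

# check_hidden_live: a PID present in /proc that neither ps sample saw.
# PIDs that turn up in only one ps sample are just processes starting or
# exiting during the check, which is the race the naive diff reports.
check_hidden_live() {
    before=$(ps_pids)
    listing=$(proc_pids)
    after=$(ps_pids)
    hidden_pids "$(printf '%s\n%s\n' "$before" "$after")" "$listing"
}

# brute_force_pids: ps and ls both depend on readdir() over /proc, which is
# exactly what LD_PRELOAD rootkits and hiding kernel modules hook. Probing
# each candidate directory directly bypasses the listing: a PID whose
# directory exists but is absent from the listing is being hidden.
brute_force_pids() {
    max=$(cat /proc/sys/kernel/pid_max)
    listing=$(proc_pids)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ]; then
            printf '%s\n' "$listing" | grep -qx "$pid" || printf 'hidden: %s\n' "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Demonstration: the live check prints nothing on a clean host.
echo "PIDs in /proc that ps cannot see:"
check_hidden_live
```

Even the brute-force probe can be defeated by a kernel rootkit that hooks path lookup as well as readdir; at that point the answer is a comparison from outside the box (memory image, or a known-good boot medium), not another command on the same kernel.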
0x04 Other Checks
File checks:
find / -uid 0 -print : files owned by root, which on a real system is most of the filesystem; the useful variant is find / -xdev -type f -perm -4000 -uid 0 -print, which lists root-owned setuid binaries, where an unexpected entry is a classic privilege-escalation backdoor.
find / -size +10000k -print : files larger than roughly 10 MB (10000 KiB); large unexpected files in /tmp, /dev/shm or home directories are often staged loot or tool archives.
find / -name "..." -print (likewise -name ". ") : directories given names that blend into an ls listing, a common hiding place for attacker tooling.
find / -name core -exec ls -l {} \; : locate core dumps, which can hold the memory of a crashed exploit.
md5sum -b filename : compute a file checksum; prefer sha256sum, since MD5 collisions are cheap to produce, and compare against a baseline taken before the incident rather than against nothing.
rpm -qf /bin/ls only names the package that owns a file; to verify the file against what the package shipped use rpm -Vf /bin/ls (no output means it matches) or rpm -Va for everything. On Debian-family systems dpkg -S names the owner and dpkg --verify or debsums does the comparison.
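A baseline-and-compare routine for the checksum step above, as an added example (not from the original article): it records a SHA-256 per file for a directory tree and later reports modified, missing and new files, which is what the single md5sum line leaves to the reader. The demonstration tree is constructed in a temporary directory; verify_owner_package is the package-manager alternative and assumes rpm or dpkg is installed.

```sh
#!/bin/sh
# Added example: file-integrity baseline with sha256sum. Keep the baseline
# file outside the tree and off-host (or on read-only media): an intruder
# with root can simply regenerate it.

# make_baseline DIR OUTFILE: one "sha256  ./relative/path" line per regular file.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# verify_baseline DIR BASELINE: prints "MISSING path", "MODIFIED path" and
# "NEW path" lines (sorted); no output means the tree matches the baseline.
# sha256sum output is "<64 hex chars><2 spaces><path>", so the path is taken
# by offset rather than by field splitting and may contain spaces.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { new[path] = hash }
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) if (!(p in old)) print "NEW " p
                           else if (new[p] != old[p]) print "MODIFIED " p
        }' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# verify_owner_package FILE: ask the package manager whether FILE still
# matches what its package shipped. rpm -qf / dpkg -S only name the owner;
# rpm -V and dpkg --verify do the comparison. Silence means "matches".
verify_owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg --verify "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "neither rpm nor dpkg found" >&2
        return 1
    fi
}

# Demonstration on a constructed temporary tree: baseline, tamper, compare.
demo=$(mktemp -d); base=$(mktemp)
printf 'alpha\n' > "$demo/a.txt"; mkdir "$demo/sub"; printf 'beta\n' > "$demo/sub/b.txt"
make_baseline "$demo" "$base"
printf 'tampered\n' > "$demo/a.txt"; rm "$demo/sub/b.txt"; printf 'x\n' > "$demo/c.txt"
verify_baseline "$demo" "$base"
rm -rf "$demo" "$base"
```

A checksum baseline catches content changes only; pair it with ls -l --time-style=full-iso or stat to notice permission, owner and timestamp changes, and remember that an attacker with root can reset mtimes with touch -r.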
Network checks:
ip link | grep PROMISC : an interface in promiscuous mode may indicate a sniffer (ip -d link also shows a per-interface promiscuity count).
lsof -i : list every open network socket together with its owning process.
netstat -nap : view listening ports and the processes behind them; where netstat is no longer installed use ss -tulnp. Anything listening that you cannot map to a known service, and any established outbound connection from a service that has no business talking out, deserves a look.
arp -a (or ip neigh) : display the ARP table; one MAC address answering for several IPs can indicate ARP spoofing on the local segment.
Scheduled tasks:
crontab -u root -l : list root's cron jobs; repeat for every account (for u in $(cut -d: -f1 /etc/passwd); do crontab -u "$u" -l 2>/dev/null; done).
cat /etc/crontab and ls -l /etc/cron.d : the system crontab and its drop-in jobs.
ls -l /etc/cron.* : the hourly/daily/weekly/monthly directories; also check /etc/anacrontab and pending at jobs (atq).
ls /var/spool/cron/ (Red Hat-family) or /var/spool/cron/crontabs/ (Debian-family) : the per-user crontab files themselves.
systemctl list-timers --all : systemd timers, which a crontab-only review misses.
Backdoor inspection (without external tools): check the cron jobs and timers above; examine ~/.ssh/authorized_keys for every account (root and any service account with a home directory included), looking for keys you cannot attribute to a person and for from=/command= options; list kernel modules with lsmod and compare with /proc/modules; list enabled services via chkconfig --list or systemctl list-unit-files --type=service and look at recently added unit files in /etc/systemd/system; look for unexplained listening ports and for shells whose parent is a network daemon (ps -ef --forest); review startup scripts in /etc/rc.d, /etc/rc3.d and /etc/rc.local; and check /etc/ld.so.preload, which is empty or absent on a clean system and is the standard injection point for userland rootkits.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.