Linux Account Security Checklist: Detect Intrusions & Harden Your System

This guide details how to examine Linux user and shadow files, monitor login activity, investigate suspicious processes, review startup scripts, audit cron jobs, search for altered files, and analyze system logs to detect and mitigate potential intrusions.


Account Security

Key user information file: /etc/passwd, one line per account in the format account:password:UID:GID:GECOS:directory:shell. The password field is normally just x, meaning the hash lives in /etc/shadow; the UID, not the name, is what the kernel uses for access decisions.

# Format example
# username:password:UID:GID:GECOS:home:shell
root:x:0:0:root:/root:/bin/bash

View login-enabled users:

# Show accounts with an interactive login shell (anything other than nologin/false, not only /bin/bash)
awk -F: '$7 !~ /(nologin|false)$/ {print $1, $7}' /etc/passwd
# Show UID=0 accounts: any account with UID 0 is root, whatever it is called
awk -F: '$3==0{print $1}' /etc/passwd
# Show sudo rules granting ALL (requires root; /etc/sudoers.d/ is included by most distributions)
grep -hv '^#\|^$' /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep 'ALL=(ALL'

The shadow file (/etc/shadow, readable only by root) stores password hashes, not encrypted passwords, plus the aging fields: name:hash:last-change:min:max:warn:inactive:expire:reserved. The hash prefix names the algorithm ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt). A hash field of * or ! (or a ! prefix) means password login is not possible; an empty field means no password is required at all.

# Example entry: SHA-512 hash, last changed on day 16809 since 1970-01-01, min age 0, max age 99999, warn 7 days
root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

Check current logged‑in users and session duration:

who        # list all logged‑in users (local tty and remote pts)
w          # show logged‑in users and their running commands
uptime     # show system uptime, load and number of users

Investigate login records with last (reads /var/log/wtmp) and lastb (failed logins, reads /var/log/btmp). Intruders routinely delete or truncate these files to cover their tracks, so a missing or suspiciously short wtmp is itself a finding. To stop the files being emptied, make them append-only: even root must first run chattr -a, which is a visible, loggable step. Note that logrotate can then no longer rotate them, so adjust its configuration or rotate by hand:

chattr +a /var/log/wtmp /var/log/btmp   # append-only: new records can be added, but the file cannot be truncated or deleted

Sudo rules live in /etc/sudoers and in the files it includes from /etc/sudoers.d/. Edit them only through visudo, which syntax-checks before saving (a broken sudoers locks everyone out of sudo), and review what a given user may run with sudo -l -U user as root:

/etc/sudoers
/etc/sudoers.d/

Intrusion Investigation

Query privileged (UID 0) accounts and remote‑login capable accounts:

# Privileged users
awk -F: '$3==0{print $1}' /etc/passwd
# Accounts that can still authenticate with a password: hash present and not locked
# (the original one-liner lacked -F:, so it printed whole lines instead of names)
awk -F: '$2 != "" && $2 !~ /^[!*]/ {print $1}' /etc/shadow
# Accounts with an empty password field: no password needed at all
awk -F: '$2 == "" {print $1}' /etc/shadow
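The checks above, collected into one script that runs against sample files rather than the live system, as an added example that is not part of the original article. The passwd and shadow contents are constructed (the hashes are placeholders, the hidden UID-0 account toor and the passwordless guest account are the planted findings); point the functions at /etc/passwd and /etc/shadow as root to audit a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit passwd/shadow content for the
# conditions the checklist looks for. Runs against the constructed samples below;
# pass /etc/passwd and /etc/shadow (as root) for a real audit.

TMP=$(mktemp -d)

# Constructed sample: a second UID-0 account (toor), a service account given a
# shell (www-data), a passwordless account (guest), alongside normal entries.
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
EOF
# Hash strings are placeholders, not real hashes.
cat > "$TMP/shadow" <<'EOF'
root:$6$oGs1PqhL2p3ZetrE$placeholderhash:16809:0:99999:7:::
daemon:*:16809:0:99999:7:::
www-data:*:16809:0:99999:7:::
alice:!$6$abc$lockedplaceholder:16809:0:99999:7:::
toor:$6$xyz$anotherplaceholder:16809:0:99999:7:::
guest::16809:0:99999:7:::
EOF

# Every account with UID 0: each of these is root, whatever it is called.
uid0_accounts() { awk -F: '$3 == 0 {print $1}' "$1"; }

# Accounts whose login shell is interactive (not nologin/false).
shell_accounts() { awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "$1"; }

# Accounts that can still authenticate with a password: a hash is present and it
# is not locked. Empty, '*' and '!'-prefixed fields cannot be used to log in.
password_accounts() { awk -F: '$2 != "" && $2 !~ /^[!*]/ {print $1}' "$1"; }

# Accounts with an empty password field: no password needed at all.
empty_password_accounts() { awk -F: '$2 == "" {print $1}' "$1"; }

# Interactive-shell accounts not on the expected list: these need an explanation.
unexpected_shell_accounts() {   # $1 passwd file, $2 space-separated allow-list
    shell_accounts "$1" | while read -r name; do
        case " $2 " in *" $name "*) ;; *) echo "$name" ;; esac
    done
}

uid0_accounts "$TMP/passwd"                            # root toor
password_accounts "$TMP/shadow"                        # root toor
empty_password_accounts "$TMP/shadow"                  # guest
unexpected_shell_accounts "$TMP/passwd" "root alice"   # www-data toor guest
```

Run the four functions in sequence and reconcile every name they print against the accounts you created on purpose; on a real host, toor-style extra UID-0 entries and service accounts with a shell are the usual tells.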

Disable or delete suspicious accounts:

# Lock the account: prepends '!' to the hash in /etc/shadow, which blocks password logins only.
# Adding -e 1 expires the account so SSH-key logins are refused too (per the usermod man page).
usermod -L -e 1 user
# Delete the account but keep its home directory for forensics (stop its processes first: pkill -u user)
userdel user
# Delete the account and its home directory, only once the evidence has been preserved elsewhere
userdel -r user

Review command history via .bash_history in each user's home directory. The file is owned and writable by that user (and by any intruder running as them), so treat it as a lead rather than an audit trail: it can be edited, HISTFILE can be unset, and a leading space hides a command when HISTCONTROL includes ignorespace. Enrich what does get recorded with timestamps, source IP and user name by modifying /etc/profile:

# Increase the number of commands kept per session (RHEL/CentOS ships HISTSIZE=1000 in /etc/profile)
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
# Append the following to /etc/profile. The remote host is the parenthesised part of
# "who am i"; it is empty for a local console, so fall back to the hostname.
USER_IP=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
if [ "$USER_IP" = "" ]; then USER_IP=$(hostname); fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
shopt -s histappend                 # append to .bash_history instead of overwriting it at logout
export PROMPT_COMMAND="history -a"  # flush each command to disk immediately, not only at logout
# Then reload the profile in the current shell
source /etc/profile

Clearing history: history -c empties only the in-memory list of the running shell; whatever was already written to the file stays there, which is why an intruder's earlier commands are often still on disk:

history -c
# Entries already flushed to disk must be removed from ~/.bash_history by hand

Port and Process Inspection

# Show listening ports and associated processes (netstat is deprecated on modern distros; ss -antlp gives the same view)
netstat -antlp | more
# Search the process list for a suspicious string, e.g. the port or file name seen in netstat output
ps aux | grep 6666
# Locate the executable of a PID; a "(deleted)" suffix means the binary was removed after start, a classic malware trait
ls -l /proc/$PID/exe   # or file /proc/$PID/exe
# List open files for a PID or service
lsof -p 6071
lsof -c sshd
lsof -i :22
# Show process start time
ps -p 6071 -o lstart
# Kill a rogue process; copy /proc/6071/exe first (this works even if the file on disk is gone) so the sample survives
kill -9 6071
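A scripted version of the exe-link check above, as an added example that is not part of the original article. It walks a /proc-style tree and flags processes whose binary was deleted after start or runs from a world-writable staging directory. The tree below is constructed (PIDs, paths and command lines are made up); pass /proc instead on a live host, as root, since other users' exe links are otherwise unreadable.

```shell
#!/bin/sh
# Added example, not from the original article: flag suspicious processes by reading
# the same /proc/<pid>/exe links as the commands above. The tree is constructed;
# pass /proc (as root) for a real run.

FAKEPROC=$(mktemp -d)
mkproc() {   # $1 pid, $2 exe link target, $3 cmdline
    mkdir -p "$FAKEPROC/$1"
    ln -s "$2" "$FAKEPROC/$1/exe"
    printf '%s' "$3" > "$FAKEPROC/$1/cmdline"
}
mkproc 1    /usr/lib/systemd/systemd       systemd
mkproc 800  /usr/sbin/sshd                 "sshd: /usr/sbin/sshd -D"
mkproc 6071 /tmp/.x/kali-6666.elf          /tmp/.x/kali-6666.elf
mkproc 6072 "/usr/bin/python3 (deleted)"   "python3 /tmp/.x/rs.py"   # binary unlinked after exec
mkproc 6073 /dev/shm/miner                 "./miner -o pool"

# Print "pid reason exe" for every process that matches a red flag:
#   deleted-binary  the exe link ends in " (deleted)": the file was removed after
#                   start, as droppers do; cp /proc/<pid>/exe still recovers it
#   tmp-dir         the executable lives in a world-writable staging directory
suspicious_processes() {   # $1 proc root
    for d in "$1"/[0-9]*; do
        [ -L "$d/exe" ] || continue
        exe=$(readlink "$d/exe") || continue
        pid=${d##*/}
        case "$exe" in
            *" (deleted)")                  echo "$pid deleted-binary $exe" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)   echo "$pid tmp-dir $exe" ;;
        esac
    done
}

suspicious_processes "$FAKEPROC"
# 6071 tmp-dir /tmp/.x/kali-6666.elf
# 6072 deleted-binary /usr/bin/python3 (deleted)
# 6073 tmp-dir /dev/shm/miner
```

For each hit, collect /proc/<pid>/cmdline, cwd, environ and the copied exe before killing anything; the start time from ps -o lstart then tells you how long the foothold has existed.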

Startup Scripts and Runlevels

Runlevel meanings (0-6) on SysV/RHEL-style systems: 0 halt, 1 single-user (maintenance, no networking), 2 multi-user without NFS, 3 full multi-user text mode, 4 unused, 5 multi-user with graphical login, 6 reboot. Debian treats 2 to 5 identically. On systemd distributions runlevels are compatibility aliases for targets (3 = multi-user.target, 5 = graphical.target), and boot-time persistence is at least as likely to sit in a unit file as in rc.d, so also review systemctl list-unit-files --state=enabled.

runlevel

Startup configuration files:

/etc/rc.local            # run once at the end of boot (under systemd only if rc-local.service is enabled)
/etc/rc.d/rc[0-6].d      # S*/K* symlinks into /etc/init.d (RHEL; Debian uses /etc/rc[0-6].d)

Two ways to add scripts, both of which an intruder can use for persistence:

Add commands before the final exit 0 in /etc/rc.local and make the file executable.

Drop a script (or a symlink to a binary) into /etc/init.d and register it with update-rc.d (Debian/Ubuntu) or chkconfig (RHEL/CentOS), which creates the S/K links in rc*.d.

# Example: how an attacker registers a backdoor binary to start at boot.
# Note that the init.d entry is only a symlink into a user's home directory: that is the tell to look for.
ln -s /home/b4yi/kali-6666.elf /etc/init.d/backdoor
sudo update-rc.d backdoor defaults 99

Cron Job Investigation

Common cron locations:

/etc/crontab            # system crontab with an extra user field; editable by root only
/var/spool/cron/        # per-user crontabs (RHEL; Debian uses /var/spool/cron/crontabs/)
/etc/cron.d/            # drop-in files in /etc/crontab format
/etc/cron.hourly/      /etc/cron.daily/      /etc/cron.weekly/      /etc/cron.monthly/   # scripts run by run-parts

Review every user's crontab (root can read others with -u), and remove one only after saving a copy, because crontab -r deletes the whole table without asking:

crontab -l            # list the current user's jobs
crontab -l -u user    # list another user's jobs (root)
crontab -r            # remove the current user's table entirely

File Change Detection

Search by name, size or timestamps. When hunting for tampering prefer ctime (-ctime, the inode change time) over mtime: mtime is trivially reset with touch -d, whereas ctime is updated by the kernel on any change and cannot be set directly from user space.

# By name (wildcards allowed)
find / -name a.Test
# By size >1000M
find / -size +1000M
# Files modified within the last day
find / -mtime -1 -ls | more
# Files older than 50 days
find ./ -mtime +50 -ls
# By owner or group
find ./ -user root -type f
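Timestamp searches only catch an intruder who did not bother to forge timestamps. The script below, an added example that is not part of the original article, keeps a hash baseline of a directory and reports added, modified and removed files by content, then shows on the same constructed tree why -mtime misses a trojaned binary whose mtime was reset while -ctime still finds it. The directory and its files are constructed; for real use point make_baseline at /usr/bin or /etc and store the baseline off the host.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal integrity baseline so that
# changes are found by content hash rather than by trusting timestamps. Runs against
# the constructed directory below.

WATCH=$(mktemp -d)
printf 'PermitRootLogin no\n' > "$WATCH/sshd_config"
printf '#!/bin/sh\necho ok\n' > "$WATCH/ls"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WATCH/passwd"

# Record "sha256  path" for every regular file under $1 into baseline file $2.
make_baseline() {   # $1 dir, $2 baseline file
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$2"
}

# Compare the tree against a baseline; one line per difference, sorted:
#   ADDED    path   not in the baseline
#   MODIFIED path   content hash changed (mtime plays no part)
#   REMOVED  path   in the baseline, now missing
# sha256sum separates hash and path with two spaces, hence the field separator.
check_baseline() {   # $1 dir, $2 baseline file
    now=$(mktemp)
    make_baseline "$1" "$now"
    awk -F'  ' 'NR == FNR { old[$2] = $1; next }
        { if (!($2 in old)) print "ADDED    " $2
          else if (old[$2] != $1) print "MODIFIED " $2
          seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }' "$2" "$now" | sort
    rm -f "$now"
}

# The timestamp searches from the article, for comparison with the hash check.
recently_modified() { find "$1" -type f -mtime -1; }   # mtime: what touch can forge
changed_inodes()    { find "$1" -type f -ctime -1; }   # ctime: set by the kernel only

make_baseline "$WATCH" "$WATCH.baseline"
check_baseline "$WATCH" "$WATCH.baseline"   # prints nothing: nothing has changed yet

# Simulate tampering: trojan a binary and forge its old mtime, append a UID-0
# account, plant a hidden file, remove a config file.
printf '#!/bin/sh\n/dev/shm/.x &\nexec /bin/ls "$@"\n' > "$WATCH/ls"
touch -d '2016-01-09 00:00:00' "$WATCH/ls"
printf 'toor:x:0:0::/root:/bin/sh\n' >> "$WATCH/passwd"
: > "$WATCH/.hidden"
rm "$WATCH/sshd_config"

check_baseline "$WATCH" "$WATCH.baseline"
# ADDED    <dir>/.hidden
# MODIFIED <dir>/ls
# MODIFIED <dir>/passwd
# REMOVED  <dir>/sshd_config
recently_modified "$WATCH"   # .hidden and passwd only: the forged mtime hides ls
changed_inodes "$WATCH"      # .hidden, passwd and ls: ctime is not forged by touch
```

This is the idea behind AIDE and rpm -Va / debsums, without their databases: the baseline is only trustworthy if it was taken before the compromise and stored where the intruder cannot rewrite it.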

System Log Review

Log directory: /var/log/. Essential logs include secure (authentication and sudo events on RHEL/CentOS; auth.log on Debian/Ubuntu), messages (general syslog; syslog on Debian), cron, wtmp and btmp (binary login and failed-login records read by last and lastb) and lastlog. The live session table utmp lives in /run/utmp, and shell history is per user in ~/.bash_history, not under /var/log.

Typical analysis commands (shown for /var/log/secure; substitute /var/log/auth.log on Debian-based systems):

# Identify IPs attempting root brute-force. The IP is the word after "from", which is
# field 11 for "root" but shifts right for "invalid user <name>" lines
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
# List successful logins by source IP
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
# Show useradd and userdel events (new accounts created with UID=0 are the ones to chase)
grep "useradd" /var/log/secure
grep "userdel" /var/log/secure
# Show sudo usage: sudo logs every command to the same facility. (sudo -l only lists
# the current user's permitted commands; it is not a usage log)
grep "sudo:.*COMMAND" /var/log/secure
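The fixed-column awk above breaks as soon as the user form changes. The script below, an added example that is not part of the original article, extracts the source IP as the word following "from" instead, counts failures and successes per address, and joins the two to surface the brute-force-then-success pattern that matters most. The log lines are constructed (hostnames, PIDs and the documentation-range IPs 203.0.113.5, 198.51.100.7 and 192.0.2.10 are made up); replace the heredoc with /var/log/secure or /var/log/auth.log on a real host.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sshd authentication
# events without relying on fixed field positions. Log lines are constructed.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan  9 10:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan  9 10:01:04 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan  9 10:01:09 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Jan  9 10:02:15 web1 sshd[2220]: Failed password for invalid user oracle from 198.51.100.7 port 5012 ssh2
Jan  9 10:05:41 web1 sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:abc
Jan  9 10:07:03 web1 sshd[2240]: Accepted password for root from 203.0.113.5 port 41100 ssh2
Jan  9 10:07:10 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /etc/shadow
Jan  9 10:08:00 web1 useradd[2255]: new user: name=sysupd, UID=0, GID=0, home=/root, shell=/bin/bash
Jan  9 10:08:30 web1 sshd[2260]: Accepted password for sysupd from 203.0.113.5 port 41120 ssh2
EOF

# Print "count ip", highest first, for lines matching pattern $2 in log $1.
# The IP is taken as the word after "from", so "root" and "invalid user X" both work.
from_ips() {   # $1 log, $2 extended regex
    grep -E "$2" "$1" | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

failed_by_ip()   { from_ips "$1" 'sshd\[[0-9]+\]: Failed password'; }
accepted_by_ip() { from_ips "$1" 'sshd\[[0-9]+\]: Accepted '; }

# IPs with at least $2 failures that later logged in successfully.
brute_force_successes() {   # $1 log, $2 failure threshold
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}' | while read -r ip; do
        accepted_by_ip "$1" | awk -v ip="$ip" '$2 == ip {print ip}'
    done
}

# Account-management and sudo events land in the same log; list them together.
account_events() { grep -E 'useradd|userdel|usermod|sudo:' "$1" || true; }

failed_by_ip "$LOG"              # 3 203.0.113.5 / 1 198.51.100.7
accepted_by_ip "$LOG"            # 2 203.0.113.5 / 1 192.0.2.10
brute_force_successes "$LOG" 3   # 203.0.113.5
account_events "$LOG"            # the sudo line and the UID=0 useradd line
```

In the sample, the address that failed three times then logged in as root and, minutes later, as a freshly created UID-0 account: that sequence, not the failure count on its own, is what to escalate.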

Additional Resources

Linux security scanning scripts:

GScan

security_check

linux

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, account security, intrusion detection, System Hardening
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
