Users and Groups

User Account and Group Analysis in Incident Response (Linux Systems)

When investigating a potential compromise on a Linux system, analyzing user accounts and group memberships is essential for detecting unauthorized access, privilege escalation, and persistence mechanisms. Below is a systematic approach to investigating and remediating compromised user accounts.


Critical Files for User and Group Management

  1. /etc/passwd:

    • Purpose: Contains basic user account information; the file is world-readable.

    • Fields:

      • Username: e.g., root.

      • Password placeholder (x): Indicates that the password hash is stored in /etc/shadow.

      • UID/GID: Numeric user and primary group IDs. UID 0 is root; any other account with UID 0 has full root privileges.

      • Home Directory: User’s home directory.

      • Shell: Login shell (e.g., /bin/bash; /usr/sbin/nologin or /bin/false for accounts that must not log in).

    • Command:

      cat /etc/passwd

  2. /etc/shadow:

    • Purpose: Stores password hashes and password-aging policy; readable only by root.

    • Fields:

      • Hashed Password: e.g., $6$random_salt$hashed_password, where $6$ denotes SHA-512 crypt. A leading ! or * means the password is locked or not set.

      • Password Policy: Last change date, minimum and maximum age, and account expiration.

    • Command:

      cat /etc/shadow

  3. /etc/group:

    • Purpose: Defines groups and their supplementary members.

    • Fields:

      • Group Name: e.g., sudo.

      • GID: Group ID.

      • Members: Comma-separated users that have the group as a supplementary group (a user whose primary GID matches the group appears only in /etc/passwd).

    • Command:

      cat /etc/group

  4. /etc/sudoers:

    • Purpose: Configures sudo privileges. Drop-in files under /etc/sudoers.d/ are included as well and must be reviewed together with the main file.

    • Command:

      cat /etc/sudoers /etc/sudoers.d/*

Steps for Incident Response

1. Detect Suspicious Users

Attackers may create or modify accounts for persistence.

  • List All Users:

    cat /etc/passwd
  • Check for Suspicious Usernames: Look for generic or unexpected names like admin, support, backup.

  • Verify User Shells: Identify accounts with interactive shells (/bin/bash) and flag suspicious ones.

    awk -F: '$NF !~ "nologin|false" {print $1, $NF}' /etc/passwd
  • Identify Recent Changes: Account creation and password changes are written to the auth log (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL-family systems; on journald-only hosts use journalctl).

    grep useradd /var/log/auth.log
    grep passwd /var/log/auth.log

2. Analyze User Permissions

  • Group Memberships: Review privileged groups (sudo, wheel, adm, root) and their members.

    cat /etc/group
  • Sudo Privileges: Check users and groups with sudo access, including drop-in files under /etc/sudoers.d/.

    cat /etc/sudoers /etc/sudoers.d/*
  • Recent Group Modifications:

    grep groupadd /var/log/auth.log
    grep usermod /var/log/auth.log
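As an added example (not part of the original page), the checks from steps 1 and 2 can be scripted so they run identically on every host. The script below applies them to constructed /etc/passwd and /etc/group samples containing two planted findings; the set of groups treated as privileged and the allowlist of approved users are assumptions to adjust per environment.

```sh
#!/bin/sh
# Constructed sample /etc/passwd and /etc/group content (not from a real host).
# Planted findings: a second UID-0 account "support" and "backup" in sudo.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/home/support:/bin/sh'
GROUP_SAMPLE='root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,backup
users:x:100:'

# Accounts with UID 0 whose name is not root (passwd content passed as $1).
rogue_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shell is neither nologin nor false, printed as "user:shell".
# Note the false positive this filter keeps: /bin/sync is not interactive.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$NF !~ /nologin|false/ { print $1 ":" $NF }'
}

# Members of privileged groups (assumed set), one "group:user" per line.
privileged_members() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^(root|sudo|wheel|adm)$/ && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print $1 ":" m[i]
    }'
}

# Privileged-group members missing from a space-separated allowlist of users.
unexpected_privileged() {
    approved=" $2 "
    privileged_members "$1" | while IFS=: read -r grp user; do
        case "$approved" in
            *" $user "*) ;;
            *) printf '%s:%s\n' "$grp" "$user" ;;
        esac
    done
}

echo "UID-0 accounts other than root:";  rogue_uid0 "$PASSWD_SAMPLE"
echo "Accounts with login shells:";      interactive_accounts "$PASSWD_SAMPLE"
echo "Privileged members not approved:"; unexpected_privileged "$GROUP_SAMPLE" "alice syslog"
```

On a live host, pass "$(cat /etc/passwd)" and "$(cat /etc/group)" instead of the sample variables.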

3. Identify Users with SSH Access

  • Valid Login Users:

    awk -F: '$NF !~ "nologin|false" {print $1}' /etc/passwd
  • Review SSH Configuration: Check the AllowUsers and AllowGroups directives. Running sshd -T as root prints the effective configuration, including drop-ins under /etc/ssh/sshd_config.d/.

    grep -Ei 'AllowUsers|AllowGroups' /etc/ssh/sshd_config
    sshd -T | grep -Ei 'allowusers|allowgroups'
  • Active SSH Sessions: List currently logged-in users; remote sessions show the client address in the FROM column. Note that last reports login history, not live sessions.

    w
    ss -tnp state established '( sport = :22 )'

4. Identify Unauthorized Logins

  • Failed Login Attempts: Attempts against non-existent accounts are logged as "Invalid user" rather than "Failed password".

    grep -E "Failed password|Invalid user" /var/log/auth.log
  • Successful Logins: Match both password and key-based authentication; "Accepted password" alone misses logins with SSH keys.

    grep -E "Accepted (password|publickey)" /var/log/auth.log

Eradication and Remediation

1. Remove Malicious Users

Delete unauthorized accounts and their home directories. If the home directory may be needed as evidence, preserve a copy (for example with tar) before deleting it.

userdel -r <username>

2. Remove Unauthorized Group Memberships

Revoke privileged group access.

gpasswd -d <username> <group>

3. Revoke Sudo Privileges

Edit the sudoers file securely:

visudo

Remove unauthorized sudo entries.

4. Change Compromised User Passwords

Force legitimate users to reset their passwords. passwd <username> sets a new password immediately; passwd -e <username> expires the current one so that the user must choose a new password at the next login.

passwd <username>
passwd -e <username>

5. Regenerate SSH Keys

  • Delete Old Keys: Remove the authorized_keys file of each affected account (after saving a copy for the investigation), not only that of the account you are logged in as; any key an attacker planted there grants password-less access.

    rm /home/<username>/.ssh/authorized_keys
  • Generate New Keys: Have the user create a fresh key pair and install only the new public key.

    ssh-keygen

Key Commands

Task                              Command
List all users                    cat /etc/passwd
Check for suspicious usernames    awk -F: '$NF !~ "nologin|false" {print $1, $NF}' /etc/passwd
Review privileged groups          cat /etc/group
List sudo users                   cat /etc/sudoers
Find recent user changes          grep useradd /var/log/auth.log
Failed login attempts             grep "Failed password" /var/log/auth.log
Successful SSH logins             grep -E "Accepted (password|publickey)" /var/log/auth.log

Key Points

By systematically reviewing user accounts, group memberships, and login activity, you can detect and respond to compromised accounts effectively. Regular monitoring and hardening user management practices are essential to prevent unauthorized access and maintain system integrity.
