Users and Groups

User Account and Group Analysis in Incident Response (Linux Systems)

When investigating a potential compromise on a Linux system, analyzing user accounts and group memberships is essential for detecting unauthorized access, privilege escalation, and persistence mechanisms. Below is a systematic approach to investigating and remediating compromised user accounts.

---

Critical Files for User and Group Management

1. /etc/passwd:

   • Purpose: Contains basic user account information.

   • Fields:

     • Username: e.g., root.

     • Password placeholder (x): Points to /etc/shadow.

     • UID/GID: User and group IDs.

     • Home Directory: User’s home directory.

     • Shell: Default shell (e.g., /bin/bash, /bin/false).

   • Command:

     cat /etc/passwd

2. /etc/shadow:

   • Purpose: Stores hashed passwords and password policies.

   • Fields:

     • Encrypted Password: e.g., $6$random_salt$hashed_password.

     • Password Policy: Expiration and change intervals.

   • Command:

     cat /etc/shadow

3. /etc/group:

   • Purpose: Defines group memberships.

   • Fields:

     • Group Name: e.g., sudo.

     • GID: Group ID.

     • Members: Users in the group.

   • Command:

     cat /etc/group

4. /etc/sudoers:

   • Purpose: Configures sudo privileges.

   • Command:

     cat /etc/sudoers

---

Steps for Incident Response

1. Detect Suspicious Users

Attackers may create or modify accounts for persistence.

• List All Users:

  cat /etc/passwd

• Check for Suspicious Usernames: Look for generic or unexpected names like admin, support, backup.

• Verify User Shells: Identify accounts with interactive shells (/bin/bash) and flag suspicious ones.

  awk -F: '$NF !~ "nologin|false" {print $1, $NF}' /etc/passwd

• Identify Recent Changes:

  grep useradd /var/log/auth.log
  grep passwd /var/log/auth.log

2. Analyze User Permissions

• Group Memberships: Review privileged groups (sudo, adm, root) and their members.

  cat /etc/group

• Sudo Privileges: Check users with sudo access.

  cat /etc/sudoers

• Recent Group Modifications:

  grep groupadd /var/log/auth.log
  grep usermod /var/log/auth.log

3. Identify Users with SSH Access

• Valid Login Users:

  awk -F: '$NF !~ "nologin|false" {print $1}' /etc/passwd

• Review SSH Configuration: Check AllowUsers and AllowGroups directives in sshd_config.

  grep AllowUsers /etc/ssh/sshd_config

• Active SSH Sessions: List currently logged-in users via SSH.

  last | grep ssh

4. Identify Unauthorized Logins

• Failed Login Attempts:

  grep "Failed password" /var/log/auth.log

• Successful Logins:

  grep "Accepted password" /var/log/auth.log

---

Eradication and Remediation

1. Remove Malicious Users

Delete unauthorized accounts and their home directories.

userdel -r <username>

2. Remove Unauthorized Group Memberships

Revoke privileged group access.

gpasswd -d <username> <group>

3. Revoke Sudo Privileges

Edit the sudoers file securely:

visudo

Remove unauthorized sudo entries.

4. Change Compromised User Passwords

Force legitimate users to reset their passwords.

passwd <username>

5. Regenerate SSH Keys

• Delete Old Keys:

  rm ~/.ssh/authorized_keys

• Generate New Keys:

  ssh-keygen

---

Key Commands

Task	Command
List all users	cat /etc/passwd
Check for suspicious usernames	`awk -F: '$NF !~ "nologin
Review privileged groups	cat /etc/group
List sudo users	cat /etc/sudoers
Find recent user changes	grep useradd /var/log/auth.log
Failed login attempts	grep "Failed password" /var/log/auth.log
Successful SSH logins	grep "Accepted password" /var/log/auth.log

---

Key Points

By systematically reviewing user accounts, group memberships, and login activity, you can detect and respond to compromised accounts effectively. Regular monitoring and hardening user management practices are essential to prevent unauthorized access and maintain system integrity.