Viewing Login History
Reviewing when accounts logged in is an important step in spotting suspicious behaviour on your systems. This information is recorded in a binary database file, /var/log/wtmp. The file cannot be read with a normal text editor because it is not plaintext, and it should never be edited or truncated by hand. It does grow with every login, logout and reboot, so most Linux distributions rotate it with logrotate (typically monthly, producing /var/log/wtmp.1 and so on); history from a rotated copy can be read with last -f /var/log/wtmp.1. Keep in mind that anyone with root can rewrite or truncate wtmp, so it is a record of what was logged, not proof of what happened.
To view a history of user logins, use the last command, optionally specifying a username to look at specifically (the default is to show information on all accounts):
# last joe
This will show each of joe's login sessions: the console or terminal (tty or pts) used, the remote hostname or X display name if applicable, and the date and time of login and logout (or "still logged in"). By looking at this information, you can see if any anomalies appear, e.g. an account logged in when that person would normally be sleeping, access outside of work hours, or logins from hosts the user never connects from.
To view only the most recent login, some systems provide the lastlog tool (most Linux systems do, OS X does not). lastlog does not read wtmp; it keeps its own per-user database, /var/log/lastlog, and reports the single most recent login for each account. For instance:
# lastlog -u joe
This command will display the last login for the user joe. By default, lastlog displays the last login for all users on the system (accounts that have never logged in are marked "Never logged in"). Another useful command is lastb, which displays failed login attempts in the same format as last. However, some systems do not enable this by default. The log file used here is /var/log/btmp, which may not exist on older or minimal systems. To create the file, execute as root:
# touch /var/log/btmp
# chmod 640 /var/log/btmp
This will create the file with mode 640: read/write for root, read-only for root's group, and no access for anyone else. Do not make btmp world-readable, and do not simply copy wtmp's permissions to it: wtmp is commonly 664 root:utmp so that ordinary users can run last, but btmp must be at least as restrictive as 640 (or 600, or 660 root:utmp as some distributions ship it) because users sometimes type their password at the login: prompt, and that password is then recorded in btmp as the attempted username. Double-check the ownership of /var/log/btmp after creating it; in most cases it should be owned by user root and group root or utmp. Once the file exists, login, sshd and other PAM-aware services will start recording bad login attempts to it, and they can be viewed with the lastb command. To view the list of bad login attempts, use:
# lastb joe
By default, lastb shows all of the bad login attempts; if you want to view the bad login attempts for a particular account, give lastb the username to check, as shown above.
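Because wtmp and btmp share one binary record format, the same parser serves both checks described above: listing logins from wtmp and looking for anomalies, and reviewing btmp for failed attempts. The following script is an added example, not part of the original page or the last/lastb tools; it decodes the glibc struct utmp layout used on x86_64 Linux (384-byte records, 32-bit time fields; an assumption about the target platform), flags interactive logins outside working hours or at the weekend, and flags btmp "usernames" that are not real accounts, which are often passwords typed into the username field. The records it parses are constructed in the script so it runs offline; to use it on a real system, read /var/log/wtmp or a rotated /var/log/wtmp.1 into the parser instead, and use your local time zone rather than the UTC hour checked here.

```python
"""Parse Linux wtmp/btmp records and flag suspicious logins.
Added example for the page above, not the page's own code. Record layout is
the glibc struct utmp for x86_64 (assumption); sample records are constructed."""
import struct
from datetime import datetime, timezone

# struct utmp on x86_64 glibc: ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4]
# ut_user[32] ut_host[256] ut_exit(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6[4] pad[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384 bytes per record
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(blob):
    """Yield one dict per record in a wtmp/btmp byte string."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("truncated utmp data: %d bytes" % len(blob))
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        yield {
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        }


def make_record(ut_type, pid, line, user, host, ts):
    """Build one 384-byte record (used only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def off_hours_logins(records, start=8, end=18):
    """Interactive logins (USER_PROCESS) at the weekend or outside start..end-1.
    Hours are compared in UTC here; use the site's local zone in production."""
    hits = []
    for r in records:
        if r["type"] != USER_PROCESS:
            continue                     # skip logouts, reboots, runlevel changes
        t = r["time"]
        if t.weekday() >= 5 or not (start <= t.hour < end):
            hits.append((r["user"], r["host"], t.isoformat()))
    return hits


def suspect_btmp_users(records, known_users):
    """btmp usernames that are not accounts on the system. These are frequently
    passwords typed at the login: prompt, which is why btmp must not be
    world-readable. The ut_type written by each daemon varies, so it is ignored."""
    return sorted({r["user"] for r in records
                   if r["user"] and r["user"] not in known_users})


def _utc(*parts):
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp())


def build_sample():
    """Constructed sample wtmp and btmp contents (not from a real system).
    2024-01-16 is a Tuesday, 2024-01-17 a Wednesday, 2024-01-20 a Saturday."""
    wtmp = b"".join([
        make_record(USER_PROCESS, 1201, "pts/0", "joe", "10.0.0.5", _utc(2024, 1, 16, 10, 0)),
        make_record(DEAD_PROCESS, 1201, "pts/0", "", "", _utc(2024, 1, 16, 17, 45)),
        make_record(USER_PROCESS, 1377, "pts/1", "joe", "203.0.113.9", _utc(2024, 1, 17, 3, 12)),
        make_record(USER_PROCESS, 1402, "tty1", "alice", "", _utc(2024, 1, 20, 14, 0)),
    ])
    btmp = b"".join([
        make_record(LOGIN_PROCESS, 1390, "ssh:notty", "joe", "203.0.113.9", _utc(2024, 1, 17, 3, 10)),
        make_record(LOGIN_PROCESS, 1391, "ssh:notty", "Hunter2!", "203.0.113.9", _utc(2024, 1, 17, 3, 11)),
    ])
    return wtmp, btmp


if __name__ == "__main__":
    wtmp, btmp = build_sample()   # replace with open("/var/log/wtmp", "rb").read()
    for user, host, when in off_hours_logins(list(parse_utmp(wtmp))):
        print("off-hours login: %s from %s at %s" % (user, host or "console", when))
    print("btmp entries that are not accounts:",
          suspect_btmp_users(parse_utmp(btmp), {"root", "joe", "alice"}))
```

On a real host, check that the file size is a multiple of 384 before trusting the layout assumption (`stat -c %s /var/log/wtmp`); a different remainder means a different struct layout (32-bit platforms, the BSDs and OS X use other formats) and the format string must be adjusted. The off-hours rule is deliberately simple; in practice the working-hours window and the list of expected source hosts come from your own environment.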
Retrieved from “http://linsec.ca/User_Auditing”