June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
9.6. Checking for Suspicious Account Use, Multiple Systems
Problem
You want to scan multiple computers for unusual or dangerous usage of accounts.
Solution
Merge the lastlog databases from several systems, using Perl:
use DB_File;
use Sys::Lastlog;
use Sys::Hostname;
my %omnilastlog;
tie(%omnilastlog, "DB_File", "/share/omnilastlog");
my $ll = Sys::Lastlog->new( );
while (my ($user, $uid) = (getpwent( ))[0, 2]) {
if (my $llent = $ll->getlluid($uid)) {
$omnilastlog{$user} = pack("Na*", $llent->ll_time( ),
join("\0", $llent->ll_line( ),
$llent->ll_host( ),
hostname))
if $llent->ll_time( ) >
(exists($omnilastlog{$user}) ?
unpack("N", $omnilastlog{$user}) : -1);
}
}
untie(%omnilastlog);
exit(0);To read the merged lastlog database, omnilastlog, use another Perl script:
use DB_File;
my %omnilastlog;
tie(%omnilastlog, "DB_File", "/share/omnilastlog");
while (my ($user, $record) = each(%omnilastlog)) {
my ($time, $rest) = unpack("Na*", $record);
my ($line, $host_from, $host_to) = split("\0", $rest, -1);
printf("%-8.8s %-16.16s -> %-16.16s %-8.8s %s\n",
$user, $host_from, $host_to, $line,
$time ? scalar(localtime($time)) : "**Never logged in**");
}
untie(%omnilastlog);
exit(0);Discussion
Perusing the output from the lastlog , last, and lastb commands [Recipe 9.5] might be sufficient to monitor activity on a single system with a small number of users, but the technique doesn’t scale well in the following cases:
If accounts are shared among many systems, you probably want to know a user’s most ...