9.6. Checking for Suspicious Account Use, Multiple Systems
Problem
You want to scan multiple computers for unusual or dangerous usage of accounts.
Solution
Merge the lastlog databases from several systems, using Perl:
use DB_File; use Sys::Lastlog; use Sys::Hostname; my %omnilastlog; tie(%omnilastlog, "DB_File", "/share/omnilastlog"); my $ll = Sys::Lastlog->new( ); while (my ($user, $uid) = (getpwent( ))[0, 2]) { if (my $llent = $ll->getlluid($uid)) { $omnilastlog{$user} = pack("Na*", $llent->ll_time( ), join("\0", $llent->ll_line( ), $llent->ll_host( ), hostname)) if $llent->ll_time( ) > (exists($omnilastlog{$user}) ? unpack("N", $omnilastlog{$user}) : -1); } } untie(%omnilastlog); exit(0);
To read the merged lastlog database, omnilastlog, use another Perl script:
use DB_File; my %omnilastlog; tie(%omnilastlog, "DB_File", "/share/omnilastlog"); while (my ($user, $record) = each(%omnilastlog)) { my ($time, $rest) = unpack("Na*", $record); my ($line, $host_from, $host_to) = split("\0", $rest, -1); printf("%-8.8s %-16.16s -> %-16.16s %-8.8s %s\n", $user, $host_from, $host_to, $line, $time ? scalar(localtime($time)) : "**Never logged in**"); } untie(%omnilastlog); exit(0);
Discussion
Perusing the output from the lastlog , last, and lastb commands [Recipe 9.5] might be sufficient to monitor activity on a single system with a small number of users, but the technique doesn’t scale well in the following cases:
If accounts are shared among many systems, you probably want to know a user’s most ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.