Internet Security Professional Reference: Audit Trails


Chapter 4
Audit Trails

The National Computer Security Center in Fort Meade, Maryland, defines an audit trail in its Rainbow series of security publications as follows:

“A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results.”

In layman’s terms, audit trails are any files that record the time users log in, from where they log in, what they try to do, and any other action an administrator might want to save for later analysis.

When used intelligently, audit trails can provide system administrators valuable information in tracking security violations and break-in attempts.

Audit Trails Under Unix

Unix is by far the most prevalent operating system in use on the Internet. Luckily for administrators, Unix provides a large number of auditing and logging tools and utilities. Many of these logs are generated automatically by utilities that are part of the default configuration of every Unix machine. Other logging utilities must be enabled and configured by the administrator.

Common Unix Logs

The Unix operating system stores most of its logging in ASCII text files, through which you can easily sort with normal text-editing utilities. Some logs, however, are stored in various binary formats and require specialized utilities for their contents to be viewed.

lastlog

The lastlog file keeps track of each user’s most recent login time and the location from which that login originated. When a user logs in to a Unix system, the login program looks for the user’s UID in the lastlog file. If the program finds it, Unix displays the time and TTY of the user’s last login. Some versions of Unix display unsuccessful login attempts as well as successful logins.

BSDI BSD/386 1.1 unixbox (ttyp5)
login: phrack
Password:
Last login: Sun Apr 2 16:35:49 from phrack.com

The login program then updates the lastlog file with the new login time and TTY information. Further, the program updates the UTMP and WTMP files.

UTMP

The Unix operating system keeps track of users currently logged in to the system with a file called the UTMP. This file is constantly changing as users enter and leave the system. It does not keep a long historical tally of users who have been on the system; it only keeps track of those online at the exact moment.

UTMP might not contain entirely accurate information. Sporadic errors can cause a user’s shell to terminate without UTMP having been updated. UTMP is also not particularly reliable because it comes world-writable by default on many Unix platforms.

The normal user’s ability to modify this file makes it very easy for an intruder to hide from view.

The UTMP log is usually stored in the file /etc/utmp, although you might find it in other locations on some Unix versions. UTMP is usually viewed with commands such as who or w, but you can also access the file through other commands, such as finger, rwho, and users.

The following is sample output from the who command:

freeside % who
phrack   ttyp3   Apr  2 16:35   (phrack)
user     ttyp4   Apr  2 17:12   (fakehost.com)
slip1    ttya0   Apr  2 17:13
ppp1     ttya1   Apr  2 16:29
ccr      ttya6   Apr  2 16:35
ppp2     ttyb2   Apr  2 13:48
freeside %

WTMP

The WTMP file keeps track of logins and logouts. It is similar to the UTMP file but continually grows in length with each login or logout. In some Unix versions, programs such as ftp record access information in WTMP as well. WTMP also records the times of normal system shutdowns, such as those caused by the reboot or shutdown commands. Unix generally stores WTMP in the file /var/adm/wtmp.

The WTMP file is normally accessed by the last command. Unix displays output generated by the last command in reverse order—the most recent information appears first, followed by older entries. The last command also can generate reports based on name, TTY, or event (such as shutdown); or print only a specified number of entries.

freeside % last -10
slip1     ttya0                     Sun Apr  2 17:13   still logged in
user      ttyp4    fakehost.com     Sun Apr  2 17:12   still logged in
Uaust     ttya0                     Sun Apr  2 17:10 - 17:11  (00:00)
user2     ftp      college.edu      Sun Apr  2 17:07 - 17:11  (00:03)
slip1     ttya3                     Sun Apr  2 16:50 - 16:53  (00:03)
slip2     ttyb5                     Sun Apr  2 16:46 - 16:48  (00:01)
aco       ttya5                     Sun Apr  2 16:45 - 17:09  (00:24)
dzz       ttyp4    slip00           Sun Apr  2 16:45 - 16:47  (00:02)
ppp2      ttya3                     Sun Apr  2 16:44 - 16:45  (00:00)
dzz       ftp      slip00           Sun Apr  2 16:43 - 16:48  (00:04)
freeside %

Another command, ac, formats the data stored in the WTMP file in a different way. It can generate its reports either by person (ac -p) or by day (ac -d). These reports might quickly alert the administrator to improper usage. An inactive account that suddenly starts logging numerous hours of connect time, for example, is easily spotted in an ac report.

freeside % ac -p
ftp     573.56
foo     898.05
spot    125.62
rickm    39.24
faust    27.21
test      4.02
jj      178.77
cma      10.97
gre      10.73
erikb    12.39
sp        0.18
total  1880.73

The ac report can also be sorted by user and date combined. If the administrator feels, for example, that the utilization of 898.05 connect hours for the foo account looks out of place, that administrator can run a more specific ac report:

freeside % ac -dp foo
Apr 1 total    10.30
Apr 2 total    12.50
Apr 3 total     8.20
Apr 4 total   815.04
Apr 5 total    12.01

The April 4 system usage is obviously out of character for the foo account. Logs, unfortunately, aren’t usually this easy to read. With the growing use of multiple login instances through applications such as X Windows, a single user can easily record several hundred hours’ worth of connect time in just a few days.
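The following is an added example, not code from the book and not the last or ac utilities themselves. It serves both the UTMP/who and the WTMP/last/ac discussions above, since the two files share one record format: it parses binary utmp-style records, pairs each login with the next logout on the same TTY line (as last does, with unpaired logins being the "still logged in" sessions who shows), totals connect hours per user and day (as ac -dp does), and flags a day such as foo's April 4. It assumes the glibc/Linux struct utmp layout (384 bytes, little-endian) rather than the BSD-era format of the freeside host; the records, names, hostnames and the anomaly threshold are all constructed for the example.

```python
"""Parse wtmp-style records, rebuild sessions (as last does), total connect
hours per user and day (as ac -dp does) and flag days that stand out.

Added example, not code from the book or from any vendor's last/ac. It assumes
the glibc/Linux struct utmp layout (384 bytes, little-endian); every record
below is constructed sample data and the anomaly rule is illustrative."""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# glibc struct utmp: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 reserved bytes -> 384 bytes per record.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type for a login and a logout
DAY = 86400
BASE = 796694400                       # constructed: 1995-04-01 00:00:00 UTC


def make_record(ut_type, line, user, host, ts):
    """Build one constructed utmp record (sample data for this example)."""
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_records(data):
    """Yield (ut_type, line, user, host, epoch_seconds) per fixed-size record."""
    def cstr(b):
        return b.split(b"\0", 1)[0].decode("ascii", "replace")
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield f[0], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]


def sessions(records):
    """Pair each login with the next logout on the same tty line, as last does.
    Returns (user, host, line, start, end); end is None while still open."""
    open_on_line, done = {}, []
    for t, line, user, host, sec in records:
        if t == USER_PROCESS:
            open_on_line[line] = (user, host, sec)
        elif t == DEAD_PROCESS and line in open_on_line:
            user, host, start = open_on_line.pop(line)
            done.append((user, host, line, start, sec))
    done.extend((u, h, l, s, None) for l, (u, h, s) in open_on_line.items())
    return done


def daily_hours(sess, now):
    """Connect hours per (user, 'Mon DD') like ac -dp; sessions crossing
    midnight are split between days, open sessions run until `now`."""
    totals = defaultdict(float)
    for user, _host, _line, start, end in sess:
        t = start
        end = now if end is None else end
        while t < end:
            chunk_end = min(end, (t // DAY + 1) * DAY)
            day = datetime.fromtimestamp(t, timezone.utc).strftime("%b %d")
            totals[(user, day)] += (chunk_end - t) / 3600
            t = chunk_end
    return dict(totals)


def flag_anomalies(totals, factor=10.0):
    """Flag a user's day above 24 h (only possible with concurrent sessions on
    several lines, or forged records) or above `factor` x that user's median
    day once three or more days exist. Constructed rule, not ac's."""
    per_user = defaultdict(list)
    for (user, _day), h in totals.items():
        per_user[user].append(h)
    flagged = []
    for (user, day), h in totals.items():
        hs = sorted(per_user[user])
        if h > 24 or (len(hs) >= 3 and h > factor * hs[len(hs) // 2]):
            flagged.append((user, day, round(h, 2)))
    return sorted(flagged)


def sample_wtmp():
    """Constructed wtmp: foo has ordinary days Apr 1-3 and three concurrent
    22-hour sessions on Apr 4; phrack logs in Apr 2 and stays logged in."""
    ev = [  # (type, line, user, host, seconds after BASE)
        (USER_PROCESS, "ttya0", "foo", "", 10 * 3600),
        (DEAD_PROCESS, "ttya0", "", "", 20 * 3600 + 1800),
        (USER_PROCESS, "ttya0", "foo", "", DAY + 8 * 3600),
        (DEAD_PROCESS, "ttya0", "", "", DAY + 20 * 3600 + 1800),
        (USER_PROCESS, "ttyp3", "phrack", "phrack.com", DAY + 16 * 3600 + 35 * 60),
        (USER_PROCESS, "ttya0", "foo", "", 2 * DAY + 9 * 3600),
        (DEAD_PROCESS, "ttya0", "", "", 2 * DAY + 17 * 3600 + 12 * 60),
    ]
    for tty in ("ttyp4", "ttyp5", "ttyp6"):
        ev.append((USER_PROCESS, tty, "foo", "xterm", 3 * DAY + 3600))
        ev.append((DEAD_PROCESS, tty, "", "", 3 * DAY + 23 * 3600))
    ev.sort(key=lambda e: e[4])  # wtmp is append-only, so keep time order
    return b"".join(make_record(t, l, u, h, BASE + o) for t, l, u, h, o in ev)


def report(data=None, now=BASE + 4 * DAY):
    """Run the pipeline on raw wtmp bytes; returns (sessions, totals, flags)."""
    data = sample_wtmp() if data is None else data
    sess = sessions(parse_records(data))
    totals = daily_hours(sess, now)
    return sess, totals, flag_anomalies(totals)


if __name__ == "__main__":
    for user, day, hours in report()[2]:
        print(f"{user:8s} {day}  {hours:7.2f} h  <- out of character")
```

The over-24-hours check is the one worth keeping even after the threshold is tuned: a single TTY cannot accumulate more than a day's connect time in a day, so any such total means either several concurrent sessions (the X Windows case described above) or records that were not written by login, and both deserve a look. Against a real file, pass `open("/var/log/wtmp", "rb").read()` to `report()` on a system that uses the glibc layout.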

