SYSADMIN
Admin Workshop: Tracing Users
Who is Who?
Admins need to be able to trace which user logged onto the system, when, and from where. This allows you to protect your computers from abuse and to trace intrusions should the worst come to the worst.
BY MARC ANDRÉ SELIG
Modern computer networks are an extremely practical thing. When I need to manage the cluster at the university remotely, I can log on to the network and install a Sendmail update without even leaving my couch. A computer in Pennsylvania takes care of filtering spam for me, and of course I can just as easily program that computer from my home.
Unfortunately, malevolent hackers enjoy the same kind of freedom. Once a hacker has the credentials for a Unix system, in the form of a user account and matching password or a cryptographic key, he or she can typically log on from any location. And as long as Unix administrators insist on using (or playing games on) Windows machines, there is always a danger of worms and trojans grabbing credentials.

Virtual private networks help restrict the attackers, but VPNs are unwieldy and hard to set up, and that rules them out for many small businesses and home users. Admins thus check who has been using their machines, and where these logins come from. This is the only way to detect irregularities and chase off intruders.
Who is Online?
The who command (see Figure 1) provides a quick overview of the current users. Besides the username and origin, the command also outputs the date and time of the login and the (virtual) console where the user is working. Three people are logged on in our example: baier is working at the console; she is running an X server (:0) and a whole bunch of other terminals (pts/X), which we can assume are xterm windows. In addition to baier, there is an account called wwwadm which logged on via a host called zpidsu5.uni-trier.de, and mas via acb6ae4b.ipt.aol.com, which is obviously a dial-up line.
How long here?
The w command (see Figure 2) is a close relative of who, and is available on most Linux systems. Besides being shorter to type, w also displays the uptime and load, and the current command line for each PTY (pseudo terminal).
Both of these traditional tools, who and w, display only the active users. The last command (see Figure 3) is a logical extension of this, as it shows the most recent logins. The command searches back through the entries to the point where accounting was initialized on the system (or, on most distributions, to the point where wtmp was last rotated) and can easily return thousands of entries.

It would be difficult to manage mass entries on a heavily used system. But thankfully, last provides two useful filters: for one thing, you can restrict the list to a single username or a single terminal (such as tty1 for the Linux console). For another, a parameter such as -20 tells last to restrict the output to the twenty latest login entries. These filters can be combined: last -5 mas will list the last five logins for the user mas (see Figure 3).

Figure 1: The who command outputs a list of the users currently logged on to the system. baier is running an X server on the console (:0), while wwwadm and mas have logged on remotely
Figure 2: The w command on Linux provides more detail than who, also showing the uptime and load for the computer
Figure 3: If you are interested in the history, a call to last will show a list of logins with their origin and duration
62 February 2004 www.linux-magazine.com
Insider Tips: Tracing Users
who and last read special accounting files to obtain this information. The file utmp records the active users, and is stored in /var/run on modern Linux systems. The system uses wtmp to log login and logout data; this file is typically in /var/log. But the exact location of both files depends on the philosophy and the age of the Linux distribution; /var/spool, /var/adm and /etc are other traditional locations.
How it works
wtmp contains a long list of logins and logouts (in binary format). The entry is created by init, agetty, or login for console logins, and init records logouts, reboots etc.

In contrast to this, utmp holds only the sessions that are currently open: one entry per terminal line, which is reused or cleared when that session ends, and this is what who and w read. The database with exactly one entry per user, holding that user's last login, is a third file, lastlog (usually /var/log/lastlog); it is what the lastlog command lists and what login quotes in its "Last login:" message. Depending on the record size the C library uses, lastlog may look fairly large: it is indexed by UID, so traditionally the file is long enough to contain an entry for every possible user. That is quite large, considering that over 65,000 users are permitted. To prevent all this space going to waste, the file is sparse: the unused areas are simply null bytes that are not stored on the hard disk. The trick also makes looking up a user a single seek to UID times the record size.
Programs should not access wtmp and utmp directly. Well-behaved programs use the library functions utmpname(), setutent(), getutent(), and getutid() instead (and pututline() to write a record, endutent() to close the database). Incidentally, some Unix variants use wtmpx and utmpx, rather than wtmp and utmp, to store the data in an extended format. Linux keeps the original file names, as its record format already fulfills the requirements placed on it; glibc nevertheless provides the POSIX utmpx interface (getutxent() and friends) as aliases of the utmp functions, so portable code can use either.
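The following script is an added worked example (not code from the original article) that ties together the two passages above: the filters of last described under "How long here?" and the binary record format described here. It parses raw wtmp/utmp records and reconstructs sessions the way last does, pairing each login with the logout, crash or shutdown that ended it, and supporting the username, terminal and -N filters. This is what a forensic analyst does with a wtmp copied off another machine; programs running on the live system should go through the library calls above instead. The record layout assumed is glibc's struct utmp on x86 and x86_64 (384-byte records, little-endian, ut_host of 256 bytes); the sample records are constructed inside the script and are not real logins, and the pack_record helper exists only to build them.

```python
"""Mini re-implementation of last(1) over the binary utmp/wtmp record format.

Added example, not from the original article. Assumes the glibc struct utmp
layout used on x86 and x86_64 Linux (384-byte records, little-endian).
"""
import struct
import sys
from datetime import datetime, timezone

# glibc struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], pad
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
UTMP_SIZE = UTMP_STRUCT.size  # 384 bytes per record

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME = 0, 1, 2
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    """Decode a NUL-padded field; a completely full field carries no terminator."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec, ut_id=b""):
    """Build one record. Used here only to construct sample data (not real logins)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ut_id, user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield one dict per record. A trailing partial record means the file was
    truncated or tampered with, so refuse it instead of silently dropping it."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = UTMP_STRUCT.unpack_from(data, off)
        yield {"type": ut_type, "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
               "user": _cstr(user), "host": _cstr(host), "time": tv_sec}


def last(records, user=None, line=None, limit=None):
    """Pair every login with the logout, crash or shutdown that ended it, like last(1).
    Returns rows newest first; user/line/limit mirror `last mas`, `last tty1`, `last -20`."""
    open_by_line, rows = {}, []
    for r in records:
        t = r["type"]
        if t == USER_PROCESS:
            stale = open_by_line.pop(r["line"], None)
            if stale:  # new login on the line with no logout record in between
                stale["how"] = "gone - no logout"
            row = {"user": r["user"], "line": r["line"], "host": r["host"],
                   "start": r["time"], "end": None, "how": "still logged in"}
            open_by_line[r["line"]] = row
            rows.append(row)
        elif t == DEAD_PROCESS:
            row = open_by_line.pop(r["line"], None)
            if row:
                row["end"], row["how"] = r["time"], "logout"
        elif t == BOOT_TIME or (t == RUN_LVL and r["user"] == "shutdown"):
            how = "crash" if t == BOOT_TIME else "down"
            for row in open_by_line.values():  # sessions cut off by the reboot
                row["end"], row["how"] = r["time"], how
            open_by_line.clear()
            if t == BOOT_TIME:
                rows.append({"user": "reboot", "line": "~", "host": r["host"],
                             "start": r["time"], "end": None, "how": "system boot"})
    rows.reverse()
    if user is not None:
        rows = [x for x in rows if x["user"] == user]
    if line is not None:
        rows = [x for x in rows if x["line"] == line]
    return rows[:limit] if limit is not None else rows


def format_row(row):
    """One line in the style of last(1); UTC keeps the output reproducible."""
    def stamp(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M")
    if row["end"] is None:
        tail = row["how"]
    else:
        mins = (row["end"] - row["start"]) // 60
        tail = "%s  (%02d:%02d)" % (stamp(row["end"])[-5:], mins // 60, mins % 60)
        if row["how"] != "logout":
            tail = row["how"] + " " + tail
    return "%-8s %-12s %-24s %s - %s" % (row["user"], row["line"], row["host"],
                                         stamp(row["start"]), tail)


# Constructed sample wtmp image (not real logins): a boot, three logins, one logout.
T0 = 1075795200  # Tue Feb  3 08:00:00 UTC 2004
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.4.24", T0, b"~~"),
    pack_record(USER_PROCESS, 1201, "tty1", "baier", "", T0 + 600, b"1"),
    pack_record(USER_PROCESS, 1340, "pts/0", "wwwadm", "zpidsu5.uni-trier.de", T0 + 1800, b"ts/0"),
    pack_record(USER_PROCESS, 1402, "pts/1", "mas", "acb6ae4b.ipt.aol.com", T0 + 2400, b"ts/1"),
    pack_record(DEAD_PROCESS, 1402, "pts/1", "", "", T0 + 5100, b"ts/1"),
    pack_record(USER_PROCESS, 1510, "pts/1", "mas", "acb6ae4b.ipt.aol.com", T0 + 7200, b"ts/1"),
])

if __name__ == "__main__":
    # python3 minilast.py [/path/to/wtmp [user]]; without arguments the sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    who = sys.argv[2] if len(sys.argv) > 2 else None
    for row in last(parse_wtmp(data), user=who, limit=20):
        print(format_row(row))
```

Two details are deliberate. parse_wtmp refuses a file whose length is not a multiple of the record size, because a partial trailing record is exactly what a crash during a write, or a clumsy log cleaner, leaves behind and an analyst wants to notice it rather than have it silently skipped. And _cstr tolerates a field with no NUL terminator, which is what a hostname that filled ut_host completely looks like on disk; that is the point at which the name was clipped when the record was written and nothing downstream can recover it.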
Access privileges are typically organized to allow any user to read the databases, while write access is restricted to specific processes: init for logouts and runlevel changes (these include the boot process and shutdowns), the getty processes and sshd for hardware-based and virtual TTYs, login for successful login attempts, sessreg for GUI-based logins that use xdm and the like, and GUI-based terminals such as xterm in many environments.

It is typically unnecessary to define complex user groups to provide access controls for utmp and wtmp. The login program accesses the database before dropping its root privileges and assuming the privileges of the user logging on. Terminal emulators such as xterm are the exception, since they run as the user; that is why many distributions make the two files writable by a dedicated utmp group and install xterm setgid to that group. The flip side of this arrangement is worth keeping in mind: anyone who has obtained root can rewrite both files, and intruders routinely erase their own entries. who and last can therefore prove the absence of a login only as long as root is uncompromised, and their output should be cross-checked against the syslog.
More Logfiles
The databases mentioned so far give information on numerous activities that take place on a system. They assume processes will behave conventionally and update the files as expected.

Also, the data must comply with a precisely defined structure. The maximum length of the hostname used for logging on is tightly restricted, and last clips it further to fit its columns. A truncated hostname such as pd90249e0.dip.t- in Figure 3 is stored and displayed without complaint, but it is useless for incident response or forensics. (last -a moves the host to the final column and prints it in full, which helps as far as the file itself holds the full name; whatever was cut off when the record was written is gone.)

Sometimes you really do need more information, particularly in the case of complex login procedures that use cryptographic authentication, where detailed error reporting is essential. This kind of information typically ends up in a central logfile, referred to as the syslog. We will be looking at the syslog next month.