Recipe 9.5 Checking for Suspicious Account Use

9.5.1 Problem

You want to discover unusual or dangerous usage of accounts on your system: dormant user accounts, recent logins to system accounts, etc.

9.5.2 Solution

To print information about the last login for each user:

$ lastlog [-u username]

To print the entire login history:

$ last [username]

To print failed login attempts:

$ lastb [username]

To enable recording of bad logins:

# touch /var/log/btmp
# chown --reference=/var/log/wtmp /var/log/btmp
# chmod --reference=/var/log/wtmp /var/log/btmp

9.5.3 Discussion

Attackers look for inactive accounts that are still enabled, in the hope that intrusions will escape detection for long periods of time. If Joe retired and left the organization last year, will anyone notice if his account becomes compromised? Certainly not Joe! To avoid problems like this, examine all accounts on your system for unexpected usage patterns.

Linux systems record each user's last login time in the database /var/log/lastlog. The terminal (or X Window System display name) and remote system name, if any, are also noted. The lastlog command prints this information in a convenient, human-readable format.

/var/log/lastlog is a database, not a log file. It does not grow continuously, and therefore should not be rotated. The apparent size of the file (e.g., as displayed by ls -l) is often much larger than the actual size, because the file contains "holes" for ranges of unassigned user IDs.

Access is restricted to the superuser by recent versions of Red Hat (8.0 or later). If this seems too paranoid for your system, it is safe to make the file world-readable:

# chmod a+r /var/log/lastlog

In contrast, the btmp log file will grow slowly (unless you are under attack!), but it should be rotated like other log files. You can either add btmp to the wtmp entry in /etc/logrotate.conf, or add a similar entry in a separate file in the /etc/logrotate.d directory. [Recipe 9.30]

A history of all logins and logouts (interspersed with system events like shutdowns, reboots, runlevel changes, etc.) is recorded in the log file /var/log/wtmp. The last command scans this log file to produce a report of all login sessions, in reverse chronological order, sorted by login time.

Failed login attempts can also be recorded in the log file /var/log/btmp, but this is not done by default. To enable recording of bad logins, create the btmp file manually, using the same owner, group, and permissions as for the wtmp file. The lastb command prints a history of bad logins.

The preceding methods do not scale well to multiple systems, so see our more general solution. [Recipe 9.6]

9.5.4 See Also

lastlog(1), last(1), lastb(1).

    Chapter 9. Testing and Monitoring