Auditing Users

The next two sections describe a few of the commands used to view information about users who have logged into the system.

Monitoring Users and System Usage

As the system administrator, you’ll need to monitor system resources and watch for unusual activity. Having a method to monitor the system is useful when you suspect a breach in security. For example, you might want to monitor the login status of a particular user. Use the logins command to monitor a particular user’s activities, as follows:

Exercise 16.1 Monitoring a User’s Activity

1. Become superuser.

2. Display a user’s login status by using the logins command:

# logins -x -l username 

For example, to monitor login status for the user calkins, type the following:

# logins -x -l calkins 

The system displays the following information:

calkins       200     staff           10   Bill S. Calkins 
                   /export/home/calkins 
                   /bin/sh 
                   PS 030195 10 7 -1 

Table 16.13 describes the information output of the logins command.

Table 16.13. Output from the logins Command

Field                 Description
calkins               The login name
200                   The UID
staff                 The primary group
10                    The GID
Bill S. Calkins       The comment field of the /etc/passwd file
/export/home/calkins  The user’s home directory
/bin/sh               The user’s default login shell
PS 030195 10 7 -1     The password aging information: the last date the password was changed, the number of days required between changes, the number of days allowed before a change is required, and the warning period

You’ll want to monitor user logins to ensure that their passwords are secure. One potential security problem is accounts that have no password at all (in other words, accounts whose owner can log in by pressing Return at the password prompt). Periodically check for such accounts by using the following method:

Exercise 16.2 Checking for Users with Blank Passwords

1. Become superuser.

2. Display users who have no passwords by using the logins command:

# logins -p 

The system responds with a list of users who do not have passwords.
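The following script is an added example; it is not code from the book or from Solaris. It audits a file in /etc/shadow format for the two conditions this section and the aging fields of Table 16.13 draw attention to: accounts with an empty password field (what logins -p reports) and accounts whose password has no maximum age. The sample file is constructed and written to a temporary directory; the hashes are placeholders, and the NP and *LK* markers follow the Solaris convention for non-login and locked accounts.

```shell
#!/bin/sh
# Added example, not code from the book or from Solaris: audit a file in
# /etc/shadow format for blank passwords (what logins -p reports) and for
# passwords with no maximum age (visible in the aging fields logins -x prints).
# The sample file below is constructed; the hashes are placeholders.
WORK="${TMPDIR:-/tmp}/shadow-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
SAMPLE_SHADOW="$WORK/shadow.sample"
# Field layout: name:password:lastchg:min:max:warn:inactive:expire:flag
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$5$placeholderhash:11757:7:56:7:::
calkins:$5$placeholderhash:11757:7:56:7:::
guest::11757::::::
nobody:NP:6445::::::
operator:*LK*:11757::::::
tempuser:$5$placeholderhash:11757::::::
EOF

# Accounts whose password field is empty: the login prompt accepts a bare
# carriage return for them, which is the problem logins -p is meant to catch.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that have a real password (not empty, not NP, not *LK*-style locked)
# but no maximum age in field 5, so the password never has to be changed.
no_aging_accounts() {
    awk -F: '$2 != "" && $2 != "NP" && $2 !~ /^\*/ && $5 == "" { print $1 }' "$1"
}

# Print a short report; on a real system run this against /etc/shadow as root.
audit_shadow() {
    echo "Blank passwords:"; blank_password_accounts "$1" | sed 's/^/  /'
    echo "No maximum password age:"; no_aging_accounts "$1" | sed 's/^/  /'
}

audit_shadow "$SAMPLE_SHADOW"
```

On the sample data the report lists guest under blank passwords and tempuser under missing aging; root and calkins pass because their maximum age (56 days) is set, and nobody and operator are skipped because they cannot log in with a password at all.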

Another good idea is to watch anyone who has tried to access the system but failed. You can save failed login attempts by creating the /var/adm/loginlog file with read and write permission for root only. After you create the loginlog file, failed login activity is written to it automatically once a login session reaches five failed attempts. This file does not exist by default; the system administrator must create it. To enable logging to this file, create it as root, as follows:

touch /var/adm/loginlog 

The loginlog file contains one entry for each failed attempt. Each entry contains the user’s login name, the tty device, and the time of the failed attempt. If a person makes fewer than five unsuccessful attempts, none of the attempts is logged.

The following is an example of an entry in which someone tried to log in as root but failed:

# more /var/adm/loginlog 
root:/dev/pts/5:Wed Apr 11 11:36:40 2002 
root:/dev/pts/5:Wed Apr 11 11:36:47 2002 
root:/dev/pts/5:Wed Apr 11 11:36:54 2002 
root:/dev/pts/5:Wed Apr 11 11:37:02 2002 

The loginlog file might grow quickly. To use the information in this file and to prevent the file from getting too large, you must check it and clear its contents occasionally. If this file shows a lot of activity, someone might be attempting to break into the computer system.
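The script below is an added example, not code from the book. It creates a loginlog file with the root-only permissions the text calls for (touch followed by chmod 600; on a live system run it as root against /var/adm/loginlog so the owner is root), summarises the entries of a loginlog-format file per login name, and archives and clears the file the way the text recommends. The entries are constructed and everything is written to a temporary directory, not to /var/adm.

```shell
#!/bin/sh
# Added example, not code from the book: create a loginlog file with
# owner-only permissions, summarise a loginlog-format file, and rotate it.
# The entries below are constructed and live in a temporary directory.
WORK="${TMPDIR:-/tmp}/loginlog-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOGINLOG="$WORK/loginlog.sample"
NEW_LOGINLOG="$WORK/loginlog.new"
# One entry per failed attempt: login name, tty device, time
cat > "$SAMPLE_LOGINLOG" <<'EOF'
root:/dev/pts/5:Wed Apr 11 11:36:40 2002
root:/dev/pts/5:Wed Apr 11 11:36:47 2002
root:/dev/pts/5:Wed Apr 11 11:36:54 2002
root:/dev/pts/5:Wed Apr 11 11:37:02 2002
calkins:/dev/pts/2:Wed Apr 11 12:01:10 2002
EOF

# Create the log file readable and writable by its owner only. On a live
# system run this as root so the owner is root (pass /var/adm/loginlog).
create_loginlog() {
    touch "$1" && chmod 600 "$1"
}

# Failed attempts per login name, most frequent first: "count name".
failed_by_user() {
    cut -d: -f1 "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Login names with at least $2 failed attempts in file $1.
flag_users() {
    failed_by_user "$1" | awk -v threshold="$2" '$1 >= threshold { print $2 }'
}

# Copy the current contents to a dated archive and truncate the live file:
# the periodic "check it and clear it" the text recommends.
rotate_loginlog() {
    cp "$1" "$1.$(date +%Y%m%d)" && : > "$1"
}

create_loginlog "$NEW_LOGINLOG"
echo "Failed attempts by user:"; failed_by_user "$SAMPLE_LOGINLOG"
echo "Users at or above 4 failures:"; flag_users "$SAMPLE_LOGINLOG" 4
```

Because an entry appears only once a session has failed five times, even a single name reported by flag_users represents sustained failed attempts rather than one mistyped password, which is why the per-user count is the useful summary when the file starts to show a lot of activity.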

Checking Who Is Logged In

Use the Solaris who command to find out who is logged into a system. To obtain this information, the who command examines the /var/adm/utmpx and /var/adm/wtmpx files. The utmpx file contains user access and accounting information for the who command (as well as for the write and login commands). The wtmpx file contains the history of user access and accounting information for the utmpx file.

Without arguments, the who command lists the login account name, terminal device, login date and time, and where the user logged in. Here is an example:

# who 
root       pts/3        May 11 14:47    (10.64.178.2) 
root       pts/1        May 10 15:42    (sparc1.PDESIGNINC.COM) 
root       pts/2        May 10 15:53    (sparc1.PDESIGNINC.COM) 
root       pts/4        May 11 14:48    (pluto) 

Table 16.14 lists some of the more common options used with the who command:

Table 16.14. Common Options Used with the who Command
Options Description
-a Processes /var/adm/utmpx or the named file with the -b, -d, -l, -p, -r, -t, -T, and -u options turned on. The following example shows the output you’ll see with the -a option:
who -aH 
NAME       LINE         TIME          IDLE    PID  COMMENTS 
   .       system boot  May 10 09:56 
   .       run-level 3  May 10 09:56  3       0    S 
rc2        .            May 10 09:56  old     70   id=  s2 term=0   exit=0 
rc3        .            May 10 09:57  old     270  id=  s3 term=0   exit=0 
sac        .            May 10 09:57  old     294  id=  sc 
LOGIN      console      May 10 09:57  0:13    295 
zsmon      .            May 10 09:57  old     297 
LOGIN      console      May 10 09:57  0:13    299  (:0) 
root     + pts/3        May 11 14:47          505  (10.64.178.2) 
root     + pts/1        May 10 15:42  0:13    366  (ovserv.PDESIGNINC.COM) 
root     + pts/2        May 10 15:53  22:02   378  (ovserv.PDESIGNINC.COM) 
root     + pts/4        May 11 14:48  0:13    518  (holl300s) 

Note that the -H option is used to display the column header.
-b Indicates the time and date of the last reboot, as shown in the following example:
who -b 

The system responds with this:
.       system boot  May 10 09:56 

-m Outputs only information about the current terminal, as follows:
who -m 

The system responds with this:
root       pts/3        May 11 14:47    (10.64.178.2) 

-n <x> Takes a numeric argument, <x>, which specifies the number of users to display per line. <x> must be at least 1. The -n option can be used only with the -q option (described next).
-q (“Quick who.”) Displays only the names and the number of users currently logged on. When this option is used, all other options are ignored. The following is an example of the -q and -n options:
who -q -n2 

The system responds with this:
root     root 
root     root 
# users=4 

-r Indicates the current run level of the init process:
who -r 

The system responds with this:
.       run-level 3  May 10 09:56     3      0  S 

-s Lists only the name, line, and time fields. This is the default when no options are specified.

The whodo Command

The whodo command produces formatted and dated output from information in the /var/adm/utmpx, /tmp/ps_data, and /proc/pid files. It displays each user logged in and the active processes owned by that user. The output shows the date, time, and machine name. For each user logged in, the system displays the device name, UID, and login time, followed by a list of active processes associated with the UID. The process list includes the device name, process ID, CPU minutes and seconds used, and process name. The following is an example of the whodo command:

whodo 

The system responds with this:

Thu May 11 15:16:56 EDT 2001 
holl300s 

pts/3        root     14:47 
    pts/3          505    0:00 sh 
    pts/3          536    0:00 whodo 

pts/1        root     15:42 
    pts/1          366    0:00 sh 
    pts/1          514    0:00 rlogin 
    pts/1          516    0:00 rlogin 

pts/2        root     15:53 
    pts/2          378    0:00 sh 

pts/4        root     14:48 
    pts/4          518    0:00 sh 

Use the -l option with the whodo command to get a long listing:

whodo -l 

The system responds with this:

  1:11pm  up 4 day(s), 18 hr(s), 20 min(s)  3 user(s) 
User     tty           login@  idle   JCPU   PCPU  what 
root     console      Mon 9am 2days                /usr/dt/bin/sdt_shell -c        u 
root     pts/4        Mon 9am    39      4         -ksh 
root     pts/6        12:00pm     6      7         whodo -l 

The fields displayed are the user’s login name; the name of the tty the user is on; the time of day the user logged in (in hours:minutes); the idle time, which is the time since the user last typed anything (in hours:minutes); the CPU time used by all processes and their children on that terminal (in minutes:seconds); the CPU time used by the currently active processes (in minutes:seconds); and the name and arguments of the current process.

The last Command

The Solaris last command looks in the /var/adm/wtmpx file for information about users who have logged into the system. The last command displays the sessions of the specified users and terminals in chronological order. For each user, last displays the time when the session began, the duration of the session, and the terminal where the session took place. The last command also indicates whether the session is still active or was terminated by a reboot.

For example, the command last root console lists all of root’s sessions, as well as all sessions on the console terminal:

# last root console |more 

The system responds with this:

root   pts/2   10.64.178.2         Tue May 30 11:24   still logged in 
root   pts/1   10.64.178.2         Fri May 26 14:26 - 15:47  (01:20) 
root   pts/1   10.64.178.2         Fri May 26 11:07 - 13:37  (02:29) 
root   pts/1   10.64.178.2         Fri May 26 10:12 - 10:23  (00:11) 
root   pts/1   10.64.178.2         Fri May 26 09:40 - 09:42  (00:02) 
root   console :0                  Wed May 24 16:36 - 16:38  (00:01) 
root   console :0                  Wed May 24 16:20 - 16:36  (00:15) 
root   pts/3   10.64.178.2         Wed May 24 13:52 - 14:22 (1+00:30) 
root   pts/1   ultra5.PDESIGNINC   Mon May 22 15:14 - 15:15  (00:00) 
root   pts/2   sparc21.PDESIGNINC  Wed May 10 15:53 - 15:47  (23:53) 
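The script below is an added example, not code from the book; it works on output in the format shown above rather than calling last itself. It separates sessions that are still open from completed ones, totals the completed session time per originating host (handling the day-plus form such as (1+00:30) that appears in the listing), and reports hosts that are not on an allow list the administrator supplies. The sample lines are constructed from the format above and are written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the book: summarise last(1)-style output.
# The sample lines are constructed to match the format the text shows,
# including an open session and a session longer than a day ("(1+00:30)").
WORK="${TMPDIR:-/tmp}/last-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LAST="$WORK/last.sample"
cat > "$SAMPLE_LAST" <<'EOF'
root   pts/2   10.64.178.2         Tue May 30 11:24   still logged in
root   pts/1   10.64.178.2         Fri May 26 14:26 - 15:47  (01:20)
root   console :0                  Wed May 24 16:36 - 16:38  (00:01)
root   pts/3   10.64.178.2         Wed May 24 13:52 - 14:22 (1+00:30)
root   pts/1   ultra5.PDESIGNINC   Mon May 22 15:14 - 15:15  (00:00)
EOF

# Sessions that are still active: "user tty host".
open_sessions() {
    awk '/still logged in/ { print $1, $2, $3 }' "$1"
}

# Total minutes of completed sessions per originating host, largest first.
# The duration is the last field: "(HH:MM)", or "(D+HH:MM)" for multi-day sessions.
minutes_by_host() {
    awk '
        /still logged in/ { next }            # no duration yet
        {
            d = $NF; gsub(/[()]/, "", d)      # "(1+00:30)" -> "1+00:30"
            days = 0
            if (index(d, "+")) { split(d, p, "+"); days = p[1]; d = p[2] }
            split(d, t, ":")
            total[$3] += days * 1440 + t[1] * 60 + t[2]
        }
        END { for (h in total) print total[h], h }' "$1" | sort -rn
}

# Originating hosts (third column) not in the space-separated allow list $2.
unknown_hosts() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) { seen[$3] = 1 }
        END { for (h in seen) print h }' "$1" | sort
}

echo "Open sessions:"; open_sessions "$SAMPLE_LAST"
echo "Minutes by host:"; minutes_by_host "$SAMPLE_LAST"
echo "Hosts outside the allow list:"; unknown_hosts "$SAMPLE_LAST" "10.64.178.2 :0"
```

On a real system the same functions can be fed the output of last directly (for example, last root console | tee "$WORK/last.txt", then pass that file); the allow list is the set of hosts and displays from which root logins are expected, so anything unknown_hosts prints is worth a closer look in wtmpx and loginlog.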
