The next two sections describe a few of the commands used to view information about users who have logged into the system.
As the system administrator, you’ll need to monitor system resources and watch for unusual activity. Having a method to monitor the system is useful when you suspect a breach in security. For example, you might want to monitor the login status of a particular user. Use the logins command to monitor a particular user’s activities, as follows:
Exercise 16.1 Monitoring a User’s Activity
Table 16.13 describes the information output of the logins command.
You’ll want to monitor user logins to ensure that their passwords are secure. A potential security problem is to have users without passwords (in other words, users who use a carriage return for a password). Periodically check user logins by using the following method:
Exercise 16.2 Checking for Users with Blank Passwords
Another good idea is to watch anyone who has tried to access the system but failed. You can save failed login attempts by creating the /var/adm/loginlog file with read and write permission for root only. After you create the loginlog file, all failed login activity is written to this file automatically after five failed attempts. This file does not exist by default; the system administrator must create it. To enable logging to this file as root, create the file as follows:
touch /var/adm/loginlog
The loginlog file contains one entry for each failed attempt. Each entry contains the user’s login name, the tty device, and the time of the failed attempt. If a person makes fewer than five unsuccessful attempts, none of the attempts is logged.
The following is an example of an entry in which someone tried to log in as root but failed:
# more /var/adm/loginlog
root:/dev/pts/5:Wed Apr 11 11:36:40 2002
root:/dev/pts/5:Wed Apr 11 11:36:47 2002
root:/dev/pts/5:Wed Apr 11 11:36:54 2002
root:/dev/pts/5:Wed Apr 11 11:37:02 2002
The loginlog file might grow quickly. To use the information in this file and to prevent the file from getting too large, you must check it and clear its contents occasionally. If this file shows a lot of activity, someone might be attempting to break into the computer system.
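The following shell script is an added example, not part of the book, showing how the loginlog entries described above (login name, tty device, and time of the failed attempt, separated by colons) can be summarized and the file kept from growing without bound. It creates the log with read/write permission for root only, counts failed attempts per login name and per tty, flags any login name at or above a chosen threshold, and archives and empties the file. The sample entries are constructed to match the book's format, and the script writes to a temporary path instead of /var/adm/loginlog so it can be run without root privileges; on a real system, pass /var/adm/loginlog as the path and run as root.

```shell
#!/bin/sh
# Added example (not from the book): working with /var/adm/loginlog entries.
# Entry format, as the text describes: login:tty:timestamp, one per failed attempt.

# Create the log file with read and write permission for root only.
# The path is a parameter so the sample below can run unprivileged.
create_loginlog() {
    log="$1"
    touch "$log" && chmod 600 "$log"
}

# Failed attempts per login name, most frequent first: "<count> <login>".
failed_by_user() {
    cut -d: -f1 "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Failed attempts per tty device, most frequent first: "<count> <tty>".
failed_by_tty() {
    cut -d: -f2 "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Login names with at least N failed attempts; a long list here is the
# "lot of activity" the text says may indicate a break-in attempt.
attempts_over() {
    failed_by_user "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Archive the current contents under a timestamp suffix and empty the log,
# so the file is checked and cleared as the text recommends.
rotate_loginlog() {
    log="$1"; stamp="$2"
    cp "$log" "$log.$stamp" && : > "$log"
}

# Constructed sample data in the same shape as the book's example output.
sample="${TMPDIR:-/tmp}/loginlog.sample.$$"
create_loginlog "$sample"
cat > "$sample" <<'EOF'
root:/dev/pts/5:Wed Apr 11 11:36:40 2002
root:/dev/pts/5:Wed Apr 11 11:36:47 2002
root:/dev/pts/5:Wed Apr 11 11:36:54 2002
root:/dev/pts/5:Wed Apr 11 11:37:02 2002
operator:/dev/pts/7:Wed Apr 11 11:40:10 2002
EOF

# Usage: summarize the sample (on a real system: failed_by_user /var/adm/loginlog).
failed_by_user "$sample"
failed_by_tty "$sample"
attempts_over "$sample" 4
```

Because the timestamp field itself contains colons, the script only ever cuts the first two colon-separated fields; anything after the second colon is treated as the time of the attempt.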
Use the Solaris who command to find out who is logged into a system. To obtain this information, the who command examines the /var/adm/utmpx and /var/adm/wtmpx files. The utmpx file contains user access and accounting information for the who command (as well as for the write and login commands). The wtmpx file contains the history of user access and accounting information for the utmpx file.
Without arguments, the who command lists the login account name, terminal device, login date and time, and where the user logged in. Here is an example:
# who
root       pts/3        May 11 14:47    (10.64.178.2)
root       pts/1        May 10 15:42    (sparc1.PDESIGNINC.COM)
root       pts/2        May 10 15:53    (sparc1.PDESIGNINC.COM)
root       pts/4        May 11 14:48    (pluto)
Table 16.14 lists some of the more common options used with the who command:
The whodo command produces formatted and dated output from information in the /var/adm/utmpx, /tmp/ps_data, and /proc/pid files. It displays each user logged in and the active processes owned by that user. The output shows the date, time, and machine name. For each user logged in, the system displays the device name, UID, and login time, followed by a list of active processes associated with the UID. The process list includes the device name, process ID, CPU minutes and seconds used, and process name. The following is an example of the whodo command:
whodo
The system responds with this:
Thu May 11 15:16:56 EDT 2001
holl300s
    pts/3    root     14:47
        pts/3    505    0:00 sh
        pts/3    536    0:00 whodo
    pts/1    root     15:42
        pts/1    366    0:00 sh
        pts/1    514    0:00 rlogin
        pts/1    516    0:00 rlogin
    pts/2    root     15:53
        pts/2    378    0:00 sh
    pts/4    root     14:48
        pts/4    518    0:00 sh
Use the -l option with the whodo command to get a long listing:
whodo -l
The system responds with this:
 1:11pm  up 4 day(s), 18 hr(s), 20 min(s)  3 user(s)
User     tty       login@   idle   JCPU   PCPU  what
root     console   Mon 9am  2days                /usr/dt/bin/sdt_shell -c u
root     pts/4     Mon 9am  39     4             -ksh
root     pts/6     12:00pm         6      7      whodo -l
The fields displayed are the user's login name; the name of the tty the user is on; the time of day the user logged in (in hours:minutes); the idle time, which is the time since the user last typed anything (in hours:minutes); the CPU time used by all processes and their children on that terminal (in minutes:seconds); the CPU time used by the currently active processes (in minutes:seconds); and the name and arguments of the current process.
The Solaris last command looks in the /var/adm/wtmpx file for information about users who have logged into the system. The last command displays the sessions of the specified users and terminals in chronological order. For each user, last displays the time when the session began, the duration of the session, and the terminal where the session took place. The last command also indicates whether the session is still active or was terminated by a reboot.
For example, the command last root console lists all of root’s sessions, as well as all sessions on the console terminal:
# last root console | more
The system responds with this:
root   pts/2    10.64.178.2        Tue May 30 11:24   still logged in
root   pts/1    10.64.178.2        Fri May 26 14:26 - 15:47  (01:20)
root   pts/1    10.64.178.2        Fri May 26 11:07 - 13:37  (02:29)
root   pts/1    10.64.178.2        Fri May 26 10:12 - 10:23  (00:11)
root   pts/1    10.64.178.2        Fri May 26 09:40 - 09:42  (00:02)
root   console  :0                 Wed May 24 16:36 - 16:38  (00:01)
root   console  :0                 Wed May 24 16:20 - 16:36  (00:15)
root   pts/3    10.64.178.2        Wed May 24 13:52 - 14:22  (1+00:30)
root   pts/1    ultra5.PDESIGNINC  Mon May 22 15:14 - 15:15  (00:00)
root   pts/2    sparc21.PDESIGNINC Wed May 10 15:53 - 15:47  (23:53)
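The following shell script is an added example, not from the book, that reads session records in the format the last command prints above and turns them into the kind of summary an administrator reviews when auditing who has been on the system: sessions per originating host, sessions that are still active, and sessions that lasted at least a given number of minutes. It parses the duration field in both forms shown in the output, "(hh:mm)" and "(d+hh:mm)" for sessions spanning more than a day. The sample lines are constructed from the book's example; on a real system the same functions would be fed by a pipe from last instead of sample_last.

```shell
#!/bin/sh
# Added example (not from the book): summarizing records in the format
# printed by the Solaris last command. Each line is:
#   user tty host weekday month day hh:mm  then either
#   "still logged in"  or  "- hh:mm (duration)"
# where duration is "(hh:mm)" or "(d+hh:mm)" for sessions longer than a day.

# Constructed sample, in the shape of the book's output (the hostnames and
# addresses are the book's example values, not real systems).
sample_last() {
cat <<'EOF'
root pts/2 10.64.178.2 Tue May 30 11:24 still logged in
root pts/1 10.64.178.2 Fri May 26 14:26 - 15:47 (01:20)
root console :0 Wed May 24 16:36 - 16:38 (00:01)
root pts/3 10.64.178.2 Wed May 24 13:52 - 14:22 (1+00:30)
root pts/1 ultra5.PDESIGNINC Mon May 22 15:14 - 15:15 (00:00)
EOF
}

# Sessions per originating host, most frequent first: "<count> <host>".
sessions_by_host() {
    awk '{print $3}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Records of sessions that have not ended yet.
active_sessions() {
    grep 'still logged in'
}

# Convert a last duration field to whole minutes:
# "(01:20)" -> 80, "(1+00:30)" -> 1470 (days precede the "+").
duration_minutes() {
    printf '%s\n' "$1" | awk '{
        gsub(/[()]/, "")
        days = 0
        if (index($0, "+") > 0) { split($0, p, "+"); days = p[1]; $0 = p[2] }
        split($0, t, ":")
        print days * 1440 + t[1] * 60 + t[2]
    }'
}

# Finished sessions that ran at least N minutes: "<user> <tty> <host> <minutes>".
long_sessions() {
    min="$1"
    while read -r user tty host rest; do
        case "$rest" in
            *"still logged in"*) continue ;;   # no duration to measure yet
        esac
        dur="${rest##* }"                        # last token, e.g. "(1+00:30)"
        m="$(duration_minutes "$dur")"
        if [ "$m" -ge "$min" ]; then
            echo "$user $tty $host $m"
        fi
    done
}

# Usage on the sample; on a real system replace sample_last with "last".
sample_last | sessions_by_host
sample_last | active_sessions
sample_last | long_sessions 60
```

Real last output may contain records with no host field (a local login) or "down"/"crash" markers for sessions ended by a reboot, as the text notes; those lines would need to be recognized before being passed to long_sessions, since the script assumes the five-field layout shown in the example.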