9.5. Checking for Suspicious Account Use
Problem
You want to discover unusual or dangerous usage of accounts on your system: dormant user accounts, recent logins to system accounts, etc.
Solution
To print information about the last login for each user:
$ lastlog [-u username]To print the entire login history:
$ last [username]To print failed login attempts:
$ lastb [username]To enable recording of bad logins:
# touch /var/log/btmp # chown --reference=/var/log/wtmp /var/log/btmp # chmod --reference=/var/log/wtmp /var/log/btmp
Discussion
Attackers look for inactive accounts that are still enabled, in the hope that intrusions will escape detection for long periods of time. If Joe retired and left the organization last year, will anyone notice if his account becomes compromised? Certainly not Joe! To avoid problems like this, examine all accounts on your system for unexpected usage patterns.
Linux systems record each user’s last login time in the database /var/log/lastlog . The terminal (or X Window System display name) and remote system name, if any, are also noted. The lastlog command prints this information in a convenient, human-readable format.
Note
/var/log/lastlog is a database, not a log file. It does not grow continuously, and therefore should not be rotated. The apparent size of the file (e.g., as displayed by ls -l) is often much larger than the actual size, because the file contains “holes” for ranges of unassigned user IDs.
Access is restricted to the superuser by recent ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
