Summary: Central Last Logging

From: John B. Folkerts 703-614-8086 (folkerjb@acq.osd.mil)
Date: Tue Nov 29 1994 - 09:45:50 CST


Posted last week:

>Does anyone have a method for centrally logging logins (to include machine
>name info)? I have tcpd running and I see several connects from other
>hosts, I'd like to easily cross-check these attempted connects with logins.
>Other than actually modifying login (because we don't have source),
>can login update a global wtmp? We have syslogs going to a single
>loghost which is more secure than other machins on the net. I'd like
>to have that same feeling about wtmp.
>
>Also, does anyone have a way of pruning wtmp without erasing?
>
> John Folkerts

Answers to Question #1: (which, by the way, is referring to logging successful
                logins, not repeated failed attempts, etc...)

---------------------------------------------
From: ken@cpatl.com

Sun's C2 package does this, up set up you secure host, export a disk that can
only be viewed by the audit user and configure C2 / praudit to only monitor
login's ( or failed login's or logout's etc )...

---------------------------------------------
From: Christian Sebeke (cs@lfi.uni-hannover.de)

currently I am evaluating the login program that comes with the
logdaemon package (ask archie for logdaemon-4.4.tar.Z). It sends
auth.debug messages logging any unsuccessful logins. They may be
logged on the loghost via /etc/syslog.conf: auth.debug
ifdef(`LOGHOST', /usr/adm/authlog, @loghost) additionally it is
configurable to restrict logins from specific domains, for specific
users, etc .... check it out.

---------------------------------------------
=============================================
---------------------------------------------

Answers to Question #2:

From: Christian Sebeke (cs@lfi.uni-hannover.de)

There is a Perl script wtmp.trim.pl I have in my archive. It is
Copyright 1993 Rahul Dhesi, <dhesi@rahul.net>. It is appended
(available at various sites under wtmp.trim.gz). Unfortunately I have
not had the time to try it yet. You don't have Perl? Get hold of it
soon. It compiles easyly even with the standard Sun cc.

---------------------------------------------

From: Jim McLean-Lipinski (jrml@dps.state.vt.us)

/********************************************************************/
/* */
/* Name: wtmp_trim.c */
/* Author: Sue Spence sues@pass.bt.co.uk */
/* Platform: SunOS 4.1.x */
/* */
/* Usage: wtmp_trim [cutoff_period in days] */
/* */
/* Description: This utility will trim the size of the wtmp file */
/* by removing all entries which are older than the */
/* CUTOFF_PERIOD value. The original wtmp file is */
/* copied to /tmp first. If no cutoff_period is */
/* given on the command line the default is 180 days. */
/* */
/* NOTE: This software is in the public domain, no warranty */
/* expressed or implied. */
/* */
/********************************************************************/

#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <utmp.h>
#include <time.h>
#include <errno.h>

#define CUTOFF_PERIOD (time_t) (180) /* in days */

int main(argc, argv)
int argc;
char **argv;
{
    struct utmp wtmp_rec;
    int old_fd, new_fd;
    int wtmp_rec_sz = sizeof(wtmp_rec);
    time_t cutoff_period, cutoff_time;

    if (argc > 1)
        cutoff_period = (time_t) atoi(argv[1]);
    else
        cutoff_period = CUTOFF_PERIOD;

    /*
     * Move wtmp to /tmp/wtmp
     */
    if (system("cp /var/adm/wtmp /tmp/wtmp") < 0) {
        fprintf(stderr, "Error copying wtmp to /tmp. Exiting.\n");
        exit(1);
    }

    /*
     * Calculate the cutoff time in time_t
     */
     cutoff_time = time(NULL) - (cutoff_period * 24 * 3600);
     fprintf(stdout, "\nCutoff date is %s\n",
asctime(localtime(&cutoff_time)));

    /*
     * Open new wtmp for writing
     */
    if ((new_fd = open("/var/adm/wtmp", O_WRONLY | O_TRUNC)) < 0) {
        fprintf(stderr, "Error %d opening new wtmp file. Exiting.\n",
                errno);
        exit(1);
    }
    /*
     * Open old wtmp for reading
     */
    if ((old_fd = open("/tmp/wtmp", O_RDONLY)) < 0) {
        fprintf(stderr, "Error %d opening /tmp/wtmp file. Exiting.\n",
                errno);
        exit(1);
    }

    /*
     * Start from top of file, compare dates to see if
     * they fall within the cutoff_time.
     * When they do, start a loop which copies the rest of
     * the old wtmp file to the new one.
     */
    while (read(old_fd, &wtmp_rec, wtmp_rec_sz) == wtmp_rec_sz) {
        if (wtmp_rec.ut_time >= cutoff_time) {
            do {
                if (write(new_fd, &wtmp_rec, wtmp_rec_sz) != wtmp_rec_sz) {
                    fprintf(stderr,
                            "Error %d writing record to new wtmp file.\n",
                            errno);
                    exit(1);
                }
            } while (read(old_fd, &wtmp_rec, wtmp_rec_sz) == wtmp_rec_sz );
        }
    }
    exit(0);
}

--------------------------------------

Thanks, everyone, for the very useful responses!

John Folkerts
folkerts@acq.osd.mil



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:09:16 CDT