To compile with support for this option, use the configure option
./configure --enable-login-watch
samhain can be
compiled to monitor login/logout events of system users. For
initialization, the system
utmp file is searched for
users currently logged in. To recognize changes (i.e. logouts
or logins), the system
wtmp file is then
used.
Optionally, it is possible to perform further checks for login events. All these additional checks are off by default. The following checks are provided:
Report on the first login from a host or a domain / subnet. This option is configured with the directive:
LoginCheckFirst =
no|yes|domain
If set to yes, samhain will issue a report when a user logs in from some host they haven't logged in from before. If set to domain, the domain (or C-class subnet, if the host cannot be resolved) is checked instead of the host.
Report unusual login times. This option will only take effect once a user has logged in several times, and a database of login times has been built which can be analyzed for statistical outlier detection. Since this is based on statistics, it will inevitably cause false positives (legitimate logins reported as outliers). This option is configured with the directive:
LoginCheckOutlier =
no|yes|paranoid
If set to yes, samhain will issue a report when a login time is found to be an outlier with 99 per cent probability. If set to paranoid, the required outlier probability is lowered to 95 per cent, resulting in more reports and more false positives (legitimate logins reported as outliers).
Report login events occuring outside some given date restrictions. This option is configured with the directive:
LoginCheckDate =
date
Possible values for
dateare:
always,
never, and
workdays|saturday|sunday(list of time
ranges), e.g.
workdays(8:00-10:00,13:00-16:00) or
saturday(08:10-17:20). To set date restriction for
workdays (Mo-Fr) and saturday and/or sunday, use
LoginCheckDate multiple times. The internal time
resolution is ten minutes, i.e. 8:09 will be
interpreted as 8:00.
Report login events occuring outside some date restrictions defined for the given individual user. This option, if defined for a given user, overrides the global setting above, and is configured with the directive:
LoginCheckUserDate =
user:date
Here,
usermust be the login name
for a user, and
datehas to be given as in
the global option.
This facility is configured in the Utmp section of the configuration file:
[Utmp] # # activate (0 for switching off) # LoginCheckActive=1 # # interval between checks (in seconds) # LoginCheckInterval=600 # # these are the severities (see section Section 1.1) # SeverityLogin=info SeverityLogout=info # # multiple logins by same user # SeverityLoginMulti=crit