11. Monitoring login/logout events

To compile with support for this option, use the configure option

./configure --enable-login-watch

samhain can be compiled to monitor login/logout events of system users. For initialization, the system utmp file is searched for users currently logged in. To recognize changes (i.e. logouts or logins), the system wtmp file is then used.

Optionally, it is possible to perform further checks for login events. All these additional checks are off by default. The following checks are provided:

First login

Report on the first login from a host or a domain / subnet. This option is configured with the directive:

LoginCheckFirst = no|yes|domain

If set to yes, samhain will issue a report when a user logs in from some host they haven't logged in from before. If set to domain, the domain (or C-class subnet, if the host cannot be resolved) is checked instead of the host.

Statistical outlier

Report unusual login times. This option will only take effect once a user has logged in several times, and a database of login times has been built which can be analyzed for statistical outlier detection. Since this is based on statistics, it will inevitably cause false positives (legitimate logins reported as outliers). This option is configured with the directive:

LoginCheckOutlier = no|yes|paranoid

If set to yes, samhain will issue a report when a login time is found to be an outlier with 99 per cent probability. If set to paranoid, the required outlier probability is lowered to 95 per cent, resulting in more reports and more false positives (legitimate logins reported as outliers).

Login date (global)

Report login events occurring outside some given date restrictions. This option is configured with the directive:

LoginCheckDate = date

Possible values for date are: always, never, and workdays|saturday|sunday(list of time ranges), e.g. workdays(8:00-10:00,13:00-16:00) or saturday(08:10-17:20). To set date restrictions for workdays (Mo-Fr) and Saturday and/or Sunday, use LoginCheckDate multiple times. The internal time resolution is ten minutes, i.e. 8:09 will be interpreted as 8:00.

Login date (individual)

Report login events occurring outside some date restrictions defined for the given individual user. This option, if defined for a given user, overrides the global setting above, and is configured with the directive:

LoginCheckUserDate = user:date

Here, user must be the login name of a user, and date has to be given as in the global option.
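The following is an added example, not part of the samhain manual or samhain's own code. It evaluates the LoginCheckDate and LoginCheckUserDate syntax described above against sample login timestamps, so an administrator can predict which logins a given set of date restrictions would report before deploying it. The parser, the treatment of range boundaries (inclusive after truncation to ten-minute slots), the behaviour when no restriction is configured (nothing reported), and the sample configuration are assumptions drawn only from the text above, not from samhain's implementation.

```python
"""Evaluator for LoginCheckDate / LoginCheckUserDate values (added example,
not samhain's code). Semantics assumed from the manual text: 'always',
'never', or <dayclass>(<list of HH:MM-HH:MM ranges>); per-user rules override
the global ones; times are truncated to ten-minute slots (8:09 -> 8:00)."""
import re
from datetime import datetime

# Day classes the directive supports; Python weekday(): Mon=0 ... Sun=6.
DAY_CLASSES = {"workdays": {0, 1, 2, 3, 4}, "saturday": {5}, "sunday": {6}}

DATE_RE = re.compile(r"^(workdays|saturday|sunday)\((.*)\)$")
RANGE_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def to_slot(hour, minute):
    """Minutes since midnight at ten-minute resolution: 8:09 -> 480 (8:00)."""
    return hour * 60 + (minute // 10) * 10


def parse_date_value(value):
    """Parse one 'date' value into 'always', 'never', or (weekdays, ranges)."""
    value = value.strip()
    if value in ("always", "never"):
        return value
    m = DATE_RE.match(value)
    if not m:
        raise ValueError("unrecognised date value: %r" % value)
    ranges = []
    for part in m.group(2).split(","):
        r = RANGE_RE.match(part.strip())
        if not r:
            raise ValueError("bad time range: %r" % part)
        h1, m1, h2, m2 = (int(x) for x in r.groups())
        ranges.append((to_slot(h1, m1), to_slot(h2, m2)))
    return (DAY_CLASSES[m.group(1)], ranges)


class LoginDatePolicy:
    """Global LoginCheckDate rules plus per-user LoginCheckUserDate overrides."""

    def __init__(self):
        self.global_rules = []
        self.user_rules = {}

    def load(self, config_text):
        """Pick the two directives out of an [Utmp]-style config fragment."""
        for line in config_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            key = key.strip()
            if key == "LoginCheckDate":
                self.global_rules.append(parse_date_value(value))
            elif key == "LoginCheckUserDate":
                user, _, date = value.partition(":")  # first ':' separates user
                self.user_rules.setdefault(user.strip(), []).append(parse_date_value(date))
        return self

    @staticmethod
    def _allowed(rules, when):
        if not rules:
            return True  # assumption: no restriction configured -> no report
        slot = to_slot(when.hour, when.minute)
        for rule in rules:
            if rule == "always":
                return True
            if rule == "never":
                continue
            days, ranges = rule
            if when.weekday() in days and any(s <= slot <= e for s, e in ranges):
                return True
        return False

    def is_allowed(self, user, when):
        """Per-user rules, if present, replace the global rules entirely."""
        return self._allowed(self.user_rules.get(user, self.global_rules), when)

    def report(self, logins):
        """Return [(user, timestamp, 'ok' | 'REPORT'), ...] for a login list."""
        return [(u, t, "ok" if self.is_allowed(u, t) else "REPORT") for u, t in logins]


# Constructed sample configuration (hypothetical values, not from the manual).
SAMPLE_CONFIG = """
[Utmp]
LoginCheckActive=1
LoginCheckDate = workdays(8:00-10:00,13:00-16:00)
LoginCheckDate = saturday(08:10-12:00)
LoginCheckUserDate = backup:workdays(22:00-23:50)
"""

# Constructed sample logins: 2024-01-08 is a Monday, 01-13 a Saturday.
SAMPLE_LOGINS = [
    ("alice", datetime(2024, 1, 8, 8, 9)),    # truncates to 8:00 -> inside window
    ("alice", datetime(2024, 1, 8, 12, 0)),   # lunch gap -> reported
    ("alice", datetime(2024, 1, 13, 8, 5)),   # 8:05 -> 8:00, before 08:10 -> reported
    ("backup", datetime(2024, 1, 8, 23, 0)),  # user override: night shift ok
    ("backup", datetime(2024, 1, 8, 9, 0)),   # override replaces global -> reported
]

if __name__ == "__main__":
    for user, ts, verdict in LoginDatePolicy().load(SAMPLE_CONFIG).report(SAMPLE_LOGINS):
        print("%-7s %s  %s" % (user, ts.strftime("%a %Y-%m-%d %H:%M"), verdict))
```

Note that a user-specific line replaces the global windows rather than extending them, mirroring the "overrides the global setting" wording above; if a user needs both the office-hours and the night windows, list both ranges in that user's own LoginCheckUserDate value.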

This facility is configured in the Utmp section of the configuration file:

	[Utmp]
	#
	# activate (0 for switching off)
	#
	LoginCheckActive=1
	#
	# interval between checks (in seconds)
	#
	LoginCheckInterval=600
	#
	# these are the severities (see Section 1.1)
	#
	SeverityLogin=info
	SeverityLogout=info
	#
	# multiple logins by same user
	#
	SeverityLoginMulti=crit