To compile with support for this option, use the configure option
./configure --enable-login-watch
samhain can be compiled to monitor login/logout events of system users. For initialization, the system utmp file (the table of currently open sessions) is searched for users currently logged in. To recognize subsequent changes (i.e. logins or logouts), the system wtmp file, to which every login and logout is appended in sequence, is then used.
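The following is an added example written for this page, not samhain's own implementation: it models the procedure just described by seeding a session table from utmp and then applying the records appended to wtmp to derive login and logout events (including the "multiple logins by same user" case that the [Utmp] section below rates as crit). It assumes the glibc struct utmp layout on x86_64 (384-byte records); other platforms use a different layout. The utmp/wtmp records are constructed inline with make_record and are not captured from a real host.

```python
import struct

# Assumed record layout: glibc struct utmp on x86_64 (384 bytes). Adjust the
# format string for other platforms before pointing this at real files.
UTMP_FMT = "=hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on the assumed layout
USER_PROCESS = 7   # ut_type of a normal login session
DEAD_PROCESS = 8   # ut_type written when that session ends


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, sec):
    """Build one utmp/wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def parse_records(data):
    """Yield (ut_type, pid, line, user, host, sec) for each complete record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]


class LoginWatch:
    """Tracks open sessions per tty line and reports changes."""

    def __init__(self, utmp_bytes):
        # Initialization: every USER_PROCESS entry in utmp is a user logged in now.
        self.sessions = {}  # tty line -> user
        for ut_type, _pid, line, user, _host, _sec in parse_records(utmp_bytes):
            if ut_type == USER_PROCESS:
                self.sessions[line] = user

    def process_wtmp(self, new_wtmp_bytes):
        """Apply the wtmp records appended since the last check.

        Returns a list of (severity, event, user, line, host). Severities follow
        the [Utmp] defaults on this page: info for login/logout, crit when the
        same user now holds more than one session (SeverityLoginMulti).
        """
        events = []
        for ut_type, _pid, line, user, host, _sec in parse_records(new_wtmp_bytes):
            if ut_type == USER_PROCESS:
                if self.sessions.get(line) == user:
                    continue  # already known from utmp, not a new login
                self.sessions[line] = user
                open_count = sum(1 for u in self.sessions.values() if u == user)
                severity = "crit" if open_count > 1 else "info"
                events.append((severity, "login", user, line, host))
            elif ut_type == DEAD_PROCESS and line in self.sessions:
                # Logout records carry the tty line but usually no user name,
                # so the user is taken from the session table.
                user = self.sessions.pop(line)
                events.append(("info", "logout", user, line, ""))
        return events


def demo():
    """Run the model over constructed sample data (not captured from a host)."""
    utmp = make_record(USER_PROCESS, 1001, "pts/0", "alice", "host-a.example.net", 1700000000)
    wtmp = b"".join([
        make_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.5", 1700000100),
        make_record(USER_PROCESS, 1003, "pts/2", "alice", "10.0.0.9", 1700000200),
        make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1700000300),
    ])
    return LoginWatch(utmp).process_wtmp(wtmp)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

In the sample, alice is already logged in on pts/0 when the watch starts; bob's login is reported at info, alice's second session on pts/2 at crit, and the DEAD_PROCESS record for pts/0 closes her first session as a logout. A real implementation must also remember its offset into wtmp between checks so that each record is processed once.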
Optionally, it is possible to perform further checks for login events. All these additional checks are off by default. The following checks are provided:
- First login
Report on the first login from a host or a domain / subnet. This option is configured with the directive:
LoginCheckFirst = no|yes|domain
If set to yes, samhain will issue a report when a user logs in from some host they haven't logged in from before. If set to domain, the domain (or C-class subnet, if the host cannot be resolved) is checked instead of the host.
- Statistical outlier
Report unusual login times. This option will only take effect once a user has logged in several times, and a database of login times has been built which can be analyzed for statistical outlier detection. Since this is based on statistics, it will inevitably cause false positives (legitimate logins reported as outliers). This option is configured with the directive:
LoginCheckOutlier = no|yes|paranoid
If set to yes, samhain will issue a report when a login time is found to be an outlier with 99 per cent probability. If set to paranoid, the required outlier probability is lowered to 95 per cent, resulting in more reports and more false positives (legitimate logins reported as outliers).
- Login date (global)
Report login events occurring outside some given date restrictions. This option is configured with the directive:
LoginCheckDate = date
Possible values for date are: always, never, and workdays|saturday|sunday(list of time ranges), e.g. workdays(8:00-10:00,13:00-16:00) or saturday(08:10-17:20). To set date restrictions for workdays (Mo-Fr) and saturday and/or sunday, use LoginCheckDate multiple times. The internal time resolution is ten minutes, i.e. 8:09 will be interpreted as 8:00.
- Login date (individual)
Report login events occurring outside some date restrictions defined for the given individual user. This option, if defined for a given user, overrides the global setting above, and is configured with the directive:
LoginCheckUserDate = user:date
Here, user must be the login name for a user, and date has to be given as in the global option.
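The two date checks above are specified precisely enough to be worked through. What follows is an added example, not samhain's own code: a small evaluator for the documented LoginCheckDate / LoginCheckUserDate syntax, covering the ten-minute rounding, repeated LoginCheckDate lines for different day classes, and the per-user override. Two details the text leaves open are treated as assumptions and marked as such in the code: a day class with no ranges configured counts as restricted, and a range end is inclusive at ten-minute resolution. The configuration and login timestamps in demo() are constructed for illustration.

```python
import re
from datetime import datetime

# Directive values: "always", "never", or workdays|saturday|sunday(HH:MM-HH:MM,...)
_DAYSPEC = re.compile(r"^(workdays|saturday|sunday)\((.*)\)$")


def _slot(hhmm):
    """Minutes since midnight at the documented ten-minute resolution (8:09 -> 8:00)."""
    hours, minutes = hhmm.strip().split(":")
    return int(hours) * 60 + (int(minutes) // 10) * 10


def parse_date(value):
    """Parse a date value: 'always', 'never', or (daykey, [(start, end), ...])."""
    value = value.strip()
    if value in ("always", "never"):
        return value
    m = _DAYSPEC.match(value)
    if not m:
        raise ValueError("unrecognised date specification: %r" % value)
    ranges = []
    for item in m.group(2).split(","):
        start, end = item.split("-")
        ranges.append((_slot(start), _slot(end)))
    return m.group(1), ranges


def day_key(when):
    """Map a datetime to the day class used by the directives (Mo-Fr = workdays)."""
    return {5: "saturday", 6: "sunday"}.get(when.weekday(), "workdays")


class LoginDatePolicy:
    """Global restrictions plus per-user overrides, as the directives describe."""

    def __init__(self):
        self.global_rules = {}  # daykey -> [(start, end), ...], or "*" -> always/never
        self.user_rules = {}    # user -> same structure as global_rules

    def add_global(self, value):
        """Handle one 'LoginCheckDate = value' line; repeat for each day class."""
        self._add(self.global_rules, value)

    def add_user(self, value):
        """Handle one 'LoginCheckUserDate = user:date' line."""
        user, _, date = value.partition(":")
        self._add(self.user_rules.setdefault(user.strip(), {}), date)

    @staticmethod
    def _add(rules, value):
        parsed = parse_date(value)
        if parsed in ("always", "never"):
            rules.clear()
            rules["*"] = parsed
        else:
            daykey, ranges = parsed
            rules.setdefault(daykey, []).extend(ranges)

    def allowed(self, user, when):
        """True if the login is inside the restrictions, False if it should be reported."""
        # A per-user setting overrides the global one; no setting at all means
        # the check is not configured, so nothing is reported.
        rules = self.user_rules.get(user) or self.global_rules
        if not rules:
            return True
        if "*" in rules:
            return rules["*"] == "always"
        # Assumption: a day class with no ranges configured counts as restricted,
        # and range ends are inclusive at ten-minute resolution.
        minute = when.hour * 60 + (when.minute // 10) * 10
        return any(start <= minute <= end for start, end in rules.get(day_key(when), []))


def check_logins(policy, logins):
    """Return the (user, iso_timestamp) logins the policy would report."""
    return [(user, ts) for user, ts in logins
            if not policy.allowed(user, datetime.fromisoformat(ts))]


def demo():
    """Constructed configuration and login times (not taken from a real host)."""
    policy = LoginDatePolicy()
    policy.add_global("workdays(8:00-10:00,13:00-16:00)")
    policy.add_global("saturday(08:10-17:20)")
    policy.add_user("backup:always")
    policy.add_user("contractor:workdays(22:00-23:50)")
    logins = [
        ("alice", "2024-03-04T08:09:00"),       # Monday, rounds to 8:00: allowed
        ("alice", "2024-03-04T10:10:00"),       # just past the 10:00 end: reported
        ("alice", "2024-03-09T08:05:00"),       # Saturday before 08:10: reported
        ("alice", "2024-03-10T09:00:00"),       # Sunday, no ranges set: reported
        ("backup", "2024-03-10T03:00:00"),      # per-user 'always': allowed
        ("contractor", "2024-03-04T09:00:00"),  # per-user rule overrides global: reported
        ("contractor", "2024-03-04T22:30:00"),  # inside the per-user window: allowed
    ]
    return check_logins(policy, logins)


if __name__ == "__main__":
    for user, ts in demo():
        print("would report:", user, ts)
```

Note the contractor case: the global workdays window would have allowed a 09:00 login, but because a LoginCheckUserDate entry exists for that user, only the per-user window applies, exactly as the text states the override works.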
This facility is configured in the Utmp section of the configuration file:
[Utmp]
#
# activate (0 for switching off)
#
LoginCheckActive=1
#
# interval between checks (in seconds)
#
LoginCheckInterval=600
#
# these are the severities (see Section 1.1)
#
SeverityLogin=info
SeverityLogout=info
#
# multiple logins by same user
#
SeverityLoginMulti=crit