Cover V04, I01

Login Surveillance on AIX

Thomas Richter

Monitoring user logins is important for the security of UNIX systems. System administrators need to know if someone has tried to gain unauthorized access -- if, for example, someone has experimented with passwords for a certain userid. AIX v3.2.5 maintains several files with information about logins and failed logins, including details like time and date, remote host name, and terminal names. It does not, however, provide automatic reporting facilities for that information. This article describes the files where AIX stores login information and introduces some tools which generate mail messages when suspicious activity has occurred.

Shadow Password File

The encoded user password stored in the world readable password file /etc/passwd poses a distinct security risk. Any bad guy could use the tftp command to copy this file (Wood 85; Farrow 91) either locally or remotely, and then use a password cracking program.

AIX maintains a shadow password file, /etc/security/passwd. This file contains the encrypted password and is used when the /etc/passwd file contains an exclamation mark (!) as the password for a userid. /etc/security/passwd is owned by user root and is read/writable by root only. This makes relevant user details accessible to general users while protecting the encoded password.

Figure 1 shows sample entries from /etc/passwd and /etc/security/passwd files. The first line is the user's entry in /etc/passwd; the next four lines are the user's entry in /etc/security/passwd. password is the encoded password and lastupdate contains the time and date of the last password change in seconds since 1 Jan 1970 (epoch). flags can be one of the following:

NOCHECK -- Password restrictions defined in /etc/security/login.cfg are not enforced. These restrictions define password aging, the permitted character set, and the maximum number of repetitions of a character in a password.

ADMCHG -- The password was last changed by a member of the security group. The user must change the password at the next login.

ADMIN -- Only root can change this password.

Log Files

AIX maintains several log files where login-related data is stored.

/etc/security/failedlogin contains all logins that failed for whatever reason, whether a wrong password or an invalid userid. This file contains binary data and does not record failed su commands. The contents of the file can be displayed with who /etc/security/failedlogin:

richter pts/4   Sep     09      10:50   (tiger)
root    pts/4   Sep     09      10:50   (tiger)
UNKNOWN pts/4   Sep     09      10:50   (tiger)

The output lists the userid, terminal, time and date, and the remote host if the login was from another machine. Unknown user ids are noted as UNKNOWN.

/var/adm/wtmp records all login and logout events. This file also includes entries caused by batch programs started via cron or at, as well as run-level changes caused by init. This file has the same format as /etc/security/failedlogin. This file must exist if entries are to be recorded.

/var/adm/sulog contains all invocations of the su command. It is an ASCII file and has entries like

SU 09/06 14:09 + pts/1 richter-root
SU 09/06 14:20 - pts/4 richter-root

Each line represents one invocation of su and contains date, time, terminal, success(+) or failure(-) of the command, the userid of the invoker (richter, in this case), and the authority that was gained (root). This file must exist if entries are to be recorded.
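The following is an added example, not one of the article's listings: a small reporting function that scans /var/adm/sulog lines in the format shown above and summarises failed su attempts per invoker/target pair, the kind of daily check an administrator would want mailed to them. The sample log lines are constructed here so the script runs offline; a real run would pass /var/adm/sulog as the file argument.

```shell
#!/bin/sh
# Added example (not from the article): summarise failed su attempts
# recorded in /var/adm/sulog.  Each line has the form
#   SU MM/DD hh:mm [+|-] tty invoker-target
# where "+" marks success and "-" failure.

# Constructed sample data in sulog format (not a real log).
SAMPLE_SULOG='SU 09/06 14:09 + pts/1 richter-root
SU 09/06 14:20 - pts/4 richter-root
SU 09/06 14:21 - pts/4 richter-root
SU 09/06 14:22 - pts/4 richter-root
SU 09/07 08:02 + hft/0 guest-adm
SU 09/07 08:05 - pts/2 guest-root'

# su_failures FILE THRESHOLD
# Prints "invoker target count" for every invoker/target pair whose number
# of failed su invocations reaches THRESHOLD, largest count first.
# FILE may be "-" to read standard input.
su_failures() {
    awk -v threshold="$2" '
        $1 == "SU" && $4 == "-" {
            # Split on the LAST hyphen: the target name cannot contain
            # one, while an invoker name might.
            if (match($6, /-[^-]*$/)) {
                invoker = substr($6, 1, RSTART - 1)
                target  = substr($6, RSTART + 1)
                fails[invoker " " target]++
            }
        }
        END {
            for (k in fails)
                if (fails[k] >= threshold)
                    print k, fails[k]
        }' "$1" | sort -k3,3nr
}

# report_sample [THRESHOLD]: run the report over the embedded sample.
report_sample() {
    printf '%s\n' "$SAMPLE_SULOG" | su_failures - "${1:-2}"
}

report_sample 2
```

Run daily from cron as `su_failures /var/adm/sulog 3 | mail -s "failed su attempts" root`, the report is empty (and the mail worthless) unless some pair crossed the threshold; a wrapper that checks for non-empty output before mailing keeps the administrator's mailbox quiet on normal days.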

/etc/security/lastlog contains details, such as terminal, time, and date, of each user's last successful or failed login, as in the following:

richter:
time_last_login = 779093602
tty_last_login = hft/0
host_last_login = tiger
unsuccessful_login_count = 0
time_last_unsuccessful_login = 779039875
tty_last_unsuccessful_login = hft/0
host_last_unsuccessful_login = tiger

This is an ASCII file and owned by root. The time fields are recorded in seconds since epoch. A successful login resets the field unsuccessful_login_count to zero.

All of these files except /etc/security/lastlog grow until manually reduced.

Reporting Tools

The tools I present here check /etc/security/failedlogin daily and mail the result to the system administrator. The lastlogin shell script (Listing 1) provides printable output from /etc/security/lastlog. The logins script (Listing 3) compresses and retains /var/adm/sulog and /var/adm/wtmp on a monthly basis. The reason for keeping these files on hand is that it can sometimes take time for the effects of a security breach to show up. By referring to these files, a system administrator might be able to find a recently changed system binary and use the inode/file change time to trace who was logged in at that time and which terminal or remote host was used.

Reprinting Login Data

The lastlogin shell script reads /etc/security/lastlog and reports on users according to various selection criteria. The command syntax is

lastlogin [-cnumber] [-ldays|-rdays|-udays] [-h hosts] [-t ttys] [-f file] [user...]

The following flags are supported:

-c number -- lists all users with an invalid login count greater than or equal to number.

-f file -- reads input from file; default is /etc/security/lastlog.

-h hostlist -- lists all users who logged on from a host in hostlist, which is a comma-separated list of host names. Default is any host.

-l units -- lists all users who have logged on during the last n units. If units is zero, lists the last-logged-on details of every entry. Displayed fields are time_last_login, tty_last_login, host_last_login, and unsuccessful_login_count.

-r units -- lists all users whose logon failed during the last n units. If units is zero, lists the last failed-login details of every entry. Displayed fields are time_last_unsuccessful_login, tty_last_unsuccessful_login, host_last_unsuccessful_login, and unsuccessful_login_count.

-t terminallist -- lists all users who logged on from a terminal in terminallist, which is a comma-separated list of terminal names. Default is any terminal.

-u units -- lists all users who have not logged on for more than n units. Displayed fields are time_last_login, tty_last_login, host_last_login, and unsuccessful_login_count.

units is a number optionally followed by one of the letters M, h, d, w or m, where M stands for minutes, h for hours, d for days, w for weeks and m for months. The specified number is taken in that unit and converted into seconds.

All conditions must be satisfied for an entry to match, and only one of the flags l, r, or u can be specified. If no flag is specified, -l0 is assumed. User may be one or more user names, separated by blanks. If none is given, all user entries are checked.

terminallist and hostlist are matched against the unsuccessful terminal or host names if flag -r is specified. Sample output of lastlogin looks as follows:

User        Failed         Date             Time        Tty          Host
guest       1              08-Jul-94        10:30       pts/0        os2box
adm         0              22-Aug-94        16:01       pts/3        9.20.183.155
root        0              29-Aug-94        13:29       hft/0        tiger
richter     0              8-Sep-94         16:58       hft/0        tiger

The output of lastlogin -u10 -htiger is:

User        Failed         Date             Time        Tty          Host
root        0              29-Aug-94        13:29       hft/0        tiger
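As an added example (not the article's lastlogin script, whose code is in Listing 1), the following shell function shows how the stanza format of /etc/security/lastlog described earlier can be flattened to one record per user and filtered the way the -c, -u and -h flags above describe. The data is a constructed sample in the same layout; the "current time" is a constructed constant (10 Sep 1994 00:00 UTC) so the result is reproducible, and a real run would pass `$(date +%s)` instead. Ages are given in seconds (10 days = 864000); times in the output are left as seconds since epoch, which is where a converter like cvttime would be applied.

```shell
#!/bin/sh
# Added example (not from the article): query /etc/security/lastlog the
# way lastlogin's -c, -u and -h flags do.

# Constructed sample in /etc/security/lastlog layout (the real file
# indents the fields with a tab; the parser accepts either).
SAMPLE_LASTLOG='guest:
        time_last_login = 773663400
        tty_last_login = pts/0
        host_last_login = os2box
        unsuccessful_login_count = 1
        time_last_unsuccessful_login = 773663340
        tty_last_unsuccessful_login = pts/0
        host_last_unsuccessful_login = os2box

root:
        time_last_login = 778166940
        tty_last_login = hft/0
        host_last_login = tiger
        unsuccessful_login_count = 0

richter:
        time_last_login = 779093602
        tty_last_login = hft/0
        host_last_login = tiger
        unsuccessful_login_count = 0
        time_last_unsuccessful_login = 779039875
        tty_last_unsuccessful_login = hft/0
        host_last_unsuccessful_login = tiger'

# Constructed "now": 10 Sep 1994 00:00:00 UTC (use $(date +%s) in practice).
SAMPLE_NOW=779155200

# lastlog_query FILE NOW MINFAIL MAXAGE HOSTS
#   MINFAIL  keep users with unsuccessful_login_count >= MINFAIL (0 = all)
#   MAXAGE   keep users whose last login is more than MAXAGE seconds old
#            (0 = do not filter on age), like lastlogin -u
#   HOSTS    comma-separated list of last-login hosts, empty = any host
# Prints: user failed-count time_last_login tty host
lastlog_query() {
    awk -v now="$2" -v minfail="$3" -v maxage="$4" -v hosts="$5" '
        function emit() {
            if (user == "") return
            if (fail + 0 < minfail) return
            if (maxage > 0 && now - tlogin <= maxage) return
            if (hosts != "" && !(host in want)) return
            print user, fail + 0, tlogin, tty, host
        }
        BEGIN {
            n = split(hosts, h, ",")
            for (i = 1; i <= n; i++) if (h[i] != "") want[h[i]] = 1
        }
        # A line that starts in column one and ends in ":" opens a stanza.
        /^[^ \t].*:$/ {
            emit()
            user = $1; sub(/:$/, "", user)
            fail = 0; tlogin = 0; tty = "-"; host = "-"
            next
        }
        $1 == "time_last_login"          { tlogin = $3 }
        $1 == "tty_last_login"           { tty = $3 }
        $1 == "host_last_login"          { host = $3 }
        $1 == "unsuccessful_login_count" { fail = $3 }
        END { emit() }
    ' "$1"
}

# sample_query MINFAIL MAXAGE HOSTS: run the query over the embedded sample.
sample_query() {
    printf '%s\n' "$SAMPLE_LASTLOG" | lastlog_query - "$SAMPLE_NOW" "$1" "$2" "$3"
}

# Equivalent of "lastlogin -u10 -htiger" against the sample.
sample_query 0 864000 tiger
```

Note that a missing time_last_login field is treated as 0, so a user who has never logged in counts as inactive for any age; that matches what an administrator wants from an "unused accounts" report.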

Time Conversion

/etc/security/lastlog stores the time in seconds since epoch. cvttime.c (Listing 2) converts seconds since epoch to a user-readable format, similar to the output of the date command. Invoked without any parameters, it returns the current time in seconds since epoch (seconds since 1 Jan 1970). An optional flag, -f, determines which parts of the time/date should be printed. The format is the same as for the C library function strftime.

Logfiles Maintenance

The logins shell script (Listing 3) is invoked by cron once a day. It checks if a compressed file for the last month, sulog.MM.Z or wtmp.MM.Z (where MM stands for the month), already exists in directory /var/adm/local. If this file does not exist or was created last year, the corresponding file in /var/adm is compressed and stored in directory /var/adm/local. The original is then reduced to size zero. Note that these files must exist for entries to be made.

If the size of /etc/security/failedlogin is greater than zero, the file's content is mailed to the system administrator. The file is then also reduced to size zero.
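The rotation step of the procedure above, written as an added example rather than the article's logins script (Listing 3): the log is copied into a compressed monthly archive and then truncated in place, so the file keeps existing and su, init and login can go on appending to it. Two assumptions differ from the article: gzip stands in for AIX compress (suffix .gz instead of .Z), and the archive name carries year and month (sulog.YYYYMM.gz), which makes the "created last year" check unnecessary. The demonstration runs in a throwaway directory with constructed log content.

```shell
#!/bin/sh
# Added example (not from the article): monthly archive-and-truncate of an
# append-only log such as /var/adm/sulog or /var/adm/wtmp.
# Assumption: gzip replaces compress; archive names are NAME.YYYYMM.gz.

# previous_month YYYY MM -> prints YYYYMM of the month before.
previous_month() {
    y=$1
    m=$((${2#0} - 1))          # strip a leading zero so 08 and 09 are not read as octal
    if [ "$m" -eq 0 ]; then y=$((y - 1)); m=12; fi
    printf '%04d%02d\n' "$y" "$m"
}

# rotate_monthly LOGFILE ARCHIVEDIR YYYYMM
# Returns 0 if the log was archived and truncated, 1 if an archive for that
# month already exists (nothing is done), 2 on a usage or I/O error.
rotate_monthly() {
    log=$1; dir=$2; stamp=$3
    [ -f "$log" ] || return 2
    mkdir -p "$dir" || return 2
    archive="$dir/$(basename "$log").$stamp.gz"
    [ -e "$archive" ] && return 1
    # Copy first, truncate second: the original file (and its inode) must
    # survive, because AIX only records entries into a file that exists.
    gzip -c "$log" > "$archive" || return 2
    : > "$log"
    return 0
}

# demo_rotate: exercise the function on constructed data in a temp dir and
# print "first-status second-status remaining-bytes archived-lines".
demo_rotate() {
    work=$(mktemp -d) || return 2
    printf 'SU 09/06 14:09 + pts/1 richter-root\nSU 09/06 14:20 - pts/4 richter-root\n' > "$work/sulog"
    if rotate_monthly "$work/sulog" "$work/local" 199409; then first=0; else first=$?; fi
    if rotate_monthly "$work/sulog" "$work/local" 199409; then second=0; else second=$?; fi
    size=$(( $(wc -c < "$work/sulog") ))
    lines=$(( $(gzip -dc "$work/local/sulog.199409.gz" | wc -l) ))
    rm -rf "$work"
    echo "$first $second $size $lines"
}

demo_rotate
```

A daily cron entry would call `rotate_monthly /var/adm/sulog /var/adm/local "$(previous_month "$(date +%Y)" "$(date +%m)")"`; on every day but the first run of a new month the archive already exists and the function returns 1 without touching the log.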

Summary

These tools keep the login log files small and also maintain a backup copy of recent months for reference. lastlogin enables system administrators to query user account login data and to automatically monitor user accounts.

Bibliography

Wood 85. Wood, Patrick H., and Stephen G. Kochan. UNIX System Security. Indianapolis, IN: Hayden Books, 1985.

Farrow 91. Farrow, Rik. UNIX System Security. Reading, MA: Addison-Wesley, 1991.

IBM 88. IBM. File Reference (IBM RISC System/6000), GC23-2200-04. 1988.

About the Author

Thomas Richter studied mathematics and computer science at the University of Ulm, Germany. He has worked on various UNIX platforms as a software developer, with C and C++ as his main programming languages. His projects include compiler construction, device drivers, and network programming. He has also administered various UNIX machines for the last 8 years. He worked for IBM UK for 18 months. In July 1994 he returned to Germany, where he works on device driver development. He can be reached at richter@vnet.ibm.com.