If your Mac OS X computer is shared among multiple users, keeping track of their activity should be a reasonably important priority. Although it's possible to limit the applications a user can run in Mac OS X (see Chapter 13, "Mail Server Security," for details), how to track their activity on the BSD subsystem isn't as obvious.
As noted earlier, there are three binary logfiles that track users: logged-in users (utmp), user login/logout history (wtmp), and each user's last login (lastlog). This section of the chapter documents the utilities that read these files and introduces the idea of an accounting log, which tracks exactly what each user does at the command line.
To display information about the currently logged-in users, use the w or who commands. Each displays roughly the same information, gleaned from /var/run/utmp, but in a slightly different format.
Executing who , for example, provides an output of username, controlling terminal, date, and remote hostname:
```
# who -Hu
USER   LINE     WHEN          IDLE   FROM
jray   console  Nov 22 10:47  01:26
jray   ttyp1    Nov 22 11:21  .
jray   ttyp2    Nov 22 11:28  .
sally  ttyp3    Nov 22 11:29  00:43  (postoffice.ag.oh)
jray   ttyp4    Nov 22 11:27  00:43
sally  ttyp5    Nov 22 11:28  00:43  (www.ag.ohio-stat)
jray   ttyp6    Nov 22 11:35  .
```
NOTE: A terminal type of console indicates a login directly at the Mac OS X machine.
The syntax of who is who <options> [filename]. The options are defined in Table 19.4.
Option | Description |
---|---|
-m | Displays information about only the active terminal. |
-T | Prints a + or - after each username to indicate whether the terminal is writable (a la write <username> or talk <username>). |
-u | Prints idle time for each user. |
-H | Displays column headings. |
am I | Returns the real username of the person invoking the command. |
filename | If a filename is given on the command line, who reads the records from that file, such as /var/log/wtmp, and displays the login/logout records it contains. |
Like who , the w command produces output on the actively logged-in users, but includes uptime stats and is also capable of sorting by idle time, displaying the IP (rather than hostname) of logged-in users, and filtering the output by a single user account. w also purports to display the current active process running in each terminal, but this does not currently function in Mac OS X. (Check a Linux system to see what the output should look like.)
For example:
```
# w -i
11:55AM  up 1 day,  1:09, 8 users, load averages: 0.00, 0.00, 0.00
USER   TTY  FROM              LOGIN@   IDLE WHAT
jray   p7   dhcp024-210-090-  11:45AM     0 -
jray   p1   -                 Fri11AM     5 -
jray   p6   -                 Fri11AM     5 -
jray   p2   -                 Fri11AM 23:42 -
sally  p3   postoffice.ag.oh  Fri11AM 24:26 -
jray   p4   -                 Fri11AM 24:26 -
sally  p5   www.ag.ohio-stat  Fri11AM 24:26 -
jray   co   -                 Fri10AM 25:09 -
```
The syntax of w is simply w <options> [username]. Table 19.5 describes the basic command options.
Option | Description |
---|---|
-H | Suppresses heading. |
-i | Sorts the output by idle time. |
-n | Shows numeric IP addresses. |
username | Filters the results for the specified username. |
The command last displays accounting information from /var/log/wtmp about who has logged in and out of the system, along with date and time of reboots, crashes, and shutdowns.
For example:
```
% last
jray      ttyp1    dhcp024-210-090- Sat Nov 23 13:01   still logged in
ansci     ttyp3    dhcp35-112.ag.oh Fri Nov 22 14:16 - 15:13  (00:56)
ohioline  ttyp3    dhcp35-112.ag.oh Fri Nov 22 14:15 - 14:15  (00:00)
robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 14:12 - 14:20  (00:08)
ansci     ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:45 - 13:26  (00:40)
ansci     ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:43 - 12:43  (00:00)
ohioline  ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:23 - 12:31  (00:08)
robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:39 - 11:56  (00:17)
joe       ttyp1                     Fri Nov 22 11:38 - 11:39  (00:00)
joe       ttyp1                     Fri Nov 22 11:38 - 11:38  (00:00)
jray      ttyp2    despair.ag.ohio- Fri Nov 22 11:36   still logged in
robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:31 - 11:38  (00:06)
robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:28 - 11:29  (00:00)
jray      ttyp0    despair.ag.ohio- Fri Nov 22 11:28   still logged in
robyn     ttyp0    dhcp35-219.ag.oh Fri Nov 22 11:25 - 11:26  (00:01)
jray      ttyp1    despair.ag.ohio- Thu Nov 21 15:11 - 15:39  (00:28)
ohioline  ttyp1    dhcp35-112.ag.oh Thu Nov 21 14:31 - 14:32  (00:01)
```
Because wtmp can become very large on an active machine, last has a number of filtering options for narrowing your output down to a specific user or host. The last syntax is last <options> [username]. The command-line switches for these features are documented in Table 19.6.
Option | Description |
---|---|
-f <filename> | Reads from an alternative file, rather than /var/log/wtmp. |
-n <number of lines> | Limits the output to the specified number of lines. |
-t <tty filter> | Filters the results for a specific TTY (for example, -t console would display all direct logins). |
-h <hostname or ip> | Filters based on a hostname or IP address. |
username | If given, only records matching the given username will be displayed. |
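Finding out who was logged in at a particular moment is the main reason to keep wtmp; the following added example (not code from the book) parses last output of the form shown above and answers that question. It assumes the year, which last does not print, is supplied by the caller, and it runs on constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format printed by last(1) on Mac OS X; not real log data.
SAMPLE_LAST = """\
jray      ttyp1    dhcp024-210-090- Sat Nov 23 13:01   still logged in
bob       ttyp4    dhcp35-220.ag.oh Fri Nov 22 23:50 - 00:10  (00:20)
ansci     ttyp3    dhcp35-112.ag.oh Fri Nov 22 14:16 - 15:13  (00:56)
robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 14:12 - 14:20  (00:08)
joe       ttyp1                     Fri Nov 22 11:38 - 11:39  (00:00)
jray      ttyp2    despair.ag.ohio- Fri Nov 22 11:36   still logged in
reboot    ~                         Thu Nov 21 09:00
"""

# user, tty, optional host, start stamp, then "- HH:MM (dur)" or "still logged in"
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*?)\s*"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2})"
    r"(?:\s+-\s+(?P<end>\d{2}:\d{2})|\s+still logged in)?"
)

def parse_stamp(stamp, year):
    """Parse last's 'Sat Nov 23 13:01' form; last omits the year, so the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %a %b %d %H:%M")

def parse_last(text, year):
    """(user, tty, host, start, end) per session; end is None while still logged in.
    Reboot/shutdown pseudo-users are skipped, as are lines that do not parse."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") in ("reboot", "shutdown"):
            continue
        start = parse_stamp(m.group("start"), year)
        end = None
        if m.group("end"):
            hh, mm = map(int, m.group("end").split(":"))
            end = start.replace(hour=hh, minute=mm)
            if end < start:              # logout clock time wrapped past midnight
                end += timedelta(days=1)
        sessions.append((m.group("user"), m.group("tty"), m.group("host"), start, end))
    return sessions

def logged_in_at(text, stamp, year):
    """Sorted usernames with a session covering the instant `stamp` (same format as last)."""
    when = parse_stamp(stamp, year)
    return sorted({user for user, _t, _h, start, end in parse_last(text, year)
                   if start <= when and (end is None or when <= end)})
```

Feed it the real output of last (or of last -f on an archived wtmp) and the stamp from your alert to get the candidate list the text describes.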
A similar log to wtmp resides in /var/log/lastlog, which records the last time each system user logged in to the machine. Unfortunately, Apple does not provide the corresponding lastlog utility to read this file with Mac OS X. Although the same information can be gathered by reading through the output of last, lastlog provides an alternative source that isn't dependent on wtmp. If you want to use the lastlog file, a simple reader is provided at http://www.macosxunleashed.com/downloads/lastlog.c. The source, originally written for Solaris, has been slightly modified to run on Mac OS X.
The lastlog utility can be compiled (assuming Apple's Developer Tools are installed) with gcc -o lastlog lastlog.c. The resulting executable (lastlog) displays the entire contents of /var/log/lastlog, or limits the output to a single user by using the syntax lastlog [username]:
```
% ./lastlog
User        TTY      Date
--------------------------------------------
root        console  Sat Aug 17 02:22:17 2002
jray        ttyp6    Sat Nov 23 13:14:43 2002
test        console  Sun Sep 15 11:24:24 2002
```
Unfortunately, the user logs discussed so far, although they let you keep track of the who, when, and where of user activity, do not provide information about what the users are doing. For that, you'll need to enable user accounting on Mac OS X.
If a user on your system causes a problem (such as attacking a remote system from a Mac OS X account), you can use wtmp to find out who was logged in at the time of the attack. On a system with hundreds of accounts, however, there may be a few dozen simultaneous logins at that time, and even if you identify the attacker you may be required to produce forensic evidence to back up your accusations.
System-level accounting can be activated via the accton command. By default, accounting is not provided as a startup option, either through the Mac OS X interface or through any of the items in /Library/StartupItems. If you want to enable full-time accounting, you have to add it as a new startup item.
The accton command takes a single parameter: the pathname of the logfile to use. If the command is given without a filename, accounting is disabled. The default logfile location is /var/account/acct , which must be created before logging can be used:
```
# mkdir -p /var/account
# touch /var/account/acct
# chown -R root:admin /var/account
# chmod -R 660 /var/account
```
After setting up the directory and logfile, start accounting with accton /var/account/acct:
```
# accton /var/account/acct
```
Finally, you can perform reporting on the log by using lastcomm. For example, here is a brief excerpt of the accounting log:
```
Mail       -S  jray     __       201.25 secs Fri Nov 22 03:20 (22:15:28.00)
iTunes     -S  jray     __         2.84 secs Sat Nov 23 01:36 (0:00:08.97)
cddafs.uti -S  root     __         0.02 secs Sat Nov 23 01:36 (0:00:00.14)
cddafs.uti -S  root     __         0.00 secs Sat Nov 23 01:36 (0:00:00.00)
cddafs.uti -S  root     __         0.03 secs Sat Nov 23 01:36 (0:00:00.47)
Terminal   -S  jray     __         3.16 secs Fri Nov 22 23:01 (3:34:24.00)
tcsh       -S  jray     ttyp1      0.09 secs Fri Nov 22 23:01 (3:34:16.00)
nslookup   -X  jray     ttyp1      0.02 secs Sat Nov 23 01:12 (0:24:56.00)
login      -SX jray     ttyp1      0.97 secs Fri Nov 22 23:01 (3:34:16.00)
sh         -S  root     __         0.05 secs Fri Nov 22 03:15 (0:00:06.30)
rm         -S  root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00)
sh         -SF root     __         0.00 secs Fri Nov 22 03:15 (0:00:04.83)
cat        -S  root     __         0.00 secs Fri Nov 22 03:15 (0:00:04.80)
sh         -SF root     __         0.02 secs Fri Nov 22 03:15 (0:00:04.83)
cp         -S  root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00)
cat        -S  root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00)
```
Each line consists of the command executed, flags indicating the state of the process, the user, the controlling terminal, the CPU time used by the process, when the process was started, and, finally, the elapsed execution time of the process.
The process flags can be any combination of the following:
- S: The process was run as the super user.
- F: The process is the result of a fork.
- D: The process terminated and wrote a core file (usually indicating a crash).
- X: The process was terminated by a signal (such as is sent by the kill command).
The lastcomm utility syntax is lastcomm [-f file] [command <command>] [user <user>] [terminal <terminal>]. Table 19.7 describes these command-line options and their purposes.
Option | Description |
---|---|
-f <filename> | Read from an alternative accounting logfile, rather than /var/account/acct. |
command <command> | Filter the output for a specified command. |
user <user> | Filter the output for a specified user. |
terminal <terminal> | Filter the output for a specified terminal. |
For example, to view a history of the use of emacs on my machine, I could type:
```
# lastcomm emacs
emacs      -S  root     ttyp2      0.67 secs Mon Nov 18 23:45 (0:00:27.25)
emacs      -S  root     ttyp2      0.67 secs Mon Nov 18 23:43 (0:00:25.91)
emacs      -   jray     ttyp2      0.62 secs Mon Nov 18 23:43 (0:00:15.86)
emacs      -   jray     ttyp2      0.53 secs Mon Nov 18 23:43 (0:00:02.66)
```
The accounting log will grow very quickly; it will contain entries for commands that are executed via cron , spawned by other processes, or run from the Mac OS X Finder. On a busy system, you could easily see hundreds of entries per minute.
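Because the log grows so fast, the useful questions are usually "which records carry a given flag, and for which user". The following added example (not code from the book) parses lastcomm lines in the format shown above, decodes the S/F/D/X flags listed earlier, and pulls out two defender-relevant subsets: processes that ran as super user under a non-root account, and processes that dumped core or were killed by a signal. The sample lines are constructed.

```python
import re

# Meaning of each lastcomm flag letter, as listed in the text above.
FLAG_MEANINGS = {
    "S": "ran as super user",
    "F": "result of a fork",
    "D": "dumped core",
    "X": "killed by a signal",
}

# Constructed lines in the format printed by lastcomm(1) on Mac OS X; not real accounting data.
SAMPLE_LASTCOMM = """\
login      -SX jray     ttyp1      0.97 secs Fri Nov 22 23:01 (3:34:16.00)
nslookup   -X  jray     ttyp1      0.02 secs Sat Nov 23 01:12 (0:24:56.00)
emacs      -S  root     ttyp2      0.67 secs Mon Nov 18 23:45 (0:00:27.25)
emacs      -   jray     ttyp2      0.62 secs Mon Nov 18 23:43 (0:00:15.86)
sh         -SF root     __         0.02 secs Fri Nov 22 03:15 (0:00:04.83)
tcsh       -SD jray     ttyp4      0.10 secs Sat Nov 23 02:10 (0:00:01.00)
"""

# command, "-" + flag letters, user, tty, CPU seconds, start stamp, (elapsed)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+-(?P<flags>[SFDX]*)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>\d+\.\d+) secs\s+(?P<start>\w{3} \w{3} +\d{1,2} \d{2}:\d{2})\s+"
    r"\((?P<elapsed>[\d:.]+)\)\s*$"
)

def parse_lastcomm(text):
    """One dict per record; lines that do not parse are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["cpu"] = float(rec["cpu"])
        rec["flags"] = set(rec["flags"])
        records.append(rec)
    return records

def explain_flags(flags):
    """Human-readable meanings for a record's flag set, in S/F/D/X order."""
    return [FLAG_MEANINGS[f] for f in "SFDX" if f in flags]

def superuser_by_nonroot(text):
    """(command, user) pairs where a non-root account ran a process with the S flag:
    the records to inspect when tracing how an account came to act with root privilege."""
    return [(r["cmd"], r["user"]) for r in parse_lastcomm(text)
            if "S" in r["flags"] and r["user"] != "root"]

def abnormal_exits(text):
    """(command, user, flags) for processes that dumped core (D) or died by signal (X)."""
    return [(r["cmd"], r["user"], sorted(r["flags"] & {"D", "X"}))
            for r in parse_lastcomm(text) if r["flags"] & {"D", "X"}]
```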
To start accton at boot time, create a new folder named Accounting in /Library/StartupItems. Into this folder, add two files, StartupParameters.plist and Accounting, with the following contents:
StartupParameters.plist:
```
{
  Description     = "System Accounting";
  Provides        = ("Process Accounting");
  OrderPreference = "None";
  Messages = {
    start = "Starting Accounting";
  };
}
```
Accounting:
```
#!/bin/sh
##
# Start Process Accounting
##
. /etc/rc.common
if [ "${ACCOUNTING:=-NO-}" = "-YES-" ]; then
    ConsoleMessage "Starting Accounting"
    /usr/sbin/accton /var/account/acct
fi
```
Finally, add the line ACCOUNTING=-YES- to /etc/hostconfig to turn the automatic startup on.