User Logins and Accounting

If your Mac OS X computer is shared among multiple users, keeping track of their activity should be a reasonably important priority. Although it's possible to limit the applications a user can run in Mac OS X (see Chapter 13, "Mail Server Security," for details), how to track their activity on the BSD subsystem isn't as obvious.

As noted earlier, there are three binary logfiles that track users: logged-in users ( utmp) , user login/logout history ( wtmp ), and each user's last login ( lastlog ). This section of the chapter will document the utilities that read these files and introduce the idea of an accounting log, which will track exactly what each user does at the command line.

Current Users: `who` and `w`

To display information about the currently logged-in users, use the w or who commands. Each displays roughly the same information, gleaned from /var/run/utmp , but in a slightly different format.

Executing who , for example, provides an output of username, controlling terminal, date, and remote hostname:

 #  who -Hu  USER     LINE     WHEN         IDLE     FROM jray     console  Nov 22 10:47 01:26 jray     ttyp1    Nov 22 11:21   . jray     ttyp2    Nov 22 11:28   . sally    ttyp3    Nov 22 11:29 00:43    (postoffice.ag.oh) jray     ttyp4    Nov 22 11:27 00:43 sally    ttyp5    Nov 22 11:28 00:43    (www.ag.ohio-stat) jray     ttyp6    Nov 22 11:35   .

NOTE

A terminal type of console indicates a login directly at the Mac OS X machine.

The syntax of who is who <options> [filename] . The options are defined in Table 19.4.

Table 19.4. `who` Command-Line Switches

Option	Description
`-m`	Displays information about only the active terminal.
`-T`	Prints a + or - after each username to indicate whether the terminal is writable (a la `write` `<username>` or `talk` `<username>` ).
`-u`	Prints idle time for each user.
`-H`	Displays column headings.
`am I`	Returns the real username of the person invoking the command.
`filename`	If a filename is given on the commandline, `who` reads the results from that file, such as `/var/log/wtmp` , and displays the login/logout records for the stored user records.

Like who , the w command produces output on the actively logged-in users, but includes uptime stats and is also capable of sorting by idle time, displaying the IP (rather than hostname) of logged-in users, and filtering the output by a single user account. w also purports to display the current active process running in each terminal, but this does not currently function in Mac OS X. (Check a Linux system to see what the output should look like.)

For example:

 #  w -i  11:55AM  up 1 day,  1:09, 8 users, load averages: 0.00, 0.00, 0.00 USER    TTY FROM              LOGIN@  IDLE WHAT jray     p7 dhcp024-210-090- 11:45AM     0 - jray     p1 -                Fri11AM     5 - jray     p6 -                Fri11AM     5 - jray     p2 -                Fri11AM 23:42 - sally    p3 postoffice.ag.oh Fri11AM 24:26 - jray     p4 -                Fri11AM 24:26 - sally    p5 www.ag.ohio-stat Fri11AM 24:26 - jray     co -                Fri10AM 25:09 -

The syntax of w is simply w <options> [username] . Table 19.5 describes the basic command options.

Table 19.5. `w` Command-Line Switches

Option	Description
`-H`	Suppresses heading.
`-i`	Sorts the output by idle time.
`-n`	Shows numeric IP addresses.
`username`	Filters the results for the specified username.

Login/Logout History: `last` and `lastlog`

The command last displays accounting information from /var/log/wtmp about who has logged in and out of the system, along with date and time of reboots, crashes, and shutdowns.

For example:

 %  last  jray      ttyp1    dhcp024-210-090- Sat Nov 23 13:01   still logged in ansci     ttyp3    dhcp35-112.ag.oh Fri Nov 22 14:16 - 15:13  (00:56) ohioline  ttyp3    dhcp35-112.ag.oh Fri Nov 22 14:15 - 14:15  (00:00) robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 14:12 - 14:20  (00:08) ansci     ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:45 - 13:26  (00:40) ansci     ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:43 - 12:43  (00:00) ohioline  ttyp1    dhcp35-112.ag.oh Fri Nov 22 12:23 - 12:31  (00:08) robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:39 - 11:56  (00:17) joe       ttyp1                     Fri Nov 22 11:38 - 11:39  (00:00) joe       ttyp1                     Fri Nov 22 11:38 - 11:38  (00:00) jray      ttyp2    despair.ag.ohio- Fri Nov 22 11:36   still logged in robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:31 - 11:38  (00:06) robyn     ttyp1    dhcp35-219.ag.oh Fri Nov 22 11:28 - 11:29  (00:00) jray      ttyp0    despair.ag.ohio- Fri Nov 22 11:28   still logged in robyn     ttyp0    dhcp35-219.ag.oh Fri Nov 22 11:25 - 11:26  (00:01) jray      ttyp1    despair.ag.ohio- Thu Nov 21 15:11 - 15:39  (00:28) ohioline  ttyp1    dhcp35-112.ag.oh Thu Nov 21 14:31 - 14:32  (00:01)

Because the wtmp can become very large on an active machine, last has a number of filtering options for narrowing your output down to a specific user or host. The last syntax is last <options> [username] . The command-line switches for these features are documented in Table 19.6.

Table 19.6. `last` Command-Line Switches

Option	Description
`-f` `<filename>`	Reads from an alternative file, rather than `/var/log/wtmp` .
`-n` `<number of lines>`	Limits the output to the specified number of lines.
`-t` `<tty filter>`	Filters the results for a specific TTY (for example, `-t console` would display all direct logins).
`-h` `<hostname or ip>`	Filters based on a hostname or IP address.
`username`	If given, only records matching the given `username` will be displayed.

A similar log to wtmp resides in /var/log/lastlog , which provides a record of the last time each system user has logged in to the machine. Unfortunately, Apple does not provide the corresponding lastlog utility to read this file with Mac OS X. Although the same information can be fetched by reading through the output of last , this provides an alternative source that isn't dependent on the wmtp for its output. If you want you use the lastlog file, a simple reader is provided at http://www.macosxunleashed.com/downloads/lastlog.c. The source, originally written for Solaris, has been slightly modified to run on Mac OS X.

The lastlog utility can be compiled ( assuming Apple's Developer Tools are installed) with gcc -o lastlog lastlog.c . The resulting executable ( lastlog ) displays the entire contents of /var/log/lastlog or limits the output to a single user by using the syntax lastlog [username] :

 %  ./lastlog  User       TTY      Date -------------------------------------------- root       console  Sat Aug 17 02:22:17 2002 jray       ttyp6    Sat Nov 23 13:14:43 2002 test       console  Sun Sep 15 11:24:24 2002

Unfortunately, the user logs discussed so far, although they let you keep track of the who, when, and where of user activity, do not provide information about what the users are doing. For that, you'll need to enable user accounting on Mac OS X.

Tracking User Activity: `accton` and `acct`

If a user on your system causes a problem (such as attacking a remote system from a Mac OS X account), you can use wtmp to find out who was logged in at the same time of the attack, but on a system with hundreds of accounts there may be a few dozen simultaneous logins at the time of attack, or even if you identify the attacker you may be required to produce forensic evidence to back up your accusations.

System-level accounting can be activated via the accton command. By default, accounting is not provided as a startup option either through the Mac OS X interface or any of the Library/StartupItems . If you want to enable full-time accounting, you have to add it as a new startup item.

The accton command takes a single parameter: the pathname of the logfile to use. If the command is given without a filename, accounting is disabled. The default logfile location is /var/account/acct , which must be created before logging can be used:

 #  mkdir -p /var/account  #  touch /var/account/acct  #  chown -R root:admin /var/account   # chmod -R 660 /var/account

After setting up the directory and logfile, start accounting with accton /var/account/acct :

 #  accton /var/account/acct

Finally, you can perform reporting on the log by using lastcomm . For example, here is a brief excerpt of the accounting log:

 Mail       -S      jray     __       201.25 secs Fri Nov 22 03:20 (22:15:28.00) iTunes     -S      jray     __         2.84 secs Sat Nov 23 01:36 (0:00:08.97) cddafs.uti -S      root     __         0.02 secs Sat Nov 23 01:36 (0:00:00.14) cddafs.uti -S      root     __         0.00 secs Sat Nov 23 01:36 (0:00:00.00) cddafs.uti -S      root     __         0.03 secs Sat Nov 23 01:36 (0:00:00.47) Terminal   -S      jray     __         3.16 secs Fri Nov 22 23:01 (3:34:24.00) tcsh       -S      jray     ttyp1      0.09 secs Fri Nov 22 23:01 (3:34:16.00) nslookup   -X      jray     ttyp1      0.02 secs Sat Nov 23 01:12 (0:24:56.00) login      -SX     jray     ttyp1      0.97 secs Fri Nov 22 23:01 (3:34:16.00) sh         -S      root     __         0.05 secs Fri Nov 22 03:15 (0:00:06.30) rm         -S      root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00) sh         -SF     root     __         0.00 secs Fri Nov 22 03:15 (0:00:04.83) cat        -S      root     __         0.00 secs Fri Nov 22 03:15 (0:00:04.80) sh         -SF     root     __         0.02 secs Fri Nov 22 03:15 (0:00:04.83) cp         -S      root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00) cat        -S      root     __         0.00 secs Fri Nov 22 03:15 (0:00:00.00)

Each line consists of the command executed, flags indicating the state of the process, the user, the controlling terminal, the CPU time used by the process, when the process was started, and, finally, the elapsed execution time of the process.

The process flags can be any combination of the following:

S . The process was run as the super user.
F . The process is the result of a fork.
D . The process terminated and wrote a core file (usually indicating a crash).
X . The process was terminated by a signal (such as is sent by the kill command).

The lastcomm utility syntax is lastcomm [-f file] [command <command> ] [user <user> ] [terminal <terminal> ] . Table 19.7 describes these command-line options and their purposes.

Table 19.7. `lastcomm` Command-Line Switches

Option	Description
`-f` `<filename>`	Read from an alternative accounting logfile, rather than `/var/account/acct` .
`command` `<command>`	Filter the output for a specified command.
`user` `<user>`	Filter the output for a specified user.
`terminal` `<terminal>`	Filter the output for a specified terminal.

For example, to view a history of the use of emacs on my machine, I could type:

 #  lastcomm emacs  emacs      -S      root     ttyp2      0.67 secs Mon Nov 18 23:45 (0:00:27.25) emacs      -S      root     ttyp2      0.67 secs Mon Nov 18 23:43 (0:00:25.91) emacs      -       jray     ttyp2      0.62 secs Mon Nov 18 23:43 (0:00:15.86) emacs      -       jray     ttyp2      0.53 secs Mon Nov 18 23:43 (0:00:02.66)

The accounting log will grow very quickly; it will contain entries for commands that are executed via cron , spawned by other processes, or run from the Mac OS X Finder. On a busy system, you could easily see hundreds of entries per minute.

Starting `accton` at Bootup

To start accton at boot-time, create a new folder named Accounting in /Library/StartupItems . Into this folder, add two files: StartupParameters. plist and Accounting , with the following contents:

 StartupParameters.plist: {   Description     = "System Accounting";   Provides        = ("Process Accounting");   OrderPreference = "None";   Messages =   {     start = "Starting Accounting";   }; } Accounting: #!/bin/sh ## # Start Process Accounting ## . /etc/rc.common if [ "${ACCOUNTING:=-NO-}" = "-YES-" ]; then     ConsoleMessage "Starting Accounting"     /usr/sbin/accton /var/account/acct fi

Finally, add the line ACCOUNTING=-YES- to /etc/hostconfig to turn the automatic startup on.

Top

User Logins and Accounting