
artif: new artifacts to collect utmp and utmpdump results #298

Open. Wants to merge 1 commit into base: develop
Conversation

mnrkbys (Contributor) commented Dec 9, 2024

New artifacts to collect /var/run/utmp and the results of the utmpdump command. The utmpdump command may help detect tampered log files.
tclahr (Owner) commented Dec 10, 2024

Can we use last -f instead? I think last is more common than utmpdump, no? I mean, last is available on most unix-like systems. I am not sure about utmpdump.

Also, I was thinking about expanding this artifact to parse rotated (and compressed) utmp/wtmp/btmp files. Compressed ones could be read by zcat (if available on the target system).

Parsing those files would be useful in situations like AIX, where there are no parsers for utmp/wtmp/btmp out there, so UAC could use the built-in last to parse all available files.

I will work on it and commit to your PR.

mnrkbys (Contributor, Author) commented Dec 12, 2024

I think you are absolutely right that the last command can be used on most UNIX-like systems.
And I don't know how many systems can use the utmpdump command either (at least, it isn't installed on macOS by default).

However, the timestamps output by the last command are in local time.
On the other hand, utmpdump, as the name suggests, only dumps the file contents, so the timestamps are in UTC.
So we can easily find the wiped entries, as described in the following URL.

https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering/
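To make the two points in this thread concrete (tclahr's wish to parse rotated and gzip-compressed utmp/wtmp/btmp files, and mnrkbys's point that a raw dump keeps UTC timestamps and exposes wiped entries that last would hide), here is an added example. It is not code from UAC or from this PR. It assumes the x86_64 glibc struct utmp layout (384 bytes per record; AIX, 32-bit glibc and macOS utmpx differ), the sample wtmp bytes are constructed inline, and the anomaly heuristics are the reviewer's own, not a utmpdump feature.

```python
import gzip
import struct
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on x86_64 Linux, 384 bytes per record
# (ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit, ut_session,
# ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], 20 unused bytes). Other platforms
# (AIX, 32-bit glibc, macOS utmpx) use different sizes, so check before reuse.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Split raw utmp/wtmp/btmp bytes into records, keeping the timestamp in UTC
    exactly as stored (what utmpdump prints and what `last` converts to local time)."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         tv_sec, tv_usec, *_addr) = struct.unpack(UTMP_FMT, raw)
        records.append({
            "offset": off,
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "id": _cstr(ut_id),
            "user": _cstr(user),
            "host": _cstr(host),
            "tv_sec": tv_sec,
            "tv_usec": tv_usec,
            "time_utc": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
            "zeroed": raw == b"\0" * UTMP_SIZE,
        })
    return records


def read_utmp_file(path):
    """Read a live or rotated file; a .gz rotation is decompressed in-process,
    which is what the thread proposes doing with zcat on the target."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rb") as f:
        return parse_utmp(f.read())


def find_anomalies(records, is_wtmp=True):
    """Reviewer heuristics over a dump. wtmp/btmp are only ever appended in time
    order, so an all-NUL record, a non-EMPTY record dated 1970, or a timestamp
    that jumps backwards (clock changes aside) deserves a look. In the live utmp,
    zeroed slots are reused legitimately, so only the other checks apply there."""
    anomalies = []
    last_sec = 0
    for i, r in enumerate(records):
        if r["zeroed"]:
            if is_wtmp:
                anomalies.append((i, "all-NUL record (possible wiped entry)"))
            continue
        if r["type"] != "EMPTY" and r["tv_sec"] == 0:
            anomalies.append((i, "non-EMPTY record with epoch-0 timestamp"))
        elif r["tv_sec"] < last_sec:
            anomalies.append((i, "timestamp earlier than previous record"))
        last_sec = max(last_sec, r["tv_sec"])
    return anomalies


def dump_line(r):
    """utmpdump-style one-liner (layout approximated, not byte-identical)."""
    return (f"[{r['type']:<13}] [{r['pid']:05d}] [{r['id']:<4}] [{r['user']:<8}] "
            f"[{r['line']:<12}] [{r['host']:<16}] [{r['time_utc']}]")


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Build one record; used only to construct the sample input below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a login, a record overwritten with NULs, the matching
# logout, and a record whose timestamp runs backwards (all 2024-12-09, UTC).
SAMPLE_WTMP = b"".join([
    make_record(7, 1201, "pts/0", "ts/0", "alice", "10.0.0.5", 1733731200),  # 08:00
    b"\0" * UTMP_SIZE,
    make_record(8, 1201, "pts/0", "ts/0", "", "", 1733734800),               # 09:00
    make_record(7, 1300, "pts/1", "ts/1", "bob", "10.0.0.9", 1733727600),    # 07:00
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_WTMP)
    for r in recs:
        print(dump_line(r))
    for idx, why in find_anomalies(recs):
        print(f"anomaly at record {idx} (offset {recs[idx]['offset']}): {why}")
```

Because the parser reads the raw struct, a wiped entry shows up as a 384-byte block of NULs at a fixed offset, and every time is printed in UTC with no dependence on the collecting host's timezone; last -f would render the same file in local time and silently skip the empty record.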
