Linux系统中的utmp和wtmp文件的不同之处


因为最近对Linux系统的审计感兴趣(其实也因为任务在身),所以需要了解如何定位“凶手”——从众多的登录用户中找出执行了恶意/非法命令的那个人。

除了对Bash的history做审计之外(重新编译Bash,启用syslog功能),还要能找出具体的那个人——在执行sudo/su命令之前的那个用户,涉及到了两个命令:(logname)和(who am i)。又扯出了utmp和wtmp这两个文件,就有了下面的内容。

确定搜索关键字:

http://search.aol.com/aol/search?q=linux+utmp+wtmp+difference

参考链接:
Difference /var/run/utmp vs /var/log/wtmp Files In Linux

Logging is an essential part of the Linux based operating systems. The system maintains loga for activities on the system. Logs of users logged in and logged out are also maintained by the system. The files /var/run/utmp and /var/log/wtmp contains logs for logins and logouts. These two files are binary files. You cannot see them with any text editor or pager like ‘less’. Some commands use these files for their output.

/var/run/utmp file

This file contains information about the users who are currently logged onto the system. ‘who’ command uses this file to display the logged in users:

$ who
root tty1 2012-12-26 11:53
raghu tty8 2012-12-26 03:00 (:0)
raghu pts/0 2012-12-26 11:02 (:0.0)

According to the utmp manual page

The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

/var/log/wtmp file

This file is like history for utmp file, i.e. it maintains the logs of all logged in and logged out users (in the past). The ‘last’ command uses this file to display listing of last logged in users.

$ last
raghu pts/0 :0.0 Wed Dec 26 11:02 still logged in
raghu tty8 :0 Wed Dec 26 03:00 still logged in
reboot system boot 3.5.0-17-generic Wed Dec 26 03:00 - 11:30 (08:29)
raghu pts/0 :0.0 Wed Dec 26 02:18 - 02:20 (00:01)
raghu tty8 :0 Tue Dec 25 18:36 - down (07:44)
reboot system boot 3.5.0-17-generic Tue Dec 25 18:35 - 02:21 (07:45)
raghu pts/0 :0.0 Tue Dec 25 14:36 - 14:38 (00:02)
raghu pts/0 :0.0 Tue Dec 25 13:33 - 14:14 (00:40)
root pts/0 :0.0 Tue Dec 25 13:25 - 13:25 (00:00)
root pts/0 :0.0 Tue Dec 25 13:23 - 13:23 (00:00)
root pts/0 :0.0 Tue Dec 25 13:21 - 13:21 (00:00)

---output truncated---

wtmp begins Mon Nov 5 21:10:35 2012

According to the wtmp manual page

The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null username indicates a logout on the associated terminal. Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it. wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)). None of these programs creates the file, so if it is removed, record-keeping is turned off.

/var/log/btmp file

Another important file related to users logins is /var/log/btmp. This file contains bad login attempts{/var/log/btmp 文件记录的是登录失败的情况,可以使用lastb命令进行查看}. This file is used by ‘lastb’ command:

$ lastb
raghu tty8 :0 Fri Dec 21 06:36 - 06:36 (00:00)
root tty1 Tue Dec 11 14:14 - 14:14 (00:00)
raghu tty7 :0 Mon Dec 10 18:51 - 18:51 (00:00)

==

NAME
       utmp, wtmp - login records

SYNOPSIS
       #include <utmp.h>

DESCRIPTION
       The utmp file allows one to discover information about who is currently using the system.  There may be more users currently using the system, because not all programs use utmp logging.

       Warning: utmp must not be writable by the user  class  "other",  because many system programs(foolishly) depend on its integrity.  You risk faked system logfiles and modifications of system
       files if you leave utmp writable to any user other than the owner and group owner of the file.
       {utmp文件允许用户发现当前有哪些人正在使用这个系统,但是也有可能有漏掉的,以为不是所有的程序都使用utmp进行log记录。警告:utmp一定不能被设置为对other可写,因为有那么一些傻逼程序依赖于utmp文件的完整性,所以如果你将utmp文件设置为可写了之后等价于将整个系统置于风险之中!who命令使用该文件来显示相关信息}
       ==
       The wtmp file records all logins and logouts.  Its format is exactly like utmp except that a null username indicates a logout on the associated terminal.  Furthermore, the terminal name ~ with username shutdown or reboot indicates a system shutdown or reboot and the pair of terminal names |/} logs the old/new system time when date(1) changes it.  wtmp is maintained by login(1), init(8), and some versions of getty(8) (e.g., mingetty(8) or agetty(8)).  None of these programs creates the file, so if it is removed, record-keeping is turned off.{wtmp文件记录所有的login和logout操作,它的格式其实和utmp很像,只是有些许区别:不同的符号代表不同的意义。wtmp这个文件是由login/init/和某些版本的getty来维护的,但它们并不创建wtmp文件,所以一旦wtmp文件被删除,它们的记录也就被关闭了。last命令用该文件来显示历史上的用户登陆情况}

FILES
       /var/run/utmp
       /var/log/wtmp

SEE ALSO
       ac(1), date(1), last(1), login(1), who(1), getutent(3), getutmp(3), login(3), logout(3), logwtmp(3), updwtmp(3), init(8)

==

参考链接:

logname命令和getlogin()函数都是从utmp文件中获取信息的,但是,utmp这个文件又是可以被修改的,所以其实getlogin()和getpwuid(getuid())都不可信,虽然说utmp这个文件只能被提升了权限之后的用户(sudo/su之后)修改,但是总有那么一些程序比如screen等(被设置了setgid了的程序)可以对其内容进行配置/修改,而且历史上utmp文件有时候会崩溃,所以,别信这个了它不安全。

而且getlogin()这个函数还有个本地提权的漏洞:CVE-2003-0388,连exp都存在好久了(但是我在多个版本的Linux系统上测试了都没成功,因为没有实体机(tty1而不是pts/0)的缘故?)。


Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability
Bugtraq ID: 7929
Class: Access Validation Error
CVE: CVE-2003-0388
Remote: No
Local: Yes
Published: Jun 16 2003 12:00AM
Updated: Jul 11 2009 10:06PM
Credit: The discovery of this vulnerability has been credited to Karol Wiesek ([email protected]).
Vulnerable: RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Linux-PAM Linux-PAM 0.77

=EOF=


《 “Linux系统中的utmp和wtmp文件的不同之处” 》 有 13 条评论

  1. Docker中的w/uptime等命令无法显示当前登录用户,last命令无法显示历史登录用户;因为对应的「/var/run/utmp」和「/var/log/wtmp」文件存在,但内容为空,也不会进行更新,而 w/uptime/last 等命令依赖于这些文件中的内容。

  2. python修改linux日志
    https://github.com/re4lity/logtamper
    `
    躲避管理员w查看
    python logtamper.py -m 1 -u b4dboy -i 192.168.0.188

    清除指定ip的登录日志
    python logtamper.py -m 2 -u b4dboy -i 192.168.0.188

    修改上次登录时间地点
    python logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2014:05:28:10:11:12
    `

  3. 一系列可以在渗透测试时使用的辅助脚本(A collection of scripts which may come in handy during your freedom fighting activities.)
    https://github.com/JusticeRage/freedomfighting
    `
    nojail.py, 一个用Python写的日志清除工具
    share.sh, 一个安全的文件共享脚本
    autojack.py, 一个终端记录器
    listurl.py, 一个站点克隆脚本
    ersh.py, 一个加密的反弹shell
    `

  4. 安全运维之如何找到隐匿于last和w命令中的ssh登录痕迹
    https://mp.weixin.qq.com/s/kGknc9bG9Eonk8xQadIbmw
    `
    在我最近的一些安全应急响应经历中,遇到了入侵者利用一些小的有意思tricks——将自己的ssh登录痕迹隐匿于w和last命令中,这对于一些经验不足或者没有相关意识的运维管理人员来说,可能不会发现这些已经发生的非法登录行为,亦或者既使觉察出有点异常,但却不理解为啥能将ssh登录痕迹隐匿于w和last命令(这种隐匿不涉及修改相关日志文件)。

    本文将会为大家介绍和阐述这种隐匿登录痕迹的手法以及如何确切的发现他们的痕迹。

    1)为什么w和last都没有记录呢?

    这是因为w 命令显示信息来源于utmp,last 来源于wtmp,并不是所有程序登录的时候都会调用utmp 和wtmp 日志记录接口,只有交互式会话,才会调用utmp 和 wtmp的日志记录接口,比如 通过tty 或者pts或者图形界面登录的都会调用utmp 和wtmp 日志记录接口,然后我们在使用w 和last 命令的时候就会发现登录信息

    2)ssh -lroot 192.168.12.51 /usr/bin/bash 为什么不属于交互式会话

    ssh -lroot 192.168.12.51 /usr/bin/bash 其实就相当于登录之后直接调用bash这个名,此时系统没有为其分配tty,不算一个完整交互式会话,只不过bash 接受输入,然后有输出,让我们误以为是交互式会话,其实不然,你可以将/usr/bin/bash 替换成/usr/bin/ls 试一下,就是简单执行一下就退出了。

    还有一种看起来更像是交互式会话的,但实际却不是的一种登录技巧,这种方式也会将登录行为隐匿于w 和 last 命令:
    ssh -T [email protected] /usr/bin/bash -i
    -T 表示不分配伪终端 (正常的会话,在分配伪终端之后才会调用utmp和wtmp的日志接口)
    /usr/bin/bash -i 表示在登录之后 调用bash命令
    -i 表示是交互式shell

    2、如何发现隐匿的ssh登录行为
    如果是隐匿的ssh正在进行,可以通过lsof 或者 netstat 或者ps 命令发现。

    其实像scp 、sftp 等也涉及到ssh登录,但却不会在w 和last中留下日志的程序,也都是因为他们不输入交互式会话。
    `
    https://news.ycombinator.com/item?id=1937139
    https://unix.stackexchange.com/questions/20070/user-logged-in-by-sftp-does-not-show-up-in-w

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注