artif: new artifacts to collect utmp and utmpdump results #298
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
New artifacts to collect /var/run/utmp and results of utmpdump command. utmpdump command may help to detect tampered log files.
|
Can we use Also, I was thinking about expanding this artifact to parse rotated (and compressed) utmp/wtmp/btmp files. Compressed ones could be read by zcat (if available on the target system). Parsing those files would be useful in situations like AIX, where there are no parsers for utmp/wtmp/btmp out there, so UAC could use the built-in I will work on it and commit to your PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New artifacts to collect /var/run/utmp and results of utmpdump command. utmpdump command may help to detect tampered log files.