To compile with support for this option, use the configure option
./configure --enable-login-watch
samhain can be compiled to monitor login/logout events of system users. For initialization, the system utmp file is searched for users currently logged in. To recognize changes (i.e. logouts or logins), the system wtmp file is then used.
Optionally, it is possible to perform further checks for login events. All these additional checks are off by default. The following checks are provided:
Report on the first login from a host or a domain / subnet. This option is configured with the directive:
LoginCheckFirst = no|yes|domain
If set to yes, samhain will issue a report when a user logs in from some host they haven't logged in from before. If set to domain, the domain (or C-class subnet, if the host cannot be resolved) is checked instead of the host.
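The following is an added example (not samhain's own code) of the bookkeeping such a first-login check implies: a per-user history of login origins, where the origin compared is the full host for yes and the domain (or the C-class subnet of an unresolvable IP address) for domain. How samhain itself derives the domain from a host name is not described on this page, so the "drop the leftmost label" rule used here is an assumption, and the sample logins are constructed.

```python
"""Added example illustrating LoginCheckFirst = no|yes|domain (not samhain's code)."""
import ipaddress


def origin_key(host, mode):
    """Reduce a login origin to the value the check compares.

    mode "yes":    the host itself (case-insensitive).
    mode "domain": the host's domain, or the C-class (/24) subnet when the
                   origin is an IPv4 address that could not be resolved.
    """
    if mode == "yes":
        return host.lower()
    if mode != "domain":
        raise ValueError("mode must be 'yes' or 'domain'")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Resolved host name: assumption - the domain is everything after
        # the leftmost label (ws1.example.org -> example.org).
        labels = host.lower().rstrip(".").split(".")
        return ".".join(labels[1:]) if len(labels) > 1 else labels[0]
    if addr.version == 4:
        # Unresolvable IPv4 address: compare the C-class subnet.
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))
    # Assumption: IPv6 origins are compared as the full address.
    return str(addr)


class FirstLoginCheck:
    """Tracks, per user, which origins have already been seen."""

    def __init__(self, mode="no"):
        self.mode = mode
        self.seen = {}  # user -> set of origin keys

    def login(self, user, host):
        """Record a login; return a report on a first-time origin, else None."""
        if self.mode == "no":
            return None  # check disabled (the default)
        key = origin_key(host, self.mode)
        known = self.seen.setdefault(user, set())
        if key in known:
            return None
        known.add(key)
        return f"first login of {user} from {key}"


def replay(records, mode):
    """Run a sequence of (user, host) records and collect the reports."""
    check = FirstLoginCheck(mode)
    return [r for r in (check.login(u, h) for u, h in records) if r]


# Constructed sample of login origins (not real data).
SAMPLE_LOGINS = [
    ("alice", "ws1.example.org"),
    ("alice", "ws2.example.org"),
    ("alice", "10.1.2.3"),
    ("alice", "10.1.2.77"),
    ("alice", "10.1.3.1"),
]

if __name__ == "__main__":
    for line in replay(SAMPLE_LOGINS, "domain"):
        print(line)
```

With mode domain the two workstations in example.org produce a single report, as do the two addresses in 10.1.2.0/24; with mode yes every distinct host is reported once.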
Report unusual login times. This option will only take effect once a user has logged in several times, and a database of login times has been built which can be analyzed for statistical outlier detection. Since this is based on statistics, it will inevitably cause false positives (legitimate logins reported as outliers). This option is configured with the directive:
LoginCheckOutlier = no|yes|paranoid
If set to yes, samhain will issue a report when a login time is found to be an outlier with 99 per cent probability. If set to paranoid, the required outlier probability is lowered to 95 per cent, resulting in more reports and more false positives (legitimate logins reported as outliers).
Report login events occurring outside some given date restrictions. This option is configured with the directive:
LoginCheckDate = date
Possible values for date are: always, never, and workdays|saturday|sunday(list of time ranges), e.g. workdays(8:00-10:00,13:00-16:00) or saturday(08:10-17:20). To set date restrictions for workdays (Mo-Fr) and saturday and/or sunday, use LoginCheckDate multiple times. The internal time resolution is ten minutes, i.e. 8:09 will be interpreted as 8:00.
Report login events occurring outside some date restrictions defined for the given individual user. This option, if defined for a given user, overrides the global setting above, and is configured with the directive:
LoginCheckUserDate = user:date
Here, user must be the login name for a user, and date has to be given as in the global option.
This facility is configured in the Utmp section of the configuration file:
[Utmp]
#
# activate (0 for switching off)
#
LoginCheckActive=1
#
# interval between checks (in seconds)
#
LoginCheckInterval=600
#
# these are the severities (see Section 1.1)
#
SeverityLogin=info
SeverityLogout=info
#
# multiple logins by same user
#
SeverityLoginMulti=crit