artif: new artifacts to collect utmp and utmpdump results

[mnrkbys]

New artifacts to collect /var/run/utmp and results of utmpdump command. utmpdump command may help to detect tampered log files.

[tclahr]

Can we use last -f instead? I think last is more common than utmpdump no? I mean, last is available on most unix-like system. I am not sure about utmpdump.

Also, I was thinking about expanding this artifact to parse rotated (and compressed) utmp/wtmp/btmp files. Compressed ones could be read by zcat (if available on the target system).

Parsing those files would be useful in situations like AIX, where there are no parsers for utmp/wtmp/btmp out there, so UAC could use the built-in last to parse all available files.

I will work on it and commit to your PR.

[mnrkbys]

I think you are absolutely right that the last command can be used on most UNIX-like systems.
And I don't know how many systems can use the utmpdump command either (at least, it isn't installed on macOS by default).

However, the timestamp output by the last command is local time.
On the other hand, utmpdump, as the name suggests, only dumps the file contents, so the timestamp is also in UTC.
So we can easily find the wiped entries as described in the following url.

https://sandflysecurity.com/blog/using-linux-utmpdump-for-forensics-and-detecting-log-file-tampering/

[Pierre-Gronau-ndaal]

I would Use both
utmp is offering sometimes more accuracy …