Desired goals
The current design takes Solaris wtmpx records as input. No state is saved, so the wtmpx records for the desired period of analysis must be available and are read. Next, the login records are sorted by storing them into special containers: STL maps, i.e. key-data pairs. The important parts of each login record (the user, the originating host, and the time) are stored in a structure and then entered into a map whose key is the user. The data for this map is itself a map whose key is the originating host and whose data is a list of login records. We can therefore search for a user and get the list of unique hosts that user has logged in from. In the current proof-of-concept state, idle parameters are ignored and the report generated from the map consists of an alphabetical list of users who have logged in from "new" hosts in the last 7 days. The Achilles' heel of the current implementation is the equivalencing of hosts. Upon startup, a list of regular expressions is read in and compiled. For each login, the originating host is compared against this list of regular expressions. If a match is found, the key for the map of host to login records is set to the regular expression matched by the hostname, not the hostname itself. In this way, similar addresses such as dyn-235-190 and dyn-226-195 can be equivalenced by the regular expression "dyn-.*\\.sdsu\\.edu$". Unfortunately, this is computationally very expensive. As an example, it currently takes about 15 minutes of CPU time to process
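As an added example (not the project's own code), the following C++ sketch implements the nested-map design and the regex host equivalencing described above on constructed sample logins; the pattern list, host names and timestamps are assumptions made for illustration.

```cpp
#include <list>
#include <map>
#include <regex>
#include <string>
#include <vector>

// One login record as extracted from a wtmpx entry (constructed fields; no real wtmpx parsing here).
struct Login { std::string user; std::string host; long when; };  // when: seconds since the epoch

// user -> host key -> logins. The host key is the text of the first matching pattern,
// or the literal hostname when no pattern matches (the "equivalencing" described above).
using HostMap  = std::map<std::string, std::list<Login>>;
using LoginMap = std::map<std::string, HostMap>;
struct Pattern { std::string text; std::regex re; };

std::string canonicalHost(const std::string& host, const std::vector<Pattern>& patterns) {
    for (const auto& p : patterns)            // every login runs every pattern: the costly step
        if (std::regex_search(host, p.re)) return p.text;
    return host;
}

LoginMap buildMap(const std::vector<Login>& logins, const std::vector<std::string>& patternText) {
    std::vector<Pattern> patterns;            // compiled once at startup
    for (const auto& t : patternText) patterns.push_back({t, std::regex(t)});
    LoginMap m;
    for (const auto& l : logins) m[l.user][canonicalHost(l.host, patterns)].push_back(l);
    return m;
}

// Users with a login inside the window from a host key that has no login older than the
// window. std::map iterates in key order, so the result is already alphabetical.
std::vector<std::string> usersFromNewHosts(const LoginMap& m, long now, long window = 7 * 86400L) {
    std::vector<std::string> out;
    for (const auto& user : m) {
        for (const auto& host : user.second) {
            bool recent = false, seenBefore = false;
            for (const auto& l : host.second) { if (l.when >= now - window) recent = true; else seenBefore = true; }
            if (recent && !seenBefore) { out.push_back(user.first); break; }
        }
    }
    return out;
}

// Constructed sample input: three users, window ending at kNow (not real wtmpx data).
const long kNow = 1700000000L;
const std::vector<std::string> kPatterns = {"^dyn-.*\\.sdsu\\.edu$", "^lab-[0-9]+\\.sdsu\\.edu$"};
const std::vector<Login> kSample = {
    {"alice", "dyn-235-190.sdsu.edu", kNow - 30 * 86400},  // old login from the dial-up pool
    {"alice", "dyn-226-195.sdsu.edu", kNow - 2 * 86400},   // same pool via the pattern -> not new
    {"bob",   "lab-12.sdsu.edu",      kNow - 20 * 86400},
    {"bob",   "203.0.113.7",          kNow - 1 * 86400},   // literal host never seen -> new
    {"carol", "lab-3.sdsu.edu",       kNow - 3 * 86400},   // first login ever -> new
};
```

On this input the report lists bob and carol but not alice, whose two dial-up addresses collapse onto one key. Caching the host-to-key result per distinct hostname would avoid re-running every pattern for repeat hosts, which is the cost the text describes.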