
How to generate a report with the last login date of all accounts (non-trusted system)

Manuel Urena
Advisor

I need to come up with a method to obtain the information on an HP-UX non-trusted system of when the users on my system last logged in. And I'm not talking about using the last(1) command or enabling auditing/accounting.

What I'm after is to find out how login(1) works when it displays something like:

"Last login: Tue Apr 12 13:45:05 2011 from hq-it-8skk8f1.h"

I think the login(1) program reads wtmp and gets this information from it. And it does it so fast!
Using last(1) on a user account not only takes forever but also lists all the entries (not the last one), so it makes it impractical/cumbersome for the type of report I'm trying to generate.

How does login(1) work so that it can display this information when one logs in?

Is it using getut(3) or something like that?

Could you please help?

Thanks,

Manuel
6 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi Manuel:

As far as I know, the information you see comes from the '/var/adm/wtmp' file and would likely be sought using the 'getutent()' library routines.

The likely difference between the speed you get during login when compared to running 'last(1M)' is that (1) you are not doing very slow I/O to your terminal; and (2) with 'last()' although the reading is backwards through the file it is through the entire file.

If the only thing of interest is the most recent login information, reading backwards until a match for the login name is found, followed by an immediate return of that information without further I/O would be very quick.

Regards!

...JRF...
Manuel Urena
Advisor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi James:

Many thanks for your insightful answer.

I've got a question. In wtmp how do you know how to distinguish between LOGIN/LOGOUT events?

By looking at wtmp(4), it's not completely clear to me how one could distinguish a LOGIN event from a LOGOUT.

Do you know how to tell?

Thanks for your help,

Manuel
James R. Ferguson
Acclaimed Contributor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi (again) Manuel:

If I recall correctly you want to match up 'ut_type' of 7 (USER_PROCESS) and 8 (DEAD_PROCESS). You can see this if you do:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/mywtmp

...and examine '/tmp/mywtmp'.

Look at '/usr/include/utmp.h' too.

Regards!

...JRF...
Manuel Urena
Advisor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Thank you James!

Actually somebody in HP suggested that I could also use:

# last -1

But the advantage of using fwtmp(1M) IMHO is that you get the nice epoch time and you could do nice things like:

if (( curr_epoch_time - last_logged_in_epoch_time > 90*86400 )); then
    print "User hasn't logged in the last 90 days"
fi

So basically by only grabbing entries of type 7, tac(1)'ing the file, parsing the file and exiting as soon as a username match is found, could possibly do the trick.

Thanks again!

Manuel

James R. Ferguson
Acclaimed Contributor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi (again) Manuel:

> So basically by only grabbing entries of type 7, tac(1)'ing the file, parsing the file and exiting as soon as a username match is found, could possibly do the trick.

That should work. A nice use of 'tac' (from the open-source world) too!

Regards!

...JRF...
Manuel Urena
Advisor

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi all,

After poking around with this I decided to create a small C program to grab what I wanted from /var/adm/wtmp. I used and modified code from Miquel van Smoorenburg's last(1) Linux implementation.

Makefile contents:

CC = cc
CFLAGS = +w1 -s -D _LARGEFILE_SOURCE

The program returns a single line of semicolon-delimited fields, with ut_user, ut_type, ut_time and ctime(ut_time) of the last time the user provided in argv[1] logged into the system according to the WTMP_FILE.

Return values for main/program:
0 -> a record was found
1 -> no record was found
2 -> WTMP_FILE/Usage error may have occurred

Example:

# ./lastLogged root
root;7;1307634320;Thu Jun 9 11:45:20 2011

Hopefully it will be useful for somebody else.

Thanks,

Manuel
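
The backwards scan discussed in this thread (read wtmp from the end, keep only ut_type 7, stop at the first username match), as an added example. It is not Manuel's lastLogged program, which is not reproduced on the page, and not code from any poster. The names last_login, write_sample and wtmp.sample are assumptions made for the example, and the record layout is whatever the local <utmp.h> defines, so a wtmp file should be read on the platform that wrote it.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* 0 = login record found (copied to *out), 1 = none found, 2 = file error. */
int last_login(const char *path, const char *user, struct utmp *out)
{
    struct utmp rec;
    long n = 0;
    int rc = 1;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return 2;
    if (fseek(fp, 0L, SEEK_END) != 0 || (n = ftell(fp)) < 0) rc = 2;
    for (n /= (long)sizeof rec; rc == 1 && n-- > 0; ) {  /* newest record first */
        if (fseek(fp, n * (long)sizeof rec, SEEK_SET) || fread(&rec, sizeof rec, 1, fp) != 1)
            rc = 2;
        else if (rec.ut_type == USER_PROCESS &&   /* 7 = login; 8 (DEAD_PROCESS) = logout */
                 strncmp(rec.ut_user, user, sizeof rec.ut_user) == 0)
            rc = 0;   /* stop at the first hit: no further I/O */
    }
    if (rc == 0) *out = rec;
    fclose(fp);
    return rc;
}

/* Constructed sample (not real data): root in, root out, ops in, root in, root out. */
int write_sample(const char *path)
{
    static const char *user[] = {"root", "root", "ops", "root", "root"};
    static const short type[] = {USER_PROCESS, DEAD_PROCESS, USER_PROCESS, USER_PROCESS, DEAD_PROCESS};
    struct utmp r;
    size_t i, ok = 1;
    FILE *fp = fopen(path, "wb");
    for (i = 0; fp != NULL && ok == 1 && i < sizeof type / sizeof type[0]; i++) {
        memset(&r, 0, sizeof r);
        strncpy(r.ut_user, user[i], sizeof r.ut_user);
        r.ut_type = type[i];
        r.ut_time = 1307630000L + 1000L * (long)i;   /* constructed epoch times */
        ok = fwrite(&r, sizeof r, 1, fp);
    }
    return (fp != NULL && fclose(fp) == 0 && ok == 1) ? 0 : -1;
}

int main(void)
{
    struct utmp r;
    if (write_sample("wtmp.sample") != 0 || last_login("wtmp.sample", "root", &r) != 0) return 2;
    printf("%.*s;%d;%ld\n", (int)sizeof r.ut_user, r.ut_user, (int)r.ut_type, (long)r.ut_time);
    return 0;
}
```

The comparison is bounded by the size of ut_user because that field is not guaranteed to be NUL-terminated; account names longer than the field therefore match on their truncated form.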