Mel - To answer your question, it's very unlikely that something is changing the last successful login date in the TCB DB. There's a couple of reasons for this.
First, the TCB DB is limited to root access. That is, all files and directories below /tcb only have root permissions. So no else could be doing this (and root certainly doesn't have anything running in cron to do this). And second, why would it only be changed for these few users? If someone could change them, why wouldn't they do it to other users as well? Seems to me that if you wanted to mess with a system, even if you wanted to do it this way, you wouldn't pick on a couple of low access accounts. If you could get access to do this, you'd want to go straight for the root account or some other high profile ID. As I said before, it's just a couple of accounts on these systems. One has well over 100 accounts the other about 40 or so.
I have developed a plan of attack though. What I aim to do the next time this happens (this may take a couple of days), before I unlock the account, I will go in to the TCB DB and get the last login date for the locked account. I can then convert it to a calendar date and see when they last logged in, according to the TCB DB, which is what would be used to count inactivity. THEN, I would have a good idea if there is a problem with the system or not. My suspicion is that there's an error in a patch somewhere that for whatever reason, thinks these accounts aren't being accessed. Doing this will prove that one way or another. Right now, the dates are valid/current. If/when one gets locked again, I can validate it again. If is less than 30 days old AND the system says it is locked due to inactivity, then I'll have an issue to take to support.
Thoughts?
I'll post whatever I find here so we will all have current info.
Thanks to anyone who has any suggestions!
-Gonzo
If you do nothing else in with your life, make friends with a dog.
