
Can I get the full timestamp from btmp?

 
Gary Cooper_1
Esteemed Contributor


HP-UX 10.20
When I use lastb to see the failed login attempts, it only gives the timestamp in:
DDD MMM dd hh:mm
Is it possible to get access to the year and also the second?

Also, the following is an extract from SecurityFocus Online (http://online.securityfocus.com/bid/3289/discussion):

"The version of 'login' shipped with HP-UX 10.26 does not record unsuccessful login attempts in 'btmp'. The btmp file is used to record bad logins."

Although I'm not using 10.26, I would be very interested to know the difference between "unsuccessful login attempts" and "bad logins"?

Thanks,

Gary Cooper
John Palmer
Honored Contributor

Re: Can I get the full timestamp from btmp?

Hi Gary,

btmp contains the binary date so you can get year and second but not with lastb.

You could try /usr/sbin/acct/fwtmp < btmp

fwtmp prints pretty much all information from a wtmp/btmp format file. You could use it to get the data and maybe awk to format it.

As to "unsuccessful login attempts" and "bad logins", I'd consider them to be the same thing.

Regards,
John
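
Added example (not part of the original thread): a shell/awk filter that turns fwtmp text into sortable timestamps with year and seconds, plus a per-user count of failed logins. The record layout, the sample lines and the function names are assumptions made for illustration; check them against real fwtmp output on your system.

```shell
#!/bin/sh
# Constructed sample of `/usr/sbin/acct/fwtmp < btmp` output (times in UTC).
# ASSUMED layout: user id line pid type exit_term exit_status epoch date,
# where date is a five-field ctime string that ends with the year.
sample_fwtmp() {
cat <<'EOF'
         pts/tc pts/tc  2311  6 0000 0000 1018051199 Fri Apr  5 23:59:59 2002
root     pts/ta pts/ta  2104  6 0000 0000 1019117040 Thu Apr 18 08:04:00 2002
bogus    pts/ta pts/ta  2104  6 0000 0000 1019117055 Thu Apr 18 08:04:15 2002
root     pts/tb pts/tb  2310  6 0000 0000 1019117102 Thu Apr 18 08:05:02 2002
EOF
}

# btmp_report (hypothetical name): reads fwtmp text on stdin and prints
#   "YYYY-MM-DD hh:mm:ss epoch user" per failed login, then one
#   "SUMMARY user count first last" line per user.
btmp_report() {
awk '
NF < 6 { next }                          # too short to hold epoch + date
{
    # Index from the right-hand end: the user field can be empty,
    # which shifts every left-hand field number.
    year = $NF; clock = $(NF-1); day = $(NF-2); mon = $(NF-3)
    epoch = $(NF-5)
    m = index("JanFebMarAprMayJunJulAugSepOctNovDec", mon)
    if (length(mon) != 3 || m % 3 != 1) next     # not a month name
    if (epoch !~ /^[0-9]+$/) next                # not an epoch value
    user = ($0 ~ /^[ \t]/) ? "(none)" : $1       # blank user column
    iso = sprintf("%04d-%02d-%02d %s", year, (m + 2) / 3, day, clock)
    print iso, epoch, user
    n[user]++
    if (!(user in first)) first[user] = iso
    last[user] = iso
}
END {
    for (u in n) print "SUMMARY", u, n[u], first[u], last[u]
}'
}

# Demo on the constructed sample; on a real system: fwtmp < btmp | btmp_report
sample_fwtmp | btmp_report
```

The SUMMARY lines come out in no particular order; pipe the output through sort if you need it ordered.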
Robin Wakefield
Honored Contributor

Re: Can I get the full timestamp from btmp?

Hi Gary,

Try:

/usr/sbin/acct/fwtmp < btmp

- this gives you more date info.

Rgds, Robin
Gary Cooper_1
Esteemed Contributor

Re: Can I get the full timestamp from btmp?

The fwtmp tip is exactly what I wanted, but I'm still a little concerned by the comment on the Security Focus web site, that I won't be seeing the whole picture.

Comments appreciated.

Thanks,

Gary
S.K. Chan
Honored Contributor

Re: Can I get the full timestamp from btmp?

What the article might have been trying to say is that "bad login" means the login id that the user is using does not exist in the system, whereas "unsuccessful login" means the userid is valid but the password authentication failed. Either way, both will be recorded in btmp. Try logging in as a "bogus" login and as a "valid" id, both with a wrong password, and btmp will capture both. I do not know if this behavior is true or not in 10.26.
Robin Wakefield
Honored Contributor
Solution

Re: Can I get the full timestamp from btmp?