Operating System - HP-UX

Re: Determining last user logon

 
Clifton Smith
Occasional Advisor

Determining last user logon

I administer a trusted system (all password entries in /tcb/files/auth/*), and need some way to determine the last logon of all users in /etc/passwd for a particular system.

Is there any way to use the u_suclog field in the tcb encrypted file or ANY other way to determine for each user in /etc/passwd when their last logon was? We are going to use this for clean up purposes on the system. Any assistance is GREATLY appreciated.
Slawomir Gora
Honored Contributor

Re: Determining last user logon

Hi,

You can use this command for each user:

last user_name | head -n1
Rodney Hills
Honored Contributor

Re: Determining last user logon

Would the "last" command work for you?

I've merged the output of "last" with "/etc/passwd" via a perl program and have generated such lists for myself.

-- Rod Hills
There be dragons...
Steven E. Protter
Exalted Contributor

Re: Determining last user logon

IF the user logged on since the last time the /var/adm/wtmp file was cleared.

last

will show it.

If not, passwd -sa might provide some useful data or some other variation, though this may only show the last time they changed their password. That isn't useless; it may be helpful.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: Determining last user logon

last userid

last userid |head -1

Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Rodney Hills
Honored Contributor
Solution

Re: Determining last user logon

Here is the perl program I used:

#!/usr/local/bin/perl
# Show last logins for every user in /etc/passwd
#
open(LASTLOGIN,"last|") || die "Can not run 'last' command\n";
while (<LASTLOGIN>) {
    next if /^\s*$/;                          # skip blank lines
    if (/^wtmp begin/) {$begin=$_ ; next};    # remember how far back wtmp goes
    # Fields: login name, tty, then the three-word date
    ($name,$tty,$date)=/(\S+)\s+(\S+)\s+(\S+\s+\S+\s+\S+)/ or next;
    $user{$name}=$date unless $user{$name};   # "last" lists newest first; keep the first seen
}
print $begin;
close(LASTLOGIN);
open(PASSWD,"/etc/passwd") || die "Can not open '/etc/passwd'\n";
while (<PASSWD>) {
    next if /^\+/;                            # skip "+" entries
    ($name,$rest)=split(":");
    $user{$name}="**NOT USED**" unless $user{$name};   # no login recorded in wtmp
}
foreach $name (sort keys(%user)) {
    printf "%-10s %s\n",$name,$user{$name};
}


HTH

-- Rod Hills
There be dragons...
Clifton Smith
Occasional Advisor

Re: Determining last user logon

Rod - Thanks!! This is just what I needed. I would like to press my luck to ask one more thing, however. I am not very familiar with Perl, and I would like to know how to narrow down the search in /etc/passwd to users with a specific word in their logon path. For instance, in the POSIX world, it would look something like "grep (string) /etc/passwd". I am unfamiliar with how to insert this into the Perl script that you have submitted. Are you, or anyone in this thread, familiar enough with Perl to add some insight?

Thanks
Rodney Hills
Honored Contributor

Re: Determining last user logon

If you look at the line

next if /^\+/;

This statement skips those lines that begin with "+". Whatever regular expression can be used. Example-

To ignore users who are using ksh.
next if /bin\/ksh/;

You could also replace the following split statement with-
($name,$pswd,$uid,$gid,$comment,$path,$shell)=split(":",$_);

Then do comparisons on a field-
next unless $comment=~/test/;

Would only keep entries with "test" in the comment field (note "unless" clause).

Perl is the Swiss Army knife for system admins.

HTH

-- Rod Hills
There be dragons...
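
Added example (not part of Rod's post or any code from this thread): a POSIX sh/awk version of the same report that also shows the wtmp horizon Steven mentions and the home-directory filter Clifton asks about. It assumes `last` prints user, tty, then the date with no host column; the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes "last" prints
# "user tty Day Mon DD HH:MM ..." newest first, with no host column.

# last_login_report LAST_OUTPUT PASSWD [HOME_REGEX]
# One line per passwd entry whose home directory matches HOME_REGEX.
last_login_report() {
    awk -v pat="${3:-}" '
        NF == 0 { next }                       # blank lines in either file
        FILENAME == ARGV[1] {                  # pass 1: saved output of last
            if ($0 ~ /^wtmp begin/) {          # how far back wtmp reaches
                horizon = $0; sub(/^wtmp begins?[ \t]*/, "", horizon); next
            }
            if (!($1 in seen)) seen[$1] = $3 " " $4 " " $5   # newest wins
            next
        }
        /^[+-]/ { next }                       # pass 2: skip +/- entries
        {
            split($0, f, ":")
            if (pat != "" && f[6] !~ pat) next
            since = (horizon != "" ? horizon : "wtmp start (unknown)")
            when = (f[1] in seen) ? seen[f[1]] : "no login since " since
            printf "%s\t%s\n", f[1], when
        }
    ' "$1" "$2"
}

# Constructed sample data: bob has two sessions, carol has none.
demo_report() {
    d=$(mktemp -d) || return 1
    cat > "$d/last.out" <<'EOF'
bob      pts/1        Tue Mar  9 14:02 - 15:10  (01:08)
alice    pts/0        Mon Mar  8 09:15   still logged in
bob      pts/2        Fri Mar  5 08:00 - 08:30  (00:30)

wtmp begins Mon Mar  1 00:05
EOF
    cat > "$d/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:101:20:Alice:/home/alice:/usr/bin/sh
bob:*:102:20:Bob:/home/bob:/usr/bin/ksh
carol:*:103:20:Carol:/home/carol:/usr/bin/sh
+::0:0:::
EOF
    last_login_report "$d/last.out" "$d/passwd" "${1:-}"
    rm -rf "$d"
}
demo_report '^/home'    # report only accounts under /home
```

On a live system, save the output of `last` to a file and pass it with /etc/passwd. An account reported as "no login since ..." has only been idle for as long as wtmp reaches back, so check that date before removing anything.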
Patrick Wallek
Honored Contributor

Re: Determining last user logon

An easier, and quicker way to get the last login is:

# /usr/lbin/getprpw -m ulogint user_id

Slawomir Gora
Honored Contributor

Re: Determining last user logon

Hi,

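You can use a shell script:


#!/bin/sh

# Print the most recent "last" entry for each user in /etc/passwd
for user in `awk -F':' '{print $1}' /etc/passwd`
do
    RES=`last "$user" | head -n1`
    # Users with no entry in wtmp produce no output
    [ "$RES" = "" ] || echo "$RES"
done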
doug hosking
Esteemed Contributor

Re: Determining last user logon

Patrick, did you mean slogint instead of ulogint? (successful vs. unsuccessful)