HPE Community
Operating System - HP-UX
1820636 Members
1777 Online
109626 Solutions
New Discussion юеВ

How to generate a report with the last login date of all accounts (non-trusted system)

 
Manuel Urena
Advisor

тАО06-09-2011 10:17 AM

тАО06-09-2011 10:17 AM

How to generate a report with the last login date of all accounts (non-trusted system)

I need to come up with a method to obtain the information on an HP-UX non-trusted system of when the users on my system last logged in. And I'm not talking about using the last(1) command or enabling auditing/accounting.

What I'm after is to find out how login(1) works when it displays something like:

"Last login: Tue Apr 12 13:45:05 2011 from hq-it-8skk8f1.h"

I think the login(1) program reads wtmp and get this information from it. And it does it so fast!
Using last(1) on a user account not only takes forever but also lists all the entries (not the last one) so it makes it unpractical/cumbersome for the type of report I'm trying to generate.

How does login(1) works so that it can display this information when one logins?

Is it using getut(3) or something like that?

Could you please help?

Thanks,

Manuel
0 Kudos
Reply
6 REPLIES 6
James R. Ferguson
Acclaimed Contributor

тАО06-09-2011 10:57 AM

тАО06-09-2011 10:57 AM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi Manuel:

As far as I know, the information you see comes from the '/var/adm/wtmp' file and would likely be sought using the 'getutent()' library routines.

The likely difference between the speed you get during login when compared to running 'last(1M)' is that (1) you are not doing very slow I/O to your terminal; and (2) with 'last()' although the reading is backwards through the file it is through the entire file.

If the only thing of interest is the most recent login information, reading backwards until a match for the login name is found, followed by an immediate return of that information without further I/O would be very quick.

Regards!

...JRF...
0 Kudos
Reply
Manuel Urena
Advisor

тАО06-09-2011 11:54 AM

тАО06-09-2011 11:54 AM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi James:

Many thanks for your insightful answer.

I've got a question. In wtmp how do you know how to distinguish between LOGIN/LOGOUT events?

By looking at wtmp(4)it's not completely clear to me how one could distinguish a LOGIN event from a LOGOUT.

Do you know how to tell?

Thanks for your help,

Manuel
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО06-09-2011 12:14 PM

тАО06-09-2011 12:14 PM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi (again) Manuel:

If I recall correctly you want to match up 'ut_type' of 7 (USER_PROCESS) and 8 (DEAD_PROCESS). You can see this if you do:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/mywtmp

...and examine '/tmp/mywtmp'.

Look at '/usr/include/utmp.h' too.

Regards!

...JRF...
0 Kudos
Reply
Manuel Urena
Advisor

тАО06-09-2011 01:11 PM

тАО06-09-2011 01:11 PM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Thank you James!

Actually somebody in HP suggested that I could also use:

# last -1

But the advantage to use fwtmp(1M) IMHO is that you get the nice epoch time and you could do nice things like:

if curr_epoch_time - last_logged_in_epoch_time > 90*86400 ; then
print "User hasn't logged in the last 90 days"
fi

So basically by only grabbing entries of type 7, tac(1)'ing the file, parsing the file and exiting as soon as a username match is found, could possibly do the trick.

Thanks again!

Manuel
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО06-09-2011 01:21 PM

тАО06-09-2011 01:21 PM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi (again) Manuel:

> So basically by only grabbing entries of type 7, tac(1)'ing the file, parsing the file and exiting as soon as a username match is found, could possibly do the trick.

That should work. A nice use of 'tac' (from the open-source world) too!

Regards!

...JRF...
0 Kudos
Reply
Manuel Urena
Advisor

тАО06-14-2011 07:48 AM

тАО06-14-2011 07:48 AM

Re: How to generate a report with the last login date of all accounts (non-trusted system)

Hi all,

After poking around with this I decided to create a small C program to grab what I wanted from /var/adm/wtmp. I used and modified code from Miquel van Smoorenburg's last(1) Linux implementation.

Makefile contents:

CC = cc
CFLAGS = +w1 -s -D _LARGEFILE_SOURCE

The program returns a semicolon delimited field single line, with ut_user, ut_type, ut_time and ctime(ut_time) of the last time the user provided in argv[1], logged into the system according to the WTMP_FILE.

Return values for main/program:
0 -> a record was found
1 -> no record was found
2 -> WTMP_FILE/Usage error may have occured

Example:

# ./lastLogged root
root;7;1307634320;Thu Jun 9 11:45:20 2011

Hopefully it will be useful for somebody else.

Thanks,

Manuel
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.