Login record problem

 
Wendy_9
Frequent Advisor

Login record problem

Hi,

I have encountered an inconsistency problem with the unsuccessful login record.

1/ From the getprpw command, I have found that account root has last unsuccessful login: Mon Jul 21 14:25:46 2003.
2/ But, from the lastb command, I cannot find any unsuccessful login of root on 21 Jul 2003.

Why does the above case occur, and why is the unsuccessful login record of root different when I get it from different commands?

Thanks

Regards,
Wendy
Steven E. Protter
Exalted Contributor

Re: Login record problem

These results should be consistent.

Do you have a cron job truncating the log files?

More ominously, is there someone else messing with your log files?

http://us-support.external.hp.com/emse/bin/doc.pl?searchtext=getprpw++lastb+different+results+trusted+system&submit.x=13&submit.y=6&from=forums&hpl=1&todo=search&searchcriteria=allwords&searchcategory=ALL&rn=25&presort=rank

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kevin Wright
Honored Contributor

Re: Login record problem

Perhaps your btmp file is corrupt.
twang
Honored Contributor

Re: Login record problem

Can you ensure that the wtmp file is not corrupted?
What I suggest is either try using wtmpfix to take a copy of the current wtmp, and take a look at this file:
# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/outfile
then read the file.

Con O'Kelly
Honored Contributor

Re: Login record problem

Hi Wendy

The commands getprpw & lastb get their information from 2 different sources.
getprpw from the file /tcb/files/auth/r/root.
lastb from /var/adm/btmp.

One possibility is that the /var/adm/btmp file has been cycled. For example, maybe there's a cron(?) script that purges it when it reaches a certain size.

Check the first entry in btmp by doing :
# lastb | tail.

Cheers
Con
Con O'Kelly
Honored Contributor

Re: Login record problem

Hi again!!

Actually, one other possibility. Are you "suing" to root? I don't think btmp logs failed su's, but getprpw will get this info.

Check your /var/adm/sulog and you may well see the unsuccessful su to root on Jul 21.


Cheers
Con
Wendy_9
Frequent Advisor

Re: Login record problem

Hi all,

There is no cron job to purge the btmp file. All records from last year to now can be found in btmp.

Therefore, I do not know why the case occurs. Any ideas?

Regards,
Wendy

PS. The system is a trusted system.
Steven E. Protter
Exalted Contributor

Re: Login record problem

The log files should be cleared periodically, but that's housekeeping.

The source of the files is different, but the data should be recorded.

I just converted a system to trusted (I should be sleeping). Is it possible you converted the system recently, perhaps after the bad root login? I doubt it but had to ask.

SEP
Wendy_9
Frequent Advisor

Re: Login record problem

Hi,

I cannot find that anyone did su to root in sulog on that day.

I want to know: if a user unsuccessfully su's to root, can any record be found in sulog?

Regards,
Wendy
Con O'Kelly
Honored Contributor

Re: Login record problem

Hi Wendy

Did you su to root??
For example:
# su - root

If you type an incorrect password, this will show up as an unsuccessful login in getprpw but will not be recorded in /var/adm/btmp, therefore lastb will not show the unsuccessful login.

You need to look at /var/adm/sulog.

What is the output of
cat /var/adm/sulog | grep root

Cheers
Con
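
Added example (not part of any post in this thread): the sulog check suggested above, narrowed to failed su attempts to one account on the day getprpw reported. The function name failed_su and the sample lines are constructed for illustration, and the code assumes the usual sulog layout of "SU MM/DD HH:MM +|- tty fromuser-touser", where "-" marks a failure.

```shell
#!/bin/sh
# failed_su FILE TARGET MM/DD
# Print sulog entries that record a FAILED su to TARGET on the given day.
# Assumed line layout: SU MM/DD HH:MM {+|-} tty fromuser-touser
# sulog stores no year, so a match on MM/DD can come from any year in the file.
failed_su() {
    awk -v target="$2" -v day="$3" '
        $1 == "SU" && $2 == day && $4 == "-" {
            # Field 6 is fromuser-touser; compare its tail with "-TARGET"
            # so that a hyphen inside the source user name does not matter.
            tail = substr($6, length($6) - length(target))
            if (tail == "-" target) print
        }' "$1"
}

# Constructed sample in sulog layout (not taken from the poster's system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
SU 07/21 09:02 + ttyp1 wendy-root
SU 07/21 14:25 - ttyp3 oper-root
SU 07/21 14:31 - ttyp3 oper-dbadmin
SU 07/22 08:15 - ttyp2 wendy-root
EOF

# The day comes from the getprpw timestamp (Mon Jul 21 14:25:46 2003).
# On a live system, pass /var/adm/sulog instead of the sample file.
failed_su "$SAMPLE" root 07/21
```

A line whose HH:MM matches the minute of the getprpw timestamp points to a failed su as the source of the record; no output means the failure was not an su that sulog captured.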
Wendy_9
Frequent Advisor

Re: Login record problem

Hi,

I have tried the normal user account. I find that the unsuccessful su login can also show in sulog. Then, does anyone have another idea for the case?

Thanks

Regards,
Wendy