HPE Community
Operating System - HP-UX
1849212 Members
7403 Online
104041 Solutions
New Discussion

Re: Tracking user login

 
bhoang
Advisor

‎02-16-2001 02:23 PM

‎02-16-2001 02:23 PM

Tracking user login

Is there a command that I can use to check if a user has login at a certain date?
0 Kudos
Reply
8 REPLIES 8
James R. Ferguson
Acclaimed Contributor

‎02-16-2001 02:32 PM

‎02-16-2001 02:32 PM

Re: Tracking user login

Hi:

Yes, use 'last' (see 'man last'). If /var/adm/wtmp is present, then this file will contain a record of all logins. Do this:

# last

If /var/adm/wtmp isn't present, then you will need to first touch it to start collecting this information. Permissions should be 644 owned by root. Trim (or create) the file by redirecting /dev/null into it:

# /dev/null > /var/adm/wtmp

Bad login attempts are (corresponding) kept in /var/adm/btmp and are interrogated with 'lastb' [see same man as above].

...JRF...
0 Kudos
Reply
Jitendra_1
Trusted Contributor

‎02-16-2001 02:32 PM

‎02-16-2001 02:32 PM

Re: Tracking user login

"last" will show you all the details of users logged in and logged out.
Learning is the Key!
0 Kudos
Reply
bhoang
Advisor

‎02-16-2001 02:39 PM

‎02-16-2001 02:39 PM

Re: Tracking user login

Hi all,
I did use the Last command but it only shows me
the last two days. What command can I use to see if the user has login on, say the first of
the month.
TIA
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎02-16-2001 02:48 PM

‎02-16-2001 02:48 PM

Re: Tracking user login

Hi:

The file grows without bounds and is usually trimmed (dev/null > /var/adm/wtmp). In this case, the data you seek is gone.

...JRF...
0 Kudos
Reply
Josee Bourget-Thuma
Frequent Advisor

‎02-16-2001 05:16 PM

‎02-16-2001 05:16 PM

Re: Tracking user login

Hi Bach,

You will also find records of ftp login as well as records of those who "su" and which account they "su" to in /var/adm/syslog/syslog.log.

Take care,
Josee


Failure is not an option.
0 Kudos
Reply
Philip Chan_1
Respected Contributor

‎02-18-2001 05:58 PM

‎02-18-2001 05:58 PM

Re: Tracking user login

Hi Bach,

Besides the "last" command there is another option you could try,

1. Via SAM convert your system to "trusted" mode
2. Go into SAM -> auditing and security -> audited event
3. Make sure auditing is turned on, and the login event type should include both "success" and "failure" events

After all you can view the good and bad login attempts via the "view audit log" option.

Don't know why on your system the "last" command losted its historical data. It is the simplest way to achieve what you want so use this one if possible.

Rgds,
Philip

0 Kudos
Reply
Shannon Petry
Honored Contributor

‎02-19-2001 06:28 AM

‎02-19-2001 06:28 AM

Re: Tracking user login

One of the best tools, and least used tools is the berkely accounting package.

Read up on the man pages for runacct, pacct, and their references.

I use accounting on ALL seats. I get a monthly report on all users, each time they have logged in, for how long, what applications they ran, etc...

It's built in and free, as well as supported by HP-UX, SunOS, AIX, Irix, SCO/Unix and Linux. It gives you tons of information, most of which you wont need, but some that you do need is priceless!

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
Don Bentz
Regular Advisor

‎02-20-2001 06:16 AM

‎02-20-2001 06:16 AM

Re: Tracking user login

If the information prior to the last 2 days is important, you could restore /var/adm/wtmp to another file and use the '-f' option to the 'last' command to specify the 'old' data's collection file. BE SURE YOU DON'T restore over the top of you active file (/var/adm/wtmp).
Insecurity is our friend. It keeps you dependent.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.