Wednesday, May 7, 2008

Lastlog script for Solaris

I've done research on implementing a 'lastlog' command on Solaris. On Solaris, lastlog data is stored at /var/adm/lastlog. Here is a modified perl script:


# month names for common usage

@months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug',
'Sep', 'Oct', 'Nov', 'Dec');

while (($name, $junk, $uid) = getpwent) {
$names{$uid} = $name;


for ($uid = 0; read(LASTL, $record, 28); $uid++) {
($time, $line, $host) = unpack('l A8 A16', $record);
next unless $time;

$host = "($host)" if $host;
($sec, $min, $hour, $mday, $mon, $year) = localtime($time);

printf "%-9s%-8s%s %2d %4d %s\n",
$names{$uid}, $line, $months[$mon], $mday, 1900+$year, $host;

The original script I based the above on is located here.

The script above is confirmed to work in Solaris 9 and Solaris 10, provided perl is available.

'last' (located at /var/adm/wtmpx) and lastlog serve different purposes. The 'last' logging writes an entry for every login by every user. As such, the file will continually grow until it is rotated. For busy systems, the file may be rotated often. 'lastlog', on the other hand, only tracks the last login for a given account (technically, uid). Since lastlog does not keep track of all logins, the lastlog file does not continue to grow, and does not need to be rotated.

The difference is important if 'last' gets rotated frequently, but you need to identify inactive accounts. If the user has not logged in since the 'last' audit file was last rotated, that user will have no entries in the current file. While it is possible to look through rotated /var/adm/wtmpx files, provided they still exist, doing so is a hassle, particularly when lastlog has the information in one file.

1 comment:

Brian said...

Thanks for sharing this very readable script.

I added the following lines to truncate the unpacked strings at the first null, to avoid buffer garbage on the output. There may be a better way: I'm not a Perl expert.

$line =~ s/\000.*//g;
$host =~ s/\000.*//g;

I placed them right after the "next unless" line.