SUMMARY: Displaying last login time for a user
From: Chris Knorr (cknorr_at_trapsystems.com)
Date: Fri, 29 Jul 2005 10:26:25 -0400 To: firstname.lastname@example.org
How do you determine the last time any of the users on my Tru64 Unix V5.1B
system have logged in.
I got a lot of useful responses to this, all were useful in different wants.
I ultimately ended up using a script written by Chris Wincentsen that uses
It certainly looks from the reference page like lastlogin should do what you
Since /usr/sbin/acct/lastlogin is in fact just a shell script, you should be
able to read it and figure out what it's doing. From a quick read, it looks
like it expects to find the information that it needs in the
file, which it looks like it creates if it's not present. This of course
begs the question of how that file is supposed to be kept up to date; I
suspect you need to run accounting to have the data that the lastlogin
script wants present in that file, but I could be off base, I have never had
to actually create and maintain accounting on a system myself.
The data you want is probably somewhere in the wtmp file, since in most
cases, that's where the accounting data is kept by the basic tools, but
getting it into other useful forms is a challenge if you haven't mastered
the ins and outs of the Berkeley UNIX accounting that's at the core of the
Tru64 UNIX implementation.
Not an exact answer for you, but this may help. I assume that you are using
C2 (enhanced) security, so "edauth -g" will get you all of the information
for a user. Then, look at the "u_suclog" field. This will give the last
successful login time, relative to the start of the epoch, for instance
perl -e 'print localtime(1121952221)."\n"'
will convert that time to something useful:
Thu Jul 21 08:23:41 2005
The "last" command can be used to read the /var/adm/wtmp file,
which also shows login duration times.
If you have Enhanced Security enabled and haven't disabled login logging in
the Enhanced Security default file, the information you're looking for is in
the Enhanced Security account database, auth.db. You can look at this
database with the edauth tool, but you'll have to convert the times from
time_t format. See the Security manual and the man pages for edauth,
prpasswd, and default.
If you don't have Enhanced Security enabled or it's enabled but you have to
disable login logging, try enabling the audit subsystem. You can configure
the audit subsystem to log all kinds of neat stuff, including logins and
logouts. See the Security manual for more information on the audit