Re: Strange results from userls



John DuBois wrote:

> In article <4484A356.CF99E95@xxxxxxx>,
> Steve M. Fabac, Jr. <smfabac@xxxxxxx> wrote:
>> I am trying to whip up a simple script to report on user accounts
>> that have had a failed login attempt at a later date than the
>> last successful login on the account.
>>
>> I would run the script after 06:00 hours to report
>> all accounts that were subject to unsuccessful
>> login attempts after normal business hours.
>>
>> Someone had suggested userls -A to print all tcb information
>> on all the accounts. This looked promising and so I
>> put together userls.sh (below) to isolate the two attributes
>> that are important: lastUnsuccessfulLoginTime and
>> lastSuccessfulLoginTime
>>
>> As I ran the script and developed the test for unsuccessful
>> later than successful, I see that the values returned by
>> userls are bogus: They do not accurately list the last
>> successful login and last unsuccessful login.
>
> When userls is asked to print the last successful login time, it instead prints
> the time of last successful password change. I've bugreported it.
> Meanwhile, you might use this. It reads the TCB database directly, so it isn't
> tripped up by userls.
>
> ftp://ftp.armory.com/pub/scripts/lastlogin
>
> I added a 'u' option to make comparisons like the one you want easier:
>
> lastlogin -on -Sa -u'b<u'
>
> will print the names of users whose last-login time is earlier than their
> last-successful-login time. It requires gawk.
>
> John
> --
> John DuBois spcecdt@xxxxxxxxxx KC6QKZ/AE http://www.armory.com/~spcecdt/


John,

Thank you for your reply. I downloaded your lastlogin and gawk and installed them
in /usr/local/bin.

I read the "help" information ( /usr/local/bin/lastlogin -h | less ) and it is hard
to grasp (for me).

I did find the example: " lastlogin -onbu -Sa -u'b<u && (t-u) < 86400*3' "
and added -H and -U and ran the command with the results below:

# /usr/local/bin/lastlogin -onbuU -H -Sa -u'b<u && (t-u) < 86400*10'
User TCB-Lastlog Last Failed FailTTY
rodger Fri May 12 13:58 Tue Jun 06 12:27 ttyp3

I then used scoadmin -> accountmanager -> User Login Controls and see that
SCO thinks that the last Successful Login is May 19 09:47:50

+---------------- unix: User Login Controls: rodger -----------------+ p ||
|+-- | ||--+|
| Us | Location Time || |
| | Last Successful Login: ttyp3 Fri May 19 09:47:50 CDT 2006 || |
| St | Last Failed Login: ttyp3 Tue Jun 06 12:27:28 CDT 2006 || |
|+-- | Last Logout: UNKNOWN UNKNOWN ||-+ |
|| | || ^ |
|| | || | |
|| | Failed login attempts 1 || | |
|| | since last successful login: || | |
|| | || | |
|| | Failed login attempts allowed |5___________| [*] default of 5 || | |
|| | before account is locked: || | |
|| | || * |
||* | Current Account Lock Status: Not Locked [ ] Lock Account || * |
|| | || | |
|| | || |

However, checking my rolling logs of wtmp I see:
# ls -lt /etc/*wtmp* | head -5
-rw------- 1 root sys 25380 Jun 4 05:17 /etc/wtmp10
-rw------- 1 root sys 259440 Jun 4 05:17 /etc/wtmpx10
-rw-rw---- 1 root adm 33048 May 28 05:17 /etc/wtmp9
-rw-rw---- 1 root adm 33300 May 21 05:17 /etc/wtmp8
-rw-rw---- 1 root adm 30132 May 14 05:17 /etc/wtmp7
# last -w /etc/wtmp10 |grep rodger | head -3
# last -w /etc/wtmp9 |grep rodger | head -3
# last -w /etc/wtmp8 |grep rodger | head -3
# last -w /etc/wtmp7 |grep rodger | head -3
rodger p3 ttyp3 8641 Fri May 12 13:58 00:07
rodger p4 ttyp4 6584 Thu May 11 14:16 02:42
rodger p16 ttyp16 22669 Thu May 11 10:56 01:34

Agreeing with the results from lastlogin.

# ls -la /u/rodger
total 336
drwxr-xr-x 2 rodger group 512 Jun 6 12:27 .
drwxrwxrwx 53 ericm root 3584 Jun 1 01:57 ..
-rw------- 1 rodger group 775 May 7 2004 .kshrc
-r-------- 1 rodger auth 0 May 12 13:58 .lastlogin
-rw------- 1 rodger group 1697 May 7 2004 .profile


Just a few questions about lastlogin that cropped up because
I don't understand the program fully:

# /usr/local/bin/lastlogin
Oops... got unknown home 'sh:' from statf output:
sh: statf: not found
sh: statf: not found
root (Superuser): Never logged in.
#
# /usr/local/bin/lastlogin -onbuUs -H -Sa -u'b<u && (t-u) < 86400*100'
lastlogin: Could not read activity database file "/usr/adm/activity": No such file or directory
User TCB-Lastlog Last Failed FailTT SSH Login
marsha - Tue May 16 15:35 ttyp3 -
smf Thu Mar 23 14:17 Thu Mar 23 14:33 ttyp12 -
steve - Wed Apr 12 15:03 tty01 -
rodger Fri May 12 13:58 Tue Jun 06 12:27 ttyp3 -
faxadm - Wed Mar 29 12:03 ttyp2 -

But "grep sshd /usr/adm/syslog | grep smf | tail -200" and scanning for
ssh password logins (normally by public key) for me, I see that I logged in
on May 5.

May 5 18:54:02 unix sshd[16212]: Accepted password for smf from 65.66.153.231 port 4588 ssh2
May 5 20:28:18 unix sshd[8625]: Accepted password for smf from 65.66.153.231 port 4628 ssh2
May 5 20:54:26 unix sshd[15114]: Accepted publickey for smf from 65.66.153.231 port 4637 ssh2
May 5 21:51:10 unix sshd[28726]: Accepted publickey for smf from 65.66.153.231 port 4659 ssh2


And finally, I checked the lastlogin code but unlike your nidleout program, I did not find
a model for the /etc/default/lastlogin file that the help speaks of.

Your lastlogin program is very extensive and looks like it will do what we need
to spot abandoned login attempts on user accounts. Thank you for your work.

Now if I can just get you interested in porting npassed-2.05 to SCO 5.0.7 (or if
we can request SCO include it in the Skunkware) I'll be happy.

--

Steve Fabac
S.M. Fabac & Associates
816/765-1670
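
The check this thread is after (last failed login later than last successful login), applied to sshd syslog lines of the kind quoted in the post. This is an added example, not part of the original posts and not John DuBois's lastlogin script. The function names, users and addresses are constructed, and the "Failed password for ..." line shape is assumed from OpenSSH's usual log format, since the post shows only "Accepted" lines.

```shell
#!/bin/sh
# Added example: report accounts whose newest sshd failure is later than
# their newest accepted sshd login, read from syslog-format lines on stdin.

# Constructed sample lines (hypothetical users, documentation IP range).
sample_log() {
cat <<'EOF'
May  4 09:00:00 unix sshd[100]: Failed password for alice from 192.0.2.10 port 4000 ssh2
May  5 18:54:02 unix sshd[16212]: Accepted password for alice from 192.0.2.10 port 4588 ssh2
May 12 13:58:11 unix sshd[8641]: Accepted publickey for bob from 192.0.2.20 port 4701 ssh2
May 16 15:35:40 unix sshd[7011]: Failed password for carol from 192.0.2.30 port 4555 ssh2
Jun  6 12:27:28 unix sshd[9120]: Failed password for bob from 192.0.2.20 port 4810 ssh2
Jun  6 12:30:00 unix sshd[9200]: Failed password for invalid user guest from 192.0.2.99 port 4900 ssh2
EOF
}

# Prints "user<TAB>last accepted<TAB>last failed", one flagged account per line.
failed_after_success() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        # Attempts on names that are not accounts have no login to compare with.
        if ($9 == "invalid" && $10 == "user") next
        user = $9
        # Syslog stamps carry no year: this key only orders lines within one
        # calendar year, so feed it one year of logs at a time.
        key = sprintf("%02d%02d%s", mon[$1], $2, $3)
        stamp = $1 " " $2 " " $3
        if ($6 == "Accepted") {
            if ((key "") > (ok[user] "")) { ok[user] = key; oktxt[user] = stamp }
        } else {
            if ((key "") > (bad[user] "")) { bad[user] = key; badtxt[user] = stamp }
        }
    }
    END {
        for (u in bad)
            if ((bad[u] "") > (ok[u] ""))
                printf "%s\t%s\t%s\n", u, (u in oktxt ? oktxt[u] : "-"), badtxt[u]
    }' | sort
}

sample_log | failed_after_success
```

An account with a failure and no accepted login in the input is reported with "-" in the second column; sshd logs cover only SSH sessions, so tty and telnet logins still need the TCB or wtmp data discussed above.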