Check when a user last logged in?
Assa...@gmail.com
user accounts. The problem is, I have no idea how to check when a
user last logged in!
Checking the modification date of the home folder will not work
because there are many users that use the same home folder. I had
heard SCO has some sort of built in way of checking for this, or that
there is a unix command that can do it.
Anybody out there able to help me out?
Thanks in advance!
Jean-Pierre Radley
| I'm trying to make a script that will remove/point out or delete old
| user accounts. The problem is, I have no idea how to check when a
| user last logged in!
|
| Checking the modification date of the home folder will not work
| because there are many users that use the same home folder. I had
| heard SCO has some sort of built in way of checking for this, or that
| there is a unix command that can do it.
Check the timestamp of the .lastlogin file in a user's home directory.
It seems rather idiotic to give several users the same $HOME. That
strikes me as having far more disadvantages that advantages.
But if that silly scheme was indeed adopted, then resort to:
userls -l user -x lastSuccessfulLoginTime
--
JP
Jeff Hyman
# last user_name | head -2
... or ...
# last user_name | head -2 | tail -1
- Jeff H
Jeff Hyman
Overkill:
#!/bin/ksh
###---------------------------------------------------------------------
user="logname_here" # Needed if executed from cron
LoginLog="/tmp/LoginLog" # Keep a log here
[ -t 1 ] && { echo "Last Login for User: \c" ; read user ; } ;
grep ${user} /etc/passwd > /dev/null 2>&1
case $? in
0) set `last ${user} | head -2 | tail -1` > /dev/null 2>&1
[ -t 1 ] && { echo "Last login for User ${1}: $5 $6 $7 $8" ; } ;
echo "Last login for User ${1}: $5 $6 $7 $8" >> ${LoginLog}
;;
*) [ -t 1 ] && { echo "No User ${user}" ; } ;
echo "No User ${user}" >> ${LoginLog}
;;
esac
###---------------------------------------------------------------------
Jean-Pierre Radley
Since the original poster is looking for "old user accounts", the 'last'
command is useless, because it will only provide login data for the
last one to seven days -- unless one has changed root's crontab to run
/etc/cleanup at some time other than early Sunday morining.
--
JP
Jeff Hyman
Interesting.... looks like I turned that OFF.
I personally like being able to use 'last' and go back in history.
Things do pop up from time-to-time especially around payroll
conflicts.... but thanks for the input.
- Jeff H
#! /bin/sh
# @(#) cleanup 69.1 98/02/16
---- clipped ----
# Clean up super-user log.
cp /usr/adm/sulog /usr/adm/Osulog
> /usr/adm/sulog
# If accounting isn't enabled, clean up wtmp and wtmpx,
# being careful not to create them if they don't exist.
if [ -x /usr/lib/acct/acct_enable ] && /usr/lib/acct/acct_enable -cs; then
: Do nothing - accounting will clean up wtmp and wtmpx
else
# Next 3 lines - Sun Apr 20 12:52:38 EDT 2003 - JBH
# I want the 'last' command to stick around so I can verifiy
# whos logged in or out.
sync
# [ -f /etc/wtmp ] && >/etc/wtmp
# [ -f /etc/wtmpx ] && >/etc/wtmpx
fi
# Clean up miscellaneous files.
find / -type f -name core -atime +7 -local -exec rm -f {} \;
Bill Campbell
If I were doing this, I would put something in the system
/etc/profile that added a record to a database of some kind,
postgresql, mysql, or a simple hash (bdb, gdbm, etc.) containing
the username, time, tty, and IP address if available. Then it
would be easy to simply select on usrname, max(logintime) to see
the last time somebody logged in.
Going a step further, an appropriate ``trap'' statement that
would add a record on logout could give more information.
Bill
--
INTERNET: bi...@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
Marijuana will be legal some day, because the many law students
who now smoke pot will someday become congressmen and legalize
it in order to protect themselves. -- Lenny Bruce
John DuBois
You need to use the TCB database, which records this information on a per-user
basis outside of the user's home directory. See:
ftp://ftp.armory.com/pub/scripts/lastlogin
(note the dependencies given at the top of the program -
none of which affect the TCB reports)
The help (search for "TCB" in it):
ftp://ftp.armory.com/pub/scripts/help_pages/lastlogin
Example: To get a list of all real users who haven't logged in in at least a
year:
lastlogin -onb -a -u'(t-b) > 86400*365'
What I actually use to identify long-time-since-login users is this utility,
which in turn uses lastlogin:
ftp://ftp.armory.com/pub/admin/oldusers
(note the larger dependency list!)
Help page:
ftp://ftp.armory.com/pub/admin/help_pages/oldusers
John
--
John DuBois spc...@armory.com KC6QKZ/AE http://www.armory.com/~spcecdt/
Steve M. Fabac, Jr.
Just to contribute my modifications for the groups approval/use:
I modify /etc/cleanup to keep a 10 week rotating log of wtmp
and wtmpx. I have modified this for a 26 week rotation for
a client when requested (as shown):
-rw------- 1 adm adm 324 Aug 3 04:50 /etc/wtmp1
-rw------- 1 adm adm 736 Aug 3 04:50 /etc/wtmpx1
-rw------- 1 adm adm 3528 Jul 27 04:50 /etc/wtmp25
-rw------- 1 adm adm 19136 Jul 27 04:50 /etc/wtmpx25
...
-rw------- 1 adm adm 29808 Mar 2 04:50 /etc/wtmpx4
-rw------- 1 adm adm 2412 Feb 24 04:50 /etc/wtmp3
-rw------- 1 adm adm 22080 Feb 24 04:50 /etc/wtmpx3
-rw------- 1 adm adm 3060 Feb 17 04:50 /etc/wtmp2
-rw------- 1 adm adm 28704 Feb 17 04:50 /etc/wtmpx2
lrwxrwxrwx 1 root root 36 Oct 2 2006 /etc/wtmp -> /var/opt/K/SCO/Unix/5.0.7Hw/etc/wtm
lrwxrwxrwx 1 root root 37 Oct 2 2006 /etc/wtmpx -> /var/opt/K/SCO/Unix/5.0.7Hw/etc/wtmp
*** Begin modifications
# If accounting isn't enabled, clean up wtmp and wtmpx,
# being careful not to create them if they don't exist.
if [ -x /usr/lib/acct/acct_enable ] && /usr/lib/acct/acct_enable -cs; then
: Do nothing - accounting will clean up wtmp and wtmpx
else
# [ -f /etc/wtmp ] && >/etc/wtmp
# [ -f /etc/wtmpx ] && >/etc/wtmpx
count=1
[ -f /etc/wtmp[0-9]* ] && {
for i in /etc/wtmp[0-9]*
do
count=`expr $count + 1`
done
}
[ "26" = "$count" ] && {
new=`/bin/ls -t /etc/wtmp[0-9]* | /bin/head -1 | /usr/bin/awk ' {
bob = index($0, "p")
print substr($0, bob + 1 , 2) } '`
new=`expr $new + 1`
[ "26" = $new ] && new=1
cp /etc/wtmp /etc/wtmp$new
cp /etc/wtmpx /etc/wtmpx$new
} || {
cp /etc/wtmp /etc/wtmp$count
cp /etc/wtmpx /etc/wtmpx$count
}
> /etc/wtmp
> /etc/wtmpx
fi
# Clean up miscellaneous files.
**** End modifications
The above may be overly complex and could likely be re-written, it
works and that's all I care about.
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
Jeff Hyman
Thanks John,
I'll check this out.
- Jeff H
Jeff Hyman
Learning alot on this one. Do 'last' and '/etc/profile'
have limitations ? Specifically where do they "not" record
a login event ? I kinda know the answer, but not all the
answer. csh, ftp ? If not, where do they keep a "log"
of events ?
- Jeff H