Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 8 Feb 2010 18:26:35 -0800
From:      Vincent Poy <vincepoy@gmail.com>
To:        Ed Schouten <ed@80386.nl>, freebsd-current@freebsd.org
Subject:   Re: HEADS UP: <utmp.h> gone. All welcome <utmpx.h>.
Message-ID:  <429af92e1002081826j630557e9vcd8111b91b67660@mail.gmail.com>
In-Reply-To: <429af92e1002031704s2145570bo708439e9c87f6c80@mail.gmail.com>
References:  <429af92e1002011500q59b9ae09g908154ae63881ff5@mail.gmail.com> <20100201233216.GL77705@hoeg.nl> <429af92e1002031704s2145570bo708439e9c87f6c80@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
 Hello Ed:

On Mon, Feb 1, 2010 at 3:32 PM, Ed Schouten <ed@80386.nl> wrote:

> Right now there is no way to convert lastlog files. The point is that
> unlike you mentioned, the wtmp is actually the only important log file.
> All information could in theory be derived from it. You could convert
> wtmp files and use last -f to scroll through history to figure out when
> someone logged in.
>

The problem with figuring out when someone last logged in is that newsyslog
with the default newsyslog.conf would rotate the wtmp files once a month so
that there would be one
wtmp followed by  wtmp.0, wtmp.1, wtmp.2, wtmp.3 so it will only hold the
last months worth of data so if the person logs in anytime more than 5
months, they won't be in the wtmp.

> From an administrative point of view, you just want to be able to
> inspect log files in case it turns out a couple of months earlier
> something bad happened with your system (getting hacked, etc). lastlog
> is a nice feature, but it should just be considered being a bonus.
The thing with something bad happening with the system is usually looking at
data that far back will not really help since if it took a admin that long
to figure it out, then there is a bigger issue at hand because the system
probably is heavily compromised already as when we had hacks, usually we
have to get to it in real-time or atleast within a few hours or otherwise
the system will really be history.  I just meant that traditionally, when
you finger a username, it will show if they have ever logged into their
account from the time their account had been created since there are some
users who logs in once every 6 months and finger will show their last login
info but last won't as the wtmp* files won't due to it rotating monthly and
it only goes up to 3 for the backups.

> I have been thinking about possibly extending the utmpx interface to
> include an application name string for login entries, like "sshd" or
> "ftpd".
With utmp, it will always show the pty for ssh/rlogin/telnet sessions and
ftp when it's a ftp session as:

user1       ftp      10.12.21.156           Fri Aug 20 13:17 - 13:17 (00:00)

user1       ttyp0  10.12.21.156           Fri Aug 20 13:16 - 13:17 (00:00)

while the new format is:
 user1                10.12.21.156            Wed Feb  3 14:22 - 14:22
(00:00)
 user1      pts/12  10.12.21.156            Tue Feb  2 20:47 - 20:48
(00:00)

So it's really only user based ftp sessions aren't showing up with the ftp
part in the utmpx output.  I guess it's just something new to get use to
that a blank just means a ftp session.
In regards to ftp, anonymous ftp is not showing up anywhere in last

In utmp, it looked like this:

ftp          ftp        10.12.21.156            Wed Feb 3 16:18 - 16:18
(00:00)

So atleast if someone somehow hacked the system by anonymous ftp, you would
atleast be able to track them down,  as syslog is not logging anonymous ftp
logins.

 Cheers,
Vince
Vincent Poy, Ph.D. - Astrophysics



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?429af92e1002081826j630557e9vcd8111b91b67660>