From owner-freebsd-current@FreeBSD.ORG Tue Feb 9 02:26:36 2010
Date: Mon, 8 Feb 2010 18:26:35 -0800
From: Vincent Poy
To: Ed Schouten, freebsd-current@freebsd.org
Subject: Re: HEADS UP: gone. All welcome .
Message-ID: <429af92e1002081826j630557e9vcd8111b91b67660@mail.gmail.com>
In-Reply-To: <429af92e1002031704s2145570bo708439e9c87f6c80@mail.gmail.com>

Hello Ed:

On Mon, Feb 1, 2010 at 3:32 PM, Ed Schouten wrote:
> Right now there is no way to convert lastlog files. The point is that
> unlike you mentioned, the wtmp is actually the only important log file.
> All information could in theory be derived from it. You could convert
> wtmp files and use last -f to scroll through history to figure out when
> someone logged in.

The problem with figuring out when someone last logged in is that newsyslog with the default newsyslog.conf rotates the wtmp files once a month, so there is one wtmp followed by wtmp.0, wtmp.1, wtmp.2, wtmp.3. It will only hold the last months' worth of data, so if the person logged in any time more than 5 months ago, they won't be in the wtmp.

> From an administrative point of view, you just want to be able to
> inspect log files in case it turns out a couple of months earlier
> something bad happened with your system (getting hacked, etc). lastlog
> is a nice feature, but it should just be considered being a bonus.

The thing with something bad happening to the system is that looking at data that far back will usually not really help, since if it took an admin that long to figure it out, then there is a bigger issue at hand, because the system is probably heavily compromised already. When we had hacks, we usually had to get to it in real time, or at least within a few hours, or otherwise the system would really be history.

I just meant that traditionally, when you finger a username, it will show if they have ever logged into their account from the time their account was created, since there are some users who log in once every 6 months, and finger will show their last login info but last won't, as the wtmp* files won't have it due to rotating monthly and only going up to 3 for the backups.

> I have been thinking about possibly extending the utmpx interface to
> include an application name string for login entries, like "sshd" or
> "ftpd".

With utmp, it will always show the pty for ssh/rlogin/telnet sessions, and ftp when it's an ftp session, as:

user1     ftp       10.12.21.156     Fri Aug 20 13:17 - 13:17  (00:00)
user1     ttyp0     10.12.21.156     Fri Aug 20 13:16 - 13:17  (00:00)

while the new format is:

user1               10.12.21.156     Wed Feb 3 14:22 - 14:22   (00:00)
user1     pts/12    10.12.21.156     Tue Feb 2 20:47 - 20:48   (00:00)

So it's really only user-based ftp sessions that aren't showing up with the ftp part in the utmpx output. I guess it's just something new to get used to, that a blank just means an ftp session.

In regards to ftp, anonymous ftp is not showing up anywhere in last. In utmp, it looked like this:

ftp       ftp       10.12.21.156     Wed Feb 3 16:18 - 16:18   (00:00)

So at least if someone somehow hacked the system by anonymous ftp, you would at least be able to track them down, as syslog is not logging anonymous ftp logins.

Cheers,
Vince

Vincent Poy, Ph.D. - Astrophysics
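Since the exchange is about recovering a user's last login from the rotated wtmp files with `last -f` now that lastlog is gone, here is an added example (mine, not from the mail or from FreeBSD) that walks the text output of `last -f` for wtmp, wtmp.0, ... in rotation order and reports each user's most recent entry, treating a blank tty column in the utmpx-style output as the ftp session Vince describes. The sample output is constructed, and the parser assumes every entry of interest carries a remote host.

```python
import re

# Trailing time field of a `last` line as shown in the mail, e.g.
# "Wed Feb  3 14:22 - 14:22  (00:00)" ("still logged in" and "gone - no logout"
# endings are accepted too). `last` prints no year, so recency across files
# comes from rotation order: wtmp is newer than wtmp.0, which is newer than wtmp.1.
_TIME_RE = re.compile(
    r"\s+((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+"
    r"\d{2}:\d{2}\s+(?:-|still|gone)\s.*)$"
)

def parse_last_line(line):
    """Return {user, tty, host, when} for one `last` entry, else None.
    With utmpx an ftp session leaves the tty column blank, so the text before
    the time has either three tokens (user tty host) or two (user host)."""
    m = _TIME_RE.search(line)
    if not m:
        return None  # blank line or the "wtmp begins ..." trailer
    prefix = line[: m.start()].split()
    if len(prefix) == 3:
        user, tty, host = prefix
    elif len(prefix) == 2:
        (user, host), tty = prefix, ""  # blank tty: ftp session in utmpx output
    else:
        return None  # assumption: every entry of interest carries a host
    return {"user": user, "tty": tty, "host": host, "when": m.group(1).strip()}

def last_login_per_user(files_newest_first):
    """files_newest_first: [(name, output of `last -f name`), ...], current file
    first. The first entry seen per user is that user's most recent login."""
    seen = {}
    for fname, text in files_newest_first:
        for line in text.splitlines():
            rec = parse_last_line(line)
            if rec and rec["user"] not in seen:
                rec["file"] = fname
                seen[rec["user"]] = rec
    return seen

# Constructed sample output, not real logs: utmpx-style lines, the first with a
# blank tty column as Vince observed for an ftp session.
SAMPLE_WTMP = """\
user1               10.12.21.156     Wed Feb  3 14:22 - 14:22  (00:00)
user1     pts/12    10.12.21.156     Tue Feb  2 20:47 - 20:48  (00:00)
wtmp begins Mon Feb  1 00:00
"""
SAMPLE_WTMP_0 = """\
user2     pts/0     10.12.21.156     Fri Jan 15 09:01 - 09:30  (00:29)
wtmp.0 begins Fri Jan  1 00:00
"""
```

Feed it the captured output of `last -f` for each file in rotation order (wtmp first, then wtmp.0, wtmp.1, ...); a user absent from the result has no login inside the retained rotation window.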