Date: Mon, 8 Feb 2010 18:26:35 -0800
From: Vincent Poy <vincepoy@gmail.com>
To: Ed Schouten <ed@80386.nl>, freebsd-current@freebsd.org
Subject: Re: HEADS UP: <utmp.h> gone. All welcome <utmpx.h>.
Message-ID: <429af92e1002081826j630557e9vcd8111b91b67660@mail.gmail.com>
In-Reply-To: <429af92e1002031704s2145570bo708439e9c87f6c80@mail.gmail.com>
References: <429af92e1002011500q59b9ae09g908154ae63881ff5@mail.gmail.com> <20100201233216.GL77705@hoeg.nl> <429af92e1002031704s2145570bo708439e9c87f6c80@mail.gmail.com>
Hello Ed:

On Mon, Feb 1, 2010 at 3:32 PM, Ed Schouten <ed@80386.nl> wrote:
> Right now there is no way to convert lastlog files. The point is that
> unlike you mentioned, the wtmp is actually the only important log file.
> All information could in theory be derived from it. You could convert
> wtmp files and use last -f to scroll through history to figure out when
> someone logged in.

The problem with figuring out when someone last logged in is that newsyslog with the default newsyslog.conf would rotate the wtmp files once a month, so that there would be one wtmp followed by wtmp.0, wtmp.1, wtmp.2, wtmp.3. It will only hold the last months' worth of data, so if the person logs in anytime more than 5 months apart, they won't be in the wtmp.

> From an administrative point of view, you just want to be able to
> inspect log files in case it turns out a couple of months earlier
> something bad happened with your system (getting hacked, etc). lastlog
> is a nice feature, but it should just be considered being a bonus.

The thing with something bad happening with the system is that usually looking at data that far back will not really help, since if it took an admin that long to figure it out, then there is a bigger issue at hand because the system probably is heavily compromised already. When we had hacks, usually we had to get to it in real time or at least within a few hours, or otherwise the system would really be history.

I just meant that traditionally, when you finger a username, it will show if they have ever logged into their account from the time their account had been created, since there are some users who log in once every 6 months and finger will show their last login info but last won't, as the wtmp* files won't, due to it rotating monthly and it only goes up to 3 for the backups.

> I have been thinking about possibly extending the utmpx interface to
> include an application name string for login entries, like "sshd" or
> "ftpd".

With utmp, it will always show the pty for ssh/rlogin/telnet sessions and ftp when it's an ftp session, as:

user1 ftp 10.12.21.156 Fri Aug 20 13:17 - 13:17 (00:00)
user1 ttyp0 10.12.21.156 Fri Aug 20 13:16 - 13:17 (00:00)

while the new format is:

user1 10.12.21.156 Wed Feb 3 14:22 - 14:22 (00:00)
user1 pts/12 10.12.21.156 Tue Feb 2 20:47 - 20:48 (00:00)

So it's really only user-based ftp sessions that aren't showing up with the ftp part in the utmpx output. I guess it's just something new to get used to, that a blank just means an ftp session.

In regards to ftp, anonymous ftp is not showing up anywhere in last. In utmp, it looked like this:

ftp ftp 10.12.21.156 Wed Feb 3 16:18 - 16:18 (00:00)

So at least if someone somehow hacked the system by anonymous ftp, you would at least be able to track them down, as syslog is not logging anonymous ftp logins.

Cheers,
Vince

Vincent Poy, Ph.D. - Astrophysics
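As an added example (not part of this thread, nor FreeBSD code), a small Python script that does by hand what the mail describes: it walks `last -f` output from the current and rotated wtmp files to recover each user's most recent login, the way finger/lastlog would report it, and treats a blank tty column next to a remote host as an ftp session in the utmpx-era format. The sample lines are constructed, and since `last` prints no year, one is assumed to be supplied per file.

```python
from datetime import datetime

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed `last -f` output for a rotated and a current wtmp file (not real data),
# modelled on the lines quoted above. `last` prints no year, so one is supplied per
# file (in practice, from the file's mtime).
SAMPLE_ROTATED = [
    (2009, [  # utmp-era file: ftp sessions carry "ftp" in the tty column
        "user1 ftp 10.12.21.156 Thu Aug 20 13:17 - 13:17 (00:00)",
        "user1 ttyp0 10.12.21.156 Thu Aug 20 13:16 - 13:17 (00:00)",
        "ftp ftp 10.12.21.156 Thu Aug 20 16:18 - 16:18 (00:00)",
        "wtmp.3 begins Sat Aug 1 00:00:00 2009",
    ]),
    (2010, [  # utmpx-era file: ftp sessions leave the tty column blank
        "user1 10.12.21.156 Wed Feb 3 14:22 - 14:22 (00:00)",
        "user1 pts/12 10.12.21.156 Tue Feb 2 20:47 - 20:48 (00:00)",
        "user2 pts/3 192.0.2.10 Sat Jan 9 08:01 - 09:40 (01:39)",
    ]),
]

def parse_last_line(line, year):
    """Parse one `last` line into a record, tolerating the blank utmpx tty column."""
    tok = line.split()
    if len(tok) < 5 or tok[0].startswith("wtmp") or tok[0] in ("reboot", "shutdown"):
        return None
    try:  # the login timestamp starts at the first weekday token
        i = next(k for k, t in enumerate(tok) if t in WEEKDAYS)
    except StopIteration:
        return None
    middle = tok[1:i]  # tty and host; in the utmpx format the tty may be absent
    if len(middle) == 2:
        tty, host = middle
    elif len(middle) == 1 and "." in middle[0]:  # lone host => blank tty, i.e. ftp
        tty, host = "", middle[0]
    else:
        tty, host = (middle[0], "") if middle else ("", "")
    login = datetime.strptime(f"{year} {tok[i + 1]} {tok[i + 2]} {tok[i + 3]}",
                              "%Y %b %d %H:%M")
    return {"user": tok[0], "tty": tty, "host": host, "login": login,
            "ftp": tty == "ftp" or (tty == "" and host != "")}

def last_login_per_user(rotated):
    """Newest login per user across all (year, lines) wtmp files, as finger would show."""
    latest = {}
    for year, lines in rotated:
        for rec in filter(None, (parse_last_line(ln, year) for ln in lines)):
            if rec["user"] not in latest or rec["login"] > latest[rec["user"]]["login"]:
                latest[rec["user"]] = rec
    return latest
```

Feeding it the output of `last -f` for wtmp and wtmp.0 through wtmp.3 gives the most recent login the rotated files still hold; anything older than the rotation window is simply gone, which is the gap the mail points out.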
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?429af92e1002081826j630557e9vcd8111b91b67660>