CHKLASTLOG(8) System Manager's Manual CHKLASTLOG(8)

NAME

chklastlog - check lastlog file for deleted entries

SYNOPSIS

chklastlog looks for users whose login has been erased from the lastlog database.

DESCRIPTION

chklastlog reads all entries from /var/log/wtmp (a database of information about logins and logouts) and checks that every user found in this file has an entry in /var/log/lastlog. It lists any users with logins in wtmp but no lastlogin information. This may suggest the user account has been compromised and the attacker has tried to cover their tracks.

chklastlog needs to be able to read /var/log/wtmp and /var/log/lastlog. Normally these files are world-readable, so no special privileges are required.
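
The check described above, as an added example (not chklastlog's own source): parse wtmp login records, then look up each user's UID-indexed lastlog slot and report users whose slot is empty. Assumptions: the glibc x86-64 Linux record layouts (384-byte utmp, 292-byte lastlog), a caller-supplied name-to-UID map, and hypothetical function names; the sample records are constructed.

```python
import struct

# Assumed layouts: glibc on x86-64 Linux (384-byte utmp, 292-byte lastlog).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
LASTLOG = struct.Struct("<i32s256s")  # ll_time, ll_line, ll_host
USER_PROCESS = 7  # ut_type value for a normal login record

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def wtmp_users(wtmp):
    """Return the set of user names that have a login record in wtmp."""
    users = set()
    usable = len(wtmp) - len(wtmp) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(wtmp, off)  # rec[0]=ut_type, rec[4]=ut_user
        if rec[0] == USER_PROCESS and cstr(rec[4]):
            users.add(cstr(rec[4]))
    return users

def lastlog_time(lastlog, uid):
    """ll_time for uid; 0 if the slot is empty or lies past end of file."""
    off = uid * LASTLOG.size
    if off + LASTLOG.size > len(lastlog):
        return 0
    return LASTLOG.unpack_from(lastlog, off)[0]

def missing_from_lastlog(wtmp, lastlog, uid_of):
    """Users with logins in wtmp but no lastlog entry, sorted by name."""
    flagged = []
    for user in sorted(wtmp_users(wtmp)):
        uid = uid_of.get(user)  # names without a known UID are skipped
        if uid is not None and lastlog_time(lastlog, uid) == 0:
            flagged.append(user)
    return flagged

# Constructed sample data: alice and bob both log in, bob's lastlog slot is zeroed.
def make_utmp(ut_type, user, ts=1700000000):
    return UTMP.pack(ut_type, 4242, b"pts/0", b"ts/0", user, b"192.0.2.10",
                     0, 0, 0, ts, 0, 0, 0, 0, 0)

UIDS = {"alice": 1000, "bob": 1001}
SAMPLE_WTMP = make_utmp(7, b"alice") + make_utmp(7, b"bob") + make_utmp(8, b"")
buf = bytearray(LASTLOG.size * 1002)
LASTLOG.pack_into(buf, 1000 * LASTLOG.size, 1700000000, b"pts/0", b"192.0.2.10")
SAMPLE_LASTLOG = bytes(buf)

if __name__ == "__main__":
    print(missing_from_lastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, UIDS))
```
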

FILES

/var/log/wtmp
database of logins and logouts.

/var/log/lastlog
database which contains info on the last login of each user.

SEE ALSO

wtmp(5), who(1), lastlog(8), last(1)

LIMITATIONS

wtmp may itself be incomplete because not all programmes record their activity using utmp logging. See wtmp(5).

chklastlog will not detect missing entries if the user has logged in after the lastlog entry was deleted.

This program was originally designed to run on SunOS 4.x systems. On other systems the output is undefined.

October 23, 2021