Subject: Re: Last users today
To: NetBSD User's Discussion List <netbsd-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 01/23/2002 00:42:19
[ On Tuesday, January 22, 2002 at 21:00:07 (-0500), Andrew Brown wrote: ]
> Subject: Re: Last users today
>
> >> I'd like to add a section to my daily security output, listing all users who
> >> have, or are, logged in during the day. Unfortunately, there doesn't seem to
> >> be any facility in last(1) for that. How would I go about solving this in a
> >> simple way? It might even be an area of future improvement in last. =)
> >
> >Assuming you have newsyslog configured to roll your wtmp file over at
> >midnight, but not to compress it, and that /etc/daily runs sometime
> >after midnight, then adding the following to /etc/daily.local will do
> >the trick:
> >
> >	/usr/sbin/ac -d -w /var/log/wtmp.0
> 
> since the requirement was for "users who have, or are, logged in
> during the day", will this emit the names of users who have been
> logged in for three months?

Well, yeah, there is that problem of sessions that traverse the log
rotation time.  It's potentially solved in any number of ways, including
by strict policy of requiring everyone to log out at least once per day.
Obviously "last" cannot fare any better without finding some solution to
this problem either, at least not unless you never rotate /var/log/wtmp,
or do so only on reboot, or similar.

I don't know what NetBSD's re-implementation of 'ac' does with partial
records for a session, but of course an ideal solution would have the
procedure of rotating /var/log/wtmp at midnight write summary ("closing
balance") records to the old file, and "opening balance" records to the
new file, for every session that traverses the rotate time.  I wrote
programs to implement such procedures on various SysV implementations
back when connect-time accounting was important to me.  It's pretty
simple to simulate a logout and login across the log files if you don't
care to know when a session actually started, but rather only to
summarise the time it has been connected from period to period.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
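
The "closing balance" / "opening balance" idea described in the message above, as an added example that is not part of the original post and is neither NetBSD's ac(1) code nor the author's SysV programs. It assumes a simplified in-memory record (the hypothetical Rec tuple) rather than the on-disk struct utmp, follows the traditional BSD wtmp convention that a record with an empty name is a logout on that line, and uses constructed sample data.

```python
from collections import namedtuple

# Simplified in-memory stand-in for a wtmp record (assumption: not the
# on-disk struct utmp). Empty name = logout on that line; line "~" =
# reboot/shutdown marker, which ends every session.
Rec = namedtuple("Rec", "line name host time")

def replay(records):
    """Return (still_open, seconds): open logins by line, per-user connect time."""
    live, seconds = {}, {}
    def close(line, when):
        start = live.pop(line, None)
        if start:
            seconds[start.name] = seconds.get(start.name, 0) + when - start.time
    for r in records:
        if r.line == "~":
            for line in list(live):
                close(line, r.time)
        else:
            close(r.line, r.time)      # a new record on a line ends the old session
            if r.name:
                live[r.line] = r
    return live, seconds

def balance_rotation(old, rotate_time):
    """Simulate logout/login at rotate_time for sessions spanning the rotation.

    Returns (old + closing records, opening records to seed the new log).
    """
    live, _ = replay(old)
    lines = sorted(live)
    closing = [Rec(l, "", "", rotate_time) for l in lines]
    opening = [Rec(l, live[l].name, live[l].host, rotate_time) for l in lines]
    return old + closing, opening

def users_seen(records):
    """Everyone with a login (real or opening-balance) record in this log."""
    return sorted({r.name for r in records if r.name and r.line != "~"})

# Constructed sample: times are in seconds; the rotation happens at 86400.
MIDNIGHT = 86400
DAY1 = [Rec("ttyp0", "alice", "hostA", 1000),
        Rec("ttyp1", "bob", "hostB", 2000),
        Rec("ttyp1", "", "", 5000)]                 # bob logs out, alice stays on
DAY2_RAW = [Rec("ttyp2", "carol", "hostC", 90000),
            Rec("ttyp0", "", "", 100000)]           # alice finally logs out

DAY1_CLOSED, OPENING = balance_rotation(DAY1, MIDNIGHT)
DAY2 = OPENING + DAY2_RAW
```

Without the opening records, the second day's log holds only alice's logout, so she is missing from that day's user list and her connect time for the period is lost.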