Welcome to the MacNN Forums.

absmiths · May 30, 2002, 12:42 PM

How can I see an audit of how and when users have logged into my machine? I would like to just verify that noone has connected when I didn't suspect it.

johann · May 30, 2002, 01:28 PM

in the terminal type 'last'

does that help?

absmiths · May 30, 2002, 03:56 PM

<blockquote>quote:<hr />Originally posted by johann:
in the terminal type 'last'

does that help?<hr /></blockquote>Yes, that's very nice. Does this data come from a file somewhere? Some of the domain names are too long and I would like to see all of them.

Nevermind, I guess it uses /var/log/wtmp, but I can't make much sense of it.

[ 05-30-2002, 03:58 PM: Message edited by: absmiths ]

Camelot · Jun 2, 2002, 02:13 AM

<blockquote>quote:<hr />Originally posted by absmiths:
 <blockquote>quote:<hr />Originally posted by johann:
in the terminal type 'last'

does that help?<hr /></blockquote>Yes, that's very nice. Does this data come from a file somewhere? Some of the domain names are too long and I would like to see all of them.

Nevermind, I guess it uses /var/log/wtmp, but I can't make much sense of it.<hr /></blockquote>/var/log/wtmp is indeed the file, but you're not supposed to be able to make sense or it. If it were a plain text file (for example, in the same format as the output of the 'last' command) it would be too easy for a hacker to edit the file and remove all trace of his login.

petej · Jun 3, 2002, 12:42 PM

It's not that hard anyway. The format of wtmp is well-documented, and it's pretty easy to remove records. Since the records are fixed-length, you can even use the dd command to edit out parts you want to hide, so you don't have to write a program.