Provided by: chkrootkit_0.55-4_amd64
NAME
chklastlog - check lastlog file for deleted entries
SYNOPSIS
chklastlog looks for users whose login has been erased from the lastlog database.
DESCRIPTION
chklastlog reads all entries from /var/log/wtmp (a database of information about logins and logouts) and checks that every user found in this file has an entry in /var/log/lastlog. It lists any users with logins in wtmp but no lastlog information. This may suggest the user account has been compromised and the attacker has tried to cover their tracks.

chklastlog needs to be able to read /var/log/wtmp and /var/log/lastlog. Normally these files are world-readable so no special privileges are required.
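The cross-check described above, as an added Python example (not chkrootkit's own code). It assumes the glibc x86-64 Linux record layouts (384-byte utmp records, 292-byte lastlog records indexed by UID); the helper names, the user-to-UID map and the sample data are constructed for illustration.

```python
import struct

# Assumed layouts: glibc on x86-64 Linux (not taken from the chkrootkit source).
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i4i20s")  # 384-byte wtmp record
LASTLOG = struct.Struct("<i32s256s")                 # 292 bytes, slot index = UID
USER_PROCESS = 7                                     # ut_type of a normal login

def wtmp_users(wtmp: bytes) -> set:
    """Names of all users with a USER_PROCESS (login) record in wtmp."""
    users = set()
    for off in range(0, len(wtmp) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(wtmp, off)
        if rec[0] == USER_PROCESS:  # skip boot, runlevel and logout records
            users.add(rec[4].split(b"\0", 1)[0].decode(errors="replace"))
    return users

def last_login_time(lastlog: bytes, uid: int) -> int:
    """ll_time for a UID; 0 if the slot is zeroed or lies past end of file."""
    off = uid * LASTLOG.size
    if off + LASTLOG.size > len(lastlog):
        return 0
    return LASTLOG.unpack_from(lastlog, off)[0]

def missing_lastlog(wtmp: bytes, lastlog: bytes, uids: dict) -> list:
    """Known users that logged in according to wtmp but have no lastlog entry."""
    return sorted(u for u in wtmp_users(wtmp)
                  if u in uids and last_login_time(lastlog, uids[u]) == 0)

# Constructed sample data: builders for in-memory wtmp and lastlog images.
def make_utmp(user: str, t: int, ut_type: int = USER_PROCESS) -> bytes:
    return UTMP.pack(ut_type, 1000, b"pts/0", b"ts/0", user.encode(), b"",
                     0, 0, 0, t, 0, 0, 0, 0, 0, b"")

def make_lastlog(times: dict, slots: int) -> bytes:
    return b"".join(LASTLOG.pack(times.get(uid, 0), b"", b"")
                    for uid in range(slots))

UIDS = {"alice": 1, "bob": 2, "carol": 5}  # constructed stand-in for /etc/passwd
WTMP = (make_utmp("alice", 1700000000) + make_utmp("bob", 1700000100) +
        make_utmp("carol", 1700000200) + make_utmp("reboot", 1700000300, 2))
LASTLOG_DB = make_lastlog({1: 1700000000}, slots=3)  # bob zeroed, carol past EOF

if __name__ == "__main__":
    print(missing_lastlog(WTMP, LASTLOG_DB, UIDS))
```

A zeroed slot and a slot beyond the end of the file are both treated as a missing entry, since lastlog is a sparse file indexed by UID.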
FILES
/var/log/wtmp
    database of logins and logouts.
/var/log/lastlog
    database which contains info on the last login of each user.
SEE ALSO
wtmp(5), who(1), lastlog(8), last(1)
LIMITATIONS
wtmp may itself be incomplete because not all programmes record their activity using utmp logging. See wtmp(8).

chklastlog will not detect missing entries if the user has logged in after the lastlog entry was deleted.

This program was originally designed to run on SunOS 4.x systems. On other systems the output is undefined.

Oct 23, 2021 CHKLASTLOG(8)