Provided by: chkrootkit_0.55-4_amd64
chklastlog - check lastlog file for deleted entries
chklastlog looks for users whose login has been erased from the lastlog database.
chklastlog reads all entries from /var/log/wtmp (a database of information about logins and logouts) and checks that every user found in this file has an entry in /var/log/lastlog. It lists any users with logins in wtmp but no lastlogin information. This may suggest the user account has been compromised and the attacker has tried to cover their tracks. chklastlog needs to be able to read /var/log/wtmp and /var/log/lastlogin. Normally these files are world-readable so no special privileges are required.
/var/log/wtmp database of logins and logouts. /var/log/lastlog database which contains info on the last login of each user.
wtmp may itself be incomplete because not all programmes record their activity using utmp logging. See wtmp(8). chklastlog will not detect missing entries if the user has logged in after the lastlog entry was deleted. This program was originally designed to run on SunOS 4.x systems. On other systems the output is undefined. Oct 23, 2021 CHKLASTLOG(8)