Why last and lastlog are important for production Servers?
Written by RD   
Thursday, 28 August 2008

The Unix commands “last” and “lastlog” give very valuable information, which every system admin should collect from ALL production servers and record. They list the users who logged into the system and the IP each login came from.

The output of the command looks like this:

 

last

This command also shows whether anyone issued a reboot command, and when and from where. This report is very useful from the SOX point of view. Every admin should collect the report from the production servers and store it in printed form or in a table of a database that is not part of the production OLAP database.

It is advisable to collect this report from the system on a daily basis and store it. Before storing it, spend a few minutes going through it to see whether there are any unauthorized accesses. Also pay attention to where the logins are coming from. If your company is abcompany.com and you see a login from, for example, xyzmarxist.ru, you should immediately change the password for that user id and, if possible, lock the account.

You should also execute the command lastlog on the production server and store the output. This command can be executed only as a super user. If you do not have super user access and you are the one responsible for SOX compliance, ask the system admin to run this command through cron and forward the output to your email as well.


lastlog 

 

The user ids that show **Never logged in** should remain never logged in. If you are not using, and are not going to use, some of the user ids such as ‘mysql’ or ‘apache’ but have installed the packages related to them, try to uninstall those packages or remove those ids from the production servers.

Certain user ids that are never used for login are still required, for example sshd or mail. Do not try to remove such user ids.

Even if you run the Apache web server and have a MySQL database, those user ids should remain never logged in. Normally, login with those user ids is not possible unless someone has altered them.
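
One way to do the daily review described above before the reports are archived, as an added example that is not the author's script. ALLOWED_RE, SERVICE_IDS, the function names and the sample lines are assumptions constructed for illustration; the first function expects the output of `last -a`, which puts the origin host in the last column.

```shell
#!/bin/sh
# Added example: screen `last -a` and `lastlog` text before archiving it.
# ALLOWED_RE and SERVICE_IDS are assumptions; set them for your own site.
ALLOWED_RE='([.]abcompany[.]com$|^10[.])'   # origins you expect to see
SERVICE_IDS='apache mysql sshd mail'        # ids that must stay "Never logged in"

# Reads `last -a` output (origin host in the last column) and prints
# "user origin" for every login whose origin does not match ALLOWED_RE.
flag_foreign_logins() {
    awk -v ok="$ALLOWED_RE" '
        NF < 3 || $1 ~ /^(reboot|shutdown|wtmp)$/ { next }  # boot records, trailer
        $NF ~ /^\(/ || $NF ~ /^(in|logout)$/ { next }       # no origin: local console
        $NF !~ ok { print $1, $NF }'
}

# Reads `lastlog` output and prints each service id that has a login record.
flag_service_logins() {
    awk -v ids="$SERVICE_IDS" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
        NR > 1 && ($1 in svc) && $0 !~ /Never logged in/ { print $1 }'
}

# Constructed sample data (not taken from a real server).
sample_last() { cat <<'EOF'
rd       pts/0        Thu Aug 28 09:12   still logged in    ws12.abcompany.com
suresh   pts/1        Thu Aug 28 08:01 - 08:45  (00:44)     10.1.2.3
psoft    pts/2        Thu Aug 28 03:17 - 03:29  (00:12)     198.51.100.23
root     tty1         Wed Aug 27 23:55 - 00:10  (00:15)
reboot   system boot  Wed Aug 27 23:50          (09:22)     2.6.18-92.el5

wtmp begins Fri Aug  1 04:02:11 2008
EOF
}

sample_lastlog() { cat <<'EOF'
Username         Port     From             Latest
root             pts/0    10.1.2.3         Thu Aug 28 09:12:01 -0400 2008
apache                                     **Never logged in**
mysql            pts/2    198.51.100.23    Wed Aug 27 02:14:55 -0400 2008
sshd                                       **Never logged in**
EOF
}

echo "Logins from unexpected origins:"
sample_last | flag_foreign_logins
echo "Service ids with a login record:"
sample_lastlog | flag_service_logins
# On a live server: last -a | flag_foreign_logins; lastlog | flag_service_logins
```

Any line printed under either heading is an entry to investigate before the report is filed; an empty result means the sample matched the expected origins and the service ids are still unused for login.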

Comments (2)
1. 08-29-2008 13:04
 
Can you tell me how to put it in cron to collect the information?
Guest
 
SureshK
2. 08-29-2008 20:33
 
You can try like this: 
 
8 12,23 * * * /usr/bin/lastlog | mailx -s "LoginLOG Details of servername" RECIPIENT_EMAIL
Registered
 
RD


Last Updated ( Friday, 29 August 2008 )

© 2008 PSADMIN.org
PSAdmin.org is for & by the PeopleSoft Administrators to share their Experience.