Question: issue on lastlogin and tty-time accounting reports on AIX 6.1

Hi,
I have set up accounting on AIX 6.1, but in the daily report rprtmmdd I always get multiple 'false positives' about users that never log on to the system when they do. See this example for user s03frgu0:

rprt lastlogin says 00-00-00
00-00-00  s03frgu0


lsuser s03frgu0 says Fri, 02 Jul 2010 14:49:13 GMT
s03frgu0 id=821 pgrp=system groups=system,staff,sys,db2tgadm,cics,cicsterm,dba,eis,accent,spufis home=/home/s03frgu0 shell=/usr/bin/ksh gecos=Fran Guerra auditclasses=general,objects,cron,files,rbac login=true su=true rlogin=true daemon=true admin=true sugroups=system admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=3 pwdwarntime=10 account_locked=false minage=6 maxage=6 maxexpired=2 minalpha=2 minother=2 mindiff=3 maxrepeats=2 minlen=6 histexpire=52 histsize=25 pwdchecks= dictionlist= dce_export=false fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1278082153 time_last_unsuccessful_login=1278082108 tty_last_login=/dev/pts/115 tty_last_unsuccessful_login=192_168_12_52_1 host_last_login=bsa630_boot host_last_unsuccessful_login=192.168.12.52:1 unsuccessful_login_count=0 roles=

Do I have something wrong in my configuration?

Other question:

In the 3rd part of the rprt report (tty/pty) I get a LOT of:


ftp91778        0       0       1       1       1
ftp91782        0       0       1       1       1
ftp91783        0       0       1       1       1
ftp91792        0       0       1       1       1
ftp91796        0       0       1       1       1
ftp93064        0       0       1       1       1
and

rsh10027        0       0       1       1       1
rsh10027        0       0       1       1       1
rsh10158        0       0       1       1       1
rsh10158        0       0       1       1       1
rsh10158        0       0       1       1       1

They seem to be ftp sessions and rsh sessions. Question:
How can I disable the Connect-time report in my accounting setup?

thanks
Israel.

Answer: issue on lastlogin and tty-time accounting reports on AIX 6.1

Hi,

1) LAST LOGIN would always report on all users found in /etc/passwd or via NIS, with 00-00-00 indicating that there was no actual login.

These data are produced by /usr/sbin/acct/lastlogin, and later processed by prdaily.

2) These data come from wtmp. runacct will store them in a file "lineuse" (/var/adm/acct/nite/lineuse) which is also later processed by prdaily.

prdaily is not customizable by flags or parameters, but since it is a script one could modify it.

This is by no means recommended, but possible.

ad 1)

Look at /usr/sbin/acct/prdaily for (somewhere near line 130)

if [ -z "$WFLAG" -a -z "$XFLAG" ]
then
       pr -h "$HDR4" -3 ${_sum}/loginlog
else
       pr -h "$HDR4" -1 ${_sum}/loginlog
fi

Just preceding the above, add the line

cat ${_sum}/loginlog | grep -v "^00-00-00" >  ${_sum}/loginlog.tmp  ; mv ${_sum}/loginlog.tmp  ${_sum}/loginlog  

ad 2)

Look at /usr/sbin/acct/prdaily for (somewhere near line 116)

(cat reboots; echo ""; cat lineuse) | pr -h "$HDR"

Change the above to

(cat reboots; echo ""; cat lineuse | grep -v "^ftp" | grep -v "^rsh") | pr -h "$HDR"

Please be aware that the displayed TOTAL will no longer be correct (as it is already contained in lineuse). Maybe you should grep it out.

If you don't need the tty/pty report at all, comment out the whole line.

Please let me repeat -

Make the above changes only (only!) if you know what you're doing and if you really need those modifications.

And please be aware too that these changes will most probably not "survive" an AIX upgrade!

Good luck!

wmp
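
A read-only cross-check for the discrepancy described in the question, as an added example that is not part of the original posts: it lists users that the accounting loginlog marks 00-00-00 even though lsuser records a time_last_login for them, without touching prdaily. The function name, the file arguments and the sample data are assumptions; the second input is assumed to be the saved output of `lsuser -a time_last_login ALL`, with one "user attr=value" line per account.

```shell
#!/bin/sh
# Added example (not from the original posts).
# $1 = a copy of prdaily's ${_sum}/loginlog, one "YY-MM-DD  user" per line
# $2 = saved output of: lsuser -a time_last_login ALL
# Prints "user epoch" for every account where the two sources disagree.
find_stale_lastlogin() {
    awk '
        # First file: remember users whose accounting date is 00-00-00.
        FILENAME == ARGV[1] {
            if ($1 == "00-00-00") never[$2] = 1
            next
        }
        # Second file: the attribute is simply absent for accounts
        # that have never logged in, so only lines carrying it matter.
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^time_last_login=[0-9]+$/) {
                    split($i, kv, "=")
                    if (($1 in never) && kv[2] + 0 > 0)
                        print $1, kv[2]
                }
            }
        }
    ' "$1" "$2"
}

# Constructed sample data (only s03frgu0 and its epoch come from the
# question): one real mismatch, one account that truly never logged in,
# and one account on which both sources agree.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '00-00-00  s03frgu0' \
        '00-00-00  nologin1' \
        '10-07-02  root' > "$d/loginlog"
    printf '%s\n' \
        's03frgu0 time_last_login=1278082153' \
        'nologin1' \
        'root time_last_login=1278000000' > "$d/lsuser.out"
    find_stale_lastlogin "$d/loginlog" "$d/lsuser.out"
    rm -rf "$d"
}

demo
```

An empty result means the accounting report and the user database agree; any line printed is an account whose logins are not reaching the accounting data.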
