.\" Copyright (c) DFN-CERT, Univ. of Hamburg 1994
.\"
.\" Univ. Hamburg, Dept. of Computer Science
.\" DFN-CERT
.\" Vogt-Koelln-Strasse 30
.\" 22527 Hamburg
.\" Germany
.TH CHKLASTLOG 8 "Oct 23, 2021"
.SH NAME
chklastlog \- check lastlog file for deleted entries
.SH SYNOPSIS
.B chklastlog
looks for users whose login has been erased from the
.I lastlog
database.
.SH DESCRIPTION
.B chklastlog
reads all entries from
.I /var/log/wtmp
(a database of information about logins and logouts) and checks that
every user found in this file has an entry in
.IR /var/log/lastlog .
It lists any users with logins in
.I wtmp
but no
.I lastlog
information. This may suggest the user account has been compromised and
the attacker has tried to cover their tracks.
.PP
.B chklastlog
needs to be able to read
.I /var/log/wtmp
and
.IR /var/log/lastlog .
Normally these files are world-readable so no special privileges are
required.
.SH FILES
.TP
.I /var/log/wtmp
database of logins and logouts.
.TP
.I /var/log/lastlog
database which contains info on the last login of each user.
.SH SEE ALSO
.IR wtmp (5),
.IR who (1),
.IR lastlog (8),
.IR last (1)
.SH LIMITATIONS
.I wtmp
may itself be incomplete because not all programmes record their
activity using utmp logging. See
.IR wtmp (5).
.PP
.B chklastlog
will not detect missing entries if the user has logged in after the
lastlog entry was deleted.
.PP
This program was originally designed to run on SunOS 4.x systems. On
other systems the output is undefined.
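.SH EXAMPLE
The cross-check described under DESCRIPTION, as an added example that is not the chklastlog source and not part of the original page. It assumes the Linux/glibc x86_64 record layouts (384-byte utmp records, 292-byte lastlog records indexed by UID) rather than SunOS 4.x; the helper names, the UID map and the sample records are constructed for illustration.
.nf

```python
import struct

# Assumption: Linux/glibc x86_64 layouts (384-byte utmp, 292-byte lastlog).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
LASTLOG = struct.Struct("<i32s256s")  # ll_time, ll_line, ll_host
USER_PROCESS = 7                      # ut_type of a normal login session
NUL = bytes(1)

def wtmp_users(wtmp):
    """Names that own at least one USER_PROCESS record in wtmp data."""
    users = set()
    usable = len(wtmp) - len(wtmp) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(wtmp, off)
        name = rec[4].partition(NUL)[0].decode("ascii", "replace")
        if rec[0] == USER_PROCESS and name:
            users.add(name)
    return users

def lastlog_time(lastlog, uid):
    """ll_time of the record at index uid; 0 if zeroed or past end of file."""
    off = uid * LASTLOG.size
    if off + LASTLOG.size > len(lastlog):
        return 0
    return LASTLOG.unpack_from(lastlog, off)[0]

def missing_lastlog(wtmp, lastlog, uids):
    """Users with logins in wtmp whose lastlog record is empty."""
    return sorted(u for u in wtmp_users(wtmp)
                  if u in uids and lastlog_time(lastlog, uids[u]) == 0)

def _utmp(user, line, when):
    """Build one constructed USER_PROCESS record."""
    return UTMP.pack(USER_PROCESS, 4242, line.encode(), b"", user.encode(),
                     b"", 0, 0, 0, when, 0, 0, 0, 0, 0, b"")

# Constructed sample: both users logged in, bob's lastlog record is zeroed.
SAMPLE_UIDS = {"alice": 2, "bob": 3}  # hypothetical stand-in for /etc/passwd
SAMPLE_WTMP = _utmp("alice", "pts/0", 1700000000) + _utmp("bob", "pts/1", 1700000600)
SAMPLE_LASTLOG = (bytes(2 * LASTLOG.size)
                  + LASTLOG.pack(1700000000, b"pts/0", b"")
                  + bytes(LASTLOG.size))

if __name__ == "__main__":
    for user in missing_lastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, SAMPLE_UIDS):
        print("user %s has logins in wtmp but no lastlog entry" % user)
```

.fi
On a live system the two byte strings would be read from /var/log/wtmp and /var/log/lastlog, and the UID map built with Python's pwd module.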