Saturday, September 6, 2014

Unix Prog: Login Accounting

1. Login Accounting Structure

struct utmpx stores the basic information recorded for each entry in the user login history.
 ubuntu@ip-172-31-23-227:~$ less /usr/include/x86_64-linux-gnu/bits/utmpx.h  
 ......  
 /* The structure describing an entry in the user accounting database. */  
 struct utmpx  
 {  
  short int ut_type;      /* Type of login. */  
  __pid_t ut_pid;        /* Process ID of login process. */  
  char ut_line[__UT_LINESIZE]; /* Devicename. */  
  char ut_id[4];        /* Inittab ID. */  
  char ut_user[__UT_NAMESIZE]; /* Username. */  
  char ut_host[__UT_HOSTSIZE]; /* Hostname for remote login. */  
  struct __exit_status ut_exit; /* Exit status of a process marked  
                   as DEAD_PROCESS. */  
   
 /* The fields ut_session and ut_tv must be the same size when compiled  
   32- and 64-bit. This allows files and shared memory to be shared  
   between 32- and 64-bit applications. */  
 #ifdef __WORDSIZE_TIME64_COMPAT32  
  __int32_t ut_session;     /* Session ID, used for windowing. */  
  struct  
  {  
   __int32_t tv_sec;      /* Seconds. */  
   __int32_t tv_usec;     /* Microseconds. */  
  } ut_tv;           /* Time entry was made. */  
 #else  
  long int ut_session;     /* Session ID, used for windowing. */  
  struct timeval ut_tv;     /* Time entry was made. */  
 #endif  
  __int32_t ut_addr_v6[4];   /* Internet address of remote host. */  
  char __glibc_reserved[20];      /* Reserved for future use. */  
 };  
 ......  

2. utmp, wtmp
The utmp binary file records user logins.
The wtmp binary file records the history of user logins and logouts.

When a user logs in, a struct utmpx is filled in and appended to both the utmp and wtmp files.
When a user logs out, the user's struct utmpx entry in utmp is erased and a new entry is appended to the wtmp file.
 ubuntu@ip-172-31-23-227:~$ ls -lrt /run/utmp  
 -rw-rw-r-- 1 root utmp 4608 Sep 6 12:56 /run/utmp  
 ubuntu@ip-172-31-23-227:~$ ls -lrt /var/log/wtmp  
 -rw-rw-r-- 1 root utmp 3456 Sep 6 12:56 /var/log/wtmp  

3. who, last

The who command lists all users who are currently logged into the system.
The last command lists the history of past user logins and logouts.

The who command reads the utmp file; the last command reads the wtmp file.
 ubuntu@ip-172-31-23-227:~$ who  
 ubuntu  pts/0    2014-09-06 12:56 (cpe-98-14-66-46.nyc.res.rr.com)  
 ubuntu@ip-172-31-23-227:~$ last  
 ubuntu  pts/0    cpe-98-14-66-46. Sat Sep 6 12:56  still logged in  
 ubuntu  pts/0    cpe-98-14-66-46. Thu Sep 4 00:50 - 01:34 (00:44)  
 ubuntu  pts/2    cpe-98-14-29-170 Mon Sep 1 23:56 - 01:17 (01:20)  
 ubuntu  pts/0    cpe-98-14-29-170 Mon Sep 1 21:54 - 01:15 (03:21)  
 ubuntu  pts/0    cpe-98-14-29-170 Mon Sep 1 13:27 - 14:56 (01:28)  
   
 wtmp begins Mon Sep 1 13:27:35 2014  
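
As an added example (not code from the original post), the C program below replays a wtmp-format file the way section 2 describes it: a login record opens a session on a terminal line and the later logout record on the same line closes it. The file name sample.wtmp, the function names and the three records are constructed for illustration; the code assumes glibc's struct utmpx layout and ignores reboot records.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* Replay a wtmp-format file: USER_PROCESS opens a session on ut_line and
   DEAD_PROCESS on the same line closes it. Returns the number of sessions
   still open, or -1 if the file cannot be read. */
int open_sessions(const char *path)
{
    struct utmpx rec, live[64];   /* 64 terminals: assumed cap */
    int n = 0, i;
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    while (fread(&rec, sizeof rec, 1, fp) == 1) {
        for (i = 0; i < n; i++)   /* already an open session on this line? */
            if (!strncmp(live[i].ut_line, rec.ut_line, sizeof rec.ut_line)) break;
        if (rec.ut_type == USER_PROCESS) {
            if (i == n && n < 64) n++;      /* first login seen on this line */
            if (i < n) live[i] = rec;
        } else if (rec.ut_type == DEAD_PROCESS && i < n) {
            printf("%.*s closed after %ld s\n", (int)sizeof rec.ut_line, rec.ut_line,
                   (long)(rec.ut_tv.tv_sec - live[i].ut_tv.tv_sec));
            live[i] = live[--n];            /* drop the closed session */
        }
    }
    fclose(fp);
    return n;
}

/* Write three constructed records (sample data, not from a real host). */
int write_sample(const char *path)
{
    static const struct { short t; const char *u, *l; int s; } in[] = {
        { USER_PROCESS, "ubuntu", "pts/0", 1000 },
        { USER_PROCESS, "ubuntu", "pts/2", 2000 },
        { DEAD_PROCESS, "",       "pts/2", 5000 } };
    FILE *fp = fopen(path, "wb");
    if (!fp) return -1;
    for (size_t k = 0; k < sizeof in / sizeof in[0]; k++) {
        struct utmpx r = { .ut_type = in[k].t };   /* other fields zeroed */
        strncpy(r.ut_user, in[k].u, sizeof r.ut_user);
        strncpy(r.ut_line, in[k].l, sizeof r.ut_line);
        r.ut_tv.tv_sec = in[k].s;
        fwrite(&r, sizeof r, 1, fp);
    }
    return fclose(fp);
}

int main(void) { return write_sample("sample.wtmp") || open_sessions("sample.wtmp") < 0; }
```

On the sample, pts/2 is reported closed after 3000 seconds and pts/0 remains open, which corresponds to the "still logged in" line that last prints.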
