[RESOLVED] - last command not showing all logons

Support for security such as Firewalls and securing linux
Post Reply
User avatar
warron.french
Posts: 560
Joined: 2014/03/27 20:21:58

[RESOLVED] - last command not showing all logons

Post by warron.french » 2020/12/03 01:30:32

We have an issue on some servers where a user logging on is authenticating and,
  • it can be confirmed with audit records, using ausearch or reviewing the /var/log/audit/audit.log files (even with using grep),
  • it can be confirmed reviewing the /var/log/messages file,
but it cannot be confirmed with the last command.

What would cause this? Do we need to take some corrective action to improve visibility into whatever is happening on our systems?
Last edited by warron.french on 2020/12/04 00:16:40, edited 1 time in total.
Thanks,
War

chemal
Posts: 729
Joined: 2013/12/08 19:44:49

Re: last command not showing all logons

Post by chemal » 2020/12/03 02:04:42

last reads /var/log/wtmp and man wtmp says:

"There may be more users currently using the system, because not all programs use utmp logging."

I assume it's the same with wtmp logging.

User avatar
warron.french
Posts: 560
Joined: 2014/03/27 20:21:58

Re: last command not showing all logons

Post by warron.french » 2020/12/04 00:16:22

Thanks @chemal.

Merry Christmas?
Thanks,
War

User avatar
warron.french
Posts: 560
Joined: 2014/03/27 20:21:58

Re: [RESOLVED] - last command not showing all logons

Post by warron.french » 2020/12/08 16:09:14

Found the actual problem, and this post is inappropriately posted in the wrong forum - rather it shouldn't have been asked at all since CentOS Forums no longer support RHEL-variants of v6.x.

The issue was for our RHEL-6.x servers; however, we found that our AWS instance was also missing the appropriate changes.

First, ensure that /etc/ssh/sshd_config has the following syntax exactly:

Code: Select all

UsePAM    yes
Second, inside /etc/pam.d/sshd ensure this syntax is in place:

Code: Select all

session   required     pam_lastlog.so

That was it.
Thanks,
War

Post Reply

Return to “CentOS 7 - Security Support”