Diffstat (limited to 'vimwiki/Check User Login.md')
| -rw-r--r-- | vimwiki/Check User Login.md | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/vimwiki/Check User Login.md b/vimwiki/Check User Login.md new file mode 100644 index 0000000..30b8a68 --- /dev/null +++ b/vimwiki/Check User Login.md 
@@ -0,0 +1,138 @@ + +# How to check last login time for user # + +There are a number of ways to check last logged in users with time details. + +1. `last` This command searches back through the file `/var/log/wtmp (or the file designated by the -f flag)` + and displays a list of all users logged in/out since the file was created. + + *Example*__To view last login of all users:__ + + `$ last` + `bob pts/7 server1.example Mon May 5 14:36 still logged in` + `bob pts/5 server1.example Mon May 5 14:34 still logged in` + `root pts/5 main.test Sun Apr 27 04:18 - 04:20 (00:02)` + `john pts/11 server1.example Sat Apr 26 06:25 - 17:16 (10:51)` + `john pts/10 server1.example Sat Apr 26 06:20 - 17:16 (10:56)` + +2. + *Example*__To view last login of specific user:__ + + `$ last bob` + `bob pts/7 server1.example Mon May 5 14:36 still logged in` + `bob pts/5 server1.example Mon May 5 14:34 still logged in` + +3. + *Example*__To view ip address details of the source machine:__ + + `$ last bob -i` + `bob pts/7 192.168.0.100 Mon May 5 14:36 still logged in` + `bob pts/5 192.168.0.100 Mon May 5 14:34 still logged in` + +3. `lastlog` This formats and prints the contents of the last login log `/var/log/lastlog` file. + + *Example*__To view last login time of user bob:__ + + `$ lastlog -u bob` + `Username Port From Latest` + `dave pts/7 server1.example Mon May 5 14:36:52 -0400 2014` + +# Track successful/failed login attempts # + +1. Login attempts are stored in `/var/log/secure` and this file can be checked. 
+ +`# less /var/log/secure | grep bob` + +`May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (bob)` +`May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com user=bob` +`May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for bob from 192.168.0.25 port 60735 ssh2` +`May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user bob by (uid=0)` +`May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (bob)` +`May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/12 ruser= rhost= user=bob` +`May 18 16:50:04 lab1 sudo: bob : TTY=pts/12 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -` +`May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by bob(uid=0)` + +2. Collect authentication reports for all recent attempts made on the system. + + *Example*__Reports for all attempts:__ + +`# aureport -au -i` + +`Authentication Report` +`============================================` +`# date time acct host term exe success event` +`============================================` +`1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469` +`2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443` +`3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512` +`4. 05/16/14 13:00:10 bob ? /dev/pts/116 /usr/bin/sudo yes 6947866` + + *Example*__Reports for successful attempts:__ + +`# aureport -au -i --success` + +`Authentication Report` +`============================================` +`# date time acct host term exe success event` +`============================================` +`1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469` +`2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443` +`3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512` +`4. 05/16/14 13:00:10 bob ? 
/dev/pts/116 /usr/bin/sudo yes 6947866` + + *Example*__Reports for failed attempts:__ + +`# aureport -au -i --failed` + +`Authentication Report` +`============================================` +`# date time acct host term exe success event` +`============================================` +`1. 05/16/14 15:42:11 dave ? /dev/pts/124 /usr/bin/sudo no 6949322` +`2. 05/17/14 12:02:53 andy 10.10.10.26 ssh /usr/sbin/sshd no 6959885` +`3. 05/18/14 01:21:06 abhay ? /dev/pts/12 /usr/bin/sudo no 6967954` + + *Example*__Login Failures:__ + +`# aureport -l --failed` + +`Login Report` +`============================================` +`# date time auid host term exe success event` +`============================================` +`1. 05/16/14 21:50:22 pete 10.191.29.164 sshd /usr/sbin/sshd no 6952386` +`2. 05/17/14 12:02:09 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959875` +`3. 05/17/14 12:02:48 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959884` + + *Example*__Successful Logins:__ + +`# aureport -l --success` + +`Login Report` +`============================================` +`# date time auid host term exe success event` +`============================================` +`1. 05/16/14 21:50:22 42771 10.191.29.164 sshd /usr/sbin/sshd yes 6952386` +`2. 05/17/14 12:02:09 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959875` +`3. 05/17/14 12:02:48 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959884` + + *Example*__Login Summary Report:__ + +`# aureport -l --success --summary -i` + +`Success Login Summary Report` +`============================================` +`total auid` +`============================================` +`4 alison` +`4 alex` +`3 andy` +`2 suzanne` +`1 paul` +`1 dave` +`1 pete` +`1 rashmi` + +##Refs:## +1. https://www.golinuxhub.com/2014/05/how-to-check-last-login-time-for-users.html +2. https://www.golinuxhub.com/2014/05/how-to-track-all-successful-and-failed.html |
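Review bot: The `lastlog` example in the first section queries one user and shows another: the command is `$ lastlog -u bob` but the sample output row is for `dave`, so the row should be changed to `bob` (or the command to `dave`). The list numbering in that section is also off: item `2.` and the first `3.` have no text of their own and their examples are further uses of `last`, while `lastlog` is numbered `3.` a second time; fold the two examples under item 1 and number `lastlog` as 2. In item 1 the code span `/var/log/wtmp (or the file designated by the -f flag)` swallows the parenthetical, so the backtick should close after `wtmp`. In the second section, `# less /var/log/secure | grep bob` can simply be `# grep bob /var/log/secure`. The sample outputs there need a second look as well: the "Successful Logins" rows reuse the timestamps, hosts and event ids (6952386, 6959875, 6959884) of the "Login Failures" rows with only the auid and success columns changed, and the "all attempts" sample is identical to the `--success` one, so a reader cannot see from them what distinguishes the reports. Minor: `##Refs:##` lacks the space after `##` that the other headings in this file use.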
