Subject: !  -4- How can I log more information about logins?
Date: 06 Dec 1995 00:00:01 EST

  - 'last', 'who', etc. get remote login information from
    /var/adm/utmpx and /var/adm/wtmp. That information is only logged
    into these files if they already exist. To create them, do
    'touch /var/adm/utmpx /var/adm/wtmpx'. The analogous files under
    IRIX 4.0.x are /etc/xutmp and /etc/xwtmp.

+ - If you're running IRIX 5.3, install patch 420 to fix a bug which
+   causes xterm(1) to log logins incorrectly.

  - As described in the login(1) manpage, you can add the line
    'syslog=all' to /etc/config/login.options (IRIX 4.0.x) or change the
    line 'SYSLOG=FAIL' in /etc/default/login to 'SYSLOG=ALL' (IRIX 5.x)
    to log all login attempts, not just successful ones, in
    /var/adm/SYSLOG. Under IRIX 5.x only, the same change in
    /etc/default/su has the same effect on 'su' attempts.

  - 'ftpd', 'rshd', 'tftpd' and 'fingerd' all have options ('-l' or
    '-L') which cause them to log all accesses. See their manpages.
    'ftpd' also has '-ll' and '-lll' options (undocumented before IRIX
    5.x) which log individual file transfers and the sizes of those
    files respectively.  Add the options to the last fields (not the
    second-to-last) of the appropriate lines of /etc/inetd.conf, then do
    'killall -HUP inetd' or reboot.

  - Consider using TCP wrappers. Besides logging, these allow you to
    restrict connections to individual TCP daemons to particular hosts
    and prevent some forms of address spoofing. You can get source code
    from ftp://ftp.win.tue.nl/pub/security/.