NetIQ Vulnerability Manager 5.0
NetIQ Vulnerability Manager 5.5
VigilEnt Security Agent for Unix 5.0
Why does the Active Users report show '??' for logon dates, while the Dormant User Accounts report shows actual dates?
Why do logon dates vary in reports run on the same Unix computer?
Why don't the Active Users and Dormant User Accounts checks work the same way?
The Active Users and Dormant User Accounts checks draw their data from different sources. For the Active Users check, the data on the last command run is extracted from
/var/adm/wtmp. However, when the date in the report is given as
?? date, that indicates that the Unix systems administration team has cleared out the
wtmp file. The date listed is therefore the date on which the wtmp file was cleared.
For the Dormant User Accounts check, the information is extracted from
/etc/security/lastlog. This file is continually updated and holds only the last time the user logged into the system. It is not cleared out as part of Unix systems administration. The
wtmp file, on the other hand, holds one entry for every time each user logged in, which is why it must be cleared regularly.
The Dormant User Accounts check is based on a newer custom check-type code base. The Active Users check is currently generated by the older non-custom check code base and will be updated in an upcoming release of Vulnerability Manager.