Why does the Active Users report show '??' for logon dates, while the Dormant User Accounts report shows actual dates? (NETIQKB49262)

  • 7749262
  • 02-Feb-2007
  • 24-May-2007

Resolution

fact
NetIQ Vulnerability Manager 5.0

fact
NetIQ Vulnerability Manager 5.5

fact
VigilEnt Security Agent for Unix 5.0

symptom

Why does the Active Users report show '??' for logon dates, while the Dormant User Accounts report shows actual dates?



symptom
Why do logon dates vary in reports run on the same Unix computer?

symptom
Why don't the Active Users and Dormant User Accounts checks work the same way?

cause

The Active Users and Dormant User Accounts checks draw their data from different sources. The Active Users check extracts its data on the last command run from /var/adm/wtmp. When the report gives a date as "?? date", the Unix systems administration team has cleared out the wtmp file, and the date listed is the date on which the wtmp file was cleared.

For the Dormant User Accounts check, the information is extracted from /etc/security/lastlog. This file is continually updated and holds only the last time the user logged into the system. It is not cleared out as part of Unix systems administration. The wtmp file, on the other hand, holds one entry for every time each user logged in, which is why it must be cleared regularly.
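
The difference between the two sources can be checked by hand. The following is an added example, not code from NetIQ or from the product: it assumes /etc/security/lastlog uses the AIX-style stanza layout with a time_last_login attribute holding an epoch value, and that the caller supplies the time of the earliest record left in wtmp. The function names, the 90-day threshold and the sample data are constructed for illustration.

```python
# Constructed sample; the stanza layout and time_last_login attribute are assumptions.
SAMPLE_LASTLOG = """\
root:
        time_last_login = 1170288000
        tty_last_login = /dev/pts/0

alice:
        time_last_login = 1167955200
        unsuccessful_login_count = 2

bob:
        time_last_login = 1157068800

svcbatch:
        unsuccessful_login_count = 0
"""

def parse_lastlog(text):
    """Return {user: epoch of last login, or None if no login is recorded}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # stanza header, e.g. "root:"
            users[current] = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "time_last_login" and value.isdigit():
                users[current] = int(value)
    return users

def compare_sources(users, wtmp_start, now, dormant_days=90):
    """Per account: dormant per lastlog (illustrative 90-day default), and still visible in wtmp?"""
    result = {}
    for user, last in users.items():
        dormant = last is None or now - last > dormant_days * 86400
        # A logon older than the first wtmp record was lost when wtmp was cleared.
        in_wtmp = last is not None and last >= wtmp_start
        result[user] = {"dormant": dormant, "in_wtmp": in_wtmp}
    return result

if __name__ == "__main__":
    # wtmp cleared 2007-01-15, report run 2007-02-02 (constructed UTC epochs)
    for user, row in compare_sources(parse_lastlog(SAMPLE_LASTLOG),
                                     wtmp_start=1168819200, now=1170374400).items():
        print(user, row)
```

Accounts with in_wtmp set to False are the ones for which a wtmp-based report has no logon record to show, even though lastlog still holds the actual date.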



note

The Dormant User Accounts check is based on a newer custom check-type code base. The Active Users check is currently generated by the older non-custom check code base and will be updated in an upcoming release of Vulnerability Manager.



Additional Information

Formerly known as NETIQKB49262