1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
.\" Copyright (c) DFN-CERT, Univ. of Hamburg 1994
.\"
.\" Univ. Hamburg, Dept. of Computer Science
.\" DFN-CERT
.\" Vogt-Koelln-Strasse 30
.\" 22527 Hamburg
.\" Germany
.TH CHKWTMP 8 "Oct 23, 2021"
.SH NAME
chkwtmp \- check wtmp file deleted entries
.SH SYNOPSIS
.B chkwtmp
looks for data deleted from
.I wtmp
.SH DESCRIPTION
.B chkwtmp
examines the file
.I /var/log/wtmp
for entries which have been overwritten (containing only
null-bytes). If such entries are found the program displays the
timestamps of the entries before and after the deleted entry,
providing an idea of when the entry was deleted.
.B chkwtmp
needs to be able to read
.IR /var/log/wtmp .
Normally this file is world-readable so no special privileges are
required.
.SH FILES
.TP
.I /var/log/wtmp
database of logins and logouts.
.SH SEE ALSO
.BR wtmp (4),
.BR who (1)
.SH LIMITATIONS
An entry is recognized as overwritten if the time-information has been
overwritten with null-bytes.
This program was originally designed to run on SunOS 4.x systems. On
other systems the output is undefined.
|
