Provided by: chkrootkit_0.58b-1_amd64

NAME

       chklastlog - check lastlog file for deleted entries

SYNOPSIS

       chklastlog looks for users whose login has been erased from the lastlog database.

DESCRIPTION

       chklastlog reads all entries from /var/log/wtmp (a database of information about logins and logouts) and
       checks that every user found in this file has an entry in /var/log/lastlog. It lists any users with
       logins in wtmp but no last-login information. This may suggest the user account has been compromised and
       the attacker has tried to cover their tracks.

       chklastlog needs to be able to read /var/log/wtmp and /var/log/lastlog. Normally these files are
       world-readable so no special privileges are required.

FILES

       /var/log/wtmp
              database of logins and logouts.

       /var/log/lastlog
              database which contains info on the last login of each user.

SEE ALSO

       wtmp(5), who(1), lastlog(8), last(1)

LIMITATIONS

       wtmp may itself be incomplete because not all programmes record their activity using utmp logging. See
       wtmp(5).

       chklastlog will not detect missing entries if the user has logged in after the lastlog entry was deleted.

       This program was originally designed to run on  SunOS  4.x  systems.  On  other  systems  the  output  is
       undefined.

                                                  Oct 23, 2021                                     CHKLASTLOG(8)