Hi all,
I thought of sharing with you my experience with clearing wtmp.
/var/adm/wtmp can be cleared in the following ways:
Code:
/usr/sbin/acct/nulladm /var/adm/wtmp
Code:
cp /dev/null /var/adm/wtmp
Code:
# Format /var/adm/wtmp to ASCII text, clean the 'bogus' entries and convert it back to wtmp format. You can do this by using the tool fwtmp.
# Be sure /tmp has enough space.
# Convert the wtmp to ASCII --> /tmp/dummy.file
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/dummy.file
# Edit the file /tmp/dummy.file via "grep -v" or just plain vi.
# Convert the ASCII output back --> /var/adm/wtmp
/usr/sbin/acct/fwtmp -ic < /tmp/dummy.file > /var/adm/wtmp
Things to know about the wtmp file.
1) This file grows in size and continues to grow even after a system reboot.
2) As far as auditing goes, this file is useful when trying to find out who logged in, in the past.
3) Can be corrupted if not maintained correctly.
Because of the above, this is what I do:
Create a script to reduce the size while keeping current login information.
Add to cron to run once a month in the wee hours.
Example:
Code:
#!/bin/ksh
#################################################################
#
# wtmp_shrink.ksh - Reduce the size of /var/adm/wtmp to 500 lines
# (approximately 324000)
#
#################################################################
# Only shrink when wtmp exists and is not empty.
if [ -s /var/adm/wtmp ]
then
    # Dump the binary records as ASCII text, one record per line.
    /usr/sbin/acct/fwtmp < /var/adm/wtmp > dummy.wtmp
    # Keep the newest 500 records and convert them back to wtmp format.
    /usr/bin/tail -500 dummy.wtmp | /usr/sbin/acct/fwtmp -ic > /var/adm/wtmp
    /usr/bin/rm dummy.wtmp
fi
I got this info from different sites on the net, and anyone can share their experience with us if it is not one of the above, so that all of these ideas are in one place.
Hope it will be useful to anyone facing the same incident.
Regards,
Khalid
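
Added example, not part of the original post: since wtmp is the login audit record, this variant of the shrink procedure keeps a verified full copy before trimming and only overwrites wtmp once the conversion has succeeded. The function name, the FWTMP, WTMP, ARCHIVE_DIR and KEEP variables and the archive directory path are assumptions; fwtmp is used exactly as in the post.

```shell
#!/bin/sh
# Added example: archive wtmp before trimming it, so login history survives.
# FWTMP, WTMP, ARCHIVE_DIR and KEEP are assumed names; override via environment.
FWTMP=${FWTMP:-/usr/sbin/acct/fwtmp}
WTMP=${WTMP:-/var/adm/wtmp}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/adm/wtmp.archive}
KEEP=${KEEP:-500}

wtmp_archive_and_trim() {
    # Nothing to do when wtmp is missing or empty.
    [ -s "$WTMP" ] || return 0

    # Private archive directory; the work file lives here instead of /tmp.
    mkdir -p "$ARCHIVE_DIR" && chmod 700 "$ARCHIVE_DIR" || return 1
    archive="$ARCHIVE_DIR/wtmp.$(date +%Y%m%d%H%M%S)"
    tmp="$ARCHIVE_DIR/.trim.$$"

    # 1. Keep a full binary copy, verify it, and record its checksum.
    cp -p "$WTMP" "$archive" || return 1
    cmp -s "$WTMP" "$archive" || { echo "archive copy differs" >&2; return 1; }
    cksum "$archive" >> "$ARCHIVE_DIR/cksum.log" || return 1

    # 2. ASCII dump -> newest $KEEP records -> back to binary, into a work file.
    if ! "$FWTMP" < "$archive" | tail -n "$KEEP" | "$FWTMP" -ic > "$tmp" \
        || [ ! -s "$tmp" ]; then
        echo "conversion failed, $WTMP left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # 3. Overwrite in place (same inode, owner, mode) only after step 2 worked.
    cat "$tmp" > "$WTMP" || return 1
    rm -f "$tmp"
}
```

Call wtmp_archive_and_trim from the cron script. Logins recorded between the copy in step 1 and the overwrite in step 3 are lost, so schedule it for a quiet period.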