Determine how often a specific local user has logged in in last 30 days

stephanpeterson
Contributor

To help identify shared Macs in our environment I'm trying to determine how often a specific local user account has logged in in the last 30 days. I realize it might be possible to query the JSS via the API to get this info, but I was hoping to be able to accomplish it via an EA.

Any help would be greatly appreciated. Thanks.

6 REPLIES

thoule
Valued Contributor II

The 'last' command used to give a nice list of login history. Sadly, I found that to be unreliable (as it's just blank, or shows login since last reboot only on many computers).

The other way to get that info is via the jamf log (grep "Informing the JSS about login for user" /var/log/jamf.log). The problem with that solution is that it doesn't appear to go back 30 days. I'm not sure what the rotation/purging setting is on that log file. But if you want to keep 30 days, you'll need to manage your own rotation.

So I guess if I had your task, I'd write something to copy the last 30 days from the jamf.log file and keep it somewhere safe, then get my logged in users from that. Not easy, but not that hard either.

In case you want to pull parts out, here is a script I use to determine a computer's 'most frequent user' and assign it to them in the JSS. https://github.com/tmhoule/FrequentUser

stephanpeterson
Contributor

Yes, I found the 'last' command after posting my question. So far, it's giving me info. To your point, will I find machines that don't report info properly?

I'm also looking at 'ac -p | grep <username>' and it's giving me info that could be helpful too.

Right now we're trying to wean users off the use of a shared local user account that exists in our environment. My need of tools like 'last' and 'ac' is to help identify which machines that account is being used on with regularity. Eventually, we'll be getting rid of this account, but for now we'd like to identify the machines so that we can work with those users on transitioning away from the use of the shared account before it gets deleted.

SeanA
Contributor III

Another possibility (rough outline):

Create a policy which will run at login and will run inventory after the policy is run. This policy will run a script that would roughly do the following:

  1. create a file on the Mac, like using touch /path/to/text/file, in a somewhat hidden folder.
  2. the script will write the username of the account used to log in to the computer to that file (possibly in a format of date:name_of_account, or something similar). To do that, use the $3 parameter variable. Script Parameters. In the script, you could run a test to only write the username to the file ONLY if $3 is equal to the name of this shared user account.
  3. There are various methods of finding the logged in user that I would imagine you would know. This post covers a lot of options. The post also seems to slightly touch upon the requirements you mention in your post.
  4. Afterwards, create an EA that will capture the contents of the file, such as using the cat command (cat /path/to/text/file).

SeanA
Contributor III

dupe

Joeborner
New Contributor II

@stephanpeterson - If it's the same user on all the machines just create a login script scoped to that user that logs the date of the login into a file and another script which counts the lines that are above the specified date and echoes this into a text file as a number. This script could also tidy up older dates if you don't need these anymore. This count can then be used as an extended attribute.

Doing it as a number allows you to then make smart groups based on greater than X amount of logins.
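The approach outlined in the two replies above (record each login of the shared account as date:name_of_account, then report a 30-day count through an EA), written out as an added example that is not code from any poster in this thread. The log path, the account name `sharedaccount` and all function names are assumptions; the login policy script would call `record_login "$3"` and the EA script would call `ea_result`.

```shell
#!/bin/bash
# Added example: count logins by one shared local account in the last 30 days.
# LOG and SHARED are placeholders (assumptions), not values from the thread.
LOG="${LOG:-/path/to/text/file}"
SHARED="${SHARED:-sharedaccount}"

# Date N days ago as YYYY-MM-DD: BSD date (macOS) first, GNU date as fallback.
days_ago() {
    date -v-"$1"d +%Y-%m-%d 2>/dev/null || date -d "$1 days ago" +%Y-%m-%d
}

# Login policy side: append "date:account" only when the shared account logs in.
# In a Jamf policy script the login username arrives as $3.
record_login() {  # record_login <user> [YYYY-MM-DD, defaults to today]
    [ "$1" = "$SHARED" ] || return 0
    printf '%s:%s\n' "${2:-$(date +%Y-%m-%d)}" "$1" >> "$LOG"
}

# Count entries for the shared account dated on or after the cutoff.
# ISO dates sort lexicographically, so a string comparison is enough.
count_since() {  # count_since <cutoff YYYY-MM-DD>
    [ -f "$LOG" ] || { echo 0; return 0; }
    awk -F: -v c="$1" -v u="$SHARED" \
        '$2 == u && $1 >= c { n++ } END { print n + 0 }' "$LOG"
}

# Drop entries older than the cutoff so the file does not grow forever.
prune_before() {  # prune_before <cutoff YYYY-MM-DD>
    [ -f "$LOG" ] || return 0
    tmp=$(mktemp) || return 1
    awk -F: -v c="$1" '$1 >= c' "$LOG" > "$tmp" && cat "$tmp" > "$LOG"
    rm -f "$tmp"
}

# Extension attribute side: Jamf reads the value between <result> tags.
ea_result() {
    echo "<result>$(count_since "$(days_ago 30)")</result>"
}
```

Keeping the file in a root-owned directory stops users of the shared account from editing their own login record, and the numeric result can feed a smart group on "greater than X logins".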

stephanpeterson
Contributor

My goal for this was to try and help determine which machines in our environment were likely being used as shared Macs. For us that means that a specific local acct was being used with some regularity. However, we have some machines that have already transitioned away from that local acct existing and users are already logging in with their own credentials on these machines.

I created 2 extension attributes. The first one determines how many mobile AD accounts are present (H/T @chriscollins ):

userListCount=`dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | wc -l`

The second EA gets the hours of usage using the ac binary and does some rounding:

ac -p | grep <userid> | awk '{print $2}' | LC_ALL=C xargs /usr/bin/printf "%.*f\n" 0

Thanks for the advice and I hope my solution is of benefit to someone else.