- 'last', 'who', etc. get remote login information from
    /var/adm/utmpx and /var/adm/wtmp. That information is only logged
    into these files if they already exist. To create them, do
    'touch /var/adm/utmpx /var/adm/wtmpx'. The analogous files under
    IRIX 4.0.x are /etc/xutmp and /etc/xwtmp.

  - If you're running IRIX 5.3, install patch 420 to fix a bug which
    causes xterm(1) to log logins incorrectly.

  - As described in the login(1) manpage, you can add the line
    'syslog=all' to /etc/config/login.options (IRIX 4.0.x) or change the
    line 'SYSLOG=FAIL' in /etc/default/login to 'SYSLOG=ALL' (IRIX 5.x)
    to log all login attempts, not just successful ones, in
    /var/adm/SYSLOG. Under IRIX 5.x only, the same change in
    /etc/default/su has the same effect on 'su' attempts.

  - 'ftpd', 'rshd', 'tftpd' and 'fingerd' all have options ('-l' or
    '-L') which cause them to log all accesses. See their manpages.
    'ftpd' also has '-ll' and '-lll' options (undocumented before IRIX
    5.x) which log individual file transfers and the sizes of those
    files respectively.  Add the options to the last fields (not the
    second-to-last) of the appropriate lines of /etc/inetd.conf, then do
    'killall -HUP inetd' or reboot.

  - Consider using Wietse Venema's tcp_wrappers, at
    ftp://ftp.win.tue.nl/pub/security/. This allows you not only to log
    most types of connections, but to restrict connections from
    particular hosts and prevent some forms of address spoofing.
    README.IRIX in current versions of tcp_wrappers describes a number
    of ways in which it does not work well with IRIX, some of them
    serious. tcp_wrappers is still useful, but read README.IRIX
    carefully and test your configuration to be sure it's working.

Some parts © 2009 Advameg, Inc.