Lastlog, process accounting, utmp/wtmp/utmpx/wtmpx, and maybe even syslog is useless if an intruder has taken steps to "vanish" properly. Kernel accounting, if transferred soon enough to some secured receiver site, may still be intact. Comments on other non-destroyable user-authentication records, anyone? _H*