[ale] What creates /var/log/faillog ?

Shawn taaj.shawn at gmail.com
Mon Sep 22 10:50:33 EDT 2014 

its a binary, use faillock to read it in centos6.


[root at something: log]$ cat /etc/*release*
CentOS release 6.4 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
cat: /etc/lsb-release.d: Is a directory
CentOS release 6.4 (Final)
CentOS release 6.4 (Final)
cpe:/o:centos:linux:6:GA

[root at somethingawesome : log]$ man faillock |cat
FAILLOCK(8)                    Linux-PAM Manual
 FAILLOCK(8)



NAME
       faillock - Tool for displaying and modifying the authentication
failure
       record files

SYNOPSIS
       faillock [--dir /path/to/tally-directory] [--user username] [--reset]

DESCRIPTION
       The pam_faillock.so module maintains a list of failed authentication
       attempts per user during a specified interval and locks the account
in
       case there were more than deny consecutive failed authentications. It
       stores the failure records into per-user files in the tally
directory.

       The faillock command is an application which can be used to examine
and
       modify the contents of the the tally files. It can display the recent
       failed authentication attempts of the username or clear the tally
files
       of all or individual usernames.

OPTIONS
       --dir /path/to/tally-directory
           The directory where the user files with the failure records are
           kept. The default is /var/run/faillock.

       --user username
           The user whose failure records should be displayed or cleared.

       --reset
           Instead of displaying the user´s failure records, clear them.

FILES
       /var/run/faillock/*
           the files logging the authentication failures for users

SEE ALSO
       pam_faillock(8), pam(8)

AUTHOR
       faillock was written by Tomas Mraz.



Linux-PAM Manual                  02/22/2013
FAILLOCK(8)
[root at openvpnhamaster.devdc : log]$ man pam_faillock |cat
PAM_FAILLOCK(8)                Linux-PAM Manual
 PAM_FAILLOCK(8)


man pam_faillock |cat

for info on how to set it up.


On Mon, Sep 22, 2014 at 10:42 AM, leam hall <leamhall at gmail.com> wrote:

> Paul, what does "file /var/log/faillog" say? How about "strings
> /var/log/faillog"?
>
> Of course, it could have been a file that's held open but already removed.
>
>
>
> On Mon, Sep 22, 2014 at 10:13 AM, Paul Cartwright
> <pbcartwright at gmail.com> wrote:
> > weird... I have a faillog, but it looks like a data file. when I try
> > more, it shows blanks..
> >
> > ls -l /var/log/faillog
> > -rw------- 1 root root 32000 Sep 11 14:57 /var/log/faillog
> > pauls-server:/home/pbc # tail /var/log/faillog
> > pauls-server:/home/pbc #
> >
> >
> > tail shows nothing either..
> >
> >> Never heard of a "faillog". There is secure and audit logs.
> /var/log/secure
> >> handles login attempts. If auditd is running, /var/log/audit/* handles
> all
> >> manner of access internal to the system (I.e. not web server access).
> >> Perhaps those are what was inferred.
> >> On Sep 22, 2014 9:43 AM, "Raj Wurttemberg" <rajaw at c64.us> wrote:
> >>
> >>> My Google-Fu must be running low this this morning...
> >>>
> >>> What creates /var/log/faillog ? I have a RHCE 6.5 server and a security
> >>> auditor said that we should have a /var/log/faillog file. I have the
> >>> "pam_tally2" module loaded in the auth file "system-auth-ac" .  The
> >>> pam_tally2 command does appear to give proper results as well.
> >>>
> >>> Kind regards,
> >>> Raj Wurttemberg
> >>> rajaw at c64.us
> >>>
> >>>
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://mail.ale.org/mailman/listinfo/ale
> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> >>> http://mail.ale.org/mailman/listinfo
> >>>
> >> -------------- next part --------------
> >> An HTML attachment was scrubbed...
> >> URL: <
> http://mail.ale.org/pipermail/ale/attachments/20140922/cb52c48d/attachment.html
> >
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >>
> >>
> >
> >
> > --
> > Paul Cartwright
> > Registered Linux User #367800 and new counter #561587
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
>
>
> --
> Mind on a Mission
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
*- Shawn Taaj*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20140922/7cc5ad39/attachment.html>

More information about the Ale mailing list