[ale] What creates /var/log/faillog ?

Raj Wurttemberg rajaw at c64.us
Mon Sep 22 13:38:20 EDT 2014


Hey Chuck,

Actually, I don't have a /var/log/faillog file and the security auditor says
that we should have the file. I was thinking that maybe an older pam_tally
module created that file.

Kind regards,
Raj

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Chuck
Payne
Sent: Monday, September 22, 2014 11:56 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] What creates /var/log/faillog ?

Raj,

Do you have lsof installed? You got a lot of great answers from the guys, but
if you aren't sure what is writing a file, you have your good friend lsof to
the rescue. This is good to know in case you have to find a process or a
service you do not know.

Since you were wondering what wrote the log file, the first thing to do is see
what process might be writing the file.

lsof | grep /var/log/faillog

I am going to use an example with my firewall called tengu:

lsof | grep tengu

mysqld     2966 23380       mysql   71u      REG                8,6  151472    2364586 /var/lib/mysql/tengu/ips.MYD
mysqld     2966 23380       mysql   72u      REG                8,6    1024    2364588 /var/lib/mysql/tengu/whitelist.MYI
mysqld     2966 23380       mysql   73u      REG                8,6       0    2364589 /var/lib/mysql/tengu/whitelist.MYD
sh        11792              root   10r      REG                8,6   20964    7480015 /usr/local/bin/tengu
sh        11802              root   10r      REG                8,6   20964    7480015 /usr/local/bin/tengu
sh        21553              root   10r      REG                8,6   20964    7480015 /usr/local/bin/tengu
sh        21564              root   10r      REG                8,6   20964    7480015 /usr/local/bin/tengu

A breakdown of lsof output:

1st column is the process running
2nd column is the pid
3rd column is the user
4th is FD
5th is Type
6th is Device where the server is running
7th is size/off
8th is Node
9th is the name of the file it is using

So I found an active pid, and I use lsof to show me what files the process
has open:

lsof -p 12197
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
sh      12197 root  cwd    DIR    8,6     4096 7471772 /usr/local/bin
sh      12197 root  rtd    DIR    8,6     4096       2 /
sh      12197 root  txt    REG    8,6   106920 9699332 /bin/dash
sh      12197 root  mem    REG    8,6  1599536 6685394 /lib/x86_64-linux-gnu/libc-2.13.so
sh      12197 root  mem    REG    8,6   136936 6685389 /lib/x86_64-linux-gnu/ld-2.13.so
sh      12197 root    0u   CHR    4,2      0t0    1043 /dev/tty2
sh      12197 root    1u   CHR    4,2      0t0    1043 /dev/tty2
sh      12197 root    2u   CHR    4,2      0t0    1043 /dev/tty2
sh      12197 root   10r   REG    8,6    20964 7480015 /usr/local/bin/tengu


Again, lsof is great to see what might be writing and where the program that
is writing the log is. I know it's a bit much, but if Google is letting you
down and you want to make sure it's not some script kiddie's script running on
a server, lsof is your Sherlock to find what is doing what.



On Mon, Sep 22, 2014 at 11:22 AM, Paul Cartwright <pbcartwright at gmail.com>
wrote:




--
Terror PUP a.k.a
Chuck "PUP" Payne

(678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype,twitter,identica,friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD,  an app you want to
package and distribute , or create your own linux distro. Give SUSE Studio a
try.
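The lsof approach Chuck describes above, as an added example that is not part of the thread: instead of grepping the human-readable table (which wraps in mail and matches substrings of unrelated paths), it reads lsof's machine-readable `-F` output and reports each process holding the file open. It assumes lsof is installed; the SAMPLE block is constructed output, not data from any real system.

```sh
#!/bin/sh
# parse_lsof_fields: read "lsof -F pcLfn" output on stdin and print one
# line per open instance in the form: PID COMMAND USER FD NAME
# (-F prints one field per line, tagged by its first character:
#  p=pid, c=command, L=login name, f=fd, n=file name)
parse_lsof_fields() {
    pid='' cmd='' user='' fd=''
    while IFS= read -r line; do
        tag=${line%"${line#?}"}   # first character is the field tag
        val=${line#?}             # rest of the line is the value
        case "$tag" in
            p) pid=$val; cmd=''; user='' ;;   # new process record
            c) cmd=$val ;;
            L) user=$val ;;
            f) fd=$val ;;
            n) printf '%s %s %s %s %s\n' "$pid" "$cmd" "$user" "$fd" "$val" ;;
        esac
    done
}

# who_has_open: report which processes currently hold PATH open.
# lsof exits non-zero when nothing has the file open; that just yields no rows.
who_has_open() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path does not exist, so nothing can have it open" >&2
        return 1
    fi
    lsof -F pcLfn -- "$path" 2>/dev/null | parse_lsof_fields
}

# count_holders: number of distinct PIDs in parsed output (stdin = lsof -F text)
count_holders() {
    parse_lsof_fields | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample of "lsof -F pcLfn /var/log/faillog" output (not real data)
SAMPLE='p1234
clogin
Lroot
f4
n/var/log/faillog
p5678
csshd
Lroot
f7
n/var/log/faillog'

printf '%s\n' "$SAMPLE" | parse_lsof_fields
```

Run `who_has_open /var/log/faillog` on a live system to see the real holders; an empty result means nothing has the file open right now, not that nothing ever writes it.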
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo