faillog not updating & gives command not found error in opensuse 11.4

I have an installation of 11.4 on my laptop which I use for teaching classes on operating systems. The computer dual boots from an external hard drive. It has been updated with all necessary patches and updates as of this past Sunday. When I started to cover security I noted that the faillog command returned the command not found error when running as the root user. The file is in the correct place and is noted as a type “binary” but nothing can open it to get meaningful information, although kwrite will open it and show ASCII characters.

I have done many searches and made entries in the pam_ files to set up failed log in attempts but so far the faillog size remains at 0 bytes. I tried a touch command as recommended by one “expert” that posted a solution and the file changed from binary to text and is still 0 bytes in size?

I have searched for software packages and updates but nothing shows as applying to version 11.4? Any help will be very greatly appreciated.

It is not quite clear to me. Are you talking about a tool named faillog that you want to execute? It is not on my system either.

But then you talk about a file that is in the correct place, but you fail to tell where nor show any information about it. Why not post an

 ls -l /path/to/that/file/faillog

so that we all can see and draw our conclusions?

Another thing I do not understand is that a file that has a size of 0 bytes can not be categorized as “binary” or “text” by any means. Thus I do not know where you get that from, but imho it is bogus.

I have such a file on 11.2 in /var/log sized 3.2K, but it is not marked executable. Also even if it were executable it would not be in the default paths so you would need to specify the full path or be in the /var/log directory to run it. But I believe this is the database file not the command. Now on 11.2 I see the faillog command in /usr/sbin, but on 11.4 I can not see this command. It runs but produces no output on 11.2, but I’d expect that since I have no failed log ons. But there is still the database in /var/log. So I don’t know if it is something that is being removed or if perhaps it is a packaging error or maybe some additional package needs to be added.

Maybe I should have searched for the file myself, but I thought that there were enough questions to the OP for further clarification for the moment :wink:

Yes, I have:

boven:/var/log # ls -l faillog 
-rw------- 1 root root 2592 May  2 16:34 faillog
boven:/var/log # file faillog 
faillog: data
boven:/var/log #

And I still have the 11.2 root filesystem mounted and there I find:

boven:/mnt/oldsys/usr/sbin # l faillog
-rwxr-xr-x 1 root root 10036 Oct 19  2009 faillog*
boven:/mnt/oldsys/usr/sbin #

as gogalthorp already reported.

I have an 11.2 running on another system. I will try to find out which package installs the tool.

On 11.2 faillog (and its man page) are part of the package login.

On 11.4 faillog is no longer in login.

Nice to know, but why is this and where has it gone or is it deprecated?

Thanks for the replies everyone, maybe this can get solved??? The file type of the /var/log/faillog was a “binary” meaning it was some sort of non text file that needs something special such as a “faillog” executable to read it. That file used to be in /usr/sbin but is NOT on my machine or any of my students’ computers either. When I did a “touch” command the file changed from binary to text which surprised me and in both cases it had 0 bytes as a size. Before the switch, the ls -l gave the same result as noted above in Henk’s post.

Your original post was not very clear about the difference between the tool and the logfile. But as you see above we managed to find that out. Also I have glanced through the man faillog page on 11.2 that explains it of course.

It is not so important, but I still do not understand how you come to say “file type of the /var/log/faillog was a “binary””. I said “Thus I do not know where you get that from”. That may not be an explicit question, but it is an implicit one and you did not answer. So it is still unclear to me where that bogus came from. The file tool says about a file with 0 bytes that it is “empty”. (And it says about a non empty /var/log/faillog that it is “data”, which it says as it does not know what it is, but which in principle is as useless as calling it “binary” because everything in a computer file is “binary data” lol!).

Yes, we have to try to find if the faillog tool can be found anywhere in a repo.
Of course we could provide you with an 11.2 version of it. Which is very likely to function, but that is our last resort imho.

Thanks for the reply. I used the Dolphin file manager program and when looking at the file in the noted subdirectory it said “binary” on it! Where text files have “txt” and images have “image” such, this one had what looked like the Windows logo which I knew was not a Windows file. Several other search results also confirmed this and appears to be why a text editor such as kwrite can open it but displays ASCII characters similar to opening an executable or other binary file with Windows Notepad where ASCII characters were displayed. So that is how the “binary” label came to me. I am well aware ALL computer files are binary so that is NOT the point. The point is WHY 11.4 DOES NOT SEEM TO HAVE THE NECESSARY EXECUTABLE FILE SO THE LOG ALSO WITH THE SAME NAME CAN BE READ??!! I did also try to open the file with the included database and also copied it to a Redhat server and tried with Oracle since the file is a collection of database records for each failed login but no luck there.

As you teach about operating systems, you should know that end-user file managers like Dolphin are not the authorities you should depend on. Better use a basic tool like file. Which has the added feature that it will not show any idiotic logos. There is a thread here on the forums where I prove that Dolphin thinks that a file containing a GIF is a file containing a JPEG only because the name of the GIF file ends with the characters .jpeg. It never looks inside to make a real intelligent guess, but file does. Other file managers (like Konqueror) still have different ideas.

We must however take into account that Linux has no means to tell what a file is meant to have as content type. The only thing one can do is look into it and see if there is some “magical number” that fits some definition.

Also, not only can any file be called “binary” or “data”, but every file can also be seen as a file with characters according to one of the ISO 8859 definitions (take one at your choice) because all values a byte can have are defined in them. The only thing is that when it in fact is not what we call “plain text” it will have long lines (lacking LF characters except by incident) and also having the lower numbered ASCII ones which often have no glyph in the font used (but it may bleep when there is the value 7 ;)).

I guess there is no use to try the faillog file with all sorts of well known databases. It will have its own structure. After all a “database” is also a very vague expression that fits for any organised (set of) file(s).

As I see you’re very fond of having the tool and as I can not find it until now in a repo and nobody else showed up knowing where to find it, I copied the 11.2 one to a website: http://hcvv.home.xs4all.nl/faillog
You may download it if you wish so.

On 2011-06-08 12:36, hcvv wrote:
>
> It is not quite clear to me. Are you talking about a tool named
> -faillog- that you want to execute? It is not on my system either.

It was part of the standard components of a linux system, but has
disappeared in 11.4, I don’t know why. It could be a bug.

There were both a log file and a utility.

11.4 provides:

> ./suse/x86_64/aaa_base-11.4-54.60.1.x86_64.rpm: -rw------- 1 root root 0 Nov 18 10:35 /var/log/faillog
> ./suse/noarch/man-pages-ja-20100415-2.1.noarch.rpm: -rw-r--r-- 1 root root 1537 Feb 19 22:33 /usr/share/man/ja/man5/faillog.5.gz
> ./suse/noarch/man-pages-ja-20100415-2.1.noarch.rpm: -rw-r--r-- 1 root root 2226 Feb 19 22:33 /usr/share/man/ja/man8/faillog.8.gz

It was supposed to log failed entries to the system, and the utility was
used to see the log, IIRC.

Plus, google has several references to this command gone missing on several
distros.

This one looks interesting:

> http://www.serpentus.com/2011/05/16/rhel-6-faillog-command-not-logging-failed-logins/

It mentions an alternate program to use to log failed logins, which means
that faillog is probably deprecated. Now, who can find a reference to this
somewhere?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

The story in that link seems to have the tool, but the tool cannot find the logfile. Exactly the opposite from what we have.

On 2011-06-08 22:36, hcvv wrote:
>
> The story in that link seems to have the tool, but the tool cannot find
> the logfile. Exactly the opposite from what we have.

That tool (pam_tally2) needs you to reconfigure pam to record failed login
attempts.

Telcontar:/etc # pam_tally2 -u cer
Login Failures Latest failure From
cer 0

I fake a (failed) login attempt, and the output is the same, so I don’t
have it configured. Ah, it is not the faillog file, mine has 47KB (inherited)

Read man pam_tally2.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Thanks everyone and now it seems we are getting somewhere. I saw the fact that 11.2 seemed to be up to speed on this but now maybe it is not needed any longer??!! It appears you get what you pay for with many of the Linux tools and sometimes they act like Windows based tools in that they generalize so any image is a graphic and any video is a movie of some sort. Of course once you see that the .mkv file will not play with a certain video player the search is then on. The database layout of the entries in the faillog log file made me think it might be a C++ module possibly:

struct faillog {
    short   fail_cnt;
    short   fail_max;
    char    fail_line[12];
    time_t  fail_time;
};

especially with the braces and all. I need to dust off my C++ compiler and see if I can use a small program in C++ to write this to get into it. I’ll try your upload and in a day or two will let you know if my C++ idea works out.
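
An added example (not part of the original post, and not the code of the old faillog tool): a minimal C reader for /var/log/faillog built on the struct posted above. It assumes the file is a flat array of these records indexed by UID, and that the reader is compiled for the same architecture that wrote the file, since sizeof(struct faillog) depends on the width of time_t; the function names and the sample record are constructed for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Record layout as posted above. Assumption: the file was written with this
 * layout and is a flat array of records indexed by UID. */
struct faillog {
    short  fail_cnt;
    short  fail_max;
    char   fail_line[12];
    time_t fail_time;
};

/* Print every UID with recorded failures; return how many there were. */
int faillog_dump(FILE *in, FILE *out)
{
    struct faillog fl;
    int hits = 0;
    for (long uid = 0; fread(&fl, sizeof fl, 1, in) == 1; uid++) {
        char when[32] = "unknown";
        struct tm *tm = localtime(&fl.fail_time);
        if (fl.fail_cnt == 0) continue;   /* unused slot or no failures */
        if (tm) strftime(when, sizeof when, "%Y-%m-%d %H:%M", tm);
        fprintf(out, "uid=%ld failures=%d max=%d line=%.12s last=%s\n",
                uid, fl.fail_cnt, fl.fail_max, fl.fail_line, when);
        hits++;
    }
    return hits;                          /* 0 for an empty (0-byte) file */
}

/* Constructed sample: a sparse file holding one record, in the UID 1000 slot. */
FILE *faillog_sample(void)
{
    struct faillog fl = { 3, 0, "tty1", 1307529360 };  /* constructed values */
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fseek(fp, 1000L * (long)sizeof fl, SEEK_SET);
    fwrite(&fl, sizeof fl, 1, fp);
    rewind(fp);
    return fp;
}

int main(int argc, char **argv)
{
    FILE *in = argc > 1 ? fopen(argv[1], "rb") : faillog_sample();
    if (!in) { perror("faillog"); return 1; }
    printf("%d account(s) with failures\n", faillog_dump(in, stdout));
    fclose(in);
    return 0;
}
```

Run without arguments it reads the constructed sample; given a path it reads that file instead, and a 0-byte file simply reports no accounts.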

> especially with the braces and all. I need to dust off my C++ compiler
> and see if I can use a small program in C++ to write this to get into
> it. I’ll try your upload and in a day or two will let you know if my C++
> idea works out.

That’s a dead horse.

Faillog is no longer used, the current stuff is, apparently, pam_tally2.

However, if you still want to investigate, just gather the sources of the
old faillog command, and the structure will be there.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I was reading an article on security hardening and it suggested the use of faillog. Which I tried, which also failed like yours. I also read that faillog used to be part of the package “login”. So, “man login”.
At the bottom of the manpage it indicates the file /var/log/btmp - list of failed login sessions. So I’ll log out and goof my login just once to see if it is indeed the answer to your problem :slight_smile:

How do you get pam_tally2 to work? When I type this command it says “no such file or directory”

On 2011-08-30 03:56, tshow8099 wrote:
>
> How do you get pam_tally2 to work? When I type this command it says “no
> such file or directory”

Are you root?
Which OS version are you using?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)