Hi, how do I view /var/log/faillog in openSUSE 11.4?
m1140:/ # /var/log/faillog
-bash: /var/log/faillog: cannot execute binary file
m1140:/ # l /var/log/faillog
-rwxrwxrwx 1 root root 320096 Nov 6 20:28 /var/log/faillog*
Thanks.
On 2012-02-20 23:46, avrely wrote:
>
> Hi, how to view /var/log/faillog in openSUSE11.4
>
>
> Code:
> --------------------
> m1140:/ # /var/log/faillog
> -bash: /var/log/faillog: cannot execute binary file
> m1140:/ # l /var/log/faillog
> -rwxrwxrwx 1 root root 320096 Nov 6 20:28 /var/log/faillog*
> --------------------
Be careful, you might succeed executing a non executable file as root and
destroy your system - which is not normal, those permissions are not the
standard. You have done something.
I think it was done with acct.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
I have changed to 0600
m1140:~ # l /var/log/faillog
-rw------- 1 root root 320096 Nov 6 20:28 /var/log/faillog
But how do I use this log? How can I read it?
I think faillog is deprecated (I have no authoritative link for that, but
the faillog command which reads /var/log/faillog has not existed for
quite a while).
Have a look at pam_tally2, you need to run it as root (“man pam_tally2”
tells you more), you probably need to configure your system to write the
info needed (/var/log/tallylog) by pam_tally2.
–
PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.8.0 |
nVidia ION | 3GB Ram
On 02/20/2012 11:46 PM, avrely wrote:
> rwxrwxrwx 1 root root 320096 Nov 6 20:28 /var/log/faillog*
i know there is a school of thought that goes like this:
-it is MY machine and i will look at, write to or execute anything i want!
-so, if i wanna do chmod 777, i WILL!
which is all ok, but please make a good usable backup FIRST and be
prepared to restore from it, rather than ask for hours of help to
breathe life back into a self-murdered system…
on the other hand, i’ve never found a valid need to do chmod 777
–
DD http://tinyurl.com/DD-Caveat
What does DistroWatch write about YOU?: http://tinyurl.com/SUSEonDW
On 2012-02-21 10:55, Martin Helm wrote:
> I think faillog is deprecated (have no authoritative link for that but
> the faillog command which read /var/log/faillog does no longer exist for
> quite a while).
No, something is writing my faillog in my machine even now. It is dated Jan
20 here. But I intentionally tried to login with a false password and then
with a false identity, and the file was not updated. I don’t know who is
writing it.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2012-02-21 05:46, avrely wrote:
> But how do I use this log? How can i read it?
I said that I think it was done with acct. It is a package that you may
have, or not, installed, and it has several manuals. I suggest you read
them and find out if they say something.
Don’t think I don’t want to help. I read them a bit and did not find it, I
would need more time to make sure. So, as you are the person interested,
you read it
You can also try google /var/log/faillog: first hit points to a man faillog.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
Am 21.02.2012 13:08, schrieb Carlos E. R.:
> No, something is writing my faillog in my machine even now. It is dated Jan
> 20 here. But I intentionally tried to login with a false password and then
> with a false identity, and the file was not updated. I don’t know who is
> writing it.
>
You understood me wrong: I said the faillog COMMAND, which was used in
older versions to read /var/log/faillog, is no longer there! The
/var/log/faillog is, as far as I can see, written by pam_tally (not
pam_tally2, which uses /var/log/tallylog).
The newer /var/log/tallylog is not written unless you configure it, and I
also see on an 11.4 which is not an updated older version but was a fresh
install that faillog always remains at a size of 1 byte and does not
change when I intentionally perform a failed login.
So maybe you can simply read it with “pam_tally --user xxx” (which is
deprecated).
–
PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.8.0 |
nVidia ION | 3GB Ram
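Added example, not part of any post in this thread: a Python reader for a binary faillog, assuming the file uses the `struct faillog` record from shadow's faillog.h on x86_64 (32 bytes per UID slot; the thread itself never states the format), plus a check for the permission bits discussed above. `build_sample` and `mode_problems` are hypothetical helper names and the sample data is constructed.

```python
import stat
import struct
import sys

# Assumed record layout (struct faillog from shadow's faillog.h, x86_64 Linux):
#   short fail_cnt; short fail_max; char fail_line[12];
#   time_t fail_time; long fail_locktime;   -> 32 bytes, slot N belongs to UID N
REC = struct.Struct("<hh12sqq")

def parse_faillog(data):
    """Return {uid: record} for every UID slot that holds a failure entry."""
    records = {}
    for uid in range(len(data) // REC.size):
        cnt, maximum, line, when, lock = REC.unpack_from(data, uid * REC.size)
        if cnt == 0 and when == 0:
            continue  # never-used slot
        records[uid] = {
            "fail_cnt": cnt,
            "fail_max": maximum,
            "fail_line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "fail_time": when,
            "fail_locktime": lock,
        }
    return records

def mode_problems(mode):
    """List permission bits a root-only log such as faillog should not carry."""
    problems = []
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("executable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/other")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/other")
    return problems

def build_sample():
    """Constructed data: slots for UID 0..1000, 3 failures on tty1 for UID 1000."""
    data = bytearray(REC.size * 1001)
    REC.pack_into(data, 1000 * REC.size, 3, 0, b"tty1", 1329825600, 0)
    return bytes(data)

if __name__ == "__main__":
    # With a path argument, read that file (as root); otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for uid, rec in parse_faillog(data).items():
        print(uid, rec)
    print(mode_problems(0o777), mode_problems(0o600))
```

Both file sizes shown in the thread, 320096 and 64096 bytes, are exact multiples of the 32-byte record, which is consistent with this layout.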
On 2012-02-21 13:54, Martin Helm wrote:
> You understand me wrong I said the faillog COMMAND is no longer there
> which was used in older versions to read /var/log/faillog! The
> /var/log/faillog is as far as I can see written by pam_tally (not
> pam_tally2 which uses /var/log/tallylog).
Telcontar:~ # l /var/log/faillog
-rw------- 1 root root 64096 Jan 20 02:09 /var/log/faillog
Telcontar:~ # l /var/log/tallylog
-rw------- 1 root root 0 Jun 8 2011 /var/log/tallylog
Somebody writes faillog with I have no idea what information.
> The newer /var/log/tallylog is not written unless you configure it and I
> also see on a 11.4 which is not an updated older version but was a fresh
> install that faillog always remains at a size of 1 byte and does not
> change when I intentionally perform a failed login.
>
> So maybe you can simply read it with “pam_tally --user xxx” (which is
> deprecated).
Telcontar:~ # pam_tally --user cer
pam_tally is deprecated and pam_tally2 should be used instead
User cer (1000) has 0
Telcontar:~ # pam_tally2 --user cer
Login Failures Latest failure From
cer 0
Telcontar:~ #
which is not true, there are failed logins.
Maybe pam is misconfigured in my system.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
Am 21.02.2012 14:08, schrieb Carlos E. R.:
>
> Telcontar:~ # l /var/log/faillog
> -rw------- 1 root root 64096 Jan 20 02:09 /var/log/faillog
> Telcontar:~ # l /var/log/tallylog
> -rw------- 1 root root 0 Jun 8 2011 /var/log/tallylog
>
>
> Somebody writes faillog with I have no idea what information.
Is this an updated system? On my machine faillog always has 1 byte, no
change at all.
> Telcontar:~ # pam_tally --user cer
>
> pam_tally is deprecated and pam_tally2 should be used instead
>
> User cer (1000) has 0
Can you try
pam_tally --file /var/log/faillog --user cer
?
--
PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.8.0 |
nVidia ION | 3GB Ram
On 2012-02-21 14:38, Martin Helm wrote:
> Am 21.02.2012 14:08, schrieb Carlos E. R.:
>> Somebody writes faillog with I have no idea what information.
> Is this an updated system on my machine faillog has always 1 byte, no
> change at all.
Yep, upgraded system.
> Can you try
>
> pam_tally --file /var/log/faillog --user cer
>
> ?
Same result.
Telcontar:~ # pam_tally --file /var/log/faillog --user cer
pam_tally is deprecated and pam_tally2 should be used instead
User cer (1000) has 0
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
Hm…:\
m1140:~ # pam_tally
pam_tally is deprecated and pam_tally2 should be used instead
m1140:~ # pam_tally2
pam_tally2: No such file or directory
On 2012-02-21 23:16, avrely wrote:
> Code:
> --------------------
> m1140:~ # pam_tally
>
> pam_tally is deprecated and pam_tally2 should be used instead
>
> m1140:~ # pam_tally2
> pam_tally2: No such file or directory
> --------------------
Strange. It comes in the “pam” package.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)