Hello,
For a project I am working on, one of the requirements is to log the previous successful and unsuccessful logon so that users have a means to verify that their account has not been misused. The desired result would show something like this after logging on:
Last login: Mon Dec 10 12:56:13 2007 from mymachine.cust.com
Last failed login: Mon Dec 10 12:20:28 2007 from 193.12.23.8
The product used during the project is VMware ESX server 3.02 with update patch 1. Enabling the previous successful logon has been fairly simple by specifying the following option in /etc/login.defs:
LASTLOG_ENAB yes
After reading various (man) pages on the subject, I added the following lines to /etc/login.defs to enable displaying the previous failed login information:
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB yes
However, this did not yield the desired result.
Thinking that this information must be coming from somewhere, I researched various possibilities and found that one of the following sources would probably be used:
- /var/log/btmp
- /var/log/faillog
I set up /var/log/btmp by touch-ing it. This did not yield the desired result. The file remained empty and no bad login information was displayed at logon time. After that, I modified /etc/pam.d/system-auth and added the following lines to enable logging to /var/log/faillog:
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root
auth required /lib/security/$ISA/pam_tally.so no_magic_root
Although faillog now functioned correctly, the bad login information still was not displayed at login time. For example:
root@esxhost etc# faillog -u useraccount
Username Failures Maximum Latest
useraccount 1 0 Mon Dec 10 14:24:22 +0100 2007 on mymachine.cust.com
At this point I am clueless how to resolve this issue and would appreciate some suggestions.
Best regards,
Erwin
Tags: faillog_enab, lastlog_enab, pam_tally, faillog, btmp, vi3, hardening, security
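
Added example (not part of the original post, and not code from VMware, PAM or the shadow suite): a shell function that turns the `faillog -u` output shown in the post into the "Last failed login" banner line the post asks for. It assumes the column layout shown in the post; the function name `last_failed_banner` and the idea of calling it from a login profile script are assumptions. The origin field is filtered before printing because it can hold a hostname supplied from the remote side.

```shell
#!/bin/sh
# Assumed faillog -u layout (as shown in the post):
#   Username Failures Maximum <wday> <mon> <day> <time> <tz> <year> on <origin>

# last_failed_banner USER
# Reads faillog output on stdin and prints one banner line for USER.
# Prints nothing if USER has no row or the row carries no timestamp.
last_failed_banner() {
    awk -v user="$1" '
        NR == 1 && $1 == "Username" { next }   # skip the header row
        $1 != user                  { next }   # only the requested account
        # A usable row needs the time ($7) and year ($9) columns.
        NF < 9 || $7 !~ /^[0-9:]+$/ || $9 !~ /^[0-9]+$/ { exit }
        {
            line = "Last failed login: " $4 " " $5 " " $6 " " $7 " " $9
            if ($10 == "on" && NF >= 11) {
                origin = $11
                # Replace anything outside hostname/IP characters so a
                # crafted origin cannot send control sequences to the terminal.
                gsub(/[^A-Za-z0-9._:-]/, "?", origin)
                line = line " from " origin
            }
            print line
            exit
        }
    '
}

# Constructed sample input, copied from the faillog output in the post.
SAMPLE='Username Failures Maximum Latest
useraccount 1 0 Mon Dec 10 14:24:22 +0100 2007 on mymachine.cust.com'

printf '%s\n' "$SAMPLE" | last_failed_banner useraccount

# Assumed hook in a login profile script (hypothetical placement):
#   faillog -u "$LOGNAME" | last_failed_banner "$LOGNAME"
```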