/var/log/faillog

[lee]

Hi,

how come that failed logins aren't recorded in /var/log/faillog? The
file exists and is from July this year. When I run "faillog -a", it
lists entries like:


lee 0 0 01/01/70 01:00:00 +0100


There have been failed logins, though, and logging them is enabled in
/etc/login.defs. Interestingly, I can run "faillog -a" as ordinary user
and get the same results as when running it as root. That arises
privacy concerns. Is it supposed to be like this?


--
Debian testing amd64


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/878vctj...@yun.yagibdah.de

[Camaleón]

On Sat, 01 Sep 2012 15:47:15 +0200, lee wrote:

> how come that failed logins aren't recorded in /var/log/faillog?

I tend to review "/var/log/auth.log" for success/failed logins.

> The file exists and is from July this year. When I run "faillog -a", it
> lists entries like:
>
>
> lee 0 0 01/01/70 01:00:00 +0100

I get similar results. Maybe is that it needs to be configured first
somehow :-?

> There have been failed logins, though, and logging them is enabled in
> /etc/login.defs. Interestingly, I can run "faillog -a" as ordinary user
> and get the same results as when running it as root. That arises
> privacy concerns. Is it supposed to be like this?

Yes, it can lead to privacy concerns. You can change the file permissions
to be more conservative (read-write only by user-group which is set to
"root") when running over a multi-user system.

Greetings,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: http://lists.debian.org/k1td79$ko4$1...@ger.gmane.org

[Bob Proulx]

lee wrote:
> how come that failed logins aren't recorded in /var/log/faillog? The
> file exists and is from July this year. When I run "faillog -a", it
> lists entries like:

I haven't researched this in detail so take it as conjecture only
but... It seems likely because your system hasn't had any failed
logins from /bin/login since few people actually use /bin/login to log
into systems these days. Most people log in using ssh or xdm. Are
you logging in on the text console and failing? Or an attached serial
terminal? If not then /bin/login wouldn't have anything to log. If
you are only logging in with an xdm/gdm/kdm/lightdm display manager
then I don't see how /bin/login is involved. Just a thought...

> There have been failed logins, though, and logging them is enabled in
> /etc/login.defs. Interestingly, I can run "faillog -a" as ordinary user
> and get the same results as when running it as root. That arises
> privacy concerns. Is it supposed to be like this?

Supposedly this setting should protect you from exposing a password as
an account name. Supposedly only valid account names would be
displayed and that would prevent serious information leakage.

File /etc/login.defs has:

# Enable display of unknown usernames when login failures are
# recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no

Just some thoughts...

Bob

[roger21]

so do we all agree that faillog is not working?

recall :

faillog (part of the login package) should track failled login attempt
in a the binary file /var/log/faillog

/var/log/faillog is read with the faillog command :

faillog -a

or

faillog -u <user>

it doesn't report any fail and the last date is always epoch

--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: https://lists.debian.org/54C66170...@free.fr