lee wrote:
> how come that failed logins aren't recorded in /var/log/faillog? The
> file exists and is from July this year. When I run "faillog -a", it
> lists entries like:

I haven't researched this in detail so take it as conjecture only but...

It seems likely because your system hasn't had any failed logins from /bin/login, since few people actually use /bin/login to log into systems these days. Most people log in using ssh or xdm. Are you logging in on the text console and failing? Or an attached serial terminal? If not, then /bin/login wouldn't have anything to log. If you are only logging in with an xdm/gdm/kdm/lightdm display manager, then I don't see how /bin/login is involved.

Just a thought...

> There have been failed logins, though, and logging them is enabled in
> /etc/login.defs. Interestingly, I can run "faillog -a" as ordinary user
> and get the same results as when running it as root. That raises
> privacy concerns. Is it supposed to be like this?

Supposedly this setting should protect you from exposing a password as an account name. Supposedly only valid account names would be displayed, and that would prevent serious information leakage. File /etc/login.defs has:

    # Enable display of unknown usernames when login failures are
    # recorded.
    #
    # WARNING: Unknown usernames may become world readable.
    # See #290803 and #298773 for details about how this could become a security
    # concern
    LOG_UNKFAIL_ENAB no

Just some thoughts...

Bob
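The two things the thread turns on, whether unknown usernames get written to faillog and whether the faillog itself is readable by everyone, can be checked in one place. The script below is an added example, not code from either poster; the function names and the parameterised paths are my own, so it can be pointed at constructed sample files or at the real /etc/login.defs and /var/log/faillog.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the LOG_UNKFAIL_ENAB
# setting and the permissions of the faillog database. Paths are parameters
# so the same functions run against sample files or the real system.

# Print the effective value of a login.defs key (last non-comment match wins),
# or "unset" if the key never appears uncommented.
login_defs_value() {
    # $1 = path to login.defs, $2 = key name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $1 == key && NF >= 2 { val = $2 }  # keep the last assignment
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Return 0 when the "other" read bit is set (world-readable), 1 otherwise.
world_readable() {
    # $1 = path; the first 10 characters of ls -l are the mode, e.g. -rw-r--r--
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Combine both checks into a single one-line verdict.
audit_faillog() {
    # $1 = login.defs path, $2 = faillog path
    unkfail=$(login_defs_value "$1" LOG_UNKFAIL_ENAB)
    if world_readable "$2"; then perm="world-readable"; else perm="restricted"; fi
    printf 'LOG_UNKFAIL_ENAB=%s faillog=%s\n' "$unkfail" "$perm"
}

# Stand-alone run against the real system paths when they exist.
if [ -r /etc/login.defs ] && [ -e /var/log/faillog ]; then
    audit_faillog /etc/login.defs /var/log/faillog
fi
```

A verdict of LOG_UNKFAIL_ENAB=yes together with faillog=world-readable is the combination the login.defs comment warns about; with LOG_UNKFAIL_ENAB unset, shadow's default applies, so check the documented default for your version.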