<div dir="ltr">its a binary, use faillock to read it in centos6.<div><br></div><div><br></div><div><div>[root@something: log]$ cat /etc/*release*</div><div>CentOS release 6.4 (Final)</div><div>LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch</div><div>cat: /etc/lsb-release.d: Is a directory</div><div>CentOS release 6.4 (Final)</div><div>CentOS release 6.4 (Final)</div><div>cpe:/o:centos:linux:6:GA</div><div><br></div><div>[root@somethingawesome : log]$ man faillock |cat</div><div>FAILLOCK(8) Linux-PAM Manual FAILLOCK(8)</div><div><br></div><div><br></div><div><br></div><div>NAME</div><div> faillock - Tool for displaying and modifying the authentication failure</div><div> record files</div><div><br></div><div>SYNOPSIS</div><div> faillock [--dir /path/to/tally-directory] [--user username] [--reset]</div><div><br></div><div>DESCRIPTION</div><div> The pam_faillock.so module maintains a list of failed authentication</div><div> attempts per user during a specified interval and locks the account in</div><div> case there were more than deny consecutive failed authentications. It</div><div> stores the failure records into per-user files in the tally directory.</div><div><br></div><div> The faillock command is an application which can be used to examine and</div><div> modify the contents of the the tally files. It can display the recent</div><div> failed authentication attempts of the username or clear the tally files</div><div> of all or individual usernames.</div><div><br></div><div>OPTIONS</div><div> --dir /path/to/tally-directory</div><div> The directory where the user files with the failure records are</div><div> kept. The default is /var/run/faillock.</div><div><br></div><div> --user username</div><div> The user whose failure records should be displayed or cleared.</div><div><br></div><div> --reset</div><div> Instead of displaying the user´s failure records, clear them.</div><div><br></div><div>FILES</div><div> /var/run/faillock/*</div><div> the files logging the authentication failures for users</div><div><br></div><div>SEE ALSO</div><div> pam_faillock(8), pam(8)</div><div><br></div><div>AUTHOR</div><div> faillock was written by Tomas Mraz.</div><div><br></div><div><br></div><div><br></div><div>Linux-PAM Manual 02/22/2013 FAILLOCK(8)</div><div>[root@openvpnhamaster.devdc : log]$ man pam_faillock |cat</div><div>PAM_FAILLOCK(8) Linux-PAM Manual PAM_FAILLOCK(8)</div><div><br></div><div><br></div><div>man pam_faillock |cat<br></div></div><div><br></div><div>for info on how to set it up.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 22, 2014 at 10:42 AM, leam hall <span dir="ltr"><<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Paul, what does "file /var/log/faillog" say? How about "strings<br>
/var/log/faillog"?<br>
<br>
Of course, it could have been a file that's held open but already removed.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On Mon, Sep 22, 2014 at 10:13 AM, Paul Cartwright<br>
<<a href="mailto:pbcartwright@gmail.com">pbcartwright@gmail.com</a>> wrote:<br>
> weird... I have a faillog, but it looks like a data file. when I try<br>
> more, it shows blanks..<br>
><br>
> ls -l /var/log/faillog<br>
> -rw------- 1 root root 32000 Sep 11 14:57 /var/log/faillog<br>
> pauls-server:/home/pbc # tail /var/log/faillog<br>
> pauls-server:/home/pbc #<br>
><br>
><br>
> tail shows nothing either..<br>
><br>
>> Never heard of a "faillog". There is secure and audit logs. /var/log/secure<br>
>> handles login attempts. If auditd is running, /var/log/audit/* handles all<br>
>> manner of access internal to the system (I.e. not web server access).<br>
>> Perhaps those are what was inferred.<br>
>> On Sep 22, 2014 9:43 AM, "Raj Wurttemberg" <<a href="mailto:rajaw@c64.us">rajaw@c64.us</a>> wrote:<br>
>><br>
>>> My Google-Fu must be running low this this morning...<br>
>>><br>
>>> What creates /var/log/faillog ? I have a RHCE 6.5 server and a security<br>
>>> auditor said that we should have a /var/log/faillog file. I have the<br>
>>> "pam_tally2" module loaded in the auth file "system-auth-ac" . The<br>
>>> pam_tally2 command does appear to give proper results as well.<br>
>>><br>
>>> Kind regards,<br>
>>> Raj Wurttemberg<br>
>>> <a href="mailto:rajaw@c64.us">rajaw@c64.us</a><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> Ale mailing list<br>
>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>>><br>
>> -------------- next part --------------<br>
>> An HTML attachment was scrubbed...<br>
>> URL: <<a href="http://mail.ale.org/pipermail/ale/attachments/20140922/cb52c48d/attachment.html" target="_blank">http://mail.ale.org/pipermail/ale/attachments/20140922/cb52c48d/attachment.html</a>><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Paul Cartwright<br>
> Registered Linux User #367800 and new counter #561587<br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
<br>
<br>
</div></div><span class="im HOEnZb">--<br>
Mind on a Mission<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><b><i>- Shawn Taaj</i></b><br>
</div>