[ale] What creates /var/log/faillog ?
Raj Wurttemberg
rajaw at c64.us
Mon Sep 22 13:38:20 EDT 2014
Hey Chuck,
Actually, I don't have a /var/log/faillog file, and the security auditor says
that we should have the file. I was thinking that maybe an older pam_tally
module created that file.
Kind regards,
Raj
-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Chuck
Payne
Sent: Monday, September 22, 2014 11:56 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] What creates /var/log/faillog ?
Raj,
Do you have lsof installed? You got a lot of great answers from the guys, but
if you aren't sure what is writing a file, you have your good friend lsof to
the rescue. This is good to know in case you have to find a process or a service
you do not know.
Since you were wondering what wrote the log file, the first thing to do is see what
process might be writing the file:
lsof | grep /var/log/faillog
I am going to use the example with my firewall called tengu:
lsof | grep tengu
mysqld  2966  23380  mysql  71u  REG  8,6  151472  2364586  /var/lib/mysql/tengu/ips.MYD
mysqld  2966  23380  mysql  72u  REG  8,6    1024  2364588  /var/lib/mysql/tengu/whitelist.MYI
mysqld  2966  23380  mysql  73u  REG  8,6       0  2364589  /var/lib/mysql/tengu/whitelist.MYD
sh     11792         root   10r  REG  8,6   20964  7480015  /usr/local/bin/tengu
sh     11802         root   10r  REG  8,6   20964  7480015  /usr/local/bin/tengu
sh     21553         root   10r  REG  8,6   20964  7480015  /usr/local/bin/tengu
sh     21564         root   10r  REG  8,6   20964  7480015  /usr/local/bin/tengu
A breakdown of lsof:
1st column is the process running
2nd column is the pid
3rd column is the user
4th is FD
5th is Type
6th is Device where the server is running
7th is size/off
8th is Node
9th is the name of the file it is using
So I found an active pid, and I use lsof to show me what files and processes
are in use:
lsof -p 12197
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sh 12197 root cwd DIR 8,6 4096 7471772 /usr/local/bin
sh 12197 root rtd DIR 8,6 4096 2 /
sh 12197 root txt REG 8,6 106920 9699332 /bin/dash
sh 12197 root mem REG 8,6 1599536 6685394 /lib/x86_64-linux-gnu/libc-2.13.so
sh 12197 root mem REG 8,6 136936 6685389 /lib/x86_64-linux-gnu/ld-2.13.so
sh 12197 root 0u CHR 4,2 0t0 1043 /dev/tty2
sh 12197 root 1u CHR 4,2 0t0 1043 /dev/tty2
sh 12197 root 2u CHR 4,2 0t0 1043 /dev/tty2
sh 12197 root 10r REG 8,6 20964 7480015 /usr/local/bin/tengu
Again, lsof is great to see what might be writing and where the program that
is writing the log is. I know it's a bit much, but if Google is letting you down,
and you want to make sure it's not some script kiddie's script running on a
server, lsof is your Sherlock to find what is doing what.
On Mon, Sep 22, 2014 at 11:22 AM, Paul Cartwright <pbcartwright at gmail.com>
wrote:
> An HTML attachment was scrubbed...
> URL: <http://mail.ale.org/pipermail/ale/attachments/20140922/c08d072e/attachment.html>
--
Terror PUP a.k.a
Chuck "PUP" Payne
(678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Ambassador/openSUSE Member
skype, twitter, identica, friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363
Have you tried SUSE Studio? Need to create a Live CD, an app you want to
package and distribute, or create your own Linux distro? Give SUSE Studio a
try.
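The two things this thread turns on, reading lsof's columns to find the process holding a file open and finding out whether anything on the box is actually configured to keep /var/log/faillog, fit in a short POSIX sh script. The script below is an added example written for this page; it is not code from the list or from any poster. The lsof lines in it are constructed sample data in the nine-column layout Chuck breaks down (the extra TID column his mysqld lines carry is not handled), the function names are my own, and the PAM check relies on the fact that pam_tally's default counter file is /var/log/faillog (pam_tally2, which the grep also matches, writes /var/log/tallylog instead). The ROOT argument on the audit functions lets the same checks run against a scratch tree or a mounted image rather than only the live system.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from any poster).
# 1) holders_of: pick out of lsof-style output every process holding a path
#    open, using the header line to locate the columns Chuck describes.
# 2) faillog_status / pam_tally_refs: read-only audit of whether the faillog
#    file exists and which PAM config files load pam_tally, the module whose
#    default counter file is /var/log/faillog.

# Constructed sample of lsof output (not a capture from a real host).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
login 4120 root 4w REG 8,6 32768 1310723 /var/log/faillog
sh 12197 root 10r REG 8,6 20964 7480015 /usr/local/bin/tengu
mysqld 2966 mysql 71u REG 8,6 151472 2364586 /var/lib/mysql/tengu/ips.MYD'

# holders_of PATH: print "PID COMMAND USER MODE" for each record whose NAME
# equals PATH. MODE is taken from the FD column suffix (r/w/u): only "write"
# and "read/write" holders can be the ones filling the file.
holders_of() {
    printf '%s\n' "$SAMPLE_LSOF" | awk -v p="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $NF == p {
            fd = $col["FD"]
            m = substr(fd, length(fd), 1)
            mode = (m == "w" ? "write" : (m == "u" ? "read/write" : "read"))
            print $col["PID"], $col["COMMAND"], $col["USER"], mode
        }'
}

# faillog_status ROOT: "present" or "missing" for ROOT/var/log/faillog.
# ROOT is a path prefix; pass "" for the live system.
faillog_status() {
    if [ -f "$1/var/log/faillog" ]; then echo present; else echo missing; fi
}

# pam_tally_refs ROOT: list files under ROOT/etc/pam.d that reference
# pam_tally (pam_tally2 matches too). No output means no part of the PAM
# stack is configured to count failures into a tally file at all.
pam_tally_refs() {
    find "$1/etc/pam.d" -type f -exec grep -l 'pam_tally' {} + 2>/dev/null | sort
}

# Stand-alone run: sample data for lsof, live system for the audit.
echo "Processes holding /var/log/faillog open (sample data):"
holders_of /var/log/faillog
echo "/var/log/faillog on this host: $(faillog_status "")"
echo "PAM config files referencing pam_tally:"
pam_tally_refs ""
```

On a host where the file is present, `faillog -a` (from shadow-utils) prints the per-user failure records; the file itself is a binary table indexed by UID, so `cat` shows nothing readable. On a system where neither lsof nor the PAM grep turns anything up, the absence of the file is the expected state rather than a misconfiguration, which is the finding to hand back to the auditor.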
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo