ChinaUnix forum
Views: 3260 | Replies: 4
loginlog does not record failed login attempts as expected

1
Posted 2009-05-08 11:58
According to the comments in the system file, if SYSLOG_FAILED_LOGINS=0 is set in /etc/default/login, then every failed login attempt should be recorded by loginlog.
But when I telnet to this server from another system, the attempts are only recorded after I have typed a wrong password three times. In other words, the attempts are only logged once the RETRIES value has been reached.
Is that correct? If so, what is the point of SYSLOG_FAILED_LOGINS=0?

/etc/default/login
# RETRIES determines the number of failed logins that will be
# allowed before login exits.
#
RETRIES=3
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
SYSLOG_FAILED_LOGINS=0

Could some expert help me with this? Thanks in advance.

2
Posted 2009-05-08 13:41
0 and 1 are just an enable/disable switch; it has nothing to do with how many attempts.

3
Posted 2009-05-08 13:52
Quoting yoyosys, posted 2009-5-8 13:41:
0 and 1 are just an enable/disable switch; it has nothing to do with how many attempts.


Thanks for the reply above, but according to the explanation below, if the value is 0 it should record all login attempts. Enable and disable of what, exactly? loginlog?

if the variable is set to 0, login will log -all- failed login attempts.

4
Posted 2009-05-14 09:27
In my testing, neither authlog nor loginlog records failed dtlogin login messages.

I found a Sun solution that makes it possible to log dtlogin login messages.

Symptoms
For security reasons, I need to log the attempts and failures when users
login via dtlogin.  There doesn't seem to be a method to do this.


Resolution
Z55HM6D Internal ID use only.

It is possible to log dtlogin attempts using the syslog facility.

Make backup copies of the /etc/pam.conf and /etc/syslog.conf files.

Edit the /etc/pam.conf file.
Find the Account management section.
Add the word debug to the end of the login and dtlogin lines under
the Account management section (see "Additional Information" section
below).

# Account management
#
login   account required   /usr/lib/security/pam_unix.so.1 debug
dtlogin account required   /usr/lib/security/pam_unix.so.1 debug
#
other   account required        /usr/lib/security/pam_unix.so.1

Edit the /etc/syslog.conf file.

Add
        ;auth.debug;user.debug

to the line that defines logging to the /var/adm/messages.
Example, change:
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
so that it looks like:
*.err;kern.debug;daemon.notice;mail.crit;auth.debug;user.debug	/var/adm/messages

If you don't want the logging to be in /var/adm messages the
auth.debug;user.debug could be logged to another file by making
a new line in the syslog.conf file that looks like this:

auth.debug;user.debug                /var/adm/login_log


The results in either /var/adm/messages or /var/adm/login_log look like
this:

Nov  9 15:20:27 host dtlogin[733]: unix pam_sm_authenticate(dtlogin root), flags = 0
Nov  9 15:20:28 host dtlogin[733]: pam_authenticate: error Authentication failed
Nov  9 15:20:53 host dtlogin[733]: unix pam_sm_authenticate(dtlogin wintest), flags = 0
Nov  9 15:20:54 host dtlogin[733]: pam_authenticate: error Authentication failed
Nov  9 15:21:05 host dtlogin[733]: unix pam_sm_authenticate(dtlogin wintest), flags = 0
Nov  9 15:30:17 host dtlogin[1029]: unix pam_sm_authenticate(dtlogin root), flags = 0
Nov  9 15:30:19 host dtlogin[1029]: pam_authenticate: error Authentication failed

Note that the login at 15:21:05 was successful.

Additional Information
8M5JVD7 Internal ID use only.

With Solaris 8 patch 108993-14 (or higher) and Solaris 9 patch 113476-01
(or higher) the pam library pam_unix.so.1 was split in several libraries,
including pam_unix_auth.so.1.

The same keyword "debug" can be placed after the pam_unix_auth.so.1 entries
in /etc/pam.conf as shown above and SOME useful output is sent to syslogd
when users attempt to login incorrectly.  However, the messages are not the
same as described above.  If a non-existent user tries to login, a useful
message is provided, but if a real user gives the wrong password, the debug
message is less useful.

One alternative method involves the use of auditing.  With a few easy steps
auditing can be enabled to track all failed logins:

1. Add the login/logout flag to the /etc/security/audit_control
   as follows (- means track only unsuccessful attempts):

   flags:-lo

   See the audit_control(4) manpage for more details.

2. Run /etc/security/bsmconv

   See the bsmconv(1M) manpage for more details.

3. Reboot.

4. To view the logs run the command:

   # auditreduce|praudit

   See the praudit(1M) and auditreduce(1M) manpages for more details.


Another method involves turning on dtlogin debugging:

1. Edit the file /etc/init.d/dtlogin, change the line:

   /usr/dt/bin/dtlogin -daemon &

   to

   /usr/dt/bin/dtlogin -daemon -debug 16 > /tmp/dtlogin.log 2>&1 &

2. Restart dtlogin (or reboot).

3. View the log in /tmp/dtlogin.log

Product
Solaris
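The pam_unix debug output quoted in the Sun solution only makes sense when read per process: each attempt produces one pam_sm_authenticate line, and a separate "Authentication failed" line appears only when that attempt fails, which is why the article can say the 15:21:05 attempt succeeded. The following is an added example (it is not code from the Sun article or from anyone in this thread) that correlates the two line types by PID over the article's own sample lines, joined back onto single lines as syslogd writes them. The rule "no failure line after the attempt means success" and the output names are this example's assumptions; a log cut off mid-attempt would misclassify its last line.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the Sun solution above,
# each record on one line (the article wraps them for display).
SAMPLE_SYSLOG = """\
Nov  9 15:20:27 host dtlogin[733]: unix pam_sm_authenticate(dtlogin root), flags = 0
Nov  9 15:20:28 host dtlogin[733]: pam_authenticate: error Authentication failed
Nov  9 15:20:53 host dtlogin[733]: unix pam_sm_authenticate(dtlogin wintest), flags = 0
Nov  9 15:20:54 host dtlogin[733]: pam_authenticate: error Authentication failed
Nov  9 15:21:05 host dtlogin[733]: unix pam_sm_authenticate(dtlogin wintest), flags = 0
Nov  9 15:30:17 host dtlogin[1029]: unix pam_sm_authenticate(dtlogin root), flags = 0
Nov  9 15:30:19 host dtlogin[1029]: pam_authenticate: error Authentication failed
"""

# Classic syslog line: "Mon dd hh:mm:ss host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The pam_unix debug line names the PAM service and the user being checked.
AUTH_RE = re.compile(r"pam_sm_authenticate\((?P<service>\w+) (?P<user>\S+)\)")
FAIL_MARK = "pam_authenticate: error Authentication failed"


def parse_attempts(text):
    """Return one dict per authentication attempt with its inferred outcome.

    Assumption (matches the article's note): an attempt is 'failed' only if
    the next PAM message from the same PID is the failure line; an attempt
    with no failure line before the next attempt on that PID, or before the
    end of the log, is treated as 'success'.
    """
    pending = {}    # pid -> index in `attempts` of the attempt awaiting a verdict
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that are not syslog records
        pid, msg = m.group("pid"), m.group("msg")
        auth = AUTH_RE.search(msg)
        if auth:
            # A new attempt on this PID means the previous one never failed.
            if pid in pending:
                attempts[pending[pid]]["outcome"] = "success"
            attempts.append({
                "ts": m.group("ts"),
                "service": auth.group("service"),
                "user": auth.group("user"),
                "outcome": "unknown",
            })
            pending[pid] = len(attempts) - 1
        elif FAIL_MARK in msg and pid in pending:
            attempts[pending.pop(pid)]["outcome"] = "failed"
    # Attempts still open at end of log produced no failure line.
    for idx in pending.values():
        attempts[idx]["outcome"] = "success"
    return attempts


def failed_by_user(attempts):
    """Count failed attempts per user name, e.g. to spot password guessing."""
    counts = Counter(a["user"] for a in attempts if a["outcome"] == "failed")
    return dict(counts)


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_SYSLOG):
        print(a["ts"], a["service"], a["user"], a["outcome"])
    print(failed_by_user(parse_attempts(SAMPLE_SYSLOG)))
```

Run against /var/adm/messages (or /var/adm/login_log if you used the separate syslog.conf line) after adding `debug` to the pam.conf entries; the per-PID correlation is what turns the raw debug lines into a per-user failure count.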

5
Posted 2009-05-14 09:34
After testing, I personally think the following method is better:

1. Add the login/logout flag to the /etc/security/audit_control
   as follows (- means track only unsuccessful attempts):

   flags:-lo

   See the audit_control(4) manpage for more details.

2. Run /etc/security/bsmconv

   See the bsmconv(1M) manpage for more details.

3. Reboot.

4. To view the logs run the command:

   # auditreduce|praudit

   See the praudit(1M) and auditreduce(1M) manpages for more details.

Once this is set up, the dtlogin login information can be found:

# auditreduce|praudit
file,Thu May 14 07:50:13 GMT 2009, + 0 msec,
header,44,2,system booted,na,Thu May 14 07:50:13 GMT 2009, + 594 msec
text,booting kernel
header,86,2,su,,Thu May 14 07:55:31 GMT 2009, + 658 msec
subject,omcadmin,root,omc,omcadmin,omc,2257,610,574 65559 10.225.9.9
text,success for user root
return,success,0
header,81,2,login - local,,Thu May 14 07:59:34 GMT 2009, + 900 msec
subject,omcadmin,omcadmin,omc,omcadmin,omc,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
header,82,2,login - telnet,,Thu May 14 08:00:58 GMT 2009, + 887 msec
subject,-1,-1,-1,-1,-1,2738,2738,24 2 10.225.9.9
text,invalid user name
return,failure: No such process,-1
header,81,2,login - telnet,,Thu May 14 08:01:33 GMT 2009, + 691 msec
subject,asaadmin,asaadmin,omc,asaadmin,omc,2966,2966,24 2 10.225.9.9
text,invalid password
return,failure: Interrupted system call,-1
header,81,2,login - local,,Thu May 14 08:26:41 GMT 2009, + 32 msec
subject,omcread,omcread,omcread,omcread,omcread,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
file,Thu May 14 08:26:41 GMT 2009, + 0 msec,
#
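The praudit output above is one token per line (header, subject, text, return), so pulling failed logins out of it means grouping lines back into records first. The following is an added example (not code from the thread) that does this over the posted audit trail and reports failed logins per source host, with a simple threshold as a brute-force indicator. Field positions follow the praudit subject token (audit ID, uid, gid, ruid, rgid, pid, session ID, terminal ID with device numbers and host); the threshold and function names are this example's own choices.

```python
from collections import Counter

# Constructed sample: the auditreduce|praudit output posted above, unchanged.
SAMPLE_PRAUDIT = """\
file,Thu May 14 07:50:13 GMT 2009, + 0 msec,
header,44,2,system booted,na,Thu May 14 07:50:13 GMT 2009, + 594 msec
text,booting kernel
header,86,2,su,,Thu May 14 07:55:31 GMT 2009, + 658 msec
subject,omcadmin,root,omc,omcadmin,omc,2257,610,574 65559 10.225.9.9
text,success for user root
return,success,0
header,81,2,login - local,,Thu May 14 07:59:34 GMT 2009, + 900 msec
subject,omcadmin,omcadmin,omc,omcadmin,omc,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
header,82,2,login - telnet,,Thu May 14 08:00:58 GMT 2009, + 887 msec
subject,-1,-1,-1,-1,-1,2738,2738,24 2 10.225.9.9
text,invalid user name
return,failure: No such process,-1
header,81,2,login - telnet,,Thu May 14 08:01:33 GMT 2009, + 691 msec
subject,asaadmin,asaadmin,omc,asaadmin,omc,2966,2966,24 2 10.225.9.9
text,invalid password
return,failure: Interrupted system call,-1
header,81,2,login - local,,Thu May 14 08:26:41 GMT 2009, + 32 msec
subject,omcread,omcread,omcread,omcread,omcread,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
file,Thu May 14 08:26:41 GMT 2009, + 0 msec,
"""


def parse_praudit(text):
    """Group praudit token lines into records, one per 'header' token.

    A record runs from its 'header' line up to the next 'header'. 'file'
    tokens only mark trail boundaries and are skipped. The 'system booted'
    record has no subject or return, so those fields stay None.
    """
    records, cur = [], None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            if cur is not None:
                records.append(cur)
            cur = {"event": fields[3], "time": fields[5].strip(),
                   "subject": None, "text": [], "return": None}
        elif cur is None or tok == "file":
            continue
        elif tok == "subject":
            # subject,audit-id,uid,gid,ruid,rgid,pid,sid,"major minor host"
            tid = fields[8].split()
            cur["subject"] = {"audit_user": fields[1], "user": fields[2],
                              "pid": fields[6], "host": tid[-1] if tid else ""}
        elif tok == "text":
            cur["text"].append(",".join(fields[1:]))   # text may itself contain commas
        elif tok == "return":
            cur["return"] = fields[1]                  # "success" or "failure: <reason>"
    if cur is not None:
        records.append(cur)
    return records


def failed_logins(records):
    """Return (time, event, user, host, reason) for every failed login record.

    An audit ID of -1 means the supplied name matched no account, which is
    how 'invalid user name' attempts show up.
    """
    out = []
    for r in records:
        if not r["event"].startswith("login") or r["return"] is None:
            continue
        if r["return"].startswith("failure"):
            s = r["subject"] or {}
            out.append((r["time"], r["event"], s.get("audit_user", "?"),
                        s.get("host", ""), " ".join(r["text"])))
    return out


def failures_by_host(records, threshold=2):
    """Source hosts with at least `threshold` failed logins in the trail."""
    counts = Counter(host for _, _, _, host, _ in failed_logins(records))
    return {h: n for h, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_PRAUDIT)
    for f in failed_logins(recs):
        print(*f, sep=" | ")
    print(failures_by_host(recs))
```

With `flags:-lo` only unsuccessful login/logout events are recorded, so every login record in the trail is a failure by construction; the `return` check still matters once the flags are widened to `lo`, which would also record the successes.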