
RHEL 8 has deprecated the pam_tally2 command. In earlier versions, the pam_tally command gave us the number of failures, e.g.

[root@Linux7 ~]# pam_tally2
Login           Failures Latest failure     From
testNG_Admin        2    08/21/19 04:58:57  /deve/pts/0

As pam_faillock has replaced pam_tally2, we would now like to use the faillock command.

But the issue is that the faillock command does not give a failure count; instead it gives all the details.

e.g.

[root@bsingh-vm4 ~]# faillock
a735c:
When                Type  Source                                           Valid
ajit:
When                Type  Source                                           Valid
2019-08-22 18:36:41 RHOST 172.18.252.88                                        V
2019-08-22 18:36:46 RHOST 172.18.252.88                                        V
2019-08-22 18:36:51 RHOST 172.18.252.88                                        V

Is there any way I can get the count using some command? e.g.

a735c  0
ajit  3

Thanks in advance!!!

Ajit


We have a ticket open with RedHat requesting the same. Here is the best I have come up with.

For our configuration, a user is locked when there are 5 failures.

On rhel8-instance, I have done > 5 failures for testNG_Admin; but faillock --user only reports the 5 that led to lockout, as below:

[myActiveUser@rhel8-instance ~]$ sudo faillock --user testNG_Admin
testNG_Admin:
When                Type  Source                                           Valid
2019-12-03 16:12:27 TTY   pts/0                                                V
2019-12-03 16:12:39 TTY   pts/0                                                V
2019-12-03 16:17:51 TTY   pts/0                                                V
2019-12-03 16:17:56 TTY   pts/0                                                V
2019-12-03 16:18:01 TTY   pts/0                                                V

I would like to know how many failures there have been since the user was reset (this is what pam_tally2 would provide), but I don't know how to accomplish this!

But we can get the total number of failures since the last successful login. First, let's get the time of the last successful login:

[myActiveUser@rhel8-instance ~]$ sudo lastlog --user testNG_Admin
Username         Port     From             Latest
testNG_Admin        pts/0                     Tue Dec  3 16:06:54 -0600 2019

Now, since failed logins are kept in /var/log/btmp, accessed via "lastb", we can use this, noting that the userid is truncated ("testNG_A"):

sudo lastb --since (YYYYMMDDhhmmss)

[myActiveUser@rhel8-instance ~]$ sudo lastb testNG_Admin --since 20191203160654
testNG_A pts/0                         Tue Dec  3 16:18 - 16:18  (00:00)
testNG_A pts/0                         Tue Dec  3 16:18 - 16:18  (00:00)
testNG_A pts/0                         Tue Dec  3 16:18 - 16:18  (00:00)
testNG_A pts/0                         Tue Dec  3 16:18 - 16:18  (00:00)
testNG_A pts/0                         Tue Dec  3 16:18 - 16:18  (00:00)
testNG_A pts/0                         Tue Dec  3 16:17 - 16:17  (00:00)
testNG_A pts/0                         Tue Dec  3 16:17 - 16:17  (00:00)
testNG_A pts/0                         Tue Dec  3 16:12 - 16:12  (00:00)
testNG_A pts/0                         Tue Dec  3 16:12 - 16:12  (00:00)

btmp begins Tue Dec  3 15:50:22 2019

[myActiveUser@rhel8-instance ~]$ sudo lastb testNG_Admin --since 20191203160654 | grep testNG_A | wc -l
9

So now we know there are 9 since the last successful login. But if we reset the account and a success does not happen, we still will not know the exact number of failures since the account was UNLOCKED, as pam_tally2 would show!

[myActiveUser@rhel8-instance ~]$ sudo faillock --user testNG_Admin --reset
[myActiveUser@rhel8-instance ~]$ sudo faillock --user testNG_Admin
testNG_Admin:
When                Type  Source                                           Valid

[myActiveUser@rhel8-instance ~]$ sudo lastlog --user testNG_Admin
Username         Port     From             Latest
testNG_Admin        pts/0                     Tue Dec  3 16:06:54 -0600 2019

[myActiveUser@rhel8-instance ~]$ su - testNG_Admin
Password:
Last login: Tue Dec  3 16:06:54 CST 2019 on pts/0
Last failed login: Tue Dec  3 16:18:27 CST 2019 on pts/0
There were 9 failed login attempts since the last successful login.

[testNG_Admin@rhel8-instance ~]$ exit
logout

[myActiveUser@rhel8-instance ~]$ sudo lastlog --user testNG_Admin
Username         Port     From             Latest
testNG_Admin        pts/0                     Tue Dec  3 16:23:30 -0600 2019

[myActiveUser@rhel8-instance ~]$ sudo lastb testNG_Admin --since 20191203162330

btmp begins Tue Dec  3 15:50:22 2019

[myActiveUser@rhel8-instance ~]$ sudo lastb testNG_Admin --since 20191203162330 | grep testNG_A| wc -l
0
  • If the tally log is in a folder other than /var/run/faillock/, then faillock --reset --user --dir= should be used to unlock a locked account – Vijay S B Sep 16 '22 at 13:22
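One way to get the "user count" listing the question asks for is to tally the records faillock itself prints, counting only rows whose Valid column is V (the ones pam_faillock counts toward lockout). This is an added shell example, not code from the asker or the answerer; the function names and the sample faillock output are constructed for it (the first sample mirrors the question's listing).

```shell
#!/bin/sh
# Added example: turn `faillock` output into a per-user count of records that
# currently count toward lockout (Valid = V).
# Live use on a RHEL 8 host:  sudo faillock | faillock_counts
# Hypothetical names: faillock_counts, count_for_user, SAMPLE_FAILLOCK, SAMPLE_STALE.

# Constructed sample in the format shown in the question (no host needed).
SAMPLE_FAILLOCK='a735c:
When                Type  Source                                           Valid
ajit:
When                Type  Source                                           Valid
2019-08-22 18:36:41 RHOST 172.18.252.88                                        V
2019-08-22 18:36:46 RHOST 172.18.252.88                                        V
2019-08-22 18:36:51 RHOST 172.18.252.88                                        V
'

# Constructed sample with a record flagged I: faillock no longer counts it
# toward lockout, so only the V row is tallied for this user.
SAMPLE_STALE='bob:
When                Type  Source                                           Valid
2019-08-22 17:00:00 RHOST 172.18.252.88                                        I
2019-08-22 18:40:00 TTY   pts/1                                                V
'

# faillock_counts: read faillock output on stdin, print "<user> <count>" per
# user in the order faillock listed them, with 0 for users with no V records.
faillock_counts() {
    awk '
        /^[^ ]+:$/ { user = substr($1, 1, length($1) - 1)
                     if (!(user in count)) { count[user] = 0; order[++n] = user }
                     next }
        /^When /   { next }
        NF > 0 && user != "" && $NF == "V" { count[user]++ }
        END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]] }
    '
}

# count_for_user USER: the count for one user from faillock output on stdin
# (an empty result means faillock listed no such user).
count_for_user() {
    faillock_counts | awk -v u="$1" '$1 == u { print $2 }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s' "$SAMPLE_FAILLOCK" | faillock_counts
printf '%s' "$SAMPLE_STALE" | count_for_user bob
```

As the answer observes, faillock --user only lists the records up to the lockout, so this count will not exceed the configured deny threshold.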