Bashscripts.org

Hello all,

An unsuccessful login via a tty by a known user and an unknown user will generate an almost exact line in /var/log/secure with the exception of the last field. To see this specifically do Ctrl-Alt-F2, for example. Now login with a known user and log out. Next attempt a login with a bogus user name which fails. Go back to your GUI enviroment (Ctrl-Alt-F7) and then tail /var/log/secure. For the known user the last field will be "user=some_name_here". The unknown user will not have a "user=" field.

How do I capture the two via different variables in bash?

For example:
KNOWN_USER=`syntax that finds the user= field.`
echo There is a user= field and the user is mmouse.

UNKNOWN_USER=`syntax that does NOT find the user= field`
echo There is NO user= field and an unknown user tried to login.

If been exploring using sed to grab (or not grab) that last field, but haven't hit upon the right syntax yet.

If some of you better scripters have ideas it would be super to hear from you.

Thanks.

Hi Geelsu!

The output in my current /var/log/secure doesn't seem to match what you're describing. Could you maybe give us a couple of sample lines, with a known and an unknown user?

Here's an example that may help. First, my log entries look like this:


We *could* just go by the 'invalid user' pattern, but it looks like I get two of those per attempt. Invalid users on my system always produce a line with 'input_userauth_request: invalid user username', so we can get the bad user this way:


While valid users produce an 'Accepted password' line that we can use:


I hope this helps! If you have a few lines from that log we can probably give you a more specific example.

-J

Hi Jeo,

You seem to be gaining access via ssh. My access is via the runlevel 5 GUI such as GNOME or KDE.

From /var/log/secure.

Here is what you get with a valid user.
Jan 7 09:01:07 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=george

Here is what you get with an INVALID user:
Jan 7 09:01:15 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=


There are other entries in /var/log/secure that show the name of the INVALID user, but this is the only one that shows what tty the attempt was made on. That is why I am trying to capture that line so I can grab the specific tty info. But I don't want to grab the line that shows george because I am a valid user.

Oh, I see... Sorry, working with servers all day gets me stuck in no-X mode

So I think I'm seeing what you're seeing now. Is the tty what you're looking for specifically? I'm not sure how consistent the output is, and if it's a really busy system (lots of users logging in and out) then there might be lines interspersed between which would make this less accurate, but you could try something like this (disclaimer: this might be ugly... I absolutely love awk, but I don't use it like this very often!):



That ought to at least get you started. I hope it helps!