LinuxQuestions.org

Linux - Security: Security requirements acknowledging last successful/unsuccessful login CENTOS 6.x (https://www.linuxquestions.org/questions/linux-security-4/security-requirements-acknowledging-last-successful-unsuccessful-login-centos-6-x-4175514685/)

cujo@apl 08-13-2014 08:56 AM

Security requirements acknowledging last successful/unsuccessful login CENTOS 6.x
 
I have a security requirement that directs me to show and acknowledge last successful login, last unsuccessful login, and number of unsuccessful logins since last successful login. I have pam_lastlog configured as a session control in system-auth. When I login, it does indeed show what I need it to show in the gdm greeter just before starting the session.

My problem is my requirement is for user acknowledgement of that message rather than just display and start session. Is there any way to capture the output and somehow write it to a file or pipe it to zenity? My hope was to put it in /etc/gdm/PreSession/Default. I have google searched until my eyes hurt without success, was hoping someone else out there has been there and done that. Thanks!

unSpawn 08-14-2014 12:57 AM

Quote:

Originally Posted by cujo@apl (Post 5220397)
My problem is my requirement is for user acknowledgement of that message

Indeed. If the workstation is used by multiple users then any previous login may not be mine. Should that information be shown to me? And if you think it should be, on what grounds would you think I should acknowledge that?..

cujo@apl 08-14-2014 06:09 AM

It's a DISA STIG requirement for the contracts we work on. More informational to the user, however the section is quite specific about the user having to acknowledge both a warning banner and the lastlog information. Don't see much of a clean way to do it other than script it after the user logs in and pipe it to zenity unless someone has a better idea.

netnix99 08-14-2014 08:08 AM

Maybe this will help, unSpawn:

Quote:

"a security requirement that directs me to show and acknowledge last successful login, last unsuccessful login, and number of unsuccessful logins since last successful login"
...refers only to the information of the user logging on. User 1 only sees the last successful login, last unsuccessful login, and number of unsuccessful logins of USER 1, not the last person (or all persons) to use the computer. This way if I have an account on a PC, but I have never logged into it, when I DO log into it, it will show me when I logged in last (should be never) or if anyone has attempted to log in as me and failed (last unsuccessful login & number of unsuccessful logins).

HTH

cujo@apl 08-14-2014 08:47 AM

Ah, I missed the gist of unSpawn's question.

unSpawn 08-14-2014 04:58 PM

Quote:

Originally Posted by netnix99 (Post 5220952)
...refers only to the information of the user logging on. User 1 only sees the last successful login, last unsuccessful login, and number of unsuccessful logins of USER 1, not the last person (or all persons) to use the computer.

Indeed helpful, thanks!


Quote:

Originally Posted by cujo@apl (Post 5220911)
Don't see much of a clean way to do it other than script it after the user logs in and pipe it to zenity unless someone has a better idea.

I don't think you would want to do it any other way because then you've got an authenticated user you can show nfo about.

Code:

#!/bin/bash --
# Set debug mode when testing:
set -vxe
# Set default behaviour:
LANG=C; LC_ALL=C; export LANG LC_ALL
# Note this script will run as root user.
# Preflight checks
for ITEM in last lastb head grep zenity; do
 which "${ITEM}" >/dev/null 2>&1 || exit 127
done
# Error out on some
[ ${#LOGNAME} -eq 0 ] && exit 127
[ ${#DISPLAY} -eq 0 ] && exit 127
# Values as is. Because of 'set -e' a grep that matches nothing (e.g. a user's very
# first login, or no failed logins at all) would abort the script before the dialog
# is shown, so each lookup falls back to a default text. The trailing [[:blank:]]
# keeps user "bob" from also matching records of "bobby".
LAST_GOOD=$(/usr/bin/last -wain1 "${LOGNAME}" 2>/dev/null|/usr/bin/head -1 2>/dev/null|/bin/grep "^${LOGNAME}[[:blank:]]" 2>/dev/null) || LAST_GOOD="No previous successful login recorded for ${LOGNAME}"
LAST_BAD=$(/usr/bin/lastb -wain1 "${LOGNAME}" 2>/dev/null|/usr/bin/head -1 2>/dev/null|/bin/grep "^${LOGNAME}[[:blank:]]" 2>/dev/null) || LAST_BAD="No unsuccessful login recorded for ${LOGNAME}"
BAD_COUNT=$(/usr/bin/lastb "${LOGNAME}" 2>/dev/null|/bin/grep -c "^${LOGNAME}[[:blank:]]" 2>/dev/null) || BAD_COUNT=0
# User may only confirm :-]
/usr/bin/zenity --width=600 --ok-label=Confirm --title="Login nfo for ${LOGNAME}" --warning --text="${LAST_GOOD}\n${LAST_BAD}\nFailed logins for ${LOGNAME}: ${BAD_COUNT}"
exit 0

*Note you don't want PreSession but /etc/gdm/PostLogin/Default. If the script somehow doesn't work please post its debug mode output and we'll try to help.
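The script above counts every failed login held in btmp, while the requirement quoted in the first post asks for the number of failures since the last successful login. The following is an added example, not code from the thread: a POSIX sh helper that takes `last -aF` / `lastb -aF` output (`-a` puts the host last so the date fields sit at fixed positions, `-F` prints full dates including the year) and counts only failures newer than the last good login. The sample records are constructed, the user name and addresses in them are placeholders.

```shell
#!/bin/sh
# Turn one `last -aF` / `lastb -aF` record into a sortable "YYYY-MM-DD HH:MM:SS" key.
# Assumed field layout: USER TTY DOW MON DD HH:MM:SS YYYY ... (-a moves the host to the
# end of the line, so the date fields keep fixed positions even when the host is empty).
login_key() {
    printf '%s\n' "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == $4) mon = i
        printf "%04d-%02d-%02d %s\n", $7, mon, $5, $6
    }'
}

# Count the lastb records that are newer than the most recent successful login.
#   $1    : the single record line from `last -aFn1 USER` ("" if the user never logged in,
#           in which case every recorded failure counts)
#   stdin : the output of `lastb -aF USER`
failed_since_last_success() {
    good_key=""
    [ -n "$1" ] && good_key=$(login_key "$1")
    count=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in "wtmp begins"*|"btmp begins"*) continue ;; esac   # file trailer
        if [ -z "$good_key" ] || [ "$(login_key "$line")" \> "$good_key" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample records (not captured from a real host), in -aF layout.
SAMPLE_GOOD='cujo     pts/0        Tue Aug 12 17:02:33 2014 - Tue Aug 12 18:10:01 2014  (01:07)     192.0.2.10'
SAMPLE_BAD='cujo     ssh:notty    Mon Aug 11 09:15:40 2014 - Mon Aug 11 09:15:40 2014  (00:00)     192.0.2.77
cujo     ssh:notty    Wed Aug 13 08:40:02 2014 - Wed Aug 13 08:40:02 2014  (00:00)     192.0.2.77
cujo     ssh:notty    Wed Aug 13 08:41:15 2014 - Wed Aug 13 08:41:15 2014  (00:00)     192.0.2.77

btmp begins Fri Aug  1 00:00:01 2014'

# Failures since the Aug 12 login: the two Aug 13 attempts, not the Aug 11 one.
demo() {
    printf '%s\n' "$SAMPLE_BAD" | failed_since_last_success "$SAMPLE_GOOD"
}
demo
```

In the PostLogin script this would replace the BAD_COUNT line with `lastb -aF "${LOGNAME}" | failed_since_last_success "$(last -aFn1 "${LOGNAME}" | head -1)"`. Check first whether the session being started already shows up in `last` at the point PostLogin runs, since that decides whether -n1 or -n2 holds the previous login.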

cujo@apl 08-18-2014 08:05 AM

Thanks, I'll give that a try.

I did discover an odd twist last week, RHEL does this exactly with a popup that you have to click OK on using the default greeter and pam_lastlog. I haven't had a chance to explore the difference in the greeter setup yet. I'll post up if I find something.

unSpawn 08-18-2014 05:01 PM

Quote:

Originally Posted by cujo@apl (Post 5222990)
I did discover an odd twist last week, RHEL does this exactly with a popup that you have to click OK on using the default greeter and pam_lastlog. I haven't had a chance to explore the difference in the greeter setup yet. I'll post up if I find something.

Please do! Sounds interesting.

mijohnst 02-10-2015 12:22 AM

Hey cujo@apl, I'm coming up on the exact same need and wondered if you figured this out. Your input would be much appreciated.

