Security requirements acknowledging last successful/unsuccessful login CENTOS 6.x
I have a security requirement that directs me to show and acknowledge last successful login, last unsuccessful login, and number of unsuccessful logins since last successful login. I have pam_lastlog configured as a session control in system-auth. When I login, it does indeed show what I need it to show in the gdm greeter just before starting the session.
My problem is my requirement is for user acknowledgement of that message rather than just display and start session. Is there any way to capture the output and somehow write it to a file or pipe it to zenity? My hope was to put it in /etc/gdm/PreSession/Default. I have google searched until my eyes hurt without success, was hoping someone else out there has been there and done that. Thanks!
My problem is my requirement is for user acknowledgement of that message
Indeed. If the workstation is used by multiple users then any previous login may not be mine. Should that information be shown to me? And if you think it should be, on what grounds would you think I should acknowledge that?..
It's a DISA STIG requirement for the contracts we work on. It's more informational to the user; however, the section is quite specific about the user having to acknowledge both a warning banner and the lastlog information. Don't see much of a clean way to do it other than script it after the user logs in and pipe it to zenity unless someone has a better idea.
"a security requirement that directs me to show and acknowledge last successful login, last unsuccessful login, and number of unsuccessful logins since last successful login"
...refers only to the information of the user logging on. User 1 only sees the last successful login, last unsuccessful login, and number of unsuccessful logins of USER 1, not the last person (or all persons) to use the computer. This way if I have an account on a PC, but I have never logged into it, when I DO log into it, it will show me when I logged in last (should be never) or if anyone has attempted to log in as me and failed (last unsuccessful login & number of unsuccessful logins).
...refers only to the information of the user logging on. User 1 only sees the last successful login, last unsuccessful login, and number of unsuccessful logins of USER 1, not the last person (or all persons) to use the computer.
Indeed helpful, thanks!
Quote:
Originally Posted by cujo@apl
Don't see much of a clean way to do it other than script it after the user logs in and pipe it to zenity unless someone has a better idea.
I don't think you would want to do it any other way because then you've got an authenticated user you can show nfo about.
Code:
#!/bin/bash --
# Set debug mode when testing:
set -vxe
# Set default behaviour:
LANG=C; LC_ALL=C; export LANG LC_ALL
# Note this script will run as root user.
# Preflight checks: every tool we call must be on the PATH
for ITEM in last lastb head grep zenity; do
    which "${ITEM}" >/dev/null 2>&1 || exit 127
done
# Error out if the login name or the display is not set
[ ${#LOGNAME} -eq 0 ] && exit 127
[ ${#DISPLAY} -eq 0 ] && exit 127
# Values as-is: most recent wtmp (good) and btmp (bad) entry for this user
LAST_GOOD=$(/usr/bin/last -wain1 ${LOGNAME} 2>/dev/null|/usr/bin/head -1 2>/dev/null|/bin/grep "^${LOGNAME}" 2>/dev/null)
LAST_BAD=$(/usr/bin/lastb -wain1 ${LOGNAME} 2>/dev/null|/usr/bin/head -1 2>/dev/null|/bin/grep "^${LOGNAME}" 2>/dev/null)
# Every failed login recorded in btmp for this user
BAD_COUNT=$(/usr/bin/lastb ${LOGNAME} 2>/dev/null|/bin/grep -c "^${LOGNAME}[[:blank:]]" 2>/dev/null)
# User may only confirm :-]
/usr/bin/zenity --width=600 --ok-label=Confirm --title="Login nfo for ${LOGNAME}" --warning --text="${LAST_GOOD}\n${LAST_BAD}\nFailed logins for ${LOGNAME}: ${BAD_COUNT}"
exit 0
*Note you don't want PreSession but /etc/gdm/PostLogin/Default. If the script somehow doesn't work please post its debug mode output and we'll try to help.
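As an added example (not the script posted above and not part of the original thread): the third item in the quoted requirement is the number of failures since the last successful login, whereas a plain lastb | grep -c counts every failure ever recorded in btmp. The functions below compare the login timestamps from last -F and lastb -F to compute that figure, and build the text an acknowledgement dialog would show. Assumptions: GNU date (for date -d) and the -F full-timestamp output format of last/lastb; the sample last/lastb output is constructed.

```shell
#!/bin/bash
# Added example, not the script posted in the thread. Computes failed logins
# *since the last successful login* from `last -F` / `lastb -F` output.
# Assumptions: GNU date, and the -F output format of last/lastb.

# to_epoch "Mon Jan  8 09:15:02 2024" -> seconds since the epoch
to_epoch() {
    date -d "$1" +%s
}

# line_ts LINE: print the login timestamp ("Dow Mon DD HH:MM:SS YYYY") of one
# last/lastb -F line. The host column may be empty (console logins), so the
# fields are located by the day-of-week token rather than by fixed position.
line_ts() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) {
                print $i, $(i+1), $(i+2), $(i+3), $(i+4); exit
            }
    }'
}

# user_lines USER TEXT: only the entries for USER (drops "wtmp begins" etc.)
user_lines() {
    printf '%s\n' "$2" | grep "^$1[[:blank:]]" || true
}

# last_good_epoch USER LAST_OUTPUT: epoch of the most recent successful login,
# or 0 if the user never logged in (last prints the newest entry first).
last_good_epoch() {
    line=$(user_lines "$1" "$2" | head -n 1)
    if [ -n "$line" ]; then
        to_epoch "$(line_ts "$line")"
    else
        echo 0
    fi
}

# failed_since_last_good USER LAST_OUTPUT LASTB_OUTPUT
# Number of failed logins for USER recorded after the last successful login.
failed_since_last_good() {
    cutoff=$(last_good_epoch "$1" "$2")
    user_lines "$1" "$3" | while IFS= read -r l; do
        ts=$(line_ts "$l")
        if [ -n "$ts" ]; then to_epoch "$ts"; fi
    done | awk -v c="$cutoff" '$1 > c { n++ } END { print n + 0 }'
}

# login_report USER LAST_OUTPUT LASTB_OUTPUT: the text for the acknowledgement
# dialog, e.g. zenity --warning --ok-label=Confirm --text="$(login_report ...)".
login_report() {
    good=$(user_lines "$1" "$2" | head -n 1)
    bad=$(user_lines "$1" "$3" | head -n 1)
    printf 'Last successful login: %s\nLast failed login: %s\nFailed logins since last successful login: %s\n' \
        "${good:-never}" "${bad:-none}" "$(failed_since_last_good "$1" "$2" "$3")"
}

# Constructed sample output of `last -F -w` and `lastb -F -w` (newest first).
SAMPLE_LAST='alice    pts/0        192.0.2.10       Mon Jan  8 09:15:02 2024 - Mon Jan  8 10:00:00 2024  (00:44)
alice    tty1                          Fri Jan  5 08:00:00 2024 - Fri Jan  5 17:00:00 2024  (09:00)

wtmp begins Mon Jan  1 00:00:00 2024'
SAMPLE_LASTB='alice    ssh:notty    192.0.2.77       Mon Jan  8 11:02:13 2024 - Mon Jan  8 11:02:13 2024  (00:00)
alice    ssh:notty    192.0.2.77       Mon Jan  8 11:01:50 2024 - Mon Jan  8 11:01:50 2024  (00:00)
bob      ssh:notty    192.0.2.5        Mon Jan  8 11:05:00 2024 - Mon Jan  8 11:05:00 2024  (00:00)
alice    ssh:notty    192.0.2.77       Sun Jan  7 23:59:00 2024 - Sun Jan  7 23:59:00 2024  (00:00)

btmp begins Mon Jan  1 00:00:00 2024'

# Stand-alone demo. On a real host (run as root, e.g. from PostLogin) replace the
# samples with "$(last -F -w "$LOGNAME")" and "$(lastb -F -w "$LOGNAME")".
login_report alice "$SAMPLE_LAST" "$SAMPLE_LASTB"
```

With the sample data alice has three failures in btmp but only two after her last successful login at 09:15:02, so the report says 2; the posted grep -c approach would say 3. Comparing epoch seconds rather than the raw strings is what makes the cut-off correct across month and year boundaries.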
I did discover an odd twist last week, RHEL does this exactly with a popup that you have to click OK on using the default greeter and pam_lastlog. I haven't had a chance to explore the difference in the greeter setup yet. I'll post up if I find something.