Finding Failed Logins in Solaris using C2 Log
In Linux you have lastb (last bad logins) to list failed logins. In Solaris you can record them with loginlog(4), but it is not turned on by default.
If your environment enables auditing (aka BSM - Basic Security Module, or C2), you can extract the login information from the audit trail. The default BSM configuration already audits login/logout events. With auditreduce you can extract the lo (login/logout) class from the audit log, and praudit turns the binary records into text. The one-liner below extracts those logins for one user from a given start time:
root@chihung# auditreduce -a 20101025000000 -u chihung \
    -c lo /var/audit/20101024164715.not_terminated.chihung | praudit -l
header,85,2,ftp access,,chihung7,2010-10-25 11:37:59.141+08:00,subject,chihung,chihung,chihung,root,root,4675,4675,633 131093 host1.chihung.chan,text,bad password,return,failure,1
header,69,2,login - ssh,,chihung4,2010-10-25 11:52:19.537+08:00,subject,chihung,chihung,chihung,chihung,chihung,157,4071257189,37622 host2.chihung.chan,return,failure,Maximum number of attempts exceeded
header,69,2,login - ssh,,chihung2,2010-10-25 11:52:43.658+08:00,subject,chihung,chihung,chihung,chihung,chihung,327,372387060,376131094 host3.chihung.chan,return,failure,Permission denied
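As an added example (not from the original post), the following sh/awk filter post-processes praudit -l output such as the above, keeping only records whose return token is failure and then counting failures per source host. It assumes the token layout visible in the records above (header, subject with the terminal id as "port host", optional text, return) and runs on a constructed sample that repeats those three records plus one more failure and one success.

```shell
#!/bin/sh
# Post-process 'praudit -l' output (one audit record per line) to list failed logins.
# Added example, not from the original post. Assumed token layout, as in the records
# above: header,<bytes>,<ver>,<event>,<modifier>,<audit host>,<timestamp>,subject,
# <audit-uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<port host>,[text,<msg>,]return,<status>,<detail>

# Constructed sample: the three failures shown above plus one more failure and one success.
SAMPLE='header,85,2,ftp access,,chihung7,2010-10-25 11:37:59.141+08:00,subject,chihung,chihung,chihung,root,root,4675,4675,633 131093 host1.chihung.chan,text,bad password,return,failure,1
header,69,2,login - ssh,,chihung4,2010-10-25 11:52:19.537+08:00,subject,chihung,chihung,chihung,chihung,chihung,157,4071257189,37622 host2.chihung.chan,return,failure,Maximum number of attempts exceeded
header,69,2,login - ssh,,chihung2,2010-10-25 11:52:43.658+08:00,subject,chihung,chihung,chihung,chihung,chihung,327,372387060,376131094 host3.chihung.chan,return,failure,Permission denied
header,69,2,login - ssh,,chihung2,2010-10-25 11:53:10.002+08:00,subject,chihung,chihung,chihung,chihung,chihung,340,372387060,376131094 host3.chihung.chan,return,failure,Permission denied
header,69,2,login - ssh,,chihung2,2010-10-25 11:54:02.417+08:00,subject,chihung,chihung,chihung,chihung,chihung,352,372387061,376131094 host3.chihung.chan,return,success,0'

# failed_logins: read praudit -l lines on stdin; print one tab-separated line per failed
# login: timestamp, event, audit user, source host, reason (text token, else return detail).
failed_logins() {
    awk -F, '
        $1 != "header" { next }          # skip anything that is not an audit record
        {
            event = $4; ts = $7; user = ""; host = ""; msg = ""; status = ""
            for (i = 8; i <= NF; i++) {
                if ($i == "subject" && i + 8 <= NF) {
                    user = $(i + 1)                                # audit user id
                    n = split($(i + 8), tid, " "); host = tid[n]   # terminal id: "port host"
                    i += 8
                } else if ($i == "text" && i + 1 <= NF) {
                    msg = $(i + 1); i++
                } else if ($i == "return" && i + 1 <= NF) {
                    status = $(i + 1)
                    if (msg == "" && i + 2 <= NF) msg = $(i + 2)
                    i += 2
                }
            }
            if (status == "failure") printf "%s\t%s\t%s\t%s\t%s\n", ts, event, user, host, msg
        }'
}

# count_failures_by_host: failures per source host as "count<TAB>host", highest first.
count_failures_by_host() {
    failed_logins | awk -F'\t' '{ c[$4]++ } END { for (h in c) printf "%d\t%s\n", c[h], h }' | sort -rn
}

printf '%s\n' "$SAMPLE" | failed_logins
printf '%s\n' "$SAMPLE" | count_failures_by_host
```

On a live system replace the sample with the auditreduce | praudit -l pipeline from the one-liner above; a host that climbs to the top of the count is the one to look at first.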