Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!auspex!guy
From: guy@auspex.UUCP (Guy Harris)
Newsgroups: comp.unix.questions
Subject: Re: UNIX logging question.
Keywords: failed login password
Message-ID: <2719@auspex.UUCP>
Date: 15 Dec 89 22:40:38 GMT
References: <3259@hub.UUCP> <300@rulcvx.uucp> <1989Dec9.004940.29347@cunixf.cc.columbia.edu>
Reply-To: guy@auspex.auspex.com (Guy Harris)
Organization: Auspex Systems, Santa Clara
Lines: 44

>On BSD 4.3 based systems (I believe), such as SunOS 4.x and UMAX 4.3,
>failed logins, root logins, records of successful and failed su's are
>logged using syslog(3).

More precisely, the 4.3BSD "login" logs, through "syslog":

    EVENT                                       SEVERITY

    failed attempts to log in as "root"
    on a terminal not marked "secure"           "crit"

    *repeated* login failures on the same
    "session" with "login", regardless of
    account, where "repeated" means "5 or
    more in a row" (after which, it hangs
    the phone up)                               "crit" in 4.3BSD
                                                "err" in 4.3-tahoe

    successful logins on "dialup" lines
    (i.e., ones where the tty's file name
    ends with "d" and one character after
    the "d")                                    "info"

    successful root logins                      "notice"

and the 4.3BSD "su" logs:

    EVENT                                       SEVERITY

    failed "su"s to "root"                      "crit"

    successful "su"s to "root"                  "notice"

Successful "su"s to accounts other than "root", and individual failed
logins to any account, aren't logged at all.  (Presumably the intent for
the latter is to keep it from logging a message every time you transpose
two characters in your password or something like that.)

"Failed" logins are those where the account was valid, but either 1) the
password wasn't the right one or 2) the account was "root", the password
was valid, but the terminal wasn't marked "secure".

Vendors may change these.