<?xml version="1.0" encoding="UTF-8"?> <refentry id='faillog.8'> <!-- $Id$ --> <refmeta> <refentrytitle>faillog</refentrytitle> <manvolnum>8</manvolnum> <refmiscinfo class="sectdesc">System Management Commands</refmiscinfo> </refmeta> <refnamediv id='name'> <refname>faillog</refname> <refpurpose>display faillog records or set login failure limits</refpurpose> </refnamediv> <refsynopsisdiv id='synopsis'> <cmdsynopsis> <command>faillog</command> <arg choice='opt'> <replaceable>options</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> <refsect1 id='description'> <title>DESCRIPTION</title> <para> <command>faillog</command> formats the contents of the failure log from <filename>/var/log/faillog</filename> database. It also can be used for maintains failure counters and limits. Run <command>faillog</command> without arguments display only list of user faillog records who have ever had a login failure. </para> </refsect1> <refsect1 id='options'> <title>OPTIONS</title> <para> The options which apply to the <command>faillog</command> command are: </para> <variablelist remap='IP'> <varlistentry> <term><option>-a</option>, <option>--all</option></term> <listitem> <para>Display faillog records for all users.</para> </listitem> </varlistentry> <varlistentry> <term><option>-h</option>, <option>--help</option></term> <listitem> <para>Display help message and exit.</para> </listitem> </varlistentry> <varlistentry> <term> <option>-l</option>, <option>--lock-time</option> <replaceable>SEC</replaceable> </term> <listitem> <para> Lock account to <replaceable>SEC</replaceable> seconds after failed login. </para> </listitem> </varlistentry> <varlistentry> <term> <option>-m</option>, <option>--maximum</option> <replaceable>MAX</replaceable> </term> <listitem> <para> Set maximum number of login failures after the account is disabled to <replaceable>MAX</replaceable>. Selecting <replaceable>MAX</replaceable> value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for <emphasis>root</emphasis> to prevent a denial of services attack against the system. </para> </listitem> </varlistentry> <varlistentry> <term><option>-r</option>, <option>--reset</option></term> <listitem> <para> Reset the counters of login failures or one record if used with the <option>-u</option> <replaceable>LOGIN</replaceable> option. Write access to <filename>/var/log/faillog</filename> is required for this option. </para> </listitem> </varlistentry> <varlistentry> <term><option>-t</option>, <option>--time</option> <replaceable>DAYS</replaceable> </term> <listitem> <para> Display faillog records more recent than <replaceable>DAYS</replaceable>. The <option>-t</option> flag overrides the use of <option>-u</option>. </para> </listitem> </varlistentry> <varlistentry> <term> <option>-u</option>, <option>--user</option> <replaceable>LOGIN</replaceable> </term> <listitem> <para> Display faillog record or maintains failure counters and limits (if used with <option>-l</option>, <option>-m</option> or <option>-r</option> options) only for user with <replaceable>LOGIN</replaceable>. </para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1 id='caveats'> <title>CAVEATS</title> <para> <command>faillog</command> only prints out users with no successful login since the last failure. To print out a user who has had a successful login since their last failure, you must explicitly request the user with the <option>-u</option> flag, or print out all users with the <option>-a</option> flag. </para> </refsect1> <refsect1 id='files'> <title>FILES</title> <variablelist> <varlistentry> <term><filename>/var/log/faillog</filename></term> <listitem> <para>Failure logging file.</para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1 id='see_also'> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>faillog</refentrytitle><manvolnum>5</manvolnum> </citerefentry>. </para> </refsect1> </refentry>