Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Take iSight snapshots during invalid login attempts' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Take iSight snapshots during invalid login attempts
Authored by: steveonamac on Dec 12, '06 12:32:39PM

not being a shell person, this was in fact kinda difficult for me to get going. But i have a log showing now in Geektool that will record the invalid attempts, but no pictures in the folder. The log says

Tue Dec 12 13:01:27 2006 authsightd[1042] /var/log/authfail/steve_12_12_2006_13:1:27.jpg
Tue Dec 12 13:01:29 2006 authsightd[1042] CAPTURE ON [Time 2006.12.12 19:01:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user steve.] [Level 3] [UID -2] [GID -2] [Host Steves-iMac-G5-2]
Tue Dec 12 13:01:29 2006 authsightd[1042] /var/log/authfail/steve_12_12_2006_13:1:29.jpg

i see there is a path for the pics, but none there. Any thoughts?

Thanks!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: johnlunney on Dec 12, '06 01:35:31PM

I haven't tried this out, but I see colons in the path, that's never good.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: JohnnyMnemonic on Dec 12, '06 03:11:14PM

you probably will find that you need to add write permissions to that folder for people besides root. As it was moved into the /var/log directory, it appears to have inherited drwxr-xr-x; just "sudo chmod g+w /var/log/authfail', and then ls -al /var/log | grep authfail.

It should now say:
drwxrwxr-x 6 root wheel 204 Dec 12 14:07 authfail

OTOH, I would like to have this triggered by the presentation of the login box, not just a password attempt. In short, I'd like to see who's trying to wake my screen, not guess my password. Anyone know how to change the watcher to make this happen?

Thanks!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: superfly on Dec 12, '06 03:29:39PM

You can change the script to watch for "Showing Login Window" instead of "failed to authenticate user". That message appears when you log out, though, so you'll have lots of pictures.

Also, /var/log/secure.log is a lot easier to read than /var/log/asl.log.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: mr007 on Dec 12, '06 03:43:15PM

What about a combination of show login window and failed to authenticate user? I dont wanna have pictures of me all over the place as soon as i wake my MBP up from screensave mode, I just want shots of those who wake it up and try to gain access through the login window that pops up. Something similar to what Deskshade does with its log after the screen has been locked, but with pics!

Any ideas?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: superfly on Dec 12, '06 03:57:52PM

I'm not sure. My screen saver hardly ever gets used.

You could simulate someone trying to break in, and then see what's in the log files. If you can find messages that occur then, and not when you're just normally using the machine, you can change the script to watch for them.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: raider on Dec 12, '06 04:27:04PM

What you want is not actually a combination of failed login attempts and show login window - but instead the combination of show login window and LACK of successful login.

So take a picture whenever the show window occurs, but delete the picture if there is a successful login.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: bradfantin on Apr 12, '07 04:07:14PM

i got a way to make this work. i got a simple program to turn on invisable files. then i located var/logs/authfail and in that foler there were the pictures, only problem was youd have to view these under invisable files, witch are kinda confusing. a simple automator workflow can resolve this by geting finder items, and compying them to your desktop. this way when u log in run the workflow open up the copy of that invisable folder wiht the pics, and throw the copy away so no one gets any ideaas :P



[ Reply to This | # ]