Background
Here’s a script which will display the number of times "Failed to authenticate user" is found in the syslog during the last 24 hours, indicating a failed login attempt.
(Which I’m not saying is part of the Jamf 400 course, but I’m also not not saying is part of the Jamf 400 course.)
From man log
    log show
        Shows contents of the system log datastore, archive or a specific tracev3 file. If a file or archive is not specified, the system datastore will be shown. If it is from a future system version that log cannot understand, it exists with EX_DATAERR (65) and an error message. The output contains only default level messages unless --info and/or --debug are specified. The output does not contain signposts unless --signpost is specified.

        --last time[m|h|d] | boot
            Shows events that occurred within the given time relative to the end of the log archive, or beginning at the last boot contained within the log archive. Time may be specified as minutes, hours or days. Time is assumed in seconds unless specified. Example: "--last 2m" or "--last 3h"
Script
    #!/bin/bash

    # Extension Attribute to determine the number of failed login attempts during a specified duration
    # See: log help show

    searchDuration="24h" # [--last <num>[m|h|d] ]

    # Count only lines that begin with a timestamp, so that any header or notice
    # lines printed by log show are not counted as failed logins.
    failedLoginAttempts=$( /usr/bin/log show --last "${searchDuration}" --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' | /usr/bin/grep -c -E '^[0-9]{4}-[0-9]{2}-[0-9]{2} ' )

    echo "<result>$failedLoginAttempts</result>"

    exit 0
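The counting step in the script above, as an added example that is not part of the original post: it reads `log show --style syslog` text on stdin, counts only timestamped event lines, and tallies them per hour so that bursts stand out. The sample lines, the process name `exampled` and the user names after the message are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Input is `log show --style syslog`
# text on stdin; the sample below is constructed, not captured from a real Mac.

needle="Failed to authenticate user"

# Total events: a line counts only if it starts with a syslog-style timestamp
# and carries the message, so header and notice lines are skipped.
count_failed_auth() {
    awk -v needle="$needle" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / && index($0, needle) { n++ }
        END { print n + 0 }'
}

# Per-hour tally, printed as "YYYY-MM-DD HH count" in chronological order.
failed_auth_by_hour() {
    awk -v needle="$needle" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / && index($0, needle) {
            hour[$1 " " substr($2, 1, 2)]++
        }
        END { for (h in hour) print h, hour[h] }' | sort
}

# Constructed sample: two non-event lines followed by four event lines.
# "exampled" is a hypothetical process name.
sample_log() {
cat <<'EOF'
Filtering the log data using "eventMessage CONTAINS "Failed to authenticate user""
Timestamp                       (process)[PID]
2024-05-01 09:15:02.101234-0400  localhost exampled[311]: Failed to authenticate user alice
2024-05-01 09:15:09.552100-0400  localhost exampled[311]: Failed to authenticate user alice
2024-05-01 09:48:40.000412-0400  localhost exampled[311]: Failed to authenticate user bob
2024-05-01 14:02:11.730001-0400  localhost exampled[311]: Failed to authenticate user alice
EOF
}

# A raw line count includes the two non-event lines; the event count does not.
echo "raw line count: $(sample_log | wc -l | tr -d ' ')"
echo "event count:    $(sample_log | count_failed_auth)"
sample_log | failed_auth_by_hour
```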