For auditing purposes - is there a way to find failed login attempts on a Catalina or BigSur machine? It looks like there used to be, but no longer works as that info is now being hidden.
Question
Finding Failed Login Attempts
+8
+17Not sure if you're looking for failed attempts for a specific user, but maybe this would help:
dscl . readpl /Users/$user accountPolicyData failedLoginCount | sed 's/failedLoginCount://'+8Not sure if you're looking for failed attempts for a specific user, but maybe this would help:
dscl . readpl /Users/$user accountPolicyData failedLoginCount | sed 's/failedLoginCount://'JAMF Support found the following command, which seems to work, however shows the username as "<Private>":
“log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d”
They said using sudo would unmask the <private> tags and show the usernames, but that did not work for me on my BigSur 11.6 test Mac.
However, I found a .mobileconfig file that uncloaked the usernames from the point of adding it forward. It had no effect on past entries.:
https://georgegarside.com/blog/macos/sierra-console-private/
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.