76

I am using a laptop. I was thinking of having this kind of support on my Ubuntu machine: when an incorrect password is entered, a picture is taken, later revealing who has been trying to gain access.

I have searched around and the only thing I have found is stuff to do this on Macs. Is it possible to write a script for Ubuntu to do the same?

If possible, then what is a script or software to make this happen?

gertvdijk
  • 69,427
twister_void
  • 5,934

2 Answers

65

Based on this post on the Ubuntuforums by BkkBonanza.

This is an approach using PAM and will work for all failed login attempts. Using SSH, a virtual terminal or via the regular login screen, it doesn't matter as everything is handled by PAM in the end.

  1. Install ffmpeg. We're going to use this as a command-line way of grabbing the webcam images. Update: ffmpeg is removed when you upgrade to Ubuntu 14.04. We can use avconv in place of ffmpeg in the script below. No need to install anything separately.

  2. Create a small script somewhere, e.g. /usr/local/bin/grabpicture with the following content:

     #!/bin/bash
     ts=`date +%s`
     ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 /tmp/vid-$ts.%01d.jpg
     exit 0  #important - has to exit with status 0
    

    Replace /dev/video0 with the actual video device of your webcam and choose a path where the pictures are saved - I just chose /tmp. In newer versions of Ubuntu use avconv instead of ffmpeg (sudo apt-get install libav-tools).

  3. Make it executable, e.g. chmod +x /usr/local/bin/grabpicture.

  4. Test it, by just calling it: /usr/local/bin/grabpicture. Check if you see files appearing in /tmp/vid....jpg.

  5. Configure PAM to call this on every failed attempt.

    Note: do this carefully - if this fails you'll not be able to gain access to your system again in a regular way.

    1. Open a terminal window with root access (sudo -i) and leave it open - just in case you screw up in the next steps.

    2. Open /etc/pam.d/common-auth in your favourite editor, e.g. by doing gksudo gedit /etc/pam.d/common-auth. Keep in mind for the following steps that order of lines in this file matters.

    3. Locate the line below. By default there's one line before the one with pam_deny.so. On my 12.04 system it looks like this:

        auth    [success=1 default=ignore]      pam_unix.so nullok_secure
      
    4. In this line change the success=1 to success=2 to have it skip our script on success. This is an important step. If you failed this step, see below how to recover (***).

    5. Right below there, add a new one to call the actual script:

        auth    [default=ignore]                pam_exec.so seteuid /usr/local/bin/grabpicture
      
    6. Save and close the file. No need to restart anything.

  6. Test it.

    1. In a new terminal window, as a regular user, try su -l username to log in as another user with username username (change to an actual one, of course). Deliberately enter the wrong password. Check if this results in a new picture.
    2. The same as above, but now enter the correct password. Check if you log in and it doesn't result in a picture being taken.
  7. If the tests have succeeded you can log out from your DE (Unity/KDE/...) and you should see the same when entering a wrong password from the login screen.

(***) How to recover the system if you messed with /etc/pam.d/common-auth file:

  • Reboot the computer.
  • At the GRUB boot menu, press "e" to edit.
  • Add the following to the line starting with "linux":

        init=/bin/sh

  • Mount the system with write access:

        mount -o remount,rw /

  • Edit the file and fix it:

        vi /etc/pam.d/common-auth

desgua
  • 33,215
gertvdijk
  • 69,427
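
A pre-flight check for steps 5.3 to 5.5 of the answer above, as an added example (not part of the original answer): it reads a common-auth style stack and confirms that the success=N jump on the pam_unix.so line lands just past pam_deny.so. The function names and the sample stack are constructed here, and the check assumes the single pam_unix.so layout quoted in the answer.

```bash
#!/bin/bash
# Added example: verify that the success=N jump on the pam_unix.so line
# lands on the line right after pam_deny.so.
# Exit status: 0 ok, 1 jump lands elsewhere (wrong N), 2 no pam_unix.so
# line with success=N found, 3 no pam_deny.so after it.
check_common_auth() {
    awk '
        $1 != "auth" { next }   # comments, blanks and @include are not jump targets
        !seen && /pam_unix\.so/ && match($0, /success=[0-9]+/) {
            skip = substr($0, RSTART + 8, RLENGTH - 8) + 0
            seen = 1
            next
        }
        seen { pos++; if (/pam_deny\.so/ && !deny) deny = pos }
        END {
            if (!seen) exit 2
            if (!deny) exit 3
            exit ((skip == deny) ? 0 : 1)
        }
    ' "${1:--}"
}

# Constructed sample: the edited stack from the answer, with success=$1.
sample_stack() {
    printf 'auth\t[success=%s default=ignore]\tpam_unix.so nullok_secure\n' "$1"
    printf 'auth\t[default=ignore]\tpam_exec.so seteuid /usr/local/bin/grabpicture\n'
    printf 'auth\trequisite\tpam_deny.so\n'
    printf 'auth\trequired\tpam_permit.so\n'
}

# success=1 is what you get when step 5.4 is forgotten: a correct password
# then jumps onto pam_deny.so and the login is refused.
for n in 1 2; do
    if sample_stack "$n" | check_common_auth; then
        echo "success=$n: jump clears pam_deny.so"
    else
        echo "success=$n: a correct password would still be denied"
    fi
done
```

Against the live file, run check_common_auth /etc/pam.d/common-auth from the root terminal kept open in step 5.1, before closing it.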
1

Explanation

One way that enables you to run a command when an incorrect password is entered is to make use of the Authorization Log.

Authorization Log

The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users which prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd and so on. The Authorization Log file may be accessed at /var/log/auth.log. This log is useful for learning about user logins and usage of the sudo command.

More here on LinuxLogFiles

On a failed login attempt, a record will be appended to the /var/log/auth.log file and the last line will contain something like:

pam_unix(gdm-password:auth): authentication failure;

If you constantly monitor the file for modification and check if the last line contains the keyword failure with, for example, grep failure, then you know a failed login attempt has just occurred and you can run whatever command you want based on this action.


Solution

Change echo "failed login" in the scripts below to the command you wish to run upon a failed login.

You can monitor the last line of the /var/log/auth.log file with a script like this:

    #!/bin/bash

    # Poll the last line of auth.log once per second
    while true
    do
        sleep 1
        if (( $(tail -1 /var/log/auth.log | grep failure | wc -l) == 1 ))
        then
            echo "failed login"
            # Your command here
        fi
    done

Or even better, you can install inotify-tools and use inotifywait to monitor the file instead of the sleep 1 and the script will be like this:

    #!/bin/bash

    while inotifywait -q -e modify /var/log/auth.log >/dev/null
    do
        if (( $(tail -1 /var/log/auth.log | grep failure | wc -l) == 1 ))
        then
            echo "failed login"
            # Your command here
        fi
    done

inotify-tools can be installed with the following command:

sudo apt install inotify-tools

Implementation

To run this solution as a system service, please follow these steps:

  • Copy and paste the script code above (without echo "failed login", as I added this line for debugging purposes only) into a file in your home directory, name it TakePicture.sh and save the file.

  • Make the shell script file executable by running the following command in the terminal:

        chmod +x ~/TakePicture.sh

  • Create and edit a custom systemd service to run the shell script at boot by running the following command in the terminal:

        sudo nano /etc/systemd/system/TakePicture.service

  • Copy and paste the following code into the editor, replace USERNAME with your username and save it by pressing Ctrl + X, then Y, then Enter:

        [Unit]
        Description=Take Picture

        [Service]
        Type=oneshot
        ExecStart=/home/USERNAME/TakePicture.sh

        [Install]
        WantedBy=multi-user.target

  • Start the service by running the following command in the terminal:

        sudo systemctl start TakePicture

  • Enable the service by running the following command in the terminal:

        sudo systemctl enable TakePicture

Notice:

The Authorization Log will contain all sorts of failed logins or authentications (i.e. GDM, SSH, terminal user authentication, sudo, etc.).

If your aim is just to activate the script when an actual physical login happens (i.e. someone is sitting in front of your computer, using your keyboard and looking at your screen), then you need to change the above if statement to be like this:

if (( $(tail -1 /var/log/auth.log | grep gdm | grep failure | wc -l) == 1))

if GDM is your login manager. This way the script will only be triggered if an actual failed physical login happens.

Raffa
  • 34,963
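
The log check from the answer above as a stream filter, written as an added example (not the answer author's code): it reads every appended line instead of only the last one, because other records can land in auth.log right after the failure line, and it matches the pam_unix failure record for one PAM service rather than the bare word failure. The function names and the sample lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: print "service user" for each pam_unix authentication
# failure read from stdin. $1 (optional) keeps one PAM service only.
auth_failures() {
    want=$1
    while IFS= read -r line; do
        case $line in
            *'pam_unix('*':auth): authentication failure;'*) ;;
            *) continue ;;
        esac
        svc=${line#*pam_unix\(}        # text after "pam_unix("
        svc=${svc%%:auth\)*}           # cut at ":auth)" -> service name
        case $line in
            *' user='*) user=${line##* user=}; user=${user%% *} ;;
            *) user=- ;;               # record carries no user= field
        esac
        if [ -z "$want" ] || [ "$svc" = "$want" ]; then
            printf '%s %s\n' "$svc" "$user"
        fi
    done
}

# Constructed sample in the usual auth.log layout (not from a real system).
# The last line is not a failure, so a tail -1 check would see nothing.
sample_log() {
cat <<'EOF'
Mar  3 10:15:10 laptop sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Mar  3 10:15:30 laptop sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Mar  3 10:15:42 laptop gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
Mar  3 10:16:01 laptop CRON[2290]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# One action per failure; replace the echo with your command.
on_failures() {
    while read -r svc user; do
        echo "failed login via $svc for $user"
    done
}

sample_log | auth_failures gdm-password | on_failures
# Live use: tail -Fn0 /var/log/auth.log | auth_failures gdm-password | on_failures
```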