Tracking account lockouts and permission denied
Steve Grubb
sgrubb at redhat.com
Wed Oct 1 20:25:39 UTC 2008
On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote:
> Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show
> when an account is locked out
This is hardwired into the pam_talley2 code. As long as its in your login
config and audit is enabled, you should get it.
> and when a user is denied permission to
> security relevant files such as /etc/shadow.
In RHEL4, you can get accesses to /etc/shadow via watches, but not just the
denied because of permission. aureport --file --failed would find them for
you.
You can also get all opens that failed due to permission denied. This would
include more than /etc/shadow, though.
RHEL5 and current upstream kernels do not have this limitation and can record
the permission denied access to security relevant files.
-Steve
More information about the Linux-audit
mailing list