Account Lockouts
Steve Grubb
sgrubb at redhat.com
Wed Jan 7 15:25:27 UTC 2009
On Wednesday 07 January 2009 10:17:54 am Starr-Renee Corbin wrote:
> While the account lockout policy is set, I am unable to figure out the
> syntax for the watches to add to audit.rules that will show the account
> lockout event. I have to be able to do this for about 150 systems.
pam_tally2 is hardwired to send lockout events to the audit system. Use it
rather than pam_tally. They will be in the audit logs as ANOM_LOGIN_FAILURES
when the limit is reached, as RESP_ACCT_LOCK_TIMED for the actual locking of
the acct, and RESP_ACCT_UNLOCK_TIMED when the acct is unlocked due to time
expiration or admin action.
-Steve
More information about the Linux-audit
mailing list