Lockout record
Steve Grubb
sgrubb at redhat.com
Wed Dec 1 21:16:42 UTC 2010
On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote:
> Does the audit system have a watch that will show account lockouts in real
> time?
You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the
account is locked. Before that, the account is not locked. It is counting bad
authentication attempts and sending USER_AUTH events as the user tries to login.
> The pam implementation doesn't write to the logs until after the deny=
> number has been exceeded.
Pam writes something every time. It sends 2 different events because a bad auth is not
a lockout.
-Steve
More information about the Linux-audit
mailing list