Lockout record
Steve M. Zak
smzak at faac.com
Thu Dec 2 22:46:42 UTC 2010
Hi Steve,
Thanks for the info! I do see the USER_AUTH events which I didn't know about so thanks.
I may have something mis-configured, but for instance in my pam.d/sshd file I have deny=5
I can see the 5 failed attempts as type=USER_AUTH with res=failed, but the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a message gets displayed to the user "Your account is locked. Maximum amount of failed attempts was reached."
Does a lock event get written to the audit.log on the 5th attempt? (I didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and Tech Support indicates that the lock happens at deny=n + 1, but it seems to happen at deny=n. The lock event seems to get recorded at deny=n + 1.
Thanks!
____________________________________________
Steve M. Zak
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Wednesday, December 01, 2010 4:17 PM
To: linux-audit at redhat.com
Cc: Steve M. Zak
Subject: Re: Lockout record
On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote:
> Does the audit system have a watch that will show account lockouts in
> real time?
You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the account is locked. Before that, the account is not locked. It is counting bad authentication attempts and sending USER_AUTH events as the user tries to login.
> The pam implementation doesn't write to the logs until after the deny=
> number has been exceeded.
Pam writes something every time. It sends 2 different events because a bad auth is not a lockout.
-Steve
More information about the Linux-audit
mailing list