Lockout record

[Tomas Mraz]

On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: 
> Hi Steve,
> 
> Thanks for the info! I do see the USER_AUTH events which I didn't know
> about so thanks. 
> 
> I may have something mis-configured, but for instance in my pam.d/sshd
> file I have deny=5
> 
> I can see the 5 failed attempts as type=USER_AUTH with res=failed, but
> the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a
> message gets displayed to the user "Your account is locked. Maximum
> amount of failed attempts was reached."
> 
> Does a lock event get written to the audit.log on the 5th attempt? (I
> didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and
> Tech Support indicates that the lock happens at deny=n + 1, but it
> seems to happen at deny=n. The lock event seems to get recorded at
> deny=n + 1. 

You are right. The event is recorded only when the user attempts to log
in after the deny=n failed attempts already happened. This is caused by
the way pam_tally2 is set up in the PAM stack. The module cannot know if
the n-th attempt is failed or not or more exactly said - the module is
called only before the authentication in case of failed authentication.
And so it cannot record the lock event earlier than during another
authentication attempt for the user.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb