auditing account lockouts

Steve Grubb sgrubb at redhat.com
Mon Oct 10 14:13:05 UTC 2011


On Monday, October 10, 2011 09:54:00 AM Steve M. Zak wrote:
> Hi,
> 
> Through experimentation and per Red Hat tech support when the deny=x switch
> is set in /etc/pam.d/login as below
> 
> auth       required     pam_tally2.so deny=5 onerr=fail
> 
> the lockout happens at 5 failed attempts, but the audit trail does not
> record it until the next try.

The man page says that the account lockout occurs when the tally _exceeds_ the deny 
parameter. To lock out on 5 failed attempts, use deny=4.

-Steve



