On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote:
> Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show
> when an account is locked out
This is hardwired into the pam_tally2 code. As long as it's in your login 
config and audit is enabled, you should get it.
> and when a user is denied permission to
> security relevant files such as /etc/shadow.
In RHEL4, you can get accesses to /etc/shadow via watches, but not just those 
denied because of permission. aureport --file --failed would find them for 
you. 
You can also get all opens that failed due to permission denied. This would 
include more than /etc/shadow, though. 
RHEL5 and current upstream kernels do not have this limitation and can record 
the permission denied access to security relevant files.
-Steve
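
Added example, not part of the original message: because RHEL 4 records all accesses to a watched file rather than only the denied ones, this Python script post-filters audit.log records down to opens of /etc/shadow that failed with permission denied (exit=-13, EACCES). The sample records are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log layout (not from a real system).
# syscall=5 with arch=40000003 is open() on i386.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1222891124.101:4567): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe9a4 items=1 pid=2201 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1222891124.101:4567): name="/etc/shadow" flags=101 inode=98311 dev=03:02
type=SYSCALL msg=audit(1222891130.550:4568): arch=40000003 syscall=5 success=yes exit=3 a0=8051a20 items=1 pid=2210 auid=0 uid=0 comm="passwd" exe="/usr/bin/passwd"
type=PATH msg=audit(1222891130.550:4568): name="/etc/shadow" flags=101 inode=98311 dev=03:02
type=SYSCALL msg=audit(1222891142.007:4569): arch=40000003 syscall=5 success=no exit=-13 a0=bfffd110 items=1 pid=2233 auid=501 uid=501 comm="less" exe="/usr/bin/less"
type=PATH msg=audit(1222891142.007:4569): name="/var/log/messages" flags=101 inode=40112 dev=03:02
type=SYSCALL msg=audit(1222891150.300:4570): arch=40000003 syscall=5 success=no exit=-2 a0=bfffd110 items=1 pid=2240 auid=501 uid=501 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1222891150.300:4570): name="/etc/shadow.bak" flags=101 inode=0 dev=00:00
"""

EACCES = -13  # kernel return value for "permission denied"
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields["time"] = ts
        events[int(serial)][rtype] = fields
    return events

def denied_accesses(text, watched=("/etc/shadow",)):
    """Return (serial, path, auid, exe) for EACCES failures on watched paths."""
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        sc, path = recs.get("SYSCALL"), recs.get("PATH")
        if not sc or not path:
            continue  # need both halves of the event to decide
        denied = sc.get("success") == "no" and int(sc.get("exit", 0)) == EACCES
        if denied and path.get("name") in watched:
            hits.append((serial, path["name"], sc.get("auid"), sc.get("exe")))
    return hits

if __name__ == "__main__":
    for hit in denied_accesses(SAMPLE_LOG):
        print(hit)
```

Events that carry more than one PATH record keep only the last one here, and hex-encoded file names are not decoded.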