On Wednesday 07 January 2009 10:17:54 am Starr-Renee Corbin wrote:
> While the account lockout policy is set, I am unable to figure out the
> syntax for the watches to add to audit.rules that will show the account
> lockout event. I have to be able to do this for about 150 systems.

pam_tally2 is hardwired to send lockout events to the audit system. Use it
rather than pam_tally. They will be in the audit logs as ANOM_LOGIN_FAILURES
when the limit is reached, as RESP_ACCT_LOCK_TIMED for the actual locking of
the acct, and RESP_ACCT_UNLOCK_TIMED when the acct is unlocked due to time
expiration or admin action.
-Steve
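
The three record types named in the reply can be pulled out of raw audit records and turned into a per-account lock state, as in the following added example (not part of the original thread). The sample records are constructed, the function names are hypothetical, and the assumption that the `msg='...'` payload carries the affected account as `uid=<n>` is mine rather than the thread's.

```python
import re
from datetime import datetime, timezone

# The three record types named in the reply above.
LOCKOUT_TYPES = {"ANOM_LOGIN_FAILURES", "RESP_ACCT_LOCK_TIMED", "RESP_ACCT_UNLOCK_TIMED"}
# Raw record: type=<TYPE> msg=audit(<epoch>:<serial>): ... msg='<payload>'
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):.*?msg='(.*)'")
# Assumption: the payload names the affected account as "uid=<n>".
UID_RE = re.compile(r"\buid=(\d+)")

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1231341400.101:880): user pid=4021 uid=0 auid=4294967295 msg='PAM: authentication acct="alice" : exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=ssh res=failed)'
type=ANOM_LOGIN_FAILURES msg=audit(1231341474.220:881): user pid=4021 uid=0 auid=4294967295 msg='pam_tally2 uid=500 : exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=success)'
type=RESP_ACCT_LOCK_TIMED msg=audit(1231341474.221:882): user pid=4021 uid=0 auid=4294967295 msg='pam_tally2 uid=500 : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=?, terminal=ssh res=success)'
type=RESP_ACCT_UNLOCK_TIMED msg=audit(1231342374.500:901): user pid=4102 uid=0 auid=4294967295 msg='pam_tally2 uid=500 : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=?, terminal=ssh res=success)'
type=ANOM_LOGIN_FAILURES msg=audit(1231343000.010:930): user pid=4188 uid=0 auid=4294967295 msg='pam_tally2 uid=501 : exe="/bin/login" (hostname=?, addr=?, terminal=? res=success)'
type=RESP_ACCT_LOCK_TIMED msg=audit(1231343000.011:931): user pid=4188 uid=0 auid=4294967295 msg='pam_tally2 uid=501 : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

def lockout_events(lines):
    """Yield (epoch, serial, record_type, target_uid) for lockout-related records."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m or m.group(1) not in LOCKOUT_TYPES:
            continue
        uid = UID_RE.search(m.group(4))  # search the payload, not the outer uid=0
        yield float(m.group(2)), int(m.group(3)), m.group(1), int(uid.group(1)) if uid else None

def still_locked(lines):
    """Return uids whose most recent lock record has no later unlock record."""
    locked = {}
    for _ts, _serial, rtype, uid in sorted(lockout_events(lines), key=lambda e: e[:2]):
        if uid is None or rtype == "ANOM_LOGIN_FAILURES":
            continue
        locked[uid] = (rtype == "RESP_ACCT_LOCK_TIMED")
    return sorted(u for u, is_locked in locked.items() if is_locked)

if __name__ == "__main__":
    records = SAMPLE_LOG.splitlines()
    for ts, serial, rtype, uid in lockout_events(records):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{when} serial={serial} {rtype} uid={uid}")
    print("still locked:", still_locked(records))
```

On a live host the same functions can read the output of `ausearch -m ANOM_LOGIN_FAILURES,RESP_ACCT_LOCK_TIMED,RESP_ACCT_UNLOCK_TIMED --raw` instead of the sample.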