Thanks Karen,
Yes that does seem to be the best solution.
Have a great day!
____________________________________________
Steve M. Zak,
-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu]
Sent: Friday, December 03, 2010 9:54 AM
To: Tomas Mraz; Steve M. Zak
Cc: linux-audit(a)redhat.com
Subject: RE: Lockout record
We solve this by setting deny=4 if we want to see lockout messages after the 5th failed
login.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Tomas Mraz
Sent: Friday, December 03, 2010 3:20 AM
To: Steve M. Zak
Cc: linux-audit(a)redhat.com
Subject: RE: Lockout record
On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote:
Hi Steve,
Thanks for the info! I do see the USER_AUTH events which I didn't know
about so thanks.
I may have something mis-configured, but for instance in my pam.d/sshd
file I have deny=5
I can see the 5 failed attempts as type=USER_AUTH with res=failed, but
the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a
message gets displayed to the user "Your account is locked. Maximum
amount of failed attempts was reached."
Does a lock event get written to the audit.log on the 5th attempt? (I
didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and
Tech Support indicates that the lock happens at deny=n + 1, but it
seems to happen at deny=n. The lock event seems to get recorded at
deny=n + 1.
You are right. The event is recorded only when the user attempts to log in after the
deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in
the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly
said - the module is called only before the authentication in case of failed
authentication.
And so it cannot record the lock event earlier than during another authentication attempt
for the user.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit