On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote:
Does the audit system have a watch that will show account lockouts in
real
time?
You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the
account is locked. Before that, the account is not locked. It is counting bad
authentication attempts and sending USER_AUTH events as the user tries to login.
The pam implementation doesn't write to the logs until after the
deny=
number has been exceeded.
Pam writes something every time. It sends 2 different events because a bad auth is not
a lockout.
-Steve