Re: Account Lockouts - Steve Grubb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Account Lockouts
Date: Wed, 7 Jan 2009 10:25:27 -0500	[thread overview]
Message-ID: <200901071025.28494.sgrubb@redhat.com> (raw)
In-Reply-To: <50311B90-F22F-47D7-992D-BF3669ECE227@arlut.utexas.edu>

On Wednesday 07 January 2009 10:17:54 am Starr-Renee Corbin wrote:
> While the account lockout policy is set, I am unable to figure out the
> syntax for the watches to add to audit.rules that will show the account
> lockout event.  I have to be able to do this for about 150 systems.

pam_tally2 is hardwired to send lockout events to the audit system. Use it 
rather than pam_tally. They will be in the audit logs as ANOM_LOGIN_FAILURES 
when the limit is reached, as RESP_ACCT_LOCK_TIMED for the actual locking of 
the acct, and RESP_ACCT_UNLOCK_TIMED when the acct is unlocked due to time 
expiration or admin action.

-Steve

     prev parent reply	other threads:[~2009-01-07 15:25 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-19  0:02 audit-viewer help needed LC Bruzenak
     [not found] ` <1221812917.2947.10.camel@amilo>
     [not found]   ` <1221830658.6513.4.camel@homeserver>
2008-09-22 23:30     ` [PATCH] Handle timestamp 0.0 in auparse, was " Miloslav Trmač
2008-09-23  0:38       ` LC Bruzenak
2008-09-23  0:57         ` Miloslav Trmač
2008-09-23  1:04           ` LC Bruzenak
2008-10-18 15:51           ` Steve Grubb
2008-11-07 20:19       ` LC Bruzenak
2009-01-07 15:17         ` Account Lockouts Starr-Renee Corbin
2009-01-07 15:25           ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200901071025.28494.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.