From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tomas Mraz Subject: RE: Lockout record Date: Fri, 03 Dec 2010 09:20:00 +0100 Message-ID: <1291364400.15535.86.camel@vespa.frost.loc> References: <201012011616.43237.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Steve M. Zak" Cc: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: > Hi Steve, > > Thanks for the info! I do see the USER_AUTH events which I didn't know > about so thanks. > > I may have something mis-configured, but for instance in my pam.d/sshd > file I have deny=5 > > I can see the 5 failed attempts as type=USER_AUTH with res=failed, but > the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a > message gets displayed to the user "Your account is locked. Maximum > amount of failed attempts was reached." > > Does a lock event get written to the audit.log on the 5th attempt? (I > didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and > Tech Support indicates that the lock happens at deny=n + 1, but it > seems to happen at deny=n. The lock event seems to get recorded at > deny=n + 1. You are right. The event is recorded only when the user attempts to log in after the deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly said - the module is called only before the authentication in case of failed authentication. And so it cannot record the lock event earlier than during another authentication attempt for the user. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb