Tracking account lockouts and permission denied

Tracking account lockouts and permission denied

[Starr-Renee Corbin]

Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show  
when an account is locked out and when a user is denied permission to  
security relevant files such as /etc/shadow.

This is in conjunction with our NISPOM requirements.

Any help is greatly appreciated!

Corbin

Re: Tracking account lockouts and permission denied

[Steve Grubb]

On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote:
> Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show  
> when an account is locked out

This is hardwired into the pam_talley2 code. As long as its in your login 
config and audit is enabled, you should get it.

> and when a user is denied permission to 
> security relevant files such as /etc/shadow.

In RHEL4, you can get accesses to /etc/shadow via watches, but not just the 
denied because of permission. aureport --file --failed would find them for 
you. 

You can also get all opens that failed due to permission denied. This would 
include more than /etc/shadow, though. 

RHEL5 and current upstream kernels do not have this limitation and can record 
the permission denied access to security relevant files.

-Steve