* Lockout record @ 2010-12-01 20:01 Steve M. Zak 2010-12-01 21:16 ` Steve Grubb 0 siblings, 1 reply; 6+ messages in thread From: Steve M. Zak @ 2010-12-01 20:01 UTC (permalink / raw) To: linux-audit@redhat.com Hi, Does the audit system have a watch that will show account lockouts in real time? The pam implementation doesn't write to the logs until after the deny= number has been exceeded. Thanks! ____________________________________________ Steve M. Zak -- This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Lockout record 2010-12-01 20:01 Lockout record Steve M. Zak @ 2010-12-01 21:16 ` Steve Grubb 2010-12-02 22:46 ` Steve M. Zak 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2010-12-01 21:16 UTC (permalink / raw) To: linux-audit On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote: > Does the audit system have a watch that will show account lockouts in real > time? You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the account is locked. Before that, the account is not locked. It is counting bad authentication attempts and sending USER_AUTH events as the user tries to login. > The pam implementation doesn't write to the logs until after the deny= > number has been exceeded. Pam writes something every time. It sends 2 different events because a bad auth is not a lockout. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Lockout record 2010-12-01 21:16 ` Steve Grubb @ 2010-12-02 22:46 ` Steve M. Zak 2010-12-03 8:20 ` Tomas Mraz 0 siblings, 1 reply; 6+ messages in thread From: Steve M. Zak @ 2010-12-02 22:46 UTC (permalink / raw) To: Steve Grubb, linux-audit@redhat.com Hi Steve, Thanks for the info! I do see the USER_AUTH events which I didn't know about so thanks. I may have something mis-configured, but for instance in my pam.d/sshd file I have deny=5 I can see the 5 failed attempts as type=USER_AUTH with res=failed, but the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a message gets displayed to the user "Your account is locked. Maximum amount of failed attempts was reached." Does a lock event get written to the audit.log on the 5th attempt? (I didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and Tech Support indicates that the lock happens at deny=n + 1, but it seems to happen at deny=n. The lock event seems to get recorded at deny=n + 1. Thanks! ____________________________________________ Steve M. Zak -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Wednesday, December 01, 2010 4:17 PM To: linux-audit@redhat.com Cc: Steve M. Zak Subject: Re: Lockout record On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote: > Does the audit system have a watch that will show account lockouts in > real time? You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the account is locked. Before that, the account is not locked. It is counting bad authentication attempts and sending USER_AUTH events as the user tries to login. > The pam implementation doesn't write to the logs until after the deny= > number has been exceeded. Pam writes something every time. It sends 2 different events because a bad auth is not a lockout. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Lockout record 2010-12-02 22:46 ` Steve M. Zak @ 2010-12-03 8:20 ` Tomas Mraz 2010-12-03 14:54 ` Wieprecht, Karen M. 0 siblings, 1 reply; 6+ messages in thread From: Tomas Mraz @ 2010-12-03 8:20 UTC (permalink / raw) To: Steve M. Zak; +Cc: linux-audit@redhat.com On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: > Hi Steve, > > Thanks for the info! I do see the USER_AUTH events which I didn't know > about so thanks. > > I may have something mis-configured, but for instance in my pam.d/sshd > file I have deny=5 > > I can see the 5 failed attempts as type=USER_AUTH with res=failed, but > the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a > message gets displayed to the user "Your account is locked. Maximum > amount of failed attempts was reached." > > Does a lock event get written to the audit.log on the 5th attempt? (I > didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and > Tech Support indicates that the lock happens at deny=n + 1, but it > seems to happen at deny=n. The lock event seems to get recorded at > deny=n + 1. You are right. The event is recorded only when the user attempts to log in after the deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly said - the module is called only before the authentication in case of failed authentication. And so it cannot record the lock event earlier than during another authentication attempt for the user. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Lockout record 2010-12-03 8:20 ` Tomas Mraz @ 2010-12-03 14:54 ` Wieprecht, Karen M. 2010-12-03 15:13 ` Steve M. Zak 0 siblings, 1 reply; 6+ messages in thread From: Wieprecht, Karen M. @ 2010-12-03 14:54 UTC (permalink / raw) To: Tomas Mraz, Steve M. Zak; +Cc: linux-audit@redhat.com We solve this by setting deny=4 if we want to see lockout messages after the 5th failed login. -----Original Message----- From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz Sent: Friday, December 03, 2010 3:20 AM To: Steve M. Zak Cc: linux-audit@redhat.com Subject: RE: Lockout record On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: > Hi Steve, > > Thanks for the info! I do see the USER_AUTH events which I didn't know > about so thanks. > > I may have something mis-configured, but for instance in my pam.d/sshd > file I have deny=5 > > I can see the 5 failed attempts as type=USER_AUTH with res=failed, but > the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a > message gets displayed to the user "Your account is locked. Maximum > amount of failed attempts was reached." > > Does a lock event get written to the audit.log on the 5th attempt? (I > didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and > Tech Support indicates that the lock happens at deny=n + 1, but it > seems to happen at deny=n. The lock event seems to get recorded at > deny=n + 1. You are right. The event is recorded only when the user attempts to log in after the deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly said - the module is called only before the authentication in case of failed authentication. And so it cannot record the lock event earlier than during another authentication attempt for the user. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Lockout record 2010-12-03 14:54 ` Wieprecht, Karen M. @ 2010-12-03 15:13 ` Steve M. Zak 0 siblings, 0 replies; 6+ messages in thread From: Steve M. Zak @ 2010-12-03 15:13 UTC (permalink / raw) To: Wieprecht, Karen M., Tomas Mraz; +Cc: linux-audit@redhat.com Thanks Karen, Yes that does seem to be the best solution. Have a great day! ____________________________________________ Steve M. Zak, -----Original Message----- From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu] Sent: Friday, December 03, 2010 9:54 AM To: Tomas Mraz; Steve M. Zak Cc: linux-audit@redhat.com Subject: RE: Lockout record We solve this by setting deny=4 if we want to see lockout messages after the 5th failed login. -----Original Message----- From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz Sent: Friday, December 03, 2010 3:20 AM To: Steve M. Zak Cc: linux-audit@redhat.com Subject: RE: Lockout record On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: > Hi Steve, > > Thanks for the info! I do see the USER_AUTH events which I didn't know > about so thanks. > > I may have something mis-configured, but for instance in my pam.d/sshd > file I have deny=5 > > I can see the 5 failed attempts as type=USER_AUTH with res=failed, but > the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a > message gets displayed to the user "Your account is locked. Maximum > amount of failed attempts was reached." > > Does a lock event get written to the audit.log on the 5th attempt? (I > didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and > Tech Support indicates that the lock happens at deny=n + 1, but it > seems to happen at deny=n. The lock event seems to get recorded at > deny=n + 1. You are right. The event is recorded only when the user attempts to log in after the deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly said - the module is called only before the authentication in case of failed authentication. And so it cannot record the lock event earlier than during another authentication attempt for the user. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2010-12-03 15:11 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-12-01 20:01 Lockout record Steve M. Zak 2010-12-01 21:16 ` Steve Grubb 2010-12-02 22:46 ` Steve M. Zak 2010-12-03 8:20 ` Tomas Mraz 2010-12-03 14:54 ` Wieprecht, Karen M. 2010-12-03 15:13 ` Steve M. Zak
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox