* auditing account lockouts
@ 2011-10-10 13:54 Steve M. Zak
From: Steve M. Zak @ 2011-10-10 13:54 UTC (permalink / raw)
To: Linux-audit@redhat.com
Hi,

Through experimentation and per Red Hat tech support when the deny=x switch is set in /etc/pam.d/login as below

    auth required pam_tally2.so deny=5 onerr=fail

the lockout happens at 5 failed attempts, but the audit trail does not record it until the next try.

Does the audit system provide a way to show that the lockout has occurred when the deny number is reached? Ideally this would be some system log that uses a variation of "Account locked"

Thanks!
Steve M. Zak,
* Re: auditing account lockouts
@ 2011-10-10 14:13 ` Steve Grubb
From: Steve Grubb @ 2011-10-10 14:13 UTC (permalink / raw)
To: linux-audit
On Monday, October 10, 2011 09:54:00 AM Steve M. Zak wrote:
> Hi,
>
> Through experimentation and per Red Hat tech support when the deny=x switch
> is set in /etc/pam.d/login as below
>
> auth required pam_tally2.so deny=5 onerr=fail
>
> the lockout happens at 5 failed attempts, but the audit trail does not
> record it until the next try.

The man page says that the account lockout occurs when the tally _exceeds_ the deny
parameter. To lock out on 5 failed attempts, use deny=4.

-Steve
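
The following is an added example, not code from either message or from the audit project. It counts the failed USER_AUTH records that precede an account's first RESP_ACCT_LOCK record, so the position of the lock record can be compared with the configured deny value. It assumes pam_tally2 is built with audit support and emits ANOM_LOGIN_FAILURES and RESP_ACCT_LOCK records; the record layout is simplified, and the accounts alice and bob, their uids and all log lines are constructed.

```python
import re
from collections import defaultdict

AUTH_RE = re.compile(r'^type=USER_AUTH .*acct="([^"]+)".* res=(\w+)')
LOCK_RE = re.compile(r'^type=RESP_ACCT_LOCK .*pam_tally2 uid=(\d+)')

def failures_before_lock(lines, uid_to_acct):
    """Map each locked account to the number of consecutive failed
    USER_AUTH records logged before its first RESP_ACCT_LOCK record."""
    tally = defaultdict(int)
    first_lock = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            acct, res = m.groups()
            # A successful login resets the counter, as pam_tally2 does.
            tally[acct] = tally[acct] + 1 if res == "failed" else 0
            continue
        m = LOCK_RE.match(line)
        if m:
            uid = int(m.group(1))
            acct = uid_to_acct.get(uid, "uid=%d" % uid)
            # Later attempts repeat the lock record; keep only the first.
            first_lock.setdefault(acct, tally[acct])
    return first_lock

# --- Constructed sample data (simplified records, hypothetical accounts) ---
def auth(serial, acct, res):
    return ("type=USER_AUTH msg=audit(1318254800.000:%d): msg='op=PAM:authentication "
            'acct="%s" exe="/bin/login" res=%s\'' % (serial, acct, res))

def tally2(serial, rtype, uid):
    return ("type=%s msg=audit(1318254800.000:%d): msg='pam_tally2 uid=%d "
            'exe="/bin/login" res=success\'' % (rtype, serial, uid))

UID_TO_ACCT = {500: "alice", 501: "bob"}
SAMPLE_LOG = (
    [auth(100 + i, "alice", "failed") for i in range(1, 6)]      # tries 1-5
    + [auth(106, "bob", "failed"), auth(107, "bob", "success")]  # no lockout
    + [tally2(108, "ANOM_LOGIN_FAILURES", 500),                  # try 6 begins
       tally2(109, "RESP_ACCT_LOCK", 500),
       auth(110, "alice", "failed"),
       tally2(111, "RESP_ACCT_LOCK", 500),                       # try 7
       auth(112, "alice", "failed")]
)

if __name__ == "__main__":
    for acct, n in failures_before_lock(SAMPLE_LOG, UID_TO_ACCT).items():
        print("%s: lock record first logged on attempt %d, after %d failures"
              % (acct, n + 1, n))
```

On the constructed log, which models deny=5, the lock record for alice follows five failures and so belongs to the sixth attempt.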