From: "Steve M. Zak"
Subject: auditing account lockouts
Date: Mon, 10 Oct 2011 09:54:00 -0400
To: Linux-audit@redhat.com

Hi,

Through experimentation and per Red Hat tech support when the deny=x switch is set in /etc/pam.d/login as below

auth       required     pam_tally2.so deny=5 onerr=fail

the lockout happens at 5 failed attempts, but the audit trail does not record it until the next try.

Does the audit system provide a way to show that the lockout has occurred when the deny number is reached? Ideally this would be some system log that uses a variation of "Account locked"

Thanks!

____________________________________________
Steve M. Zak,
From: Steve Grubb
Subject: Re: auditing account lockouts
Date: Mon, 10 Oct 2011 10:13:05 -0400
To: linux-audit@redhat.com

On Monday, October 10, 2011 09:54:00 AM Steve M. Zak wrote:
> Hi,
>
> Through experimentation and per Red Hat tech support when the deny=x switch
> is set in /etc/pam.d/login as below
>
> auth required pam_tally2.so deny=5 onerr=fail
>
> the lockout happens at 5 failed attempts, but the audit trail does not
> record it until the next try.

The man page says that the account lockout occurs when the tally _exceeds_ the deny parameter. To lock out on 5 failed attempts, use deny=4.

-Steve
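The following is an added example, not code from either poster or from the audit or pam_tally2 projects. It replays audit USER_AUTH records and applies the rule Steve Grubb quotes from the pam_tally2 man page (deny when the per-user tally exceeds deny=n), so it shows in running code why deny=5 locks on the sixth failure and deny=4 on the fifth, and it emits the "Account locked" line the original question asked for at the exact record that crosses the threshold. The audit log lines are constructed for this example; the field layout (type=USER_AUTH, msg=audit(ts:serial), acct="...", res=success|failed) follows the audit daemon's format, and the default reset-on-success behaviour of pam_tally2 is assumed. Nothing here changes what PAM or auditd record; it is a post-hoc detector over the audit trail.

```python
"""Detect pam_tally2-style lockouts from audit USER_AUTH records.

Added example (not from the linux-audit thread). pam_tally2(8) denies
access once the failure tally EXCEEDS deny=n, so deny=5 locks on the
6th failed attempt and deny=4 on the 5th. The audit trail records each
failed attempt but never a "locked" state; this script derives it.
"""
import re
from collections import defaultdict

# Fields needed from a USER_AUTH record. Layout follows auditd output;
# the sample records below are constructed for this example.
_USER_AUTH_RE = re.compile(
    r'type=USER_AUTH\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'acct="(?P<acct>[^"]*)".*?res=(?P<res>success|failed)'
)


def parse_user_auth(line):
    """Return (ts, serial, acct, res) for a USER_AUTH record, else None."""
    m = _USER_AUTH_RE.search(line)
    if m is None:
        return None
    return (float(m.group("ts")), int(m.group("serial")),
            m.group("acct"), m.group("res"))


def detect_lockouts(lines, deny, reset_on_success=True):
    """Replay audit lines and return (tallies, lockout_events).

    lockout_events holds (acct, serial, tally) for the record that pushed
    the tally past `deny`, i.e. the attempt on which pam_tally2 starts
    denying access. reset_on_success models pam_tally2's default (the
    tally is cleared on a successful login unless no_reset is given).
    """
    tally = defaultdict(int)
    locked = set()
    events = []
    for line in lines:
        rec = parse_user_auth(line)
        if rec is None:          # not a USER_AUTH record; ignore
            continue
        _ts, serial, acct, res = rec
        if res == "success":
            if reset_on_success:
                tally[acct] = 0
                locked.discard(acct)
            continue
        tally[acct] += 1
        # pam_tally2(8): "Deny access if tally for this user exceeds n."
        if tally[acct] > deny and acct not in locked:
            locked.add(acct)
            events.append((acct, serial, tally[acct]))
    return dict(tally), events


def format_lockout(event):
    """Render a lockout event as the kind of log line the question wanted."""
    acct, serial, n = event
    return 'Account locked: acct="%s" tally=%d audit_serial=%d' % (acct, n, serial)


def sample_audit_lines():
    """Constructed records: six failures for 'szak' (serials 101-106),
    then one success and one failure for 'alice' (107, 108)."""
    tmpl = ("type=USER_AUTH msg=audit(%d.000:%d): pid=%d uid=0 "
            "auid=4294967295 ses=4294967295 msg='op=PAM:authentication "
            "acct=\"%s\" exe=\"/bin/login\" hostname=? addr=? "
            "terminal=tty1 res=%s'")
    lines = []
    for i in range(6):
        lines.append(tmpl % (1318254700 + i, 101 + i, 2000 + i, "szak", "failed"))
    lines.append(tmpl % (1318254710, 107, 2010, "alice", "success"))
    lines.append(tmpl % (1318254711, 108, 2011, "alice", "failed"))
    lines.append("type=CRED_DISP msg=audit(1318254712.000:109): unrelated record")
    return lines


if __name__ == "__main__":
    lines = sample_audit_lines()
    for deny in (5, 4):
        tallies, events = detect_lockouts(lines, deny)
        print("deny=%d -> tallies=%s" % (deny, tallies))
        for ev in events:
            print("  " + format_lockout(ev))
```

Running the script shows deny=5 reporting the lockout at audit serial 106 (tally 6) and deny=4 at serial 105 (tally 5), which is the off-by-one the thread is about. In production you would feed it the output of `ausearch -m USER_AUTH` rather than constructed lines.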