[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Tracking account lockouts and permission denied



On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote:
> Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show  
> when an account is locked out

This is hardwired into the pam_talley2 code. As long as its in your login 
config and audit is enabled, you should get it.

> and when a user is denied permission to 
> security relevant files such as /etc/shadow.

In RHEL4, you can get accesses to /etc/shadow via watches, but not just the 
denied because of permission. aureport --file --failed would find them for 
you. 

You can also get all opens that failed due to permission denied. This would 
include more than /etc/shadow, though. 

RHEL5 and current upstream kernels do not have this limitation and can record 
the permission denied access to security relevant files.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]