
RE: Lockout record

We solve this by setting deny=4 if we want to see lockout messages after the 5th failed login.   

-----Original Message-----
From: linux-audit-bounces redhat com [mailto:linux-audit-bounces redhat com] On Behalf Of Tomas Mraz
Sent: Friday, December 03, 2010 3:20 AM
To: Steve M. Zak
Cc: linux-audit redhat com
Subject: RE: Lockout record

On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: 
> Hi Steve,
> Thanks for the info! I do see the USER_AUTH events which I didn't know
> about so thanks. 
> I may have something mis-configured, but for instance in my pam.d/sshd
> file I have deny=5
> I can see the 5 failed attempts as type=USER_AUTH with res=failed, but
> the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a
> message gets displayed to the user "Your account is locked. Maximum
> amount of failed attempts was reached."
> Does a lock event get written to the audit.log on the 5th attempt? (I
> didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and
> Tech Support indicates that the lock happens at deny=n + 1, but it
> seems to happen at deny=n. The lock event seems to get recorded at
> deny=n + 1. 

You are right. The event is recorded only when the user attempts to log
in after the deny=n failed attempts have already happened. This is caused by
the way pam_tally2 is set up in the PAM stack. The module cannot know whether
the n-th attempt failed or not, or, more exactly said, the module is
called only before the authentication in the case of a failed authentication.
And so it cannot record the lock event earlier than during another
authentication attempt for the user.
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

Linux-audit mailing list
Linux-audit redhat com
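The off-by-one Tomas describes can be made concrete with a small model. The code below is an added example, not code from this thread or from Linux-PAM. It assumes (labelled in the comments) that pam_tally2 is stacked as the first auth module, bumps the per-user tally before the real authentication module runs, refuses once the tally exceeds deny, writes the RESP_ACCT_LOCK record only when the tally first exceeds deny, and resets the tally in its account phase after a successful login. The audit.log lines in SAMPLE_DENY5 are constructed for the example, in the shape of the records quoted in the thread; the account name szak and the addresses are made up.

```python
"""Model of where pam_tally2 puts the RESP_ACCT_LOCK record relative to deny=n.

Added example; the pam_tally2 behaviour below is an assumption about the
stack ordering described in the thread, not the module's own code.
"""
import re
from collections import defaultdict


class Tally2Model:
    """Minimal model of pam_tally2 counting (assumption, see module docstring)."""

    def __init__(self, deny):
        self.deny = deny
        self.tally = defaultdict(int)
        self.audit = []  # records in order: (acct, type, res)

    def attempt(self, acct, password_ok):
        """One pam_authenticate() for acct. Returns True on success."""
        # auth phase of pam_tally2: bump first, check second. At this point the
        # module cannot know whether the attempt about to happen will fail.
        self.tally[acct] += 1
        if self.tally[acct] > self.deny:
            if self.tally[acct] == self.deny + 1:
                self.audit.append((acct, "RESP_ACCT_LOCK", "failed"))
            # libpam still records the failed pam_authenticate() as USER_AUTH
            self.audit.append((acct, "USER_AUTH", "failed"))
            return False
        # the real auth module (e.g. pam_unix) runs only while tally <= deny
        if not password_ok:
            self.audit.append((acct, "USER_AUTH", "failed"))
            return False
        self.audit.append((acct, "USER_AUTH", "success"))
        self.tally[acct] = 0  # account phase of pam_tally2 resets on success
        return True

    def lock_attempt(self, acct, outcomes):
        """Run a list of attempt outcomes (True = correct password); return the
        1-based attempt number that produced RESP_ACCT_LOCK, or None."""
        lock_at = None
        for i, ok in enumerate(outcomes, start=1):
            before = len(self.audit)
            self.attempt(acct, ok)
            new = self.audit[before:]
            if lock_at is None and any(t == "RESP_ACCT_LOCK" for _, t, _ in new):
                lock_at = i
        return lock_at


# --- checking a real audit.log against the model ---------------------------
RECORD = re.compile(r"^type=(?P<type>\w+) .*?msg='(?P<body>.*)'$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (type, fields) for one audit.log line, or None if it does not parse."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
    return m.group("type"), fields


def failures_before_lock(lines, acct):
    """Count failed USER_AUTH records for acct that precede the first lock
    record. Equals deny when the stack behaves as the thread describes."""
    failed = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, f = rec
        if rtype in ("RESP_ACCT_LOCK", "RESP_ACCT_LOCK_TIMED"):
            return failed
        if rtype == "USER_AUTH" and f.get("acct") == acct and f.get("res") == "failed":
            failed += 1
    return None  # no lock record seen


def _user_auth_line(serial, acct, res):
    # constructed line in the shape of a libpam USER_AUTH record from sshd
    return ("type=USER_AUTH msg=audit(1291336800.%03d:%d): user pid=%d uid=0 "
            "auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"%s\" "
            "exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=%s'"
            % (serial, 100 + serial, 2100 + serial, acct, res))


# constructed sample: sshd with deny=5, six wrong passwords in a row for szak
SAMPLE_DENY5 = [_user_auth_line(i, "szak", "failed") for i in range(1, 6)] + [
    # constructed pam_tally2 lock record; it names the user by uid, not acct
    "type=RESP_ACCT_LOCK msg=audit(1291336800.006:106): user pid=2106 uid=0 "
    "auid=4294967295 ses=4294967295 msg='pam_tally2 uid=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=? terminal=? res=failed'",
    _user_auth_line(6, "szak", "failed"),
]

if __name__ == "__main__":
    for deny in (5, 4):
        m = Tally2Model(deny)
        print("deny=%d: RESP_ACCT_LOCK on attempt %s" % (deny, m.lock_attempt("szak", [False] * 6)))
    print("failed USER_AUTH before the lock record in the sample:",
          failures_before_lock(SAMPLE_DENY5, "szak"))
```

Running the model reproduces both observations in the thread: with deny=5 the lock record appears on the sixth attempt, and with deny=4 it appears on the fifth, which is the workaround in the top reply. To check a real system against the model, feed failures_before_lock() the raw records for one user (for example from ausearch -m USER_AUTH,RESP_ACCT_LOCK -r); if the count equals your deny value, the stack is behaving as Tomas describes. The constructed lock record carries pam_tally2's uid rather than an acct field, so on a multi-user log you would map uid to account name before filtering.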
