On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote:
> Hello, I am using RHEL 4 and need /var/log/audit/audit.log to show
> when an account is locked out

This is hardwired into the pam_tally2 code. As long as it's in your login config and audit is enabled, you should get it.

> and when a user is denied permission to
> security relevant files such as /etc/shadow.

In RHEL4, you can get accesses to /etc/shadow via watches, but not just the denied because of permission. aureport --file --failed would find them for you. You can also get all opens that failed due to permission denied. This would include more than /etc/shadow, though.

RHEL5 and current upstream kernels do not have this limitation and can record the permission denied access to security relevant files.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
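The filtering described in the reply (failed accesses narrowed to permission-denied, optionally to one file) can be sketched over raw audit records. This is an added example, not part of the original message or of the audit tools; the log lines are constructed, and the key=value record layout and the function names are assumptions.

```python
import re
from collections import defaultdict

EACCES = -13  # "Permission denied" as a negative syscall return value

# Constructed sample records (assumed auditd key=value layout, not from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1222873124.101:4521): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=3120 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1222873124.101:4521): item=0 name="/etc/shadow" inode=98311 dev=03:02 mode=0100400
type=SYSCALL msg=audit(1222873130.553:4522): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=3127 auid=0 uid=0 comm="passwd" exe="/usr/bin/passwd"
type=PATH msg=audit(1222873130.553:4522): item=0 name="/etc/shadow" inode=98311 dev=03:02 mode=0100400
type=SYSCALL msg=audit(1222873141.007:4523): arch=40000003 syscall=5 success=no exit=-2 items=1 pid=3130 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1222873141.007:4523): item=0 name="/etc/shadow.bak" inode=0 dev=03:02 mode=00
type=SYSCALL msg=audit(1222873150.812:4524): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=3133 auid=501 uid=501 comm="less" exe="/usr/bin/less"
type=PATH msg=audit(1222873150.812:4524): item=0 name="/var/log/secure" inode=65540 dev=03:02 mode=0100600
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype] = fields  # one PATH per event in this sample
    return events

def denied_accesses(text, path=None):
    """Return (serial, auid, exe, name) for syscalls that failed with EACCES.

    With path=None every permission-denied access is reported, which is the
    "more than /etc/shadow" case; pass a path to narrow to one file.
    """
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        sc, p = recs.get("SYSCALL"), recs.get("PATH")
        if not sc or not p:
            continue
        if sc.get("success") == "no" and int(sc.get("exit", 0)) == EACCES:
            if path is None or p.get("name") == path:
                hits.append((serial, sc.get("auid"), sc.get("exe"), p["name"]))
    return hits
```

Event 4523 fails with exit=-2 (no such file) and is excluded, which is the difference between "all failed" and "failed due to permission denied".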
