On Wednesday 07 January 2009 10:17:54 am Starr-Renee Corbin wrote: > While the account lockout policy is set, I am unable to figure out the > syntax for the watches to add to audit.rules that will show the account > lockout event. I have to be able to do this for about 150 systems.
pam_tally2 is hardwired to send lockout events to the audit system. Use it rather than pam_tally. They will be in the audit logs as ANOM_LOGIN_FAILURES when the limit is reached, as RESP_ACCT_LOCK_TIMED for the actual locking of the acct, and RESP_ACCT_UNLOCK_TIMED when the acct is unlocked due to time expiration or admin action. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
