On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote: > Does the audit system have a watch that will show account lockouts in real > time?
You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the account is locked. Before that, the account is not locked. It is counting bad authentication attempts and sending USER_AUTH events as the user tries to login. > The pam implementation doesn't write to the logs until after the deny= > number has been exceeded. Pam writes something every time. It sends 2 different events because a bad auth is not a lockout. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
