Account Lockout Recorded in System Logs?
Very new to Linux.
I'm using RHEL 2.4 and could not find any record of accounts that were locked out due to unsuccessful logins other than in it was documented in the the /var/log/faillog. By default, does the Linux System Log record account lockouts and in which System Log, Audit, Message or Security? What trigger words should I look for, example account locked? The accounts do reflect in the faillog and the System Logs show authentication failures but I was just wondering if it was documented somewhere other than the faillog. A million thanks:) John |
According to this http://www.redhat.com/security/updates/errata/ there's no such thing as RHEL 2.4; sounds like the kernel version, not the release.
Please show uname -a cat /etc/redhat-release |
Reponse to typing commands
After I type:
uname -a The return is: Linux localhost.localdomain 2.6.9-67/0.15.Elsmp #1 SMP Tue Apr 22 13:58 EDT2 After I type: cat /etc/redhat-release The return is: Red Hat Enterprise Linux WS Release 4 (Nahant) Thanks John |
pam_tally
Should myfoucus be on pam_tally and modify the /etc/pam.d/login file:
auth required pam_tally.so file=/path/to/counter Write now my /etc/pam.d/sys-auth file, below: auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root Locks the account out and writes to the faillog file but I was wondering if I could specify an additional location where account lockouts or counters could be recorded? A millions thanks John |
RHEL4.0 then.
It should by default also log to /var/log/messages or /var/log/secure. You can edit /etc/syslog.conf to send auth messages to another place as well if you wish. |
All times are GMT -5. The time now is 12:25 AM. |