Lockout record

Lockout record

[Steve M. Zak]

Hi,

Does the audit system have a watch that will show account lockouts in real time?

The pam implementation doesn't write to the logs until after the deny= number has been exceeded.

Thanks!


____________________________________________
Steve M. Zak



-- 
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com

Re: Lockout record

[Steve Grubb]

On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote:
> Does the audit system have a watch that will show account lockouts in real
> time?

You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the 
account is locked. Before that, the account is not locked. It is counting bad 
authentication attempts and sending USER_AUTH events as the user tries to login.
 
> The pam implementation doesn't write to the logs until after the deny=
> number has been exceeded.

Pam writes something every time. It sends 2 different events because a bad auth is not 
a lockout.

-Steve

RE: Lockout record

[Steve M. Zak]

Hi Steve,

Thanks for the info!  I do see the USER_AUTH events which I didn't know about so thanks. 

I may have something mis-configured, but for instance in my pam.d/sshd file I have deny=5

I can see the 5 failed attempts as type=USER_AUTH with res=failed, but the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a message gets displayed to the user "Your account is locked. Maximum amount of failed attempts was reached."

Does a lock event get written to the audit.log on the 5th attempt? (I didn't see RESP_ACCT_LOCK_TIMED in the log).  A Red Hat KB article and Tech Support indicates that the lock happens at deny=n + 1, but it seems to happen at deny=n.  The lock event seems to get recorded at deny=n + 1. 

Thanks!





____________________________________________
Steve M. Zak



-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Wednesday, December 01, 2010 4:17 PM
To: linux-audit@redhat.com
Cc: Steve M. Zak
Subject: Re: Lockout record

On Wednesday, December 01, 2010 03:01:50 pm Steve M. Zak wrote:
> Does the audit system have a watch that will show account lockouts in 
> real time?

You do not need to set any watch, pam sends a RESP_ACCT_LOCK_TIMED event when the account is locked. Before that, the account is not locked. It is counting bad authentication attempts and sending USER_AUTH events as the user tries to login.
 
> The pam implementation doesn't write to the logs until after the deny= 
> number has been exceeded.

Pam writes something every time. It sends 2 different events because a bad auth is not a lockout.

-Steve

RE: Lockout record

[Tomas Mraz]

On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: 
> Hi Steve,
> 
> Thanks for the info! I do see the USER_AUTH events which I didn't know
> about so thanks. 
> 
> I may have something mis-configured, but for instance in my pam.d/sshd
> file I have deny=5
> 
> I can see the 5 failed attempts as type=USER_AUTH with res=failed, but
> the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a
> message gets displayed to the user "Your account is locked. Maximum
> amount of failed attempts was reached."
> 
> Does a lock event get written to the audit.log on the 5th attempt? (I
> didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and
> Tech Support indicates that the lock happens at deny=n + 1, but it
> seems to happen at deny=n. The lock event seems to get recorded at
> deny=n + 1. 

You are right. The event is recorded only when the user attempts to log
in after the deny=n failed attempts already happened. This is caused by
the way pam_tally2 is set up in the PAM stack. The module cannot know if
the n-th attempt is failed or not or more exactly said - the module is
called only before the authentication in case of failed authentication.
And so it cannot record the lock event earlier than during another
authentication attempt for the user.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

RE: Lockout record

[Wieprecht, Karen M.]

We solve this by setting deny=4 if we want to see lockout messages after the 5th failed login.   

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz
Sent: Friday, December 03, 2010 3:20 AM
To: Steve M. Zak
Cc: linux-audit@redhat.com
Subject: RE: Lockout record

On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: 
> Hi Steve,
> 
> Thanks for the info! I do see the USER_AUTH events which I didn't know
> about so thanks. 
> 
> I may have something mis-configured, but for instance in my pam.d/sshd
> file I have deny=5
> 
> I can see the 5 failed attempts as type=USER_AUTH with res=failed, but
> the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a
> message gets displayed to the user "Your account is locked. Maximum
> amount of failed attempts was reached."
> 
> Does a lock event get written to the audit.log on the 5th attempt? (I
> didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and
> Tech Support indicates that the lock happens at deny=n + 1, but it
> seems to happen at deny=n. The lock event seems to get recorded at
> deny=n + 1. 

You are right. The event is recorded only when the user attempts to log
in after the deny=n failed attempts already happened. This is caused by
the way pam_tally2 is set up in the PAM stack. The module cannot know if
the n-th attempt is failed or not or more exactly said - the module is
called only before the authentication in case of failed authentication.
And so it cannot record the lock event earlier than during another
authentication attempt for the user.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

RE: Lockout record

[Steve M. Zak]

Thanks Karen,

Yes that does seem to be the best solution.


Have a great day!


____________________________________________
Steve M. Zak,  


-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu] 
Sent: Friday, December 03, 2010 9:54 AM
To: Tomas Mraz; Steve M. Zak
Cc: linux-audit@redhat.com
Subject: RE: Lockout record

We solve this by setting deny=4 if we want to see lockout messages after the 5th failed login.   

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz
Sent: Friday, December 03, 2010 3:20 AM
To: Steve M. Zak
Cc: linux-audit@redhat.com
Subject: RE: Lockout record

On Thu, 2010-12-02 at 17:46 -0500, Steve M. Zak wrote: 
> Hi Steve,
> 
> Thanks for the info! I do see the USER_AUTH events which I didn't know 
> about so thanks.
> 
> I may have something mis-configured, but for instance in my pam.d/sshd 
> file I have deny=5
> 
> I can see the 5 failed attempts as type=USER_AUTH with res=failed, but 
> the RESP_ACCT_LOCK doesn't show up until the 6th login attempt and a 
> message gets displayed to the user "Your account is locked. Maximum 
> amount of failed attempts was reached."
> 
> Does a lock event get written to the audit.log on the 5th attempt? (I 
> didn't see RESP_ACCT_LOCK_TIMED in the log). A Red Hat KB article and 
> Tech Support indicates that the lock happens at deny=n + 1, but it 
> seems to happen at deny=n. The lock event seems to get recorded at 
> deny=n + 1.

You are right. The event is recorded only when the user attempts to log in after the deny=n failed attempts already happened. This is caused by the way pam_tally2 is set up in the PAM stack. The module cannot know if the n-th attempt is failed or not or more exactly said - the module is called only before the authentication in case of failed authentication.
And so it cannot record the lock event earlier than during another authentication attempt for the user.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit