Account Lockout Event - No Username Included

Comments 1

Hi All,

I have configured some of my systems for PAM_TALLY2 events on Red Hat 6.5. With syslog and auditd running and the password-auth file configured as following:

auth required pam_tally2.so deny=3 onerr=fail lock_timeout=300

account required pam_tally2.so

I am receiving the events for the account lockouts in the var/log/messages which include 'type=RESP_ACCT_LOCK' as expected. However there is no username information with the event.

My question, is it possible to configure the system so the event does include the offending username? This is required as I am developing use case rules within ArcSight.

Thanks in advance.

Sean.

Started 2015-10-22T08:18:10+00:00 by

Sean Moore

Newbie 5 points

Responses

JB Newbie 5 points

25 January 2016 9:23 PM

Jesse Bacon

Sean, you can get that data from the audit log using the aureport command like so: aureport -au -i --failed

The raw data must be in the audit log assuming that audit is enabled.

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Account Lockout Event - No Username Included

Responses