HPE Community
Operating System - HP-UX
1752794 Members
6603 Online
108789 Solutions
New Discussion юеВ

Security Audits-Account Locked Excessive Failed Logins

 
SOLVED
Go to solution
johnnymac_1
Advisor

тАО01-18-2011 08:45 AM

тАО01-18-2011 08:45 AM

Security Audits-Account Locked Excessive Failed Logins

When I am reviewing the security audits using the SAM interface, what system call or event will let me know when a account is locked due to excesive failed logins?
HP-UX 11 (B.11.23)
Very new to HP-UX so a million thanks,
John
0 Kudos
7 REPLIES 7
Manix
Honored Contributor

тАО01-18-2011 09:12 AM

тАО01-18-2011 09:12 AM

Re: Security Audits-Account Locked Excessive Failed Logins

is it a trusted system do you have /tcb directory

If the server is not trusted, then following command will help.

passwd -s
LK shows the account is locked.

If it is trusted, then
/usr/lbin/getprpw
and check for lockout parmater. it should not contain any 1 digit in its value. those all should be 0s.

The only way to lock an account in a non-trusted system is to replace the password with an asterisk (*) - you can visually check /etc/passwd for this.
HP-UX been always lovable - Mani Kalra
0 Kudos
johnnymac_1
Advisor

тАО01-18-2011 09:17 AM

тАО01-18-2011 09:17 AM

Re: Security Audits-Account Locked Excessive Failed Logins

I think it is trusted. Based on your directions, at the command prompt I will type

/usr/lbin/getprpw johnsmith
and check for lockout parmater. It should not contain any 1 digit in its value. Those all should be 0s. If there is a 1 digit, does that mean the account is locked?
0 Kudos
Manix
Honored Contributor

тАО01-18-2011 09:21 AM

тАО01-18-2011 09:21 AM

Re: Security Audits-Account Locked Excessive Failed Logins

# /usr/lbin/getprpw -m lockout userid

Will return something like:

Lockout = 0011000

Each character position above denotes a different reason for the account being locked.

From the getprpw man page:

lockout returns the reason for a lockout in a "bit" valued string, where 0 = condition not present, 1 is present. The position, left to right represents:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
HP-UX been always lovable - Mani Kalra
0 Kudos
Manix
Honored Contributor

тАО01-18-2011 09:31 AM

тАО01-18-2011 09:31 AM

Solution

Re: Security Audits-Account Locked Excessive Failed Logins

Yes John !! you are absolutely correct.

Thanks

Manix
HP-UX been always lovable - Mani Kalra
0 Kudos
johnnymac_1
Advisor

тАО01-19-2011 08:13 AM

тАО01-19-2011 08:13 AM

Re: Security Audits-Account Locked Excessive Failed Logins

Manix,

You are a miracle worker. It worked great. I have a different question which I will include in a new thread concerning su logs and how to view succesfula and unsucessful su.
One more question concerning this topic (otherwise this is a closed thread). Is there a way to run a query based on all users who are locked without having to specifiy user name. I only have 5 users so I can write a script that calls out each by name but wondered if there was a simple way to list all locked/disbaled users.

A million thanks,
John
0 Kudos
Manix
Honored Contributor

тАО01-19-2011 10:40 AM

тАО01-19-2011 10:40 AM

Re: Security Audits-Account Locked Excessive Failed Logins

Thanks John !! if this one is resolved lets
close this thread -))
HP-UX been always lovable - Mani Kalra
0 Kudos
johnnymac_1
Advisor

тАО01-19-2011 10:42 AM

тАО01-19-2011 10:42 AM

Re: Security Audits-Account Locked Excessive Failed Logins

Thanks to all those who assisted. It worked great.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.