
Security Audits-Account Locked Excessive Failed Logins

SOLVED
johnnymac_1
Advisor

Security Audits-Account Locked Excessive Failed Logins

When I am reviewing the security audits using the SAM interface, what system call or event will let me know when an account is locked due to excessive failed logins?
HP-UX 11 (B.11.23)
Very new to HP-UX so a million thanks,
John
7 REPLIES
Manix
Honored Contributor

Re: Security Audits-Account Locked Excessive Failed Logins

Is it a trusted system? Do you have a /tcb directory?

If the server is not trusted, then following command will help.

passwd -s
LK shows the account is locked.

If it is trusted, then
/usr/lbin/getprpw
and check for the lockout parameter. It should not contain any 1 digit in its value. Those all should be 0s.

The only way to lock an account in a non-trusted system is to replace the password with an asterisk (*) - you can visually check /etc/passwd for this.
HP-UX been always lovable - Mani Kalra
johnnymac_1
Advisor

Re: Security Audits-Account Locked Excessive Failed Logins

I think it is trusted. Based on your directions, at the command prompt I will type

/usr/lbin/getprpw johnsmith
and check for the lockout parameter. It should not contain any 1 digit in its value. Those all should be 0s. If there is a 1 digit, does that mean the account is locked?
Manix
Honored Contributor

Re: Security Audits-Account Locked Excessive Failed Logins

# /usr/lbin/getprpw -m lockout userid

Will return something like:

Lockout = 0011000

Each character position above denotes a different reason for the account being locked.

From the getprpw man page:

lockout returns the reason for a lockout in a "bit" valued string, where 0 = condition not present, 1 is present. The position, left to right represents:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
HP-UX been always lovable - Mani Kalra
Manix
Honored Contributor
Solution

Re: Security Audits-Account Locked Excessive Failed Logins

Yes John!! You are absolutely correct.

Thanks

Manix
HP-UX been always lovable - Mani Kalra
johnnymac_1
Advisor

Re: Security Audits-Account Locked Excessive Failed Logins

Manix,

You are a miracle worker. It worked great. I have a different question which I will include in a new thread concerning su logs and how to view successful and unsuccessful su.
One more question concerning this topic (otherwise this is a closed thread). Is there a way to run a query based on all users who are locked without having to specify user name? I only have 5 users so I can write a script that calls out each by name but wondered if there was a simple way to list all locked/disabled users.

A million thanks,
John
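An added example, not part of the thread and not HP's own tooling: a POSIX shell sketch that decodes the seven-position lockout string quoted above from the getprpw man page and reports every account with at least one reason set, which covers the "list all locked users" question. It assumes a trusted system, root privileges, that `getprpw -m lockout <user>` prints the value after an `=` as shown earlier in the thread, and that walking `/etc/passwd` is an acceptable way to enumerate users; `decode_lockout` and `report_locked` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). GETPRPW can be overridden for testing.
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}

# Print one "position reason" line for every position set to 1 in a
# 7-character lockout string; accepts "0011000" or "Lockout = 0011000".
decode_lockout() {
    bits=$(printf '%s' "${1##*=}" | tr -d ' ')
    case $bits in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unexpected lockout value: $1" >&2; return 2 ;;
    esac
    pos=1
    for reason in \
        "past password lifetime" \
        "past last login time (inactive account)" \
        "past absolute account lifetime" \
        "exceeded unsuccessful login attempts" \
        "password required and a null password" \
        "admin lock" \
        "password is a *"
    do
        if [ "$(printf '%s' "$bits" | cut -c"$pos")" = 1 ]; then
            echo "$pos $reason"
        fi
        pos=$((pos + 1))
    done
}

# List every account in the passwd file that has at least one lockout reason.
# Users for which getprpw fails or returns an unexpected value are skipped.
report_locked() {
    cut -d: -f1 "${1:-/etc/passwd}" | while read -r user; do
        out=$($GETPRPW -m lockout "$user" </dev/null 2>/dev/null) || continue
        decode_lockout "$out" 2>/dev/null | while read -r line; do
            echo "$user: $line"
        done
    done
}

# Run the report only where the trusted-system tool is actually present.
if [ -x "$GETPRPW" ]; then
    report_locked
fi
```

A line ending in `4 exceeded unsuccessful login attempts` is the case the original question asks about; the other positions distinguish expiry, inactivity and administrative locks.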
Manix
Honored Contributor

Re: Security Audits-Account Locked Excessive Failed Logins

Thanks John!! If this one is resolved, let's close this thread :-))
HP-UX been always lovable - Mani Kalra
johnnymac_1
Advisor

Re: Security Audits-Account Locked Excessive Failed Logins

Thanks to all those who assisted. It worked great.