
Re: User Locked Out Log

 
Dummy_Guy
Advisor

User Locked Out Log

Hi all,
I am using HP-UX 11.0. For auditing purposes, I would really like to find out how often each user exceeds the login attempts (i.e. is locked out). Is there any log available? Or is there any way we can capture the information using scripts?
Steven E. Protter
Exalted Contributor

Re: User Locked Out Log

passwd -sa

That might show locked users.

A script that reads /var/adm/btmp will get you a list of users that have failed login too many times.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
saju_2
Respected Contributor

Re: User Locked Out Log

Hi John,

There are mainly 3 files which contain the login information.

/etc/utmp -- contains a record of all users logged onto the system

/var/adm/btmp -- contains bad login entries for each invalid logon attempt

/var/adm/wtmp -- contains a record of all logins and logouts

Also, from /var/adm/syslog/syslog you can get information on the users logged in to the server or on failed logon attempts.


Regards
CS
Dummy_Guy
Advisor

Re: User Locked Out Log

I know what utmp, btmp and wtmp are.

My real problem is, I can't tell how many times a user has been locked in a month. I can capture how many bad passwords were entered during the month but I can't tell how many times they have been locked out.

passwd -sa can tell me which users are currently locked out but can't tell me from a history point of view.

I need to know so I can tell whether an intruder was attempting to log in.
Adisuria Wangsadinata_1
Honored Contributor

Re: User Locked Out Log

Hi,

Actually, you can get the information that you want by combining both sources of information (from 'utmp, btmp and wtmp' and 'passwd -sa').

From here, at least you will find the trend of which user 'always' forgets his/her password.

Because the difference between 'the intruder was attempting to login' and 'the user that always forgot about their password' is very small. But you can prevent this by looking at the facts; one of them is by looking at the trend.

Hope this information can help you.

Cheers,
AW
now working, next not working ... that's unix
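
One way to turn the btmp and wtmp data discussed in this thread into a per-month lockout history, as an added example that is not code from any poster: the function estimates a lockout each time a user reaches a retry limit of consecutive failures with no successful login in between. It assumes the records have already been normalized to the constructed form `YYYY-MM-DD HH:MM user FAIL|OK` (FAIL rows from btmp, OK rows from wtmp) and sorted by time; the names `count_lockouts` and `sample_records`, the retry limit of 3 and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: estimate lockout events per user per month.
# Input on stdin, sorted by time, one record per line (constructed format):
#   YYYY-MM-DD HH:MM user FAIL|OK
# FAIL = bad login (btmp), OK = successful login (wtmp).
# $1 is the retry limit; 3 is an assumed default, use your system's value.

count_lockouts() {
    max_tries=${1:-3}
    awk -v max="$max_tries" '
        $4 == "OK" {                    # a good login means the account is usable again
            fails[$3] = 0; locked[$3] = 0; next
        }
        $4 == "FAIL" {
            if (locked[$3]) next        # still locked: do not count the same lockout twice
            if (++fails[$3] >= max) {   # limit reached: record one lockout event
                events[substr($1, 1, 7) " " $3]++
                locked[$3] = 1; fails[$3] = 0
            }
        }
        END { for (k in events) print k, events[k] }   # month user count
    ' | sort
}

# Constructed sample records, not taken from a real system.
sample_records() {
cat <<'EOF'
2024-03-01 09:00 alice FAIL
2024-03-01 09:01 alice OK
2024-03-04 02:10 bob FAIL
2024-03-04 02:10 bob FAIL
2024-03-04 02:11 bob FAIL
2024-03-04 02:11 bob FAIL
2024-03-05 08:30 bob OK
2024-03-20 02:05 bob FAIL
2024-03-20 02:05 bob FAIL
2024-03-20 02:06 bob FAIL
2024-04-02 10:00 alice FAIL
2024-04-02 10:01 alice FAIL
2024-04-02 10:02 alice FAIL
EOF
}

# Usage: sample_records | count_lockouts 3
```

The count is an estimate: an administrator unlocking an account without a following successful login is not visible in these records, so a repeat lockout in that window is missed.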