Re: [Fed-Talk] Auditing using Common Criteria
- Subject: Re: [Fed-Talk] Auditing using Common Criteria
- From: Todd Heberlein <email@hidden>
- Date: Mon, 24 Sep 2007 17:08:11 -0700
On Sep 17, 2007, at 11:32 AM, EXT-Traynor, Paul I wrote:
We have verified that account lockout occurs as configured, but there is no audit record of it that we can find.
I have confirmed this is the case (at least when attempting to log in from the console). I am auditing with
flags:all
naflags:all
and I can account for every audit record. No audit record is
generated when maxFailedLoginAttempts is exceeded.
In fact, all subsequent login attempts generated by the locked-out
user generate no audit records. Apparently the login process knows
that the user has been locked out and doesn't even attempt to perform
the authentication. These post-maxFailedLoginAttempts rejections fail
silently as far as the audit trail is concerned.
If you want, I can probably write a simple command-line application
that can count the number of consecutive failed login attempts and
simply generate an alert when the count exceeds some user-supplied
threshold.
Todd
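A sketch of the counter Todd offers at the end of the message, added here as an example rather than code from the list or its author: it walks praudit-style text records, keeps a per-user run of consecutive failed authentications, and alerts when the run reaches the configured threshold, since the lockout itself and every rejection after it leave nothing in the trail. The comma-separated praudit layout, the event name "user authentication" and the use of the subject field for the user name are assumptions.

```python
"""Alert on consecutive failed logins, parsed from praudit-style text output."""
from collections import defaultdict

# Constructed sample trail, loosely modelled on praudit's comma-separated text
# output (one record from header to trailer). The event name and the field
# that carries the user name are assumptions, not taken from the message.
SAMPLE_TRAIL = """\
header,120,11,user authentication,0,Mon Sep 24 17:00:01 2007, + 10 msec
subject,-1,paul,staff,paul,staff,501,100000,0,0.0.0.0
return,failure : Operation not permitted,1
trailer,120
header,120,11,user authentication,0,Mon Sep 24 17:00:05 2007, + 12 msec
subject,-1,paul,staff,paul,staff,501,100000,0,0.0.0.0
return,failure : Operation not permitted,1
trailer,120
header,120,11,user authentication,0,Mon Sep 24 17:00:09 2007, + 14 msec
subject,-1,paul,staff,paul,staff,501,100000,0,0.0.0.0
return,failure : Operation not permitted,1
trailer,120
"""

def parse_auth_records(text):
    """Yield (user, succeeded) for each authentication record in the trail."""
    event = user = status = None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "header" and len(f) > 3:
            event, user, status = f[3], None, None  # a new record begins
        elif f[0] == "subject" and len(f) > 2:
            user = f[2]                              # assumed user-name field
        elif f[0] == "return" and len(f) > 1:
            status = f[1].startswith("success")
        elif f[0] == "trailer" and "authentication" in (event or "") \
                and user is not None and status is not None:
            yield user, status

def consecutive_failures(text, threshold):
    """Return ({user: run of failures}, [users that hit threshold]); the alert
    fires on the threshold-th failure, since lockout leaves no later records."""
    runs, alerts = defaultdict(int), []
    for user, ok in parse_auth_records(text):
        runs[user] = 0 if ok else runs[user] + 1    # a success resets the run
        if not ok and runs[user] == threshold:
            alerts.append(user)
    return dict(runs), alerts

if __name__ == "__main__":
    runs, hits = consecutive_failures(SAMPLE_TRAIL, threshold=3)
    for user in hits:
        print(f"ALERT: {user} reached {runs[user]} consecutive failed logins")
```

On a live system the input would be `praudit` output of the current trail rather than the constructed sample; the threshold should match the configured maxFailedLoginAttempts so the alert fires on the very failure that triggers the silent lockout.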