Password Attempt Event
Valid on UNIX
capamsc141
Valid on UNIX
Password attempt events describe an attempt by an accessor to log in with an incorrect password.
Audit records in this event have the following format:
Date Time Status Event UserName Details Reason Terminal Program AuditFlags
- DateIdentifies the date that the event occurred.Format:DD MMM YYYYNote:Privileged Access ManagerEndpoint Management formats the date display according to your computer settings.
- TimeIdentifies the time that the event occurred.Format:HH:MM:SSNote:Privileged Access ManagerEndpoint Management formats the time display according to your computer settings.
- StatusIndicates an incorrect password attempt.Value:A (Password attempt)
- EventIdentifies the type of event this record belongs to.Note:Privileged Access ManagerEndpoint Management refers to this field simply asEvent.
- UserNameIdentifies the name of the accessor that performed the action that triggered this event.
- DetailsIndicates at which stagePrivileged Access Managerdecided what action to take for this event.Note:The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or inPrivileged Access ManagerEndpoint Management, the audit record displays the message that is associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
- ReasonIndicates the reason thatPrivileged Access Managerwrote an audit record.Note:This field does not display in a detailed seaudit output or inPrivileged Access ManagerEndpoint Management. The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
- TerminalIdentifies the name of the terminal that the accessor used to connect to the host.
- ProgramIdentifies the name of the program that triggered the event.
- AuditFlagsIndicates whether the accessor is internal (Privileged Access Managerdatabase user) or an enterprise user.Note:If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Password Attempt Event Message
The following audit record was taken from a detailed seaudit output.
13 Jan YYYY 16:21:12 A LOGIN admin 17 8 localhost.localdomain loginEvent: Password attemptStatus: Password attemptUserName: adminTerminal: localhost.localdomainDate: 13 Jan YYYYTime: 16:21Program: loginDetails: Attempt rejected by the native environmentUser Logon Session ID: 525f8d59:0000010aAuditFlags: AC database user
This audit record indicates that on January 13, YYYY, the user admin attempted to change the account password. The attempt was rejected by the native environment because of a login failure (authorization stage code 17 attempt rejected by the native environment). The pam _seos module logged this event (reason code 8 pam support UNIX failed login).