On Fri, 25 Mar 2005, Jason Pepas wrote:
2) LOG_ALERT. According to syslog(2):
#define KERN_ALERT "<1>" /* action must be taken immediately */
I would posit that a client attempting to authenticate with a non-existing username does not meet this criteria. In my opinion an argument can be made that this is not even an error condition, and thus should be at level LOG_WARNING or below.
I think this should be configurable, based on end user preference to prioritize and respond to such events. In a high security environment, this could indicate a user, malicious or otherwise, going where they shouldn't be. How you report this to your log management / analysis tools is completely dependent on your security stance and reaction requirements.
- billn
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
