Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Meta
Q&A
Posts Tags Edits
Ask Question

Post History

66%
+2 −0
Q&A What does the "Valid" column mean in the output of "faillock"?

A good explanation is given on the RedHat Customer Portal. TL/DR: The Valid field indicates whether a record counts toward the lockout threshold (V) or not (I). The key seems to be the meaning of ...

posted 1y ago by AdminBee‭  ·  edited 1y ago by AdminBee‭

Answer
#7: Post edited by user avatar AdminBee‭ · 2023-08-03T08:53:53Z (over 1 year ago)
Explain column values
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920). TL/DR: The `Valid` field indicates whether a record counts toward the lockout threshold or not.
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_.
  • However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval` (i.e. older than `fail_interval` seconds from "now"). **These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.**[]()
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval` (or if the `unlock_time` has passed since the last lock); instead, the `TALLY_STATUS_VALID` flag is removed from such a record, which would cause it to be labelled `I` [in the output](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/main.c#L178).
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920). TL/DR: The `Valid` field indicates whether a record counts toward the lockout threshold (`V`) or not (`I`).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_.
  • However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval` (i.e. older than `fail_interval` seconds from "now"). **These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.**[]()
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval` (or if the `unlock_time` has passed since the last lock); instead, the `TALLY_STATUS_VALID` flag is removed from such a record, which would cause it to be labelled `I` [in the output](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/main.c#L178) instead of `V`.
#6: Post edited by user avatar AdminBee‭ · 2023-08-03T08:45:19Z (over 1 year ago)
Add TL/DR
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_.
  • However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval` (i.e. older than `fail_interval` seconds from "now"). These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval` (or if the `unlock_time` has passed since the last lock); instead, the `TALLY_STATUS_VALID` flag is removed from such a record, which would cause it to be labelled `I` [in the output](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/main.c#L178).
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920). TL/DR: The `Valid` field indicates whether a record counts toward the lockout threshold or not.
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_.
  • However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval` (i.e. older than `fail_interval` seconds from "now"). **These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.**[]()
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval` (or if the `unlock_time` has passed since the last lock); instead, the `TALLY_STATUS_VALID` flag is removed from such a record, which would cause it to be labelled `I` [in the output](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/main.c#L178).
#5: Post edited by user avatar AdminBee‭ · 2023-08-03T08:16:06Z (over 1 year ago)
Improve explanation and link to code fragment that controls the output
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_. However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval`. These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval`; instead, the `TALLY_STATUS_VALID` flag is removed from such a record.
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_.
  • However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval` (i.e. older than `fail_interval` seconds from "now"). These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval` (or if the `unlock_time` has passed since the last lock); instead, the `TALLY_STATUS_VALID` flag is removed from such a record, which would cause it to be labelled `I` [in the output](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/main.c#L178).
#4: Post edited by user avatar AdminBee‭ · 2023-08-03T08:00:18Z (over 1 year ago)
Fix indentation
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the time specified in `fail_interval`_. However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval`. These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval`; instead, the `TALLY_STATUS_VALID` flag is removed from such a record.
  • A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).
  • The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
  • > `deny=n`
  • >
  • > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds `n`. The default is 3.
  • > `fail_interval=n`
  • >
  • > The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).
  • So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the `fail_interval`_. However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval`. These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.
  • This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
  • ```lang-C
  • if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
  • opts->now - tallies->records[i].time >= opts->fail_interval ) {
  • tallies->records[i].status &= ~TALLY_STATUS_VALID;
  • } else {
  • ++failures;
  • }
  • ```
  • So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval`; instead, the `TALLY_STATUS_VALID` flag is removed from such a record.
#3: History hidden by user avatar AdminBee‭ · 2023-08-03T07:57:11Z (over 1 year ago)
Detailed history before this event is hidden because of a redaction. 
A good explanation is given on the [RedHat Customer Portal](https://access.redhat.com/solutions/6962920).

The key seems to be the meaning of the `fail_interval` configuration setting. From the manpage of `faillock.conf`:
> `deny=n`
>
>   Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n. The default is 3.

> `fail_interval=n`
>
> The length of the interval during which the consecutive authentication failures must happen for the user account lock out is `n` seconds. The default is 900 (15 minutes).

So, `pam_faillock` will only lock out a user if a number of `deny` failed attempts were tried _within the time specified in `fail_interval`_. However, the "fail" history displayed by `faillock` may reach further back in time, and show attempts that fall outside of the current `fail_interval`. These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of `pam_faillock`.

This is not well documented, but can be inferred from the [source code of `pam_faillock.c`](https://github.com/briantward/pam-redhat/blob/master/pam_faillock/pam_faillock.c#L359)
```lang-C
if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
   opts->now - tallies->records[i].time >= opts->fail_interval ) {
       tallies->records[i].status &= ~TALLY_STATUS_VALID;
   } else {
   ++failures;
}
```
So, a record in the tally file does not count towards the threshold if the `time` attribute of the entry is further away from `now` than the `fail_interval`; instead, the `TALLY_STATUS_VALID` flag is removed from such a record.
#2: Post edited by user avatar AdminBee‭ · 2023-08-03T07:57:11Z (over 1 year ago)
Amend original explanation

The detailed changes of this event are hidden because of a redaction.

#1: Initial revision by user avatar AdminBee‭ · 2023-08-03T07:54:36Z (over 1 year ago)

The detailed changes of this event are hidden because of a redaction.