AIX service account - how to find who is locking it

2

I have a non-expiring service account on an AIX server. I use the account to connect to my database.

Every couple of weeks some user or task tries to connect to the account with the wrong password, and the account gets locked. This causes me days of delay to get the account unlocked again.

I've asked all the people who seem likely to be connecting but they all say it's not them. The AIX sysadmins tell me they can't track who is trying to connect. It is someone within our internal network.

Is there any way on AIX of tracking who is attempting the connection? Perhaps a log of IP addresses attempting connection?

Payson

Posted 2016-03-08T04:46:10.387

Reputation: 21

All the people who are most likely to be locking the account deny that they or their programs are doing it. Yes, one of them is wrong, but I don't know who. – Payson – 2016-03-29T00:11:18.133

OK -- I've edited that into the question. – David Richerby – 2016-03-29T01:03:15.373

Answers

0

Basically, from an administrative point of view, all apps and DB teams should have their own monitoring script, which should do the trick to monitor the commands run by individuals and the time of login.

I am an AIX administrator myself. When this same situation comes to any apps team with their common app account, they come to us and ask who has locked it. Answer: there is no straight answer for this from me, but a kind of predictive answer. (Maybe this is the reason why this is still unanswered.) I used to check all unsuccessful/failed login attempts made to that account, as the users would first log in to that host with their own account and then sudo to that app account. Then I would check which members of that app account were logged into that server at that instant. I would give the user IDs of those users to the person who had asked for this.

Note: AIX administrators usually check the entries of /var/adm/wtmp and /etc/security/failedlogin to get an idea of who logged in to a server and at what time, and who registered a failed login.

Hope this helps a bit.

A_G

Posted 2016-03-08T04:46:10.387

Reputation: 1

0

It's right in /var/adm/syslog by default, and looks like this:

Dec 13 18:43:33 moscow auth|security:info sshd[14483679]: Failed password for myservacct from 192.168.0.12 port 59148 ssh2
Dec 13 18:43:38 moscow auth|security:info syslog: ssh: failed login attempt for myservacct from 192.168.0.12

A simple grep will collect the failed attempts, e.g.

> tail -1000 /var/adm/syslog | grep -i 'failed.*myservacct'

If there's no such info, check whether your /etc/syslog.conf has been set to write auth.info to your log file.

chingNotCHing

Posted 2016-03-08T04:46:10.387

Reputation: 876
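The grep above tells you that failures happened; the next question the asker has is where they come from. The script below is an added example, not code from either answer: it takes syslog lines in the two formats quoted above on stdin, keeps only the failed attempts for the named account, and tallies them by the address after `from`, most frequent source first. The sample lines are constructed for the example (the `10.1.2.3`, `192.168.0.50` and `otheruser` entries are invented; only the first two mirror the answer), and `myservacct` and `/var/adm/syslog` are placeholders for the real account and log path.

```shell
#!/bin/sh
# Added example (not from the original answers): tally failed-password
# attempts for a service account by source IP from AIX syslog-style lines.
# Assumption: the log uses the sshd line ("Failed password for USER from IP
# port N ssh2") and/or the syslog line ("failed login attempt for USER from IP")
# quoted in the answer. Account name and log path are placeholders.

# Constructed sample log lines modelled on the answer's two formats.
SAMPLE_LOG='Dec 13 18:43:33 moscow auth|security:info sshd[14483679]: Failed password for myservacct from 192.168.0.12 port 59148 ssh2
Dec 13 18:43:38 moscow auth|security:info syslog: ssh: failed login attempt for myservacct from 192.168.0.12
Dec 13 19:01:02 moscow auth|security:info sshd[14483700]: Failed password for myservacct from 10.1.2.3 port 40001 ssh2
Dec 13 19:01:04 moscow auth|security:info sshd[14483700]: Failed password for myservacct from 10.1.2.3 port 40001 ssh2
Dec 13 19:01:09 moscow auth|security:info syslog: ssh: failed login attempt for myservacct from 10.1.2.3
Dec 13 19:05:00 moscow auth|security:info sshd[14483800]: Accepted password for myservacct from 192.168.0.50 port 50000 ssh2
Dec 13 19:06:00 moscow auth|security:info sshd[14483900]: Failed password for otheruser from 10.9.9.9 port 1234 ssh2'

# failed_by_source ACCOUNT
# Reads log lines on stdin and prints "count ip" lines, most frequent
# source first. Successful logins and other accounts are ignored; the
# source is taken as the word following "from" on a matching line.
failed_by_source() {
    acct="$1"
    grep -i "failed .*for $acct from" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++ }
           END { for (ip in c) printf "%d %s\n", c[ip], ip }' \
    | sort -rn
}

# top_failed_source ACCOUNT
# The single address responsible for the most failed attempts (empty if none).
top_failed_source() {
    failed_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_by_source myservacct
# On a real host the same function reads the live log:
#   tail -1000 /var/adm/syslog | failed_by_source myservacct
```

On the sample this prints `3 10.1.2.3` and then `2 192.168.0.12`; the address at the top is the host to check first, and the `sshd[pid]` entries on those lines give the timestamps to compare against cron schedules or job logs on that host. For the sources named in the first answer, AIX's `who` command accepts `/etc/security/failedlogin` as an argument and prints the failed-login records directly, so no parsing is needed there.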