All of the following events provide valuable information about the users on your system. The bad_auth event records all attempts to login that fail because of an invalid password or login name. A high number of such failures may indicate that someone who does not know a valid login name or password is trying to log in. It is especially important to audit this event if you have dial-up terminal ports on your system. If you choose to audit the bad_auth, event, it must be set in the system-wide event mask, not in a specific user event mask. The event records failed login attempts, and a user event mask takes effect only once a user has successfully logged on.
User authentication events
| Event | Description | Manual page | Object audit |
|---|---|---|---|
| bad_auth | bad login name/password | login(1) | N |
| bad_lvl | bad login level | login(1) | N |
| cron | cron job | cron(ADM) | N |
| def_lvl | change a user's default level | login(1) | N |
| login | use a login schema | login(1) | N |
| logoff | terminate a login session | NA | N |
| passwd | change password | passwd(1) | N |