The intrusion database is a database of login failures kept by the Security Server process.
After one failed login attempt, the user becomes a "Suspect": the system begins to monitor the terminal, terminal server connection, or network connection where the login is taking place (whether failures from terminal class logins are counted by terminal is controlled by LGI_BRK_TERM). As failures continue, the operating system not only records failures but takes restrictive measures. The person attempting login is monitored more closely and limited to a certain number of login retries within a limited period of time. Once a person exceeds either the retry or time limitation, he or she cannot log in for a while, even with a valid user name and password. At a later point, the restriction eases, and login is allowed once again.
The suspect status is given to the user, terminal, terminal server connection, or network connection after one incorrect login attempt. It is maintained for LGI_BRK_TMO (five minutes by default). If during that time another login attempt is failed, the monitoring period is increased by the value of LGI_BRK_TMO. If during the monitoring period the maximum number of attempts LGI_BRK_LIM (five by default) is exceeded, the status is changed to "Intruder".
The user, terminal, terminal server connection, or network connection with the Intruder status is denied login during a time period equal to the value of LGI_HID_TIM (five minutes by default) multiplied by a random value between 1 and 1.5. If LGI_BRK_DISUSER is set to 1, the DISUSER flag is set on the account so all subsequent login attempts are prevented.
Managing the Intrusion Database
You can view the intrusion database with the SHOW INTRUSION command. This requires Security privilege. You can delete intrusion records with DELETE/INTRUSION_RECORD.