Re: systemd 238 and sysusers

On Tue, 6 Mar 2018 16:31:29 +0000
Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:

> > > > > How does this interact with useradd and groupadd? Does this
> > > > > replace them? And if so, does this send the required audit
> > > > > events?    
> > > >
> > > > It's a very simple tool to create system users and groups
> > > > in /etc/passwd. It just creates entries
> > > > in /etc/{passwd,group,shadow}, and does not interact with audit
> > > > in any way afaik.   
> > > 
> > > Is there some guideline that requires an audit log message to
> > > occur whenever a user is added to a system?  
> > 
> > Yes. Absolutely. Even if that user is a system account.
> >   
> > > We can't necessarily know on every end-user system when a user is
> > > added by a central authority like FreeIPA, for example.  
> > 
> > That also has to be audited.
> >   
> > > Even if we only limit it to dealing with /etc/passwd and friends,
> > > there are still plenty of ways for this file to be modified that
> > > wouldn't cause it to trigger an audit event unless we added a
> > > service to monitor with inotify or similar.  
> > 
> > True. And we do include rules to catch these occurrences. But this
> > is not the preferred way because it does not give us the full
> > information that is required. If we know that we are adding user
> > accounts, we need to maintain the information for the whole
> > lifecycle. If FreeIPA adds an account, it gets used and trips some
> > audit events, then gets removed, we need the history of when it was
> > added and when it was removed and by who.  
> 
> I assume that there is some standardized log message to be emitted in
> this case? If this is documented somewhere, we could add that, although
> it'd probably be easier if somebody who knows audit submitted a pull
> request. The sysusers code is at
> https://github.com/systemd/systemd/blob/master/src/sysusers/sysusers.c#L1205.

It will take me a couple of days to get to this, but it's simple enough
that I can just add the events. The trick is that they must match exactly
the same format that shadow-utils sends. (I also wrote the patch for
shadow-utils.)

Thanks,
-Steve
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
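The thread turns on two points: an account lifecycle event has to carry the account, the actor and the outcome, and a file-watch rule on /etc/passwd gives you none of that. As an added example (not systemd, shadow-utils or libaudit code), the Python below parses constructed audit records in the shape libaudit's audit_log_acct_message(), the call shadow-utils wraps, produces for useradd/groupadd/userdel, and rebuilds the per-account history the thread asks for: when it was added, when it was removed, by whom (auid) and with what result. The ids 990/991, the auids, timestamps and op strings are assumptions for illustration; a SYSCALL record tagged key="identity" stands in for a watch-rule hit and shows why such records are skipped, as they name the file, not the account.

```python
"""Rebuild account lifecycles from ADD_USER/DEL_USER/ADD_GROUP/DEL_GROUP audit records."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

# Constructed sample records, not captured from a real host. Outer fields
# (pid/uid/auid/ses) come from the kernel; the msg='...' body is what the
# user-space tool passes to libaudit. The SYSCALL line mimics what a
# "-w /etc/passwd -p wa -k identity" watch rule yields (abbreviated).
SAMPLE_LOG = """\
type=ADD_GROUP msg=audit(1520354400.101:201): pid=2001 uid=0 auid=1000 ses=3 msg='op=adding group to /etc/group id=990 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1520354400.105:202): pid=2002 uid=0 auid=1000 ses=3 msg='op=adding user id=990 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1520354400.106:203): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1900 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=DEL_USER msg=audit(1520441000.500:310): pid=2300 uid=0 auid=1000 ses=7 msg='op=deleting user entries id=990 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1520441100.000:311): pid=2301 uid=0 auid=1001 ses=8 msg='op=adding user id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/2 res=failed'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; values may be "double quoted", 'single quoted' or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# The op value is unquoted and may contain spaces, so it is delimited by the
# id= (numeric) or acct= (name) field that follows it.
INNER_RE = re.compile(
    r'op=(?P<op>.*?) (?:id=(?P<id>\d+)|acct=(?P<acct>"[^"]*"|\S+)) (?P<rest>.*)$')

LIFECYCLE = {
    "ADD_USER": ("user", "added"),
    "DEL_USER": ("user", "deleted"),
    "ADD_GROUP": ("group", "added"),
    "DEL_GROUP": ("group", "deleted"),
}

Event = namedtuple("Event", "time action actor_auid tool op result serial")


def unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_record(line):
    """Split one record into outer fields plus the decoded inner msg=, or None."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    outer = {k: unquote(v) for k, v in KV_RE.findall(m["body"])}
    inner = {}
    inner_m = INNER_RE.match(outer.get("msg", ""))
    if inner_m:
        inner = {k: unquote(v) for k, v in KV_RE.findall(inner_m["rest"])}
        inner["op"] = inner_m["op"]
        inner["id"] = inner_m["id"]
        inner["acct"] = unquote(inner_m["acct"]) if inner_m["acct"] else None
    return {"type": m["type"], "serial": int(m["serial"]),
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            **outer, "inner": inner}


def account_history(log_text):
    """Group lifecycle events per (kind, id-or-name), ordered by audit serial."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] not in LIFECYCLE or not rec["inner"]:
            continue  # watch-rule SYSCALL/PATH records carry no account to attribute
        kind, action = LIFECYCLE[rec["type"]]
        key = (kind, rec["inner"]["id"] or rec["inner"]["acct"])
        history[key].append(Event(rec["time"], action, int(rec["auid"]),
                                  rec["inner"].get("exe"), rec["inner"]["op"],
                                  rec["inner"].get("res"), rec["serial"]))
    for events in history.values():
        events.sort(key=lambda e: e.serial)
    return dict(history)


def live_accounts(history):
    """Accounts whose most recent successful lifecycle action was an add."""
    live = set()
    for key, events in history.items():
        ok = [e for e in events if e.result == "success"]
        if ok and ok[-1].action == "added":
            live.add(key)
    return live


if __name__ == "__main__":
    hist = account_history(SAMPLE_LOG)
    for key, events in sorted(hist.items()):
        for e in events:
            print(f"{key[0]} {key[1]}: {e.action} by auid={e.actor_auid} via {e.tool} "
                  f"at {e.time:%Y-%m-%d %H:%M:%S}Z ({e.result})")
    print("still present:", sorted(live_accounts(hist)))
```

Run it with any Python 3; on a real system the same parser can be fed the output of `ausearch -m ADD_USER,DEL_USER,ADD_GROUP,DEL_GROUP --raw`. The point the thread makes is visible in the filter: the watch-rule record for the /etc/passwd write is dropped because it has nothing to key a lifecycle on, while the acct-message records attribute every add and delete to an auid and a result.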