On Tue, 6 Mar 2018 16:31:29 +0000 Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote: > > > > > How does this interact with useradd and groupadd? Does this > > > > > replace them? And if so, does this send the required audit > > > > > events? > > > > > > > > It's a very simple tool to create system users and group > > > > in /etc/passwd. It just creates entries > > > > in /etc/{passwd,group,shadow}, and does not interact with audit > > > > in any way afaik. > > > > > > Is there some guideline that requires an audit log message to > > > occur whenever a user is added to a system? > > > > Yes. Absolutely. Even if that user is a system account. > > > > > We can't necessarily know on every end-user system when a user is > > > added by a central authority like FreeIPA, for example. > > > > That also has to be audited. > > > > > Even if we only limit it to dealing with /etc/passwd and friends, > > > there are still plenty of ways for this file to be modified that > > > wouldn't cause it to trigger an audit event unless we added a > > > service to monitor with inotify or similar. > > > > True. And we do include rules to catch these occurrences. But this > > not the preferred way because it does not give us the full > > information that is required. If we know that we are adding user > > accounts, we need to maintain the information for the whole > > lifecycle. If FreeIPA adds an account, it gets used and trips some > > audit events, then gets removed, we need the history of when it was > > added and when it was removed and by who. > > I assume that there some standarized log message to be emitted in this > case? If this is documented somewhere, we could add that, although > it'd probably be easier if somebody who knows audit submitted a pull > request. The sysusers code is at > https://github.com/systemd/systemd/blob/master/src/sysusers/sysusers.c#L1205. It will take me a couple days to get to this, but its simple enough I can just add the events. This trick is that they must match exactly the same format that shadow-utils sends. (I also wrote the patch for shadow-utils.) Thanks, -Steve _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx