On Wed, Mar 07, 2018 at 01:07:15PM +0100, Steve Grubb wrote:
> On Tue, 6 Mar 2018 16:31:29 +0000
> Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>
> > > > > > > How does this interact with useradd and groupadd? Does this
> > > > > > > replace them? And if so, does this send the required audit
> > > > > > > events?
> > > > > >
> > > > > > It's a very simple tool to create system users and groups
> > > > > > in /etc/passwd. It just creates entries
> > > > > > in /etc/{passwd,group,shadow}, and does not interact with audit
> > > > > > in any way afaik.
> > > > >
> > > > > Is there some guideline that requires an audit log message to
> > > > > occur whenever a user is added to a system?
> > > >
> > > > Yes. Absolutely. Even if that user is a system account.
> > > >
> > > > > We can't necessarily know on every end-user system when a user is
> > > > > added by a central authority like FreeIPA, for example.
> > > >
> > > > That also has to be audited.
> > > >
> > > > > Even if we only limit it to dealing with /etc/passwd and friends,
> > > > > there are still plenty of ways for this file to be modified that
> > > > > wouldn't cause it to trigger an audit event unless we added a
> > > > > service to monitor with inotify or similar.
> > > >
> > > > True. And we do include rules to catch these occurrences. But this
> > > > is not the preferred way because it does not give us the full
> > > > information that is required. If we know that we are adding user
> > > > accounts, we need to maintain the information for the whole
> > > > lifecycle. If FreeIPA adds an account, it gets used and trips some
> > > > audit events, then gets removed, we need the history of when it was
> > > > added and when it was removed and by whom.
> >
> > I assume that there is some standardized log message to be emitted in
> > this case? If this is documented somewhere, we could add that, although
> > it'd probably be easier if somebody who knows audit submitted a pull
> > request.
> > The sysusers code is at
> > https://github.com/systemd/systemd/blob/master/src/sysusers/sysusers.c#L1205.
>
> It will take me a couple days to get to this, but it's simple enough I
> can just add the events. The trick is that they must match exactly
> the same format that shadow-utils sends. (I also wrote the patch for
> shadow-utils.)

Cool, thanks!

Zbyszek
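For readers of the thread who want to see what "the same format that shadow-utils sends" means on the wire, here is an added example; it is not code from this thread, from systemd or from shadow-utils. It builds the account-lifecycle record in the field order libaudit's audit_log_acct_message() uses (the call useradd/groupadd make), frames it as a NETLINK_AUDIT user message the way libaudit's audit_send() does, and only then hands it to the kernel. The record types come from <linux/audit.h>. The op strings ("adding user", "adding group") and the exe path are assumptions chosen for the sample; the op text in particular has to be copied from the shadow-utils release you must match, which is exactly Steve's point. Sending requires CAP_AUDIT_WRITE, so the formatting and framing are separate functions that run unprivileged.

```python
import os
import socket
import struct

# Record types from <linux/audit.h>; these are the ones shadow-utils emits
# for account lifecycle (useradd/userdel/groupadd/groupdel).
AUDIT_ADD_USER = 1130
AUDIT_DEL_USER = 1131
AUDIT_ADD_GROUP = 1132
AUDIT_DEL_GROUP = 1133

NETLINK_AUDIT = 9          # <linux/netlink.h>
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_HDRLEN = 16          # sizeof(struct nlmsghdr), already 4-byte aligned


def encode_field(value: str) -> str:
    """Mirror libaudit's field encoding: plain printable ASCII without a
    double quote is emitted double-quoted; anything else (spaces, quotes,
    control or non-ASCII bytes) becomes uppercase hex with no quotes, so a
    hostile account name cannot split or forge fields in the record."""
    raw = value.encode()
    if any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw):
        return raw.hex().upper()
    return '"%s"' % value


def format_acct_message(op, acct=None, uid=None, exe=None,
                        hostname=None, addr=None, terminal=None,
                        success=True) -> str:
    """Build the msg='...' payload in the order audit_log_acct_message()
    writes it. Either the account name or its numeric id is carried, never
    both. The kernel prefixes pid=/uid=/auid=/ses= and the type=ADD_USER
    header before auditd sees it."""
    if exe is None:
        # libaudit resolves the sender's own executable; assumed fallback.
        try:
            exe = os.readlink("/proc/self/exe")
        except OSError:
            exe = "?"
    if acct is not None:
        subject = "acct=%s" % encode_field(acct)
    elif uid is not None:
        subject = "id=%d" % uid
    else:
        raise ValueError("need an account name or a numeric id")
    return "op=%s %s exe=%s hostname=%s addr=%s terminal=%s res=%s" % (
        op, subject, encode_field(exe),
        hostname or "?", addr or "?", terminal or "?",
        "success" if success else "failed")


def build_netlink_message(msg_type: int, payload: bytes, seq: int) -> bytes:
    """Frame a user-space audit record the way libaudit's audit_send() does:
    struct nlmsghdr {u32 len; u16 type; u16 flags; u32 seq; u32 pid}
    followed by the NUL-terminated text, padded to a 4-byte boundary."""
    body = payload + b"\0"
    body += b"\0" * (-len(body) % 4)
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), msg_type,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body


def parse_netlink_header(frame: bytes):
    """Unpack the nlmsghdr of a framed record (len, type, flags, seq, pid)."""
    return struct.unpack("=IHHII", frame[:NLMSG_HDRLEN])


def send_acct_event(msg_type: int, payload: str, seq: int = 1) -> int:
    """Deliver the record to the kernel audit subsystem. Needs
    CAP_AUDIT_WRITE, so this is the one part that cannot run unprivileged."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    try:
        frame = build_netlink_message(msg_type, payload.encode(), seq)
        return sock.sendto(frame, (0, 0))   # nl_pid 0 = the kernel
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed sample: what a sysusers-style tool would emit for a new
    # system account. The op string is an assumption; copy the real one
    # from the shadow-utils version you have to match.
    msg = format_acct_message("adding user", acct="systemd-journal",
                              exe="/usr/bin/systemd-sysusers", terminal="?")
    print(msg)
    if os.geteuid() == 0:
        send_acct_event(AUDIT_ADD_USER, msg)
```

Run as root and the record shows up in `ausearch -m ADD_USER`; run it unprivileged and you only get the formatted text, which is enough to diff against what `useradd` produces on the same box.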