On Di, 27.06.23 12:04, Panu Matilainen (pmatilai@xxxxxxxxxx) wrote: > On 6/22/23 19:55, Steve Grubb wrote: > > > > https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format > > > > I would caution against this whole proposal. Not that I'm against it, but > > just saying be careful doing it. People often forget about our security > > concerns. Currently, shadow-utils has about 400 places which generate audit > > events during the managing of system and user accounts. libuser (I saw the > > deprecation email) has 55 places where it sends audit events managing > > accounts. > > > > There is a 10 year old (or more) standard published here: > > https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events > > > > If %pre getent, useradd, and groupadd are being replaced by something, that > > something needs to conform to the expected security safeguards that currently > > exist. It needs to match the kind of events and the format that currently > > exists. > > Looking at the systemd-sysusers source [1], it seems to do exactly zero > audit logging. So there's a bit of work to do on that front... last time I looked auditd is started later than systemd-sysusers. Hence not sure if sysusers would actually generate audit messages that auditd could pick them up. In general though: people who care about audit need to send us patches for this, if this matters to them. I don't think anyone in systemd upstream wil work on this on their own. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue