On Wednesday, June 28, 2023 10:15:48 AM EDT Lennart Poettering wrote: > On Di, 27.06.23 12:04, Panu Matilainen (pmatilai@xxxxxxxxxx) wrote: > > On 6/22/23 19:55, Steve Grubb wrote: > > > > https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format > > > > > > I would caution against this whole proposal. Not that I'm against it, > > > but just saying be careful doing it. People often forget about our > > > security concerns. Currently, shadow-utils has about 400 places which > > > generate audit events during the managing of system and user accounts. > > > libuser (I saw the deprecation email) has 55 places where it sends > > > audit events managing accounts. > > > > > > There is a 10 year old (or more) standard published here: > > > https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Accou > > > nt-Lifecycle-Events > > > > > > If %pre getent, useradd, and groupadd are being replaced by something, > > > that something needs to conform to the expected security safeguards > > > that currently exist. It needs to match the kind of events and the > > > format that currently exists. > > > > Looking at the systemd-sysusers source [1], it seems to do exactly zero > > audit logging. So there's a bit of work to do on that front... > > last time I looked auditd is started later than > systemd-sysusers. Hence not sure if sysusers would actually generate > audit messages that auditd could pick them up. When booted with audit=1, the kernel will look to audit_backlog_limit and hold that many event records until auditd can download them. The typical number people set is 8192. -Steve > In general though: people who care about audit need to send us patches > for this, if this matters to them. I don't think anyone in systemd > upstream wil work on this on their own. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
