On Friday, January 10, 2025 10:20:07 AM EST Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jan 02, 2025 at 01:08:38PM -0500, Steve Grubb wrote:
> > > * Verify that audit events exist for user and group creation:
> > >
> > > ausearch --start recent -i -m
> > > 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'
>
> I submitted https://github.com/systemd/systemd/pull/35957 to add audit
> log generation to systemd-sysusers. This should make systemd-sysusers
> match useradd/groupadd from shadow-utils wrt. to audit logs. Actually
> systemd-sysusers will probably not be used, since rpm rather calls
> /usr/lib/rpm/sysusers.sh, which uses useradd/groupadd. But it's probably
> a desirable change in any case, and it'll make things easier if we decide
> to use systemd-sysusers, either by default or as a fallback.
>
> I get something like this:
> $ sudo build/systemd-sysusers --inline 'u foo5'
> ...
> type=ADD_GROUP msg=audit(01/10/2025 16:03:15.451:3907) : pid=3846607
> uid=root auid=zbyszek ses=2 msg='op=adding group acct=foo5
> exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'
> type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) : pid=3846607
> uid=root auid=zbyszek ses=2 msg='op=adding user acct=foo5
> exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'
>
> As noted in the other messages in the thread, rpm packages generally
> do not remove users. systemd-sysusers has no functionality to remove
> users or groups. Thus we only care about additions.

Thanks. It just occurred to me that upstream shadow-utils has kinda broken
auditing. The way that audit events get parsed is looking for name=value
keyword pairs. Anything else gets thrown away. So, in cases of "op=adding
group", only "adding" is kept. The fix for this is to replace the space with
either a dash or underscore. Then the audit tools will see adding-group as
one word and keep it.
This little detail is important when testing with

ausearch --start recent -m ADD_USER --format text
ausearch --start recent -m ADD_USER --format csv

I see that f41 and rawhide are OK because of a patch Fedora is carrying. But
upstream shadow-utils has a problem. Would you mind adding a small patch on
top of your patch that adds a dash between words for the operation? Check it
with the format text option above. It should make sense as an English
sentence.

I'll have to figure out what to do with upstream shadow-utils. Unless other
distros apply Fedora's patch, they have a somewhat broken audit trail around
the user account lifecycle.

-Steve

--
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
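The truncation Steve describes, as an added Python example that is not part of the thread, of shadow-utils or of systemd: a simplified name=value tokenizer stands in for the audit tools' record parser (an approximation of their whitespace-split behaviour, not auparse itself), and is run over a constructed raw-format record modelled on the ADD_GROUP line quoted above, first with the upstream "op=adding group" wording and then with the dash-joined form the thread proposes. The record text, the numeric uid/auid and the timestamp are made up for the example; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record in raw audit-log layout, modelled on the ADD_GROUP
# record quoted in the thread. Timestamp, uid/auid and exe path are made up.
UPSTREAM_RECORD = (
    "type=ADD_GROUP msg=audit(1736521395.451:3907): pid=3846607 uid=0 auid=1000 ses=2 "
    "msg='op=adding group acct=\"foo5\" exe=\"/usr/bin/systemd-sysusers\" "
    "hostname=x1c addr=? terminal=pts/8 res=success'"
)

# The user-space payload is carried inside msg='...' at the end of the record.
_INNER_MSG = re.compile(r"msg='(.*)'\s*$")
# A multi-word op= value, ending where the next name= field (or the quote) starts.
_MULTIWORD_OP = re.compile(r"op=((?:\w+ )+\w+)(?= \w+=|'|$)")


def parse_record(record: str) -> Tuple[Dict[str, str], List[str]]:
    """Approximate the audit tools' field extraction: split on whitespace and keep
    only name=value tokens. Anything without '=' is not a field and is dropped.
    Returns (fields, dropped_tokens) so the loss is visible to the caller."""
    fields: Dict[str, str] = {}
    dropped: List[str] = []
    m = _INNER_MSG.search(record)
    # Tokenize the kernel header and the quoted user-space payload separately so
    # the outer msg='...' quotes are not glued onto the first/last inner value.
    segments = [record[: m.start()], m.group(1)] if m else [record]
    for segment in segments:
        for token in segment.split():
            name, sep, value = token.partition("=")
            if not sep:
                dropped.append(token)  # e.g. the stray "group" from "op=adding group"
                continue
            fields[name] = value.strip('"')  # simplified: only double quotes removed
    return fields, dropped


def join_operation_words(record: str) -> str:
    """The fix proposed in the thread: join a multi-word op= value with dashes so
    the tokenizer sees one token ("adding group" -> "adding-group")."""
    return _MULTIWORD_OP.sub(lambda m: "op=" + m.group(1).replace(" ", "-"), record)


def audit_op_check(record: str) -> Tuple[str, List[str]]:
    """Return the op value a log consumer would actually see, plus lost tokens."""
    fields, dropped = parse_record(record)
    return fields.get("op", ""), dropped


if __name__ == "__main__":
    for label, rec in (("upstream", UPSTREAM_RECORD),
                       ("dash-joined", join_operation_words(UPSTREAM_RECORD))):
        op, lost = audit_op_check(rec)
        print(f"{label:>12}: op={op!r} dropped={lost}")
```

Running the block prints `op='adding'` with `group` in the dropped list for the upstream wording and `op='adding-group'` with nothing dropped after the dash join, which is the difference the `--format text` check in the message is meant to surface. The tokenizer is deliberately minimal: real records may carry quoted or hex-encoded values that the audit tools decode, which this example does not attempt.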