On Mon, Jan 13, 2025 at 12:24 PM Panu Matilainen <pmatilai@xxxxxxxxxx> wrote:
On 1/10/25 5:20 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jan 02, 2025 at 01:08:38PM -0500, Steve Grubb wrote:
>> * Verify that audit events exist for user and group creation:
>> ausearch --start recent -i -m
>> 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'
>> * Remove the package and verify audit events exist for account and group
>> deletion (see above ausearch command).
>
> I submitted https://github.com/systemd/systemd/pull/35957 to add audit
> log generation to systemd-sysusers.
Awesome, thanks!
> This should make systemd-sysusers
> match useradd/groupadd from shadow-utils wrt. to audit logs. Actually
> systemd-sysusers will probably not be used, since rpm rather calls
> /usr/lib/rpm/sysusers.sh, which uses useradd/groupadd. But it's probably
> a desirable change in any case, and it'll make things easier if we decide
> to use systemd-sysusers, either by default or as a fallback.
Given the lack of upstream reponse in the shadow-utils ticket, this may
well be the easier route. Rpm upstream prefers the script just to avoid
a systemd dependency by default, but I see no reason to stick with the
script when the real systemd-sysusers is available. (assuming the audit
stuff is added there)
Which shadow-utils upstream ticket?
I've long wanted to get rid of the patch we have in Fedora for shadow audit, either by including it upstream or removing it altogether, but I'm afraid it may affect our user's systems. Maybe this FSWC will be the trigger for such a change.
- Panu -
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Iker Pedrosa
Senior Software Engineer, Identity Management team
Txapela (gorria) buruan eta ibili munduan
(Red) hat on his head and walk the world
| |
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
