On Fri, Jan 10, 2025 at 04:21:56PM -0500, Steve Grubb wrote:
> On Friday, January 10, 2025 10:20:07 AM EST Zbigniew Jędrzejewski-Szmek wrote:
> > https://github.com/systemd/systemd/pull/35957
>
> Thanks. It just occurred to me that upstream shadow-utils has kinda broken
> auditing. The way that audit events get parsed is looking for name=value
> keyword pairs. Anything else gets thrown away. So, in cases of "op=adding
> group", only "adding" is kept. The fix for this is to replace the space with
> either a dash or underscore. Then the audit tools will see adding-group as
> one word and keep it.
>
> This little detail is important when testing with
>
> ausearch --start recent -m ADD_USER --format text
> ausearch --start recent -m ADD_USER --format csv
>
> I see that f41 and rawhide are OK because of a patch fedora is carrying. But
> upstream shadow-utils has a problem.
>
> Would you mind adding a small patch on top of your patch that adds a dash
> between words for the operation? Check it with the format text option above.
> It should make sense as an English sentence. I'll have to figure out what to
> do with upstream shadow-utils. Unless other distros apply fedora's patch,
> they have a somewhat broken audit trail around the user account lifecycle.

I reworked the PR significantly based on the comments. PTAL again.

The log now is:

type=ADD_GROUP msg=audit(01/14/2025 11:40:36.144:6837) : pid=1206846 uid=root auid=zbyszek ses=2 msg='op=adding-group acct=foo6 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/10 res=success'
type=ADD_USER msg=audit(01/14/2025 11:40:36.145:6838) : pid=1206846 uid=root auid=zbyszek ses=2 msg='op=adding-user acct=foo6 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/10 res=success'

Zbyszek
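
Added example (not part of the thread, and not the audit tools' own code): a simplified Python model of the name=value parsing described in the quoted reply, showing which tokens of a `msg='...'` payload would be thrown away. The function names and the `BROKEN` payload are constructed for illustration; `RECORD` is the ADD_GROUP line from the log above.

```python
import re

# Assumption: a simplified model of the behaviour described in the thread
# (keep name=value tokens, discard everything else), not the real parser.
PAYLOAD_RE = re.compile(r"msg='([^']*)'")
FIELD_RE = re.compile(r"([A-Za-z0-9_-]+)=(\S*)")

def extract_payload(record):
    """Return the text inside the user-space msg='...' part of a record."""
    m = PAYLOAD_RE.search(record)
    return m.group(1) if m else ""

def parse_fields(payload):
    """Split on whitespace; keep name=value tokens, collect the rest."""
    fields, dropped = {}, []
    for token in payload.split():
        m = FIELD_RE.fullmatch(token)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            dropped.append(token)  # bare word: lost from the audit trail
    return fields, dropped

def lint_payload(payload):
    """Report the op value a name=value parser keeps and any lost tokens."""
    fields, dropped = parse_fields(payload)
    return {"op": fields.get("op"), "dropped": dropped, "ok": not dropped}

# ADD_GROUP record as shown in the message above
RECORD = ("type=ADD_GROUP msg=audit(01/14/2025 11:40:36.144:6837) : "
          "pid=1206846 uid=root auid=zbyszek ses=2 "
          "msg='op=adding-group acct=foo6 exe=systemd-sysusers "
          "hostname=x1c addr=? terminal=pts/10 res=success'")

# Constructed payload using the space-separated form described as broken
BROKEN = ("op=adding group acct=foo6 exe=systemd-sysusers "
          "hostname=x1c addr=? terminal=pts/10 res=success")

if __name__ == "__main__":
    print("broken:", lint_payload(BROKEN))
    print("fixed: ", lint_payload(extract_payload(RECORD)))
```

A check like `lint_payload` can run in a test suite over the strings a tool passes to the audit subsystem, so a bare word in `op=` is caught before it reaches `ausearch`.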