Hello,

On Tuesday, April 05, 2016 09:48:01 PM Blackwell, Joseph M wrote:
> I am working on scripting a report that can be run to filter and display the
> audits on a weekly basis, and I am having issues pulling specific events
> that indicate when users are added through the User Manager GUI (GNOME
> 2.28.2). I have the nispom.rules file running on kernel "2.6.32-220.el6.x86_64
> (RHEL 6.2)". The following are the only events that show up in the
> audit.log for this activity.
>
> type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
> ----
> type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
>
> These events are followed by other SYSCALL events showing root writing to
> shadow, gshadow, and passwd, but no indication of the actual account that
> was created/modified. Unless I am not configured correctly, this seems
> like a critical oversight. Perhaps I am missing something?
This is well known at least to anyone working in this area.

> I know that we can gather other events, such as when the useradd command is
> used, but there are many admins that prefer to use the GUI. I suppose I
> could copy the passwd file on a weekly basis and perform a diff, but it
> seems to me that this type of information should be baked in already,
> especially in cases where we are using indexers such as splunk.

No one has ever certified a Linux desktop under OSPP. Common Criteria is the
big hammer that causes things to get done. After doing a brief survey of GUI
user managers, none seem to use pam which means password policy is also
probably not enforced.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
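A compensating check for the gap the thread describes, added here as an example and not code from either poster: it pulls the userhelper PAM session events out of `ausearch -i`-style records (the two lines quoted above, embedded as constructed sample input) and pairs them with the passwd-snapshot diff Joseph mentions, so the weekly report can at least name the accounts that changed. The snapshot contents and the `report()` function name are assumptions.

```python
import re

# Constructed sample: the two ausearch -i records quoted in the thread.
AUDIT_SAMPLE = """type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
"""

# Constructed /etc/passwd snapshots taken before and after the GUI session.
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\njoe:x:1000:1000:Joe:/home/joe:/bin/bash\n"
PASSWD_AFTER = PASSWD_BEFORE + "newuser:x:1001:1001::/home/newuser:/bin/bash\n"

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_record(line):
    """Flatten one audit record into a dict, including the keys inside msg='...'."""
    m = re.search(r"msg='(.*)'", line)
    outer = line[: m.start()] if m else line
    inner = m.group(1) if m else ""
    return {k: v.strip("'") for k, v in FIELD_RE.findall(outer + " " + inner)}


def userhelper_sessions(log_text):
    """(pid, auid) for every successful PAM session_open raised by userhelper."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec.get("type") == "USER_START" and rec.get("exe") == "/usr/sbin/userhelper"
                and rec.get("op") == "PAM:session_open" and rec.get("res") == "success"):
            hits.append((int(rec["pid"]), rec["auid"]))
    return hits


def passwd_delta(old, new):
    """Compare two passwd snapshots; return (added, removed, changed) usernames."""
    def table(text):
        rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
        return {ln.split(":", 1)[0]: ln for ln in rows}
    a, b = table(old), table(new)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(u for u in set(a) & set(b) if a[u] != b[u])
    return added, removed, changed


def report(log_text, old_passwd, new_passwd):
    """Join the GUI sessions seen in audit with the accounts the snapshots say changed."""
    added, removed, changed = passwd_delta(old_passwd, new_passwd)
    return {"gui_sessions": userhelper_sessions(log_text),
            "added": added, "removed": removed, "changed": changed}
```

The audit side still only proves that a userhelper session ran under a given auid; the account names come from the snapshot diff, which is why the two are reported together.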