On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote:
> Same as AUDIT(B) only for roles and groups?
Also hardwired. See the user account specification.
-Steve
> Simply put a watch rule on /etc/group and /etc/gshadow?
>
> Is that really enough? Do I also monitor the executables for /bin/passwd,
> /sbin/{groupadd, groupdel, groupmod, usermod}?
>
> Usermod, because technically, you can affect memberships of a user with
> this command and also useradd?
>
>
> Is *that *suitable?
>
> Is there an appropriate syscall for AUDIT(C)?
>
>
>
> --------------------------
> Warron French
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
