On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote: > Same as AUDIT(B) only for roles and groups?
Also hardwired. See the user account specification. -Steve > Simply put a watch rule on /etc/group and /etc/gshadow? > > Is that really enough? Do I also monitor the executables for /bin/passwd, > /sbin/{groupadd, groupdel, groupmod, usermod}? > > Usermod, because technically, you can affect memberships of a user with > this command and also useradd? > > > Is *that *suitable? > > Is there an appropriate syscall for AUDIT(C)? > > > > -------------------------- > Warron French -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit