Auditing User Additions - Critical Oversight?

Steve Grubb sgrubb at redhat.com
Tue Apr 5 22:57:05 UTC 2016 

Hello,

On Tuesday, April 05, 2016 09:48:01 PM Blackwell, Joseph M wrote:
> I am working on scripting a report that can be run to filter and display the
> audits on a weekly basis, and I am having issues pulling specific events
> that indicate when users are added through the User Manager GUI (GNOME
> 2.28.2). I have nispom.rules file running on kernel "2.6.32-220.el6.x86_64
> (RHEL 6.2)". The following are the only events that show up in the
> audit.log for this activity.
> 
> type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667
> uid=root auid=root ses=2
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:accounting acct=root exe=/usr/sbin/userhelper hostname=? addr=?
> terminal=? res=success' ----
> type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667
> uid=root auid=root ses=2
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct=root exe=/usr/sbin/userhelper hostname=?
> addr=? terminal=? res=success'
> 
> These events are followed by other SYSCALL events showing root writing to
> shadow, gshadow, and passwd, but no indication of the actual account that
> was created/modified. Unless I am not configured correctly, these seems
> like a critical oversight. Perhaps I am missing something?

This is well known at least to anyone working in this area.


> I know that we can gather other events, such as when the useradd command is
> used, but there are many admins that prefer to use the GUI. I suppose I
> could copy the passwd file on a weekly basis and perform a diff, but it
> seems to me that this type of information should be baked in already,
> especially in cases where we are using indexers such as splunk.

No one has ever certified a Linux desktop under OSPP. Common Criteria is the 
big hammer that causes things to get done. After doing a brief survey of GUI 
user managers, none seem to use pam which means password policy is also 
probably not enforced.

-Steve

More information about the Linux-audit mailing list