From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: AUDIT(C) - Group/Role addition, deletion modification
Date: Fri, 14 Jul 2017 16:56:52 -0400
Message-ID: <1981954.z9XbvCV7WO@x2>
References: <CAJdJdQnM8m_KS1LKqyPWedFn26DbW0ELjFCGCmgcx4tVSuW2GA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAJdJdQnM8m_KS1LKqyPWedFn26DbW0ELjFCGCmgcx4tVSuW2GA@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote:
> Same as AUDIT(B) only for roles and groups?

Also hardwired. See the user account specification.

-Steve

> Simply put a watch rule on /etc/group and /etc/gshadow?
> 
> Is that really enough?  Do I also monitor the executables for /bin/passwd,
> /sbin/{groupadd, groupdel, groupmod, usermod}?
> 
> Usermod, because technically, you can affect memberships of a user with
> this command and also useradd?
> 
> 
> Is *that *suitable?
> 
> Is there an appropriate syscall for AUDIT(C)?
> 
> 
> 
> --------------------------
> Warron French