From: Josh
Subject: Re: User Account Lifecycle Auditing Specification
Date: Mon, 15 Sep 2014 19:25:16 -0400
Message-ID: <2D672B81-6F01-4AC0-B400-1987FE058E49@gmail.com>
In-Reply-To: <47029832.9hktZUGAtl@x2>
To: linux-audit@redhat.com

On Sep 15, 2014, at 5:21 PM, Steve Grubb wrote:

> Hello,
>
> Recently I run across a problem where the events being sent by a program that
> enrolls users and groups was found to be not sending the right events. Some of
> the events were correct, some were wrong. In wanting to correct this problem
> (and write verification suites later) I thought it might be nice to have some
> specifications written up so that there is a common understanding that may be
> referred to. This will allow correction of misbehaving programs and people to
> better understand what this handful of events mean in a larger context.
>
> The document was added to the audit project page. A direct link can be found
> here:
>
> http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
>
> I would appreciate feedback and/or comments. I will also try to write up a
> couple other areas that need some clarification in the near future.
>
> -Steve

Thanks for putting this together!

"The creation of a group mapping by adding a line to /etc/group should results in the creation of an AUDIT_ADD_GROUP event." sounds weird. Perhaps you mean "The creation of a group mapping by adding a line to /etc/group should result in the creation of an AUDIT_ADD_GROUP event."

"This will also allow for test suites to be created to spot problems with thsi common understanding of how the system should behave so that apps are corrected." has a typo. Should be "This will also allow for test suites to be created to spot problems with this common understanding of how the system should behave so that apps are corrected."

Thanks,
-josh