From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: USER_MGMT  event
Date: Mon, 06 Jan 2020 08:52:12 -0500
Message-ID: <3529393.oyAdU6xjk6@x2>
References: <5F4EE10832231F4F921A255C1D954298252E49@DEERLM99EX7MSX.ww931.my-it-solutions.net>
	<1686247.kkT0hDcqUl@x2>
	<5F4EE10832231F4F921A255C1D95429825ABCF@DEERLM99EX7MSX.ww931.my-it-solutions.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5F4EE10832231F4F921A255C1D95429825ABCF@DEERLM99EX7MSX.ww931.my-it-solutions.net>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "MAUPERTUIS, PHILIPPE" <philippe.maupertuis@equensworldline.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Monday, January 6, 2020 4:44:07 AM EST MAUPERTUIS, PHILIPPE wrote:
> On Monday, December 30, 2019 12:29:13 PM EST MAUPERTUIS, PHILIPPE wrote:
> > On a RHEL8 server, when playing around with usermod and  chsh, I noticed
> > that usermod -c 'root@xxx' root generates a user_mgmt event
> > But chsh -s /usr/bin/tlog-rec-session root didn't.
> > Is that the expected behavior ?
> 
> It depends. Did you get any event at all? There is a chance that you just
> have mismatching events.
> 
> > I was expecting an event for both.
> 
> There should be an event for both.
> 
> > Should I open a ticket at redhat for this ?
> 
> Let's see what the answer is for the above.

Based on the logs provided, I'd say that opening a ticket is the right thing 
to do.

-Steve