* AUDIT(B) - USER add, delete, modify, suspend and lock
@ 2017-07-14 20:48 warron.french
2017-07-14 20:56 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: warron.french @ 2017-07-14 20:48 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 394 bytes --]
Similar idea to the prior email:
I need to monitor local user account
*creation, modification, deletion, suspension and locking.*
I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
*/etc/gshadow*, but how do I monitor who modified wfrench inside
/etc/passwd?
Is:
*-w /etc/passwd -k monitor_account_manipulations*
Good enough?
--------------------------
Warron French
[-- Attachment #1.2: Type: text/html, Size: 832 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AUDIT(B) - USER add, delete, modify, suspend and lock
2017-07-14 20:48 AUDIT(B) - USER add, delete, modify, suspend and lock warron.french
@ 2017-07-14 20:56 ` Steve Grubb
2017-07-14 21:20 ` warron.french
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2017-07-14 20:56 UTC (permalink / raw)
To: linux-audit
On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> Similar idea to the prior email:
>
> I need to monitor local user account
>
>
> *creation, modification, deletion, suspension and locking.*
These events are all hardwired too. The events that you are looking for are
part of this specification:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events
As long as audit is enabled, you will get the events.
-Steve
> I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> */etc/gshadow*, but how do I monitor who modified wfrench inside
> /etc/passwd?
>
> Is:
>
>
> *-w /etc/passwd -k monitor_account_manipulations*
> Good enough?
>
> --------------------------
> Warron French
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: AUDIT(B) - USER add, delete, modify, suspend and lock
2017-07-14 20:56 ` Steve Grubb
@ 2017-07-14 21:20 ` warron.french
0 siblings, 0 replies; 3+ messages in thread
From: warron.french @ 2017-07-14 21:20 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1113 bytes --]
Sorry, I failed to Reply-All on the first email thread too.
But it looks I might be onto something, yes? (I will look for your reply
in the other thread and make sure I Reply-All on it).
--------------------------
Warron French
On Fri, Jul 14, 2017 at 4:56 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> > Similar idea to the prior email:
> >
> > I need to monitor local user account
> >
> >
> > *creation, modification, deletion, suspension and locking.*
>
> These events are all hardwired too. The events that you are looking for are
> part of this specification:
>
> https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-
> Lifecycle-Events
>
> As long as audit is enabled, you will get the events.
>
> -Steve
>
> > I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> > */etc/gshadow*, but how do I monitor who modified wfrench inside
> > /etc/passwd?
> >
> > Is:
> >
> >
> > *-w /etc/passwd -k monitor_account_manipulations*
> > Good enough?
> >
> > --------------------------
> > Warron French
>
>
>
[-- Attachment #1.2: Type: text/html, Size: 2030 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-07-14 21:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-14 20:48 AUDIT(B) - USER add, delete, modify, suspend and lock warron.french
2017-07-14 20:56 ` Steve Grubb
2017-07-14 21:20 ` warron.french
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox