From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: AUDIT(B) - USER add, delete, modify, suspend and lock
Date: Fri, 14 Jul 2017 16:56:06 -0400
Message-ID: <4389313.SMzMEvUi0t@x2>
References: <CAJdJdQn+R4Ce+54dSGH-tDXDu-Abc1cy9-U9fQakLjUPoAa-Bg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAJdJdQn+R4Ce+54dSGH-tDXDu-Abc1cy9-U9fQakLjUPoAa-Bg@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> Similar idea to the prior email:
> 
> I need to monitor local user account
> 
> 
> *creation, modification, deletion, suspension and locking.*

These events are all hardwired too. The events that you are looking for are 
part of this specification:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events

As long as audit is enabled, you will get the events.

-Steve

> I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> */etc/gshadow*, but how do I monitor who modified wfrench inside
> /etc/passwd?
> 
> Is:
> 
> 
> *-w /etc/passwd  -k monitor_account_manipulations*
> Good enough?
> 
> --------------------------
> Warron French