From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: ausearch with message types does not return what I think it would
	return. (0 matches when adding a user)
Date: Tue, 30 Jun 2015 11:22:17 -0400
Message-ID: <4397065.b5uXy4mKpJ@x2>
References: <23396023F719ED41888885C3B22D602F0123D1@WPEXCH2010MR21.bur.hydro.qc.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <23396023F719ED41888885C3B22D602F0123D1@WPEXCH2010MR21.bur.hydro.qc.ca>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, June 30, 2015 03:12:40 PM Alarie, Maxime wrote:
> I am new with auditd, and got some issues..
> 
> For example,  When I add or delete a user,  I cannot see the entry with
> ausearch -m ADD_USER, it returns 0 match, BUT  its logging it under
> USER_AUTH. If I do a ausearch -x adduser, ill thee se event audit.log with
> the EXECVE Type:
> 
> # ausearch -x useradd | grep titi
> type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd" a1="titi"
> 
> I also tried to  find a full description of all message types  returned by
> ausearch -m  but could not find any..  Any help on this would be
> appreciated as well.

I think we discovered that shadow-utils had messed up the auditing pretty 
badly a few months ago. It caused me to write a document[1] that outlines how 
its supposed to work so that we can check any and all implementations to make 
sure they follow the standard. The shadow-utils in RHEL7.1 was patched to be 
correct and I presume the patch should be upstream by now.

So, I believe that is what you are seeing. Shadow-utils is a horrible piece of 
code for auditing because there are about 320 places that have audit events 
generated. I think upstream made it a little better, but its a huge problem 
because all those events have to be correct...and they weren't.

-Steve

[1] - http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt