From: Steve Grubb
Subject: Re: Auditing User Additions - Critical Oversight?
Date: Tue, 05 Apr 2016 18:57:05 -0400
Message-ID: <5330928.sxUSkOOQJC@x2>
References: <198b4e40890b4a1dbd4a83c039317d4a@XCH15-09-12.nw.nos.boeing.com>
In-Reply-To: <198b4e40890b4a1dbd4a83c039317d4a@XCH15-09-12.nw.nos.boeing.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Blackwell, Joseph M"
List-Id: linux-audit@redhat.com

Hello,

On Tuesday, April 05, 2016 09:48:01 PM Blackwell, Joseph M wrote:
> I am working on scripting a report that can be run to filter and display the
> audits on a weekly basis, and I am having issues pulling specific events
> that indicate when users are added through the User Manager GUI (GNOME
> 2.28.2). I have the nispom.rules file running on kernel "2.6.32-220.el6.x86_64
> (RHEL 6.2)". The following are the only events that show up in the
> audit.log for this activity.
>
> type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667
> uid=root auid=root ses=2
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:accounting acct=root exe=/usr/sbin/userhelper hostname=? addr=?
> terminal=? res=success'
> ----
> type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667
> uid=root auid=root ses=2
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct=root exe=/usr/sbin/userhelper hostname=?
> addr=? terminal=? res=success'
>
> These events are followed by other SYSCALL events showing root writing to
> shadow, gshadow, and passwd, but no indication of the actual account that
> was created/modified. Unless I am not configured correctly, this seems
> like a critical oversight. Perhaps I am missing something?

This is well known at least to anyone working in this area.

> I know that we can gather other events, such as when the useradd command is
> used, but there are many admins that prefer to use the GUI. I suppose I
> could copy the passwd file on a weekly basis and perform a diff, but it
> seems to me that this type of information should be baked in already,
> especially in cases where we are using indexers such as Splunk.

No one has ever certified a Linux desktop under OSPP. Common Criteria is the
big hammer that causes things to get done.

After doing a brief survey of GUI user managers, none seem to use pam which
means password policy is also probably not enforced.

-Steve
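Added example, not part of the thread or of the audit package: it parses the two userhelper records quoted above (which say who acted, via auid/ses, and when, but not which account) and pairs them with the weekly passwd-snapshot diff that the question proposes, which supplies the account name. The passwd snapshots are constructed; the record format is the ausearch -i style shown in the thread.

```python
import re

# One ausearch -i style record: type=<T> msg=audit(<date time>:<serial>) : <fields>
RECORD_RE = re.compile(r"type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")  # key=value or key='quoted value'

def parse_record(line):
    """Flatten one record into a dict; fields inside msg='...' are merged in."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        if key == "msg":  # nested PAM fields: op=, acct=, exe=, res=
            rec.update(FIELD_RE.findall(val.strip("'")))
        else:
            rec[key] = val
    return rec

def added_accounts(old_passwd, new_passwd):
    """Login names present in the new /etc/passwd snapshot but not in the old one."""
    names = lambda text: {l.split(":")[0] for l in text.splitlines() if l.strip()}
    return sorted(names(new_passwd) - names(old_passwd))

def userhelper_actors(lines):
    """(time, auid, ses) of every PAM accounting event raised by userhelper."""
    recs = (parse_record(l) for l in lines)
    return [(r["time"], r["auid"], r["ses"]) for r in recs
            if r and r["type"] == "USER_ACCT" and r.get("exe") == "/usr/sbin/userhelper"]

# The two records quoted in the thread, re-joined onto single lines.
SAMPLE_AUDIT = [
    "type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667 uid=root auid=root "
    "ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting "
    "acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'",
    "type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667 uid=root auid=root "
    "ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open "
    "acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'",
]
# Constructed passwd snapshots (not from any real host): one account appears between them.
OLD_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
NEW_PASSWD = OLD_PASSWD + "bob:x:1001:1001::/home/bob:/bin/bash\n"

if __name__ == "__main__":
    for when, auid, ses in userhelper_actors(SAMPLE_AUDIT):
        print(f"{when}: auid={auid} ses={ses} used userhelper; accounts added since last "
              f"snapshot: {added_accounts(OLD_PASSWD, NEW_PASSWD)}")
```

The correlation is only by time window: nothing in these records names the account, so the diff is what tells you which login was added during the session the audit trail attributes to auid/ses.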