[Pkg-shadow-devel] audit newgrp
kzak at redhat.com
Fri Feb 15 01:31:17 UTC 2008
On Thu, Feb 14, 2008 at 08:08:29PM +0100, Nicolas François wrote:
> On Wed, Feb 13, 2008 at 03:02:56PM +0100, pvrabec at redhat.com wrote:
> > could you commit this patch please. It makes newgrp to use correct audit
> > event. Patch from sgrubb at redhat.com
> Thanks, it's committed.
> With only minor reformatting.
> By the way, newusers do not have audit support.
> I'm also surprised by the audit events used in other tools.
> I would have expected useradd to use AUDIT_ADD_USER and userdel to use
> AUDIT_DEL_USER, but they are both using AUDIT_USER_CHAUTHTOK.
> Maybe the usage of audit in shadow should be audited.
> I'm not used at all with libaudit. Is there a developer manual which
There are man pages, but AUDIT_* messages are explained in
libaudit.h. A short overview:
/* Audit message types:
* 1000 - 1099 are for commanding the audit system
* 1100 - 1199 user space trusted application messages
* 1200 - 1299 messages internal to the audit daemon
* 1300 - 1399 audit event messages
* 1400 - 1499 kernel SE Linux use
* 1500 - 1599 AppArmor events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
* 1800 - 1999 future kernel use (maybe integrity labels and related events)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
* 2200 - 2299 user space actions taken in response to anomalies
* 2300 - 2399 user space generated LSPP events
* 2400 - 2499 user space crypto events
* 2500 - 2999 future user space (maybe integrity labels and related events)
Karel Zak <kzak at redhat.com>
More information about the Pkg-shadow-devel