On Mon, Jan 13, 2025 at 12:24 PM Panu Matilainen <pmati...@redhat.com> wrote:
> On 1/10/25 5:20 PM, Zbigniew Jędrzejewski-Szmek wrote: > > On Thu, Jan 02, 2025 at 01:08:38PM -0500, Steve Grubb wrote: > >> * Verify that audit events exist for user and group creation: > >> ausearch --start recent -i -m > >> > 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP' > >> * Remove the package and verify audit events exist for account and group > >> deletion (see above ausearch command). > > > > I submitted https://github.com/systemd/systemd/pull/35957 to add audit > > log generation to systemd-sysusers. > > Awesome, thanks! > > > This should make systemd-sysusers > > match useradd/groupadd from shadow-utils wrt. to audit logs. Actually > > systemd-sysusers will probably not be used, since rpm rather calls > > /usr/lib/rpm/sysusers.sh, which uses useradd/groupadd. But it's probably > > a desirable change in any case, and it'll make things easier if we decide > > to use systemd-sysusers, either by default or as a fallback. > > Given the lack of upstream reponse in the shadow-utils ticket, this may > well be the easier route. Rpm upstream prefers the script just to avoid > a systemd dependency by default, but I see no reason to stick with the > script when the real systemd-sysusers is available. (assuming the audit > stuff is added there) > Which shadow-utils upstream ticket? I've long wanted to get rid of the patch we have in Fedora for shadow audit, either by including it upstream or removing it altogether, but I'm afraid it may affect our user's systems. Maybe this FSWC will be the trigger for such a change. > > - Panu - > > -- > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- Iker Pedrosa Senior Software Engineer, Identity Management team Red Hat <https://www.redhat.com> Txapela (gorria) buruan eta ibili munduan (Red) hat on his head and walk the world Basque proverb <https://www.redhat.com>
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
