Hi OpenBSD community,

while investigating OpenBSD in the light of digital forensics, I 
stumbled over the following aspect:
The program "useradd" logs to syslog (facility LOG_USER, severity 
LOG_INFO) while the program "adduser" logs to its own special log 
file.
Furthermore, "adduser" uses a custom log format, different from the 
format used by syslog.

I didn't find a reason for this difference and am curious to hear if 
anyone else knows.

If nothing speaks for splitting the logs, I propose to change 
"adduser" to also log to syslog, making the entries exportable 
through syslog's features and more accessible to tooling building on 
syslog log files.

While I'm a novice with Perl, I made the following changes (see end of 
mail) and successfully tested them on OpenBSD 7.5. Next to changing 
logging in "adduser" to syslog, I also added a log message to 
"rmuser" for when user accounts are removed.

PS: I couldn't figure out how to make these patches with CVS, so 
plain diff it is.

Kind Regards

Herbert


diff adduser.perl.bak adduser.perl
32a33
> use Sys::Syslog;
52a54,55
> openlog("adduser", "nofatal,pid", "LOG_USER"); # setup syslog connection
> 
84d86
<     $logfile = "/var/log/adduser"; # logfile
814c816
<           &adduser_log("$name:*:$u_id:$g_id($group_login):$fullname");
---
>           syslog("LOG_INFO", "new user added: name=$name ($fullname), 
> uid=$u_id, gid=$g_id, group_login=$group_login, home=$home/$name, sh=$sh");
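Review bot: In the added syslog() call the fully interpolated string sits in the format position, so any % sequence inside $fullname or the other values is read as part of the format (Sys::Syslog expands %m there, for example). Pass a constant format and hand the values over as arguments, e.g. syslog("LOG_INFO", "new user added: name=%s (%s), uid=%s, gid=%s, group_login=%s, home=%s, sh=%s", $name, $fullname, $u_id, $g_id, $group_login, "$home/$name", $sh). The added line is also wrapped by the mailer onto two ">" lines, so this 814c816 hunk will not apply as posted.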
861c863
<     &adduser_log("$name:*:$u_id:$g_id($group_login):$fullname");
---
>     syslog("LOG_INFO", "new user added: name=$name ($fullname), uid=$u_id, 
> gid=$g_id, group_login=$group_login, home=$home/$name, sh=$sh");
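Review bot: The message string at 863 is a second hand-written copy of the one at 816, where the old code had both call sites go through adduser_log(). Keep a small helper (for example a sub that takes the values and issues the syslog() call) so the two entries cannot drift apart in field names or order, which matters for anything parsing these lines.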
1095,1113d1096
< # log for new user in /var/log/adduser
< sub adduser_log {
<     local($string) = @_;
<     local($e);
< 
<     return 1 if $logfile eq "no";
< 
<     local($sec, $min, $hour, $mday, $mon, $year) = localtime;
<     $year += 1900;
<     $mon++;
< 
<     foreach $e ('sec', 'min', 'hour', 'mday', 'mon') {
<       # '7' -> '07'
<       eval "\$$e = 0 . \$$e" if (eval "\$$e" < 10);
<     }
< 
<     &append_file($logfile, "$year/$mon/$mday $hour:$min:$sec $string");
< }
< 
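Review bot: Deleting adduser_log() also deletes the "return 1 if $logfile eq "no"" opt-out, and the replacement syslog() calls are unconditional. If dropping the ability to disable logging is intended, say so in the commit message and manual; otherwise keep a switch and test it before calling syslog().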
1592,1594d1574
< # logfile ("/var/log/adduser" or "no")
< logfile = "$logfile"
< 
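Review bot: The logfile key is dropped from the generated configuration here, but configuration files written by earlier versions will still contain a logfile = ... line. Check that the config reader tolerates the now unused key, and mention in the manual that the setting is ignored.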
1653a1634
>     closelog();

diff rmuser.perl.bak rmuser.perl 
38a39
> use Sys::Syslog;
99a101
> openlog("rmuser", "nofatal,pid", "LOG_USER"); # setup syslog connection
189a192
> syslog("LOG_INFO", "user removed: name=$login_name");
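Review bot: The added "user removed" message at 192 carries only name=$login_name, while the adduser message records uid, gid, home and shell. Because a login name can be reused later, log the uid as well if it is available at that point, so removal and creation entries can be correlated. Using a constant format here too, syslog("LOG_INFO", "user removed: name=%s", $login_name), keeps % sequences in the value out of the format position.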
217a221
> closelog();

diff adduser.8.bak adduser.8
355,357d354
< .It Pa /var/log/adduser
< log file for
< .Nm
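Review bot: The ".It Pa /var/log/adduser" entry is removed without a replacement, so the manual no longer says where account additions are recorded. Add a sentence stating that adduser logs through syslog with facility LOG_USER at level LOG_INFO, and give the rmuser manual the same note for its new message.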
