
List:       pkg-shadow-devel
Subject:    Re: [Pkg-shadow-devel] audit newgrp
From:       Karel Zak <kzak () redhat ! com>
Date:       2008-02-15 1:31:17
Message-ID: 20080215013117.GK14641 () ws ! dvoda ! cz

On Thu, Feb 14, 2008 at 08:08:29PM +0100, Nicolas François wrote:
> Hi,
> 
> On Wed, Feb 13, 2008 at 03:02:56PM +0100, pvrabec@redhat.com wrote:
> > 
> > Could you commit this patch, please? It makes newgrp use the correct audit 
> > event. Patch from sgrubb@redhat.com
> 
> Thanks, it's committed.
> With only minor reformatting.
> 
> By the way, newusers does not have audit support.
> 
> I'm also surprised by the audit events used in other tools.
> I would have expected useradd to use AUDIT_ADD_USER and userdel to use
> AUDIT_DEL_USER, but they are both using AUDIT_USER_CHAUTHTOK.
> 
> Maybe the usage of audit in shadow should be audited.
> 
> I'm not used to libaudit at all. Is there a developer manual which

 There are man pages, but AUDIT_* messages are explained in
 libaudit.h. A short overview:

/* Audit message types:
 * 1000 - 1099 are for commanding the audit system
 * 1100 - 1199 user space trusted application messages
 * 1200 - 1299 messages internal to the audit daemon
 * 1300 - 1399 audit event messages
 * 1400 - 1499 kernel SE Linux use
 * 1500 - 1599 AppArmor events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1999 future kernel use (maybe integrity labels and related events)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)
 */

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
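
A small check in the spirit of the thread's remark that the usage of audit in shadow should itself be audited, added here as an example and not code from shadow or libaudit: it flags record types outside the 1100 - 1199 range and pairs of tools that report with the same type. The struct and function names are hypothetical; the three constants carry their libaudit.h values, repeated so the block builds without the header.

```c
#include <stdio.h>
#include <string.h>

/* Values as defined in libaudit.h, repeated here (assumption: header not installed). */
#define AUDIT_USER_CHAUTHTOK 1108
#define AUDIT_ADD_USER       1114
#define AUDIT_DEL_USER       1115

/* One audit call site: which tool emits which record type (hypothetical type). */
struct emit { const char *tool; int type; };

/* 1100 - 1199: "user space trusted application messages" in the overview. */
static int is_trusted_app_type(int type)
{
    return type >= 1100 && type <= 1199;
}

/* Count entries whose type lies outside the trusted-application range. */
static int count_out_of_range(const struct emit *e, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_trusted_app_type(e[i].type))
            bad++;
    return bad;
}

/* Count pairs of different tools that share one record type; such events
 * cannot be told apart by type alone when searching the audit log. */
static int count_shared_types(const struct emit *e, size_t n)
{
    int shared = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (e[i].type == e[j].type && strcmp(e[i].tool, e[j].tool) != 0)
                shared++;
    return shared;
}

/* Constructed from the thread: what the tools use, and what was expected. */
static const struct emit observed[] = { { "useradd", AUDIT_USER_CHAUTHTOK },
                                        { "userdel", AUDIT_USER_CHAUTHTOK } };
static const struct emit expected[] = { { "useradd", AUDIT_ADD_USER },
                                        { "userdel", AUDIT_DEL_USER } };

int main(void)
{
    printf("observed: out of range=%d shared=%d\n",
           count_out_of_range(observed, 2), count_shared_types(observed, 2));
    printf("expected: out of range=%d shared=%d\n",
           count_out_of_range(expected, 2), count_shared_types(expected, 2));
    return 0;
}
```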

