AUDIT(B) - USER add, delete, modify, suspend and lock
warron.french
warron.french at gmail.com
Fri Jul 14 21:20:33 UTC 2017
Sorry, I failed to Reply-All on the first email thread too.
But it looks I might be onto something, yes? (I will look for your reply
in the other thread and make sure I Reply-All on it).
--------------------------
Warron French
On Fri, Jul 14, 2017 at 4:56 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> > Similar idea to the prior email:
> >
> > I need to monitor local user account
> >
> >
> > *creation, modification, deletion, suspension and locking.*
>
> These events are all hardwired too. The events that you are looking for are
> part of this specification:
>
> https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-
> Lifecycle-Events
>
> As long as audit is enabled, you will get the events.
>
> -Steve
>
> > I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> > */etc/gshadow*, but how do I monitor who modified wfrench inside
> > /etc/passwd?
> >
> > Is:
> >
> >
> > *-w /etc/passwd -k monitor_account_manipulations*
> > Good enough?
> >
> > --------------------------
> > Warron French
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170714/15a30c51/attachment.htm>
More information about the Linux-audit
mailing list