useradd question
Lenny Bruzenak
lenny at magitekltd.com
Mon May 20 20:05:55 UTC 2019
On 5/20/19 2:59 PM, Steve Grubb wrote:
> So...I went digging through the source code of useradd.c. In main is this
> comment:
>
> /*
> * Do the hard stuff:
> * - open the files,
> * - create the user entries,
> * - create the home directory,
> * - create user mail spool,
> * - flush nscd caches for passwd and group services,
> * - then close and update the files.
> */
>
> If you dig around, you'll see in the above process it calls usr_update().
> This is where the audit event is. The very next function call is close_files.
> This is where it actually writes to the files where it would be visible to
> auditd. So, it looks like auditing in shadow-utils is busted.
>
> I also see where its calling pam_tally2 which is deprecated for years. It
> should be calling faillock. I'll chat with upstream maintainers.
>
> -Steve
Thank you Steve, much appreciated! If they are able to provide a patch,
would you mind asking them to send me a link and I'll test it ASAP?
LCB
--
Lenny Bruzenak
MagitekLTD
More information about the Linux-audit
mailing list